Mitigating Password Re-Use From the Other End
An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious — kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"
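The JSON-event-plus-webhook auditing idea from the summary, sketched as an added example (not code from the article or from Threat Stack): the event field names, the HMAC signing of each webhook body, and the "login from a country not seen before" heuristic are all assumptions made here to illustrate the design.

```python
"""Sketch of the auditing idea in the summary: each site posts a signed JSON
authentication event to a third-party audit service, which keeps the history
(so a compromised site cannot rewrite it) and flags unusual logins.
Added illustration; field names and the heuristic are assumptions, not a spec."""
import hashlib
import hmac
import json
from collections import defaultdict

# One constructed demo key for brevity; a real service would hold one key per site.
SHARED_SECRET = b"constructed-demo-secret"


def make_event(site, user, outcome, ip, country, ts):
    """Site side: build one audit event and sign it so the service can authenticate the sender."""
    event = {"site": site, "user": user, "outcome": outcome,
             "ip": ip, "country": country, "ts": ts}
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return body, sig


class AuditService:
    """Third-party receiver: append-only log plus a per-user baseline of countries
    from which a successful login has been seen before."""

    def __init__(self):
        self.log = []                  # history lives here, outside any single site
        self.seen = defaultdict(set)   # (site, user) -> countries with a prior success

    def webhook(self, body, sig):
        """Verify the signature, record the event, and return 'ok', 'rejected' or an alert."""
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "rejected"          # unsigned or tampered event never enters the log
        ev = json.loads(body)
        self.log.append(ev)
        key = (ev["site"], ev["user"])
        alert = None
        if ev["outcome"] == "success":
            # First-ever success only seeds the baseline; later ones are compared to it.
            if self.seen[key] and ev["country"] not in self.seen[key]:
                alert = f"suspicious login for {ev['user']} on {ev['site']} from {ev['country']}"
            self.seen[key].add(ev["country"])
        return alert or "ok"
```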
Re:how about store your passwords properly? (Score:4, Informative)
Replying to self: It looks like LivingSocial actually has switched to bcrypt now. But not early enough!
You just made it easier for cracking. (Score:4, Informative)
So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?
Re:Forcing strong passwords in the first place. (Score:4, Informative)
The problem is that you have to remember those passwords.
That's what post-its are for.
Seriously though, I save passwords in a browser or other keychain management program.
Re:Forcing strong passwords in the first place. (Score:5, Informative)
1) LastPass
Re:Forcing strong passwords in the first place. (Score:5, Informative)
KeePass and all its related implementations (KeePassX, etc., etc.).
This is the only family of password management apps I've found that both share a common database format, and have functional implementations even if your platform-of-the-moment isn't "hip enough" for a more polished solution to care about supporting.