Mitigating Password Re-Use From the Other End 211
An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious— kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"
Forcing strong passwords in the first place. (Score:5, Interesting)
This seems like a good way to enforce strong password policies. if they are strong enough; they should help prevent password re-use. The only problem with this is the problem of people writing these down. We need a better online authentication system for 2013.
Re: (Score:3)
How does using a strong password prevent password re-use?
Re:Forcing strong passwords in the first place. (Score:5, Insightful)
It doesn't. I believe it may even encourage re-use.
Re:Forcing strong passwords in the first place. (Score:4, Insightful)
Furthermore, policies that require constant password changes encourage people to use the same password with an incrementally changing number.
I use strong and varied passwords for important services (email, banking etc) and shitty repeated passwords for every stupid forum that wants me to sign up to participate.
Re: (Score:2)
"How does using a strong password prevent password re-use?"
The key issue here is not so much strong passwords, but "auditing".
If this were the beginning of the month, I would suspect an April Fools joke. They want to improve your use of passwords by monitoring your password usage!!!
Gee, what could possibly be wrong with this idea? [sarcasm]
Re:Forcing strong passwords in the first place. (Score:4, Insightful)
Re:Forcing strong passwords in the first place. (Score:5, Interesting)
+5? The only way to keep a website from getting hacked is by not connecting it to the internet in the first place. Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.
Re: (Score:2)
Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.
Exactly. That's one of Schneier's central arguments [wikipedia.org] as to why sites getting "hacked" is so prevalent today. Once some initial security perimeter (e.g. a firewall) is breached, system design & security is sloppy enough that it's a free-for-all for the intruders. If systems were designed as a fortress built to secure data this would be a lot less of an issue, as unsuccessful crackers are broke crackers that need to start looking for income elsewhere.
Re: (Score:2)
Right, but the alternative are either user education or local solution on the user machine (keychain tool). The first one will not happen, that much should be clear by now. The second one is a matter of opinion - you need to believe the users can be collectively better at fighting malware creators than website developers at fighting dedicated cracker. It seems that recently both the botnets and general website cracking have been going well, so the jury is still out.
Egoistically, I would rather have the w
Re: (Score:2)
Keeping the site secure is the company's responsibility. Choosing passwords is the users' responsibility. Yes, they should work on their side of the problem, and let the users decide whether they want to take the risk of a weak password.
Re: (Score:2)
You're just pushing TRUST out to the remote site. Are you really sure that EVERY single website you use is likely to adhere to any sort of sane security standards, and have competent security-aware web developers?
Random usernames. Random passwords. This whole "your email address is your username" thing is retarded.
Re: (Score:2)
Re: (Score:2)
That requires the site that your trying to log into to store the passwords, which is a really Bad_Idea(tm), the site should only store a crytographic hash of the password and a salt value; please don't use a simple md5sum hash. Now if the site gets hacked and the database is stolen, the 'ner-do-wells don't have the passwords. Storing the md5 hashes doesn't work, there are plenty of lists of passwords and their md5 hashes out there.
Re: (Score:2)
My passwords all come in the following variations
yyyyyy
xxxxxxxxxx
Xxxxxxxxxx
Xxxxxxxxxx1
Xxxxxxxxxx_1
tell me again how strong password policies prevent re-use.
Re:Forcing strong passwords in the first place. (Score:5, Funny)
My passwords all come in the following variations
yyyyyy
xxxxxxxxxx
Xxxxxxxxxx
Xxxxxxxxxx1
Xxxxxxxxxx_1
You missed one of variations. I tried them all but I cannot login
Re: (Score:3)
Password policies are voodoo. They may make it more difficult for stupid users from using weak passwords, but they do not reliably prevent it, and they actively inhibit the use of strong passwords [xkcd.com].
Re: (Score:3)
Exactly. I hate it when some site first forces me to register, and then even has the balls to require a complicated password, assuring in the process that I won't become a returning visitor.
My usual password strategy is that I use a one very simple password for all systems that cannot harm me in any way. Such as news sites, free games, etc. Who cares if anyone can post under my name. For paid-for stuff and sites I leave personal details etc, I use a strong password, with alternating user names. Then when I
Re: (Score:2)
And they aren't bothered by that - their policies are designed for the vast majority, not the one-in-a-million asshat.
Re: (Score:2)
Sigh, somebody else trots out that stupid XKCD cartoon without understanding it.
The example that he used substituting for troubadour with a 2 character chaser is not something that has ever been recommended password policy anywhere I've seen recommendations made. It was specifically warned that you not take a dictionary word and transliterate it into leet speak because it wasn't a strong password.
Bottom line is that the suggested option is easier to reconstruct than a random password and that once you get m
Re: (Score:2)
THIS. Why not let me use the kind of strong password or passphrase that works for me? A password policy that has random restrictions (at least one number, at least one uppercase letter, no more than three lowercase letters in a row, etc.) just encourages the shortest weakest password that barely satisfies the constraints.... and it gives hackers information to figure out what passwords probably look like.
Just give people a realistic password meter, set some minimum level of complexity, and let them deci
Re: (Score:3)
I am so sick of websites that try to force "strong" password creation by creating their own rules. I have several strong passwords that I use that aren't considered "strong" by many websites (it is a nonsensical sentence with misspelled words). When you force me to add capitals and numbers and likely symbols, it's just going to cause me to change "thequickbrownfoxjumpsoverthelazydog" to "Thequickbrownfoxjumpsoverthelazydog1$" and then when attempting to log into the site I'll have to enter several variation
Re: (Score:2)
Apologies if this is a silly question, but doesn't requiring specific characters reduce the set of possible passwords, making it easier to crack?
If I know there has to be a numeric (and max length is 8) I don't have to try ABCDEFG[A-Z], for example.
Re: (Score:2)
... doesn't requiring specific characters reduce the set of possible passwords, making it easier to crack? If I know there has to be a numeric (and max length is 8) I don't have to try ABCDEFG[A-Z], for example.
ABCDEFG[0-9]
...
...
[0-9]BCDEFG
A[0-9]CDEFG
AB[0-9]DEFG
[0-9]bcdefg
Add the potential of "`~!@#$%^&*()-_=+[{]}\|,;:'"/?" in the square brackets and numerics instead, now you're talking secure. Why none of the graybeards back in the dark ages didn't come up with an RFC that codified Best Practice for this stuff, I don't know. Once you find yourself logging into Windows, OSF/1 (True64), AIX, HP-UX, Solaris, Linux, *BSD, and Mac, *times 2* (user + root/admin), you begin to see how abysmally this problem has
Re: (Score:2)
The length of the hash will depend to some extent on the length of the original. If it didn't you'd need infinite compression, or you'd have to accept hash collisions.
Re: (Score:2)
But then people could carve the passwords into the furniture. .
Outlaw furniture?
But Congress never holds itself accountable, so there'd be a bunch of people standing/laying on the Mall, calling Congress a pile of dicks.
Something should be done to make people more controllable.
Re: (Score:2)
Isn't there anything better than passwords, that would be unique, anonymous and disposable (destroyable)?
Re:Forcing strong passwords in the first place. (Score:5, Insightful)
LastPass used to scream at me when I was doing that, so I disabled that functionality.
Re:Forcing strong passwords in the first place. (Score:5, Insightful)
If you have so many passwords that you have to either write them down or store them in a password management system, then that criterion fails, because it's no longer something you know at all.
Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.
Re:Forcing strong passwords in the first place. (Score:5, Interesting)
Re: (Score:3)
That is why you use LastPass generated passwords for the millions of accounts you don't really give a fuck about and can ultimately always access through password reset mechanisms. This allows you to focus on creating and remembering unique passwords that you know for truly important accounts, such as emailaccounts and banking accounts.
The alternative of using a single throwaway password for all those crap accounts instead of LastPass 'tokens' will inevitably lead to using a terribly weak password due to d
Re: (Score:3)
Please someone mod the parent up. An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.
As well, you can export your LastPass data to another file, say one that you keep on your encrypted backups. No need to slag a very useful tool for nonsense reasons. (disclosure: premium subscriber here)
Re: (Score:3)
The most important "layer of trust" to use your phrase is to ensure that your EMAIL has a strong password, and that it is not the same as anything else. Your email password is the weak link, thanks to the forgot-password-reset (or god forbid password recovery) functionality of most other online properties.
And this raises a problem. Email is frequently used... so long pass phrases are inconvenient.
And worse, we have it saved in our phones, and on our laptops, so we don't have to re-enter it every 5 minutes.
Re: (Score:2)
Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.
I do something rather similar. At any given time I've memorized 4 distinct passwords. In descending order of complexity, they are: my email password (as a compromised email account makes it trivial to reset or access any other password, this is the most secure. I actually use a 20+ character "pass phrase" for this.), a "High" security password, for things like banks, paypal, amazon, basically anything that if compromised can cost me money, a "Medium" security password, for accounts that are important to me,
Re:Forcing strong passwords in the first place. (Score:5, Interesting)
Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.
Or, forget caring. If they lose control of a password, then it's their fault.
Re:Forcing strong passwords in the first place. (Score:4, Insightful)
Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.
It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse). At the moment I have 6 different passwords (8-10 char) in total, but they're mostly variations of the same base. Anything more complex than that and I would lose track.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
And you'll send them the passwords email, which is consistently monitored for passwords and stored with poor security? And your "keychain" program is tied to one client, and a graphical environment, and that one web browser, with no way to extract the password for putting in your other web browsers?
This is just organizing a fresh set of security holes. It's not a solution. And it wouldn't have solved _this_ event which involves plain text passwords stored on the server side for millions of users.
Re:Forcing strong passwords in the first place. (Score:5, Insightful)
1) I use five different operating systems. (Osx , ios, linux, windows, android ) name one keychain program that can be used across them all and keep that program easily sync'd?
2) You push the point of failure onto the keychain program. if you want to get someone all you have to do is crack their keychain and they are screwed.
3)what happens when your keychain program gets corrupted? a simple hard disk failure now prevents you from ever logging in again.
Re: (Score:2)
A good backup regimen would mitigate corruption of keychains.
Although it's true that cracking the keychain would open the door, that would at least require a cracker to get access to the keychain. If stored locally this wouldn't be a trivial thing. In terms of return on investment it would be expensive to do for anything but attempts on individual users. Most attacks are done in bulk on specific services.
I use very strong passwords on accounts where I register payment details, and a *very* strong password o
Re: Forcing strong passwords in the first place. (Score:5, Informative)
1) LastPass
Re:Forcing strong passwords in the first place. (Score:5, Informative)
KeePass and all its related implementations (KeePassX, etc, etc.).
This is the only family of password management apps I've found that both share a common database format, and have functional implementations even if your platform-of-the-moment isn't "hip enough" for a more polished solution to care about supporting.
Re: (Score:2)
1Password [agilebits.com] by agilebits supports all of those except linux, and syncs between them all using a couple different methods including an AES encrypted files on dropbox. If you need it on linux, they have a way that you can do it, but it's not as nice.
Re: (Score:3)
1. Lastpass works across all the platforms you've named, and has it's own sync. Keepass works across all of them, and only needs some form of file sync (eg Dropbox). Firefox sync will get you 4 of the 5 (all except iOS).
2. Virtually all of the circumstances that allow someone to attack the keychain program also tend to permit the undetected installation of a physical or software keylogger. The attacker may not compromise your less frequently used accounts as quickly, but they will have everything you use on
Re: (Score:2)
Re: (Score:3)
Re: (Score:2, Insightful)
It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse).
I have one website that I do exactly that with. They have such stupidly complex password for absolutely no reason (to get software updates for a product that requires a license server to run) that I refuse to participate. Their password requirements are even more complex than the Intel developer passwords - something I didn't think was even possible. So when I need to go login, I just reset my password and bypass their password system altogether. Just for fun, I even sent them email and told them that
Re: (Score:2)
I've seen some that mandate at least one of each case, and/or a digit, and/or a punctuation mark.
I haven't seen any that forbid those. Different does not necessarily imply incompatible.
Re: (Score:3)
You'd be surprised, I run into a fair number of sites where you have to use alphanumeric characters and nothing else. I've also run into a fair number of sites where the validation algorithm doesn't work so it will accept passwords that you can't use and just silently truncate or adjust them to whatever it takes without telling you what the new password is.
Then there's the sites that require at least 12 characters and the ones that limit it at 8. Really, it's a mess and the people paying for these systems d
Re:Forcing strong passwords in the first place. (Score:4, Informative)
The problem is that you have to remember those passwords.
That's what post-its are for.
Seriously though, I save passwords in a browser or other keychain management program.
Re:Forcing strong passwords in the first place. (Score:4, Insightful)
It's impossible to clear this mess up without using the same password and log in for everything. Right now I have over 400 log ins in my database. I'm not sure how many of those are ones that I need to log into again, but that's a large enough number that even changing them on a regular basis is unlikely.
Trying to unify that under the same log in that the sites get, is not something that's technically desirable. I'm not really sure how one can solve this problem form the server side, because you'd need 3rd party to access all of the passwords without the users' permission in order to know.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
What inconvenience? It's precisely the same amount of work for me to use a 2 character password as it is to use a 100 character password. Once you get more than about 4 log ins, it becomes inconvenient to memorize them anyways, and with a keychain the length of the string and the component characters are moot.
3rd party box (Score:3)
Since the audit entries are being created by the box running the application, it obviously has write access to the 3rd party box. So whoever has access to the application box has access to write (and hence alter) the 3rd party box.
Adult sites doing this well for years, Strongbox (Score:2)
To clarify something other people brought up, the remote audit system doesn't store passwords. It stores information about log-in events - who logged in from where, using what type of hardware, which browser,
Passwords are unfixable (Score:2, Interesting)
You can tack on more mitigation, but in the end it's the concept that's flawed, not the implementation.
how about store your passwords properly? (Score:5, Insightful)
It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt [wikipedia.org] (or the related bcrypt). That way even if the password db is compromised, the plaintext passwords aren't, and the attacker cannot use the result to get into other services, even if users shared passwords across services.
It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now. Password reuse is a much smaller problem if websites are designed properly. So rather than "as an industry" attempting to change user behavior, how about "as an industry" implement your damn sites properly, and audit that.
Re:how about store your passwords properly? (Score:4, Informative)
Replying to self: It looks like LivingSocial actually has switched to bcrypt now. But not early enough!
Re: (Score:3)
It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt [wikipedia.org] (or the related bcrypt).
It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now.
Yes! I can't believe there are websites out there that still don't hash passwords.
A few months ago I signed up to the website of a large health insurance provider, and they sent me an email confirmation of my account creation that included my website password in plaintext. Unbelievable.
Who writes this stuff? And who hires these people?
Re: (Score:2)
Putting your password in an e-mail during the registration process doesn't mean they store it in plain text in their database. If they can come up with your password at a later point (like when requesting a "lost password"), THEN you know they are storing their passwords in plain text.
Keep clear text passwords on the client (Score:2)
Putting your password in an e-mail during the registration process doesn't mean they store it in plain text in their database.
But it does mean that they send the password in clear text rather than hashing it on the client.
Clear text passwords should never be sent over the Internet, even over secure channels.
You just made it easier for cracking. (Score:4, Informative)
So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?
Re: (Score:3)
So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?
that you have to just use one complex password at one place and have to change it just at one place.
however the author is a dumb fuck who apparently hasn't heard of any of the SSO services...
No, the audit system doesn't store passwords. (Score:2)
Or, alternatively... (Score:4, Insightful)
If you're security conscious enough to put this fancy bit of JSON on your site, then most likely you're smart enough to not store your user's passwords in plaintext. In fact, I'd like to think you're clever enough to salt the hash of the passwords that you're storing as well.
Why am I pointing this out? Because password re-use is an issue when a password gets compromised. Passwords get compromised when they're not encrypted or hashed. So to "fix" the problem like this is all well and dandy, but it only works if every site does it and if every site hashed the bloody passwords in the first place, they wouldn't get compromised as often.
one key to rule... (Score:2, Interesting)
Or we could just use GPG authentication, where a user simply uploads his public key to the site. User's happy, because s/he can use the same passphrase everywhere and the site is also secure because even a hack won't divulge any passwords. Separate (key-less) password could still be optional.
Too many damn passwords (Score:4, Interesting)
If you have too many different username/passwords you will not be able to keep them straight. This is what OpenID was supposed to solve. One can flip the argument around very easily: if there were fewer sites maintaining their own password databases, then there would be fewer breaches.
And that does NOT mean using OpenID for everything including financial accounts.
Still a issue that Devs won't acknowledge (Score:5, Interesting)
The thought process of a developer is that it is usually a user problem, and therefore it is the user that needs fixing, not the user.
The cold reality is that using passwords at all is the problem.
Passwords are an antiquated solution to a simple problem from the very start of multi-user computing. It is simple but exponentially ineffective as it scales.
The human mind is not set up to remember multiple, complex passwords. There are very few humans who are gifted with this ability to remember literally hundreds of different passwords without writing it down, I would put someone who can in the realm of an academic genius who can remember entire textbooks or recite Pi for hours before they eventually have to take a break for physical reasons.
Normal people write it down or keep it to a narrow set of passwords depending on which level of complexity the system will allow. Both bad security practice.
And passwords that expire every 45 days with annoying complexity requirments? You're going to drive users nuts trying to think of new ones each time that eventually they will come up with the simplist password the system will allow and increment by 1 each time they have to change eg: Password1, Password2, Password3, etc.
There are hacks out there, eg: KeePass and LastPass, but this is a workaround to the underlying problem. The websites that Force you to use Facebook are even worse (as they force you to handover all your personal details while you are at it, which just as easily can be used for identity fraud. Many Banks, Telcos etc. only authenticate with your DOB). OpenID is better but the implementation makes it common to sign in from the website your are trying to access, making it susceptible to being spoofed.
Realistically, we need to kill the password. Two factor authentication all the way. It needs ONE trust relationship between the user and the authenticator. This could be a user ID and a token. The authenticator can have then multiple trust relationships with participating websites.
The authenticator should only provide two data points: (1) The user ID of that website (different ID to other websites so that the user can be tracked with the same ID across websites) and (2) That the user has authenticated themselves. Thats it. Most websites don't need to know your name, DOB, Vanity username, email address or anything else about you. If they need this, ask - but only if actually required - and give the user a clear option to decline or provide only partial data.
The only thing that most websites or other computer systems need is a way to tell which user profile to load up, and that the user requesting it is really the same user. A password does not prove that,
Re: (Score:2)
I disagree. Zero factor authentication works beautifully for everything online.
For the physical world, there's cold hard cash -- The Great Authenticator.
Re: Still a issue that Devs won't acknowledge (Score:3)
Then how come you are posting as VertexCortex and not Anonymous coward, still needs to be a mechanism to make sure you are VertexCortex. Ideally you should be able go hit "Login" on your browser, and your browser automatically logs you in for you while using two factor in the background (once you have already two-factored with your browser when you sat down) so Slashdot knows 1. You are VertexCortex (to load your preferences and posting abilities as your name) and 2. You have proven yourself (It doesn't ne
nightmare (Score:3)
That sounds like a security and privacy nightmare.
Perhaps users just don't give a f*ck whether their account on some third rate e-commerce marketing site gets compromised?
If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.
Re:nightmare (Score:4, Interesting)
If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.
That's rational.
Frankly, most password security "thinking" seems to me demented. There is no way I or most anyone else could possibly keep track of hundreds of different strong passwords with arbitrary characters, random case, etc without writing them down. And maybe not then.
And there is no practical way that I could secure that password list.
Neither is it likely that information providers can secure password information -- strong, weak or non-existent -- on their end. That's why massive password breaches are a daily event.
Bluntly, the industry's attempts at security can't and don't provide much security and are more a massive usability problem than anything else. How is "user education" supposed to overcome faulty engineering?
Look folks, the method you want to use to secure stuff simply doesn't work very well. Never has. Never will. Forget about "educating" users, and start thinking seriously about how to secure stuff, and whether most of what you are trying to "secure" actually needs securing. Maybe in decade or three you'll come up with something that works.
In the meantime. Get real.
Don't brush your problem off on the user (Score:5, Insightful)
I see it very often in audits, company security is facing the same problem: How to secure the network? The easy way out: The user has to do it. He has to come up with a password that fulfills the most inane requirements AND must remember it AND must not note it down.
That's the easy way out. All the burden is shifted to the user.
I consider it extremely patronizing if they then go, after a breach, that they tried to "educate" the user but failed. Well, DUH. Guess what. It's not the user's job to keep your database secure. It is his job to make sure his credentials don't get handed over to a third party, yes. But it is YOUR job to make it possible to him. And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.
Don't try to shift a problem that YOU have to solve onto your users!
Re: (Score:3, Funny)
And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.
Obligatory XKCD: http://xkcd.com/936/ [xkcd.com]
Re: (Score:2)
Solution is simple (Score:2)
Don't make users log in with their email address. Give them a randomly generated username and password combination.
This whole practice of forcing you to use an EASILY identifiable piece of information (your email) as one of the autentication factors is just retarded.
Re: (Score:2)
great, so now we have to remember both a username AND password? That'll make this whole thing even worse! Even worse, if my login is taken on one website then every website has a different log in (and password likely). So now I'm remembering 2xN pieces of information instead of just N.
Re: (Score:2)
Forget passwords, worry about "Secret Questions" (Score:5, Insightful)
All this concern over passwords is ignoring the much greater problem of so-called "Secret Questions". This is a mechanisms that positively encourages people to use the same security information on every site they visit and to give answers that can easily be guessed by other people.
How many sites hash the answers to these questions so that they can't be re-used by a hacked who breaches the site (or a corrupt employee)?
How many users take care to give a different wrong answer to these "Secret Questions" every time?
The complexity and variablility of the password reset process can make this mechanism less susceptible to automated attack, but if you want to attack a specific account of a known person this is a much better route that trying to crack the password.
Educate the users, Avoiding reuse is easy (Score:3)
2. We should ask the more important accounts like brokerage, mutual fund, bank accounts to use a two factor authentication system. But I don't want to juggle too many RSA key fobs. I like google sending a six digit code to the designated cell phone. Google also lets you set up 10 one time pad numbers ahead of time to handle the case when the cell phone cant get texts. As a first step if they would just send me text or an email for each login event and each transaction that would reduce fraud.
3. What really bugs me is, in this day and age of social network where people are posting details of their breakfast lunch and dinner for the whole world to see, even banks use "maiden name of mother" "name of your pet" or "where you went for honeymoon" to reset passwords. That is insane. So I used to give non intuitive answers like "nissan sentra" as the mothers maiden name. But it is so difficult to remember what stupid answer I gave to which site. That is my biggest beef with these security questions.
4. No I did not switch my username and password edit boxes when I signed up for slashdot. Friends recognize the dorm addresses, rest of alumna recognize the dorm names.
Re: (Score:2)
What you suggest is already available via add-in password hashers on the users end. Passwords are automatically generated and salted with the URL. You can "bump" a password to change the salt. The main problems I've come across are:
1) The algorithm differs by browser, even those that say they are compatible.
2) Some password entry points don't have a hasher function built in, requiring me to either write down the password or switch to the browser to get it.
All of my password hashing efforts are moot if th
Re: (Score:3)
Re: (Score:2)
Simplest thing to do is to use a 8 char string as the base password and append, prepend or insert a three char string based on the web site name into it.
I used to do this, but the problem is that it only protects against automated attempts to abuse a compromised password. If I happen to have bought something at EvilWebshopHosterX and made an account with BasePasswordEWHX, it's easy for anyone that gets their hands on the password to figure out all my other passwords based on the scheme.
Rotate the base password once a year or so.
This is a terrible hassle and generally leads to having to try multiple base passwords before giving up and using the password reset mechanism because at that particular webs
Re: (Score:2)
Edit the spam solution form (Score:2)
The old spam solution form at http://craphound.com/spamsolutions.txt [craphound.com] covers most of the solutions being proposed here.
http://craphound.com/spamsolutions.txt [craphound.com]
Common spam problems such as "Ease of searching tiny alphanumeric address space" and "Jurisdictional problems" translate easily to the common password problems of "sending passwords via email is inherently insecure" and "requiring unique passwords for each trivial new website creates enormous keychains that are not safely por
Do it in Firefox (Score:2)
Firefox already has password tools - it can optionally store the password from different sites. It should be simple to extend this to warn the user if any two passwords are the same.
Firefox uses *local* storage for this, on the user's computer, so it will be more secure than any remotely-hosted solution.
Low and High Security (Score:2)
(Result: I can not guarantee that I wrote this message. So what.)
Wrong approach in use. Secrets should be local (Score:5, Interesting)
The sites that are calling for better password choice need to step back a bit and consider whether their design concept of storing user passwords centrally is a good one. It's not, so they should get rid of it instead of applying band aids to a bad scheme.
It doesn't matter what encryption scheme is used, if authentication secrets are stored centrally on a website then they are at risk. Good sites make it hard to crack, and poor sites make it easy, but they are all at risk, from internal employee corruption if nothing else. Those secrets will leak because when stored at a single point then they are all accessible to the attacker at a single point. Leakage is just a matter of time.
A vastly more secure approach that's been well known for decades is for the user to store their secret locally as a private key, one half of a {private,public} key pair. The server only gets to know the public key (PK), and it's pointless for an attacker to crack that because the PK is public information that can be distributed freely through keyservers. (The PGP/GnuPG keyserver network has been doing this for decades.)
When a user creates an account on some website, she provides the identifier of her chosen PK (she may have lots of them). When logging in to the account subsequently, the server looks up her PK identifier in the info for this account, fetches her PK from the keyservers, then it sends her a random string encrypted with her PK. She decrypts it with her private key (which is only held locally by the user, nowhere else) and sends the decrypted string back. The server accepts the login if the returned string matches the random string that it picked, which is not stored and varies on every login, and rejects the fraudulent login attempt if the match failed.
That's strong distributed security, and it's resistant to MITM attacks and does not store any authentication secrets on the central service so those secrets cannot leak when the service is compromised.
It's not rocket science. Why this old but secure scheme isn't used by websites is quite a mystery.
Lastpass (Score:2)
I don't know why more people don't use solutions like Lastpass. I have one very long and difficult to guess password (but easy for me to remember), and every site I visit has a unique psudo-random gibberish password. If a site does something really stupid like store passwords of their users in plaintext, a breach will only allow access to that site since that password is used nowhere else. This method is impervious to dictionary attacks, hash-table lookups, etc. It's a tiny bit of an inconvenience, but
Completely missing the point (Score:5, Interesting)
The problem isn't that users use the same password on every site. The problem is that users have to create login credentials for every site they use.
That multiplication of logins is extremely inconvenient for users, and it's simply not practical for people to create good, unique credentials for every site and memorize them all. So people who care a lot about security are are willing to put in the effort (read: anal geeks) use encrypted password stores and such. Everyone else (read: 99+%) uses the same password or small set of passwords on all sites.
What's really stupid is that we have already solved this problem, and in a much better way then Jen Andre proposes. The solution is single-sign-on. Delegate account management and authentication to a trusted third party (TTP). Even better, allow many organizations to act in this role. Best of all, allow users to choose which TTP they want to use, or even to act as their own.
We've already built this. It's called OAUTH. Moreover, there are already a bunch of high-profile OAUTH implementors acting as TTPs -- and nearly all Internet users already have an account with at least one of them (e.g. Google, Facebook, Yahoo, Microsoft). For that matter, there are a number of sites already taking advantage of it to provide nearly zero-effort login (for example, stackoverflow is one that many slashdotters may use).
The common security objection to this approach -- that centralizing your authentication in a single account creates a single point of failure for your security -- ignores the fact that your web security already has a single point of failure, even if you use unique, strong passwords for every site you visit. That SPOF is your e-mail account, because essentially all web sites use the ability to receive e-mail as the golden key that bypasses all of their other security mechanisms.
But, with OAUTH you still have the ability to use different providers, and even to set up your own on a server you control if you like. You can choose the tradeoff between centralization and decentralization you like. No relying site will ever see any of your credentials. You can also pick a provider based on the level and type of authentication security they provide. Personally, I'm very happy with Google's two-factor authentication -- but OAUTH imposes no restrictions. Want certificate plus one-time-password plus fingerprint plus retina scan plus 100-word passepic? Fine. Find (or build) a provider that does that. Want nothing at all? You can have that, too.
And whatever you choose, none of the relying sites will ever have any of your credentials. Which means creators of those sites can't screw up storing your credentials.
The only thing that's required to make all of this work, for real, everywhere, is for sites to offer OAUTH authentication. It's easy, it's super convenient for users, it's as secure as the provider.
Some sites might choose to limit the providers they'll accept, on the theory that users can't be trusted to choose a good one. That's annoying and obnoxious, but whatever. Some sites (like banks) might decide that they simply have to do their security themselves because they can't trust anyone else, and They Are A Bank. Okay, fine, though such sites should be a tiny minority (and, frankly, as someone who worked as a banking security consultant for over a decade, and now works for Google doing security, Google -- and, I would expect, the other major Internet properties -- do a far, far better job at online security than virtually any bank).
The solution is to make OAUTH the default, expected login mechanism all over the web. It provides dead-simple, reasonably high security authorization for the masses and allows the paranoid to build/buy whatever they want.
Re: (Score:3)
OAUTH could have been nice, but Google, Facebook, etc. just see it as an opportunity for more data gathering.
If Google et al cared more about security than violating my privacy they would support a single sign standard on that didn't enable the correlation of user activity across sites.
This will never happen.
Did you not read my post?
If you don't want to use Google as your OAUTH provider, don't! Pick a different one. If you want one that guarantees not to violate your privacy, find one that makes that guarantee. Don't trust guarantees? Fine... run your own OAUTH provider. It's as simple as setting up a server and installing some software.
As for your theoretical single sign-on standard that doesn't enable the correlation of user activity across sites, by all means please tell us how such a thing would work.
The thing is ... (Score:4, Interesting)
I have numerous accounts for everything from forums to banking. Some are clearly important, while others are not important. The important accounts get the strong passwords, passwords that aren't reused (even in terms of a significant modification). The unimportant accounts have reused passwords, with the only real rule being that the password is different from accounts that may somehow be correlated (e.g. through their authentication mechanism or username).
The problem with preventing reuse is (a) every service thinks that they are the most important thing since the creation of the universe and (b) strong, non-repeated passwords have their own inherent insecurities.
By inherent insecurities I mean things like people recording their passwords. Written records and unencrypted electronic records can be read by anyone. These digital key managers secure all passwords with a single password, may they be locally hosted or remotely hosted. Records of any form run the risk of tying all accounts together rather than keeping them separate. Even those who memorize their passwords run the risk of entering the password for service A into service B.
Of course the people who think about security usually think about the things that they can control, which is the combination of bits. They rarely seem to address the psychology of the people using their mechanisms (outside of complaining or making unrealistic demands). If they want to create secure systems they need to apply human psychology, and recognize that security is often being applied where it is unimportant.
Third party? (Score:2)
Hmm. Now who [threatstack.com] might be offering just such services?
I thought I checked "Ads Disabled".
RADIUS (Score:2)
See if you can hack the user (Score:3)
Username: halcyon1234@example.com
Password:12345
Checking...
Server-side...
IF EmailLoginChecker.TryLogInToMailSystem("example.com", "halcyon1234", "12345") THEN
Error = "You're using the same password as your email address. We're mitigating that risk. Idiot."
ELSE RegisterUser();
END IF
Re: (Score:2)
Re: (Score:2)
Yet another one has drunk the KoolAide.
Re: (Score:2)
Or someone logged in as James Grimmelmann did.