Top E-commerce Sites Fail To Protect Users From Stupid Passwords 162
Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'"
xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.
Ticketmaster (Score:3)
Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:
"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"
Re: (Score:2)
Re: (Score:2)
Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:
"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"
That's nothing - A company I once worked for allowed passwords such as "Charlie5", but not a 10-character sequence of random alphanumerics (too long - 10 characters is too long a password!!!), or anything with a special character.
Were I a betting man, I'd put money down that not a thing has changed.
Re: (Score:2)
They didn't want you entering anything that wasn't in their set of rainbow tables.
Re: (Score:2)
When I first registered online with a credit card company in the 90's, they limited me to 4 characters. I think they were still in a PIN mindset. That got fixed eventually, but not for years.
not really a huge deal... (Score:5, Informative)
it's a lot harder to actually steal money online [microsoft.com] then people think.
Re:not really a huge deal... (Score:5, Interesting)
From what it sounds like, stealing money is harder than people think (myself included until I just read through that rather great link), but it's far from impossible. Moreover, a large part of the paper makes the point that it's not the customer who had their password stolen that will suffer the financial damage, but rather the person who owns the account that's used as a mule to move the funds, meaning that there's still a victim, just not who we thought.
For instance, if they get your password, they can't just cash your account out, since they don't have your ATM card, your PIN, or your government-issued ID. They first need to transfer the money to an account they control. But they don't want that account linking back to them either, which is where those spam e-mails about someone having $10,000 for you come into play. They'll send a person your $10,000 in exchange for that person sending them a $1000 "commission", and that person will then be scammed out of the $1000 they paid as a commission when you repudiate the $10,000 transfer and it's removed from their account. They're partially to blame too, of course, since they've allowed themselves to be taken in by an obvious scam, but it's the people engaging in bad password practices (both users and developers) that are enabling the scammers to scam in the first place.
...and this won't change because (Score:3, Insightful)
Re: (Score:3)
Well, the first question I have is... why?
I mean, I run into websites that declared themselves so important that the password HAD to be complex. Which is great, except I only accessed it once every few months, and ended up clicking "Forgot Password" anyways because they wouldn't ac
Re: (Score:2)
I don't mind strong passwords at sites that I'll never visit again, because I won't have to remember it (and if I do come back, I just hit the "I forgot my password" button).
It's the sites that I go to infrequently that drive me nuts.
To use your download entitlements (Score:2)
I mean, I run into websites that declared themselves so important that the password HAD to be complex [but] all the site had were software downloads.
Might it have been to keep an intruder from pretending to be you and redownloading the software you paid for? Or maybe I guess my mind got clouded by today's story about Steam...
Re: (Score:2)
I had this with my Gas Utility company. I can only see the last couple of digits of the credit card. The worst someone could do is pay my bill before I am ready, or see how much gas I am using. Why do I need to use a 16-character, alphanumeric, case-sensitive password that requires multiple special characters? I work in IT and have to maintain strong passwords, even on government HIPAA systems, and the gas company is more stringent.
I have ended up setting up an auto-pay and have not touched the account in two ye
Slashvertisement. (Score:5, Informative)
Vendor of X does a study showing that people would be safer using X.
My bank enforces stupid passwords (Score:3, Interesting)
I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.
Re: (Score:2)
Re: (Score:2, Insightful)
My bank tells you if you entered an invalid user name.
Attempting to create a new account with that username, attempting to begin the password reset process, or attempting to send money to that user would disclose the same.
Re: (Score:2)
Password reset process maybe, but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person? That's what I remember doing quite a few years ago when I started doing banking online. Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.
Re: (Score:2)
Password reset process doesn't necessarily need it either. You can just tell the user '*if* you entered a valid username, we're sending you reset instructions', without revealing whether there was a match or not.
Online-only banks exist (Score:2)
but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person?
I opened accounts with Ally (a bank) and PayPal (not technically a bank but they act like one) while living in Fort Wayne, Indiana. Ally and PayPal have no branches there.
Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.
A PayPal user sends money to another PayPal username, which is an e-mail address. Chase is starting a similar system called Chase QuickPay.
Re: (Score:2)
I see. I wonder what benefits Chase sees in the system; it seems to me that security-wise there is a downside in using login usernames for payment addressing. I'm not familiar enough with US banking to figure out the upsides, but most probably the system will lower costs somehow.
Re: (Score:2)
My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.
Re: (Score:3)
Re: (Score:2)
My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.
I believe you just won the Internet.
Re: (Score:2)
One of my bank sites doesn't allow special characters. Only letters & numbers.
They're probably not hashing them. (Score:4, Informative)
That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.
If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.
Be worried about that bank's security.
Re: (Score:2)
How about that, so does my bank. I'm only allowed to use letters and numbers. I forget what the length limit is, but yeah, short for that kind of simple password. I have much better passwords for forums.
allsorts asks, "Why?" The only thing I can come up with is they're too lazy to write the regex.
I've been railing about this for years, but since we're on passwords: Password Manager. They've had a decent one in OS X (Keychain) since at least 2002, which is how far back my saved passwords go. Since I b
Smells like NTLM passwords n/t (Score:2)
n/t
Re: (Score:2)
TLS client cert?!? Really? Oh, PLEASE tell me what bank that is! If they're available in the US I would consider switching just to approve their use of that approach.
My bank (Wells Fargo) uses case-insensitive 8-character alphanumeric passwords. At least, the limit of 8 characters was present when I last tried to create a password. Maybe they're better now, but I kind of doubt it (the check is still case insensitive...)
Morons. We trust these people with our money?
Re: (Score:2)
Still not great, but better than it was.
Tobuscus Got It Right (Score:3)
https://www.youtube.com/watch?v=jQ7DBG3ISRY
1, 2, 3, 4, 5 (Score:3)
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]
Oblig. xkcd (Score:2)
30 years later. This isn't that hard. (Score:2)
Sigh. My obvious password detector [animats.com], published in 1984:
The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.
Users should be advised to pick a password composed of random letters and
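To make the trigram idea above concrete, here is an added example in the same spirit (my own illustration, not the animats.com code): it trains on a small constructed word list standing in for a real dictionary, scores a candidate by how many of its letter triplets are English-looking, and rejects passwords that are too short, too long, or too word-like. The threshold and the word list are assumptions; a real deployment would train on a full dictionary.

```python
from collections import Counter

# Constructed stand-in for a spelling dictionary (assumption: a real detector
# would be trained on the full word list, not two dozen words).
TRAINING_WORDS = [
    "password", "welcome", "letter", "station", "nation", "computer",
    "dragon", "monkey", "sunshine", "princess", "football", "baseball",
    "shadow", "master", "superman", "michael", "charlie", "whatever",
    "internet", "thunder", "silver", "orange", "summer", "winter",
    "garden", "mother", "father", "river",
]


def trigrams(text):
    """Return the purely alphabetic letter triplets of text, case-folded."""
    s = text.lower()
    return [s[i:i + 3] for i in range(len(s) - 2) if s[i:i + 3].isalpha()]


def build_model(words):
    """Count how often each trigram occurs in the training words."""
    return Counter(t for w in words for t in trigrams(w))


MODEL = build_model(TRAINING_WORDS)


def english_likeness(password, model=MODEL):
    """Fraction of the password's trigrams that also occur in English words.

    A random string scores near 0; a dictionary word (with or without a
    digit tacked on) scores near 1. Digits and symbols are not counted.
    """
    tg = trigrams(password)
    if not tg:
        return 0.0
    return sum(1 for t in tg if t in model) / len(tg)


def is_obvious(password, model=MODEL, min_len=8, max_len=64, threshold=0.5):
    """Reject passwords outside the length limits or that look like words."""
    if not min_len <= len(password) <= max_len:
        return True
    return english_likeness(password, model) >= threshold


if __name__ == "__main__":
    for pw in ["Charlie5", "sunshine1", "xq7vZ2pL", "kzqvxjwp", "short"]:
        print(f"{pw!r}: likeness={english_likeness(pw):.2f} "
              f"obvious={is_obvious(pw)}")
```

Note that "letters" scores high even though only "letter" is in the training list: the triplet statistics generalise past the exact dictionary, which is the point of the technique.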
Re: (Score:2)
My obvious password detector [animats.com], published in 1984
I came across this password strength detector [dropboxusercontent.com] the other day. It really cheered me up, as it uses a scientifically-justifiable approach (information entropy FTW!) and it laughs in the face of a number of tricks that many people recommend despite them being actually weak (replacing "o" with "0" only really adds one bit of security, which is nearly nothing, whereas adding another word adds far more despite being easier to remember).
Three fold problem (Score:2)
2) A bunch of sites that have legitimate needs for
Re: (Score:2)
Re: (Score:2)
But, if they're not keeping your credit card # they can't do the one-click order thing. I do get kinda annoyed having to type my credit card in every time, but I realise that it's nothing compared to the annoyance of having it stolen.
Since the story already had the obligatory xkcd, here's an oatmeal which also describes it: http://theoatmeal.com/comics/s... [theoatmeal.com] . To paraphrase: if I want a shitty password and don't care if it gets stolen, why shouldn't I?
Re: (Score:2)
I think Amazon does give you the option of storing your credit card number. Some of their customers think this is a nice convenience, and are likely to take their money elsewhere if Amazon doesn't offer this "service" (or maybe it just makes impulse sales easier).
Re: (Score:2)
You might be better off using a credit card number.
If somebody hacks the site and uses a debit card number, you may be responsible for part of the charge plus overdraft charges, etc.
With a credit card, the credit card company will cancel fraudulent charges that you tell them about.
Why I only shop using Paypal, Amazon, GoogleWallet (Score:2)
When you use the above merchants to pay, only the money is transferred and no re-usable billing information like credit card info is sent to the recipient of the funds. So when doing ecommerce you don't have to put your CC# everywhere on the internet then wonder why you've got credit card fraud.
In some cases you can set up or are forced to automatic authorization from PayPal, but you can revoke that immediately. PayPal really is the safest way to pay. No comment on the rest of PayPal's operations though (di
This is your password deal with it. (Score:2)
I think the right strategy for websites which have to do user registration is to just provide the user with a random password of sufficient length as to be near impossible to type correctly, much less remember, and don't even provide the functionality for users to select their own. This almost insures that the password won't be used elsewhere, it enforces password quality, and it encourages the use of a good password manager.
Re: (Score:2)
The funny thing is, when I forget my password, some sites reset me to a pw like that - then make me change it to something memorable.
Re: (Score:2)
encourages the use of a good password manager
Lol!
All that would really encourage is people not using the website. If Kellogs.com customer loyalty reward website assigned me a ginormous password, using characters I don't think I could even find on my phone's keyboard, it would encourage me pretty quickly to not use Kellogs products and seek out the competitor's product (which would have a more reasonable password policy) when the difference was negligible to me.
Re: (Score:2)
Problems with conflicting rules (Score:2)
I'm starting to have problems with differing rules at different sites.
I.e. one REQUIRES a special character. Another disallows special characters.
One has a maximum length of 8 (crazy short) while others have a minimum length of 8 characters.
And all of them won't let you reuse a recent password so if you can't remember the password, then your new password can't follow your own password rule set.
It's reached a point that now I have a sticky pad with coded passwords written down.
Netflix has been a pain becaus
Re: (Score:2)
Differing rules is kind of a good thing, because then you can't reuse the same password on different sites.
Re: (Score:2)
I don't reuse the same password- but I can't even follow the same password generation rules/algorithm.
Which means I must write down the passwords at this point since I have over two dozen passwords- some at sites I visit only once every six months.
I will check out lastpass that the other poster recommended.
Problems with unpublished rules (Score:2)
My problem is this: too many sites don't even publish their password policies, so I can't even begin to tell what is an acceptable password. I may go to the trouble to use mixed case, only to find out that their password is case-insensitive. Or they may accept a long password but silently truncate it. Or they may not accept special characters, but "tell" me only with an error message when I try one. Or sites that turn right around and *send* me my new password so I won't forget it (again, without tellin
Silly suggestion (Score:2)
In addition to just listing their password requirements, sites could provide a link or bubble help to a method of creating a "good" password. I like:
1) Pick a short phrase (e.g., "See Spot run.") but that connects to the site to provide some mnemonic value (so "See Spot hurl." might be for your vet).
2) Do some simple letter to number, symbol or punctuation substitutions (e.g., "S33 Sp0+ hurl.").
3) If you wish, squish out the blanks between words (e.g., S33Sp0+hurl.).
So we now have an easy to remember, ele
Re: (Score:2)
Any password-generation algorithm that is not based on a cryptographically-secure random number generator reduces the search space and makes it easier to guess passwords.
I do not believe in "easy to remember" passwords. I believe in strong passwords, which of necessity are hard to remember, so they have to be written down and stored safely, or stored in a password keeper protected by strong encryption and as long a passphrase as you can get away with.
Re: (Score:2)
1) prone to typo error, especially as the password is generally hidden
2) number & capitals are a pain on mobile devices
3) ever harder to remember (ie. where the @!#$ did I put the capital)
Re: (Score:2)
So, suggest a better method. The requirements are:
1) Easy to remember.
2) Not based on a password already in rainbow tables (e.g., dictionary words with all permutations of upper and lower case; simple substitution of letters, numbers or punctuation for letters; etc.)
3) Not easily guessed from social information.
4) Typical strong password requirements like must contain both upper and lower case letters, numbers and punctuation (I go through this every 90 days where I work for each password system I have to d
Re: (Score:2)
So, suggest an alternative. The requirements are:
1) Easy to remember.
2) Not a word that is in a password compendium like rainbow tables so no dictionary words or simple upper/lower case permutations or simple substitutions of numbers and punctuation for letters.
3) Meets recognized strong password criteria (mix of upper and lower case, numbers and punctuation and symbols) and at least 10 characters long.
4) Not based on something easily obtained socially.
and add your requirements/critique even though they co
Correct, that's a battery staple (Score:2)
and a silly suggestion.
How many bits of entropy are you actually producing? If you don't know, go to the back of the class.
Help me act on this advice (Score:2)
How should a web site determine whether a given password is "notoriously weak"?
Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.
Re: (Score:2)
Detecting weak passwords is trivial. Here's how you do it: take a password database (there have been lots of leaked passwords from various insecure sites). Sort it by how common the password is, descending order. Require that the user's new password not be in the upper portion (upper thousand or so would probably be a good start) of the list. Update that list periodically, to account for the possibility of password shift.
For bonus points, do the following:
Hash every password in the list to make it marginall
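The list-based check described in this reply, as an added example (my own code, not the poster's): it builds the "upper portion" blocklist from a constructed stand-in for a leaked dump, sorted by frequency, and folds case, trailing digits and the usual letter-for-digit swaps before comparing, so that "P@ssw0rd123" is caught by the entry for "password". The dump, the `top_n` cut-off and the substitution table are assumptions; a real list has millions of rows and a cut-off in the thousands.

```python
from collections import Counter

# Constructed stand-in for a leaked password dump (assumption): one line per
# leaked account, so repeats reflect how common a password is.
LEAKED_DUMP = """123456
password
123456
password
qwerty
123456
letmein
password1
123456
iloveyou
qwerty
abc123
password
123456
dragon""".split()

# Assumed table of common substitutions; folding them costs an attacker
# almost nothing, so they should not rescue a blocked password.
LEET_MAP = str.maketrans("0134$@!", "oleasai")
DIGITS = "0123456789"


def normalize(pw):
    """Canonical form used on both the blocklist and the candidate.

    Digit-only passwords (PIN-style) are compared literally. Anything with
    letters is case-folded, has trailing digits removed ("password1" ->
    "password") and has leet substitutions undone ("p@ssw0rd" -> "password").
    """
    s = pw.lower()
    if not any(c.isalpha() for c in s):
        return s
    stripped = s.rstrip(DIGITS)
    if stripped:
        s = stripped
    return s.translate(LEET_MAP)


def build_blocklist(dump, top_n):
    """Most common top_n normalized passwords in the dump, descending."""
    counts = Counter(normalize(p) for p in dump)
    return {p for p, _ in counts.most_common(top_n)}


def is_notoriously_weak(pw, blocklist):
    """True if the candidate collapses onto a blocklisted password."""
    return normalize(pw) in blocklist


def coverage(dump, blocklist):
    """Fraction of leaked accounts the blocklist would have rejected.

    This is the number to watch when choosing top_n: a small head of the
    distribution usually covers a large share of real accounts.
    """
    hits = sum(1 for p in dump if normalize(p) in blocklist)
    return hits / len(dump)


if __name__ == "__main__":
    bl = build_blocklist(LEAKED_DUMP, top_n=3)
    print("blocklist:", sorted(bl))
    print("coverage: %.2f" % coverage(LEAKED_DUMP, bl))
    for pw in ["P@ssw0rd123", "Qwerty", "dragon", "correcthorsebatterystaple"]:
        print(f"{pw!r}: weak={is_notoriously_weak(pw, bl)}")
```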
Tesco (Score:2)
Me: Additional Information: password "Must be between six and ten characters in length"
Why does Tesco have such a silly limit???? Please consider increasing the max length of the password!
I am sorry that you are unhappy with the length of password you can use to register on our website. I have now logged your comments on our Customer Feedback System under reference 13782619. This will ensure that it is fed back to the relevant team in our Head Office.
That was back in 2012
Re: (Score:2)
Obviously they're storing the password, and at a guess, the reason for no-swear-words is that their call-centre staff confirm your identity with your password... or something? Whatever. But what's up with not including "guest" in there? It mus
Our policy (Score:2)
We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.
There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probabilit
Re: (Score:2)
Why make users reset after X number of failures? (Score:2)
Apple, among many, many other services, says that after a certain number of failed attempts, your account is locked and you have to reset your password to regain access.
This seems stupid to me because if the password kept someone out after X failed attempts it must be strong enough. So why force a new one?
Experiment: force enough password resets on a user's account until they've run out of strong passwords, then use "password" to get in. Profit!
Re: (Score:2)
I don't think you have thought your plan all the way through.
Re: (Score:2)
Wow, you're trying (and I appreciate that) but you really need to think this through a lot harder!
1) Password "guessing" isn't done by a human who will get bored. It's automated, and *extremely* fast. Let's say I can submit 10 password attempts per second (practically speaking, even a shitty home connection can probably manage closer to 50; a botnet could manage tens of thousands easily if the login server is up to it). Just because your password isn't in the 10 most commonly used ones doesn't mean it isn't
Re: (Score:2)
Thought it through just fine, thank you. My plan to take over the world was a jest. My complaint about requiring a password reset after X number of tries is 100% valid. Let's walk this through:
1) Bot hits my account 10 times. Account is locked. Victory! Bot doesn't get in.
2) Eventually, I request that the account get unlocked. Company has two choices:
i. Unlock the account and let me go about my business, secure in the knowledge that I have a password that can't be guessed in 10 tries.
ii. Force me to choose
if you think there ought to be a law... (Score:2)
Good! (Score:2)
More sites should fail to protect me from using a "stupid" 30-letter-or-whatever-long passphrase just because its algorithm thinks that it's "weak" because it doesn't have 2 numbers and two special characters (but only choose from these 3 specific special characters, because we don't know how to protect against sql injection otherwise!) Let me pick my own frelling password.
Ok, so it probably makes sense to specifically bar users from using completely butt-tarded passwords like "123" and "password", but only
On the other news... (Score:2)
... job admission forms fail to protected candidates to burn themselves by bad grammar.
(thanks god Slashdot fails too, as some of you can easily note by my already traditional bad grammar)
Companies that limit passwords are worse (Score:2)
The bank I used to be with before I recently switched upgraded their security a few months ago. Prior to the upgrade, they actually limited passwords to 10 characters maximum. Thankfully, both this bank after the security upgrade and my current bank don't have any such maximums and I can use a longer password. (and no, the security stuff wasn't why I switched, I switched because I moved to a new area where my old bank didn't have any branches)
Any web site that limits the maximum amount of characters in this
news at 11 (Score:2)
Personally, I love password rules. (Score:2)
Personally, I love password rules.
The more complex the rules, the smaller my brute force search space, since I can just not look for passwords which don't meet the rules.
Please, no more arbitrary rules (Score:2)
There is nothing I hate more than websites that make me adhere to their arbitrary password security rules. The more hoops you make me jump through, the harder the password is to remember, and the dumber the password I pick (in the hopes of making it easier to remember).
Please, leave me alone.
blocking access after failed passwords (Score:2)
Blocking access after failed passwords just invites denial of service attacks. It seems like a bad idea for most situations.
The problem is not passwords it is identity. (Score:2)
Repeat after me.
The problem IS NOT PASSWORDS. Fighting for "better passwords" is a never-ending, stupid, foolish waste of time.
What is the point of a password? It is to prove who you are. Nothing more, nothing less. A password is not used as a key to look up information for a retailer, or blog, or anything else - that is keyed off your user name. All a password is is an identifier showing WHO YOU ARE.
It is unrealistic to expect a human to remember dozens of complex passwords and change them monthly. It is
Where do OpenID endpoints come from, the stork? (Score:2)
Because, of course, it is so much better to sell your users to some social network and let them control how you run your site or business?
Webmasters do live in and manage their own universes, to the extent that they want to. What next, you're going to complain I have a door on my house or on my bathroom? Go away, you're creepy.
Not only e-commerce sites (Score:2)
I went into my bank recently and got the hard sell about switching to internet banking.
This is something I've resisted, but I was told it was "quite safe" and "millions of people do it".
They had a so-called free cash-back offer on the debit card. I looked at the sign-up process and was told by the counter staff it needed a password of 6-8 characters - case insensitive and letters/numbers only.
For some reason they were surprised when I informed them that this was an incredibly weak password scheme and that I w
Re:Top gun manufacturers fail to protect users (Score:5, Insightful)
From pointing the gun at their face.
Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.
Re: (Score:3)
the notion of protecting people from themselves is fundamentally flawed.
Yet traffic deaths are at a sixty year low [masslive.com] despite a quadrupling of the number of cars and drivers. When common sense safeguards, such as seat belts, were first proposed, the auto industry made the same argument you are using here: "Our customers are stupid, and deserve what they get."
Re: (Score:3)
Re: (Score:2)
Why should the government try to protect people from themselves ?
I wasn't saying the government should protect people from themselves. I was saying that the car industry should protect people from themselves. Most car safety improvements have NOT been the result of government regulation. They were the result of liability laws that made manufacturers responsible for the preventable deaths and injuries of people using their products.
Re: (Score:2)
Re: (Score:2)
How are liability laws not government regulation?
Re: (Score:2)
Most of the safety mechanisms in today's cars are transparent to the user and do not inconvenience them in any way...
Re: (Score:2)
Honestly I get annoyed with password requirements that want you to have a special character, number, mixed case, etc. I just like to use really long but simple passwords; mathematically speaking, they're more secure than this mixed content bullshit while being easier to remember.
Re: (Score:2)
Why would you set a ceiling - unless you are storing them in plain text...
Re: (Score:2)
My electric company recently (last year) changed out its billing system.
The new billing system required me to reset my password to be between 6 and 8 characters, letters and numbers only (but is at least case sensitive).
Re: (Score:2)
Re: (Score:2)
A lot of sites with tough password policies are too self-important... Most of the things I'm signed up to online I don't particularly care if they get cracked, and so use weak and easily remembered passwords for them if possible.
Re: (Score:3)
Yes, yes, one in every 10^85 random passphrases will have the same SHA256 hash. OH NOES! Meanwhile, unhashed (or weakly hashed) passwords are trivial to reverse (and then use to log in as those users, or to try logging in as them on other sites as well) as soon as the password database gets dumped. Such dumps happen all the time. I would be willing to wager that in the entire history of the Internet, nobody has blindly (i.e. without knowing the hash they were trying to generate) stumbled onto a password ver
Re: (Score:2)
Password length is important (Score:3)
Several years ago, I used to work for a now defunct online web site company that provided websites to customers. Customers were required to activate their site and sign in to a site management web page. Although the password policy was not as sophisticated as it should have been, we did require passwords to be between 6 and 16 characters.
We received an email from one customer who was helping a new customer activate and sign up for the web management page. The new customer liked to pick passwords based on a m
Re: (Score:2)
Using a service on a user's behalf (Score:3)
Re: (Score:2)
Say a server running service A uses service B on behalf of users of service B. In order to do this, service A needs to store a credential for each user of service B.
You're doing it wrong.
One way is for Service A to establish a trust with Service B (ex. using SAML), and have the user at Service B authorize that usage. Service A and B agree on a unique key for that exchange (ex. private/public certs), and Service A issues those commands to Service B using its user + that authorized cert to perform on that user's behalf.
Of course, if Service B offers no such ability, then you'll need some sort of kludge like you suggested, but that doesn't make it right. Even so, they shou
Re: (Score:2)
One way is for Service A to establish a trust with Service B (ex. using SAML), and have the user at Service B authorize that usage. Service A and B agree on a unique key for that exchange (ex. private/public certs)
So how would the operator of service A prevent the service from stealing service A's private key with service B?
Of course, if Service B offers no such ability, then you'll need some sort of kludge like you suggested, but that doesn't make it right.
The kludge I suggested is a clunky way to describe the OAuth family of protocols, used by Twitter, Amazon MWS, and the like.
a key server appliance
How much does one of those cost to buy and operate, especially if the rest of service A is small enough to run on shared hosting or a small VPS?
Re: (Score:2)
Nonono, you can't just use that one, you need to roll your own using a random number generator [xkcd.com]!
And without giving too much away, I know mine counts as secure, because it starts with a "4"!
/ Actually, I kinda wonder how many real-world accounts out there have "correct horse battery staple" as the password.
Re:correct horse battery staple (Score:4, Interesting)
Eh. It kinda works. If your goal is to invade Amazon accounts using the method laid out in the strip, it's that much easier to do because by allowing you to use anything for a password, they're more likely to have people using simple repeat passwords that, even if not common for everyone, are common for the user. If those sites had more stringent requirements, you couldn't use your childhood dog's name as a password like you've been doing for various account passwords since high school.
But yeah -- this xkcd [xkcd.com] was probably the more applicable strip.
Re: (Score:2)
Requiring the site name in the password is stupid, anyone launching a brute force attack will simply take that (and any other policy requirements) into account, e.g. if you know the password policy requires mixed case and minimum length of 8 then you don't need to try all lowercase passwords or anything shorter than 8.
Similarly locking out after a number of guesses is dangerous, that means an attacker who doesn't know your password can still cause a denial of service against your account, and it's utterly inef
Re: (Score:2)
I use simple and easy for everything non-monetary related. For things like my bank I use very long and complex passwords that I have to write down in a book. If I ever lose this book I'm fucked.
WRONG, timeouts suck (DOS vector) (Score:2)
That's not even vaguely related to what CloudCracker does, which suggests to me that you haven't a clue what you're talking about.
This suggestion is reinforced by the fact that you recommend adding a "feature" which will allow me to prevent you from logging into any website I want, for near-arbitrary values of "you". There are right ways to do anti-brute-forcing protections on a password. Time delays (on remotely accessible unauthenticated login pages) are almost never the right option.
Much better is to aut
Re: (Score:2)
This is why you should use unique email addresses for each account. Gmail kind of supports this (they ignore . characters, and anything after a + character, when figuring out the mailbox to send a message to). So you can, for example, use yourgmailaddress+slashdot@gmail.com to sign up for Slashdot (not that you, AC, would ever do such a thing) and use yourgmailaddress+bankname@gmail.com when signing up for online banking, and be secure against the attack you describe unless somebody really clever figures ou