Hotmail To Ban Common Passwords
Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it. "We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). ... Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.'" This comes alongside a new feature that lets users send a report indicating a friend has had their account hacked.
My luggage! Nooooo
By the time I post this, someone else will already have posted the "combination on my luggage" joke.
That Hotmail still exists.
Oh man, I can't WAIT for the new millennium!
What if you really love cats?
"Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
Won't this just lead to new commonly used passwords while at the same time reducing the number of overall passwords possible? I would think they would need to regularly study what becomes common and ban those while unbanning old common passwords.
It would be ironic if someone would publish a list of all the banned passwords sorted by frequency of usage... the perfect tool for brute force attacks on non-hotmail sites.
http://xkcd.com/792/
I believe there was a misprint in the quote. It should read "Having a Hotmail account makes you vulnerable"
Seems like people need to start using a secure password generator: http://www.bizzeh.com/pass/
Why not limit the number of password tries in a given time unit?
3M's Post-It note division sales will increase, due to users writing down their passwords and storing them under their keyboards.
I say, if you can't secure your password you deserve to be hacked.
Their real problem isn't common passwords... it's enforcing a maximum password length (to around 15 chars). I assume Hotmail shares the same rules.
I had to check the year to make sure it wasn't 1998. Password length restrictions in 2011? WTF? Passphrases aren't some arcane nerd practice anymore. Lots of people use them now, usually because they're easier to remember.
I thought those passwords were encrypted, so how do they get the list of those common passwords? And aren't `recover your password` questions as common/flawed as having the password in place?
This is something that public access UNIX systems and universities with a ton of students learned ages ago, when all it took was a guy running Crack on /etc/passwd (before passwords were shadowed.)
Most operating systems have a small dictionary they check against so people using "12345" for something other than their luggage will be stopped immediately.
History just repeats itself... websites are now learning what operating system makers learned in the early 1990s -- keep the passwords well encrypted, and disallow obvious dictionary entries, so a brute force operation may take seconds to find a password rather than microseconds.
Doesn't Hotmail have minimum password requirements, like "at least 6 characters, 1 number, 1 capital letter" etc ?
What I find disturbing with features like this, is how the service (be it hotmail, linkedin, facebook, whatever) always assumes that when you receive crap from one of their users and want to report it so something is done about it, you also have an account yourself.
I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.
So the "my friend has been hacked" report should not be only in their mail user interface, but also in some publicly accessible webpage or even better in the handling of mail sent to abuse@.
Furthermore, having monitored events of "hacked hotmail accounts" for some time, I believe quite a number of them are not hacked by bruteforcing the password, but by phishing or luring the user into "when you fill in this questionnaire we will send you a free LED lamp" etc., where one of the questions in the questionnaire actually asks the user to provide their mail address and password.
Many naive users give all info you ask them for when promised a free gift.
Far better than simply outlawing "you can't use your username as your password". Same goes for the silly "can't use the last password as your current one". I never understood the reasoning behind the time based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months. Good passwords are worth keeping for years - as long as they actually are a good password. Are you supposed to be worried that you have given out your old password and forgotten about doing it? You can't stop an idiot from giving away his password. But you don't have to screw it up for the rest of us to help out the idiot.
The principle of the idea is sound, but the implications of them being--ironically--spammed to hide real problems is probably not appealing to them.
This is almost certainly true, but the features simply came out at the same time due to their relationship, and having your password brute forced is not a requirement to having your account flagged by your friend.
http://yro.slashdot.org/story/11/07/15/1216222/Mozilla-BrowserID-Decentralized-Federated-Login
I will say this again and again and again.
Hotmail needs to do this. Have a master pass, for whole account access, and a secondary pass, for accessing e-mail (viewing/composing/sending only).
If someone's secondary pass is compromised, no big deal. Just log in using a secure computer using the master pass and change the secondary pass. But the secondary pass would still need to be strong.
Now, that above is my suggestion. Currently, if the password is compromised, what prevents the alternative e-mail, mobile phone number, secret question (which probably has the answer posted on their social networking site anyways) from being changed?
I feel sorry for all the victims of spoofing being labelled as hacked.
Except in this scene (in Spaceballs), I think the password is: 0000.
That's what I use for everything.
More of big brother telling people what to do!
How would you expect to `reset your password` for your email, while the validation process requires you login to your email account?
How do you envision resetting your password on Hotmail, while the requirement might be for you to log in to get the reset password link?
Actually, it's good to mention Google's two way authentication here as well.
I know HSBC or some other banks had been using a similar method 20 years ago, and with better technologies, Google expands this with an app on Android phones (it works on my Android, never had an iPhone).
Personally I think it's a good idea. I'm glad Hotmail is implementing this feature. I think it makes the internet as a whole a safer place. What's different about this is that most security advances center around the system; this centers around the fact that Hotmail is a small part of their users' lives. This doesn't make Hotmail less hackable in any way, but it does (or is at least trying to) protect the user from having their reputation (is spam being sent from this account?) hijacked when another service gets cracked, and the user's shared password is compromised.
Email providers often ask for a secondary email when you sign up, just for this purpose; some services allow you to change it "in-place" (i.e., answer a few questions, type in the new password - not terribly secure, of course), some use SMS (I quite like that option).
With banks, you typically have to call them, which is fine - it's not something you have to do all that often.
Speaking of HSBC, they have this gimmick where you have two passwords, and one of them you have to enter by clicking letters on a little javascript keyboard (instead of typing) - I hate that thing, pointless security theater, and I always forget the second password.
sic transit gloria mundi
Won't this just cause new common passwords to arise?
Approx 20 years ago I wrote code for a system at work to do this; the list was hundreds of possibilities, including acronyms from work, userids and real names, stupid stuff like variations of 'password', etc. We had to do it cuz the customer (NASA) considered it "old hat, everyone else is doing this, why aren't we?"
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
The Google Two Way Authentication is similar to the SMS solution that you mentioned.
As for HSBC 20 years ago (not the Internet era yet, but using a modem to call into their server), it generated a second password for your next session.
I can't imagine that the "my friend has been hacked" button will last. I would imagine that the hackers would want to flood that button to obscure the real attacks. And it wouldn't be that hard to script....
I'm sick of having to remember so many complicated passwords. Now that Hotmail is going to force me to change my password to something I can't remember, I'm just going to have to migrate to another email company. Hopefully I can get the same user name part as I have now (ron_damon).
Are you adequate?
I've been using 8 asterisks for passwords so I can see what I'm typing.
I'd considered this sort of thing a while back -- there's really no need to use a set list of passwords.
Assuming that the passwords are being hashed, you can have a lookup table where you store:
(Password hash) + (Current # of accounts using that hash)
By setting a threshold for the ratio of (Current # of accounts using a hash) to (Total # of accounts), you can reasonably control the average entropy of passwords in the system.
For example, if you have 100,000 users in a system and set a threshold of 2%, the system would stop allowing anyone else to use that password.
Would be an interesting experiment to see what ratio comes up with the best balance between being secure vs. being too annoying to users.
The big downside of that type of dynamic system is that for low numbers of users, it may become easier to brute force which passwords are in use by iterating through the "change password" process. (Setting a limit on how many times an account can change their password in a given day would help slightly, but might not do much to stop a distributed attack)
In the case of Hotmail (or any other large provider), they're already starting with a large data set, so they'd be able to avoid that issue.
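The hash-count scheme described in this comment, as an added illustration (not the commenter's or Hotmail's code): the popularity index is keyed by an HMAC of the password under a system-wide secret (an assumption, so the index is deterministic yet not a plain wordlist target and stays separate from the salted login hashes), the threshold ratio is enforced as described, and two mitigations for the probing problem raised above are added: a minimum absolute count before the ratio applies, and a per-account daily limit on password changes. Class and method names and the sample user base are constructed.

```python
import hashlib
import hmac
from collections import Counter

class CommonPasswordGuard:
    """Reject a password once the share of accounts using it reaches a threshold.

    The index keys on an HMAC of the password under a system-wide secret, kept
    apart from the per-user salted login hashes (deterministic so that equal
    passwords collide; keyed so a leaked index is not a plain wordlist target).
    """

    def __init__(self, index_key: bytes, threshold: float,
                 min_count: int = 5, max_changes_per_day: int = 3):
        self.index_key = index_key
        self.threshold = threshold        # 0.02 means "2% of all accounts"
        self.min_count = min_count        # floor so a small user base cannot leak single passwords
        self.max_changes = max_changes_per_day
        self.counts = Counter()           # index digest -> number of accounts using it
        self.in_use = {}                  # account -> its current index digest
        self.changes = Counter()          # account -> password changes today

    def _digest(self, password: str) -> str:
        return hmac.new(self.index_key, password.encode(), hashlib.sha256).hexdigest()

    def is_too_common(self, password: str) -> bool:
        """True once max(min_count, threshold * total accounts) accounts share it."""
        cap = max(self.min_count, int(self.threshold * len(self.in_use)))
        return self.counts[self._digest(password)] >= cap

    def set_password(self, account: str, password: str) -> bool:
        """Register or change an account's password; False if rejected."""
        existing = account in self.in_use
        # Rate-limit changes so the index cannot be probed via "change password".
        if existing and self.changes[account] >= self.max_changes:
            return False
        if self.is_too_common(password):
            return False
        if existing:
            old = self.in_use[account]
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
            self.changes[account] += 1
        digest = self._digest(password)
        self.in_use[account] = digest
        self.counts[digest] += 1
        return True

if __name__ == "__main__":
    guard = CommonPasswordGuard(b"constructed-demo-key", threshold=0.02, min_count=2)
    for i in range(100):                  # constructed user base of 100 accounts
        guard.set_password(f"user{i}", f"unique-pw-{i}")
    print([guard.set_password(f"user{i}", "password1") for i in range(3)])  # [True, True, False]
```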
I would like to say, you go girl! This Catherine Kieu Becker sounds like a great women. We need more feminists like this. I hope that more little girls learn from her example and become the proud young women that this world deserves. We need to take this world back from the male oppressors one detached-penis at a time!
People need to use the browser's password manager to avoid remembering or entering any passwords. There is no reason to keep it in your head when your computer is perfectly capable of doing it.
The problem with the current implementation is that you still have to enter the master password every time you start the browser, which leads most people to just not set one, which leads to the passwords being stored on the disk unencrypted and easily stolen.
The solution we need is to integrate authentication for the password manager with the login process. Store the passwords in an encrypted file, with the account password as the key. A password daemon, like ssh-agent, running as root can securely load and decrypt your password file at login time. It will remain inaccessible except through a specific interface. The interface can authenticate the calling application by using socket credentials passing and allow the user to explicitly let the Firefox password manager (which will have to be a separate process and executable for this purpose) access the passwords.
This way the passwords are not accessible to any remote threat and are encrypted on disk to thwart any local threats. The user never has to enter any passwords except at login. Convenience and security.
...we should add basic security to the curriculum at schools? I'm sure I'll be parroting what others have said already, but all password systems need to allow letters (case mattering), numbers, and special characters. Further, I think they should require them. Length limits are good, and 8 is a decent starting point. Obvious passwords should be blacklisted, as is being done here. Perhaps implement a check against other user info like birth-date and such to refuse passwords involving 2 and 4 year birth year dates, etc.
Making password management easier for folks without it being a program they have to buy or spend a lot on will go a long way too. Being able to make one really long random strong password and have it applied to all websites would make things easier for the average user. Obviously they could then protect that with only one other password which they would need to memorize. Of course a keylogger could cause a problem there, but that's an issue no matter what.
At least with a central program, if a system was found to be rooted, once cleared the program could be used to push out a new password for all accounts, with a new master password for the program. No idea how feasible this would be though. First have to get all websites on board with decent password systems. Still far too many out there that restrict to text/digits only passwords, which is part of the problem. Especially when some of these sites are banks. Would also need sites to stop using login fields that a browser or other software cannot detect. That doesn't stop a keylogger, and only makes logins more of a PITA for the user.
What about people like me who have an account that I specifically use a really easy password for, because I DON'T CARE if someone hacks it. There's no information linked to this email address, it's never used for anything important, it's purely a throwaway email that I can use for sites that require arbitrary user registration that I will never use more than once.
Probably overlaps with:
Twitter's List Of 370 Banned Passwords
http://www.businessinsider.com/twitters-list-of-370-banned-passwords-2009-12
Anyone have the actual Hotmail list?
For every rule one adds to the creation of passwords, one decreases the number of possibilities. For example, with an 8 character password that must contain letters and numbers, you are removing 52^8 all-letter words and 10^8 all-digit words. As the number of rules gets larger, the number of possibilities gets smaller. I agree there should be a short list of banned passwords, but if the list is too big it just helps cracking.
That's the majority of Hotmail's user base. I mean, if they were smart enough to use a decent password, they (generally) wouldn't be using Hotmail, would they?
Now I'm going to have to change my password from hunter2 to something else
Then that means my brute force attacks can ignore the entire common password set and move on to the nitty gritty stuff, WOOT! Thanks Hotmail, ^_^b
That's possible.
Any dictionary of "common passwords" is going to have to be adaptive.
But the thing is, if you look at lists of common passwords, and of how many accounts can be compromised by them, the really common ones are really common.
Hotmail have taken a long-overdue step here. I'd love to see all major online service providers follow suit, though if we could just get major email providers (Google, Hotmail, Apple, Yahoo, AOL), and Facebook (used for single sign-on), we'd be ahead of the game.
There are still myriad problems with password recovery features (especially in a world of "free" online services which aren't tied to payments, a payment/credit card account, or billing address).
And there's the fundamental problem that most user-based networks are far more interested in increasing the number of users, not in boosting security. Security provisions slow sign-ups, and are fundamentally at odds with increasing userbase.
What part of "gestalt" don't you understand?
Password : /usr/bin/laden
You assume incorrectly that the user cares about the security of his account always.
I myself occasionally create accounts that I really don't care about; I just need them for temporary means. In such use cases, a thousand rules and fields to fill are just pointless. And BTW, I always thought the "mystery question/answer" was the most stupid security measure ever invented, even for my main accounts.
Warn the user: YES. Ban the simple or common passwords: NO.
Also, a lot of people here on Slashdot need to drop this high-and-mighty attitude regarding the complexity of passwords. They are not really solving the real security issues; it's mostly a brag issue: "Oh look, that guy just typed something like 25 characters for his password, he must be so awesome!".
I.e., how Microsoft is actually doing this password analysis, because we would presume that they're smart enough not to store them in clear text so anonymous/lulzsec/etc. can come steal them. I wouldn't be surprised if they just popped themselves up on the radar of hacker groups: "Hey guys, M$ must be storing about 50 million passwords in clear text!!1" Certainly, you can compare hashes to get a count of identical passwords, but then how do you know what those passwords actually are in order to ban them?