Hotmail To Ban Common Passwords
Time and again, when security breaches reveal large numbers of user passwords, analysis shows there are particular passwords commonly used by a significant percentage of the userbase. Now, an anonymous reader tips news that Hotmail is trying to do something about it. "We will now prevent our customers from using one of several common passwords. Having a common password makes your account vulnerable to brute force 'dictionary' attacks, in which a malicious person tries to hijack your account just by guessing passwords (using a short list of very common passwords). ... Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants.'" This comes alongside a new feature that lets users send a report indicating a friend has had their account hacked.
My luggage! Nooooo
By the time I post this, someone else will already have posted the "combination on my luggage" joke.
That Hotmail still exists.
Oh man, I can't WAIT for the new millennium!
Won't this just lead to new commonly used passwords while at the same time reducing the number of overall passwords possible? I would think they would need to regularly study what becomes common and ban those while unbanning old common passwords.
Why not limit the number of password tries in a given time unit?
3M's Post-It note division sales will increase, due to users writing down their passwords and storing them under their keyboards.
I'll admit that a couple of passwords I thought were 'clever' have shown up on these lists, and it's convinced me to change them to something less common.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
I thought those passwords are encrypted, so how do they get the list of those common passwords? And aren't 'recover your password' questions as common/flawed as having a password in place?
This is something that public access UNIX systems and universities with a ton of students learned ages ago, when all it took was a guy running Crack on /etc/passwd (before passwords were shadowed.)
Most operating systems have a small dictionary they check against so people using "12345" for something other than their luggage will be stopped immediately.
History just repeats itself... websites are now learning what operating system makers learned in the early 1990s -- keep the passwords well encrypted, and disallow obvious dictionary entries, so a brute force operation may take seconds to find a password rather than microseconds.
What I find disturbing with features like this is how the service (be it Hotmail, LinkedIn, Facebook, whatever) always assumes that when you receive crap from one of their users and want to report it so something is done about it, you also have an account yourself.
I want to be able to report that I receive spam from one of their users WITHOUT having to create an account on their system.
So the "my friend has been hacked" report should not be only in their mail user interface, but also in some publicly accessible webpage or even better in the handling of mail sent to abuse@.
Furthermore, having monitored events of "hacked Hotmail accounts" for some time, I believe quite a number of them are not hacked by brute-forcing the password, but by phishing or luring the user into "when you fill in this questionnaire we will send you a free LED lamp" etc., where one of the questions in the questionnaire actually asks the user to provide their mail address and password.
Many naive users give all info you ask them for when promised a free gift.
No. And above all, see the comment above about a max password length for Live.com accounts. (Hotmail is part of Live.com now.)
Far better than simply outlawing "you can't use your username as your password". Same goes for the silly "can't use the last password as your current one". I never understood the reasoning behind the time-based password change. No one expects people to get a new key every six months for their home lock. No one expects someone to get a new ATM card every 6 months. Good passwords are worth keeping for years - as long as they actually are good passwords. Are you supposed to be worried that you have given out your old password and forgotten about doing it? You can't stop an idiot from giving away his password. But you don't have to screw it up for the rest of us to help out the idiot.
excitingthingstodo.blogspot.com
Ilove3cats
well, you just have to check and see if "ireallylovecats" is on the blacklist. If it is, try "ireallyreallylovecats." Rinse and repeat (not the cats).
Is it just me, or does that graph look an awful lot like a fish without a head?
The principle of the idea is sound, but the implications of them being--ironically--spammed to hide real problems is probably not appealing to them.
This is almost certainly true, but the features simply came out at the same time due to their relationship, and having your password brute forced is not a requirement to having your account flagged by your friend.
What if you really love cats?
Oh please, no one loves cats more than this girl
http://youtu.be/mTTwcCVajAc
Summation 2
Except in this scene (in Spaceballs), I think the password is: 0000.
That's what I use for everything.
How would you expect to 'reset your password' for your email, while the validation process requires you to log in to your email account?
How do you envision resetting your password on Hotmail, while the requirement might be for you to log in to get the reset password link?
Actually, it's good to mention Google's two-way authentication here as well.
I know HSBC or some other banks had been using a similar way 20 years ago, and with better technologies, Google expands this with an app on Android phones (it works on my Android; I've never had an iPhone).
You can create a 100% secure password:
il0v3c4ts
I use this technique all the time. Usually I just use the name of the service, like bankofamerica, and change Es to 3s, etc. Do you get it? An E and a 3 look kinda the same... but backwards!!! Brilliant!
This is totally bulletproof. No hackers have ever heard of this amazing technique. Everyone should use it.
Personally I think it's a good idea. I'm glad Hotmail is implementing this feature. I think it makes the internet as a whole a safer place. What's different about this is that most security advances center around the system; this centers around the fact that Hotmail is a small part of their users' lives. This doesn't make Hotmail less hackable in any way, but it does (or is at least trying to) protect the user from having their reputation (is spam being sent from this account?) hijacked when another service gets cracked and the user's shared password is compromised.
Email providers often ask for a secondary email when you sign up, just for this purpose; some services allow you to change it "in-place" (i.e., answer a few questions, type in the new password - not terribly secure, of course), some use SMS (I quite like that option).
With banks, you typically have to call them, which is fine - it's not something you have to do all that often.
Speaking of HSBC, they have this gimmick where you have two passwords, and one of them you have to enter by clicking letters on a little JavaScript keyboard (instead of typing) - I hate that thing, pointless security theater, and I always forget the second password.
sic transit gloria mundi
Won't this just cause new common passwords to arise?
Approximately 20 years ago I wrote code for a system at work to do this; the list was hundreds of possibilities, including acronyms from work, user IDs and real names, stupid stuff like variations of 'password', etc. We had to do it because the customer (NASA) considered it "old hat, everyone else is doing this, why aren't we?"
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
The Google two-way authentication is similar to the SMS solution that you mentioned.
As for HSBC 20 years ago (not the Internet era yet, but using a modem to call into their server), it generated a second password for your next session.
I less than three cats!
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
I can't imagine that the "my friend has been hacked" button will last. I would imagine that the hackers would want to flood that button to obscure the real attacks. And it wouldn't be that hard to script....
I'm sick of having to remember so many complicated passwords. Now that Hotmail is going to force me to change my password to something I can't remember, I'm just going to have to migrate to another email company. Hopefully I can get the same user name part as I have now (ron_damon).
Are you adequate?
It's a heck of an improvement over lowercase alpha-only passwords.
They'll just add another word to it, such as ilovelasercats.
In Soviet Russia, Trojan exploits YOU!
Given the hash in a common format, applications like L0phtCrack could take this out in about 20 minutes or less... We won't even start with how fast rainbow tables or brute force could whip through it at a length of only 9 characters and only using alphanumerics.
There is even a specific option to slightly increase the cracking time by checking for letter - number - symbol substitution, which it will do before attempting brute-force checking.
Not really any more secure at all. Sorry. I used to use L0pht on a network I administered to check for passwords this weak. And without fail they would take at most a couple of hours to find.
Ok, I give myself the "whoosh" of the day award. Carry on...
Or change it to: icanhazpassword
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
I don't think you're clear on what brute force means.
This is not the funny you're looking for.
I've been using 8 asterisks for passwords so I can see what I'm typing.
Sure, with the hashes you can break the passwords quickly, but that requires you first have the hashes. Now think about attacking over the web and brute forcing it. Let's assume they're brain dead and allow you to try all day long. How fast can you try passwords? Remember, you have to consider not only your connection speed, but their speed and the rate their server can answer.
I recently tested hydra on a full duplex 100Mbit network with just two computers on it, one being an ssh server and the other the attacker. The best speed I could sustain was around 220 tries/min. Assuming a 6 character password, lowercase only (English), if an attacker tried for 30 days non-stop and knew the character set, and knew it was 6 characters long, their chance of guessing the password would be (6^26/220/60/24)*30/(6^26) = 0.01%
Keep in mind, out of some 30-odd real-life attacks against an SSH server I've got data on, the fastest attack I've seen is about 150 tries/min and that attack lasted less than 4 minutes. Obviously, if you use a dictionary attack and a dictionary password, the chance of brute forcing it jumps dramatically. But the actual data I have shows most usernames are tried only 1-3 times (depending on the attack) before the attacker moves on to the next account.
But the fact remains, it's not web brute force attacks that need to be feared. It's a server compromise where the hashes are compromised that is to be feared. And with Amazon's GPU clusters available for rent, the best hash can be brute forced quickly and cheaply.
Hotmail's changes are like the TSA. Lots of noise, inconvenience, and expense, but little to no real security improvement.
I'd considered this sort of thing a while back -- there's really no need to use a set list of passwords.
Assuming that the passwords are being hashed, you can have a lookup table where you store:
(Password hash) + (Current # of accounts using that hash)
By setting a threshold for the ratio of (Current # of accounts using a hash) to (Total # of accounts), you can reasonably control the average entropy of passwords in the system.
For example, if you have 100,000 users in a system and set a threshold of 2%, the system would stop allowing anyone else to use that password.
Would be an interesting experiment to see what ratio comes up with the best balance between being secure vs. being too annoying to users.
The big downside of that type of dynamic system is that for low numbers of users, it may become easier to brute force which passwords are in use by iterating through the "change password" process. (Setting a limit on how many times an account can change their password in a given day would help slightly, but might not do much to stop a distributed attack)
In the case of Hotmail (or any other large provider), they're already starting with a large data set, so they'd be able to avoid that issue.
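The threshold scheme sketched in this comment, with the two caveats it raises (a ratio is meaningless for a tiny user base, and the change-password flow can be used to probe which passwords are popular), as an added example that is not part of the original post. The HMAC key, the floor of 10 duplicates and the cap of 3 changes per day are constructed values; the 2 % threshold is the comment's own figure.

```python
import hmac
import hashlib
from collections import Counter, defaultdict

COUNTER_KEY = b"constructed-demo-key"  # constructed; a real key lives in a KMS/HSM
THRESHOLD = 0.02        # 2 % of accounts, the figure used in the comment
MIN_DUPLICATES = 10     # hypothetical floor so a tiny user base is not locked out
CHANGES_PER_DAY = 3     # hypothetical per-account cap on password changes

class PopularityGuard:
    """Reject a password once the share of accounts using it exceeds THRESHOLD.
    Counting needs equal passwords to map to equal keys, so the table is keyed
    by an HMAC of the password, held apart from the per-account salted login
    hash: if the HMAC key leaks, this table is an unsalted hash list."""

    def __init__(self):
        self.counts = Counter()          # digest -> accounts currently using it
        self.current = {}                # account -> digest of its password
        self.changes = defaultdict(int)  # (account, day) -> change attempts

    def _digest(self, password):
        return hmac.new(COUNTER_KEY, password.encode(), hashlib.sha256).digest()

    def too_popular(self, account, password):
        d = self._digest(password)
        others = self.counts[d] - (self.current.get(account) == d)
        total = len(self.current) + (account not in self.current)
        return others + 1 > max(THRESHOLD * total, MIN_DUPLICATES)

    def set_password(self, account, password, day):
        """Return (accepted, reason); the daily cap runs first so that probing
        the table through change-password is throttled per account."""
        self.changes[(account, day)] += 1
        if self.changes[(account, day)] > CHANGES_PER_DAY:
            return False, "rate-limited"
        if self.too_popular(account, password):
            return False, "too-common"
        d = self._digest(password)
        if account in self.current:
            self.counts[self.current[account]] -= 1
        self.counts[d] += 1
        self.current[account] = d
        return True, "ok"

def demo():
    """1000 distinct passwords, then count how many more accounts may pick
    'ilovecats' before the 2 % ceiling closes it; then hit the change cap."""
    g = PopularityGuard()
    for i in range(1000):
        g.set_password(f"user{i}", f"unique-pw-{i}", day=1)
    adopted = 0
    while g.set_password(f"cat{adopted}", "ilovecats", day=1)[0]:
        adopted += 1
    probe = [g.set_password("probe", f"guess-{n}", day=2)[1] for n in range(4)]
    return adopted, probe
```

With 1000 accounts the 21st account to pick the same password is refused; the floor is what lets the first accounts register at all.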
People need to use the browser's password manager to avoid remembering or entering any passwords. There is no reason to keep it in your head when your computer is perfectly capable of doing it.
The problem with the current implementation is that you still have to enter the master password every time you start the browser, which leads most people to just not set one, which leads to the passwords being stored on the disk unencrypted and easily stolen.
The solution we need is to integrate authentication for the password manager with the login process. Store the passwords in an encrypted file, with the account password as the key. A password daemon, like ssh-agent, running as root can securely load and decrypt your password file at login time. It will remain inaccessible except through a specific interface. The interface can authenticate the calling application by using socket credential passing and allow the user to explicitly let the Firefox password manager (which will have to be a separate process and executable for this purpose) access the passwords.
This way the passwords are not accessible to any remote threat and are encrypted on disk to thwart any local threats. The user never has to enter any passwords except at login. Convenience and security.
...we should add basic security to the curriculum at schools? I'm sure I'll be parroting what others have said already, but all password systems need to allow letters (case mattering), numbers, and special characters. Further, I think they should require them. Length limits are good, and 8 is a decent starting point. Obvious passwords should be blacklisted, as is being done here. Perhaps implement a check against other user info like birth date and such to refuse passwords involving 2- and 4-digit birth years, etc.
Making password management easier for folks without it being a program they have to buy or spend a lot on will go a long way too. Being able to make one really long random strong password and have it applied to all websites would make things easier for the average user. Obviously they could then protect that with only one other password which they would need to memorize. Of course a keylogger could cause a problem there, but that's an issue no matter what.
At least with a central program, if a system was found to be rooted, once cleared the program could be used to push out a new password for all accounts, with a new master password for the program. No idea how feasible this would be though. First have to get all websites on board with decent password systems. Still far too many out there that restrict to text/digits only passwords, which is part of the problem. Especially when some of these sites are banks. Would also need sites to stop using login fields that a browser or other software cannot detect. That doesn't stop a keylogger, and only makes logins more of a PITA for the user.
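The checks this comment asks for (minimum length, required character classes, a blacklist, and a birth-year test), as an added example that is not part of the original post. The blacklist holds only the passwords named on this page, and the leet-substitution table that catches spellings like 'il0v3c4ts' (mentioned earlier in the thread) is a constructed approximation of what cracking tools try.

```python
import re

# Constructed blacklist: just the examples this page itself names.
COMMON_PASSWORDS = {"password", "123456", "12345", "ilovecats", "gogiants"}
MIN_LENGTH = 8   # the starting point suggested in the comment

# Hypothetical substitution table: undo the usual digit/symbol-for-letter swaps
# so the blacklist lookup is not defeated by 'il0v3c4ts'.
LEET = str.maketrans("0134$@!", "oieasai")

def normalise(password):
    return password.lower().translate(LEET)

def check_password(password, birth_year=None, username=None):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = re.search(r"[A-Za-z]", password)
    has_digit = re.search(r"[0-9]", password)
    has_symbol = re.search(r"[^A-Za-z0-9]", password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs a letter, a digit and a symbol")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if birth_year is not None:
        year = str(birth_year)
        # Both the 4-digit and the 2-digit form of the birth year are refused.
        if year in password or year[-2:] in password:
            problems.append("contains birth year")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    return problems
```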
Probably overlaps with:
Twitter's List Of 370 Banned Passwords
http://www.businessinsider.com/twitters-list-of-370-banned-passwords-2009-12
Anyone have the actual Hotmail list?
For every rule one adds to the creation of passwords, one decreases the number of possibilities. For example, with an 8-character password that must contain letters and numbers, you are removing 52^8 all-letter words and 10^8 all-digit words. As the number of rules gets larger, the number of possibilities gets smaller. I agree there should be a short list of banned passwords, but if the list is too big it just helps cracking.
That's possible.
Any dictionary of "common passwords" is going to have to be adaptive.
But the thing is, if you look at lists of common passwords, and of how many accounts can be compromised by them, the really common ones are really common.
Hotmail have taken a long-overdue step here. I'd love to see all major online service providers follow suit, though if we could just get major email providers (Google, Hotmail, Apple, Yahoo, AOL), and Facebook (used for single sign-on), we'd be ahead of the game.
There are still myriad problems with password recovery features (especially in a world of "free" online services which aren't tied to payments, a payment/credit card account, or billing address).
And there's the fundamental problem that most user-based networks are far more interested in increasing the number of users, not in boosting security. Security provisions slow sign-ups, and are fundamentally at odds with increasing userbase.
What part of "gestalt" don't you understand?
I am glad you mentioned that xkcd. It's funny, and quite possibly true. I don't know why someone marked you down as a troll. If anything, it may be off-topic.
You assume incorrectly that the user cares about the security of his account always.
I myself occasionally create accounts that I really don't care about; I just need them for temporary purposes. In such use cases, a thousand rules and fields to fill in are just pointless. And BTW, I always thought the "mystery question/answer" was the most stupid security measure ever invented, even for my main accounts.
Warn the user: YES. Ban the simple or common passwords: NO.
Also, a lot of people here on Slashdot need to drop this high-and-mighty attitude regarding the complexity of passwords. They are not really solving the real security issues; it's mostly a brag issue: "Oh look, that guy just typed something like 25 characters for his password, he must be so awesome!".
I.e., how Microsoft is actually doing this password analysis, because we would presume that they're smart enough not to store them in clear text so anonymous/lulzsec/etc. can come steal them. I wouldn't be surprised if they just popped themselves up on the radar of hacker groups: "Hey guys, M$ must be storing about 50 million passwords in clear text!!1" Certainly, you can compare hashes to get a count of identical passwords, but then how do you know what those passwords actually are in order to ban them?