Slashdot Mirror
Ask Slashdot: Changing Passwords For the New Year?
New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
I use a free implementation of the Stanfard PwdHash algorithm for the Mac called Locksmith (here on the app store). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
"Sufferin' succotash."
What a good way to harvest guessing algorithms... Not giving you mine!
but it's the new year time to change password12 to password1
https://lastpass.com/
http://xkcd.com/936/
Enough said.
Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.
"Once in Hawaii I had sex with a 102 year old male turtle. It is difficult to argue that it was consensual." - Steve Ma
Keepass is available for Blackberry, ios, android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)
In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.
As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!
I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.
And since it's easy to find out what the make of my first car was, or what year I graduated, I have an alter ego with answers to those questions. I know what year "she" was born, "her" mother's maiden name, etc.
As an extra layer, I don't just answer "What year did you graduate high school" with: 1938.
I say: "year1938". And one more layer:
Since this is likely stored as plain text, I have a site-unique word mixed in:
"year1938banking"
I have sufficiently secure passwords that I see no benefit in changing just because.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.
Tequila: It's not just for breakfast anymore!
If you look at all the possible attack vectors and scenarios changing your passwords once a year change your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.
Picking good (as in hard to crack) passwords is more important. For random web properties using different passwords for each so when one is compromised and caught storing passwords in plain text only one account is compromised is key.
However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.
This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.
Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the users private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user, it's a low value attack.
What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.
If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be huge leap forward.
Far too many websites actually DO store the password (because they're idiots)
That's exactly what I was thinking. For any site that maters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?
But I gotta ask, Why bother changing every year?
Changing a secure password offers no additional security. Its not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think?
The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different
finger each day.
Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits
to the key, which becomes pretty easy to guess.
Sig Battery depleted. Reverting to safe mode.
Why under the keyboard? If someone breaks into my house, the last thing I will worry about is them stealing my passwords. Really, complex password schemes for trivial website and blog registrations is just an exercise in vanity. Guess what? Nobody cares!
Changing a secure password offers no additional security. Its not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.
As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".
Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
Website users aren't the same as OS users.
Most website developers don't even understand what a hash is. They are simply not capable of using hashes on their sites, even less to do some sane salting. Most of the top used development frameworks also don't help securing passwords, some even make them harder to secure.
That said, I don't care about people harvesting the passwords I use on most sites.
Rethinking email
How could he be? Every new years eve he's busy changing his passwords
I can tell you that RCN cable does. I was with RCN for many years, even using their email. Two years ago I moved, and transferred my service. During the transfer process on the phone, they asked me my 'PIN' number for my voicemail. I didn't know it, because I never set one as I never used RCN voicemail. After answering some other questions, they told me over the phone what my 'PIN' was. Lo and behold it was my RCN email password, that I would never have given them as a voicemail PIN!!! It was complicated and hard for the person on the phone to read, and I was thinking to myself "where the f**k did you get that?"...
No. Don't ever reuse passwords, even if you add a suffix like 'rcn' at the end...
Shouldn't you be doing something useful?
Think of the websites you've used. How many at some point or another have actually emailed your password to you rather than just let you reset it with an email link? I know I have several dozen accounts and a few do indeed email me my password when I pick one. That means they have it in their data somewhere at least at some point in time.
Congratulations, only a few characters have to be guessed for each site!
Not only that. You say 'hey this is insecure' you have to prove it with an exploit. They will fix the exploit missing the point...
Then you they look at you like you are weird trying to attack the site. Got yelled at once for 2 hours straight by a manager who worked on a different product for doing this. Even though my boss explicitly told me to do it. At that point I realized no one really cares until they are hacked and it is in the news.
So I use a pattern based password for web sites and when I buy things I use a 1 time used credit card number.
For example if you had said 2 years ago that sony would have in the wild their entire db for credit cards people would have laughed at you. Now not so much. Security is an afterthought many times.
I dont even bother mentioning it on my projects anymore. No one cares. Or it is 'something we will fix later'.
So I *know* I am not alone in this and this just a small sample. So I use passwords that match the site one to one. Do not reuse them anywhere. And one time credit card info.
Bergen University College in Bergen, Norway store plain-text passwords and will email them to you if you request a reset.
Using a commercial system they pay for as an alumni website... I've tried and tried again to point out how stupid it is for a technical college to have such a flaw but they ignore it.
Hopefully there are no other flaws in the site (hah!) :p
Just a real world example of arse security in what one would hope was a serious site.
XKCD on password security.
http://xkcd.com/936/
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.
A NYC lawyer blogs. http://www.chuangblog.com/
Some banks I know, Wells Fargo and Capital One do. Try a simple experiment, try logging in with your password in wrong caps, you would still be able to login. I would be really really surprised if they were using a case insensitive hash instead of storing the text and making a case insensitive comparison.
Hashing is not enough. Proper security is only obtained by salting the passwords before hashing. Without salting, password hashes are only slightly better than clear text, as they are vulnerable to rainbow table attacks. Rainbow tables for 11 character passwords already exist.
Drupal (a popular PHP CMS software) did not salt their password hashes until version 7 (http://stackoverflow.com/questions/5031662/what-is-drupals-default-password-encryption-method), and version 7 came out in 2011. This means most drupal users' passwords have never been secure from attack. And if a popular, widely used have gaping holes like this, all of the home grown websites are probably worse.
Basically, most people are clueless about password security, even if they are know they shouldn't store clear text passwords. Much better to not trust the websites and have different passwords for your "important" stuff.
In Soviet Russia, articles before post read *you*!
My method has slowly evolved over the years. I grew up on a crappy dial up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password in several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.
Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.
More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letter on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.
One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 character, easy to remember, and super fast to type on my computer and moble device. Entering the password is much more natural. I can swype on my moble and bounce over to the number pad on my desktop. I work in IT constantly get comments of shock from users when they see me enter my long passwords on systems.
I do reuse passwords on sites more often then I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then everything else password. That everything else password is used on all accounts that I don't care about or don't impact me financially. The everything else password never gets changed. I will usually take 3 guesses at a password on a site. If its not my current one, previous one, or the everything password. I then request a password reset and set it to the everything password.
I never know what to put for a password hint on the sites that ask.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
Get this. A school I know of uses a five digit numeric password for all student accounts enabling them to access their grades, financial information, FAFSA info, class registration, and so on. On top of using a standard password that no one changes (the last four of their SSN!) for these accounts some smart smarty thought about security and set a three attempt lockout on passwords. Long story short, this permits a script kiddie attack to lock out every student from their account in a few minutes. This would result in total havoc and there would be no way to stop/recover without consuming every defensive measure in their arsenal for the network. In reality, I don't think their is any way to prevent it without dropping the system off the Internet. At a good university where you have talented students in computer science this system would have already been owned numerous times and subsequently fixed. But as it stands, it is an obscure system so it is not a high-profile target.
Another thing I should mention, according to the state attorney general's office (just a had an in-person training session): per the sunshine laws our school (any school) would have to cough up the email addresses for every student were anyone were to request a list. Most schools might deny it but he (Deputy Attorney General) suggested just complying with any such request to avoid a lawsuit.
I object to power without constructive purpose. --Spock
Or, they could be converting passwords to lowercase before hashing them.
Git + GPG + a GPG-VIM plugin.
I use "vim" to edit my password file as if it is plain-text; git pull/commit/push to make changes to it.
If I need to roll back, I check out an older copy of the file.
Of course they know this, he just advertised it on a the goddamned Slashdot frontpage!
Random Thoughts From A Diseased Mind (Not For Dummies)
Your statement doesn't take several risk factors into account. Ultimately, risk is something you have to assess for yourself: what is the value of your passwords? Are you guarding multi-million dollar corporate secrets, or are you risking a $50 credit card fee? It makes a difference as to how much effort to put into the task.
Long, random character passwords that are written down using actual pen-on-paper are still very secure against network based attacks. I have yet to see the virus that can read the password off a sticky note.
Having them on a piece of paper stuck in to your monitor in your house is going to expose them only to the people you invite in. Now, if you're talking about passwords at work, then you have coworkers, cleaning people, maintenance people, and all sorts of random passers-by that can read the note. Yes, those are less secure. But again, what are you guarding?
Having them inside a locked desk drawer improves the situation by quite a bit. Only someone who is specifically targeting you is likely to go after them. And if someone's targeting you personally, they'll probably do it the easy way with a keyboard sniffer or virus, rather than trying to break in to your office, bribe your janitor, or pick your desk drawer lock.
That said, in all cases you're still better off with an encrypted storage tool like a yubikey. Keep them with you, keep them encrypted. Much harder to leak that way.
John
I keep my passwords safe by not bragging about my selection strategies on slashdot.
That's not because the developers of mailman were idiots. It's because they assumed that the users were not idiots,
Uh, doesn't that make the developers of mailman idiots? How stupid would you have to be to make such an assumption about users?
... and then they built the supercollider.
Or they could just, you know, go around the whole thing. For an example I bet a lot of guys here have seen spam lately coming from the Yahoo accounts of old friends and are wondering WTF? I can answer that, the malware guys have figured out a way around the XSS protection in FF and whenever your friend looks at a porn "free videos!" site in FF it loads a hidden iFrame and then gets FF to autocomplete and loads the Yahoo email addresses and spams the shit out of them with driveby malware links. Don't ask me how they got out the sandbox as i'm not a browser security expert, fucked if i know, what I CAN tell you is that it works in FF but not Chrome based or IE, and it works in yahoo but not Gmail or Hotmail. Haven't tried it with FF 9 as I'm on vacation but it worked with FF 8. I'm sure there is enough guys off on the holidays I'll know if it still works if I start getting yahoo spam again.
And this is just one nasty and not counting hacking the website itself, which we have seen everything from governments to kernel.org get pwned this year so his little system probably wouldn't work too good if just two of the sites he goes to gets pwned so they can compare. Personally if he wants to go through all that work more power to 'em i say, everybody needs a hobby, but I'd just rather not have data worth giving a crap about on most sites and the few where i spend money at have a really solid password based on the serial along with make and model of one of my basses. i know my basses by heart so whipping that off is easy and the combo of letters numbers and symbols is nice and long and won't show up on a dictionary attack with me capitalizing all vowels. Easy for me to use, easy to remember, hard to hack.
ACs don't waste your time replying, your posts are never seen by me.
Password Safe (pwsafe) + Dropbox. Store enough information to deduce your master key with your final instructions for your spouse or will executor. Don't have final instructions/Will/Life insurance? :( Everyone calls finally() eventually.