Slashdot Mirror
Ask Slashdot: Changing Passwords For the New Year?
New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
I use a free implementation of the Stanfard PwdHash algorithm for the Mac called Locksmith (here on the app store). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
"Sufferin' succotash."
What a good way to harvest guessing algorithms... Not giving you mine!
but it's the new year time to change password12 to password1
https://lastpass.com/
http://xkcd.com/936/
Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.
"Once in Hawaii I had sex with a 102 year old male turtle. It is difficult to argue that it was consensual." - Steve Ma
Keepass is available for Blackberry, ios, android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)
In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.
As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!
I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.
I have sufficiently secure passwords that I see no benefit in changing just because.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.
Tequila: It's not just for breakfast anymore!
If you look at all the possible attack vectors and scenarios changing your passwords once a year change your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.
Picking good (as in hard to crack) passwords is more important. For random web properties using different passwords for each so when one is compromised and caught storing passwords in plain text only one account is compromised is key.
However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.
This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.
Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the users private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user, it's a low value attack.
What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.
If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be huge leap forward.
Far too many websites actually DO store the password (because they're idiots)
To whoever stole my account, please give it back.
That's exactly what I was thinking. For any site that maters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?
But I gotta ask, Why bother changing every year?
Changing a secure password offers no additional security. Its not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think?
The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different
finger each day.
Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits
to the key, which becomes pretty easy to guess.
Sig Battery depleted. Reverting to safe mode.
Changing a secure password offers no additional security. Its not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.
As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".
Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
My password files just look like this:
/dev/random.
user: damnstupidelf
pass: glintprickjuliatrunkwouldexcelhymnallearhopbloat
first girlfriend: razeblazetrudytdmoltnobitalysankassetzd
high school: actsdrurybyrneavailprofit'llsjmeaddrawpave
some_other_weakest_link_in_site_security_question: alleysandalohmichead60fendweighhamlinwillstout
I sign up for site accounts using email addresses at random domains that will expire soon. No chance of plaintext password-reset emails being sent out and intercepted unless the site uses a non-SSL third party relay.
The password files are symmetrically encrypted with a passphrase that isn't used anywhere else. Long diceware passphrases are immune to rainbow tables, dictionary and brute force attacks, and rubber hose cryptanalysis (I can't remember them), although some worthless sites limit the length of password form fields (shouldn't the site salt and hash passphrases to a fixed number of bits immediately, thus negating the need to limit the length? Yes.) and I have to revert to uuencoding 16 bytes from
The password files are on an encrypted partition using an ephemeral key on a netbook and there's a generator for power outages longer than a couple hours. Alt-SysRq-B has been modified to wipe RAM before rebooting. I hooked up a USB heart monitor as an actual deadman switch to use when I sleep.
NO ONE is getting my WoW forum credentials.
Think of the websites you've used. How many at some point or another have actually emailed your password to you rather than just let you reset it with an email link? I know I have several dozen accounts and a few do indeed email me my password when I pick one. That means they have it in their data somewhere at least at some point in time.
Bergen University College in Bergen, Norway store plain-text passwords and will email them to you if you request a reset.
Using a commercial system they pay for as an alumni website... I've tried and tried again to point out how stupid it is for a technical college to have such a flaw but they ignore it.
Hopefully there are no other flaws in the site (hah!) :p
Just a real world example of arse security in what one would hope was a serious site.
XKCD on password security.
http://xkcd.com/936/
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.
A NYC lawyer blogs. http://www.chuangblog.com/
Get this. A school I know of uses a five digit numeric password for all student accounts enabling them to access their grades, financial information, FAFSA info, class registration, and so on. On top of using a standard password that no one changes (the last four of their SSN!) for these accounts some smart smarty thought about security and set a three attempt lockout on passwords. Long story short, this permits a script kiddie attack to lock out every student from their account in a few minutes. This would result in total havoc and there would be no way to stop/recover without consuming every defensive measure in their arsenal for the network. In reality, I don't think their is any way to prevent it without dropping the system off the Internet. At a good university where you have talented students in computer science this system would have already been owned numerous times and subsequently fixed. But as it stands, it is an obscure system so it is not a high-profile target.
Another thing I should mention, according to the state attorney general's office (just a had an in-person training session): per the sunshine laws our school (any school) would have to cough up the email addresses for every student were anyone were to request a list. Most schools might deny it but he (Deputy Attorney General) suggested just complying with any such request to avoid a lawsuit.
I object to power without constructive purpose. --Spock
Of course they know this, he just advertised it on a the goddamned Slashdot frontpage!
Random Thoughts From A Diseased Mind (Not For Dummies)
Your statement doesn't take several risk factors into account. Ultimately, risk is something you have to assess for yourself: what is the value of your passwords? Are you guarding multi-million dollar corporate secrets, or are you risking a $50 credit card fee? It makes a difference as to how much effort to put into the task.
Long, random character passwords that are written down using actual pen-on-paper are still very secure against network based attacks. I have yet to see the virus that can read the password off a sticky note.
Having them on a piece of paper stuck in to your monitor in your house is going to expose them only to the people you invite in. Now, if you're talking about passwords at work, then you have coworkers, cleaning people, maintenance people, and all sorts of random passers-by that can read the note. Yes, those are less secure. But again, what are you guarding?
Having them inside a locked desk drawer improves the situation by quite a bit. Only someone who is specifically targeting you is likely to go after them. And if someone's targeting you personally, they'll probably do it the easy way with a keyboard sniffer or virus, rather than trying to break in to your office, bribe your janitor, or pick your desk drawer lock.
That said, in all cases you're still better off with an encrypted storage tool like a yubikey. Keep them with you, keep them encrypted. Much harder to leak that way.
John
I keep my passwords safe by not bragging about my selection strategies on slashdot.