Mitigating Password Re-Use From the Other End

An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious— kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"

Forcing strong passwords in the first place.

[bejiitas_wrath]

This seems like a good way to enforce strong password policies. if they are strong enough; they should help prevent password re-use. The only problem with this is the problem of people writing these down. We need a better online authentication system for 2013.

Re:Forcing strong passwords in the first place.

So they can't use the same strong password on every site..?

Re:Forcing strong passwords in the first place.

[war4peace]

LastPass used to scream at me when I was doing that, so I disabled that functionality.

Re:Forcing strong passwords in the first place.

[neokushan]

How does using a strong password prevent password re-use?

Re:Forcing strong passwords in the first place.

[adolf]

How does using a strong password prevent password re-use?

It doesn't. I believe it may even encourage re-use.

Re:Forcing strong passwords in the first place.

[Dunbal]

How about instead coding a site properly so it won't get hacked in the first place? Put the effort and resources there.

Re:Forcing strong passwords in the first place.

[AK+Marc]

No, they can't. There are a number of sites with incompatible password standards. If sites standardized on incompatible standards, then there wouldn't be an issue. I've seen some with 8 char requirement (no more, no less), and others that require more than 8. Some must start with an alpha, others that must contain a capital, lower, special, and number, so make requirements that are incompatible. Some must start with an alpha, others must start with a number.

Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.

Or, forget caring. If they lose control of a password, then it's their fault.

Re:Forcing strong passwords in the first place.

[ldcroberts]

easy, just take the users attempted password and user name and try and log in to any of 100 other sites with it, if you can then reject it.

Re:Forcing strong passwords in the first place.

[feedayeen]

My passwords all come in the following variations

yyyyyy
xxxxxxxxxx
Xxxxxxxxxx
Xxxxxxxxxx1
Xxxxxxxxxx_1

tell me again how strong password policies prevent re-use.

Re:Forcing strong passwords in the first place.

[Yaotzin]

Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.

It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse). At the moment I have 6 different passwords (8-10 char) in total, but they're mostly variations of the same base. Anything more complex than that and I would lose track.

Re:Forcing strong passwords in the first place.

[maxwell+demon]

The problem is that you have to remember those passwords.

There are a few places where unique passwords are mandatory (everything related to money, your email account(s), and anything where you keep private data). But for anything else, a break is annoying, but not downright dangerous. OK, so if someone broke my password on Wikipedia, he might be able to get into my account on several other Wikis (assuming they correctly guessed which username I used there; I'm usually not using the same user name on different web sites, nor do I generally reveal my identity on those sites - for example, the only place where I use the nickname "maxwell demon" is Slashdot. Good luck guessing my Wikipedia login name; but then, my passwords on Slashdot and Wikipedia are different anyway).

Re:Forcing strong passwords in the first place.

[sbluen]

I think it can be acceptable for gaming websites and other low-value websites to allow weaker passwords though, because the inconvenience of a lot of extra typing isn't worth the utility and so that people automatically have multiple passwords if that password is insecure.

Re:Forcing strong passwords in the first place.

If anything they encourage it - people stuggle to learn the complex passwords allowed so resort to either only learning one complex password and using it everywhere or post-it notes.

This is a much more secure method, but most sites won't allow passwords that long (even though it should be generating a hash so the length shouldn't actually matter to them at all): http://xkcd.com/936/

Re:Forcing strong passwords in the first place.

The site operators may still have a problem with that, though, since breached accounts can be abused for spamming and the like.

Re:Forcing strong passwords in the first place.

[AK+Marc]

You don't need to keep them if you have some manner of keychain program. You save them once, and don't ever enter them again (until they expire, which should be more rare if re-use was eliminated).

Re:Forcing strong passwords in the first place.

[AK+Marc]

The problem is that you have to remember those passwords.

That's what post-its are for.

Seriously though, I save passwords in a browser or other keychain management program.

Re:Forcing strong passwords in the first place.

good luck.

Re:Forcing strong passwords in the first place.

[leaen]

My passwords all come in the following variations

yyyyyy
xxxxxxxxxx
Xxxxxxxxxx
Xxxxxxxxxx1
Xxxxxxxxxx_1

You missed one of variations. I tried them all but I cannot login

Re:Forcing strong passwords in the first place.

[Arancaytar]

Password policies are voodoo. They may make it more difficult for stupid users from using weak passwords, but they do not reliably prevent it, and they actively inhibit the use of strong passwords.

Re:Forcing strong passwords in the first place.

People want to be able to access their accounts from whatever device they use at the time.
And they don't want to have to use a clumsy program with yet another password and cut-and-paste of passwords from there to their login screens.
This mess has to be cleared once and for all.

Re:Forcing strong passwords in the first place.

The site operator's problem is not my problem.
When the site operator elects to have rotten code and is being breaked in to, or is stupid enough to use e-mail addresses as usernames, let them solve the problems for themselves.

Re:Forcing strong passwords in the first place.

[sosume]

Exactly. I hate it when some site first forces me to register, and then even has the balls to require a complicated password, assuring in the process that I won't become a returning visitor.
My usual password strategy is that I use a one very simple password for all systems that cannot harm me in any way. Such as news sites, free games, etc. Who cares if anyone can post under my name. For paid-for stuff and sites I leave personal details etc, I use a strong password, with alternating user names. Then when I need access, I check my mail archive to retrieve the username and voila. But for the real deal, paypal, google, banking and my pc login, it's a whole different ballgame. Strong individual passwords, and I change them each time after use on an insecure network, or when switching projects. But there are only four of those. It's just a waste of brain cells to have to remember 100s of user names and passwords, and change them frequently too. And I do not trust external applications or plugins to remember them for me.

Re:Forcing strong passwords in the first place.

[T-Bone-T]

+5? The only way to keep a website from getting hacked is by not connecting it to the internet in the first place. Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.

Re:Forcing strong passwords in the first place.

[smash]

You're just pushing TRUST out to the remote site. Are you really sure that EVERY single website you use is likely to adhere to any sort of sane security standards, and have competent security-aware web developers?

Random usernames. Random passwords. This whole "your email address is your username" thing is retarded.

Re:Forcing strong passwords in the first place.

[fph+il+quozientatore]

And, let me add, Firefox and Chrome can act as "keychain programs".

Re:Forcing strong passwords in the first place.

A good 50bit entropy password, salted and stretched using bcrypt or scrypt is virtually uncrackable no matter how much GPUs you throw at it. 50 bit entropy is 8 random characters or 5 random words. It's not that hard, and it's much safer and better from a privacy point of view than what the OP is suggesting.

Better browser support will go a long way: if the browser can scrypt() the password on the user's machine I don't need to receive the plain text, the load on my auth server is reduced so I can demand strong stretching (2 seconds before you can login). The browser should become the authentication medium, not an easy to hijack webform.

Re:Forcing strong passwords in the first place.

[peragrin]

1) I use five different operating systems. (Osx , ios, linux, windows, android ) name one keychain program that can be used across them all and keep that program easily sync'd?

2) You push the point of failure onto the keychain program. if you want to get someone all you have to do is crack their keychain and they are screwed.

3)what happens when your keychain program gets corrupted? a simple hard disk failure now prevents you from ever logging in again.

Re:Forcing strong passwords in the first place.

[flimflammer]

I am so sick of websites that try to force "strong" password creation by creating their own rules. I have several strong passwords that I use that aren't considered "strong" by many websites (it is a nonsensical sentence with misspelled words). When you force me to add capitals and numbers and likely symbols, it's just going to cause me to change "thequickbrownfoxjumpsoverthelazydog" to "Thequickbrownfoxjumpsoverthelazydog1$" and then when attempting to log into the site I'll have to enter several variations until I remember what specific version of "strong" this particular site is trying to shove down my throat before I can log in.

My password is secure enough without you complicating things further by requiring certain characteristics.

On another note, it amazes me how often websites will enforce "strong" passwords, but have a length limit. You want a capital, a number, a symbol, but it can only be between 8 to 12 characters long? What?

Re:Forcing strong passwords in the first place.

[smittyoneeach]

Well, we could subsidize all the Dunder Mifflins out there, and then outlaw paper. . .
But then people could carve the passwords into the furniture. . .
Outlaw furniture?
But Congress never holds itself accountable, so there'd be a bunch of people standing/laying on the Mall, calling Congress a pile of dicks.
Something should be done to make people more controllable.

Re:Forcing strong passwords in the first place.

[smittyoneeach]

You have a strong root password, and a simple, site-specific suffix.

Re:Forcing strong passwords in the first place.

Looks like you've been sequencing DNA In West Virginia again.

Re:Forcing strong passwords in the first place.

[MysteriousPreacher]

A good backup regimen would mitigate corruption of keychains.

Although it's true that cracking the keychain would open the door, that would at least require a cracker to get access to the keychain. If stored locally this wouldn't be a trivial thing. In terms of return on investment it would be expensive to do for anything but attempts on individual users. Most attacks are done in bulk on specific services.

I use very strong passwords on accounts where I register payment details, and a *very* strong password on my keychain. It's not invulnerable but it would be very difficult to break.

Re:Forcing strong passwords in the first place.

You missed one of variations. I tried them all but I cannot login

Have you tried ******** , works for me.

Re:Forcing strong passwords in the first place.

[funkboy]

Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.

Exactly. That's one of Schneier's central arguments as to why sites getting "hacked" is so prevalent today. Once some initial security perimeter (e.g. a firewall) is breached, system design & security is sloppy enough that it's a free-for-all for the intruders. If systems were designed as a fortress built to secure data this would be a lot less of an issue, as unsuccessful crackers are broke crackers that need to start looking for income elsewhere.

Re:Forcing strong passwords in the first place.

A length limit on a password is a smell that they're storing it in plaintext somewhere. If they're doing things properly, storing a salted hash of a password, why do they care what the maximum plaintext length is? Avoid such sites.

Re:Forcing strong passwords in the first place.

Actually, people using longer passwords, and different ones for different sites/systems - and then writing them down would be an improvement. If you write down your passwords and keep them in your wallet, then the number of people who could potentially "hack" them is limited to those with close personal contact that could snatch your wallet.

Re:Forcing strong passwords in the first place.

"Strong password policies" mostly translates to the bad form described by xkcd at http://xkcd.com/936/, of unusable, hard to remember passwords that *enforces* the use of a few passwords re-used and typed everywhere, easily stolen, hard to change.

"Don't keep or send passwords in clear text" is an old lesson that keeps being violated. Subversion with HTTP and HTTPS? Stores passwords locally in clear text. Most rotten password schemes? Stores passwords in clear text. Most git users with SSH keys? Stores passphrase free keys locally because the owners can't be bothered to use keys, and have the strange attitude that "if you don't trust the machine you're working on you should'n't be using it" which does *NOTHING* for other people in less secure environments who use the same software. Shared root passwords on all the servers, written in the wiki? Happens everywhere I've been for the last decade.

It's not the system, it's a collection of bad attitudes and poor practices that were solved more than a decade ago with good tools like Kerberos, but were blocked from general adoption by idiocies like US export encryption regulations and have promulgated by every idiot with a new software system re-inventing the wheel and *leaving out half the spokes*. And it's encouraged by modern "object oriented" programming where the problem is consistently left to someone else, and to cope with and the local aspects of it in each part of the programming stack are simply ignored as "not relevant to this part of the system".

Kerberos did about as good a job as you can do with it from a technology sense. The password management is robust, it's encrypted at each layer of the stack, but it got abused with that secretive "your password isn't good enough, we won't tell you which part wasn't good enough and we *won't tell you what the rules you have to follow are*". So we've wound up with the Mix3dKaz3" leetspeak passwords xkcd described.

Re:Forcing strong passwords in the first place.

[Antique+Geekmeister]

And you'll send them the passwords email, which is consistently monitored for passwords and stored with poor security? And your "keychain" program is tied to one client, and a graphical environment, and that one web browser, with no way to extract the password for putting in your other web browsers?

This is just organizing a fresh set of security holes. It's not a solution. And it wouldn't have solved _this_ event which involves plain text passwords stored on the server side for millions of users.

Re:Forcing strong passwords in the first place.

[PopeRatzo]

The only problem with this is the problem of people writing these down.

Isn't there anything better than passwords, that would be unique, anonymous and disposable (destroyable)?

Re:Forcing strong passwords in the first place.

if they are strong enough; they should help prevent password re-use.

Bulll FUCKING shit.

Re:Forcing strong passwords in the first place.

[Hognoxious]

No, they can't. There are a number of sites with incompatible password standards.

I've seen some that mandate at least one of each case, and/or a digit, and/or a punctuation mark.

I haven't seen any that forbid those. Different does not necessarily imply incompatible.

Re: Forcing strong passwords in the first place.

1) LastPass

Re:Forcing strong passwords in the first place.

There is no point of using a strong password if the site imposes a limit on brute force attacks in the first place. The site is offloading security to its users.
So what if the password is weak as in 10^4 vs 10^9 combination if the site only let you have 3 failures per day before the account get locked up for the day and notify the account owner? Also the site should encrypt + salt their account info so that a leak cannot be lead to someone using a hash attack.

Re: Forcing strong passwords in the first place.

Keepass+dropbox = Secure keychaining on all devices ( Even iPhone ) and all Browsers, and only i have access to the information. The FBI can't get it from google or apple

Re:Forcing strong passwords in the first place.

You have to limit password length to limit the probability of hash collision. But then about 64 chars max would be likely enough, no need to limit it THAT much.

Re:Forcing strong passwords in the first place.

[Hognoxious]

Apologies if this is a silly question, but doesn't requiring specific characters reduce the set of possible passwords, making it easier to crack?

If I know there has to be a numeric (and max length is 8) I don't have to try ABCDEFG[A-Z], for example.

Re:Forcing strong passwords in the first place.

[houghi]

This is great if it works for you. e.g. bhj648_+shlasdot.org as password for this site and bX3hj648_+google.com for google.
You can extend it to your work place.
This will work great for you. Now let us add some reality to it.

When I look at where I work, most people need only two passwords. I have told them again and again that it is easier if they have the same password for both.

This worked for a while, but then things changed. One password needed to be at least 10 and the other only 8 characters. You would just add two characters and be done with it.
What I do is to take the month and year, add a 4 letter word and for the 10 letter password add ++. So now I have a password this month like 0413Foad and 0413Foad++. I change the password on the 1st of the month. Never had a failed password due to forgetting it.

Yet even this simple method will not work for the majority of people. They do not see password as a way to security. They see it as a way to hinder them to do their job.

So passwords and security are a social issue. When you only look at the technical part of it, you will fail.

First IT people should start with not needing to change my password every month. That will make me select a safer one, because I can remember it. The fact that people write down their passwords is not the fault of those people. It is the fault of the ones making the security for not taking the human into account.

And here I am just talking about 2 passwords at work. Add complexity for the rest of all your logins, passwords and pincodes.

Re:Forcing strong passwords in the first place.

[Hognoxious]

The length of the hash will depend to some extent on the length of the original. If it didn't you'd need infinite compression, or you'd have to accept hash collisions.

Re:Forcing strong passwords in the first place.

[BrokenHalo]

I would do likewise. The whole point of a password is that it should satisfy the criterion of "something you know".

If you have so many passwords that you have to either write them down or store them in a password management system, then that criterion fails, because it's no longer something you know at all.

Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.

Re:Forcing strong passwords in the first place.

[gutnor]

Right, but the alternative are either user education or local solution on the user machine (keychain tool). The first one will not happen, that much should be clear by now. The second one is a matter of opinion - you need to believe the users can be collectively better at fighting malware creators than website developers at fighting dedicated cracker. It seems that recently both the botnets and general website cracking have been going well, so the jury is still out.

Egoistically, I would rather have the website invest in good security. No matter how good is my password management skills are, when a website is cracked it affects me anyway. Giving up and letting the user sort it out on their end is already business as usual for me (and most /. users).

Re:Forcing strong passwords in the first place.

[Curupira]

Please someone mod the parent up. An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

Re:Forcing strong passwords in the first place.

[hedwards]

It's impossible to clear this mess up without using the same password and log in for everything. Right now I have over 400 log ins in my database. I'm not sure how many of those are ones that I need to log into again, but that's a large enough number that even changing them on a regular basis is unlikely.

Trying to unify that under the same log in that the sites get, is not something that's technically desirable. I'm not really sure how one can solve this problem form the server side, because you'd need 3rd party to access all of the passwords without the users' permission in order to know.

Re:Forcing strong passwords in the first place.

[hedwards]

You'd be surprised, I run into a fair number of sites where you have to use alphanumeric characters and nothing else. I've also run into a fair number of sites where the validation algorithm doesn't work so it will accept passwords that you can't use and just silently truncate or adjust them to whatever it takes without telling you what the new password is.

Then there's the sites that require at least 12 characters and the ones that limit it at 8. Really, it's a mess and the people paying for these systems don't care about security beyond appearances.

Re:Forcing strong passwords in the first place.

[hedwards]

What inconvenience? It's precisely the same amount of work for me to use a 2 character password as it is to use a 100 character password. Once you get more than about 4 log ins, it becomes inconvenient to memorize them anyways, and with a keychain the length of the string and the component characters are moot.

Re:Forcing strong passwords in the first place.

[vux984]

The most important "layer of trust" to use your phrase is to ensure that your EMAIL has a strong password, and that it is not the same as anything else. Your email password is the weak link, thanks to the forgot-password-reset (or god forbid password recovery) functionality of most other online properties.

And this raises a problem. Email is frequently used... so long pass phrases are inconvenient.

And worse, we have it saved in our phones, and on our laptops, so we don't have to re-enter it every 5 minutes. So if we lose our device, we're hosed. I don't want to put in a long passphrase everytime i unlock my PC, I want to enter in a long passphrase to unlock my phone even less. So while I have a good password on my email, if my phone is stolen I'm potentially hosed.

The more I think about it, password reset functionality by email is -inherently- a bad idea. We should almost really have a 2ndary "secure" email that we don't use except for managing password changes etc. The problem with that of course is that no systems support having a separate email just for password recovery, so if you set one up you'd miss all the other mail from the site that you would presumably want to receive.

Re:Forcing strong passwords in the first place.

[hedwards]

Sigh, somebody else trots out that stupid XKCD cartoon without understanding it.

The example that he used substituting for troubadour with a 2 character chaser is not something that has ever been recommended password policy anywhere I've seen recommendations made. It was specifically warned that you not take a dictionary word and transliterate it into leet speak because it wasn't a strong password.

Bottom line is that the suggested option is easier to reconstruct than a random password and that once you get more than a small number of passwords, you're probably not going to be memorizing them anyways, as you're supposed to be changing them from time to time.

Re:Forcing strong passwords in the first place.

It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse).

I have one website that I do exactly that with. They have such stupidly complex password for absolutely no reason (to get software updates for a product that requires a license server to run) that I refuse to participate. Their password requirements are even more complex than the Intel developer passwords - something I didn't think was even possible. So when I need to go login, I just reset my password and bypass their password system altogether. Just for fun, I even sent them email and told them that is what I do - but got no response.

Hell, why am I even hiding their name? It is Synopsys.

At the moment I have 6 different passwords (8-10 char) in total, but they're mostly variations of the same base. Anything more complex than that and I would lose track.

I have a few variations on a few bases. I have an ultra-low security password (for forums like slashdot and others), a mid-security base and a high security base. Then I have a few unique passwords that I use for one and only one purpose (one of them being my PGP key).

        Marc

Re:Forcing strong passwords in the first place.

[AthanasiusKircher]

THIS. Why not let me use the kind of strong password or passphrase that works for me? A password policy that has random restrictions (at least one number, at least one uppercase letter, no more than three lowercase letters in a row, etc.) just encourages the shortest weakest password that barely satisfies the constraints.... and it gives hackers information to figure out what passwords probably look like.

Just give people a realistic password meter, set some minimum level of complexity, and let them decide how to make it strong. The website that has five constraints on the exact structure of your password but then requires it to be 8-10 characters maximum is just idiotic, not to mention incredibly annoying for users.

As for password reuse, is that really your problem? What about a giant flashing warning next to the password meter that says "DO NOT REUSE PASSWORDS FROM OTHER SITES OR YOUR OTHER DEVICES HERE. IF YOU DO, YOU DO SO AT YOUR OWN RISK. IF SOMEONE, SOMEHOW GETS YOUR PASSWORD EVEN BY HACKING THIS SITE, WE ARE NOT RESPONSIBLE FOR PROTECTING YOUR DATA ELSEWHERE." Make the user click the giant flashing warning three times. Problem solved?

Re:Forcing strong passwords in the first place.

[bbelt16ag]

those are keys not passwords.

Re:Forcing strong passwords in the first place.

[dinfinity]

That is why you use LastPass generated passwords for the millions of accounts you don't really give a fuck about and can ultimately always access through password reset mechanisms. This allows you to focus on creating and remembering unique passwords that you know for truly important accounts, such as emailaccounts and banking accounts.

The alternative of using a single throwaway password for all those crap accounts instead of LastPass 'tokens' will inevitably lead to using a terribly weak password due to differing password restrictions on different websites and still allows all the accounts in the crap zone to be compromised by a hack of one of them.

Re:Forcing strong passwords in the first place.

[Octorian]

KeePass and all its related implementations (KeePassX, etc, etc.).
This is the only family of password management apps I've found that both share a common database format, and have functional implementations even if your platform-of-the-moment isn't "hip enough" for a more polished solution to care about supporting.

Re:Forcing strong passwords in the first place.

Your password can be the same, but different. Add something different to the front or the end of your usual password for each site. For /. you could add "./" (without quotes) to the front of your reusable password. For Amazon you could add "Amz" to the end. You get the idea.

If you don't want it to be that obvious then add "crap" to the front of your /. password, "buy" for Amazon, "post" for FB password, "chirp" for Twitter etc. I know someone who adds a different animal to the start of each of her passwords.

This gives you a different password for each site but gives you a common core that you can remember and use.

As long as the site isn't storing the passwords in a format that can be decrypted (or plain text!), and is adding sufficient salt, you should be able to avoid the rainbow tables and the common password generators (such as Jack the Ripper).

Re:Forcing strong passwords in the first place.

[ilsaloving]

1Password by agilebits supports all of those except linux, and syncs between them all using a couple different methods including an AES encrypted files on dropbox. If you need it on linux, they have a way that you can do it, but it's not as nice.

Re:Forcing strong passwords in the first place.

[Hentes]

Keeping the site secure is the company's responsibility. Choosing passwords is the users' responsibility. Yes, they should work on their side of the problem, and let the users decide whether they want to take the risk of a weak password.

Re:Forcing strong passwords in the first place.

Yeah...

I use a password algorithm which is usually something like [profanity] + something visually fixed on the site. Plus the stupid "you must have one number and one capital letter pisses me off, with different site having different enforcement of password rules. Like as a stupid example if I have an account on geico.com the password would be something like fuckinGeck0. This renders a unique password for every site.

My financial-related accounts have a different algorithm. So at worst someone specificly trying to hack my accounts would only be able to get one unless they got to my email first. Once a hacker gets into your email, you could have the best password system in the world and you'd still be screwed.

Passwords are the second weakest link in authentication... where they are stored is the first. Who's to blame for this? How about every site that insists on sending you useless newsletters, auto-subscriptions, and birthday messages. Thanks, now if my email is hacked all someone has to do is "search" for what they want to hack next. Many sites switched to "email login" which makes it just that much easier, because now they already have the username, and just have to reset the password, grab the password reminder email before I see it, and do whatever misdeed they want with that account before I realize it.

Remember the Gawker hack? Yahoo reset my password from that. I haven't used Yahoo since.

One of the sites I manage, basically anything that isn't a @gmail.com account is abandoned. Gmail won the free email contest by
a) Not deleting accounts after 270 days like hotmail
b) Not deleting the contents of email accounts after a certain amount of time like yahoo

Deleting accounts/content due to inactivity is bad policy, however in the case of yahoo it might be good policy if the person who owns the account has abandoned it to prevent the contents from getting into someone elses hands, but this really should be up to the account owner to have a "destruction timeout" eg "If I fail to login to this account in 3 years, [x] delete all emails and [x] delete the account"

Re:Forcing strong passwords in the first place.

[Kal+Zekdor]

Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.

I do something rather similar. At any given time I've memorized 4 distinct passwords. In descending order of complexity, they are: my email password (as a compromised email account makes it trivial to reset or access any other password, this is the most secure. I actually use a 20+ character "pass phrase" for this.), a "High" security password, for things like banks, paypal, amazon, basically anything that if compromised can cost me money, a "Medium" security password, for accounts that are important to me, but wouldn't be a huge deal if they were compromised, slashdot would fall in this category, and finally, a "Low" security password, for accounts that I don't care about, or only expect to use once and then forget about.

Because I layer my passwords like this, it's rarely a big deal even if some site leaks my password and email address. Even if a Low security site has a breach, the usual targets (email and High security sites) are insulated from the risk, so I just change the password at that site and am done with it. High security sites usually have better track records, but if there is a leak, the password group is small enough for me to be able to change them all immediately.

It works pretty well for me. Sourceforge.net leaked my email/password a number of years ago, and I noticed some (failed) unauthorized attempts to login to my email and paypal accounts shortly afterwards. Even if you don't want to go so far as to memorize 4 passwords at any one time, I highly recommend that you at least keep a separate password solely for your email account.

Re:Forcing strong passwords in the first place.

If you meaning Living Social when you say _this_ event, I'm pretty sure they said they were encrypted and salted, not plaintext?

Re:Forcing strong passwords in the first place.

[theshowmecanuck]

Sure, and I have only one device that I ever use, so that keychain program works great. And hell, a keychain program is better than writing them all down since it writes them down for you! I would be willing to bet that if sites forced you to have a unique password for each place, people would use less sites. If you make things hard to use, people won't use them.

Re:Forcing strong passwords in the first place.

[tqk]

... doesn't requiring specific characters reduce the set of possible passwords, making it easier to crack? If I know there has to be a numeric (and max length is 8) I don't have to try ABCDEFG[A-Z], for example.

ABCDEFG[0-9]
[0-9]BCDEFG
A[0-9]CDEFG
AB[0-9]DEFG
...
[0-9]bcdefg
...

Add the potential of "`~!@#$%^&*()-_=+[{]}\|,;:'"/?" in the square brackets and numerics instead, now you're talking secure. Why none of the graybeards back in the dark ages didn't come up with an RFC that codified Best Practice for this stuff, I don't know. Once you find yourself logging into Windows, OSF/1 (True64), AIX, HP-UX, Solaris, Linux, *BSD, and Mac, *times 2* (user + root/admin), you begin to see how abysmally this problem has been managed down through the years.

Re:Forcing strong passwords in the first place.

[DerekLyons]

assuring in the process that I won't become a returning visitor

And they aren't bothered by that - their policies are designed for the vast majority, not the one-in-a-million asshat.

Re:Forcing strong passwords in the first place.

As long as the site isn't storing the passwords in a format that can be decrypted (or plain text!), and is adding sufficient salt

Sadly, you cannot rely on this. Not all web developers are stupid, but the lowest-bidder ones are.

Re:Forcing strong passwords in the first place.

[budgenator]

That requires the site that your trying to log into to store the passwords, which is a really Bad_Idea(tm), the site should only store a crytographic hash of the password and a salt value; please don't use a simple md5sum hash. Now if the site gets hacked and the database is stolen, the 'ner-do-wells don't have the passwords. Storing the md5 hashes doesn't work, there are plenty of lists of passwords and their md5 hashes out there.

Re:Forcing strong passwords in the first place.

Yeah... when I ran a website, anytime somebody entered a password and had (say) a hotmail account, I'd try to log in with that password. Works for account set up just as well as incorrect password attempts! If everybody did this, nobody would reuse passwords.

Re:Forcing strong passwords in the first place.

[Jane+Q.+Public]

"How does using a strong password prevent password re-use?"

The key issue here is not so much strong passwords, but "auditing".

If this were the beginning of the month, I would suspect an April Fools joke. They want to improve your use of passwords by monitoring your password usage!!!

Gee, what could possibly be wrong with this idea? [sarcasm]

Re:Forcing strong passwords in the first place.

[bblough]

1) I don't use a single program, I use a single format. I use different programs per platform, but all of them use Password Safe compatible databases. Sync is done via an encrypted cloud storage service.

2) Admittedly, this is a potential issue, but in my opinion there are two problems with this point. First, you trivialize it by saying "all you have to do is crack the keychain." With a strong enough passphrase that will not be easy at all. Second, you're changing the threat model under discussion. A compromised website with re-used passwords is one thing, someone coming directly after your locally stored data (e.g., your keychain) is another. In the first model, the attacker will not have access to your keyring, and therefore has no chance of cracking it. In the second model, if you're the direct target, precautions probably aren't going to matter.

3) Backups. The same encrypted storage service that handles my sync keeps automatic, versioned backups.

Re:Forcing strong passwords in the first place.

plus the keepasse2 file format is pretty straight forward. i have extended/rewritten an existing keepass1 library to also support 2 (in python): https://github.com/fdemmer/libkeepass

personally i sync my encrypted keepass file with dropbox. so i usually have it anywhere i want it including my phone. that way i can also keep pins and notes for other more real world secrets with me other than just passwords.

Re:Forcing strong passwords in the first place.

[Jessified]

Furthermore, policies that require constant password changes encourage people to use the same password with an incrementally changing number.

I use strong and varied passwords for important services (email, banking etc) and shitty repeated passwords for every stupid forum that wants me to sign up to participate.

Re:Forcing strong passwords in the first place.

[Jstlook]

You know, I keep seeing how corporations keep pushing CISPA related bills through the government.

How about the people push a similar bill through the government, only this time, we mandate some sort of corporate responsibility for firewall security, and protection of consumer-related personal information?

I'm downright tired of companies engaging in the act of demographic siphoning behavior under the guise of a "free" service.

Re:Forcing strong passwords in the first place.

Is people writing down passwords really an issue? Maybe in a company environment sure. But for the average home user, like my mum, writing down a password in a notebook or something wont be an issue. Hell she could even keep it in her safe so she only needs to look should she forget it. The only way someone one will get that is if a family member takes the book or if some one breaks in. I doubt any burglars want my mums Facebook password.

Password reuse will always be an issue. A lot of people I know have a system where they place a value on a website and then decide the password they use on that. With a generic password for things like forums and the such. Higher up passwords for various shopping sites and then very secure unique passwords for things like banking.

Re:Forcing strong passwords in the first place.

[fph+il+quozientatore]

At least for Firefox, you can easily sync your passwords on their servers, and everything is encrypted client-side so they'll never know it. You can even more easily get those passwords out (edit->preferences->security->saved passwords). The problem of the security of the browser/keychain program itself still stands though.

Re:Forcing strong passwords in the first place.

[Hognoxious]

Add the potential of

Are you assuming a false dichotomy, i.e. that if a numeric isn't obligatory it's not allowed? I neither stated nor implied that.

ABCDEFG[0-9]
[0-9]BCDEFG
A[0-9]CDEFG
AB[0-9]DEFG

If there might be one (or more), but equally there might not, then you need to test all of those you mentioned plus ABCDEFG[A-Z].

Surely a restriction, by definition, reduces the pool of possible passwords that need to be tried by arbitrarily eliminating a subset of potential ones?

Re:Forcing strong passwords in the first place.

[caitriona81]

This idea has strong potential, and a way that it can be refined is to offer the user a choice between a random set of password requirements that apply only to them, and change once every few days, and a random passphrase of the xkcd sort. So, you'd have the static rules (at least 16 characters, can't be similar to username, etc), and then you'd add 4 random requirements like:
- The 4th character must be a number.
- The 7th character must by a symbol
- The 2nd character must be an upper case letter.
- The 11th character must be a lower case letter followed by the letter 3 letters before it in the alphabet.
- Enter a password twice below that meets these requirements, or click here to choose the random password the system has chosen for you [fireball yelling slashed baseballs]

Password reuse impossible. Use of a password manager encouraged, and an option is still open for someone who feels the need to memorize. Because the ruleset is random, but can only be switched every few days, the user can't refresh until they find a set that their password is compatible with, and most users will take the easy way out and accept the random passphrase that suddenly looks a lot less scary, but is reasonably secure.

Of course, this is assuming that you actually have a compelling need to even have logins and passwords - if you aren't a financial (banks, credit unions, credit cards, brokerages, etc), healthcare or an email provider, or dealing with accounts for use inside your company, then you probably don't, and should encourage the user of persona or openid instead, rather than furthering the proliferation of accounts that users have to keep up with...

Re:Forcing strong passwords in the first place.

[x3CDA84B]

This is great if it works for you. e.g. bhj648_+shlasdot.org as password for this site and bX3hj648_+google.com for google.

Yeah, and the first time that any one of those passwords is cracked by someone using e.g. HashCat, they will add your logic to the list of methods that are commonly used by people when creating a password, and now all of the other historical hashes that have been stolen from accounts you set up are now compromised as well.

When I look at where I work, most people need only two passwords. I have told them again and again that it is easier if they have the same password for both.

This is actually pretty terrible advice these days, because if something requires a separately-stored password (IE it is not integrated with your central auth system), there is a good chance it is transmitting or storing the password insecurely. Now your users have compromised their main account as well.

What I do is to take the month and year, add a 4 letter word and for the 10 letter password add ++. So now I have a password this month like 0413Foad and 0413Foad++.

That password would fall to an offline hash attack in minutes or seconds. And since it's procedurally-generated, again, now whoever cracked it can add your logic to the list of commonly-used methods, and crack all of your past and future passwords even faster.

First IT people should start with not needing to change my password every month. That will make me select a safer one, because I can remember it.

We do that because the assumption has to be that given enough time, your password will be compromised. The longer you have to wait to change it, the longer the window of exposure when that happens.

Re:Forcing strong passwords in the first place.

[x3CDA84B]

Except that they do have the passwords, because of tools like HashCat that allow ridiculously-fast brute-force attacks on hashes, combined with statistical analysis of previously-stolen and -decrypted credentials to figure out the patterns that people use to create passwords (e.g. dictionary word + three digits + punctuation). Using salted hashes is great, but it only slows down the retrieval of passwords - it doesn't prevent it.

Re:Forcing strong passwords in the first place.

[x3CDA84B]

The length of the hash will depend to some extent on the length of the original.

Um, no. All of the standard hashing algorithms return a fixed-length value. Collisions are certainly possible, but because the algorithms are strong, the chance of a collision for anything that's likely to be used as a password has an extremely low probability.

Re:Forcing strong passwords in the first place.

[caitriona81]

1. Lastpass works across all the platforms you've named, and has it's own sync. Keepass works across all of them, and only needs some form of file sync (eg Dropbox). Firefox sync will get you 4 of the 5 (all except iOS).
2. Virtually all of the circumstances that allow someone to attack the keychain program also tend to permit the undetected installation of a physical or software keylogger. The attacker may not compromise your less frequently used accounts as quickly, but they will have everything you use on a daily basis. (Further, accounts you don't use on a daily basis may be forgotten about, a side benefit of a password manager is a checklist of what needs changed in the event of compromise.)
3. Backup processes apply to password managers, as do password reset processes, and use of a password manager does not preclude use of memorable passphrases for particular accounts, particularly for things like email accounts. Right now, I use passphrases + token codes for email, banking, and my password manager itself, passphrases stored in a password manager for accounts that I have to be able to retype the password (facebook, etc), and completely random passwords at the complexity limit of whatever site I'm registering for if I'm not having to sign on to them from any of my devices (random web forums, etc)., and a shorter, more "traditional" 8 character password for my desktop, where a brute force attack is more likely to be carried out by hand than against the password hash., and ease of typing (muscle memory) is desired.

Re:Forcing strong passwords in the first place.

[Helix_Sky]

An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

It is still "something you know". You have to know your LastPass password. Saying it is "something you have" is like saying needing a browser to access my bank site is needing "something you have". If I have access to the internet then I have access to LastPass.

As for your corrupted db problem, you can make offline backups of your LastPass db

Re:Forcing strong passwords in the first place.

[tqk]

If there might be one (or more), but equally there might not, then you need to test all of those you mentioned plus ABCDEFG[A-Z].

I've spent zero time attempting to crack passwords, and I suspect /. is one of the last places to be if you want to learn how to. There's so many variables involved, it's not a simple problem, and a lot of them are closer to "social engineering" than logicalities:

i) does someone who uses 12345 for a password have anything worth stealing?
ii) is it better to go for the low hanging fruit (12345) before progressing through the tougher cases ("[0-9?`~!@#$%^&*()-=+_?]BCDEFG", ...)?
iii) do you try all potential solutions on one password at a time before going onto the next password, or run all passwords through the easiest, then next easiest, ... through hardest?
iv) do you treat all accounts as equally worth cracking, or concentrate on the obviously valuable hard targets (remember, even low value accounts may get you closer to getting into high value accounts)?

John the ripper's source code may be a good place to start.

Re:Forcing strong passwords in the first place.

[gonz]

I use five different operating systems. (Osx , ios, linux, windows, android ) name one keychain program that can be used across them all and keep that program easily sync'd?

http://lastpass.com/

Re:Forcing strong passwords in the first place.

[Terrasque]

Hash collisions...

MD5: 128bit. 2^128. 3.40282366920938463463374607431768211456 Ã-- 10^38 combinations
SHA1: 160 bits. 2^160. 1.461501637330902918203684832716283019655932542976 Ã-- 10^48 combinations
SHA-256: 256 bits. 2^256. 1.1579208923731619542357098500868790785326998466564056403... Ã-- 10^77 combinations.
SHA-512: 512 bits. 2^512. 1.340780792994259709957402499820584612747936582059239337... Ã-- 10^154 combinations.

Big numbers. Comparison numbers:
estimated number of atoms in the Earth: 1Ã--10^50 atoms
estimated number of atoms in the Milky Way galaxy: 2.9Ã--10^76 atoms
estimated number of atoms in the universe: 1Ã--10^80 atoms

The chance of a random hash collision, even factoring in birthday attack, is extremely small. It's also not a problem, even if it happens. As it is paired with a login name, you don't suddenly have person A logging in as person B.

And as noted, the length of a hash is fixed for the algorithm.

Re:Forcing strong passwords in the first place.

[porges]

And if you succeed, you've broken the various laws against logging into web sites without authorization.

Re:Forcing strong passwords in the first place.

[smittyoneeach]

If you do a pattern somewhere on the keyboard with alternate raising/lowering of the SHIFT key, you can balance all but the most asinine password regimes with the capacity to remember them.

Re:Forcing strong passwords in the first place.

[Lachlan+Hunt]

Actually, in my experience, most sites do allow good passwords. I have a little over 200 sites stored in my password manager, and of those, about 90% of them use long randomly generated passwords with letters, numbers and symbols. About 5% are still long, but imposed some restriction on either length or the use of symbols and the remaining 5% are crap due to really bad password restrictions limiting lengths to below 12 characters or less.

Re: Forcing strong passwords in the first place.

[rex.clts]

I've been using Keepass+dropbox for about two years now, and am very happy with my workflow. It takes a little bit of massaging of the settings to get everything comfortable, but once you get it set up the way you want, it's very easy to use. Simply use the global hotkey (Ctrl+Alt+A) when I need a password entered. If it's the first time I've used it since log-on, I have to enter my master key, and then it stays unlocked until my windows session is locked. Then my "very strong" passwords are securely auto-typed into the browser session.

Re:Forcing strong passwords in the first place.

[jamesh]

Another way would be when you create an account somewhere, that the website tries logging in to google, facebook, myspace (does that still exist?), pinterest, etc using the same credentials, and warns the user that they have used the same password in multiple places. Some wording in the EULA that this will happen will cover you, in theory.

Re:Forcing strong passwords in the first place.

It's called public key authentication. It has existed for a long time. Users of (for instance) OpenSSH can tell you more. :-)

Re:Forcing strong passwords in the first place.

[wallsg]

+5? The only way to keep a website from getting hacked is by not connecting it to the internet in the first place. Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.

The only way to win is not to play?

Re:Forcing strong passwords in the first place.

[T-Bone-T]

I guess you could say you win if you get hacked and the hacker(s) still don't gain anything of value.

Re:Forcing strong passwords in the first place.

[L4t3r4lu5]

A set maximum length password implies they store it in plaintext, as a password hash isn't defined by the input length. MD5 of aaaa is exactly the same bit length as the MD5 hash of a 1GB Linux ISO.

Trust no site with a maximum password length.

Re:Forcing strong passwords in the first place.

[L4t3r4lu5]

I turn all sites into two-factor authenticated sites.

I have a KeyPass database with my website login details (usernames, email address variants etc) which I use to store a portion of the password, which is randomly generated by the KeyPass program. Passwords are made up from the contents of the password field + a passphrase I've memorised. The KeyPass database is encrypted with a unique key totally different to the passphrase.

The keypass database is useless without my passphrase, and the passphrase is useless without the database. All sites require two-factor authentication.

Re:Forcing strong passwords in the first place.

[Ash-Fox]

I don't want to put in a long passphrase everytime i unlock my PC, I want to enter in a long passphrase to unlock my phone even less.

I don't, but I do it anyway, I haven't found a better method yet.

We should almost really have a 2ndary "secure" email that we don't use except for managing password changes etc.

Despite running my own mail server, so I didn't have to fear of being unable to recover my account is that the next weak point is the domain. If someone were to steal my domain, it would still screw me over.

Unfortunately, even following best practices, I feel vulnerable to intrusion.

Re:Forcing strong passwords in the first place.

[Ash-Fox]

As long as the site isn't storing the passwords in a format that can be decrypted (or plain text!), and is adding sufficient salt, you should be able to avoid the rainbow tables and the common password generators (such as Jack the Ripper).

In my opinion, this is not good enough as most common hashes are designed themselves to be quickly generated for signature purposes (md5, sha512 etc), brute-forcing takes little time these days. The use of rainbow tables aren't as necessary with the calculation speed of current processor technologies.

A knowledgeable web developer in my opinion would use an algorithm designed to be slow such as bcrypt or a stretched algorithm such as PBKDF2, this is a far better defense against brute-forcing.

Also, outside of older security professionals, do malicious users even use jack the ripper anymore?

Re:Forcing strong passwords in the first place.

[fa2k]

SuperGenPass has a lot of limitations due to its design, but its simplicity makes up for that IMO. It is not a password manager, just a hasher, which hashes the domain name and the master password into a unique 10 char alphanumeric password. Only one site I've used has complained about this, and that was eBay, which required punctuation as well. It can't handle well if a password must be changed (you can add something like "2012", "2013" to the master pw though). It is great that the passwords are stored nowhere, so there is no need for synchronisation or backup.

Password managers and SuperGenPass are a good solution, but too complicated for most people to use. The system suggested in the article doesn't work either. When a password DB is compromised there will be no entry in the audit hook. The audit hook will only give an elert too late, when the hackers use the password.

There are much better options for improving authentication. It's not easy to do without relying on a third party though, while still allowing logins from various new computers with little effort.

Re:Forcing strong passwords in the first place.

hunter2

Re:Forcing strong passwords in the first place.

[goose-incarnated]

First IT people should start with not needing to change my password every month. That will make me select a safer one, because I can remember it.

We do that because the assumption has to be that given enough time, your password will be compromised. The longer you have to wait to change it, the longer the window of exposure when that happens.

Yes. Because of course an attacker that has only had the password for the last 29 days neglected to install backdoors and keypress-capture software in the 29 days that he had access to the system, so of course you should change the password before the attacker installs the malware on the 31st day of compromise.

Is it any wonder, with that 29-day logic, that normal intelligent people regard IT people as slightly retarded? The 29-day policy forces easily guessable dictionary passwords with incrementing numbers somewhere in them, preventing the normal computer user from ever picking a good password. Face it, any system that's been compromised will, within a few minutes, have all its future passwords compromised as well, until such time that the system is purged of all malware. Whether your "assumption" is compromised-within-a-month or a compromised-within-a-day, expiring passwords have no actual effect on security.

Re:Forcing strong passwords in the first place.

[goose-incarnated]

I think it's hunter2

Re:Forcing strong passwords in the first place.

[Tool+Man]

Please someone mod the parent up. An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

As well, you can export your LastPass data to another file, say one that you keep on your encrypted backups. No need to slag a very useful tool for nonsense reasons. (disclosure: premium subscriber here)

Re:Forcing strong passwords in the first place.

That's because of the password blocker on Slashdot. You are only seeing x's, y's, and z's but on feedayeen's end he sees his own password.

I'd demonstrate, but it only works if you are logged in-- in short, slashdot won't let you type your password on the comments. You'll see your password when you read it, but everyone else will just see x's and y's.

Re:Forcing strong passwords in the first place.

[mcmaddog]

SplashID

1. It has apps for most of your OS's (exception being Linux) plus Blackberry, WebOS, and Palm OS
2. Uses AES and 256-bit Blowfish encryption
3. lets you synchronize between desktop and mobile apps and also has an export to encrypted file option you can use as a backup

Re:Forcing strong passwords in the first place.

[lsatenstein]

A theoretical solution would be to have the client software generate a randomly created software, and store in in a keyvault with a simple name. When it is time to logo on to a site, you use the vault to send the password.

You can also email the vault to yourself at a secondary location or store it on your flash drive

3rd party box

[Frankie70]

Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'

Since the audit entries are being created by the box running the application, it obviously has write access to the 3rd party box. So whoever has access to the application box has access to write (and hence alter) the 3rd party box.

Re:3rd party box

[maxwell+demon]

The other box would of course only support adding records, not removing them. So unless you are hacking the other box, the only thing you could do is to increase the suspicion by creating bogus extra login reports.

Re:3rd party box

You can design the 3rd party box to only allow appends to the log. So you can end up with fake/garbage logs but you can't get rid of the earlier logs.

Anyway it all seems a bit like a solution looking for a problem. And the solution might end up worse than the problem when actually implemented.

Re:3rd party box

Since the audit entries are being created by the box running the application, it obviously has write access to the 3rd party box. So whoever has access to the application box has access to write (and hence alter) the 3rd party box.

No serious implementation of distributed logging would allow the client to modify entries on the server -- only the appending of new entries would be permitted... ...much like syslogd(8) has been doing for donkey's years.

Come to think of it, why re-invent the wheel -- why not just use a remote syslogd for the recording process (wrapping the comms in some sort of encryption first, naturally)?

Passwords are unfixable

You can tack on more mitigation, but in the end it's the concept that's flawed, not the implementation.

how about store your passwords properly?

[Trepidity]

it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit

It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt (or the related bcrypt). That way even if the password db is compromised, the plaintext passwords aren't, and the attacker cannot use the result to get into other services, even if users shared passwords across services.

It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now. Password reuse is a much smaller problem if websites are designed properly. So rather than "as an industry" attempting to change user behavior, how about "as an industry" implement your damn sites properly, and audit that.

Re:how about store your passwords properly?

[Trepidity]

Replying to self: It looks like LivingSocial actually has switched to bcrypt now. But not early enough!

Re:how about store your passwords properly?

[niftydude]

It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt (or the related bcrypt).

It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now.

Yes! I can't believe there are websites out there that still don't hash passwords.

A few months ago I signed up to the website of a large health insurance provider, and they sent me an email confirmation of my account creation that included my website password in plaintext. Unbelievable.

Who writes this stuff? And who hires these people?

Re:how about store your passwords properly?

[dingen]

Putting your password in an e-mail during the registration process doesn't mean they store it in plain text in their database. If they can come up with your password at a later point (like when requesting a "lost password"), THEN you know they are storing their passwords in plain text.

Re:how about store your passwords properly?

If the password is in plain text in an email it is available to anyone in the network path between the service provider and my email provider. It is also available to anyone looking over my shoulder when I read my email. Sending a password in an email is just plain stupid, with an exception for one-use passwords that force a reset when used.

Re:how about store your passwords properly?

While bcrypt may be the gold standard in password storage, LivingSocial's per-user salt + hash is fairly good. The only thing missing is an "application salt" that is not stored in a database, can be a whole lot longer (>=4KB), and would be difficult to get with a simple database breach.

You just made it easier for cracking.

[mjuarez]

So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?

Re:You just made it easier for cracking.

[gl4ss]

So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?

that you have to just use one complex password at one place and have to change it just at one place.

however the author is a dumb fuck who apparently hasn't heard of any of the SSO services...

Or, alternatively...

[neokushan]

If you're security conscious enough to put this fancy bit of JSON on your site, then most likely you're smart enough to not store your user's passwords in plaintext. In fact, I'd like to think you're clever enough to salt the hash of the passwords that you're storing as well.

Why am I pointing this out? Because password re-use is an issue when a password gets compromised. Passwords get compromised when they're not encrypted or hashed. So to "fix" the problem like this is all well and dandy, but it only works if every site does it and if every site hashed the bloody passwords in the first place, they wouldn't get compromised as often.

one key to rule...

Or we could just use GPG authentication, where a user simply uploads his public key to the site. User's happy, because s/he can use the same passphrase everywhere and the site is also secure because even a hack won't divulge any passwords. Separate (key-less) password could still be optional.

Re:one key to rule...

[MacDork]

The element is part of the HTML5 spec. Microsoft is holding back the industry by refusing to implement it.

Too many damn passwords

[seeker_1us]

If you have too many different username/passwords you will not be able to keep them straight. This is what OpenID was supposed to solve. One can flip the argument around very easily: if there were fewer sites maintaining their own password databases, then there would be fewer breaches.

And that does NOT mean using OpenID for everything including financial accounts.

Oauth 2.0

This third party box with json interface already exists!
When u login using facebook, twitter, linkedin, google its exactly that!
Protocol also exists: oauth/oath 2.0!

Still a issue that Devs won't acknowledge

[Quick+Reply]

The thought process of a developer is that it is usually a user problem, and therefore it is the user that needs fixing, not the user.

The cold reality is that using passwords at all is the problem.

Passwords are an antiquated solution to a simple problem from the very start of multi-user computing. It is simple but exponentially ineffective as it scales.

The human mind is not set up to remember multiple, complex passwords. There are very few humans who are gifted with this ability to remember literally hundreds of different passwords without writing it down, I would put someone who can in the realm of an academic genius who can remember entire textbooks or recite Pi for hours before they eventually have to take a break for physical reasons.

Normal people write it down or keep it to a narrow set of passwords depending on which level of complexity the system will allow. Both bad security practice.

And passwords that expire every 45 days with annoying complexity requirments? You're going to drive users nuts trying to think of new ones each time that eventually they will come up with the simplist password the system will allow and increment by 1 each time they have to change eg: Password1, Password2, Password3, etc.

There are hacks out there, eg: KeePass and LastPass, but this is a workaround to the underlying problem. The websites that Force you to use Facebook are even worse (as they force you to handover all your personal details while you are at it, which just as easily can be used for identity fraud. Many Banks, Telcos etc. only authenticate with your DOB). OpenID is better but the implementation makes it common to sign in from the website your are trying to access, making it susceptible to being spoofed.

Realistically, we need to kill the password. Two factor authentication all the way. It needs ONE trust relationship between the user and the authenticator. This could be a user ID and a token. The authenticator can have then multiple trust relationships with participating websites.

The authenticator should only provide two data points: (1) The user ID of that website (different ID to other websites so that the user can be tracked with the same ID across websites) and (2) That the user has authenticated themselves. Thats it. Most websites don't need to know your name, DOB, Vanity username, email address or anything else about you. If they need this, ask - but only if actually required - and give the user a clear option to decline or provide only partial data.

The only thing that most websites or other computer systems need is a way to tell which user profile to load up, and that the user requesting it is really the same user. A password does not prove that,

Re:Still a issue that Devs won't acknowledge

[VortexCortex]

I disagree. Zero factor authentication works beautifully for everything online.

For the physical world, there's cold hard cash -- The Great Authenticator.

Re: Still a issue that Devs won't acknowledge

[Quick+Reply]

Then how come you are posting as VertexCortex and not Anonymous coward, still needs to be a mechanism to make sure you are VertexCortex. Ideally you should be able go hit "Login" on your browser, and your browser automatically logs you in for you while using two factor in the background (once you have already two-factored with your browser when you sat down) so Slashdot knows 1. You are VertexCortex (to load your preferences and posting abilities as your name) and 2. You have proven yourself (It doesn't need to know how, it just needs to kniw that you have)

Re:Still a issue that Devs won't acknowledge

You want to kill the password and replace it with two factor. What two factors do you want to use? The password is/was "something you know." Are you going to use something else you know? Or something you have (token) and something you are (biometrics) instead?

See, posts like yours make me think you miss the benefits of passwords (or pass phrases, or by any other name you can think of). As a professional working in a company that provides several premier authentication solutions, I can tell you that passwords have value, and are entirely appropriate for some needs. And it's entirely inappropriate for other needs. For example, passwords are extremely low cost to implement when compared to "something you [have|are]" but they are often weaker than the other factors. Not every asset requires high security - I sure don't care about /. - in fact, I don't even care enough to maintain an account, which means anyone can claim to be me on this site. But I do care about my bank account, so much so that I have requested that my bank institute a block against online banking with my account.

My point is that we will not have a one-size-fits-all solution because one size doesn't fit all!

nightmare

[stenvar]

'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events.

That sounds like a security and privacy nightmare.

but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed.

Perhaps users just don't give a f*ck whether their account on some third rate e-commerce marketing site gets compromised?

If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.

Re:nightmare

[vtcodger]

If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.

That's rational.

Frankly, most password security "thinking" seems to me demented. There is no way I or most anyone else could possibly keep track of hundreds of different strong passwords with arbitrary characters, random case, etc without writing them down. And maybe not then.

And there is no practical way that I could secure that password list.

Neither is it likely that information providers can secure password information -- strong, weak or non-existent -- on their end. That's why massive password breaches are a daily event.

Bluntly, the industry's attempts at security can't and don't provide much security and are more a massive usability problem than anything else. How is "user education" supposed to overcome faulty engineering?

Look folks, the method you want to use to secure stuff simply doesn't work very well. Never has. Never will. Forget about "educating" users, and start thinking seriously about how to secure stuff, and whether most of what you are trying to "secure" actually needs securing. Maybe in decade or three you'll come up with something that works.

In the meantime. Get real.

Re:nightmare

After having my gmail account hijacked, I use keepassx to generate passwords as well as to store them. All are obfuscated, and I can't remember them. I have to open keepassx with a password and key file, and then paste the password into the clipboard and paste it into the site needing the password. It's a PIA, but I'm going to do my best to prevent another breach. Passwords, such as y5bfmEY*0JF0N46 can't easily be remembered, and are unlikely to be stumbled upon.

Don't brush your problem off on the user

[Opportunist]

I see it very often in audits, company security is facing the same problem: How to secure the network? The easy way out: The user has to do it. He has to come up with a password that fulfills the most inane requirements AND must remember it AND must not note it down.

That's the easy way out. All the burden is shifted to the user.

I consider it extremely patronizing if they then go, after a breach, that they tried to "educate" the user but failed. Well, DUH. Guess what. It's not the user's job to keep your database secure. It is his job to make sure his credentials don't get handed over to a third party, yes. But it is YOUR job to make it possible to him. And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.

Don't try to shift a problem that YOU have to solve onto your users!

Re:Don't brush your problem off on the user

[Intrepid+imaginaut]

And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.

Obligatory XKCD: http://xkcd.com/936/

Re:Don't brush your problem off on the user

[140Mandak262Jamuna]

The user has n interest to make sure that if one site he/she logs into gets hacked, the damage does not spill over into other websites. The websites have a completely different cost/benefit scenario. Security is seen s cost. Do the minimum required to identify the users, remember their settings/preferences, give users some vague sense of security. That is all the web sites are going to do. Unless the user demands better security they wont provide it. You think there will be enough users demanding more secure sites in this day and age? Most users dont even seem to know that there is something called security and privacy. No there is no incentive for the sites to provide any more security. Costs money, reduces user "experience".

So if you care about security, first take steps to make sure you can prevent spill over from one hacked site to other user accounts you have on other sites. Then evangelize about the need for better security, At some point even the twitter using teen might actually "get" it.

Keep clear text passwords on the client

[Ottibus]

Putting your password in an e-mail during the registration process doesn't mean they store it in plain text in their database.

But it does mean that they send the password in clear text rather than hashing it on the client.

Clear text passwords should never be sent over the Internet, even over secure channels.

Re:Keep clear text passwords on the client

[Ksevio]

Most website won't hash your password on the client anyways because that's sort of pointless (an attacker could just replicate the process). It's perfectly possible the server has one function that hashes the password and stores it in the database, then emails the login details in a confirmation email.

Sending out password info in email raises a whole new set of security issues for the user (intercepted or email hacked).

Re:Keep clear text passwords on the client

But it does mean that they send the password in clear text rather than hashing it on the client.

Clear text passwords should never be sent over the Internet, even over secure channels.

Umm, no. If you hash on the client, and send the hash over the connection, then the hash *is* the plaintext password. Hashing must be done on the server side, not the client - and this means you need to provide the password to the server so it can hash it.

The only ways to avoid sending passwords in plaintext involve the password acting as a shared secret, all of which require the password to be stored in plaintext (or reversibly encrypted - not hashed) on the server side as well.

Best option for passwords is salted+hashed password stored on server (using appropriate algorithm, e.g. bcrypt/scrypt), and password transmitted plaintext by client over a secure channel (e.g. SSL).

Re:Keep clear text passwords on the client

Whatever gets sent over the wire *is* the password.

Solution is simple

[smash]

Don't make users log in with their email address. Give them a randomly generated username and password combination.

This whole practice of forcing you to use an EASILY identifiable piece of information (your email) as one of the autentication factors is just retarded.

Re:Solution is simple

[notanalien_justgreen]

great, so now we have to remember both a username AND password? That'll make this whole thing even worse! Even worse, if my login is taken on one website then every website has a different log in (and password likely). So now I'm remembering 2xN pieces of information instead of just N.

Re:Solution is simple

[smash]

Yes. Put it in a keychain, paper, or whatever. You can't "remember" properly secure randomly generated passwords for each website anyhow.

Forget passwords, worry about "Secret Questions"

[Ottibus]

All this concern over passwords is ignoring the much greater problem of so-called "Secret Questions". This is a mechanisms that positively encourages people to use the same security information on every site they visit and to give answers that can easily be guessed by other people.

How many sites hash the answers to these questions so that they can't be re-used by a hacked who breaches the site (or a corrupt employee)?

How many users take care to give a different wrong answer to these "Secret Questions" every time?

The complexity and variablility of the password reset process can make this mechanism less susceptible to automated attack, but if you want to attack a specific account of a known person this is a much better route that trying to crack the password.

I just use facebook

[alen]

Lots of sites support using Facebook for authentication
So that's what I use instead of making up a fiftieth username password combo

Re:I just use facebook

[smittyoneeach]

But when FaceBook becomes FacePlant, you wind up in a steaming pile of Faces.

Re:I just use facebook

[PPH]

Yet another one has drunk the KoolAide.

Educate the users, Avoiding reuse is easy

[140Mandak262Jamuna]

1. It is in the best interests of the users to use different passwords for different sites. Simplest thing to do is to use a 8 char string as the base password and append, prepend or insert a three char string based on the web site name into it. Each site has its own password, but it would not be easy to use a compromised password at other sites. It is in the best interests of the users to do it. For sites security is just cost, they do the minimum. Rotate the base password once a year or so.

2. We should ask the more important accounts like brokerage, mutual fund, bank accounts to use a two factor authentication system. But I don't want to juggle too many RSA key fobs. I like google sending a six digit code to the designated cell phone. Google also lets you set up 10 one time pad numbers ahead of time to handle the case when the cell phone cant get texts. As a first step if they would just send me text or an email for each login event and each transaction that would reduce fraud.

3. What really bugs me is, in this day and age of social network where people are posting details of their breakfast lunch and dinner for the whole world to see, even banks use "maiden name of mother" "name of your pet" or "where you went for honeymoon" to reset passwords. That is insane. So I used to give non intuitive answers like "nissan sentra" as the mothers maiden name. But it is so difficult to remember what stupid answer I gave to which site. That is my biggest beef with these security questions.

4. No I did not switch my username and password edit boxes when I signed up for slashdot. Friends recognize the dorm addresses, rest of alumna recognize the dorm names.

Re:Educate the users, Avoiding reuse is easy

[__aaqvdr516]

What you suggest is already available via add-in password hashers on the users end. Passwords are automatically generated and salted with the URL. You can "bump" a password to change the salt. The main problems I've come across are:

1) The algorithm differs by browser, even those that say they are compatible.

2) Some password entry points don't have a hasher function built in, requiring me to either write down the password or switch to the browser to get it.

All of my password hashing efforts are moot if the server end loses their password database, though I'll only have that one password compromised.

Even with these hurdles, it's worth using the hasher.

Re:Educate the users, Avoiding reuse is easy

2. We should ask the more important accounts like brokerage, mutual fund, bank accounts to use a two factor authentication system. But I don't want to juggle too many RSA key fobs.

You don't have to. People may be used to thinking of RSA hardware tokens as something that is provided to them by the company they are doing business with, but you can BYOT (bring your own token) for your account. While corporate VPNs are likely to have policies against that just as they commonly have policies against bringing your own computer, most private uses are happy to let you save them $35 by enrolling a token you already have.

Get a free RSA token from ETrade and use it at PayPal, or get a token from your bank and also use it at your brokerage. You will have to call tech support at your bank/brokerage/etc to enroll rather than use the preprovided web forms when you BYOT, but it works.

For example, here's some folks talking about how to BYOT to Fidelity brokerage accounts http://www.bogleheads.org/forum/viewtopic.php?f=2&t=108267. That's a broker who isn't even known for supporting two-factor authentication for customers!

Re:Educate the users, Avoiding reuse is easy

[140Mandak262Jamuna]

My problem with such hasher is that, I did not write it. I am not trusting all my passwords to some binary blob. How do I know the add-on/extension/app is not phoning home all my passwords to some chinese hackers? That is why I use my own brain to do the hashing and salting. I am not so paranoid about passwords to minor accounts like slashot or app dev. Even medium level accounts like amazon or gmail is ok. But each my bank/brokerage account gets a personalized password that is not written down, not generated by an app, extension or add-on, not saved by the browser. Unless I can avoid it, I log into these accounts from exactly two computers. One from work (out of the four I use at work) and one from home (out of the seven internet devices at home network).

Re:Educate the users, Avoiding reuse is easy

[140Mandak262Jamuna]

Thanks, I have a free key fob from ETrade. Let me check if schwab would accept it and if quicken would handle it right.

Re:Educate the users, Avoiding reuse is easy

[dinfinity]

Simplest thing to do is to use a 8 char string as the base password and append, prepend or insert a three char string based on the web site name into it.

I used to do this, but the problem is that it only protects against automated attempts to abuse a compromised password. If I happen to have bought something at EvilWebshopHosterX and made an account with BasePasswordEWHX, it's easy for anyone that gets their hands on the password to figure out all my other passwords based on the scheme.

Rotate the base password once a year or so.

This is a terrible hassle and generally leads to having to try multiple base passwords before giving up and using the password reset mechanism because at that particular website, none of the base passwords plus the website specific scheme were allowed by retarded password restrictions.

The main point is that I just don't want to trust any entity with key information that can be used for doing other things. Things like LastPass generated unique tokens and application specific tokens are things that remove that risk, although of course pretty much everything is compromised if your emailaccount used in password reset mechanisms is compromised.

Re:Educate the users, Avoiding reuse is easy

Thanks, I have a free key fob from ETrade. Let me check if schwab would accept it and if quicken would handle it right.

Etrade, like PayPal, Schwab and many other consumer-oriented sites, actually uses a hardware token from Symantec's Verisign Identity Protection (VIP) ecosystem. At https://idprotect.verisign.com/learnmoretoken.v you'll see a picture with VIP tokens where one looks exactly like (except for branding) the free one you could have gotten from Schwab and the other looks exactly like the one you got from Etrade. Because Schwab also gives out VIP tokens you may need to make it clear that you already have a token and just want to enroll it to your account. When Schwab signed up with VIP they made it clear that they supported its goal of using one token across multiple sites http://www.securitiestechnologymonitor.com/issues/20060604/17672-1.html

Schwab actually gives Quicken, but not Mint, an interface that bypasses the token check. Convenient for you in that your Quicken usage won't be affected, but not as secure. I never used Schwab's iOS or Android apps so I don't know whether they enforce the token check on access through those interfaces like Etrade does. You'd think they should but its amazing how short sighted brokerages and banks can be about extending good security to their retail customers.

Re:Forget passwords, worry about "Secret Questions

I use a 2nd password as the "answer" to any secret question. Answering it correctly is a security risk since it can be guessed.

Passwords get reused because the web sites that

[mark_reh]

need a password allow the user to select their own, usually insecure password. If each web site generated a secure password/phrase for you this problem would go away. The problem is that people would complain about having to store/remember complex passwords. What is needed is ubiquitous and automatic password management software/hardware that works on any computer, phone, or tablet.

Programs/services like LastPass can make storing/using passwords easy, though their mobile phone app isn't very good compared to the browser app. 2nd credential devices like Yubikey and Google Authenticator are OK too, but there's still too much messing around to do to use them, though I suppose there is some minimal amount of messing around that will always be necessary to prove that you are who you claim to be.

Edit the spam solution form

[Antique+Geekmeister]

The old spam solution form at http://craphound.com/spamsolutions.txt covers most of the solutions being proposed here.

        http://craphound.com/spamsolutions.txt

Common spam problems such as "Ease of searching tiny alphanumeric address space" and "Jurisdictional problems" translate easily to the common password problems of "sending passwords via email is inherently insecure" and "requiring unique passwords for each trivial new website creates enormous keychains that are not safely portable to new computers or software clients"..

Do it in Firefox

[sunderland56]

Firefox already has password tools - it can optionally store the password from different sites. It should be simple to extend this to warn the user if any two passwords are the same.

Firefox uses *local* storage for this, on the user's computer, so it will be more secure than any remotely-hosted solution.

Low and High Security

[AndyCanfield]

I have a low-security password that I use for Slashdot and most web sites. I have a very high-security password that I use with my bank (it depends on a number that has not been written down anywhere for fifty years). The idea of needing a unique password for every web site is rediculous. What do I care if yahoo.com is hacked and somebody logs in to Slashdot as me? Impersonation is not a serious problem.

(Result: I can not guarantee that I wrote this message. So what.)

Simple Solution

Why does every dammed web site needs it's on password in the first place?

No human is able to remember them and (together with weird complexity rules and change intervals).

I have not seen a working cross platform (all major OS(Windows + Mac + Linux in different versions), all desktop browsers, smartphone, tablets) roaming keychain solution I trust.

So Open ID Connect (easier ti implement than the clumsy OpenID spec) could be one solution. It reduces the number of passwords to remember, the number of registrations (and confirmation emails). Maybe the only missing piece here is a mechanism to link more than 1 account together (so that the impact of a disabled account (for whatever reason) could be solved easily.

Single Sign On

If you have a central service doing this, you might as well just have it be a single sign-on service, in which case password reuse isn't a problem because you only have one anyway.

Wrong approach in use. Secrets should be local

[Morgaine]

The sites that are calling for better password choice need to step back a bit and consider whether their design concept of storing user passwords centrally is a good one. It's not, so they should get rid of it instead of applying band aids to a bad scheme.

It doesn't matter what encryption scheme is used, if authentication secrets are stored centrally on a website then they are at risk. Good sites make it hard to crack, and poor sites make it easy, but they are all at risk, from internal employee corruption if nothing else. Those secrets will leak because when stored at a single point then they are all accessible to the attacker at a single point. Leakage is just a matter of time.

A vastly more secure approach that's been well known for decades is for the user to store their secret locally as a private key, one half of a {private,public} key pair. The server only gets to know the public key (PK), and it's pointless for an attacker to crack that because the PK is public information that can be distributed freely through keyservers. (The PGP/GnuPG keyserver network has been doing this for decades.)

When a user creates an account on some website, she provides the identifier of her chosen PK (she may have lots of them). When logging in to the account subsequently, the server looks up her PK identifier in the info for this account, fetches her PK from the keyservers, then it sends her a random string encrypted with her PK. She decrypts it with her private key (which is only held locally by the user, nowhere else) and sends the decrypted string back. The server accepts the login if the returned string matches the random string that it picked, which is not stored and varies on every login, and rejects the fraudulent login attempt if the match failed.

That's strong distributed security, and it's resistant to MITM attacks and does not store any authentication secrets on the central service so those secrets cannot leak when the service is compromised.

It's not rocket science. Why this old but secure scheme isn't used by websites is quite a mystery.

Re:Wrong approach in use. Secrets should be local

If a user only ever logged in from one device, this would be great.
But people don't want to have to copy/sync their collection of private keys over their various home, work and mobile devices.

Re:Wrong approach in use. Secrets should be local

You only need to have as many keys on your keyring as you want, possibly only one, depending on your level of paranoia or your need to keep different identities separate. And syncing your keyring to multiple devices is beyond trivial. What's more, the keyring almost never changes once you've established a desired set of key identities, so the syncing "problem" goes away entirely because the keyring doesn't need to be updated for each new account you create.

And while I dispute your claim that syncing or copying the keyrings is a hardship, it can be avoided entirely by services allowing multiple keys to be associated with an account, so you can use a different key per gadget.

Re:Wrong approach in use. Secrets should be local

A different key per gadget is a good idea anyway, because then if you loose one gadget or it's stolen and they brute-force the passphrase on its keyring, this will only give them access to one key instead of to all of them. Your other gadgets are still safe even if you used the same passphrase on them, because they'd have to steal these other gadgets too to be able to use their keys. That's another benefit of non-centralized secrets.

Also, when one gadget is stolen then you can immediately revoke its public key without affecting all your other keys, so it's a good approach.

Re:Wrong approach in use. Secrets should be local

[swillden]

That's impractical.

10 years ago, I'd have been right with you on that. Five ago I realized that key management is harder than it appears. Today I know that it's just impossible for the general public to do. Too many devices, none of which are very secure, and each of which represents a single point of failure. Not only that, users want mobility. They don't want to be tied to a single device, or even a small set of devices -- and that's entirely reasonable.

On the other hand, there's nothing fundamentally wrong with password authentication, if it's done right, and if the user only needs one password -- not a password per-site. The problem is that managing passwords correctly (on the server side) is much harder than it appears, and there are many sites.

The solution is single sign on, and we've already implemented it: OAUTH.

Re:Wrong approach in use. Secrets should be local

Exactly what I'm (re)discovering.

By keeping the secret key local, there is nothing to gain from the site by breaking into it.

But there is more to gain, by having each site sign the public keys into certificates we can have secure private communication. And with DNSSEC/DANE we can create global secure messaging.

See http://witmond.nl/eccentric-authentication/introduction.html

Lastpass

[sdo1]

I don't know why more people don't use solutions like Lastpass. I have one very long and difficult to guess password (but easy for me to remember), and every site I visit has a unique psudo-random gibberish password. If a site does something really stupid like store passwords of their users in plaintext, a breach will only allow access to that site since that password is used nowhere else. This method is impervious to dictionary attacks, hash-table lookups, etc. It's a tiny bit of an inconvenience, but it's very secure and I don't have to worry about breaches like this at all.

-S

Completely missing the point

[swillden]

The problem isn't that users use the same password on every site. The problem is that users have to create login credentials for every site they use.

That multiplication of logins is extremely inconvenient for users, and it's simply not practical for people to create good, unique credentials for every site and memorize them all. So people who care a lot about security are are willing to put in the effort (read: anal geeks) use encrypted password stores and such. Everyone else (read: 99+%) uses the same password or small set of passwords on all sites.

What's really stupid is that we have already solved this problem, and in a much better way then Jen Andre proposes. The solution is single-sign-on. Delegate account management and authentication to a trusted third party (TTP). Even better, allow many organizations to act in this role. Best of all, allow users to choose which TTP they want to use, or even to act as their own.

We've already built this. It's called OAUTH. Moreover, there are already a bunch of high-profile OAUTH implementors acting as TTPs -- and nearly all Internet users already have an account with at least one of them (e.g. Google, Facebook, Yahoo, Microsoft). For that matter, there are a number of sites already taking advantage of it to provide nearly zero-effort login (for example, stackoverflow is one that many slashdotters may use).

The common security objection to this approach -- that centralizing your authentication in a single account creates a single point of failure for your security -- ignores the fact that your web security already has a single point of failure, even if you use unique, strong passwords for every site you visit. That SPOF is your e-mail account, because essentially all web sites use the ability to receive e-mail as the golden key that bypasses all of their other security mechanisms.

But, with OAUTH you still have the ability to use different providers, and even to set up your own on a server you control if you like. You can choose the tradeoff between centralization and decentralization you like. No relying site will ever see any of your credentials. You can also pick a provider based on the level and type of authentication security they provide. Personally, I'm very happy with Google's two-factor authentication -- but OAUTH imposes no restrictions. Want certificate plus one-time-password plus fingerprint plus retina scan plus 100-word passepic? Fine. Find (or build) a provider that does that. Want nothing at all? You can have that, too.

And whatever you choose, none of the relying sites will ever have any of your credentials. Which means creators of those sites can't screw up storing your credentials.

The only thing that's required to make all of this work, for real, everywhere, is for sites to offer OAUTH authentication. It's easy, it's super convenient for users, it's as secure as the provider.

Some sites might choose to limit the providers they'll accept, on the theory that users can't be trusted to choose a good one. That's annoying and obnoxious, but whatever. Some sites (like banks) might decide that they simply have to do their security themselves because they can't trust anyone else, and They Are A Bank. Okay, fine, though such sites should be a tiny minority (and, frankly, as someone who worked as a banking security consultant for over a decade, and now works for Google doing security, Google -- and, I would expect, the other major Internet properties -- do a far, far better job at online security than virtually any bank).

The solution is to make OAUTH the default, expected login mechanism all over the web. It provides dead-simple, reasonably high security authorization for the masses and allows the paranoid to build/buy whatever they want.

Re:Completely missing the point

OAUTH could have been nice, but Google, Facebook, etc. just see it as an opportunity for more data gathering.

If Google et al cared more about security than violating my privacy they would support a single sign standard on that didn't enable the correlation of user activity across sites.

This will never happen.

Re:Completely missing the point

[swillden]

OAUTH could have been nice, but Google, Facebook, etc. just see it as an opportunity for more data gathering.

If Google et al cared more about security than violating my privacy they would support a single sign standard on that didn't enable the correlation of user activity across sites.

This will never happen.

Did you not read my post?

If you don't want to use Google as your OAUTH provider, don't! Pick a different one. If you want one that guarantees not to violate your privacy, find one that makes that guarantee. Don't trust guarantees? Fine... run your own OAUTH provider. It's as simple as setting up a server and installing some software.

As for your theoretical single sign-on standard that doesn't enable the correlation of user activity across sites, by all means please tell us how such a thing would work. Keep in mind that the authentication must be portable, that I should be able to authenticate on a friend's computer roughly as easily as I can on my own, and that complex key management schemes are barely usable by geeks and completely unusable by everyone else.

Re:Completely missing the point

God you're an ass.

"Run your own OAUTH server"? No way in hell would Google allow their login processes to accept authentication decisions from Joe's bedroom OAUTH server. Quit being disingenuous.

"Doesn't enable correlation of user activity" - the poster you're responding to never said he wanted a standard that was impossible to abuse, he said he wanted major service providers to accept a common authentication from a provider who has not already demonstrated that they intend to abuse the collected information. Now if the major service providers had announced plans to use an authentication service provided by EPIC or the EFF ... but Google et.al. made it clear they won't give up that tasty marketing data.

Re:Completely missing the point

Original AC here. What single OAUTH provider allows me to sign on to both Facebook and Google? As long as the answer remains "none", we will never have single sign-on.

My complaint about correlating activity with OAUTH was that it allows every site to correlate information because they all get your user ID. But reading further I've just discovered that Google does this properly - it allows logons that leak no identity information (it provides a random ID). However, I can't find a site that will accept such a logon!

In summary. The big sites won't accept anybody else's OAUTH. The little sites won't accept anonymous logons from the big sites.

I understand that the OAUTH provider will always be able to correlate everything, but this problem would be greatly mitigated if we actually had a real choice of OAUTH provider. As I said, this will never happen.

Re:Completely missing the point

The common security objection to this approach -- that centralizing your authentication in a single account creates a single point of failure for your security -- ignores the fact that your web security already has a single point of failure, even if you use unique, strong passwords for every site you visit. That SPOF is your e-mail account, because essentially all web sites use the ability to receive e-mail as the golden key that bypasses all of their other security mechanisms

That single point of failure is unlikely to cause your entire userbase to be compromised in a single breach. A single user's email gets breached and it doesn't impact everyone on your service. A single webmail site gets breached and that affects only the accounts for your service that use those webmail accounts. Unless all your users use the same webmail, you still don't have a *single* point of failure.

You also ignore the ability to use multiple communication channels to communicate a password reset to your users. Email, text message, and even snail mail are options for verification, and each is appropriate for different levels of security. Remember: neither everyone nor everything requires uber-ultra-mega-secure-perfect-in-theory security.

Re:Completely missing the point

[swillden]

The common security objection to this approach -- that centralizing your authentication in a single account creates a single point of failure for your security -- ignores the fact that your web security already has a single point of failure, even if you use unique, strong passwords for every site you visit. That SPOF is your e-mail account, because essentially all web sites use the ability to receive e-mail as the golden key that bypasses all of their other security mechanisms

That single point of failure is unlikely to cause your entire userbase to be compromised in a single breach. A single user's email gets breached and it doesn't impact everyone on your service. A single webmail site gets breached and that affects only the accounts for your service that use those webmail accounts. Unless all your users use the same webmail, you still don't have a *single* point of failure.

I was speaking from the user's perspective, not the site's perspective.

And your argument applies equally well to using OAUTH... a breach of one user's OAUTH provider account affects only that user. And a total breach of an OAUTH provider affects only the subset of your users using that provider.

You also ignore the ability to use multiple communication channels to communicate a password reset to your users. Email, text message, and even snail mail are options for verification, and each is appropriate for different levels of security. Remember: neither everyone nor everything requires uber-ultra-mega-secure-perfect-in-theory security.

All of which applies in exactly the same way in an OAUTH world.

I don't think you know what you're talking about.

Re:Completely missing the point

[swillden]

What single OAUTH provider allows me to sign on to both Facebook and Google? As long as the answer remains "none", we will never have single sign-on.

This is a valid point. The OAUTH providers need to get with it and start accepting OAUTH from others. I'll file a bug in Google's bugtracking system. Google is the right company to start that trend. There may be some concern that crappy OAUTH providers might be used to do an end-run around Google's own spam account creation mitigation efforts (Google works hard to make it difficult for spammers to create lots of Google accounts), but hopefully most of those efforts are independent of the authentication mechanism.

My complaint about correlating activity with OAUTH was that it allows every site to correlate information because they all get your user ID. But reading further I've just discovered that Google does this properly - it allows logons that leak no identity information (it provides a random ID). However, I can't find a site that will accept such a logon!

Ah, so you're not so much concerned (or not only concerned) about Google correlating your cross-site usage, but about all of the other sites getting together to correlate your usage, independently of Google (or whoever your OAUTH provider is) but using your common OAUTH ID.

Do you have link to the random ID stuff from Google? That's intriguing.

Given a web site that accepts true OAUTH (not just "log in with Google, Facebook, or Yahoo"), you could make your own OAUTH provider that gives you random IDs which can be used with different sites. I'm sure that's what Google is providing, though I'd still like to read the details.

I understand that the OAUTH provider will always be able to correlate everything, but this problem would be greatly mitigated if we actually had a real choice of OAUTH provider. As I said, this will never happen.

There are a few sites I know of that accept arbitrary providers. Stackoverflow does, for example. I agree that we need to get more sites accepting any openid, rather than just one of the big providers. But that's a per-site decision... and so is the -- vastly inferior -- approach proposed in TFA. If sites were willing to adopt TFA's idea, they should be even more willing to adopt OAUTH.

The fact that OpenID/OAUTH isn't as widely deployed as it should be, or deployed in the right configuration, isn't a reason to dismiss the technology, it's a reason to get it deployed more widely, and correctly.

Re:Completely missing the point

[swillden]

"Run your own OAUTH server"? No way in hell would Google allow their login processes to accept authentication decisions from Joe's bedroom OAUTH server. Quit being disingenuous.

I'm not being disingenuous at all, and I really believe that Google should be willing to do exactly that. No matter how horribly broken it is, Joe's bedroom OAUTH server can't compromise Google's login process in general, only the users who choose to use Joe. I could see Google throwing up some strong warnings, and there may be some issues around account creation control -- if Joe's bedroom OAUTH server could be used to facilitate mass-creation of gmail accounts for use by spammers, for example, that would be a problem, but I think most of those controls are independent of authentication mechanism.

I should mention that I don't work on Google's account management or authentication systems, so there may well be technical issues that I'm unaware of that prevent this. But I doubt it.

a provider who has not already demonstrated that they intend to abuse the collected information

I take issue with the claim that Google has demonstrated they intend to abuse the collected information. I think Google behaves quite responsibly with their collected information and that they're quite clear with users about how it will be used. I grant that it's always possible that some future version of Google might behave differently, but I challenge you to show any case of Google abuse of collected information. At most you can point to a couple of instances where Google collected information that perhaps they should not have, but none where that information was abused.

Re:Completely missing the point

do you mean OpenID?

http://en.wikipedia.org/wiki/Oauth#OpenID_vs._pseudo-authentication_using_OAuth

Re:Completely missing the point

No, you completely missed the point. The point isn't necessarily to enforce strong passwords. Let's say you had different accounts and passwords on every site you used, yet somehow (via shoulder surfing or password guessing or whatever), one of your accounts was compromised anyway.

This solution isn't intended to replace a single sign on, but to add an extra layer of security by having a third party audit log that you could run analytics on to potentially alert you if some login or account activity looked suspicious. This could work in concert with oauth or openid, or any increased security -- if I use my oauth credentials on site "A" at 8am from Nigeria, and I have an audit log entry that tells me that is not normal, I can assume my oauth credentials may be hacked.

Re:Completely missing the point

Spam accounts needn't be a problem. You could use the usual account creation mechanism with all its checks, then allow an OAUTH provider to be associated with the account. Or add the anti-spam checks to the login path the first time an OAUTH identity is used.

This was the page: "Google sends a random code to third-party sites to enable you to sign in to these sites with your Google Account. This code doesn't reveal any personal information.". I was assuming this was done properly and the random code was unique for each third-party site, but I may well be wrong.

Stackoverflow isn't great. It won't accept an "anonymous" logon from Google. If you won't give up your email address you can't log in.

Anyway, thanks for engaging. AC is usually ignored.

Re:Completely missing the point

[Ash-Fox]

Unfortunately, this doesn't work. Google, Yahoo, Microsoft, Facebook etc. won't let me login to my account with my own oauth provider. Yet they claim to support oauth.

Re:Completely missing the point

My problem with OAUTH is that Google won't let me use my own oauth-server to identify to them.

The missing point is control over accounts.

With OAuth, I lose that control. Using google's oauth server to log into my bookstore/newspaper/slashdot gives google the ability block each of those at their whim. They promise not to be evil but *require* me to *trust* them to get some security.

I've come up with an different way. It deploys DNSSEC/DANE and First Party CA's. It provides security that can lead to trust.

Please see http://witmond.nl/eccentric-authentication/introduction.html

The thing is ...

[MacTO]

I have numerous accounts for everything from forums to banking. Some are clearly important, while others are not important. The important accounts get the strong passwords, passwords that aren't reused (even in terms of a significant modification). The unimportant accounts have reused passwords, with the only real rule being that the password is different from accounts that may somehow be correlated (e.g. through their authentication mechanism or username).

The problem with preventing reuse is (a) every service thinks that they are the most important thing since the creation of the universe and (b) strong, non-repeated passwords have their own inherent insecurities.

By inherent insecurities I mean things like people recording their passwords. Written records and unencrypted electronic records can be read by anyone. These digital key managers secure all passwords with a single password, may they be locally hosted or remotely hosted. Records of any form run the risk of tying all accounts together rather than keeping them separate. Even those who memorize their passwords run the risk of entering the password for service A into service B.

Of course the people who think about security usually think about the things that they can control, which is the combination of bits. They rarely seem to address the psychology of the people using their mechanisms (outside of complaining or making unrealistic demands). If they want to create secure systems they need to apply human psychology, and recognize that security is often being applied where it is unimportant.

The bottomost line

People make secure systems insecure because insecure systems do what people want and secure systems don't.

I wish I'd said something that pithy, but it was James Grimmelmann who did.

Re:The bottomost line

[PPH]

Or someone logged in as James Grimmelmann did.

Paypal sucks again

kind of how Gmail will alert if I am logging in from a strange location

Unlike PayPal which just fails with no remedy if you try to pay for something from outside your usual country.

Why are we still using passwords?!

Why don't sites support two-way SSL? If everyone had a cert signed by trusted Certificate Authority then we could eliminate manual login. The trick would be making it easy/cheap for everyone to generate keys and csr's, and install the cert. Current tools for that are probably beyond the ability for 99% of Internet users.

Re:Why are we still using passwords?!

[Eccentric-Dude]

Why don't sites support two-way SSL? If everyone had a cert signed by trusted Certificate Authority then we could eliminate manual login. The trick would be making it easy/cheap for everyone to generate keys and csr's, and install the cert. Current tools for that are probably beyond the ability for 99% of Internet users.

Using client certificates from global Trusted third parties has a problem. Loss of privacy. That's why we still use passwords. These leave the choice to users. See: http://witmond.nl/blog/2012/11/21/why-we-still-use-passwords.html

Adult sites doing this well for years, Strongbox

[raymorris]

The sites can only send new log entries to the third party server, not modify existing entries. Any bogus records would have the effect of locking down the accounts that the hacker is sending bogs data for. Adult sites have been doing this for many years using systems like Strongbox, and it works.

To clarify something other people brought up, the remote audit system doesn't store passwords. It stores information about log-in events - who logged in from where, using what type of hardware, which browser, which version, etc. It then audits that information. Suppose for the life of your account you've always logged in from Kansas, US, on either a Mac using Safari or an iPad. Today, someone claiming to be you is trying to log in using a Windows XP machine in Russia, and also someone claims to be you logging in from a web server in China. The system would flag that, knowing the web server is probably a zombie.

That's a very basic overview of a fairly complex system, but if you've ever visited a site like members.GirlsGoneWild.com you've already had this type of auditing system protecting your account.

No, the audit system doesn't store passwords.

[raymorris]

The audit system doesn't store passwords. It stores information about log-in events - who logged in from where, using what type of hardware, which browser, which version, etc. It then audits that information. Suppose for the life of your account you've always logged in from Kansas, US, on either a Mac using Safari or an iPad. Today, someone claiming to be you is trying to log in using a Windows XP machine in Russia, and also someone claims to be you logging in from a web server in China. The system would flag that, knowing the web server is probably a zombie. Adult sites have been doing this very successfully for years, using systems like Strongbox.

That's a very basic overview of a fairly complex system, but if you've ever visited a site like members.GirlsGoneWild.com you've already had this type of auditing system protecting your account.

Mozilla Persona

No more need to store passwords on the site (unless your are an idendity provider), no more need to try mitigating the reuse of the password...
https://login.persona.org/about
https://developer.mozilla.org/docs/persona

Third party?

[PPH]

Hmm. Now who might be offering just such services?

I thought I checked "Ads Disabled".

How to enforce unique passwords

1. Let users create accounts with passwords
2. Set up a bot that tries the name/password combination at every other site.
3. When login succeeds at another site, use the opportunity to delete/terminate the other account.
4. Profit?

RADIUS

[Jaime2]

So... they want to reinvent RADIUS... again.

Browser-generated GUUID passwords?

Since browsers cache passwords for me, and I don't remember them anyway because I never type them after the browser remembers them for me, why not have a browser plug-in that generates GUUID passwords? Each site would have a unique browser-generated password, so if one was compromised, that would be it. Good luck cracking my password with John the Ripper. Human-understandable passwords seem unnecessary.

Lets force another system on people because...

Why are we even bothering with this concept? People need to be responsible for their own security. If each site clearly posts instructions on why a strong unique password or a token is a good choice then that should be enough. If the user decides that they want to make all of their passwords for multiple sites the same simple password then let them. They make a clear choice and they can live with the results (good, bad or indifferent).

I think that this situation is similar to a lot of other non-online life situations. Quit coddling and hand holding me through a limited number of choices just because someone else is not willing/able to make what others consider to be "good decisions".

If your site doesn't believe that a strong password is enough and wants to offer another type of verification or your customers are requesting it then fine make those available. But don't force me to use a "better" system because of that.

"Simple" hashing solution

[aaarrrgggh]

First off, static passwords will never be secure as a keylogger can intercept them. A perfect solution would allow for challenge-response on the meat-space side.

I was starting to get some obnoxious password requirements and actually needed secure passwords that would not be stored in "keychain" on the mac or on a post-it note. My solution was to make a simple script that concatenated a built-in token with one of my common passwords and the website name, made a MD5 hash and packed it into a 12-character quasi-uuencoded form (some characters were forbidden). It is a kludge, but it avoids password re-use, and I can change the website name to something I associate the website with if I am feeling especially paranoid.

Re:Adult sites doing this well for years, Strongbo

The adult industry does not do this to protect your account.

They do this to stop credential sharing. It was (is?) common to find websites listing logins for adult sites. By auditing the login process they can detect these leaked/hacked/shared/given-away credentials.

Why let users choose their passwords?

[gozar]

If you are going to do this, then why even let the user choose their password? Use an algorithm to create user's passwords (for example, randomly select a length, then randomly generate a password). Guaranteed strong passwords.

Yes, users will write it down. Is this worse or better than what is happening now?

(For the most part, I prefer OAUTH. I let Google handle the two factor authentication.)

great, so they capture all my logins...

So they can "compare them"?
Perhaps they'll see all my logins are different, but I use the same scheme... ie MyDumbAssPW1...MyDumbAssPW2...MyDumbAssPW3...etc

Re:Forget passwords, worry about "Secret Questions

[Hognoxious]

It wouldn't be so bad if they let you choose your own question. Very few do this. Apart from the kid who shat himself doing the long-jump who remembers (or could find out) the kid who shat himself doing the long-jump?

As you say, lying consistently is very difficult. Even if you adopt a persona, you have to remember for each site whether you answered as the guy who played left tackle in HS, Donald Sinden, or Baruch Spinoza.

GO JSON!

JSON has officially overtaken XML.

See if you can hack the user

[halcyon1234]

Welcome to Joe Schmoe's website. Please create your account.
Username: halcyon1234@example.com
Password:12345
Checking...
Server-side...
IF EmailLoginChecker.TryLogInToMailSystem("example.com", "halcyon1234", "12345") THEN
Error = "You're using the same password as your email address. We're mitigating that risk. Idiot."
ELSE RegisterUser();
END IF

Re:See if you can hack the user

[mysidia]

Sounds like a way to get your IP address banned by example.com in short order, and maybe some abuse complaints, about hacking attempts from your web server...

This scheme is worse for that.

[Tatarize]

Well, if you did that. You'll love this scheme in the above post. You'll have a central site telling you that that login and email is useful somewhere. It's like printing theft gold. You won't even need to try it blind, it'll just flag it and tell you if they gave you a useful username and password.

*chaching!*

Password Algorithms

[Tatarize]

The problem there is that if they get a plain text password it might be determinable, also there's too much secondary issues.

A better password algorithm is something like preface the passwords with something like #1 (for the alpha numeric requirements) and then invent a word alphabet for the letters like various animals. So say you take the last three digits of the site name. Here DOT, you'd have a password #1DogOstrichTurkey -- It would be unhackable, hard to figure out how you made it, and you'd be able to dodge those alphanumeric and capital lowercase letter issues. Site unique and with enough bits to make take a few hundred years to brute force, and you'd never forget it.

* For those curious, no I don't use a password anything like that don't fucking bother.

Passphrases

[zlel]

Why don't we just accept modified song lyrics that produce zero google matches as pass phrases?

Plaspass is a Cloud service

[krischik]

If your Lastpass DB is corrupted, goodbye passwords.

The Lastpass DB is stored in the cloud and is synced over several devices. Pretty unlikely.

And before you say it: The Lastpass DB is Client site encrypted using the master password. So the master password is something I know and all the other “passwords” are indeed now token.

After very tight comes very loose

[krischik]

for example, randomly select a length, then randomly generate a password

Because then users will write them down. As they say in mechanics: After very tight comes very loose. (as in: the screw breaks off).