Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mitigating Password Re-Use From the Other End

Posted by Soulskill on from the 12345-goaway-letmein dept.

An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious— kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"

5 of 211 comments (clear)

  1. Re:how about store your passwords properly? by Trepidity · · Score: 3, Informative

    Replying to self: It looks like LivingSocial actually has switched to bcrypt now. But not early enough!

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  2. You just made it easier for cracking. by mjuarez · · Score: 3, Informative

    So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?

  3. Re:Forcing strong passwords in the first place. by AK+Marc · · Score: 3, Informative

    The problem is that you have to remember those passwords.

    That's what post-its are for.

    Seriously though, I save passwords in a browser or other keychain management program.

    --
    Learn to love Alaska
  4. Re: Forcing strong passwords in the first place. by Anonymous Coward · · Score: 5, Informative

    1) LastPass

  5. Re:Forcing strong passwords in the first place. by Octorian · · Score: 4, Informative

    KeePass and all its related implementations (KeePassX, etc, etc.).
    This is the only family of password management apps I've found that both share a common database format, and have functional implementations even if your platform-of-the-moment isn't "hip enough" for a more polished solution to care about supporting.