Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mitigating Password Re-Use From the Other End

Posted by Soulskill on from the 12345-goaway-letmein dept.

An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious— kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"

61 of 211 comments (clear)

  1. Forcing strong passwords in the first place. by bejiitas_wrath · · Score: 4, Interesting

    This seems like a good way to enforce strong password policies. if they are strong enough; they should help prevent password re-use. The only problem with this is the problem of people writing these down. We need a better online authentication system for 2013.

    --
    liberare massarum ex ignorantia, clausa descendit molestie.
    1. Re:Forcing strong passwords in the first place. by war4peace · · Score: 5, Insightful

      LastPass used to scream at me when I was doing that, so I disabled that functionality.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:Forcing strong passwords in the first place. by neokushan · · Score: 2

      How does using a strong password prevent password re-use?

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    3. Re:Forcing strong passwords in the first place. by adolf · · Score: 5, Insightful

      How does using a strong password prevent password re-use?

      It doesn't. I believe it may even encourage re-use.

      --
      Kid-proof tablet..
    4. Re:Forcing strong passwords in the first place. by Dunbal · · Score: 4, Insightful

      How about instead coding a site properly so it won't get hacked in the first place? Put the effort and resources there.

      --
      Seven puppies were harmed during the making of this post.
    5. Re:Forcing strong passwords in the first place. by AK+Marc · · Score: 4, Interesting

      No, they can't. There are a number of sites with incompatible password standards. If sites standardized on incompatible standards, then there wouldn't be an issue. I've seen some with 8 char requirement (no more, no less), and others that require more than 8. Some must start with an alpha, others that must contain a capital, lower, special, and number, so make requirements that are incompatible. Some must start with an alpha, others must start with a number.

      Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.

      Or, forget caring. If they lose control of a password, then it's their fault.

      --
      Learn to love Alaska
    6. Re:Forcing strong passwords in the first place. by ldcroberts · · Score: 2

      easy, just take the users attempted password and user name and try and log in to any of 100 other sites with it, if you can then reject it.

    7. Re:Forcing strong passwords in the first place. by Yaotzin · · Score: 3, Insightful

      Or, the other solution is assign the password, and don't let the user change his own. When it expires, a new one is generated. No reuse can happen when the user can't set any of their own passwords.

      It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse). At the moment I have 6 different passwords (8-10 char) in total, but they're mostly variations of the same base. Anything more complex than that and I would lose track.

      --
      Error: No error occurred
    8. Re:Forcing strong passwords in the first place. by AK+Marc · · Score: 3, Informative

      The problem is that you have to remember those passwords.

      That's what post-its are for.

      Seriously though, I save passwords in a browser or other keychain management program.

      --
      Learn to love Alaska
    9. Re:Forcing strong passwords in the first place. by leaen · · Score: 5, Funny

      My passwords all come in the following variations

      yyyyyy
      xxxxxxxxxx
      Xxxxxxxxxx
      Xxxxxxxxxx1
      Xxxxxxxxxx_1

      You missed one of variations. I tried them all but I cannot login

    10. Re:Forcing strong passwords in the first place. by Arancaytar · · Score: 2

      Password policies are voodoo. They may make it more difficult for stupid users from using weak passwords, but they do not reliably prevent it, and they actively inhibit the use of strong passwords.

    11. Re:Forcing strong passwords in the first place. by sosume · · Score: 2

      Exactly. I hate it when some site first forces me to register, and then even has the balls to require a complicated password, assuring in the process that I won't become a returning visitor.
      My usual password strategy is that I use a one very simple password for all systems that cannot harm me in any way. Such as news sites, free games, etc. Who cares if anyone can post under my name. For paid-for stuff and sites I leave personal details etc, I use a strong password, with alternating user names. Then when I need access, I check my mail archive to retrieve the username and voila. But for the real deal, paypal, google, banking and my pc login, it's a whole different ballgame. Strong individual passwords, and I change them each time after use on an insecure network, or when switching projects. But there are only four of those. It's just a waste of brain cells to have to remember 100s of user names and passwords, and change them frequently too. And I do not trust external applications or plugins to remember them for me.

    12. Re:Forcing strong passwords in the first place. by T-Bone-T · · Score: 5, Interesting

      +5? The only way to keep a website from getting hacked is by not connecting it to the internet in the first place. Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.

    13. Re:Forcing strong passwords in the first place. by peragrin · · Score: 4, Insightful

      1) I use five different operating systems. (Osx , ios, linux, windows, android ) name one keychain program that can be used across them all and keep that program easily sync'd?

      2) You push the point of failure onto the keychain program. if you want to get someone all you have to do is crack their keychain and they are screwed.

      3)what happens when your keychain program gets corrupted? a simple hard disk failure now prevents you from ever logging in again.

      --
      i thought once I was found, but it was only a dream.
    14. Re:Forcing strong passwords in the first place. by flimflammer · · Score: 2

      I am so sick of websites that try to force "strong" password creation by creating their own rules. I have several strong passwords that I use that aren't considered "strong" by many websites (it is a nonsensical sentence with misspelled words). When you force me to add capitals and numbers and likely symbols, it's just going to cause me to change "thequickbrownfoxjumpsoverthelazydog" to "Thequickbrownfoxjumpsoverthelazydog1$" and then when attempting to log into the site I'll have to enter several variations until I remember what specific version of "strong" this particular site is trying to shove down my throat before I can log in.

      My password is secure enough without you complicating things further by requiring certain characteristics.

      On another note, it amazes me how often websites will enforce "strong" passwords, but have a length limit. You want a capital, a number, a symbol, but it can only be between 8 to 12 characters long? What?

    15. Re:Forcing strong passwords in the first place. by Antique+Geekmeister · · Score: 2

      And you'll send them the passwords email, which is consistently monitored for passwords and stored with poor security? And your "keychain" program is tied to one client, and a graphical environment, and that one web browser, with no way to extract the password for putting in your other web browsers?

      This is just organizing a fresh set of security holes. It's not a solution. And it wouldn't have solved _this_ event which involves plain text passwords stored on the server side for millions of users.

    16. Re: Forcing strong passwords in the first place. by Anonymous Coward · · Score: 5, Informative

      1) LastPass

    17. Re:Forcing strong passwords in the first place. by BrokenHalo · · Score: 5, Insightful

      I would do likewise. The whole point of a password is that it should satisfy the criterion of "something you know".

      If you have so many passwords that you have to either write them down or store them in a password management system, then that criterion fails, because it's no longer something you know at all.

      Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.

    18. Re:Forcing strong passwords in the first place. by Curupira · · Score: 4, Interesting

      Please someone mod the parent up. An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

    19. Re:Forcing strong passwords in the first place. by hedwards · · Score: 3, Insightful

      It's impossible to clear this mess up without using the same password and log in for everything. Right now I have over 400 log ins in my database. I'm not sure how many of those are ones that I need to log into again, but that's a large enough number that even changing them on a regular basis is unlikely.

      Trying to unify that under the same log in that the sites get, is not something that's technically desirable. I'm not really sure how one can solve this problem form the server side, because you'd need 3rd party to access all of the passwords without the users' permission in order to know.

    20. Re:Forcing strong passwords in the first place. by hedwards · · Score: 2

      You'd be surprised, I run into a fair number of sites where you have to use alphanumeric characters and nothing else. I've also run into a fair number of sites where the validation algorithm doesn't work so it will accept passwords that you can't use and just silently truncate or adjust them to whatever it takes without telling you what the new password is.

      Then there's the sites that require at least 12 characters and the ones that limit it at 8. Really, it's a mess and the people paying for these systems don't care about security beyond appearances.

    21. Re:Forcing strong passwords in the first place. by vux984 · · Score: 2

      The most important "layer of trust" to use your phrase is to ensure that your EMAIL has a strong password, and that it is not the same as anything else. Your email password is the weak link, thanks to the forgot-password-reset (or god forbid password recovery) functionality of most other online properties.

      And this raises a problem. Email is frequently used... so long pass phrases are inconvenient.

      And worse, we have it saved in our phones, and on our laptops, so we don't have to re-enter it every 5 minutes. So if we lose our device, we're hosed. I don't want to put in a long passphrase everytime i unlock my PC, I want to enter in a long passphrase to unlock my phone even less. So while I have a good password on my email, if my phone is stolen I'm potentially hosed.

      The more I think about it, password reset functionality by email is -inherently- a bad idea. We should almost really have a 2ndary "secure" email that we don't use except for managing password changes etc. The problem with that of course is that no systems support having a separate email just for password recovery, so if you set one up you'd miss all the other mail from the site that you would presumably want to receive.

    22. Re:Forcing strong passwords in the first place. by Anonymous Coward · · Score: 2, Insightful

      It would be hellish if every website started doing that. I'd have to recover my password every time I try to log in somewhere, or keep a big document of passwords (which is worse).

      I have one website that I do exactly that with. They have such stupidly complex password for absolutely no reason (to get software updates for a product that requires a license server to run) that I refuse to participate. Their password requirements are even more complex than the Intel developer passwords - something I didn't think was even possible. So when I need to go login, I just reset my password and bypass their password system altogether. Just for fun, I even sent them email and told them that is what I do - but got no response.

      Hell, why am I even hiding their name? It is Synopsys.

      At the moment I have 6 different passwords (8-10 char) in total, but they're mostly variations of the same base. Anything more complex than that and I would lose track.

      I have a few variations on a few bases. I have an ultra-low security password (for forums like slashdot and others), a mid-security base and a high security base. Then I have a few unique passwords that I use for one and only one purpose (one of them being my PGP key).

              Marc

    23. Re:Forcing strong passwords in the first place. by bbelt16ag · · Score: 2

      those are keys not passwords.

      --
      NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
    24. Re:Forcing strong passwords in the first place. by dinfinity · · Score: 2

      That is why you use LastPass generated passwords for the millions of accounts you don't really give a fuck about and can ultimately always access through password reset mechanisms. This allows you to focus on creating and remembering unique passwords that you know for truly important accounts, such as emailaccounts and banking accounts.

      The alternative of using a single throwaway password for all those crap accounts instead of LastPass 'tokens' will inevitably lead to using a terribly weak password due to differing password restrictions on different websites and still allows all the accounts in the crap zone to be compromised by a hack of one of them.

    25. Re:Forcing strong passwords in the first place. by Octorian · · Score: 4, Informative

      KeePass and all its related implementations (KeePassX, etc, etc.).
      This is the only family of password management apps I've found that both share a common database format, and have functional implementations even if your platform-of-the-moment isn't "hip enough" for a more polished solution to care about supporting.

    26. Re:Forcing strong passwords in the first place. by Kal+Zekdor · · Score: 2

      Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.

      I do something rather similar. At any given time I've memorized 4 distinct passwords. In descending order of complexity, they are: my email password (as a compromised email account makes it trivial to reset or access any other password, this is the most secure. I actually use a 20+ character "pass phrase" for this.), a "High" security password, for things like banks, paypal, amazon, basically anything that if compromised can cost me money, a "Medium" security password, for accounts that are important to me, but wouldn't be a huge deal if they were compromised, slashdot would fall in this category, and finally, a "Low" security password, for accounts that I don't care about, or only expect to use once and then forget about.

      Because I layer my passwords like this, it's rarely a big deal even if some site leaks my password and email address. Even if a Low security site has a breach, the usual targets (email and High security sites) are insulated from the risk, so I just change the password at that site and am done with it. High security sites usually have better track records, but if there is a leak, the password group is small enough for me to be able to change them all immediately.

      It works pretty well for me. Sourceforge.net leaked my email/password a number of years ago, and I noticed some (failed) unauthorized attempts to login to my email and paypal accounts shortly afterwards. Even if you don't want to go so far as to memorize 4 passwords at any one time, I highly recommend that you at least keep a separate password solely for your email account.

    27. Re:Forcing strong passwords in the first place. by theshowmecanuck · · Score: 2

      Sure, and I have only one device that I ever use, so that keychain program works great. And hell, a keychain program is better than writing them all down since it writes them down for you! I would be willing to bet that if sites forced you to have a unique password for each place, people would use less sites. If you make things hard to use, people won't use them.

      --
      -- I ignore anonymous replies to my comments and postings.
    28. Re:Forcing strong passwords in the first place. by bblough · · Score: 2

      1) I don't use a single program, I use a single format. I use different programs per platform, but all of them use Password Safe compatible databases. Sync is done via an encrypted cloud storage service.

      2) Admittedly, this is a potential issue, but in my opinion there are two problems with this point. First, you trivialize it by saying "all you have to do is crack the keychain." With a strong enough passphrase that will not be easy at all. Second, you're changing the threat model under discussion. A compromised website with re-used passwords is one thing, someone coming directly after your locally stored data (e.g., your keychain) is another. In the first model, the attacker will not have access to your keyring, and therefore has no chance of cracking it. In the second model, if you're the direct target, precautions probably aren't going to matter.

      3) Backups. The same encrypted storage service that handles my sync keeps automatic, versioned backups.

    29. Re:Forcing strong passwords in the first place. by Jessified · · Score: 3, Insightful

      Furthermore, policies that require constant password changes encourage people to use the same password with an incrementally changing number.

      I use strong and varied passwords for important services (email, banking etc) and shitty repeated passwords for every stupid forum that wants me to sign up to participate.

    30. Re:Forcing strong passwords in the first place. by caitriona81 · · Score: 2

      1. Lastpass works across all the platforms you've named, and has it's own sync. Keepass works across all of them, and only needs some form of file sync (eg Dropbox). Firefox sync will get you 4 of the 5 (all except iOS).
      2. Virtually all of the circumstances that allow someone to attack the keychain program also tend to permit the undetected installation of a physical or software keylogger. The attacker may not compromise your less frequently used accounts as quickly, but they will have everything you use on a daily basis. (Further, accounts you don't use on a daily basis may be forgotten about, a side benefit of a password manager is a checklist of what needs changed in the event of compromise.)
      3. Backup processes apply to password managers, as do password reset processes, and use of a password manager does not preclude use of memorable passphrases for particular accounts, particularly for things like email accounts. Right now, I use passphrases + token codes for email, banking, and my password manager itself, passphrases stored in a password manager for accounts that I have to be able to retype the password (facebook, etc), and completely random passwords at the complexity limit of whatever site I'm registering for if I'm not having to sign on to them from any of my devices (random web forums, etc)., and a shorter, more "traditional" 8 character password for my desktop, where a brute force attack is more likely to be carried out by hand than against the password hash., and ease of typing (muscle memory) is desired.

    31. Re:Forcing strong passwords in the first place. by Helix_Sky · · Score: 2

      An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

      It is still "something you know". You have to know your LastPass password. Saying it is "something you have" is like saying needing a browser to access my bank site is needing "something you have". If I have access to the internet then I have access to LastPass.

      As for your corrupted db problem, you can make offline backups of your LastPass db

    32. Re:Forcing strong passwords in the first place. by smittyoneeach · · Score: 2

      If you do a pattern somewhere on the keyboard with alternate raising/lowering of the SHIFT key, you can balance all but the most asinine password regimes with the capacity to remember them.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    33. Re:Forcing strong passwords in the first place. by Tool+Man · · Score: 2

      Please someone mod the parent up. An overcomplicated password that need password management software ceased to be a password ("something you know") and were turned into a token ("something you have"). If your Lastpass DB is corrupted, goodbye passwords.

      As well, you can export your LastPass data to another file, say one that you keep on your encrypted backups. No need to slag a very useful tool for nonsense reasons. (disclosure: premium subscriber here)

  2. 3rd party box by Frankie70 · · Score: 2

    Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'

    Since the audit entries are being created by the box running the application, it obviously has write access to the 3rd party box. So whoever has access to the application box has access to write (and hence alter) the 3rd party box.

  3. Passwords are unfixable by Anonymous Coward · · Score: 2, Interesting

    You can tack on more mitigation, but in the end it's the concept that's flawed, not the implementation.

  4. how about store your passwords properly? by Trepidity · · Score: 5, Insightful

    it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit

    It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt (or the related bcrypt). That way even if the password db is compromised, the plaintext passwords aren't, and the attacker cannot use the result to get into other services, even if users shared passwords across services.

    It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now. Password reuse is a much smaller problem if websites are designed properly. So rather than "as an industry" attempting to change user behavior, how about "as an industry" implement your damn sites properly, and audit that.

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    1. Re:how about store your passwords properly? by Trepidity · · Score: 3, Informative

      Replying to self: It looks like LivingSocial actually has switched to bcrypt now. But not early enough!

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    2. Re:how about store your passwords properly? by niftydude · · Score: 2

      It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt (or the related bcrypt).

      It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now.

      Yes! I can't believe there are websites out there that still don't hash passwords.

      A few months ago I signed up to the website of a large health insurance provider, and they sent me an email confirmation of my account creation that included my website password in plaintext. Unbelievable.

      Who writes this stuff? And who hires these people?

      --
      You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
  5. You just made it easier for cracking. by mjuarez · · Score: 3, Informative

    So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?

    1. Re:You just made it easier for cracking. by gl4ss · · Score: 2

      So, what happens when that central framework/infrastructure is cracked? Now, all cracking attempts will redirect to that single point, and when (not if) it's breached, they'll now have access to ALL websites that are signed up to use that. How is that better?

      that you have to just use one complex password at one place and have to change it just at one place.

      however the author is a dumb fuck who apparently hasn't heard of any of the SSO services...

      --
      world was created 5 seconds before this post as it is.
  6. Or, alternatively... by neokushan · · Score: 3, Insightful

    If you're security conscious enough to put this fancy bit of JSON on your site, then most likely you're smart enough to not store your user's passwords in plaintext. In fact, I'd like to think you're clever enough to salt the hash of the passwords that you're storing as well.

    Why am I pointing this out? Because password re-use is an issue when a password gets compromised. Passwords get compromised when they're not encrypted or hashed. So to "fix" the problem like this is all well and dandy, but it only works if every site does it and if every site hashed the bloody passwords in the first place, they wouldn't get compromised as often.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  7. one key to rule... by Anonymous Coward · · Score: 2, Interesting

    Or we could just use GPG authentication, where a user simply uploads his public key to the site. User's happy, because s/he can use the same passphrase everywhere and the site is also secure because even a hack won't divulge any passwords. Separate (key-less) password could still be optional.

  8. Too many damn passwords by seeker_1us · · Score: 3, Interesting

    If you have too many different username/passwords you will not be able to keep them straight. This is what OpenID was supposed to solve. One can flip the argument around very easily: if there were fewer sites maintaining their own password databases, then there would be fewer breaches.

    And that does NOT mean using OpenID for everything including financial accounts.

  9. Still a issue that Devs won't acknowledge by Quick+Reply · · Score: 4, Interesting

    The thought process of a developer is that it is usually a user problem, and therefore it is the user that needs fixing, not the user.

    The cold reality is that using passwords at all is the problem.

    Passwords are an antiquated solution to a simple problem from the very start of multi-user computing. It is simple but exponentially ineffective as it scales.

    The human mind is not set up to remember multiple, complex passwords. There are very few humans who are gifted with this ability to remember literally hundreds of different passwords without writing it down, I would put someone who can in the realm of an academic genius who can remember entire textbooks or recite Pi for hours before they eventually have to take a break for physical reasons.

    Normal people write it down or keep it to a narrow set of passwords depending on which level of complexity the system will allow. Both bad security practice.

    And passwords that expire every 45 days with annoying complexity requirments? You're going to drive users nuts trying to think of new ones each time that eventually they will come up with the simplist password the system will allow and increment by 1 each time they have to change eg: Password1, Password2, Password3, etc.

    There are hacks out there, eg: KeePass and LastPass, but this is a workaround to the underlying problem. The websites that Force you to use Facebook are even worse (as they force you to handover all your personal details while you are at it, which just as easily can be used for identity fraud. Many Banks, Telcos etc. only authenticate with your DOB). OpenID is better but the implementation makes it common to sign in from the website your are trying to access, making it susceptible to being spoofed.

    Realistically, we need to kill the password. Two factor authentication all the way. It needs ONE trust relationship between the user and the authenticator. This could be a user ID and a token. The authenticator can have then multiple trust relationships with participating websites.

    The authenticator should only provide two data points: (1) The user ID of that website (different ID to other websites so that the user can be tracked with the same ID across websites) and (2) That the user has authenticated themselves. Thats it. Most websites don't need to know your name, DOB, Vanity username, email address or anything else about you. If they need this, ask - but only if actually required - and give the user a clear option to decline or provide only partial data.

    The only thing that most websites or other computer systems need is a way to tell which user profile to load up, and that the user requesting it is really the same user. A password does not prove that,

    1. Re: Still a issue that Devs won't acknowledge by Quick+Reply · · Score: 2

      Then how come you are posting as VertexCortex and not Anonymous coward, still needs to be a mechanism to make sure you are VertexCortex. Ideally you should be able go hit "Login" on your browser, and your browser automatically logs you in for you while using two factor in the background (once you have already two-factored with your browser when you sat down) so Slashdot knows 1. You are VertexCortex (to load your preferences and posting abilities as your name) and 2. You have proven yourself (It doesn't need to know how, it just needs to kniw that you have)

  10. nightmare by stenvar · · Score: 2

    'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events.

    That sounds like a security and privacy nightmare.

    but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed.

    Perhaps users just don't give a f*ck whether their account on some third rate e-commerce marketing site gets compromised?

    If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.

    1. Re:nightmare by vtcodger · · Score: 3, Interesting

      If I were to create an account on LivingSocial, it would get my "disposable" password, the password for accounts I just don't care about at all. Only gradually do accounts and services migrate into the category where I bother remembering a specific and hard password for them.

      That's rational.

      Frankly, most password security "thinking" seems to me demented. There is no way I or most anyone else could possibly keep track of hundreds of different strong passwords with arbitrary characters, random case, etc without writing them down. And maybe not then.

      And there is no practical way that I could secure that password list.

      Neither is it likely that information providers can secure password information -- strong, weak or non-existent -- on their end. That's why massive password breaches are a daily event.

      Bluntly, the industry's attempts at security can't and don't provide much security and are more a massive usability problem than anything else. How is "user education" supposed to overcome faulty engineering?

      Look folks, the method you want to use to secure stuff simply doesn't work very well. Never has. Never will. Forget about "educating" users, and start thinking seriously about how to secure stuff, and whether most of what you are trying to "secure" actually needs securing. Maybe in decade or three you'll come up with something that works.

      In the meantime. Get real.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  11. Don't brush your problem off on the user by Opportunist · · Score: 4, Insightful

    I see it very often in audits, company security is facing the same problem: How to secure the network? The easy way out: The user has to do it. He has to come up with a password that fulfills the most inane requirements AND must remember it AND must not note it down.

    That's the easy way out. All the burden is shifted to the user.

    I consider it extremely patronizing if they then go, after a breach, that they tried to "educate" the user but failed. Well, DUH. Guess what. It's not the user's job to keep your database secure. It is his job to make sure his credentials don't get handed over to a third party, yes. But it is YOUR job to make it possible to him. And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.

    Don't try to shift a problem that YOU have to solve onto your users!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Don't brush your problem off on the user by Intrepid+imaginaut · · Score: 2, Funny

      And it is NOT possible for the average human being to remember passwords in the style of k$aUZ_nR2o.

      Obligatory XKCD: http://xkcd.com/936/

  12. Keep clear text passwords on the client by Ottibus · · Score: 2

    Putting your password in an e-mail during the registration process doesn't mean they store it in plain text in their database.

    But it does mean that they send the password in clear text rather than hashing it on the client.

    Clear text passwords should never be sent over the Internet, even over secure channels.

  13. Forget passwords, worry about "Secret Questions" by Ottibus · · Score: 5, Insightful

    All this concern over passwords is ignoring the much greater problem of so-called "Secret Questions". This is a mechanisms that positively encourages people to use the same security information on every site they visit and to give answers that can easily be guessed by other people.

    How many sites hash the answers to these questions so that they can't be re-used by a hacked who breaches the site (or a corrupt employee)?

    How many users take care to give a different wrong answer to these "Secret Questions" every time?

    The complexity and variablility of the password reset process can make this mechanism less susceptible to automated attack, but if you want to attack a specific account of a known person this is a much better route that trying to crack the password.

  14. Educate the users, Avoiding reuse is easy by 140Mandak262Jamuna · · Score: 2
    1. It is in the best interests of the users to use different passwords for different sites. Simplest thing to do is to use a 8 char string as the base password and append, prepend or insert a three char string based on the web site name into it. Each site has its own password, but it would not be easy to use a compromised password at other sites. It is in the best interests of the users to do it. For sites security is just cost, they do the minimum. Rotate the base password once a year or so.

    2. We should ask the more important accounts like brokerage, mutual fund, bank accounts to use a two factor authentication system. But I don't want to juggle too many RSA key fobs. I like google sending a six digit code to the designated cell phone. Google also lets you set up 10 one time pad numbers ahead of time to handle the case when the cell phone cant get texts. As a first step if they would just send me text or an email for each login event and each transaction that would reduce fraud.

    3. What really bugs me is, in this day and age of social network where people are posting details of their breakfast lunch and dinner for the whole world to see, even banks use "maiden name of mother" "name of your pet" or "where you went for honeymoon" to reset passwords. That is insane. So I used to give non intuitive answers like "nissan sentra" as the mothers maiden name. But it is so difficult to remember what stupid answer I gave to which site. That is my biggest beef with these security questions.

    4. No I did not switch my username and password edit boxes when I signed up for slashdot. Friends recognize the dorm addresses, rest of alumna recognize the dorm names.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Educate the users, Avoiding reuse is easy by 140Mandak262Jamuna · · Score: 2

      My problem with such hasher is that, I did not write it. I am not trusting all my passwords to some binary blob. How do I know the add-on/extension/app is not phoning home all my passwords to some chinese hackers? That is why I use my own brain to do the hashing and salting. I am not so paranoid about passwords to minor accounts like slashot or app dev. Even medium level accounts like amazon or gmail is ok. But each my bank/brokerage account gets a personalized password that is not written down, not generated by an app, extension or add-on, not saved by the browser. Unless I can avoid it, I log into these accounts from exactly two computers. One from work (out of the four I use at work) and one from home (out of the seven internet devices at home network).

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  15. Low and High Security by AndyCanfield · · Score: 2
    I have a low-security password that I use for Slashdot and most web sites. I have a very high-security password that I use with my bank (it depends on a number that has not been written down anywhere for fifty years). The idea of needing a unique password for every web site is rediculous. What do I care if yahoo.com is hacked and somebody logs in to Slashdot as me? Impersonation is not a serious problem.

    (Result: I can not guarantee that I wrote this message. So what.)

  16. Wrong approach in use. Secrets should be local by Morgaine · · Score: 4, Interesting

    The sites that are calling for better password choice need to step back a bit and consider whether their design concept of storing user passwords centrally is a good one. It's not, so they should get rid of it instead of applying band aids to a bad scheme.

    It doesn't matter what encryption scheme is used, if authentication secrets are stored centrally on a website then they are at risk. Good sites make it hard to crack, and poor sites make it easy, but they are all at risk, from internal employee corruption if nothing else. Those secrets will leak because when stored at a single point then they are all accessible to the attacker at a single point. Leakage is just a matter of time.

    A vastly more secure approach that's been well known for decades is for the user to store their secret locally as a private key, one half of a {private,public} key pair. The server only gets to know the public key (PK), and it's pointless for an attacker to crack that because the PK is public information that can be distributed freely through keyservers. (The PGP/GnuPG keyserver network has been doing this for decades.)

    When a user creates an account on some website, she provides the identifier of her chosen PK (she may have lots of them). When logging in to the account subsequently, the server looks up her PK identifier in the info for this account, fetches her PK from the keyservers, then it sends her a random string encrypted with her PK. She decrypts it with her private key (which is only held locally by the user, nowhere else) and sends the decrypted string back. The server accepts the login if the returned string matches the random string that it picked, which is not stored and varies on every login, and rejects the fraudulent login attempt if the match failed.

    That's strong distributed security, and it's resistant to MITM attacks and does not store any authentication secrets on the central service so those secrets cannot leak when the service is compromised.

    It's not rocket science. Why this old but secure scheme isn't used by websites is quite a mystery.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  17. Completely missing the point by swillden · · Score: 4, Interesting

    The problem isn't that users use the same password on every site. The problem is that users have to create login credentials for every site they use.

    That multiplication of logins is extremely inconvenient for users, and it's simply not practical for people to create good, unique credentials for every site and memorize them all. So people who care a lot about security are are willing to put in the effort (read: anal geeks) use encrypted password stores and such. Everyone else (read: 99+%) uses the same password or small set of passwords on all sites.

    What's really stupid is that we have already solved this problem, and in a much better way then Jen Andre proposes. The solution is single-sign-on. Delegate account management and authentication to a trusted third party (TTP). Even better, allow many organizations to act in this role. Best of all, allow users to choose which TTP they want to use, or even to act as their own.

    We've already built this. It's called OAUTH. Moreover, there are already a bunch of high-profile OAUTH implementors acting as TTPs -- and nearly all Internet users already have an account with at least one of them (e.g. Google, Facebook, Yahoo, Microsoft). For that matter, there are a number of sites already taking advantage of it to provide nearly zero-effort login (for example, stackoverflow is one that many slashdotters may use).

    The common security objection to this approach -- that centralizing your authentication in a single account creates a single point of failure for your security -- ignores the fact that your web security already has a single point of failure, even if you use unique, strong passwords for every site you visit. That SPOF is your e-mail account, because essentially all web sites use the ability to receive e-mail as the golden key that bypasses all of their other security mechanisms.

    But, with OAUTH you still have the ability to use different providers, and even to set up your own on a server you control if you like. You can choose the tradeoff between centralization and decentralization you like. No relying site will ever see any of your credentials. You can also pick a provider based on the level and type of authentication security they provide. Personally, I'm very happy with Google's two-factor authentication -- but OAUTH imposes no restrictions. Want certificate plus one-time-password plus fingerprint plus retina scan plus 100-word passepic? Fine. Find (or build) a provider that does that. Want nothing at all? You can have that, too.

    And whatever you choose, none of the relying sites will ever have any of your credentials. Which means creators of those sites can't screw up storing your credentials.

    The only thing that's required to make all of this work, for real, everywhere, is for sites to offer OAUTH authentication. It's easy, it's super convenient for users, it's as secure as the provider.

    Some sites might choose to limit the providers they'll accept, on the theory that users can't be trusted to choose a good one. That's annoying and obnoxious, but whatever. Some sites (like banks) might decide that they simply have to do their security themselves because they can't trust anyone else, and They Are A Bank. Okay, fine, though such sites should be a tiny minority (and, frankly, as someone who worked as a banking security consultant for over a decade, and now works for Google doing security, Google -- and, I would expect, the other major Internet properties -- do a far, far better job at online security than virtually any bank).

    The solution is to make OAUTH the default, expected login mechanism all over the web. It provides dead-simple, reasonably high security authorization for the masses and allows the paranoid to build/buy whatever they want.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Completely missing the point by swillden · · Score: 2

      OAUTH could have been nice, but Google, Facebook, etc. just see it as an opportunity for more data gathering.

      If Google et al cared more about security than violating my privacy they would support a single sign standard on that didn't enable the correlation of user activity across sites.

      This will never happen.

      Did you not read my post?

      If you don't want to use Google as your OAUTH provider, don't! Pick a different one. If you want one that guarantees not to violate your privacy, find one that makes that guarantee. Don't trust guarantees? Fine... run your own OAUTH provider. It's as simple as setting up a server and installing some software.

      As for your theoretical single sign-on standard that doesn't enable the correlation of user activity across sites, by all means please tell us how such a thing would work. Keep in mind that the authentication must be portable, that I should be able to authenticate on a friend's computer roughly as easily as I can on my own, and that complex key management schemes are barely usable by geeks and completely unusable by everyone else.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  18. The thing is ... by MacTO · · Score: 3, Interesting

    I have numerous accounts for everything from forums to banking. Some are clearly important, while others are not important. The important accounts get the strong passwords, passwords that aren't reused (even in terms of a significant modification). The unimportant accounts have reused passwords, with the only real rule being that the password is different from accounts that may somehow be correlated (e.g. through their authentication mechanism or username).

    The problem with preventing reuse is (a) every service thinks that they are the most important thing since the creation of the universe and (b) strong, non-repeated passwords have their own inherent insecurities.

    By inherent insecurities I mean things like people recording their passwords. Written records and unencrypted electronic records can be read by anyone. These digital key managers secure all passwords with a single password, may they be locally hosted or remotely hosted. Records of any form run the risk of tying all accounts together rather than keeping them separate. Even those who memorize their passwords run the risk of entering the password for service A into service B.

    Of course the people who think about security usually think about the things that they can control, which is the combination of bits. They rarely seem to address the psychology of the people using their mechanisms (outside of complaining or making unrealistic demands). If they want to create secure systems they need to apply human psychology, and recognize that security is often being applied where it is unimportant.

  19. Re:Solution is simple by notanalien_justgreen · · Score: 2

    great, so now we have to remember both a username AND password? That'll make this whole thing even worse! Even worse, if my login is taken on one website then every website has a different log in (and password likely). So now I'm remembering 2xN pieces of information instead of just N.

  20. See if you can hack the user by halcyon1234 · · Score: 2

    Welcome to Joe Schmoe's website. Please create your account.
    Username: halcyon1234@example.com
    Password:12345
    Checking...
    Server-side...
    IF EmailLoginChecker.TryLogInToMailSystem("example.com", "halcyon1234", "12345") THEN
    Error = "You're using the same password as your email address. We're mitigating that risk. Idiot."
    ELSE RegisterUser();
    END IF

    --
    UTF-8: There and Back Again