Slashdot Mirror


Mitigating Password Re-Use From the Other End

An anonymous reader writes "Jen Andre, software engineer and co-founder of Threat Stack, writes about the problem of password breaches in the wake of the LivingSocial hack. She notes that the problem here is longstanding — it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit. We've tried education, and it's failed. Andre suggests a different approach: building out better auditing infrastructure. 'We, as an industry, need a standard for auditing that allows us to reliably track and record authentication events. Since authentication events are relatively similar across any application, I think this could be accomplished easily with a simple JSON-based common protocol and webhooks. ... [It] could even be a hosted service that learns based on my login behaviors and only alerts me when it thinks a login entry is suspicious — kind of how Gmail will alert if I am logging in from a strange location. Because these audit entries are stored on a third-party box, if a certain web application is compromised, it won't have access to alter its audit log history since it lives somewhere else.'"

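The following is an added example, not code from Slashdot, Jen Andre or Threat Stack, sketching what the proposal in the summary could look like in practice: a small JSON authentication-event format, HMAC-signed webhook delivery to a remote append-only store, and a behaviour-based check that flags a login from a network or client the user has never used before (or one preceded by a burst of failures). The field names, the signed envelope, the "/24 network" heuristic and all sample traffic are assumptions constructed for illustration.

```python
"""JSON authentication-event audit log with HMAC-signed webhook delivery.

Added example, not code from Slashdot, Jen Andre or Threat Stack. The event
fields, the signed envelope and the "new network / new user agent / failure
burst" heuristic are assumptions made to illustrate the proposal above.
"""
import hashlib
import hmac
import ipaddress
import json

# Assumed shared secret between the web application and the remote audit store.
WEBHOOK_SECRET = b"constructed-demo-secret"


def make_event(site, user, outcome, ip, user_agent, ts):
    """One authentication event; outcome is "success" or "failure"."""
    return {"version": 1, "site": site, "user": user, "event": "auth." + outcome,
            "ip": ip, "user_agent": user_agent, "ts": ts}


def canonical(event):
    """Deterministic JSON so sender and receiver MAC identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event, secret=WEBHOOK_SECRET):
    """Webhook envelope: body plus an HMAC-SHA256 the audit store can verify."""
    sig = hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()
    return {"body": event, "signature": sig}


def verify_envelope(envelope, secret=WEBHOOK_SECRET):
    expected = hmac.new(secret, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["signature"])


class AuditStore:
    """Append-only history kept off the application's own box."""

    def __init__(self, secret=WEBHOOK_SECRET):
        self.secret = secret
        self.log = []

    def receive(self, envelope):
        """Webhook receiver: drop forged or altered events, else score and append."""
        if not verify_envelope(envelope, self.secret):
            return ["bad_signature"]
        event = envelope["body"]
        reasons = self.suspicious(event)
        self.log.append(event)
        return reasons

    def suspicious(self, event):
        """Compare a login with what this user has done before (IPv4 sample data)."""
        user = event["user"]
        hist = [e for e in self.log if e["user"] == user and e["event"] == "auth.success"]
        if not hist:
            return []  # nothing learned yet, so nothing to alert on

        def net(ip):
            return ipaddress.ip_network(ip + "/24", strict=False)

        reasons = []
        if net(event["ip"]) not in {net(e["ip"]) for e in hist}:
            reasons.append("new_network")
        if event["user_agent"] not in {e["user_agent"] for e in hist}:
            reasons.append("new_user_agent")
        if event["event"] == "auth.success":
            fails = [e for e in self.log if e["user"] == user and e["event"] == "auth.failure"
                     and 0 <= event["ts"] - e["ts"] < 600]
            if len(fails) >= 5:
                reasons.append("failures_before_success")
        return reasons


def demo():
    """Constructed traffic: a week of routine logins, then a stuffing attempt."""
    store = AuditStore()
    base, day = 1_367_000_000, 86_400  # constructed epoch timestamps
    home, ua = "198.51.100.23", "Mozilla/5.0 (Macintosh)"
    for d in range(7):
        store.receive(sign_event(make_event("example.com", "alice", "success", home, ua, base + d * day)))
    routine = store.receive(sign_event(make_event("example.com", "alice", "success", "198.51.100.40", ua, base + 7 * day)))
    t = base + 7 * day + 100
    for i in range(5):
        store.receive(sign_event(make_event("example.com", "alice", "failure", "203.0.113.9", "curl/7.29", t + i)))
    stuffed = store.receive(sign_event(make_event("example.com", "alice", "success", "203.0.113.9", "curl/7.29", t + 10)))
    env = sign_event(make_event("example.com", "alice", "success", "203.0.113.9", "curl/7.29", t + 20))
    env["body"]["ip"] = home  # a compromised app tries to rewrite the record in flight
    tampered = store.receive(env)
    return routine, stuffed, tampered
```

Running `demo()` gives an empty reason list for the routine login from the same home network, three reasons for the stuffing-style login, and `bad_signature` for the envelope whose body was altered after signing; the last case is the point of the remote store, since the application cannot quietly rewrite what it already sent.
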
8 of 211 comments

  1. how about store your passwords properly? by Trepidity · · Score: 5, Insightful

    it's easy for LivingSocial to force password resets, but impossible to get users to create different passwords for each site they visit

    It also ought to be easy for LivingSocial to store passwords hashed with a secure hash designed for passwords, like scrypt (or the related bcrypt). That way even if the password db is compromised, the plaintext passwords aren't, and the attacker cannot use the result to get into other services, even if users shared passwords across services.

    It's easy to blame users, but there has been no excuse for storing plaintext passwords for years now. Password reuse is a much smaller problem if websites are designed properly. So rather than "as an industry" attempting to change user behavior, how about "as an industry" implement your damn sites properly, and audit that.

  2. Re:Forcing strong passwords in the first place. by war4peace · · Score: 5, Insightful

    LastPass used to scream at me when I was doing that, so I disabled that functionality.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  3. Re:Forcing strong passwords in the first place. by adolf · · Score: 5, Insightful

    How does using a strong password prevent password re-use?

    It doesn't. I believe it may even encourage re-use.

  4. Re:Forcing strong passwords in the first place. by leaen · · Score: 5, Funny

    My passwords all come in the following variations

    yyyyyy
    xxxxxxxxxx
    Xxxxxxxxxx
    Xxxxxxxxxx1
    Xxxxxxxxxx_1

    You missed one of the variations. I tried them all but I cannot log in.

  5. Re:Forcing strong passwords in the first place. by T-Bone-T · · Score: 5, Interesting

    +5? The only way to keep a website from getting hacked is by not connecting it to the internet in the first place. Effort should certainly be put into making it difficult to hack but also making it difficult to gain anything valuable when you are hacked.

  6. Forget passwords, worry about "Secret Questions" by Ottibus · · Score: 5, Insightful

    All this concern over passwords is ignoring the much greater problem of so-called "Secret Questions". This is a mechanism that positively encourages people to use the same security information on every site they visit and to give answers that can easily be guessed by other people.

    How many sites hash the answers to these questions so that they can't be re-used by a hacker who breaches the site (or a corrupt employee)?

    How many users take care to give a different wrong answer to these "Secret Questions" every time?

    The complexity and variability of the password reset process can make this mechanism less susceptible to automated attack, but if you want to attack a specific account of a known person this is a much better route than trying to crack the password.

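Comment 1 (Trepidity) asks for passwords to be stored with a password hash such as scrypt, and comment 6 (Ottibus) asks the same of secret-question answers. The block below is an added example serving both comments; it is not LivingSocial's code or anyone's production code. It uses `hashlib.scrypt` from the Python standard library (CPython 3.6+ built against OpenSSL 1.1+) with a fresh random salt per record, folds case and whitespace in secret-question answers before hashing so a typed variant still matches, and keeps an unsalted SHA-1 digest only as the weak form for contrast. The work-factor parameters and the `scrypt$N$r$p$salt$key` record layout are illustrative assumptions.

```python
"""Salted scrypt hashing for passwords and for secret-question answers.

Added example; not LivingSocial's or anyone's production code. It uses
hashlib.scrypt (CPython 3.6+ with OpenSSL 1.1+); the work-factor parameters
and the record format "scrypt$N$r$p$salt$key" are illustrative assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

# Assumed tuning: N=2**14, r=8, p=1 costs roughly 16 MiB of RAM per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(secret: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=n, r=r, p=p, dklen=32,
                          maxmem=64 * 1024 * 1024)


def hash_secret(secret: str) -> str:
    """Fresh random salt per record, so equal secrets give unrelated records."""
    salt = os.urandom(16)
    key = _scrypt(secret.encode(), salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_secret(secret: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        key = _scrypt(secret.encode(), bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:  # malformed record, bad hex, or unsupported parameters
        return False


def normalize_answer(answer: str) -> str:
    """Secret-question answers are low entropy and typed inconsistently:
    fold case and whitespace before hashing so "  Fluffy " matches "fluffy"."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str) -> str:
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, record: str) -> bool:
    return verify_secret(normalize_answer(answer), record)


def unsalted_digest(secret: str) -> str:
    """The weak form, for contrast: identical across users and sites, so one
    leaked table shows who shares a secret and is cracked once for everyone."""
    return hashlib.sha1(secret.encode()).hexdigest()


def leaked_table_shows_sharing(records) -> bool:
    """What a thief can read off a stolen table by inspection alone: with
    unsalted digests, duplicates expose shared secrets; with salted scrypt
    records, the same secret never produces the same row."""
    keys = [rec.split("$")[-1] for rec in records]
    return len(set(keys)) != len(keys)
```

Two users (or the same user on two sites) with the same password produce records that differ in every byte after the parameters, so a stolen table does not even reveal who reused what, let alone the plaintext; the normalized answer hashing gives secret questions the same protection while still tolerating a stray space or capital letter.
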
  7. Re: Forcing strong passwords in the first place. by Anonymous Coward · · Score: 5, Informative

    1) LastPass

  8. Re:Forcing strong passwords in the first place. by BrokenHalo · · Score: 5, Insightful

    I would do likewise. The whole point of a password is that it should satisfy the criterion of "something you know".

    If you have so many passwords that you have to either write them down or store them in a password management system, then that criterion fails, because it's no longer something you know at all.

    Whereas if you use good passwords to start with, and keep layers of trust between different systems (i.e. don't use the same password for your bank as you do for Twatter), then you will not be 100% secure, but at least you have a hope of keeping some control to yourself.