Top E-commerce Sites Fail To Protect Users From Stupid Passwords
Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'"
xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.
Funny, I got my password from xkcd. UNCRACKABLE
Gamingmuseum.com: Give your 3D accelerator a rest.
Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:
"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"
From pointing the gun at their face.
Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.
It is a miracle that curiosity survives formal education. - Einstein
It's a lot harder to actually steal money online than people think.
never bring a twinkie to a food fight.
Users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.
Vendor of X does a study showing that people would be safer using X.
I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.
https://www.youtube.com/watch?v=jQ7DBG3ISRY
"With patience a ruler may be persuaded, and a soft tongue will break a bone."
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]
I love how the submitter headed us off.
I hope this is sarcasm.
Length is important because the longer the length the harder it is to brute force.
I like how you say that, like somehow storing the password encrypted would be significantly better. All storing the passwords encrypted does is change the challenge from "steal lots of passwords" to "steal lots+1 passwords".
Sigh. My obvious password detector, published in 1984:
The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.
Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.
(The code linked is the original version in pre-ANSI C. Yes, kiddies, that's what C code once looked like.)
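An added illustration of the triplet-statistics idea described in the post above (not the 1984 code): a candidate is rejected when too many of its letter trigrams also occur in a reference word list. The word list here is a small constructed stand-in for a real spelling dictionary; the length limits and the rejection threshold are assumed, configurable values.

```python
"""Trigram-statistics password screen, modelled on the technique described above."""
from collections import Counter

# Constructed stand-in for an English dictionary. In practice the trigram table
# would be built from a full word list such as the UNIX spelling dictionary.
REFERENCE_WORDS = [
    "password", "welcome", "letter", "dragon", "monkey", "master", "summer",
    "computer", "internet", "shadow", "sunshine", "football", "princess",
    "freedom", "secret", "access", "account", "number", "people", "window",
]


def trigram_table(words):
    """Count every lower-cased three-letter sequence in the reference words."""
    counts = Counter()
    for w in words:
        w = w.lower()
        for i in range(len(w) - 2):
            counts[w[i:i + 3]] += 1
    return counts


ENGLISH_TRIGRAMS = trigram_table(REFERENCE_WORDS)


def english_likeness(candidate, table=ENGLISH_TRIGRAMS):
    """Fraction of the candidate's trigrams that also appear in the table.

    Trigrams are taken over the whole string, so a digit in front of or after a
    word leaves most of its English trigrams intact, which is why such passwords
    still fail (as the post notes), while a digit in the middle breaks them up.
    """
    s = candidate.lower()
    grams = [s[i:i + 3] for i in range(len(s) - 2)]
    if not grams:
        return 0.0
    hits = sum(1 for g in grams if g in table)
    return hits / len(grams)


def is_obvious(candidate, min_len=8, max_len=64, threshold=0.5):
    """Return (rejected, reason).

    Rejects passwords outside the configured length range and passwords whose
    trigram statistics look like English. The threshold is an assumed value.
    """
    if not (min_len <= len(candidate) <= max_len):
        return True, "length must be %d-%d characters" % (min_len, max_len)
    score = english_likeness(candidate)
    if score >= threshold:
        return True, "looks like an English word (%.0f%% familiar trigrams)" % (100 * score)
    return False, "ok"
```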
2) A bunch of sites that have legitimate needs for passwords but do NOT need 'secure' passwords. Slashdot is a great example - we need to confirm who you are but if someone steals your Slashdot password it is not a big deal. So they use your identity to Praise Senator Cruz, and destroy your reputation, no big deal. Let people use 4 character passwords - just like for your ATM card.
3) Websites with a real need for secure passwords - 'primary' email accounts, credit card accounts, etc. They could easily use stream ciphers - little electronic devices that constantly update the password. You have 1 minute to enter the password before it changes. Or if you prefer anonymity for your email account a downloaded program that resides on the PC you use to establish the email account and to log in, you must use that PC (with a 'move my account' program that must be initiated from that PC). Of course that limits your functionality, but at least it gives you anonymity.
excitingthingstodo.blogspot.com
I've seen Bank of America (no longer know if this is true) specify "password must be between 8-16 characters."
Why would you set a ceiling - unless you are storing them in plain text...
My apologies if I'm wrong . . .
When you use the above merchants to pay, only the money is transferred and no re-usable billing information like credit card info is sent to the recipient of the funds. So when doing ecommerce you don't have to put your CC# everywhere on the internet then wonder why you've got credit card fraud.
In some cases you can set up or are forced to automatic authorization from PayPal, but you can revoke that immediately. PayPal really is the safest way to pay. No comment on the rest of PayPal's operations though (disputes and seizures).
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
My electric company recently (last year) changed out its billing system.
The new billing system required me to reset my password to be between 6 and 8 characters, letters and numbers only (but is at least case sensitive).
If I have been able to see further than others, it is because I bought a pair of binoculars.
Almost - it's gone to "steal lots of passwords - this (hopefully harder) one first."
I think the right strategy for websites which have to do user registration is to just provide the user with a random password of sufficient length as to be near impossible to type correctly, much less remember, and don't even provide the functionality for users to select their own. This almost insures that the password won't be used elsewhere, it enforces password quality, and it encourages the use of a good password manager.
I'm starting to have problems with differing rules at different sites.
I.e. one REQUIRES a special character. Another disallows special characters.
One has a maximum length of 8 (crazy short) while others have a minimum length of 8 characters.
And all of them won't let you reuse a recent password so if you can't remember the password, then your new password can't follow your own password rule set.
It's reached a point that now I have a sticky pad with coded passwords written down.
Netflix has been a pain because it's non-standard as a result of resets and you need to reenter the password on every device (and I'm up to five now).
So when I have to reset the password, I have to reset the password on all my devices. And on some the password screen only comes up when it checks the password- which isn't apparently every time you use the device. I guess they get a token that's good for a month or more.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
I use simple and easy for everything non-monetary related. For things like my bank I use very long and complex passwords that I have to write down in a book. If I ever lose this book I'm fucked.
The blurb has the wrong xkcd article, this is much better: http://xkcd.com/936/
Developers should protect the password from brute force cracking by putting a time delay after successive failed login attempts. It doesn't really matter how strong your password is, if the system allows unlimited login attempts then it's possible to crack using something like CloudCracker.
That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.
If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.
Be worried about that bank's security.
In addition to just listing their password requirements, sites could provide a link or bubble help to a method of creating a "good" password. I like:
1) Pick a short phrase (e.g., "See Spot run.") but that connects to the site to provide some mnemonic value (so "See Spot hurl." might be for your vet).
2) Do some simple letter to number, symbol or punctuation substitutions (e.g., "S33 Sp0+ hurl.").
3) If you wish, squish out the blanks between words (e.g., S33Sp0+hurl.).
So we now have an easy to remember, eleven character password that includes upper and lower case letters, numbers, a symbol and punctuation.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
A salted hash of the user's password is fine for authenticating the user to your own service. But it doesn't help when your service needs to authenticate to another service to perform actions on that user's behalf. Say a server running service A uses service B on behalf of users of service B. In order to do this, service A needs to store a credential for each user of service B. How should service A protect these credentials from an intruder?
My guess is that they're probably afraid of losing business to customers that would end up being frustrated trying to make up a password they'll remember that contains at least one uppercase letter, one number, one symbol, and is a minimum of a LONG 8 characters (long for the user, short for us IT techie guys).
In the end, to some degree, it probably has to do with (1) not recognizing, accepting, and implementing security and (2) fear of losing business. This especially matters with small businesses because most of them are too cheap / won't recognize, accept, and implement security / straight out don't give a ****.
Is your electric company ComEd? Their payment system does this. An 8 character limit is insane, but I suppose I don't mind if someone breaks in and pays my electric bill.
I mean, I run into websites that declared themselves so important that the password HAD to be complex [but] all the site had were software downloads.
Might it have been to keep an intruder from pretending to be you and redownloading the software you paid for? Or maybe I guess my mind got clouded by today's story about Steam...
How should a web site determine whether a given password is "notoriously weak"?
Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.
One site I manage uses the following, with a link to Wikipedia's page about password strength and xkcd's comic about passphrases: "Either 8 or more characters using at least one letter and one digit or a phrase of 16 or more characters using at least one letter, and not easy to guess"
I don't know how it's possible to "display a password meter" to users of NoScript.
Me: Additional Information: password "Must be between six and ten characters in length"
Why does Tesco have such a silly limit???? Please consider increasing the max length of the password!
I am sorry that you are unhappy with the length of password you can use to register on our website. I have now logged your comments on our Customer Feedback System under reference 13782619. This will ensure that it is fed back to the relevant team in our Head Office.
That was back in 2012
the notion of protecting people from themselves is fundamentally flawed.
Yet traffic deaths are at a sixty year low despite a quadrupling of the number of cars and drivers. When common sense safeguards, such as seat belts, were first proposed, the auto industry made the same argument you are using here: "Our customers are stupid, and deserve what they get."
We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.
There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probability) those credentials will not work on our site.
Yes, it's a little inconvenient for our users. We tell them to write down the password on a piece of paper and keep it in their wallet.
Apple, among many, many other services, says that after a certain number of failed attempts, your account is locked and you have to reset your password to regain access.
This seems stupid to me because if the password kept someone out after X failed attempts it must be strong enough. So why force a new one?
Experiment: force enough password resets on a user's account until they've run out of strong passwords, then use "password" to get in. Profit!
How is more death on the road necessarily "bad"? If Joe the Plumber crashed and was not wearing a seat belt, well, too bad for him. Why should the government try to protect people from themselves?
Let's think about this again... if you think there ought to be a law, there probably oughtn't.
More sites should fail to protect me from using a "stupid" 30-letter-or-whatever-long passphrase just because its algorithm thinks that it's "weak" because it doesn't have 2 numbers and two special characters (but only choose from these 3 specific special characters, because we don't know how to protect against sql injection otherwise!) Let me pick my own frelling password.
Ok, so it probably makes sense to specifically bar users from using completely butt-tarded passwords like "123" and "password", but only those specifically.
... job admission forms fail to protected candidates to burn themselves by bad grammar.
(thanks god Slashdot fails too, as some of you can easily note by my already traditional bad grammar)
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
The bank I used to be with before I recently switched upgraded their security a few months ago. Prior to the upgrade, they actually limited passwords to 10 characters maximum. Thankfully, both this bank after the security upgrade and my current bank don't have any such maximums and I can use a longer password. (and no, the security stuff wasn't why I switched, I switched because I moved to a new area where my old bank didn't have any branches)
Any web site that limits the maximum amount of characters in this way is stupid, as is any web site that makes passwords case-insensitive or doesn't allow numbers or symbols.
Actual security that will protect people from themselves costs a lot more than compensating the 2% of that 66% who actually get hacked. Person gets hacked for his own stupidity, company may or may not need to compensate the victim. Let's say this amount comes to $100 per 1,000 users as a high estimate pulled out of my ass. Company B uses real security, that somehow completely eliminates fraud, blocks users out after 3 wrong passwords, and requires really complex passwords. Users keep forgetting their passwords, support is now overwhelmed, company pays $400 per 1,000 customers on support.
Why should the government try to protect people from themselves ?
I wasn't saying the government should protect people from themselves. I was saying that the car industry should protect people from themselves. Most car safety improvements have NOT been the result of government regulation. They were the result of liability laws that made manufacturers responsible for the preventable deaths and injuries of people using their products.
No. The car industry should provide the means for people to protect themselves, but ultimately, it is up to the people to decide whether or not they want that extra protection (and pay for it). The Government *IS* protecting people from themselves by imposing mandatory seat belt laws and the like.
I don't think you have thought your plan all the way through.
Didn't realize it was their job to be a nanny to their users. And here I thought they had to be over 18 and of legal age to "sign" the EULA.
A lot of sites have the same userID and a password like "xyz123". OMG you hacked into my free pandora / whatever site that I don't care about? Yawn, I guess I'll just create another account.
Now ones with my CCs and other more more important info? They all have much harder credentials and unique passwords.
(Yes, I can read. "These are Top Sites we're working with. Which ones? Top. Sites.") Still not my problem. Maybe the users actually want their account attacked so they can get free CC account monitoring? Or can plead bankruptcy easier somehow? Hell, maybe it's a detection canary sponsored by your regional government or police officials. Just because it's weak doesn't mean it's bad, maybe the users have memory loss and can only remember a single letter.
That's RIGHT, you're now actively arguing for discriminating against intelligence-impaired people, people who can't touch-type, and people (executives) that are much too important and busy to bother typing a complex password. Government standards will soon mandate a minimum password of 0 characters with a maximum of 9 in order to preserve the impending world-wide bit crisis. The more characters you use now, the less that remain for everyone. Larger font letters that require more digital ink to store will soon increase in price -- soon only the 1% will be able to afford them, so BUY NOW!
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Several years ago, I used to work for a now defunct online web site company that provided websites to customers. Customers were required to activate their site and sign in to a site management web page. Although the password policy was not as sophisticated as it should have been, we did require passwords to be between 6 and 16 characters.
We received an email from one customer who was helping a new customer activate and sign up for the web management page. The new customer liked to pick passwords based on a mild shock value and wanted to use "Penis" as his password. The customer wanted us to know that they almost died laughing when the web page responded back with the message:
"Password rejected. Not long enough. Please try another."
Remember, password length is important. Choose your length wisely.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
Yes, yes, one in every 10^85 random passphrases will have the same SHA256 hash. OH NOES! Meanwhile, unhashed (or weakly hashed) passwords are trivial to reverse (and then use to log in as those users, or to try logging in as them on other sites as well) as soon as the password database gets dumped. Such dumps happen all the time. I would be willing to wager that in the entire history of the Internet, nobody has blindly (i.e. without knowing the hash they were trying to generate) stumbled onto a password verifier hash collision (i.e. not simply guessing the user's actual password, but trying a different one and having it accepted anyhow) if a cryptographically secure hash was used (hell, I'll even allow the use of the broken and deprecated MD5).
"strictly speaking storing hashes is less secure" my ASS. You are full of bullshit, oh random AC.
There's no place I could be, since I've found Serenity...
Personally, I love password rules.
The more complex the rules, the smaller my brute force search space, since I can just not look for passwords which don't meet the rules.
That's not even vaguely related to what CloudCracker does, which suggests to me that you haven't a clue what you're talking about.
This suggestion is reinforced by the fact that you recommend adding a "feature" which will allow me to prevent you from logging into any website I want, for near-arbitrary values of "you". There are right ways to do anti-brute-forcing protections on a password. Time delays (on remotely accessible unauthenticated login pages) are almost never the right option.
Much better is to automatically initiate a password reset for the affected user, where practical. Where not-so-practical, require a high-quality CAPTCHA after more than, oh, three failed attempts. The first approach makes brute-forcing practically impossible unless you have control over the password reset mechanism (in which case you would just have triggered that yourself, then completed the process on behalf of the victim). Worth noting here that the site needs to log the user in directly as part of the password reset (rather than just bouncing them back to the login page) since the attacker can force another reset almost instantly. The second approach slows down brute-forcing without making it too hard for the user, and makes *automated* brute-forcing nearly impossible.
There's no place I could be, since I've found Serenity...
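The second approach in the post above, as an added example that is not the poster's code: a login gate that never locks an account, but refuses to even check the password once that account has three consecutive failures unless a CAPTCHA has been solved, and clears the counter on a successful login. The CAPTCHA is modelled as a boolean the caller supplies after verifying it out of band; the PBKDF2 work factor and the threshold of three are assumed values.

```python
"""Failed-attempt throttling with a CAPTCHA gate instead of account lockout."""
import hashlib
import hmac
import os

CAPTCHA_AFTER = 3        # consecutive failures tolerated before a CAPTCHA is demanded
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the hardware you run on


def make_record(password):
    """Create a salted PBKDF2-HMAC-SHA256 verifier for storage (never the password)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify(record, password):
    """Constant-time comparison of the candidate against the stored verifier."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


class LoginGate:
    def __init__(self, users):
        self.users = users      # username -> record from make_record()
        self.failures = {}      # username -> consecutive failed attempts
        # Decoy verifier so unknown usernames cost the same work as real ones
        self._decoy = make_record(os.urandom(8).hex())

    def attempt(self, username, password, captcha_solved=False):
        """Return "ok", "bad_credentials" or "captcha_required".

        Once the counter reaches CAPTCHA_AFTER the password is not examined at
        all until a CAPTCHA is presented, so an automated guesser learns nothing
        from further attempts, while the legitimate user is never locked out.
        """
        if self.failures.get(username, 0) >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"
        record = self.users.get(username, self._decoy)
        # Always run the hash, even for unknown names, to keep timing uniform
        ok = verify(record, password) and username in self.users
        if ok:
            self.failures.pop(username, None)   # success clears the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "bad_credentials"
```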
He's saying he doesn't understand why his bank has a length limit.
Wow, you're trying (and I appreciate that) but you really need to think this through a lot harder!
1) Password "guessing" isn't done by a human who will get bored. It's automated, and *extremely* fast. Let's say I can submit 10 password attempts per second (practically speaking, even a shitty home connection can probably manage closer to 50; a botnet could manage tens of thousands easily if the login server is up to it). Just because your password isn't in the 10 most commonly used ones doesn't mean it isn't in the 600 most commonly used ones. Oh no, instead of one second, it took my automated proxy a full minute to break into your account! As if that's a meaningful delay for a targeted attack...
2) How the heck is the user going to "run out" of strong passwords? I mean, even if the site prohibits re-using the old password after a reset, there are a quite literally infinite number of possible passwords. I'll grant that if you kept this attack up until the heat death of the universe, it would eventually reach the point where my "password" might need to be longer than a typical sentence in English, but whoop-de-do. You could keep this kind of attack up all year without running the user out of dictionary words, so long as they aren't logging in 20 times a day! You couldn't run somebody out of pairs of such words in a natural human lifetime. That's ignoring case, and using the stupidest possible password generation scheme (choose the next word [pair] from the dictionary). A decent password scheme would be vastly more secure.
3) This user notes that somebody is *constantly* trying to brute force their password. Let's say you've managed to keep it up for months without getting your IP blocked or getting arrested under the CFAA or some such thing. The target of the attack has run through dozens of passwords. Why the hell would they decide to use a really weak one (knowing there's a constant attack going on) for their next one? Wouldn't it make a lot more sense at that point to hammer on the keyboard for five seconds when asked to create their password, knowing full well they will need to reset it next time they want to log in anyhow, due to that asshole wasting their time forcing resets constantly?
Yeah, you *really* didn't think about that one very hard, did you?
There's no place I could be, since I've found Serenity...
This is why you should use unique email addresses for each account. Gmail kind of supports this (they ignore . characters, and anything after a + character, when figuring out the mailbox to send a message to). So you can, for example, use yourgmailaddress+slashdot@gmail.com to sign up for Slashdot (not that you, AC, would ever do such a thing) and use yourgmailaddress+bankname@gmail.com when signing up for online banking, and be secure against the attack you describe unless somebody really clever figures out your naming scheme.
There are other webmail providers that do an even better job of handling unique, disposable addresses.
There's no place I could be, since I've found Serenity...
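The per-site address scheme from the post above, as an added example (not the poster's code): canonicalise a Gmail address by applying the two rules the post describes (dots ignored, anything after "+" ignored), derive a per-site alias, and recover the tag from an address that later turns up somewhere it should not have. Treating googlemail.com like gmail.com is an assumption; addresses at other domains are left untouched because their providers may not apply these rules.

```python
"""Gmail-style address canonicalisation and per-site aliases."""

# Domains assumed to apply the dot and plus rules described in the post
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_address(addr):
    """Map an address to the mailbox that will actually receive it."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % addr)
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]          # text after "+" is ignored
        local = local.replace(".", "").lower()  # dots are ignored too
    return "%s@%s" % (local, domain)


def same_mailbox(a, b):
    """True when two addresses deliver to the same mailbox."""
    return canonical_address(a) == canonical_address(b)


def site_alias(base_addr, site):
    """Build the unique per-site variant the post suggests, e.g. user+bankname@gmail.com."""
    local, _, domain = canonical_address(base_addr).rpartition("@")
    tag = "".join(ch for ch in site.lower() if ch.isalnum())
    if not tag:
        raise ValueError("site name yields an empty tag")
    return "%s+%s@%s" % (local, tag, domain)


def tag_of(addr):
    """Return the '+tag' of an address, i.e. which site it was handed to (None if untagged).
    Useful when an alias starts receiving mail from parties it was never given to."""
    local = addr.strip().rpartition("@")[0]
    return local.split("+", 1)[1] if "+" in local else None
```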
There is nothing more I hate than websites that made me adhere to their arbitrary password security rules. The more hoops you make me jump through, the harder the password is to remember, and the dumber the password I pick (in the hopes of making it easier to remember).
Please, leave me alone.
Blocking access after failed passwords just invites denial of service attacks. It seems like a bad idea for most situations.
Perhaps the underlying system has the requirement by design?
The design and choice of said underlying system is bad. However, a developer whose authentication page you use may not have had any input. Security may not have had any input. Said inputs may have been ignored.
Or, don't enforce an upper limit and just sanitize the input down to 16 characters behind the scenes. Not a real solution but at least an obvious rule isn't being presented to outsiders. Security through obscurity isn't a bad idea though it should never be a fundamental assumption.
Also, if you have no actual upper limit, your password hashes probably do have an upper limit. As you increase the allowed upper limit, you slow things down and increase the likelihood of collisions.
Although it's understood that everyone has different barometers for the following terms, "Perfect is the enemy of good enough" is a true statement whether we're talking construction, accuracy, a SAP implementation, storage capacity, car safety, physical security or password policy.
The problem is that those who make the decisions are never held accountable for where they draw the distinction - it's always externalized and in the case of password policy and implementation, like in most things, is a social rather than technical issue.
Thought it through just fine, thank you. My plan to take over the world was a jest. My complaint about requiring a password reset after X number of tries is 100% valid. Let's walk this through:
1) Bot hits my account 10 times. Account is locked. Victory! Bot doesn't get in.
2) Eventually, I request that the account get unlocked. Company has two choices:
i. Unlock the account and let me go about my business, secure in the knowledge that I have a password that can't be guessed in 10 tries.
ii. Force me to choose another password according to whatever arbitrary rules Company has in place.
Option ii makes no sense to me. The bot may, or may not, have been hammering at my (locked) account all this time. So what? It's not like anything out there is keeping track of the 10 tries that failed, and will continue from there once I get around to asking Company to unlock the account.
Option i makes sense, and is user-friendly. Option ii makes no sense and is user-hostile, not to mention lazy because it shows that Company prefers the illusion of security than actually thinking it through.
Please, show me where I'm wrong. It's Slashdot, that's practically a hobby here.
Repeat after me.
The problem IS NOT PASSWORDS. Fighting for "better passwords" is a never-ending, stupid, foolish waste of time.
What is the point of a password? It is to prove who you are. Nothing more, nothing less. A password is not used as a key to look up information for a retailer, or blog, or anything else - that is keyed off your user name. All a password is is an identifier showing WHO YOU ARE.
It is unrealistic to expect a human to remember dozens of complex passwords and change them monthly. It is also unrealistic to preach "password managers" as a solution because they don't work in all situations and on the go.
So then, why is it then that I need a username and password FOR EVERY ONE OF Amazon, Tesco, Virgin, and every other company listed in the OP, and Facebook, and Yahoo, and Google, and Slashdot, and every other site? Why can't I just have ONE complex, known, secure identification mechanism?
And even more pointedly - WHY IS IT that the technology ALREADY EXISTS to answer every point I raised - namely, the combination OpenID and OAuth - to solve this problem?
If every webmaster would stop thinking they live in their own universe, and SIMPLY STOP storing their own passwords and instead REQUIRE AND ONLY SUPPORT OpenID and OAuth authentication, this whole problem would be nearly entirely eliminated from the internet. People would have ONLY ONE password to remember, for all sites. They could be FORCED to change it monthly, and it would not be a huge burden since it is their ONLY password.
But no, every site in existence thinks they are THE ONE and should be able to exist in their own walled garden independent of everyone else.
but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person?
I opened accounts with Ally (a bank) and PayPal (not technically a bank but they act like one) while living in Fort Wayne, Indiana. Ally and PayPal have no branches there.
Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.
A PayPal user sends money to another PayPal username, which is an e-mail address. Chase is starting a similar system called Chase QuickPay.
My problem is this: too many sites don't even publish their password policies, so I can't even begin to tell what is an acceptable password. I may go to the trouble to use mixed case, only to find out that their password is case-insensitive. Or they may accept a long password but silently truncate it. Or they may not accept special characters, but "tell" me only with an error message when I try one. Or sites that turn right around and *send* me my new password so I won't forget it (again, without telling me ahead of time). Or this beaut from Verizon Wireless: to enter your billing password (a secondary password that you can't change if you forget even if you know your primary password there), if you have to on your phone, you convert its mixed-case letters via the phone's keys. The prompt (long after you've created your password) says that the password "abc2" is the same as "2222". In essence, they reduce everything to digits.
This is a completely new twist on "security by obscurity". Your password is defined under double secret probation.
At least most sites are now accepting greater than 8 characters. But even that took years.
Honestly I get annoyed with password requirements that want you to have a special character, number, mixed case, etc. I just like to use really long but simple passwords; mathematically speaking, they're more secure than this mixed content bullshit while being easier to remember.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
Most of the safety mechanisms in today's cars are transparent to the user and do not inconvenience them in any way...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
How are liability laws not government regulation?
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
A lot of sites with tough password policies are too self important... Most of the things I'm signed up to online I don't particularly care if they get cracked, and so use weak and easily remembered passwords for them if possible.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I went into my bank recently and got the hard sell about switching to internet banking.
This is something I've resisted, but I was told it was "quite safe" and "millions of people do it".
They had a so-called free cash-back offer on the debit card. I looked at the sign-up process and was told by the counter staff it needed a password of 6-8 characters - case insensitive and letters/numbers only.
For some reason they were surprised when I informed them that this was an incredibly weak password scheme and that I wanted nothing to do with it.
Needless to say, I'm still refusing to sign up for any internet based banking and automated money transfers.
My power company (SCE) also changed their system a year or two ago, claiming that "in order to increase security", my login name (previously unique to that site) was changed to my email address. (Their customer service department never replied to my request for them to explain how this increased security).
My new password is going to be "nanny".
Please don't copy it - thank you.
n/t
/. -- the Free Republic of technology.
and a silly suggestion.
How many bits of entropy are you actually producing? If you don't know, go to the back of the class.
/. -- the Free Republic of technology.
Because, of course, it is so much better to sell your users to some social network and let them control how you run your site or business?
Webmasters do live in and manage their own universes, to the extent that they want to. What next, you're going to complain I have a door on my house or on my bathroom? Go away, you're creepy.
/. -- the Free Republic of technology.
1) to control access to data the user cares about
2) to externalize the costs of controlling access to data the company cares about onto the user
123456, password, etc. are perfectly valid and rational user responses to the latter situation.
/. -- the Free Republic of technology.
Facebook, Google, Twitter, Yahoo all provide them already. So do identi.ca and OpenID.org and DOZENS of others. And if you wear a tinfoil hat 24*7 then you can run your own trivially. And finally, your ISP should provide one with your account as well.