Slashdot Mirror


A Plea For Websites To Stop Blocking Password Managers

An anonymous reader writes: Password managers aren't a security panacea, but experts widely agree that it's better to use one than to have weak (but easy-to-remember) passwords. Just this week, they were listed as a tool non-experts don't use as much as experts do. I use one, and a pet peeve of mine is when a website specifically (or through bad design) interferes with the copying and pasting of a password. Thus, I appreciated this rant about it in Wired: "It's unacceptable that in an age where our lives are increasingly being played out online, and are sometimes only protected by a password, some sites deliberately stop their users from being as secure as possible, for no really justifiable reason."

55 of 365 comments shown

  1. Scripts that interact with passwords fields awsome by Anonymous Coward · · Score: 2, Interesting

    Well some sites don't want scripts interacting with the password fields. This could be a way to stop some malware from scraping user passwords from input fields.

  2. Re:Lazy and Stupid by Demonoid-Penguin · · Score: 3, Insightful

    Anyone who uses password managers and believes them to be safe and unable to be broken should not be able to use the Internet. All passwords should be maintained separately and typed in manually.

    Do you have a citation for that, Mr. Scraps of Bad Security on Paper? Or are you just varying your normal MOO trolls?

    I'm sure Bruce Schneier would appreciate your insights into secure code. KeePass has so many flaws.

  3. Re:A plea to fuck off. by Sneeka2 · · Score: 5, Insightful

    The alternative being what? Using the same password everywhere and/or spreading your security thin across a thousand different web services you're using all incompetent at protecting your password to varying degrees?

    --
    Bitten Apples are still better than dirty Windows...
  4. Re:A plea to fuck off. by darkestsoul · · Score: 3, Insightful

    Except that in the year 2015, attackers have realized that it is far easier to just attack companies directly instead. A password manager, or a manually typed 50-character password that is unique to the site isn't going to change poor security one bit. If you don't trust a recognized password manager, I hope you keep your life savings in your mattress as well.

  5. Re:Wait, you have to TYPE the password??? by Sneeka2 · · Score: 4, Funny

    If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...

    * Yes, please use exactly this password; it's super safe, I promise!

    --
    Bitten Apples are still better than dirty Windows...
  6. Re:A plea to fuck off. by Whiternoise · · Score: 5, Insightful

    It's risk analysis. Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised. Most people can't remember more than 5 (strong) passwords at best and they get lazy and reuse them everywhere. Password managers let you eliminate password reuse so even if your Amazon account gets hacked, the attackers won't suddenly have the keys to the castle.

    It is one place to attack, true, but how likely is it that someone targets your password database? I would argue it's pretty remote, even if your machine was compromised or stolen. Assuming your master password is strong, the attacker either needs to crack it (difficult) or know you well enough to guess it. What's far more likely is that the drive the database is on fails and you lose access to all your randomised passwords. However in that scenario, you might have printed backup keys for your email account (Gmail will let you do this) and no worries.

    For the truly paranoid, good old wetware suffices or a pencil and paper; again, you're weighing the risk of your house (or mind) being broken into vs some script kiddies attacking a website.

  7. Re:A plea to fuck off. by TwentyCharsIsNotEnou · · Score: 2

    As always, it's a trade-off between security and convenience.

    You could keep your passwords engraved on dog-tags and locked in various fire-proof safes in different basements, but that really ruins the convenience part of the trade-off.

    Or you could just use the same password for all sites (if possible), but that really ruins the security part of the trade-off.

    How about: you use a password manager to store your non-critical passwords and store your critical passwords somewhere else - especially the password to your email account from which you can reset all the others if they're stolen. Perhaps a more reasonable trade-off.

  8. Prioritization vs Managers by invictusvoyd · · Score: 2

    Prioritization of passwords, i.e. choosing complex ones for a few critical accounts/services and "easy to remember" ones for non-critical things, can eliminate the need for managers. As someone pointed out, managers are all eggs in one basket.

    1. Re:Prioritization vs Managers by gmack · · Score: 2

      Or the way I do it: Complex passwords for a few critical accounts and my password manager. Sites that don't hold my personal or financial info get to use the password manager

    2. Re:Prioritization vs Managers by Overzeetop · · Score: 5, Interesting

      Managers are like placing all of your eggs in one basket which has been specifically designed for carrying eggs, with proper separation and cushioning against nearly all common shipping contingencies.

      Having a couple of really secure passwords and a couple of throwaways is like putting a couple of small eggs in your back pocket and carrying the big ones in your hands. Much more convenient, and only as secure as you are diligent.

      --
      Is it just my observation, or are there way too many stupid people in the world?
  9. Why do browsers allow websites to do this? by EmperorArthur · · Score: 4, Insightful

    While it's true the site operators are at fault, I also blame the browser makers.

    Many websites don't allow copy or paste, or even selecting/highlighting text.
    While I can understand the draw of websites, especially ones with games, being able to grab keyboard input, it's a potential security disaster waiting to happen.

    Browser makers should treat this kind of keyboard/mouse hook the same way they treat websites asking for location data: with a message asking the user whether they want to allow the behavior or not. Furthermore, they should do it in such a way that operators cannot force users to click allow.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  10. Re:Scripts that interact with passwords fields aws by invictusvoyd · · Score: 5, Funny

    I generally don't trust anything or anyone having the word "manager" in their name.

  11. Re:Scripts that interact with passwords fields aws by jarfil · · Score: 5, Insightful

    Except it doesn't stop shit.
    Any malware would either intercept the keystrokes, or read the in-memory data directly, or even change the web content to inject whatever scripts it wanted... or even read the password from the clipboard, because the fact that you can't paste it into the page does not stop you from copying it from wherever you had it in the first place.

  12. Re: A plea to fuck off. by fuzzyfuzzyfungus · · Score: 4, Insightful

    The frustrating thing is that we have better technology available; but we mostly can't use it because sites don't support it. PKCS#11 is older than God, and ICs to suit are nice and cheap because SIMs also use them; but when was the last time you saw a non-state site supporting that? The RSA style auth fobs are also better, as long as you don't let somebody steal the seed data (looking at you, RSA), and they don't even need a card reader on the client device. Whatever the 'FIDO' people are messing around with is immature and barely adopted; but also is better than passwords. Aside from a few token "we'll send you a text message and call it two-factor" options, and amusing little pace-of-adoption quirks that make it easier to get a hardware token to protect your WoW account than your bank account, the sites that control the login options haven't done a damn thing in two decades.

  13. Re:Never seen them blocking CNTRL-C CNTRL-V by Gaygirlie · · Score: 3, Informative

    Blizzard's Battle.net does this. Or at least it used to; I haven't checked recently. I did contact them about it and they just scoffed it off as a "security measure."

  14. Re:Scripts that interact with passwords fields aws by rvw · · Score: 4, Insightful

    IMHO, this is a browser problem, not a website problem. Browser shouldn't allow scripts to interact with a password field. Period.

    [Disclaimer: I'm not the GP AC.]

    Isn't this exactly what a password manager does? I thought Lastpass (to name one) uses Javascript to change the form fields, including the password field (which suddenly has a clickable * in it). So if you disable that, you have to paste manually.

  15. Re:Wait, you have to TYPE the password??? by jarfil · · Score: 2

    I used to have a "good" combination on my luggage... until the day I forgot it (or set it wrong, who knows). Poking this way and the other, it turned out that it takes about 10-15 seconds to pick my luggage, and about 2 seconds to pry it open with a screwdriver.
    Since then, I just use 12345, because why bother :D

  16. Re:Why RELY on copy/paste? by Gaygirlie · · Score: 2

    You can write a browser with a built-in password manager.

    Why should a password manager be a part of a browser? You do realize that there are plenty of cases even outside of the web where passwords are used.

  17. Re:A plea to fuck off. by Anonymous Coward · · Score: 3, Insightful

    The problem AC "identified" is that a password manager can be cracked and reveal all your passwords.

    A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.

    Hey, I know, why don't we write all our passwords onto stickers and put them under the keyboard. Nobody ever looks under the keyboard.

  18. Re:A plea to fuck off. by gmack · · Score: 3, Informative

    My server logs disagree with your assumptions. Fail2ban is running constant blocks on botnets trying to guess passwords on SSH, FTP, SASL and websites, and this goes for my day job, my personal server and my evening contracts.

  19. Re:Scripts that interact with passwords fields aws by TheRaven64 · · Score: 3, Interesting

    JavaScript can also intercept the contents of the clipboard. If you're blocking password managers, then people are going to do one of two things. Either they'll pick a (weak) easy-to-remember password, or they'll use a password manager and paste the password in. If they opt for the latter, then any malicious ad on the page can grab the password while it's in the clipboard...

    --
    I am TheRaven on Soylent News
  20. Re:A plea to fuck off. by Anonymous Coward · · Score: 2, Informative

    A password BOOK doesn't even need to be cracked, so it's not a solution to that problem - it's got the same problems as before PLUS it's not secured at all.

    It's locked into my house. If someone breaks into my house I worry more about my immediate safety than someone logging into my facebook account.
    If they got access to my physical password book they have already gotten access to my wallet with my credit card and ID.
    Oh, and they probably found my passport too.

    And my passwords aren't written in a way that is legible. I don't write address, login and password together, and the password is usually a reference to a password well known to me, with a modifier.

  21. Re:A plea to fuck off. by N1AK · · Score: 2

    I tend to work on the premise that if it's an important password, it doesn't go in my password manager unless the service supports 2 factor authentication. I'm yet to hear an argument against password managers that isn't wrong, trivial or blatantly obvious. Yes, it'd be stupid to put all the information required to get into your bank account and transfer money out into a password manager; however, none of my financial service providers allow money to be sent to an account it hasn't already been sent to without requiring some form of additional authentication (SMS code etc).

    There are 230 passwords in my LastPass vault; they're all reasonably complex and none of them are the same. You can't get into any email or financial account with just the information in there. Is it perfect? Not even close, but it's vastly better than I could viably manage without it, and I've made an informed decision on the trade-off.

  22. Re:A plea to fuck off. by Rich0 · · Score: 4, Insightful

    Password managers are essentially making a bet that the risk of your hard drive being compromised is far less likely than a website being compromised.

    If your hard drive is compromised then your keystrokes are being logged and your cookies are being extracted, and any website you log into will be compromised. The password manager isn't really adding that much more risk here.

  23. A variation on this by DrXym · · Score: 2

    Another commonplace annoyance is sites of no consequence that ask for an email address and for some unknown reason require it to be entered twice. And to stop people working around this fuckwittery they block copy & paste. I might understand the need to enter an email twice if it were a tax form or suchlike, but many sites are simply doing it for no meaningful purpose at all.

    Some sites and wifi hotspots double down on this annoyance by inflicting it on their mobile pages too. So you have to enter an email twice from a handset. And just in case that wasn't enough, they fail to specify the field is for email so the phone browser's autocorrect fucks it up as you type it.

  24. Re:Lazy and Stupid by Demonoid-Penguin · · Score: 2

    It's not a difference that I would rely on; but there likely are some differences: it's typically easiest to get some sort of cross-site-scripting malice to work,

    In which case your passwords are toast no matter whether you typed them in by hand or they were injected by a password manager.

    less easy but far too common to escape from the browser and poke around with the user's permissions,

    Do you have a citation for this common occurrence?

    I can't seem to find one - though I only did a quick google and a search through the last decade of email from the Full Disclosure mailing list.

    Also could you expand on how such an exploit would not be able to result in key logging that also result in a typed password being captured?

    more difficult again to escalate privileges above the user's context; and potentially quite tricky to get a kernel driver in without either compromising some vaguely respectable OEM or mucking with the system's certificate store.

    I agree with what made sense. You lost me with the "vaguely respectable OEM" bit. Could you expand on that please. I can be a bit thick.

    Mechanisms that touch the browser too closely will probably fall to a good XSS exploit, basic browser-stores-passwords arrangements should fall over with nothing more than your security level

    Sound good - a bit theoretical. How does that get past a passphrase and encrypted password storage?

    ; actually getting a keylogger, especially a persistent one, in there should be more demanding.

    I'd disagree there - if I have that much access I can download what I need - if I'm too lazy to use what's already on the system.

  25. Post-it's are easier by Overzeetop · · Score: 2

    Better to use a single password and write it on a couple of post-its. That way you can tape one to every device you own.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  26. Re:Wait, you have to TYPE the password??? by zm · · Score: 2

    If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...

    Now my favorite password is in cleartext on the Interweb, and I can't use it any longer.. Thanks for nothing. :(

    --
    Sig ?
  27. A plea for browsers to stop blocking autocomplete by MightyDrunken · · Score: 3, Insightful

    Websites have disabled autocomplete on password fields to prevent browser-based password managers from working. In response to this, many browsers ignore autocomplete=off on password fields. I ran into this behaviour on a user administration screen: the browser was trying to fill my password into the other user's password field. I could not stop the browser from autofilling the wrong password.

  28. Re: A plea to fuck off. by Overzeetop · · Score: 4, Interesting

    horse battery staple

    Not any more. Words are now characters. You have a 3 character password right there. Unless you're going to munge up the words with misspellings or nonalphanumerics,

    Besides, having to type in your master pass[phrase] that's 30 characters long into something like LastPass from a phone keyboard with ******** as your visual feedback every time you need to re-authorize (which should be frequent if you're being diligent) is a royal pain in the ass. Do that for a couple of days and you'll be back to 12345 out of sheer frustration.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  29. Its 2015 people. by ruir · · Score: 2

    So many talking about securing passwords and not a single mention of two-factor authentication...

  30. Re:Why RELY on copy/paste? by Overzeetop · · Score: 2

    But apps have to integrate it. That's the problem - some don't.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  31. Re:Scripts that interact with passwords fields aws by MrL0G1C · · Score: 5, Interesting

    Since my password manager is a simple piece of software - an encrypted database of my passwords that runs on my computer with the data on my computer, I'd say yes, I have no reason not to trust it. I wouldn't put my bank login details in to it though, because of vulnerabilities + trojans + keystroke-loggers.

    Trust an online password manager - hell no.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  32. Re:Scripts that interact with passwords fields aws by MrL0G1C · · Score: 2

    Which is one of the many reasons why JavaScript clipboard functions should only be allowed for white-listed sites.

    If anyone knows of an extension to fix this I'd like to know.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  33. Re:A plea to fuck off. by AthanasiusKircher · · Score: 2

    I have one strongish password which I modify in a systematic and easy to remember way based on the website name. For example (and this isn't exactly what I do, obviously), say my core password is ghs78kja: on slashdot I would use as a password /DOTghs78kjaSLASH* on the New Scientist's site I would use /SCIENTISTghs78kjaNEW*.

    While I understand the appeal of such a system (and tried it briefly years ago), it seems somewhat bizarre to me if you actually want any security. Yes, it will stop some random hacker who obtained a password list from site X from automatically logging into site Y by just applying the old list.

    But if a hacker actually gives a crap about what he's doing and actually wants to get into your accounts, a system like this is well-known enough that he could guess your passwords to other sites once he knows one of them.

    Obviously you said this isn't what you use exactly, but to really make it reasonably secure, you'd need to have a much more sophisticated method of generating password modifications for each site (e.g., disguising the name or manipulating it in a non-obvious way, performing some non-obvious modification on your "core" password based on the site name, etc.). And once you go down that road to generate something non-obvious, then you need to recreate those steps of generation every time you try to remember a password... which could be tedious and annoying unless you design it well.

    Anyhow, for accounts you really don't care about, something like this sounds fine. But GP was talking about strong passwords, which should probably be more individualized for accounts you really want to keep secure.

    These passwords are all unique, long, very easy to remember, and use all the character classes.

    Yeah, except I'm sure they break half of the password policies at various sites anyway. That's the primary reason I started using a password manager -- even if I used a system like yours, I'd still have to remember all the random constraints on passwords for various sites.

    For example, some sites have length maximums that could be anywhere from 8 characters up. Some sites will accept a longer string when you try to login, but they won't warn you that your password must be shorter, so you keep typing in your 20-character phrase and get rejected because your password is actually the first 12 characters or whatever. And then you have sites that don't accept special characters, or sites that require special characters (but only from a certain list), or sites that don't allow you to begin your password with a number or a special character or whatever, or sites that don't accept strings of more than X letters in a row (yes, those exist, and you have to mix up the letters with numbers or special characters).... or whatever other random constraint applies.

    With a password manager, I can have 30-character passwords or whatever on all the sites that accept them. If they use special characters, I can randomly generate a password with them. If they don't, I can specify a random alphanumeric password. Or whatever. And if the maximum length is 12 characters, I can specify that too without artificially limiting the length of my passwords on other sites or having to remember "Oh yeah, that site only allows a short password and it won't warn me if I try to enter my long one..." etc.

    I'm not saying password managers are the best option for everything. But for remembering random website passwords, they can work pretty well.

  34. Re:Scripts that interact with passwords fields aws by TheRaven64 · · Score: 4, Insightful

    True, although most password managers can generate random passwords (of varying strengths, as a recent Oakland paper showed). Using this functionality is generally easier than thinking up a password.

    --
    I am TheRaven on Soylent News
  35. Re:Scripts that interact with passwords fields aws by Demonoid-Penguin · · Score: 3, Interesting

    Your argument has one flaw - just because someone uses a password manager doesn't mean he will pick strong passwords...

    The flaw you see is not where you think it is. The OP never said a password manager requires strong passwords. That would require idiot proofing - that's a whole other subject.

    Using a password manager does not necessarily enforce good passwords - or prohibit the reuse of them.

    Writing passwords down means you have to read them out, and type them in to use them - a practise that also does not necessarily enforce good passwords - or prohibit the reuse of them.

    Writing passwords down means you have to read them out, and type them in to use them - a practise that encourages bad passwords and the reuse of them.

    Using a password manager does not encourage bad passwords and the reuse of them.

    The reason for the difference is in ease of use and amount of effort involved. People cut corners because they are lazy or in a hurry.
    I touch type - most people don't, I make mistakes typing in complex passwords that have been written down. The more I use those passwords, and the more passwords I need to keep, the greater the incentive to practise bad security. Given that most people can't touch type - they have an even stronger incentive than me to practise poor security - the evidence from all the password list dumps and all the security tests on password usage just proves the same thing. People use dumb passwords, people reuse passwords. When they are asked why they do so they say it's because it's too hard to remember them - or to write them all down, keep control of the pieces of paper, and to type them back in each time.

    The other risk with using either method for storing password is loss of the passwords. Passwords managers have to be backed up. Paper records of password needed to be backed up and secured. Password manager use passphrase protection so they are secured. (or should be - see my previous comment about idiot proofing)

  36. Re:Wait, you have to TYPE the password??? by swillden · · Score: 3, Interesting

    If your password is "OPnuo(I&n hKUYNB68IOnih4wOIB*GBi234t73" as it should be,* then yes...

    Parent was modded funny, but this is what your passwords should look like -- long and random, and typing them is a PITA. Any web site that disables pasting or prevents your browser or extensions from auto-filling passwords is broken. The sad thing is that most sites that do this (other than those that do it by accident because the devs are clueless) do it because they think they're increasing the security of their users' accounts. They're not.

    Solutions like LastPass et al are the best, but honestly just using your browser's password database is better than reusing passwords everywhere. And Chrome and Firefox (at least, perhaps others) offer the option of keeping your passwords synced to all of the devices you use, optionally protected with a master password. Browsers need to offer password generation as well. I think some are working on it.

    Of course, the real solution is to get rid of passwords. Web sites should switch to using OpenID authentication. Yes, this means that most users will use their Facebook or Google logins, which means that, essentially, the site has outsourced its account security to those other entities. So what? If the developers of random web sites think they can do a better job of account security than Google or Facebook -- they're wrong. I work for Google and previously spent a decade as a security consultant in the financial industry, and after seeing how they all work from the inside, I would feel much more secure about my bank account if I could use my Google account (with 2FA, plus all of the analytics and monitoring Google does) to log into it rather than trusting the bank to do a decent job with password-based security. I haven't seen Facebook's infrastructure, but I know people who work there, and they're good. Far better than you'll find at a typical bank, much less J. Random Web Developer.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  37. Re:Scripts that interact with passwords fields aws by stevel · · Score: 5, Interesting

    LastPass is no more proprietary than KeePass. The JavaScript implementation is visible. And while their server was hacked, the thieves got nothing of value since the contents of your "vault" never leave your computer unencrypted and LastPass doesn't have the key.

    I agree with the article - blocking password managers lowers security.

  38. Oh you mean like gov websites? by sims+2 · · Score: 3, Interesting

    The nicsez check website comes to mind.

    You know, the one that's used to run background checks for guns in 36 states or so?

    If I recall correctly, it's forbidden in the terms to use a password manager.

    And you have to change the password every 90 days.

    --
    Minimum threshold fixed. Thanks!
  39. Stop Using "Passwords" by lars5 · · Score: 2

    I stopped using traditional "passwords" years ago and switched to a derivation algorithm instead.
     
    I never have to remember a password because I can derive each one easily. Does anyone else use this strategy?

    --
    Don't Panic.
  40. Re:Scripts that interact with passwords fields aws by stevel · · Score: 2, Insightful

    Obviously you have limited experience or familiarity with password managers. LastPass, among others, keeps your encrypted passwords "in the cloud", so that they are accessible even if your local disk "takes a dump". For LastPass, there's also a local copy of the encrypted database, and yes, I do have backups. (If you don't have backups, you have a lot more problems than losing passwords.)

    Image/phrase/password verification is hardly "better" (better than what?). How many of those can you remember? If you can come up with an authentication scheme better than passwords that you can get every online service to use, then please let us know. The reality is that passwords are what we use today and password managers make them easier to use in a more secure fashion, so that one has a different, strong password for every login. Two-factor authentication is also very helpful (and I enable that where supported.)

    Currently the biggest weakness of passwords, other than most people using them poorly, is sites that store passwords insecurely. This, combined with the tendency of those NOT using password managers to reuse passwords, is what leads to the majority of account hacking.

  41. Re:Scripts that interact with passwords fields aws by DroolTwist · · Score: 2

    Why would you not have a backup? You can't fix stupid, no matter what you use.

  42. Re: Scripts that interact with passwords fields aw by bazmonkey · · Score: 3, Interesting

    Keepass is also (correct me if I'm wrong: I'd love to hear there is another) the only password manager I know of which is fully cross platform. Combined with Dropbox or some private file sync tool (I host a seafile installation), I have a synced password manager that works on Linux/Win/Mac/iOS/android. And I keep the key separate and move that to devices I use manually, so I'm almost totally unafraid of my vault being intercepted/stolen. Without my master pass phrase AND the encrypted key itself, breaking it is.... way harder than my passwords are worth.

  43. How about a standard password manager interface? by Applehu+Akbar · · Score: 2

    The article makes a good point: preventing paste into a password field just encourages people to use crappy passwords that are easier to type. The same applies to that silly convention of asterisk masking in password fields. The inconvenience massively outweighs that one time in a hundred that masking prevents a shoulder-surf attack.

    Can we develop a standard HTML interface for password managers, with built-in safeguards against malware usage? Any compliant PM would connect with any compliant login screen.

  44. No problem with KeepassX by xororand · · Score: 2

    KeepassX does not use the clipboard but instead simulates actual typing, with a configurable delay.
    When you select a password entry and press Ctrl-v in KeepassX, it hides itself, switches the focus to the last active window and types the password.
    This also protects you from accidentally leaking a password to remote desktop sessions or virtual machines that synchronize the clipboards.

  45. Re:Scripts that interact with passwords fields aws by war4peace · · Score: 2

    Until you go to a random PC which you don't own and try logging in to that whatever website...
    What I did (but is difficult to do in general) is learn an algorithm which allows my own brain to generate a password based on the website I'm logging in to.
    Give me a website name and I can create a unique password for it, all in my head. And whenever I revisit the website I can re-generate the password for reuse.
    The algorithm has evolved during last few years and sometimes I have to enter 2-3 passwords if I rarely visit a certain website, but overall it works great.

    Thinking a password is easy - but only after you spent some time and brain cells learning the algorithm.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  46. Re:Scripts that interact with passwords fields aws by Zalbik · · Score: 3, Informative

    JavaScript can also intercept the contents of the clipboard.

    Not by default it can't.

    True there are potentially bugs in implementation or bad configurations that allow scripts to read the external clipboard, but the same argument could be made against password managers. Poor security / configuration of the browser could allow scripts to read the password provided by the password manager.

  47. Something IS Wrong by JimSadler · · Score: 2

    Not only password managers but institutions are screwing up online security and it has to be deliberate. Banks have vast restrictions on what one can use for a password. Really only weak passwords are allowed at many banks. Every night on the news we hear whining about lack of security in financial transactions over the net. Yet the banks refuse the use of strong passwords. Other people must be noticing this. Why is there no outcry?

  48. Re: A plea to fuck off. by SScorpio · · Score: 2

    SQRL does something like a secure token. It allows a manager on a smartphone or computer.

    The site you are trying to access presents a clickable QR code that contains a session id and some random gibberish. The SQRL manager will sign that message with a private key that you have, and it signifies that you are who you say you are.

    This allows you to sign into a public machine using your smartphone, and once the session is terminated, anything that could have been captured doesn't allow an attacker to login later.

    On your home machine you could have a manager that handles SQRL:// and it takes the smartphone out of the loop.

    https://www.grc.com/sqrl/sqrl.htm
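
    The exchange described above, as an added example that is not part of the original comment and not GRC's SQRL code or the SQRL specification: a site mints a single-use session id plus nonce (what would go into the QR code), the manager signs it with a key derived for that site from one master key, and the server verifies, consumes the challenge and refuses a replay of the captured response. The key derivation (HMAC-SHA256 of the domain under the master key, used as an Ed25519 seed), the "domain|session|nonce" message format and the in-memory session tables are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client holds the one secret the user carries: a master key. Every site gets
// its own key pair derived from it, so no site sees a secret reusable elsewhere.
type Client struct{ master []byte }

// SiteKey derives a deterministic Ed25519 key pair for one domain.
// Assumption for this example: seed = HMAC-SHA256(master, domain).
func (c *Client) SiteKey(domain string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, c.master)
	m.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(m.Sum(nil)) // HMAC-SHA256 output is exactly the 32-byte seed
}

// Challenge is what the site would encode in the QR code.
type Challenge struct {
	Domain  string
	Session string
	Nonce   []byte
}

// message is the exact byte string the client signs and the server verifies.
func (ch Challenge) message() []byte {
	return []byte(ch.Domain + "|" + ch.Session + "|" + hex.EncodeToString(ch.Nonce))
}

// Response is what the manager sends back: session id, the user's per-site
// public key (their identity at this site) and a signature over the challenge.
type Response struct {
	Session string
	Pub     ed25519.PublicKey
	Sig     []byte
}

// Answer signs the challenge with the key derived for the challenge's domain.
func (c *Client) Answer(ch Challenge) Response {
	priv := c.SiteKey(ch.Domain)
	return Response{Session: ch.Session, Pub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, ch.message())}
}

// Server tracks unanswered challenges and which identity owns each live session.
type Server struct {
	domain   string
	pending  map[string]Challenge // session id -> unanswered challenge
	sessions map[string]string    // session id -> hex public key of the logged-in user
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, pending: map[string]Challenge{}, sessions: map[string]string{}}
}

// NewChallenge mints a fresh session id and nonce; both are single-use.
func (s *Server) NewChallenge() (Challenge, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{Domain: s.domain, Session: hex.EncodeToString(buf[:16]), Nonce: buf[16:]}
	s.pending[ch.Session] = ch
	return ch, nil
}

// Login verifies the signature against the stored challenge and then deletes
// the challenge, so a response captured on a public machine cannot be replayed.
func (s *Server) Login(r Response) (identity string, err error) {
	ch, ok := s.pending[r.Session]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	// Length check first: ed25519.Verify panics on a malformed public key.
	if len(r.Pub) != ed25519.PublicKeySize || !ed25519.Verify(r.Pub, ch.message(), r.Sig) {
		return "", errors.New("bad signature")
	}
	delete(s.pending, r.Session)
	identity = hex.EncodeToString(r.Pub)
	s.sessions[r.Session] = identity
	return identity, nil
}

// Logout ends the session; nothing captured during it is reusable.
func (s *Server) Logout(session string) { delete(s.sessions, session) }

func main() {
	srv := NewServer("example.com")
	cli := &Client{master: []byte("constructed master key, not a real one")}
	ch, _ := srv.NewChallenge()
	resp := cli.Answer(ch)
	id, err := srv.Login(resp)
	fmt.Println("login as", id[:16], "err:", err)
	_, err = srv.Login(resp) // replay of the captured response
	fmt.Println("replay err:", err)
	srv.Logout(ch.Session)
}
```

    What the example does not cover: the public-machine scenario still trusts the site's domain as presented in the QR code, and the client signs whatever domain it is given; binding the signature to the domain only guarantees that a key for one site is useless at another.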

  49. Re: A plea to fuck off. by Archangel Michael · · Score: 2

    horse battery staple

    As a hacker this is all you know
    1) You have a password that is eighteen characters long,

    As a hacker you can make assumptions
    1) Word length
    2) Number of words
    3) Spaces or Not
    4) Fancy Characters or not
    5) Numbers or not

    OR you can target passwords that are eight characters in length.

    I would suggest to you, that if you have a whole database of passwords, encrypted and salted properly, you pick low hanging fruit first.

    If you're a hacker, which password is easier to brute force ? "onetwothreefourabeeceedeeexclamationpound" or "1234abcd!#" (basically the same password) all other things being equal?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  50. Salted your passwords by 0100010001010011 · · Score: 2

    I gave up on trying to remember increasingly complex passwords and just remembered how to make them. Computers are great at doing complex math humans aren't. Humans can remember some things very easily (Correct Horse Battery Staple).

    Then I only have to remember or write down 3 things: The 'password', the length and the mapping.

    echo -n $password+$user+$website | sha256 | cut -c1-$length | [mapping]

    Where mapping maps the hex codes to a-z, a-Z, a-Z0-9, a-Z0-9!-). (You can make up your own charset and just use mod(charset length)).

    For example if my password was 'qwerty' I'd salt it such that my actual slashdot password would be:
    echo -n qwerty+0100010001010011+slashdot.org | sha256 | cut -c1-20
    050e48f9f39d4d481ec3

    It's not that much harder to implement in Python for use on Windows. (I just have a simple GUI).

    If you want to take it a step further just remember a pattern and then a start letter. qwerty, asdfgh and zxcvbn are the same 'password' in my brain. It's "Password 1, start q, a, or z'.

    I have everything written down on how to generate the passwords in a lock box and my wife knows my 'password'. So if I die and everything is locked she could get into any website she wanted just by following the instructions.

    All of our joint accounts do actually use our anniversary. Jan 1, 1980. 01Jan1980, etc are all going to generate different end passwords. You have to know both the date and the formatting, which she does.

    Stop remembering passwords and start remembering how to get to your password.
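
    The scheme above carried through in Go, as an added example that is not the commenter's own tool: `DeriveHex` reproduces the `echo -n ... | sha256 | cut` pipeline literally, and `Derive` fills in the `[mapping]` step the comment leaves as a placeholder, reducing each hash byte modulo the charset length as the comment suggests. Assumptions: the four charsets are spelled out from the comment's shorthand, with `!-)` read as the ASCII range 0x21..0x29, and one output character is taken per hash byte, so a single SHA-256 yields at most 32 characters.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Charsets named in the comment. "!-)" is read as the ASCII range 0x21..0x29.
var Charsets = map[string]string{
	"a-z":       "abcdefghijklmnopqrstuvwxyz",
	"a-Z":       "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ",
	"a-Z0-9":    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
	"a-Z0-9!-)": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&'()",
}

// digest is `echo -n $password+$user+$website | sha256` (no trailing newline).
func digest(password, user, site string) [32]byte {
	return sha256.Sum256([]byte(password + "+" + user + "+" + site))
}

// DeriveHex is the literal pipeline: the first `length` hex characters of the digest.
func DeriveHex(password, user, site string, length int) (string, error) {
	sum := digest(password, user, site)
	h := hex.EncodeToString(sum[:])
	if length < 1 || length > len(h) {
		return "", errors.New("length must be between 1 and 64 hex characters")
	}
	return h[:length], nil
}

// Derive applies the "[mapping]" step: each of the first `length` digest bytes
// is reduced modulo the charset size. Caveat: 256 is not a multiple of any of
// the charset sizes above, so the first few characters of each charset are
// slightly more likely than the rest (a small, but real, entropy loss).
func Derive(password, user, site string, length int, charsetName string) (string, error) {
	cs, ok := Charsets[charsetName]
	if !ok {
		return "", errors.New("unknown charset " + charsetName)
	}
	sum := digest(password, user, site)
	if length < 1 || length > len(sum) {
		return "", errors.New("length must be between 1 and 32 for a single SHA-256")
	}
	var b strings.Builder
	for _, x := range sum[:length] {
		b.WriteByte(cs[int(x)%len(cs)])
	}
	return b.String(), nil
}

func main() {
	// The comment's own example inputs; the output here is whatever SHA-256 gives.
	h, _ := DeriveHex("qwerty", "0100010001010011", "slashdot.org", 20)
	fmt.Println("hex   :", h)
	p, _ := Derive("qwerty", "0100010001010011", "slashdot.org", 20, "a-Z0-9!-)")
	fmt.Println("mapped:", p)
}
```

    The "length and mapping" the comment says you must remember show up as the two extra arguments; change either and every derived password changes, which is exactly why the comment keeps them written down in the lock box alongside the master password.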

    1. Re:Salted your passwords by Opportunist · · Score: 2

      Provided that we now know how your passwords are created, finding your password is essentially not harder or easier than before. From a technical point of view of course. Actually, it probably is much easier now considering that, since you probably rely on your creation algorithm to introduce enough entropy, you probably choose simpler passwords.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  51. Re: A plea to fuck off. by edtice1559 · · Score: 2

    I wish that I hadn't commented so that I could mod the parent up. The reason we are in this situation is the uniform application of the same level of security to different targets. There are *two* targets to think about: the web site operator and you.

    Unless you are a member of a clandestine state organization, a public figure, or wealthy enough to buy Dice and return /. to the glory days, you really aren't a target. If you are, there isn't information here to help you. Most web sites aren't a direct target. AMC isn't so worried about somebody hacking into their web site and using my account to buy a movie ticket. However, they *should* be concerned that their password database is somehow exfiltrated and cracked. Now anybody reusing a password is a potential victim of financial fraud and will be mad at AMC (even though they shouldn't have used the same password somewhere important). So they make you use something ridiculous.

    I am not enough of a target to be worth a targeted attack. However, there are a lot of low-value targets like me. Put us all together and it is worthwhile, so we need enough protection that we can't be aggregated. Hence when you look at encryption (and here is a similar case), the important part is that successfully circumventing one person's security doesn't compromise others. Key loggers and such are effective because you can compromise a lot of machines at once via malware. Then script out the money-stealing part. Password managers (if reasonably well implemented) don't change this. For that you need some sort of challenge/response or OTP mechanism. But the password manager protects you from the situation where the *server* gets hacked. Keep your client machines secure and you are safe from that vector.

    Password managers are an improvement over not having them, which was the original thesis of the article. They aren't a complete solution for high-security situations. It's like locking your door.
    If a web site *thinks* they need to be more secure than can be done with passwords, have them issue smart cards to their users!

  52. Re:Scripts that interact with passwords fields aws by war4peace · · Score: 2

    Darn it!

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)