Password Re-user? Get Ready to Get Busy (krebsonsecurity.com)

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

119 comments

  1. How do they know they are the same? by Anonymous Coward · · Score: 1

    Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless unless you have the resources to brute-force them.

    Granted, Sony were caught using plaintext passwords in one of their three SQL injection attacks. But these others?

    1. Re:How do they know they are the same? by Anonymous Coward · · Score: 1

      Surely everyone is hashing the passwords, using different salt etc?

      HA HA HA HA

    2. Re:How do they know they are the same? by OzPeter · · Score: 4, Informative

      Surely everyone is hashing the passwords, using different salt etc?

      Bwhahahahahahaha You're assuming that these companies have good security practices. How do you think they got hacked in the first place?

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:How do they know they are the same? by __aaclcg7560 · · Score: 2

      Surely everyone is hashing the passwords, using different salt etc?

      Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?

    4. Re:How do they know they are the same? by Bengie · · Score: 1
      Seems Netflix is not one of them

      Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin,

    5. Re:How do they know they are the same? by Anonymous Coward · · Score: 2, Funny

      I think you meant "dadada"

    6. Re:How do they know they are the same? by Anonymous Coward · · Score: 5, Informative

      Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless unless you have the resources to brute-force them.

      The password lists aren't encrypted. They are in the form of: login_id:password (i.e. bob@example.com:example)

      What Netflix et al. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password".
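
The matching step described in the comment above, as an added example that is not code from the original thread or from any of the companies named. It assumes a local user table of salted PBKDF2-HMAC-SHA256 hashes (a stand-in for whatever the site's authenticator really uses) and a constructed leaked list in the login_id:password form the comment describes; it only works because the leaked list is plaintext, since a leak of salted hashes would have nothing to hash and compare.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked "login_id:password" dump (not a real leak).
LEAKED_DUMP = """\
bob@example.com:example
alice@example.com:hunter2
carol@example.com:correct horse battery staple
mallory@example.com:not-a-customer
"""


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for the site's own password hashing: salted PBKDF2-HMAC-SHA256.

    The check below must call exactly the same function the login path uses,
    otherwise the candidate hash can never match the stored one.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(password: str) -> dict:
    """Create a stored record with a fresh per-user salt (what the site holds on file)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def parse_dump(text: str):
    """Yield (login_id, password) pairs from the dump.

    Split only on the first ':' because passwords themselves may contain ':'.
    Login ids are normalised to lower case to match how they are stored.
    """
    for line in text.splitlines():
        if not line or ":" not in line:
            continue  # blank or malformed line; skip rather than guess
        login_id, password = line.split(":", 1)
        yield login_id.strip().lower(), password


def find_reused_credentials(dump: str, users: dict) -> list:
    """Return the login_ids whose leaked password re-hashes to the locally stored hash."""
    hits = []
    for login_id, leaked_pw in parse_dump(dump):
        record = users.get(login_id)
        if record is None:
            continue  # not our customer; nothing to compare against
        candidate = hash_password(leaked_pw, record["salt"])
        # Constant-time comparison, same as the login path should use.
        if hmac.compare_digest(candidate, record["hash"]):
            hits.append(login_id)
    return hits


def build_sample_users() -> dict:
    """Constructed local user table: bob and carol reused their leaked password, alice did not."""
    return {
        "bob@example.com": make_user_record("example"),
        "alice@example.com": make_user_record("something-else-entirely"),
        "carol@example.com": make_user_record("correct horse battery staple"),
    }


def run_check() -> list:
    """Run the leaked-list check over the sample table; returns the accounts to force-reset."""
    return find_reused_credentials(LEAKED_DUMP, build_sample_users())


if __name__ == "__main__":
    for login_id in run_check():
        print(f"force password reset and notify: {login_id}")
```

Only the accounts whose leaked password re-hashes to the stored value get a reset notice; alice chose a different password locally, and mallory is not a customer at all.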

    7. Re:How do they know they are the same? by Anonymous Coward · · Score: 1

      You got it backwards. Linkedin's passwords could be decrypted, Netflix would just have to compare them to what they have on file since they can hash it with their own salt.

    8. Re:How do they know they are the same? by Anonymous Coward · · Score: 0

      Hacker tears salt.

    9. Re:How do they know they are the same? by Anubis+IV · · Score: 4, Informative

      At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix et al. to run the lists through their hashing algorithm and see if it gets any hits against their users.

      LinkedIn was employing a fast hashing algorithm with no salt back in 2012 when their database was stolen. Which is about one step better than plaintext, given that an attacker can hit it at full speed and can crack them en masse because of the lack of salt.

      MySpace apparently began employing double-salted hashes in 2013, but the login credentials that leaked were ones that hadn't been used past that time, so MySpace hadn't been able to update them to be more secure since it sounds like they were employing simple hashing prior to that.

      As for Tumblr, they said they employed hash+salt on the database that was leaked, so it should indeed take a while before anything besides commonly-used passwords starts showing up from it.

    10. Re:How do they know they are the same? by Ralphus+Maximus · · Score: 1

      Surely everyone is hashing the passwords, using different salt etc?

      Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?

      Hillary, is that you?

      --
      Nobody's as dumb, as I appear to be
    11. Re:How do they know they are the same? by Anonymous Coward · · Score: 0

      Absolutely the smartest and most prosumer way to do it. I applaud them /"golf clap"

    12. Re: How do they know they are the same? by Anonymous Coward · · Score: 1

      Bath salts for sure

    13. Re:How do they know they are the same? by The-Ixian · · Score: 1

      /"golf clap"

      I love that you are making sure that the parser handles the whitespace properly... ;)

      --
      My eyes reflect the stars and a smile lights up my face.
    14. Re:How do they know they are the same? by Anonymous Coward · · Score: 0

      I am, right now, working on a website upgrade project with passwords stored raw in a MySQL database with an ASP front end that has NO data sanitization. I literally laughed out loud when I first saw this. On the plus side: creating new user accounts in a new CMS has been very easy and users won't even have to change their password... on their first login at least.

      Unsurprisingly there have been data breaches in the past.

    15. Re:How do they know they are the same? by Anonymous Coward · · Score: 0

      Or doesn't handle < "correctly"; especially since "\" is the C-style escaping character, not "/".

      </golf clap>

      (/. is oldschool people, write proper HTML.)

    16. Re:How do they know they are the same? by Ol+Olsoc · · Score: 1

      At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix

      When I started getting email from Linkedin from friends who were on it, I thought okay. But when I went to sign up they said they needed my email login and password,

      Apparently a lot of people are stupid, and at least with Linkedin, you already gave them the keys to the kingdom.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    17. Re:How do they know they are the same? by Anonymous Coward · · Score: 0

      Hmm. I thought handling the whitespace properly was referring to the quotation marks around "golf clap".
      It's more legible than golf\ clap

    18. Re:How do they know they are the same? by vernonB · · Score: 1

      Dumb question: how did these password lists come to be unencrypted?

    19. Re:How do they know they are the same? by AK+Marc · · Score: 1

      So if my username is "user" and my password is "password", Netflix has no way of knowing whether my username/password combination is correct.

      No, that seems silly, Netflix can verify a username/password combination as "valid" or "invalid" while their passwords are salted and hashed.

  2. Centralized password management by houstonbofh · · Score: 1

    This might push most people to centralized password management. Yes, I know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.

    1. Re:Centralized password management by Anonymous Coward · · Score: 0

      This might push most people to centralized password management. Yes, I know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.

      I can't imagine why I would care if my facebook account was hacked. Even if someone wanted to use my account for identity theft, every bit of information about me was hacked with the DoD and Blue Cross hacks - that's enough info to use my identity. My financial info was stolen at Target. The only thing keeping me safe is that so many others were compromised in those hacks and the odds of using me are around 1 in 300,000,000.

      Netflix, big deal. I might have the inconvenience of too many screens at one time, but again, what are they going to do to me? Put Orange is the New Black in my watch list?

    2. Re:Centralized password management by houstonbofh · · Score: 2

      Funny you should mention facebook first. It has the most value. It can be used for spearphishing your friends or spamming sunglasses, or directing everyone you know to malware. Netflix is just resold so people can watch free movies.

    3. Re:Centralized password management by cellocgw · · Score: 1

      And is keepass safe now with the latest news?

      Depends whether you put the whitespace before or after the "p".

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    4. Re:Centralized password management by Ol+Olsoc · · Score: 1

      This might push most people to centralized password management. Yes, I know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.

      Keep Ass? Sounds great!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  3. Both awesome and sad by ausekilis · · Score: 3, Interesting

    Sad that there's so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.

    1. Re:Both awesome and sad by Ravaldy · · Score: 4, Interesting

      Sad that there's so much password reuse

      It isn't sad, it's unfortunate that we have to avoid reusing passwords.

      I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords? I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

      If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now.

    2. Re:Both awesome and sad by TechyImmigrant · · Score: 2

      Sad that there's so much password reuse

      It isn't sad, it's unfortunate that we have to avoid reusing passwords.

      I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords? I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

      If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now.

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      Maybe some of us spend 8,9,10,12 hours of our computing time where we can't access such a thing or access to such a thing could be suddenly blocked on the whim of an authority completely out of our ability to appeal.

    4. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      >I keep track of over 200 passwords, using a password manager. Why aren't you?

      So you effectively share one password between all sites? Or do you use another method to secure your password manager?

    5. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      yes, obviously, but from what attack vector are you worried ?

      I am generally worried about large data breaches and mass attacks. I am generally not worried about a personal attack (I am no one, don't even have a UID after 15 years of lurking here)

      password manager makes having unique passwords and changing them regularly a much easier job.

      I've also found it's been far easier to remember to clear out old accounts as best as possible (some places don't let you delete accounts ... )

    6. Re: Both awesome and sad by BlytheBowman · · Score: 1

      Tell me where I can go to upgrade my brain so I can remember passwords for 10s or even 100s of sites (especially "good" passwords such as 13fFxs_-90)xZZq) instead of having to reuse a small pool of passwords or worse, keeping them on post-it notes or a plain .txt file. And no, I don't use platform specific or cloud based password 'wallets'. The only other solution is to keep all passwords in a text file zipped into an encrypted zip file (encrypted by PKZIP or Info-ZIP) that most systems, even phones, can open. Even this has its own security problems.

    7. Re:Both awesome and sad by AmiMoJo · · Score: 1

      It's a shame most of them don't support Two Factor Authentication, or if they do it's via their own app only which I don't want to install on my phone. Support RFC 6238.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      And when that password manager's security flaw gets hacked, bad actors now have access to all 200 passwords.

    9. Re:Both awesome and sad by GTRacer · · Score: 1

      I have no idea if I'm smart or dumb or both, but I have technically unique passwords for over 100 sites and work logins. I have a "core" password which I change rarely, plus 3-5 chars pertinent to that website. Have done this for years on the assumption that eventually a big enough site (like say, Slashdot in 2002) would get hit and the attackers would try my /. password everywhere.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    10. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      cue APK flogging his perfect password solution which he calls /etc/shadow

    11. Re:Both awesome and sad by pla · · Score: 4, Insightful

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?

      Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?

      Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once.

    12. Re:Both awesome and sad by Dixie_Flatline · · Score: 1

      I re-use passwords all the time. The problem is that people don't know an important password from an unimportant one.

      Tumblr? MySpace? Forums? I use irrelevant, weak passwords. There's nothing there that I really care about. Even LinkedIn falls under that rubric--I'm not sure I'd care if someone else were getting that spam instead of me.

      Some sites I prize a little more highly. They get a better password, maybe shared, maybe not.

      Then there are sites that hold information that I'd rather keep to myself--credit card info, tax info, that sort of thing. They get a very strong password, often generated by my password manager.

      Not all sites are created equal, so it's ridiculous to create a strong, unique password for all of them regardless of their actual importance.

    13. Re: Both awesome and sad by Anonymous Coward · · Score: 0

      Everyone tries to make this more complicated than it needs to be: https://www.passwordstore.org/

      * gpg encrypted passwords stored in ~/.password-store
      * simple unix commands to retrieve passwords, place them in clipboard, auto-remove from clipboard after a short amount of time, etc.

      Put your ~/.password-store file into a git-repo and sync it to any remote devices you have as well. You are running a secure https webserver at home, right? :-)

    14. Re:Both awesome and sad by JustAnotherOldGuy · · Score: 1

      If we could trust all entities to secure their shit then we could all use one password

      I like the idea of being able to use one password even though it's a terrible idea.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    15. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      Because ultimate point of failure. Next question.

    16. Re:Both awesome and sad by LateArthurDent · · Score: 1

      Sad that there's so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.

      In this day and age, there's no excuse for password reuse because why not use a password manager. That said, password reuse *shouldn't* be a problem. Client-side salt + hash, encrypted session so the hashed password doesn't go down the wire in plain text, second hash server-side for storage + verification. The server you're connecting to shouldn't be able to TELL what your password is, the salt makes it so that an unscrupulous employee can't use a rainbow table to figure it out (or even determine if the same password was used based on the hash, because they would have different salts), and the server-side hash makes it so a data breach doesn't get you access even to that account, much less others where the password was reused.

      That makes it such that the only way you can break a weak password is by trying a bunch of the common ones. Lock out the account after a number of tries, and enforce a certain amount of time between tries even before the lockout, and you honestly shouldn't care if the user picked 1234 for his password (I have the same combination in my luggage), it will be secure. Much more so than depending on your users to be smart about password selection.
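
The scheme argued for in the comment above, as an added example that is not code from the original thread. It assumes PBKDF2-HMAC-SHA256 for both the client-side and the server-side hash, a client salt derived from the site name plus username, and a per-account failure counter with a minimum interval between attempts; the login method takes an explicit clock so the lockout logic can be exercised deterministically. Note that the client-side value is password-equivalent for that one site, which is exactly why the server hashes it a second time before storing it.

```python
import hashlib
import hmac
import os
import time


class ClientSideHashedAuth:
    """One site's authenticator: client-side salted hash, server-side second hash, lockout."""

    def __init__(self, site_name: str, max_failures: int = 5, min_interval: float = 1.0):
        self.site_name = site_name
        self.max_failures = max_failures    # lock the account after this many failures
        self.min_interval = min_interval    # seconds required between attempts
        self.users = {}                     # username -> (server_salt, server_hash)
        self.failures = {}                  # username -> (failure_count, last_attempt_time)

    def client_hash(self, username: str, password: str) -> bytes:
        """Computed in the browser/app. The salt is bound to this site and user, so the
        same password yields a different value at every site; the raw password never
        leaves the client, and this value is what travels over the TLS session."""
        salt = hashlib.sha256(f"{self.site_name}:{username}".encode("utf-8")).digest()
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    @staticmethod
    def _server_hash(client_value: bytes, server_salt: bytes) -> bytes:
        """Second hash, applied server-side before storage, so a database leak does not
        yield the client value that would log in to this very site."""
        return hashlib.pbkdf2_hmac("sha256", client_value, server_salt, 10_000)

    def register(self, username: str, password: str) -> None:
        client_value = self.client_hash(username, password)
        server_salt = os.urandom(16)
        self.users[username] = (server_salt, self._server_hash(client_value, server_salt))

    def login(self, username: str, password: str, now: float = None) -> str:
        """Return 'ok', 'bad', 'too_fast' or 'locked'. `now` defaults to the monotonic clock."""
        now = time.monotonic() if now is None else now
        count, last = self.failures.get(username, (0, float("-inf")))
        if count >= self.max_failures:
            return "locked"                  # no further guesses are evaluated
        if now - last < self.min_interval:
            self.failures[username] = (count, now)
            return "too_fast"                # refuse without checking the password
        record = self.users.get(username)
        client_value = self.client_hash(username, password)
        if record is not None:
            server_salt, stored = record
            if hmac.compare_digest(self._server_hash(client_value, server_salt), stored):
                self.failures.pop(username, None)
                return "ok"
        self.failures[username] = (count + 1, now)
        return "bad"


def cross_site_values_differ(username: str, password: str) -> bool:
    """The reuse case: the same credentials produce different client values at two sites,
    so a value captured from one site cannot simply be replayed at the other."""
    site_a = ClientSideHashedAuth("site-a.example")
    site_b = ClientSideHashedAuth("site-b.example")
    return site_a.client_hash(username, password) != site_b.client_hash(username, password)


if __name__ == "__main__":
    auth = ClientSideHashedAuth("site-a.example", max_failures=3, min_interval=2.0)
    auth.register("bob", "1234")          # a weak password, as in the comment
    print(auth.login("bob", "1234", now=0.0))     # ok
    print(auth.login("bob", "0000", now=10.0))    # bad
    print(auth.login("bob", "1234", now=10.5))    # too_fast
    print(cross_site_values_differ("bob", "1234"))  # True
```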

    17. Re:Both awesome and sad by bmo · · Score: 1

      >Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?

      They lost control of the password reminders and email addresses. My email addresses are out there and have been since forever, and the next oldest (the oldest was on conan.ids.net) is still active, BTW, on TMOK, which forwards to gmail, which forwards to protonmail.

      My password reminder is simply "printer"

      Guessing which brand and model number is impossible.

      I'm going to continue using Lastpass.

      --
      BMO

    18. Re:Both awesome and sad by pla · · Score: 1

      I would give you a bit more credit in that regard than the average user.

      For Joe User, a password "hint" often means either the password itself, or something so trivial as to make it as good as cracked (like "wife's birthday") with publicly available information.

    19. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      Because ultimate point of failure. Next question.

      One reasonably well protected point of failure, vs 200 horribly poorly defended points of failure where the failure of one compromises the others.
      The password manager makes it feasible to have every password be different and strong. This addresses the common case.

      If you want to better defend your password manager, try 2FA or a yellow sticky note under your eyelid.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    20. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      Teamviewer?

    21. Re:Both awesome and sad by AthanasiusKircher · · Score: 1

      You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?

      Apparently... This issue has been addressed now by the developer, a testing version of the fix is available and is undergoing testing, and the security recommendations made will be included in the next version of software. There is already a digital signature included in any update that should raise a flag if anyone were to download a bad file from an insecure source.

      I'm not sure what the whole story is (and don't really care enough to read through the endless internet commentary to find out), but it sounds like the guy was dealing with some web hosting constraints for the website, and he didn't want to implement a half-assed solution. But people complained, and he responded. After only a few days of complaints, he appears to have implemented the solution... which is a lot better than I can say for most free software.

      (And just as a sidenote -- anyone who downloads a security product or an update to one without checking to see that it's legit already is engaging in potentially dangerous security protocols. If they are doing this with random software, they could easily be installing a keylogger or something on their machine which could undermine KeePass's security, whether or not it had anything to do with a KeePass update or some other random software asking to install. I agree the developer's attitude was problematic, but his original recommended fix of actually verifying the legitimacy of any updates to security software is actually a BETTER policy than just depending on the fix to KeePass itself.)

    22. Re: Both awesome and sad by TimMD909 · · Score: 1

      HP DeskJet 500?

    23. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      I highly doubt that. How many combos can there be? They can just try each one in an automated fashion

    24. Re:Both awesome and sad by pla · · Score: 1

      but his original recommended fix of actually verifying the legitimacy of any updates to security software is actually a BETTER policy than just depending on the fix to KeePass itself.

      As a geek, I would agree with you. As a human - The solution people actually use will always beat the "best" one they don't.

      Not only don't most people check signatures, but when an automated system explicitly warns that the signature doesn't match, most people just swear at the vendor for their buggy crap and click "do it anyway".

    25. Re:Both awesome and sad by The-Ixian · · Score: 1

      I use RoboForm and it runs on all major platforms including Windows Mobile, iOS, Android, Windows and Mac as well as all major web browsers.

      No need to load anything on your company computer. Just use your phone to view the password and type it in.

      --
      My eyes reflect the stars and a smile lights up my face.
    26. Re:Both awesome and sad by bmo · · Score: 1

      >How many combos can there be?

      Tens of thousands at a minimum. My history goes back to the earliest home 9-pin dot-matrix and line printers. You know, the things in noise cabinets that impact printed whole lines at a time, 600 lines a minute.

      I've had more than a few to choose from.

      But then it takes a few seconds for each one to be tested by the lastpass server, as the validation loop isn't instantaneous. It's better to just run a username / password combination list using the top 100 most-used passwords, as these are guaranteed to be shared across sites and unlock the vast majority of usernames. You don't need ALL of the accounts, just the ones of dumb people.

      --
      BMO

    27. Re:Both awesome and sad by Anonymous Coward · · Score: 0

      The KeePass issue only affected whether an update notification was displayed or not. KeePass doesn't auto-update. The end user has to manually download and install any new versions. The binaries are digitally signed and are hosted on Sourceforge that uses HTTPS.

      Does it really matter that a text file that says "the current version is: foo" is served over HTTPS or not?

    28. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      >I keep track of over 200 passwords, using a password manager. Why aren't you?

      So you effectively share one password between all sites? Or do you use another method to secure your password manager?

      Each site has a different password that is very long.
      The password manager requires some credentials to open up.
      Then the password can be copied and pasted. No typing required, which prevents keyloggers from grabbing passwords being typed.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    29. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      And when that password manager's security flaw gets hacked, bad actors now have access to all 200 passwords.

      They would need to get the encrypted password file to do that. The password manager isn't an online service. It's a locally running program. This vastly reduces the attack surface of the password manager. I don't use online password managers, because the risks of flaws being exploited are much greater.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    30. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      Yes Mr Epson FX-82.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    31. Re:Both awesome and sad by Ravaldy · · Score: 1

      I still don't think it's a reasonable solution for the masses.

    32. Re:Both awesome and sad by Ravaldy · · Score: 1

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      Technology people who think security challenges should be unreasonably transferred over to end users live in a bubble. It's our responsibility to provide reasonable solutions to large problems such as security. Expecting end users to manage password lists is unreasonable. Teaching them how to use a mobile device to receive authorization codes is probably the most reasonable compromise I can think of. Facebook, Google, Microsoft have all applied this option to account authentication and I find it reasonably simple. There are obviously some issues with it such as requiring a device with access to the authenticator software but as far as I can see it's the best we have at the moment. Biometric is also another good solution but its availability on existing devices is lacking to say the least.

      So to answer your question. NO, I do not manage 200 passwords because that's just ridiculous.

    33. Re:Both awesome and sad by Ravaldy · · Score: 1

      I like the idea of being able to use one password even though it's a terrible idea.

      Human nature fails to allow computer security to work even if every single device and service is 100% safe. I would never recommend one password for all but I think most people can easily manage 3 - 5 passwords. Biometric offers the best "password" available with the most ease of use. Injuries = failure to login but that's why the good biometric solutions I've seen offer two biometric signatures.

      Password input will be a story of the past within 15 years. Unfortunately we are still dealing with a large number of people who fail to adapt to the simplest technological concepts such as ATM banking.

    34. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      You are talking about what might be, rather than what is. Most web sites don't support federated logins or biometrics or anything other than a password that they may or may not handle well.

      I dislike passwords as much as anyone else and I'm aware of better solutions that lead to vendors making good security choices by default. But they are not being deployed and will not be because there are strong forces of industry, government and laziness preventing that from happening.

      In the meantime, a password manager is an effective tool.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    35. Re:Both awesome and sad by catprog · · Score: 1

      And what happens when the biometric 'password' is leaked. You cannot change it.

      --
      My Transformation Website
      Kindle Books http://www.catprog.org/rev
      Interactive CYOA http://www.catprog.org/st
    36. Re:Both awesome and sad by Ravaldy · · Score: 1

      You are talking about what might be, rather than what is.

      The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now, we just need to force it down end users' throats. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the number of users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.

      But they are not being deployed and will not be because there are strong forces of industry, government and laziness preventing that from happening

      You nailed it.

      In the meantime, a password manager is an effective tool.

      And as long as that's the means, only a small percentage of users will comply with "the correct way to secure yourself".

    37. Re:Both awesome and sad by Ravaldy · · Score: 1

      I know I didn't mention it in this post but I did mention in other posts that authentication codes are critical to any password protection. The usage of said code can be partially automated. I see the mobile device being the point of authentication. It's the most logical place for it at the moment.

    38. Re:Both awesome and sad by TechyImmigrant · · Score: 1

      You are talking about what might be, rather than what is.

      The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now, we just need to force it down end users' throats. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the number of users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.

      But they are not being deployed and will not be because there are strong forces of industry, government and laziness preventing that from happening

      You nailed it.

      In the meantime, a password manager is an effective tool.

      And as long as that's the means, only a small percentage of users will comply with "the correct way to secure yourself".

      This is the way the world is. It's not good. The results are apparent.

      Maybe we can go to the IETF and get the browser vendors to uniformly adopt an auth scheme with cipher elimination, ZK, blinding and support for cards and biometrics to replace passwords? Oh wait, that's already been tried time and again and nothing has happened. It's been long enough that it looks more deliberate than mere organizational inefficiency.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Finally security done the right way by Guybrush_T · · Score: 4, Insightful

    It is about time security is done from the attacker perspective. Yes, it is a good idea to think that "if an attacker can do it, we can do it too and disable accounts we can compromise". Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

    1. Re:Finally security done the right way by khasim · · Score: 3, Interesting

      Not exactly "security done the right way".

      This is mitigation.

      Netflix gets the username/password list AFTER the bad guys have put it up for sale. What other bad guys have also purchased it? What other sites have you used that password on?

      Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

      Not really. The users will just keep modifying their passwords until they pass your checks. Then they'll have a "good" password that they'll re-use on multiple sites.

      It all comes down to how the password will be cracked by the bad guys. That's why re-use is the main concern. Because that means that the bad guys only need to try ONE password for your account on other sites.

      And they've scripted those attacks. They can hit thousands of sites in seconds once they have your re-used password.

      That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

    2. Re: Finally security done the right way by Anonymous Coward · · Score: 1

      Try talking to average users. You will soon stop caring about helping them.

    3. Re:Finally security done the right way by internerdj · · Score: 4, Interesting

      This is a little disturbing. I got a password reset from Netflix. I thought it was something general. I also thought my netflix password was unique among my accounts. Now I've got no clue what actually was breached.

    4. Re: Finally security done the right way by BlytheBowman · · Score: 3, Insightful

      How do I use one of those fobs with my Android phone?

    5. Re:Finally security done the right way by chispito · · Score: 1

      Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

      Krebs suggests that Facebook et al are checking for password reuse, but this isn't necessarily the case. They can simply force a reset on the account with the same email (or other ID, I suppose) without bothering to check their own hash for reuse of the compromised password.

      This has several added benefits: It gives them an excuse to force their users to update their passwords and it provides an additional channel of communication to affected users that they might want to check all their accounts.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    6. Re:Finally security done the right way by chispito · · Score: 1

      That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

      Two factor authentication does not prevent password reuse. It may prevent an attacker from using compromised credentials, but "password reuse" refers to a person who chooses to use the same password across multiple accounts.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    7. Re:Finally security done the right way by Anonymous Coward · · Score: 2, Informative

      Easy enough to find out. Check your email at haveibeenpwned.com
      It will tell you what breaches have contained your email

    8. Re: Finally security done the right way by aix+tom · · Score: 1

      You would use the fob the same way you use it with a computer. You enter your password, and you enter the number displayed on the fob to log in to the system the fob is configured for.

      There is even an app that turns your android phone into an RSA key fob:

      https://play.google.com/store/...

    9. Re:Finally security done the right way by Anonymous Coward · · Score: 0

      Krebs suggests that Facebook et al are checking for password reuse, but this isn't necessarily the case. They can simply force a reset on the account with the same email (or other ID, I suppose) without bothering to check their own hash for reuse of the compromised password.

      FB already checks for password reuse. If you try to re-use one you had before (or even make the mistake of trying to log in with an old password) it tells you "you used this password before."

      This is without a password reset, or being on some list, or whatever.

      Comodo does the same thing, they keep password hashes forever so you can never re use the same one... then they force you to change it every 90 days. A total PITA if you are using a corporate account. "Goddamnit! Who changed the password this time?!?!" pasted on the fridge in the break room.

    10. Re: Finally security done the right way by Anonymous Coward · · Score: 0

      Authy is a better app choice, you have the option of multi-device so that if you have a phone + tablet, you can have the same TOTP on both devices.

  5. for the true slashdotter, fear not. by nimbius · · Score: 1

    Facebook and Netflix

Real slashdotters such as myself needn't worry, as Facebook's failure to support elinks/links browsers made it easy to pass up. Netflix supports neither BSD nor Linux, and as we all know is incapable of streaming to the VAX in the basement or even the raspberry pi running crosscompiled gentoo and a custom graphics firmware based on an old episode of Dr. Who, so of course Not-flix will not be an issue.

    Linkedin, Tumblr or MySpace.

Linkedin, hah. All our real recruiters spend summers camped out on our front lawn singing poetry and roasting fine cuts of meat in a vain attempt to win our favour. Tumblr for slashdotters? I hardly think the internet has much of an opinion outside the warm green glow...unless you're up late like the rest of us posting comedy gold to the gophernet. And MySpace? I've got all the music and pop culture I need from the newsgroups and my trusty Sound Blaster Pro Midi...that's right...myspace is laughable once you've heard the DOOM soundtrack in glorious 16 bit audio.

    --
    Good people go to bed earlier.
    1. Re:for the true slashdotter, fear not. by Anonymous Coward · · Score: 0

      Real slashdotters such as myself don't even use passwords!

  6. users did not make the "mistake" of reuse by turkeydance · · Score: 0

    sites didn't make the "mistake" of woeful security, either.

    1. Re:users did not make the "mistake" of reuse by Anonymous Coward · · Score: 0

      Nope, everyone made the mistake of trusting something they didn't understand.

  7. Re:Can anyone justify these breaches? by Anonymous Coward · · Score: 0

    "Nobody seems to object or criticize the criminals carrying out these attacks."

    Perhaps because it goes without saying? What do you want, some hand-waving and tirades against the hackers? Think that will stop them?

  8. "get busy" by Anonymous Coward · · Score: 0

    This expression means something other than what the author intended...

    1. Re:"get busy" by mrchaotica · · Score: 1

      Non-password-reusing Slashdotters don't get to "get busy" -- but we already knew that!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Depends on the data you want to protect by DidgetMaster · · Score: 4, Interesting

Everyone seems so worried about passwords getting hacked on sites that they couldn't care less about. Anything that has information that I want to protect (e.g. bank accounts) has a strong password that I never repeat. But I also have a ton of accounts on news sites and other places that make you get an account just to see anything. I can set all those account passwords to "12345" and couldn't care less if they get hacked. There is nothing in there of any value for someone to steal. I usually use a fake name and address when I set up the account in the first place.

    1. Re:Depends on the data you want to protect by Anonymous Coward · · Score: 0

      It's easier to just use Bugmenot and related sites for throwaway accounts like that.

    2. Re:Depends on the data you want to protect by Anonymous Coward · · Score: 0

I agree. Also there is an alternative. If Slashdot demands that I change my password, I will just close my account. Same for LinkedIn. Yes, I have a STRONG password for my bank.

    3. Re:Depends on the data you want to protect by idji · · Score: 1

      Except if a hacker slanders or vilifies someone or uploads child porn in your name and you then have to defend yourself. The burden of proof is then upon you.

    4. Re:Depends on the data you want to protect by Anonymous Coward · · Score: 0

      I usually use a fake name and address when I set up the account in the first place.

      I use president@whitehouse.gov and 1600 Pennsylvania Ave, Washington, DC 20500. I figure that way if the site sells the info to spammers or junk mailers, there's a better chance the government will do something to make it harder for sites to sell people's marketing info.

    5. Re:Depends on the data you want to protect by Anonymous Coward · · Score: 1

      how is the burden of proof on you anymore than if someone created a fake account in your name?

    6. Re:Depends on the data you want to protect by Anonymous Coward · · Score: 0

      Of course, all the major spammers learned 20 years ago to remove *.gov email addresses. :P

  10. Since these compromises are years old... by Karl+Cocknozzle · · Score: 1

    ...Obvious question is, are they going to also forbid any other passwords that have ever been leaked elsewhere? And what happens when every major site has been compromised and all its accounts shared online? Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.

    --
    Who did what now?
    1. Re:Since these compromises are years old... by tomhath · · Score: 1

      It really only applies to major sites that you want to protect. You really should be using unique and hard passwords on sites like Facebook and Netflix or anyplace that might have your credit card number (and change them on a regular interval). Password safes are your friend

      Other sites where all you provide is a user handle so you can comment on someone's blog, who cares?

    2. Re:Since these compromises are years old... by ShanghaiBill · · Score: 1

      Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.

      Why will it be unworkable? For 32 character passwords, and 100 possible characters (upper, lower, numbers, punctuation) the number of possible passwords is a billion times the number of atoms in the sun. Even if you stick to passwords that are mnemonic, the number of possibilities is still astronomical.

    3. Re:Since these compromises are years old... by Anonymous Coward · · Score: 0

      My rule is: different pwd strength for different purposes. Hardened Strong passwords for banking, Strong passwords for everything Work/social, 12345 pwd for everything else. You don't want to give away your whole pwd strategy.
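
The question in comment 10 above, whether every password that has ever leaked anywhere should become unusable everywhere, is essentially what the NIST 800-63B "compare against a breach corpus" rule asks for, and the haveibeenpwned service mentioned earlier in this thread exposes exactly that corpus through its Pwned Passwords range API. The following is an added example, not code from the original post or from HIBP itself, showing how a site can screen a candidate password against that corpus without ever sending the password (or even its full hash) off-box: only the first five hex characters of the SHA-1 are sent, and the site matches the remaining 35 locally. The endpoint URL, the `SUFFIX:COUNT` line format and the `Add-Padding` header are the real API; the sample bucket contents, counts and the `acceptable_for_new_password` policy are constructed for the example.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (real HIBP API). Only the first 5 hex chars of
# the SHA-1 leave the client; the server returns every suffix in that bucket.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(sha1_hex: str) -> tuple:
    """k-anonymity split: 5-char prefix goes over the wire, 35-char suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> dict:
    """Response lines are 'SUFFIX:COUNT'. With the Add-Padding header the server
    mixes in dummy suffixes with count 0 to hide bucket sizes; those are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Network fetch for real use; the offline sample below never calls it."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "reuse-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appeared in known breaches (0 = never seen).
    The password and its full hash never leave this process."""
    prefix, suffix = split_prefix(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def acceptable_for_new_password(password: str, fetch_range=fetch_range_live,
                                min_len: int = 8) -> bool:
    """Constructed policy: a length floor plus 'not in any known breach',
    instead of composition rules like the 6-10 alphanumeric one ranted about below."""
    return len(password) >= min_len and pwned_count(password, fetch_range) == 0


# Constructed offline stand-in for bucket 5BAA6 (SHA-1 of "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The other suffixes and all counts
# are made up for this example; real buckets hold several hundred lines.
SAMPLE_BUCKET_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F7E93F3C2CA22D9E0E7E4D8A0C9B2F4A11:0
20E0C1A4B2F3D4E5F60718293A4B5C6D7E8:7
"""


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_BUCKET_5BAA6  # swap for fetch_range_live to go online
    print("password ->", pwned_count("password", offline))
    print("acceptable:", acceptable_for_new_password("password", offline))
```

The point of the prefix split is that the site gets the "has this ever leaked" answer for its users without building a leaked-password blocklist of its own, and without handing the password to a third party. It does not tell you which breach or which account the password came from; for that, the per-email match against the site's own hashes is the other half of the picture.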

  11. TOTP apps can reduce password exposure by tepples · · Score: 1

    As I understand it, apps can reduce but not completely eliminate password-related security exposure. When your client side app connects to a web app, the web app needs some way to know that the client app is acting on your behalf. Sometimes this is accomplished using a TOTP app such as Google Authenticator, but then a web app still needs some way to associate a TOTP key with your account in the app. How is this done other than through a password, especially in case the user loses the device with the TOTP app?

    If there's something I missed, please help this luddite understand.

    1. Re:TOTP apps can reduce password exposure by Anonymous Coward · · Score: 1

      Passwords should be encrypted and then stored in a database. From that point on when the password is entered it is encrypted in the same fashion and the encrypted result compared to the result in the database. There is NO need for any web site to know what password you use.

    2. Re:TOTP apps can reduce password exposure by tepples · · Score: 1

      Passwords should be encrypted and then stored in a database. From that point on when the password is entered it is encrypted in the same fashion and the encrypted result compared to the result in the database.

      If by "encrypted" you mean "hashed thousands of times with salt", I agree. But a web app still needs to know this hash value in order to authenticate you by hashing the password you entered and comparing it to the stored value. I think part of app guy's point is that the very existence of such a password can lead to a weakness in authentication. But until there's a recoverable "something you have" factor that doesn't involve paying a cellular carrier per received text message or per month for an unlimited texting plan, passwords are the best means we have for associating a particular installation of a client-side app with a user identity.

      There is NO need for any web site to know what password you use.

      Unless that website is a web-based password manager app.
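
The exchange above asks how a web app ties a TOTP key to an account and what happens when the phone holding the app is lost. The following is an added example, not code from the original thread or from any TOTP app named in it (Google Authenticator, Authy, RSA SecurID), showing the server side of that: enrollment generates the shared secret that the QR code carries, plus a set of one-time recovery codes that are stored hashed for the lost-device case; verification tolerates one step of clock drift and refuses to accept the same counter twice, so a code captured in transit cannot be replayed. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 as written; the `enroll`, `login_with_totp` and recovery-code functions and the dict standing in for a database row are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def generate_totp_secret(nbytes: int = 20) -> str:
    """New per-account shared secret, base32 so it fits an otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP = HOTP with counter = floor(unix_time / step). What the app displays."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32: str, code: str, at: int = None, step: int = 30,
                window: int = 1, digits: int = 6, last_used_counter: int = -1):
    """Server-side check. Accepts +/- `window` steps of clock drift and refuses any
    counter at or below the last accepted one, so a captured code cannot be replayed.
    Returns the accepted counter, or None."""
    t = int(time.time()) if at is None else int(at)
    base = t // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter, digits), code):
            return counter
    return None


def make_recovery_codes(n: int = 8) -> tuple:
    """One-time recovery codes for the lost-device case. Show `codes` to the user once;
    store only `stored`. A slow password hash is not needed here because each code
    carries 96 bits of entropy, unlike a user-chosen password."""
    codes = [secrets.token_urlsafe(12) for _ in range(n)]
    stored = [hashlib.sha256(c.encode("ascii")).hexdigest() for c in codes]
    return codes, stored


def redeem_recovery_code(stored: list, code: str) -> bool:
    """Burn a recovery code on use so it cannot be presented twice."""
    digest = hashlib.sha256(code.encode("ascii")).hexdigest()
    for i, s in enumerate(stored):
        if hmac.compare_digest(s, digest):
            del stored[i]
            return True
    return False


def enroll(account: dict) -> dict:
    """Tie a TOTP key and recovery codes to an account record (a dict standing in
    for a database row). Returns the material that is shown to the user exactly once."""
    secret = generate_totp_secret()
    codes, stored = make_recovery_codes()
    account["totp_secret"] = secret          # encrypt at rest in a real store
    account["recovery_hashes"] = stored
    account["last_totp_counter"] = -1
    return {"secret": secret, "recovery_codes": codes}


def login_with_totp(account: dict, code: str, at: int = None) -> bool:
    """Second factor after the password check has passed."""
    counter = verify_totp(account["totp_secret"], code, at=at,
                          last_used_counter=account["last_totp_counter"])
    if counter is None:
        return False
    account["last_totp_counter"] = counter
    return True


if __name__ == "__main__":
    acct = {"email": "user@example.com"}
    shown = enroll(acct)                      # QR-code secret + recovery codes, shown once
    now = int(time.time())
    print("login ok:", login_with_totp(acct, totp(shown["secret"], at=now), at=now))
    print("replay ok:", login_with_totp(acct, totp(shown["secret"], at=now), at=now))
```

The association the poster asks about is nothing more than the `totp_secret` column on the account row, written at enrollment while the user is logged in with the first factor; the secret is never typed again, only the codes derived from it. Losing the device is handled by the hashed recovery codes (or a fresh enrollment after some other identity check), which is why they belong in the schema from day one rather than as an afterthought.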

  12. Use an offline password manager... by Anonymous Coward · · Score: 0

    I can't stress how important this is. keepassx or keepass2 are cross OS password managers. Backup the database to a flashdrive.

  13. Great, and that won't be too annoying by Karl+Cocknozzle · · Score: 1

    ...At some point, having a password exposed one place will make it ineligible to be a password--anywhere, for anyone. I'm sure that won't be too massive of a pain in the ass. Not at all.

    --
    Who did what now?
    1. Re:Great, and that won't be too annoying by Anonymous Coward · · Score: 0

      Why? My passwords are randomly generated. It would take a lot of website sign-ups before I have two the same.

  14. Various level of secure passwords. by Anonymous Coward · · Score: 0

    I have different passwords of varying levels of security. Because let's face it, some sites are really not important enough to fuss with a password - they require a registration for pretty much just marketing purposes like seekingalpha. If someone took my pw from there, I wouldn't give a rat's ass. The same for any reddit account.

OTOH, my wife takes her passwords seriously and is constantly forgetting them and getting pw resets. Which means, if I had access to her email, I could get all of her super-duper-hard-to-break passwords reset.

    FAIL - all of you!

    And so what? Post shit on Facebook? "Hi, I'm a gay Mexican Nazi Jew!" Our REAL friends would just wonder WTF is going on and would realize that someone hacked the account.

    LinkedIN? So? It's a shit site, too. I canceled mine years ago because it was worthless. Too many shady recruiters and views that had the viewer hidden - what's up with that? Fuck'em. Real jobs are gotten from real connections. Not faceless douchebags on LinkedIN.

    Netflix? So, someone schedules a bunch of Twilight movies for me.

    IOWs, none of those sites are worth my time and energy to waste.

    1. Re:Various level of secure passwords. by Anonymous Coward · · Score: 0

      Or you know they post a bunch of horrible stuff on facebook, and a potential employer sees it.

      Netflix, they cancel your membership which would be enough to annoy you, or they just use it to stream and you get booted for account sharing.

      With things staying on the internet essentially forever one inflammatory facebook post could potentially follow you for the rest of your life.

  15. Wait..... by bickerdyke · · Score: 1

    Hold on a second:

    Wouldn't that mean that facebook and netflix are keeping their users passwords in plain text instead of salted hashes?

    How could they find out who used the same credentials at linkedin?

    Or is everyone using the same salt???

    --
    bickerdyke
    1. Re:Wait..... by Anonymous Coward · · Score: 0

      No.

What I assume they are doing is getting the rainbow-tabled (de-hashed; is there a good term for this?) list of passwords from the linkedin dump (which I'm sure is out there) and checking their users for the same email accounts. If they find a matching email/login among their customers they try the password that was used on the linkedin account; if it matches they lock your account until you reset the password. So, exactly the same process someone would do if they took the linkedin dump file, rainbow-tabled it, then tried every email/password pair on netflix.

    2. Re:Wait..... by SilentChasm · · Score: 1

      For LinkedIn, the problem with the credentials that were leaked by hackers is that they were not stored securely with proper salt. Within a few days of starting on it, security researchers cracked 78% of the passwords resulting in almost 50 million unique passwords. Attackers undoubtedly did the same over the years since the breach. This gave attackers millions of actual passwords to use in future attacks. As for how Netflix and Facebook can tell you are using the same password, they could get the list of cracked passwords that users are using from the breaches, matching them with email addresses of their own users then hash the password using the algorithm they use along with the salt for that user and compare it to the user's current password hash.

      Here's a blog post about the cracking effort:
      https://blog.korelogic.com/blog/2016/05/19/linkedin_passwords_2016
      And here's an article about why this is so bad:
      http://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/
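
The two replies above describe the same procedure from two angles: take the cracked cleartext passwords from a dump, match them to your own users by email, hash each one with that user's own salt, and compare. The following is an added example, not code from the original thread or from Netflix, Facebook or anyone else mentioned in it, that carries that procedure through on constructed data and contrasts it with two alternatives also raised in this discussion: the email-only reset (no password check at all) and the much more expensive "does any user use any leaked password" blocklist check. The user table, the breach dump, PBKDF2 as the stored-hash algorithm and the iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; illustrative, tune per deployment


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, slow hash of the kind a site should be storing (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(email: str, password: str) -> dict:
    """One row of the site's own user table: per-user random salt plus hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample data (not real accounts or real breach material).
# The "dump" is what an attacker, or the site, ends up with after cracking an
# unsalted leak like LinkedIn's: email -> cleartext password.
BREACH_DUMP = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "hunter2",
    "carol@example.com": "correct horse battery staple",
}

# The site's own user table. alice reused her leaked password; bob changed his;
# dave uses a password that appears in the dump, but under someone else's email.
USERS = [
    make_user("alice@example.com", "Summer2012!"),
    make_user("bob@example.com", "a completely different one"),
    make_user("dave@example.com", "hunter2"),
]


def find_reused(users: list, dump: dict) -> list:
    """Per-email check, the process the comments above describe.

    For each leaked (email, password) pair that matches one of our own users,
    hash the leaked cleartext with *that user's* salt and compare with the
    stored hash. Only users whose current password equals their leaked one are
    flagged. Cost: one slow hash per matching email. The comparison is
    constant-time so the check itself leaks nothing about how close a guess was.
    """
    by_email = {u["email"].lower(): u for u in users}
    flagged = []
    for email, leaked_pw in dump.items():
        user = by_email.get(email.lower())
        if user is None:
            continue
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.append(user["email"])
    return sorted(flagged)


def find_blocklisted(users: list, leaked_passwords: set) -> list:
    """Broader check: does any user use *any* leaked password, regardless of email?

    With per-user salts there is no shortcut: every leaked password must be
    re-hashed under every user's salt, i.e. users x passwords slow hashes.
    That is why this form is only practical for small lists, and why sites
    do the per-email match instead (or screen passwords at the moment they are set).
    """
    flagged = []
    for user in users:
        for pw in leaked_passwords:
            if hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"]):
                flagged.append(user["email"])
                break
    return sorted(flagged)


def force_reset_by_email(users: list, dump: dict) -> list:
    """Cheapest policy, also suggested in this thread: reset every account whose
    email appears in the dump, without looking at the password at all."""
    leaked = {e.lower() for e in dump}
    return sorted(u["email"] for u in users if u["email"].lower() in leaked)


if __name__ == "__main__":
    print("reused (per-email):", find_reused(USERS, BREACH_DUMP))
    print("any leaked password:", find_blocklisted(USERS, set(BREACH_DUMP.values())))
    print("email-only reset:", force_reset_by_email(USERS, BREACH_DUMP))
```

Two things worth noticing when running it: the per-email match does not catch dave, whose password is in the dump under someone else's address, and the email-only policy resets bob, who had already changed his. Neither is a bug; they are the trade-offs between the three policies, and the per-email match only works at all because the leak was crackable to cleartext in the first place.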

    3. Re:Wait..... by bickerdyke · · Score: 1

      ok,thanks.

      --
      bickerdyke
  16. Re:Can anyone justify these breaches? by Anonymous Coward · · Score: 0

    >btw stealing is wrong
    >black markets are bad, m'kay

    Uh, "there I fixed it"?

  17. Re:Use APPS, not LUDDITE passwords! by JustAnotherOldGuy · · Score: 0

    If you use apps to app apps instead of LUDDITE passwords, you'll be 100% appy and hackproof, since LUDDITE hackers are too stupid to know how to app an app!

    Apps!

    I love you, Anonymous App Guy...if I see a slashdot article without your app comments then I know it's not worth reading. I'm even thinking of naming my next child "App" in honor of you. If I could get a sex change with a functioning womb, I'd offer to have your child. That's how much I love you, Anonymous App Guy.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. Wait a damn minute... by EmagGeek · · Score: 1

    How the hell does Netflix know you re-used your password on other sites? The salted hashes should be different for each site, even if the same password is used.

    1. Re:Wait a damn minute... by Anonymous Coward · · Score: 0

      Many sites don't encrypt passwords. This is so they can email your password when you lost yours. Yes there are sites that are that stupid, including banks.

  19. Password Complexity Limits by Anonymous Coward · · Score: 1

    Today I had to sign up for an online pay account at my State's version of the IRS.

    I tried to use a normal complex password like I normally do, which is anywhere between 20 and 30 random characters, numbers, and symbols. The website threw an error and said the password had to be between 6 and 10 characters long, and contain only upper and lower case letters and numbers.

    What the fuck kind of shit is that? I canceled the sign up and wrote them a paper letter stating that I would use their online e-pay system when they implemented some real security. In the meantime they can have a check and I'll just leave off the pay-by-mail fee and they can sue me if they want it that badly.

    1. Re:Password Complexity Limits by Cro+Magnon · · Score: 1

      Yeah, until recently, one of my credit card accounts didn't allow special characters. You'd think a bank would do better than that.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  20. Insecure passwords are fine by Lord+Bitman · · Score: 1

    Not every site that I use is important enough to need a secure password.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  21. re-use by Anonymous Coward · · Score: 0

It's perfectly ok to re-use weak passwords on several sites, as long as they're junk sites that have no access to any of your important data.
    If an account needs to stay secure, use a semi-random password. I pick a book, open 8 pages at random, use the first 4 page numbers to select words from the last four pages, then put them together into a password, or use bits of those words to generate a password. It's about as random as you can get without using generator software, which you have to trust to be secure in the first place...
    None of my important-to-me sites has ever been hacked by someone guessing my passwords; those that have possibly been hacked have been failures further up the ladder. If fools want to hack my social sites etc., then they are really sad...