Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)
Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.
Didn't we just have a (absolutely stupid) story about how password complexity rules are bad?
Which is it?
(Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)
Glad to see that TFA gives no bonus to sites favoring hard-to-remember passwords with stupid special-character combinations...
Passwords need to not be a single dictionary word or name with the first letter capitalized, followed by a one, followed by an exclamation mark. The really stupid thing to do is issue requirements for including upper case, lower case, numbers, special symbols, etc., often within a lower or upper length limit, and then with symbol restrictions on top. If a password can't be memorized, it's useless. The only thing that should be mandatory is that the password be long (a passphrase), complicated, or both, and perhaps that it fails the "will a computer easily hack it?" test. There's no reason websites can't do a check for this instead of requiring a password like "Biscuit1!" instead of "biscuit1". I can't tell you how many times I've been forced to create a less useful password on a website because the password security requirements wouldn't let me use any of the passwords I normally use.
If you really want it locked down, U2F (2FA device standard) is the way to go. Currently only supported by technically leading sites: google, facebook, github, but jeez it's such a huge improvement over passwords or password managers. One neat side effect of U2F is that with it in place, the password can be super simple, since with U2F the password is not very important. See the U2F FAQ: https://medium.com/@nparlante/...
Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.
I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd
Securing a site against password-based attacks is a solved problem. Figuring out what to do when people forget their passwords is still hard.
I like being able to use fuck for my netflix password. Why the fuck shouldn't I be able to?
If said someone reuses their password across sites, it can be real bad, but password formation rules are useless against that type of bad password management. You can have the strongest password ever created by man, but if you use the same one across all your accounts and one dumb webmaster decides to save passwords as plain text and gets invaded, you are fucked the same way!
So children, use password managers, you can use the most simple of the passwords for your logins (albeit with a manager that would be dumb), as long as you use a different one for each.
You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.
How could I ever avoid using 'a' as a password without a dozen BS rules that are different on every fucking site?
Sites "failed Dashlane's tests." Good for them. Recent analysis by real cryptographers shows that password rules are worse than no rules.
And now we have "Dashlane", a nobody who wants to "grade" sites on their "password creation policies."
https://xkcd.com/936/
Bye Dashlane and stop it with your self-serving PR memos. You are a disservice to oxygen-breathing password-users.
I have a two character password for one important account. It wasn't important 15 years ago when I created it, but grew in value. Perhaps I should change it, but then I'd be among the millions of others using this service with 8+ character passwords. I'm pretty sure that if a hacker looked at my 2 character password, she would just assume that it was a fragment of some code.
"GoDaddy emerged as the only consumer website with a perfect score" - I hope they've improved; for years they consistently locked me out of my account, requiring calls to tech support. There is a practical limit to the number of obscure requirements for account access. Other companies require phone confirmation (I won't give them my phone #), email or text confirmation, etc. Is it necessary or simply a means to gather more marketable information about users?
Then there are companies who insist that your username or password is incorrect. Yes, the one you've been using all along. You have to go and create a new one (again, wait for a code via email). Then, when you use the same password, the system says you are not allowed to use the same password (it knew you had the correct password all along!). Somewhere behind the scenes is an Eichmann who delights in torturing users.
How about websites adjust their software such that e-mail addresses are not required for registration or use! Somebody would think that the internet, designed to survive a nuclear attack, would ensure that one website doesn't need to rely on another site for e-mail service!
Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them, and most sites actually do understand this. Further, if it is a site whose security I do care about, I want to be able to use a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second, for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making me choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.
I've lost track of how many passwords I have on various sites. Each site has its own rules, which conflict with each other. There's no way I can remember them all. So what do I do? I send myself emails with password hints for each site, or save a list in a password-protected document, or let Chrome remember it, or write them on a sticky note. If somebody figures out a way to hack Chrome's password vault, a LOT of people are in trouble! Somebody DID hack LastPass.
When building security is very tight, and there's a need for a plumber to come and go, what do they do...somebody props open a door, of course! Passwords are no different. If you make them too hard, people take measures to remember them--measures that make them less secure than if the rules weren't there in the first place!
I hate it when websites take it into their own hands to tell me how good or bad my password is. 1234 is perfectly valid for most of them. They provide nothing of value and I won't give them anything more than that. For those that do matter (I give them CC info, for example) I choose my own thing. No need for a dumb mid-level manager to tell me what's good and what's bad.
for example AWS allows the account owner to set the password policy strength:
Options are:
Minimum password length: [ ]
[ ] Require at least one uppercase letter
[ ] Require at least one lowercase letter
[ ] Require at least one number
[ ] Require at least one non-alphanumeric character
[ ] Allow users to change their own password
[ ] Enable password expiration
Password expiration period (in days): [ ]
[ ] Prevent password reuse
Number of passwords to remember: [ ]
[ ] Password expiration requires administrator reset
And at user creation you can assign an MFA device. So I'm thinking these guys didn't test a thing.
https://www.youtube.com/watch?...
Requiring UPPERCASE doubles the space while 0-9 only adds 10 digits. It would be better to require mixed CASE than to require digits.
Also, requiring a symbol and then allowing ANY symbol would expand the space to the typical symbols people use... probably only about 8 symbols cover 90% of passwords. A full brute force would expand to nearly all of Unicode! Emoji included.
Requiring a SPACE might only add 1 digit but it would hint to people to add a whole WORD and I bet you get more in practice than requiring digits.
Strength tests should include the domain name because I've seen some lists where the domain name was used. My own investigating found people will use dates, names, initials, their PIN #, phone, even part of their email address. That kind of easily guessed stuff does not show up in these checkers OR in the stats gathered from break ins. Sites really should not create an account password UNTIL you enter all your account information. The session ID is good enough for tracking logins it surely is good enough to setup an account before creating a password and account name. Everybody does it backwards.
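The keyspace arithmetic in the post above (and the "alphanumeric required lets the attacker skip alpha-only" point made further down the thread) can be checked exactly. The following is an added example, not code from the thread or from Dashlane's report: it counts, by inclusion-exclusion, how many strings of a given length satisfy a "must contain at least one of each required class" rule, so you can compare what a composition rule removes from the attacker's search space against what widening the alphabet adds. Class sizes are assumed ASCII (26/26/10 and 33 printable punctuation characters).

```python
"""Keyspace arithmetic for password composition rules.

Counts how many length-n strings over a set of allowed character classes
contain at least one character from every *required* class. A "require a
digit" rule makes the attacker's job smaller, not larger: every string the
rule rejects is a string the attacker never has to try.
"""
from itertools import combinations
from math import log2

# Assumed ASCII class sizes: a-z, A-Z, 0-9 and the 33 printable punctuation marks.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(length: int, allowed: tuple, required: tuple = ()) -> int:
    """Number of strings of `length` over the union of `allowed` classes that
    contain at least one character from each class in `required`.

    Inclusion-exclusion over the required classes: start from all strings,
    subtract those missing one required class, add back those missing two,
    and so on. With no required classes this is just alphabet ** length.
    """
    if not set(required) <= set(allowed):
        raise ValueError("required classes must be a subset of allowed classes")
    alphabet = sum(CLASSES[c] for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = alphabet - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def bits(n: int) -> float:
    """Guess-space size expressed in bits (0 for an empty space)."""
    return log2(n) if n > 0 else 0.0


def compare_rules(length: int = 8) -> dict:
    """Side-by-side keyspaces for the policies discussed in the thread."""
    return {
        "lowercase only": keyspace(length, ("lower",)),
        "lower+digit allowed, nothing required": keyspace(length, ("lower", "digit")),
        "lower+digit allowed, digit required": keyspace(length, ("lower", "digit"), ("digit",)),
        "mixed case allowed, nothing required": keyspace(length, ("lower", "upper")),
        "mixed case allowed, both cases required": keyspace(length, ("lower", "upper"), ("lower", "upper")),
        "all four classes allowed, all required": keyspace(
            length, ("lower", "upper", "digit", "symbol"), ("lower", "upper", "digit", "symbol")
        ),
    }


if __name__ == "__main__":
    for name, n in compare_rules().items():
        print(f"{name:45s} {n:>22d}  {bits(n):5.1f} bits")
```

Two things the numbers make obvious: for 8 characters, "allow digits, require none" is 36^8, while "require a digit" drops to 36^8 - 26^8, because the attacker can skip every all-letter candidate; and requiring mixed case (52^8 - 2*26^8) leaves a far larger space than requiring a digit, which is the point the post makes about uppercase doubling the alphabet versus digits adding ten.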
Shock as sites designed for professional use leave responsibility for choosing secure password to their clients!
Exactly.
Your website may not be important to me, so I won't give it a very important password. It may be important to you, but not to me. Especially if you insist on a username and password to do the most basic things.
You want me to log in to download your free software? Sure, I'll create an account - with a wimpy password. I don't care if that software is your heart and soul and you missed your mother's funeral to release it on time. I just want the file.
You want me to log in to comment on your article? Well, ditto. Same for forums as well.
Hell, I fully expect those sites to be hacked, so why use a strong password? Might as well just make it "password" and be done with it - if someone's downloaded the password file then they have all the time in the world to crack it. I might as well assume your site has vulnerabilities that make it easy to steal the password file.
Oh yeah, my Paypal, Amazon and bank passwords? They're nice and secure.
Maybe you should learn first how to correctly express a measure of entropy, and then we can discuss whether n user-chosen words have this entropy. (Little hint: They don't.)
Hi,
You choose a password, and a calculation is performed of how long a brute-force/dictionary attack will take.
Your password will expire after this time.
Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com...
thisisanicepassword => 3 days
this is a nice password => 40 years (maybe maximize on a top limit)
12345678 => 1 second
one two three four => 3 years
correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
h4Z7p8d0 => 51 seconds
h4Z7p8d0x3 => 2 hours
h4Z7p8d0x3w1 => 6 days
h4Z7p8d0x3w1bd => 2 years
Maybe his usage of 'entropy' is not correct, but there are easy ways to have long and memorable passwords.
See diceware.
5 words from a dictionary of 7776 is 7776^5
That's quite a lot.
Equivalent to a 14 lowercase letter password. But instead of memorizing 14 items, you only need to memorize 5
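The diceware arithmetic above (7776^5, "equivalent to a 14 lowercase letter password") and the earlier post's split between an online, rate-limited attacker and an offline attacker holding the hash file can both be worked through with the same few lines. This is an added example, not from the thread: it computes the entropy of n words drawn uniformly at random from a list of size d, the number of random lowercase letters that carry the same entropy, and the expected time to exhaust half the space at an assumed guess rate. The guess rates used in `__main__` (10 per second online, 10^10 per second offline) are illustrative assumptions, not measurements.

```python
"""Diceware-style passphrase strength versus an attacker's guess budget.

Assumes the words are chosen by dice (uniformly at random), not by the user;
user-picked words have less entropy than this arithmetic credits them with.
"""
from math import ceil, log2

DICEWARE_WORDS = 7776          # 6^5 entries in the standard diceware list
SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of `words` independent uniform draws from `dictionary_size` words."""
    return words * log2(dictionary_size)


def equivalent_random_chars(bits: float, alphabet: int = 26) -> float:
    """How many uniformly random characters from `alphabet` carry `bits`."""
    return bits / log2(alphabet)


def words_needed(target_bits: float, dictionary_size: int = DICEWARE_WORDS) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return ceil(target_bits / log2(dictionary_size))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def summary(words: int, online_rate: float = 10.0, offline_rate: float = 1e10) -> dict:
    """One row of the comparison for a passphrase of `words` diceware words."""
    b = passphrase_bits(words)
    return {
        "words": words,
        "bits": round(b, 1),
        "lowercase_equiv": round(equivalent_random_chars(b), 1),
        "online_years": expected_crack_years(b, online_rate),
        "offline_years": expected_crack_years(b, offline_rate),
    }


if __name__ == "__main__":
    for n in range(2, 8):
        row = summary(n)
        print(f"{row['words']} words: {row['bits']:5.1f} bits "
              f"(~{row['lowercase_equiv']:4.1f} random lowercase letters) "
              f"online {row['online_years']:10.2e} y, offline {row['offline_years']:10.2e} y")
    print("words for 30 bits:", words_needed(30), " words for 60 bits:", words_needed(60))
```

Five diceware words come to about 64.6 bits, which is the "14 lowercase letters" figure (13.75, rounded up). Three words are comfortably out of reach for an attacker held to a handful of guesses per second by rate limiting, while the same three words last only minutes against an offline attacker with the hash file; six words, as the earlier post says, is where the offline case starts to look reasonable.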
What if they are the most popular sites BECAUSE they are the least secure?
Ease of use is pretty important and people would rather use a less secure, but easy platform than a more secure and complicate platform.
Just recently somebody told me they did not use any protection on their phone, because it was to much trouble to use.
They added fingerprint readers because people are too lazy to type in a 4 pin code.
It's more important that a site allow strong passwords, by having long or no length limit, and no character restrictions. Amazon, Google, and LinkedIn, for example, may allow weak passwords, but unlike many sites, they also allow very strong passwords (no length or character restrictions AFAIK). If someone doesn't want a strong password (for example if they insist on trying to remember dozens of different passwords instead of using a password manager) forcing one will just make them write it on a sticky pad. Which may or may not be OK, depending on whether it's a secure environment.
take a deep breath, ass stain.
Have you considered changing banks?
Yes. But when only one bank has ATMs within cycling distance, that makes every other bank much more expensive: withdrawing cash costs ATM fees, depositing checks costs postage, and depositing cash costs postage plus money order fees. In the city where and years when I attended college, there was only one bank.
This is the biggest thing about security of websites. If your site doesn't handle my money, or my real life reputation, then it doesn't need a secure password.
Imagine if every single store you ever visited required you to sign up with all your personal details and carry around a user card before you could walk in the door? Sure you'd put up with it for your favourite grocery store, the local hardware store, and maybe 1-2 others, but you'd quickly say enough is enough and just avoid the mall. The web is increasingly like this, every site wants all your personal details, and for you to remember a username and password just for their site, a site you may not ever visit again. It's insane.
If a streaming video provider doesn't need a strong password, that's fine, the worst case is someone else watches a TV show instead of me, oh the horror! If my bank doesn't require a strong password, that's a problem, but for the rest, give it a rest!
There are two kinds of web-based random string generators: those that generate the password on the server and therefore allow the operator of the site to see every string that is generated, and those that generate the password on the client and therefore require the user to add the site to the browser's whitelist for running JavaScript.
Hint: Two-factor authentication is so dramatically more secure that you're far better off implementing it
Unless it's Twitter, which allows only the login method that's most expensive per use for many U.S. users.
The testing criteria is flawed.
If websites did their security right, there is no issue with it just being "a".
Once you salt, pepper, and hash that letter it becomes just as tricky to hack as "h&t3)__ner!1" -- 64 digits of random looking hex.
A real indicator of a website's bad password storage is if there is a character limit. If they only allow password that are 12 characters or fewer, then you know they are saving the password in a recoverable format. You should also try doing a "Forgot Password"; if they can email your password back in plain text, I wouldn't trust that site with the recipe for a peanut butter and jelly sandwich.
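The post above touches two storage questions a practitioner would want to see concretely: what a salted, iterated hash does for a one-character password, and why a correctly hashing site has no reason to cap password length. The following is an added example, not code from the thread or from any of the sites in the report. It stores a password as PBKDF2-HMAC-SHA256 with a 16-byte random salt (producing the 64 hex digits the post mentions), verifies candidates in constant time, and then runs a small dictionary attack against the stored record. The iteration count and the three-entry wordlist are assumptions chosen so the example runs quickly offline.

```python
"""Salted password hashing: what the salt changes, and what it does not.

A per-user salt forces the attacker to do the hash work once per record and
makes precomputed tables useless. It does not make a guessable password hard
to guess: a dictionary attack against "a" succeeds as soon as "a" is tried,
salt or no salt. The output is always 64 hex digits regardless of input
length, which is why a hashing site needs no maximum password length.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor; tune to your server's budget


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: hex salt, hex PBKDF2 digest, iteration count."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_attack(record: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each word against one stored record; return (recovered, guesses made)."""
    guesses = 0
    for guess in wordlist:
        guesses += 1
        if verify_password(record, guess):
            return guess, guesses
    return None, guesses


# Constructed sample data: a tiny attacker wordlist and two stored accounts.
SAMPLE_WORDLIST = ["123456", "password", "a"]
WEAK_RECORD = hash_password("a")
STRONG_RECORD = hash_password("ninth-orbit-lantern-quiet-velvet-sandbar")


if __name__ == "__main__":
    print("stored hash length:", len(WEAK_RECORD["hash"]), "hex digits")
    print("attack on 'a':", dictionary_attack(WEAK_RECORD, SAMPLE_WORDLIST))
    print("attack on passphrase:", dictionary_attack(STRONG_RECORD, SAMPLE_WORDLIST))
```

Two records of the same password get different salts and therefore different hashes, so an attacker cannot crack them together; but the weak record still falls on the third guess, because the salt raises the cost per guess, not the number of guesses needed.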
Sure, the data has to be breeched first
Why does the data need to start wearing pants?
That'd be difficult on sites that use a username as part of a user's public identity. For example, someone who reads the comments of all stories on the front page of Slashdot can see the usernames of all logged-in users who have commented on those stories.
Yeah, at least when sites have custom logins the profile stays there; more and more are asking to log in via social media or a Gmail account... why would I want to link any more information about me on the internet than absolutely necessary?
And if you estimate entropy PROPERLY
What's "properly"? Kolmogorov complexity isn't tractable to compute.
using a sync solution like Dropbox shouldn't be a problem
What I fear is that I would add two passwords on separate machines, and then the ownCloud or Dropbox client gets a merge conflict when it sees that both versions of the password vault file have changed.
Especially if there's a separate keyfile that you don't include on shared storage and instead copy to every client device manually.
How is that done on mobile, especially when iOS didn't have a user-accessible file system last I checked?
See: http://cubicspot.blogspot.com/2012/08/how-to-identify-websites-with-weak.html
8+ - Good
Alphanumeric required - Bad, you allow the attacker to skip testing all alpha-only / numeric-only passwords.
Password strength meter - We all know they don't work
Logins cannot be brute-forced - OK
2-FA auth - doesn't have much to do with passwords
That's fine for passwords that don't affect the path to e-mail. In fact, some sites embrace passwordless login through one-time tokens sent through e-mail. But it wouldn't work for the password to the user's Internet connection (PPPoE, RADIUS, subscription hotspot with a captive portal, etc.) or to the user's e-mail itself.
Nor does it work if your site has a lot of users such as jondeanmack, who expects to be able to register without providing a means of password recovery.
I wouldn't bother.
In their snide remark about entropy above about the calculation being incorrect, the AC has merely just declared that they don't even have a vocabulary of 1000 words (~2^10).