Slashdot Mirror


Password Power Rankings: a Look At the Practices of 40+ Popular Websites (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Nothing should be more important for these sites and apps than the security of the users who keep them in business. Unfortunately, Dashlane found that 46% of consumer sites, including Dropbox, Netflix, and Pandora, and 36% of enterprise sites, including DocuSign and Amazon Web Services, failed to implement the most basic password security requirements. The most popular sites provide the least guidance when it comes to secure password policies. Of the 17 consumer sites that failed Dashlane's tests, eight are entertainment/social media sites, and five are e-commerce. Most troubling? Researchers created passwords using nothing but the lowercase letter "a" on Amazon, Google, Instagram, LinkedIn, Venmo, and Dropbox, among others. GoDaddy emerged as the only consumer website with a perfect score, while enterprise sites Stripe and QuickBooks also garnered a perfect score of 5/5. Here's a screenshot of how each consumer/enterprise website performed.

29 of 127 comments

  1. Uh by sexconker · · Score: 5, Interesting

    Didn't we just have an (absolutely stupid) story about how password complexity rules are bad?
    Which is it?

    (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

    1. Re:Uh by webnut77 · · Score: 2

      [0:root@yoda ~]$ pwqgen
      more2rival+Relish

    2. Re:Uh by geekmux · · Score: 4, Insightful

      Didn't we just have an (absolutely stupid) story about how password complexity rules are bad? Which is it?

      (Hint: Password complexity rules are a good way to prevent the dumbest of passwords from being used.)

      To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason: the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

      Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

      Don't force complex passwords? Users create shitty passwords, and the Top 10 Shitty Passwords in 2017 are the same Top 10 Shitty Passwords used in 1987.

      Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

      Don't force password changes? Users never change them. Ever. Even if they are a victim of hacking or identity theft, they insist on keeping the same shitty password they used in high school. If you forced them to change it, they would have to write it down.

      Sorry, but it doesn't matter what NIST or any other standard recommends: all the password rules in the world won't prevent the masses from building a better idiot.

      TL;DR - The problem isn't password policies; it's stupid users.

    3. Re:Uh by lucm · · Score: 4, Funny

      minimum length

      What would be cool is minimum keystrokes instead. That way one could have a couple of backspaces in the password. Try to rainbow table that!

      --
      lucm, indeed.
    4. Re:Uh by UnknownSoldier · · Score: 2, Interesting

      > Force password changes? Users change from Password1 to Password2. You'll be able to guess their password 5 years from now.

      That is why I append a 4-digit suffix, in the format MMYY, of when the password expires to the passphrase, as a mnemonic for when it expires.

      Your crappy "password1" becomes "password0817"

      Good luck guessing the first part -- the pass phrase, along with the second part -- when it expires.

      > The problem isn't password policies;

      Incorrect. I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???

    5. Re:Uh by viperidaenz · · Score: 2

      Brute force is mitigated by account lockout. If someone has a local copy of your password hashes, restricting the available passwords is only going to help a brute force attack.

    6. Re:Uh by Pieroxy · · Score: 2

      It would probably require less than 5 lines of JS to actually allow tabs, backspace and other special characters in a password (or otherwise text) field. And the transmission to the backend has been figured out for decades now. You can actually encode those the way you want, even left, up, down and right arrows and other special keys that do not have an ASCII counterpart (think Caps Lock, Scroll Lock and such, and even mouse events!)

      The biggest issue here is that you're diverging from a perfectly universal way of entering a password on your site, which your users need to be aware of. Since the available mind-time for such bullshit is lower than ever these days, I'd say good luck.

    7. Re:Uh by Bearhouse · · Score: 2

      Yes, you could do it on a PR1ME... could also embed backspaces in messages to other users which would then crawl backwards across the screen deleting themselves...ah...the 1980s

      https://en.wikipedia.org/wiki/...

    8. Re:Uh by Zumbs · · Score: 2, Informative

      To clarify, the author of complex password policies that have lasted 15+ years had regret for one reason: the rules were too complex for users. In other words, he underestimated just how stupid and ignorant the masses are.

      Force complex passwords? Users write them down. Every time. And "hide" them in the same stupid place.

      I'm registered at more than 50 sites (including work). How do you expect a sane person to remember that number of reasonably strong passwords? And change them at regular intervals?

      My point is that the strong password system may work well if you have a small number of passwords, but once the number of passwords increases beyond maybe a handful, the password system breaks. The problem is not stupid users; the problem is the notion of requiring users to remember many passwords. Something better is sorely needed.

      --
      The truth may be out there, but lies are inside your head
    9. Re:Uh by TheRaven64 · · Score: 2

      On the Psion Series 3, it was possible to set a password containing arbitrary ASCII characters. Unfortunately, I discovered after doing this that it wasn't possible to enter any of the special characters from the login screen...

      --
      I am TheRaven on Soylent News
    10. Re:Uh by jareth-0205 · · Score: 5, Insightful

      Tell me oh massive brained one, how many passwords do you hold in your head? And how many will you still know in a year's time when you haven't used some of them for a while? Also, how many do you think you'll be able to hold in your head when you're 60? 70?

      Passwords are a terrible solution for security, and a solution that we've never as a species had to deal with before. Remembering something that has absolutely no margin for error is hard for squishy brained organisms to do. Password managers are a solution but not exactly a widely spread well-known one, and they have their own issues.

      Also, in your better-than-thou rant you haven't taken into account that worldwide security measures have to *work with stupid people too*. Someone who isn't too clever deserves decent security too, not just you and your Mensa brethren.

    11. Re:Uh by mysidia · · Score: 2

      It's not a problem to rainbow table that. What kills rainbow tables is strong salting.

    12. Re:Uh by jareth-0205 · · Score: 2

      I remember reading an article once that was talking about how important your email password (and security of whatever email provider you have) is. It's basically the easy backdoor to almost everything we have online because pretty much everything uses email as a forgot password - so if someone gets into your email they can reset absolutely everything. Scary as fuck... and yet that's one of the ones that many probably don't usually use the crazy-complex passwords for because 'it's just email'.

    13. Re:Uh by green1 · · Score: 2

      This! I'm getting tired of being told that / isn't a special character, or that my truly random password only had 1 uppercase and 2 numbers, but needs 2 uppercase and 3 numbers, or that my random password can't have the same character twice in a row, etc.

    14. Re:Uh by green1 · · Score: 2

      I've seen sites where they had a maximum password length, usually like 8 characters. Seriously, WTF. You are _intentionally_ making your passwords insecure???

      I know a specific bank that has the following password rules for their online banking:
      - must be all numeric
      - must be between 4 and 6 digits long

      And this is a BANK!!!!

      Even better was when they sent out a newsletter which included a section on "staying safe online" which specified that you should always use a strong password of greater than 8 characters mixed upper and lowercase with numbers and symbols. I found that pretty ironic from a bank that won't let you use those very passwords on their own site.

  2. U2F to the rescue! by icknay · · Score: 4, Informative

    If you really want it locked down, U2F (2FA device standard) is the way to go. Currently only supported by technically leading sites: Google, Facebook, GitHub, but jeez it's such a huge improvement over passwords or password managers. One neat side effect of U2F is that with it in place, the password can be super simple, since with U2F the password is not very important. See the U2F FAQ: https://medium.com/@nparlante/...

    1. Re:U2F to the rescue! by Average · · Score: 2

      U2F really does whip the proverbial llama's ass. I wouldn't say, though, that your password is 'not very important'.... your password is still your second factor for a lost/stolen U2F key.

      It is slowly gaining market share. One major financial firm (Vanguard mutual funds/brokerage) has enabled U2F logins, hopefully more to follow.

  3. Passwords not usually the only way in by Anonymous Coward · · Score: 2, Informative

    Many websites have good password policies - however, too many of them have entirely vulnerable account/password recovery systems.

    I am reminded of this story about a clever attacker who convinced GoDaddy to let them into the victim's account by means of the last four digits of a credit card number provided over the phone by PayPal's recovery process: https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd

    Securing a site against password-based attacks is a solved problem. Figuring out what to do when people forget their passwords is still hard.

  4. Worst that can happen by esperto · · Score: 2

    The worst that can happen if some "bad guy" finds out someone's Netflix account is to make a mess of episodes that were seen/not seen.

    If said someone reuses their password across sites, it can be real bad, but password formation rules are useless against that type of bad password management. You can have the strongest password ever created by man; if you use the same one across all your accounts and one dumb webmaster decides to save passwords as plain text and gets invaded, you are fucked the same way!
    So children, use password managers; you can use the simplest of passwords for your logins (albeit with a manager that would be dumb), as long as you use a different one for each.

  5. Stupid Admins by Anonymous Coward · · Score: 5, Insightful

    You can rant about stupid users all you want, they are the users you have. If you have rules that are not reasonably executable by the average user, then your rule is stupid.

  6. buck the trend by swell · · Score: 2

    I have a two character password for one important account. It wasn't important 15 years ago when I created it, but grew in value. Perhaps I should change it, but then I'd be among the millions of others using this service with 8+ character passwords. I'm pretty sure that if a hacker looked at my 2 character password, she would just assume that it was a fragment of some code.

    "GoDaddy emerged as the only consumer website with a perfect score" - I hope they've improved; for years they consistently locked me out of my account, requiring calls to tech support. There is a practical limit to the number of obscure requirements for account access. Other companies require phone confirmation (I won't give them my phone #), email or text confirmation, etc. Is it necessary or simply a means to gather more marketable information about users?

    Then there are companies who insist that your username or password is incorrect. Yes, the one you've been using all along. You have to go and create a new one (again, wait for a code via email). Then, when you use the same password, the system says you are not allowed to use the same password (it knew you had the correct password all along!). Somewhere behind the scenes is an Eichmann who delights in torturing users.

    --
    ...omphaloskepsis often...
  7. Don't care about your site you precious snowflake by FeelGood314 · · Score: 3, Insightful

    Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them, and most sites actually do understand this. Further, if it is a site whose security I do care about, I want to be able to use a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second, for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making me choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.

  8. Needless complexity reduces security by Tony+Isaac · · Score: 2

    I've lost track of how many passwords I have on various sites. Each site has its own rules, which conflict with each other. There's no way I can remember them all. So what do I do? I send myself emails with password hints for each site, or save a list in a password-protected document, or let Chrome remember it, or write them on a sticky note. If somebody figures out a way to hack Chrome's password vault, a LOT of people are in trouble! Somebody DID hack LastPass.

    When building security is very tight, and there's a need for a plumber to come and go, what do they do...somebody props open a door, of course! Passwords are no different. If you make them too hard, people take measures to remember them--measures that make them less secure than if the rules weren't there in the first place!

  9. Why is requiring alpha numeric important? by bussdriver · · Score: 3, Insightful

    Requiring UPPERCASE doubles the space while 0-9 only adds 10 digits. It would be better to require mixed CASE than to require digits.

    Also, requiring a symbol and then allowing ANY symbol would expand the space beyond the typical symbols people use... probably only about 8 symbols cover 90% of passwords. A full brute force would expand to nearly all of Unicode! Emoji included.

    Requiring a SPACE might only add 1 digit but it would hint to people to add a whole WORD and I bet you get more in practice than requiring digits.

    Strength tests should include the domain name because I've seen some lists where the domain name was used. My own investigating found people will use dates, names, initials, their PIN #, phone, even part of their email address. That kind of easily guessed stuff does not show up in these checkers OR in the stats gathered from break-ins. Sites really should not create an account password UNTIL you enter all your account information. The session ID is good enough for tracking logins; it surely is good enough to set up an account before creating a password and account name. Everybody does it backwards.
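    The check the comment above asks for, a strength test that knows the site's domain and the account details the user has already entered (name, email, phone, dates), can be written as a rejection filter that runs once those fields are collected. The Python below is an added example, not code from Slashdot, the commenter or Dashlane; the account record is constructed for the demo, and the fragment rules, the leetspeak normalisation table and the 12-character minimum are assumptions rather than anything the page specifies.

```python
import re
from datetime import date

# Constructed account record for the demo. In a real signup flow these are
# the fields the user has already entered, which is why the comment argues
# the account should exist before the password is chosen.
ACCOUNT = {
    "email": "jane.doe84@example.com",
    "name": "Jane Doe",
    "phone": "+1 555 0100 2345",
    "birthdate": date(1984, 7, 14),
    "site_domain": "example-shop.test",   # the site's own domain name
}

# Common substitutions undone before comparing, so "j4ne" still matches "jane".
# Assumed table, not an exhaustive one.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def account_fragments(account, min_len=4):
    """Strings a user is likely to recycle into a password: name parts, the
    email local part and domain labels, the site's domain labels (TLD dropped),
    the phone number and its last four digits, and several date renderings.
    Fragments shorter than min_len are dropped so initials do not reject
    every password."""
    frags = set(re.split(r"[\s._-]+", account["name"]))
    local, _, mail_domain = account["email"].partition("@")
    frags.update(re.split(r"[._-]+", local))
    frags.update(mail_domain.split(".")[:-1])
    frags.update(account["site_domain"].split(".")[:-1])
    digits = re.sub(r"\D", "", account["phone"])
    frags.update({digits, digits[-4:]})
    d = account["birthdate"]
    frags.update(d.strftime(fmt) for fmt in
                 ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%Y%m%d"))
    return {f.lower() for f in frags if len(f) >= min_len}


def check_password(password, account, min_len=12):
    """Return the reasons a candidate is rejected (empty list = accepted).
    The policy is length plus 'contains nothing we already know about you';
    it deliberately has no character-class rules."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Compare both the raw lowercase form and the de-leeted form.
    forms = {password.lower(), password.lower().translate(_LEET)}
    for frag in sorted(account_fragments(account)):
        if any(frag in form for form in forms):
            reasons.append(f"contains account-derived string '{frag}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("Jane1984!xyz", "ex4mple-sh0p#2024!!", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        verdict = check_password(candidate, ACCOUNT) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

    Run stand-alone it rejects "Jane1984!xyz" (name and birth year), "ex4mple-sh0p#2024!!" (the site's own domain after the substitutions are undone) and "Tr0ub4dor&3" (too short), and accepts the four-word passphrase. The fragment list is a starting point; a deployment would also screen against a breached-password list, which this block does not include.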

  10. Re:Don't care about your site you precious snowfla by tlhIngan · · Score: 3, Interesting

    Seriously fuck you Help Net Security. I really don't care about the security of most sites enough to have to memorize a unique password for them, and most sites actually do understand this. Further, if it is a site whose security I do care about, I want to be able to use a secure password that I can remember. TR0b@dor is hard as hell for me to remember and will likely be in the first million passwords a cracking program will try. Second, for an online attack you need enough entropy to stop an attacker who is rate limited. So 2^30 is likely strong enough (that's 3 common English words). If someone gets your salted hashed password file you are going to need 2^60 bits of entropy. 6 English words. Making me choose a password that is anywhere between those two lengths is either a waste of my time or insufficient security.

    Exactly.

    Your website may not be important to me, so I won't give it a very important password. It may be important to you, but not to me. Especially if you insist on a username and password to do the most basic things.

    You want me to log in to download your free software? Sure, I'll create an account - with a wimpy password. I don't care if that software is your heart and soul and you missed your mother's funeral to release it on time. I just want the file.

    You want me to log in to comment on your article? Well, ditto. Same for forums as well.

    Hell, I fully expect those sites to be hacked, so why use a strong password? Might as well just make it "password" and be done with it - if someone's downloaded the password file then they have all the time in the world to crack it. I might as well assume your site has vulnerabilities that make it easy to steal the password file.

    Oh yeah, my Paypal, Amazon and bank passwords? They're nice and secure.

  11. THE solution: expiry depends on complexity by Gunstick · · Score: 5, Interesting

    Hi

    You choose a password, and a calculation is performed of how long a brute force/dictionary attack will take.
    Your password will expire after this time.
    Calculate the time using this calculator (take the botnet time): https://password.kaspersky.com...

    thisisanicepassword => 3 days
    this is a nice password => 40 years (maybe maximize on a top limit)
    12345678 => 1 second
    one two three four => 3 years
    correcthorsebatterystaple => 5 years (hmm, maybe they should add that to an exception list)
    h4Z7p8d0 => 51 seconds
    h4Z7p8d0x3 => 2 hours
    h4Z7p8d0x3w1 => 6 days
    h4Z7p8d0x3w1bd => 2 years

    --
    Atari rules... ermm... ruled.
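    Comments 7, 9 and 11 above all reason about keyspace size: the bits of entropy needed against a rate-limited online attacker versus an offline attacker holding the hash file, how much requiring upper case adds to the per-position alphabet compared with requiring digits, and an expiry date derived from the estimated crack time with an upper cap. The Python below is an added example that puts those three calculations in one place; it is not code from any commenter, from Kaspersky's calculator or from Help Net Security. The guess rates, the 2048-word list size and the two-year cap are assumptions, and the botnet figure is a constructed round number, not a measurement.

```python
import math
import string

# Guess-rate assumptions for the example (constructed round figures, not
# measurements): a rate-limited online attacker who gets a few guesses per
# second before lockout, and an offline attacker with the leaked hash file
# running a botnet against a fast hash.
ONLINE_GUESSES_PER_S = 10.0
OFFLINE_GUESSES_PER_S = 1e12

# The two entropy budgets from comment 7: about 2^30 guesses for the
# rate-limited case, about 2^60 once the salted hash file has leaked.
ONLINE_BUDGET_BITS = 30
OFFLINE_BUDGET_BITS = 60

# (alphabet, size): a password's alphabet is the union of the classes it
# actually uses, so requiring upper case doubles the per-position alphabet
# (26 -> 52) while requiring a digit adds only 10 symbols, as comment 9 notes.
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)


def charset_bits(password):
    """Keyspace estimate a typical strength meter reports: length times
    log2(alphabet size). It is an upper bound and badly overestimates
    passwords assembled from dictionary words (compare wordlist_bits)."""
    alphabet = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def wordlist_bits(n_words, list_size=2048):
    """Entropy of n_words chosen uniformly at random from a list of list_size
    words. With 2048 words (11 bits each) three words give 33 bits and six
    give 66 bits, bracketing the two budgets above."""
    return n_words * math.log2(list_size)


def meets_budgets(bits):
    """Which of the two attack models the estimate survives."""
    return {"online": bits >= ONLINE_BUDGET_BITS, "offline": bits >= OFFLINE_BUDGET_BITS}


def seconds_to_crack(bits, guesses_per_s):
    """Expected time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits / 2.0) / guesses_per_s


def expiry_days(bits, guesses_per_s=OFFLINE_GUESSES_PER_S, min_days=1, max_days=730):
    """Comment 11's policy: the password expires when the offline crack-time
    estimate runs out, capped at max_days (the 'maximize on a top limit'
    remark). A password that would not survive min_days is rejected outright,
    signalled by returning 0."""
    days = seconds_to_crack(bits, guesses_per_s) / 86400.0
    if days < min_days:
        return 0
    return int(min(days, max_days))


if __name__ == "__main__":
    for pw in ("12345678", "h4Z7p8d0", "h4Z7p8d0x3w1bd", "correct horse battery staple"):
        bits = charset_bits(pw)
        print(f"{pw!r:32} {bits:6.1f} bits  expiry {expiry_days(bits):3d} days  {meets_budgets(bits)}")
    for n in (3, 6):
        bits = wordlist_bits(n)
        print(f"{n} random words from a 2048-word list: {bits:.0f} bits, expiry {expiry_days(bits)} days")
```

    Two things the numbers show. First, the charset estimate rates "correct horse battery staple" at about 165 bits and hands it the maximum expiry, while the same phrase modelled as four words from a 2048-word list is only 44 bits and would not survive a day offline; that gap is why comment 11 wants an exception list and why any expiry-by-strength scheme has to estimate from the weakest plausible model, not the alphabet. Second, three random words clear the online budget but not the offline one, and six clear both, which is the split comment 7 describes.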
  12. Correlation? Causation? by houghi · · Score: 2

    The most popular sites provide the least guidance when it comes to secure password policies.

    What if they are the most popular sites BECAUSE they are the least secure?
    Ease of use is pretty important, and people would rather use a less secure but easy platform than a more secure and complicated platform.

    Just recently somebody told me they did not use any protection on their phone, because it was too much trouble to use.
    They added fingerprint readers because people are too lazy to type in a 4-digit PIN code.

    --
    Don't fight for your country, if your country does not fight for you.
  13. More important to ALLOW strong passwords by arobatino · · Score: 2

    It's more important that a site allow strong passwords, by having long or no length limit, and no character restrictions. Amazon, Google, and LinkedIn, for example, may allow weak passwords, but unlike many sites, they also allow very strong passwords (no length or character restrictions AFAIK). If someone doesn't want a strong password (for example if they insist on trying to remember dozens of different passwords instead of using a password manager) forcing one will just make them write it on a sticky pad. Which may or may not be OK, depending on whether it's a secure environment.

  14. ATM fees, postage, and money order fees by tepples · · Score: 2

    Have you considered changing banks?

    Yes. But when only one bank has ATMs within cycling distance, that makes every other bank much more expensive: withdrawing cash costs ATM fees, depositing checks costs postage, and depositing cash costs postage plus money order fees. In the city where, and the years when, I attended college, there was only one bank.