Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
* Do not use the same password for multiple sites or accounts.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Mike
On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords. --lyndon
On 06/08/2012 09:48 AM, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
* Do not use the same password for multiple sites or accounts.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them. Paul
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.
Does your password safe know how to change the password on each website every several months? Mike
On 06/08/2012 10:22 AM, Michael Thomas wrote:
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.
Does your password safe know how to change the password on each website every several months?
Mike
Oh come on.. now you're just being ridiculous, even bordering on childish. LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.
On 06/08/2012 01:24 PM, Paul Graydon wrote:
On 06/08/2012 10:22 AM, Michael Thomas wrote:
On 06/08/2012 12:56 PM, Paul Graydon wrote:
Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.
Does your password safe know how to change the password on each website every several months?
Mike
Oh come on.. now you're just being ridiculous, even bordering on childish. LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.
Uh, I'm not the one saying you should change your passwords every month, Linkedin is. If you think it's childish, take it up with them. Mike
On 06/08/2012 01:24 PM, Paul Graydon wrote:
Oh come on.. now you're just being ridiculous, even bordering on childish. LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer. Mike
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
Have a nice weekend,
-a
On 06/08/2012 01:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
A lot has changed from 1995, and still we're using technology that is essentially unchanged from the 1960's. For my part, on my app/website (Phresheez), the app actually auto-generates passwords for the user so that they don't have to type one in. I do this mainly because people hate typing on phones, but it has the nice property that if you have a password exposure event, you do not have the cascading failure mode that Linkedin has now unleashed. With apps and browsers that can remember passwords why are we still insisting that users generate and remember their own bad passwords? That's one reason that I find the finger wagging tone of that Linkedin post extremely problematic -- they have obviously never even considered thinking beyond the current bad practice. Mike
On 8 Jun 2012, at 21:55, Michael Thomas wrote:
With apps and browsers that can remember passwords why are we still insisting that users generate and remember their own bad passwords? That's one reason that I find the finger wagging tone of that Linkedin post extremely problematic -- they have obviously never even considered thinking beyond the current bad practice.
That's a fair point, well made; in practice I try to educate people on how to choose a good password by showing them bad ones and giving them a list of "Don'ts"; giving them a tool would be easier but then you have a race to the bottom for platform neutral tools which are well-written, don't repeat plaintexts and don't serve off a central authority like a website. In some ways when faced with a challenge like that I would prefer people learned how to pick their own.
One pentester-friend of mine can now determine in which department employees of his customer reside because each department circulated its own rules on "how to choose a secure password" and the templates/technique are distinct from one department to the next. He brute-forces a password (possible because the passwords are 8 characters-ish and reasonably short, thereby making templates irrelevant) and then reprograms his cracking software to mess with the per-department template to crack the rest of the users in a shorter time. Having people make up their own passwords reduces scope for that sort of behaviour - you crack some of the clueless folk but the overall quantity of breaks may be reduced.
Also: someone earlier mentioned "the password anti-pattern" - just to clear up a misapprehension, password security is not itself the aforementioned "anti-pattern"* but instead the actual "password anti-pattern" is (for example) surrendering your Blog password to a third party like Flickr so that it can post photos to your blog on your behalf. This sort of problem is solved by OAuth which community (unsurprisingly) is from whence the password-anti-pattern term was popularised; Google's "application-specific password" scheme addresses another aspect of the same issue. More concisely the "password anti-pattern" is "giving your password away or using it untowardly".
-a
On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
Have a nice weekend,
-a
Would it really be that hard to release a coordinated One-Time Password system that consumers could readily use across multiple sites? Owen
On Fri, Jun 08, 2012 at 03:17:25PM -0700, Owen DeLong wrote:
On Jun 8, 2012, at 1:41 PM, Alec Muffett wrote:
PS: when security is hard, people simply don't do it. Blaming the victim of poor engineering that leads people to not be able to perform best practices is not the answer.
Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
Have a nice weekend,
-a
Would it really be that hard to release a coordinated One-Time Password system that consumers could readily use across multiple sites?
Doesn't seem *that* hard; my current employer has done quite a bit of heavy lifting for you:
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
http://code.google.com/p/google-authenticator/
[yes iOS and blackberry as well]
Also, if you just want a very lightweight implementation for paper codes, try http://code.google.com/p/otpauth/
-- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
PS: when security is hard, people simply don't do it.
I think this is exactly right.
The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a "password safe" that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
We have an engineering challenge here, and the PKI we have so far doesn't work.
No, I have no magic answers. I'm not that smart. Michael Thomas is still right about this.
Best,
A
--
Andrew Sullivan
Dyn Labs
asullivan@dyn.com
KeePass, KeyPassDroid and Dropbox. I'm sure it will just get simpler as time goes on. My mom uses a key database just fine.
On Jun 8, 2012 4:49 PM, "Andrew Sullivan" <asullivan@dyn.com> wrote:
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
PS: when security is hard, people simply don't do it.
I think this is exactly right.
The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a "password safe" that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote:
KeePass, KeyPassDroid and Dropbox.
Yes, of course, I'll just upload all my passwords to a place totally under the control of someone (well, actually, _two_ other ones) else, and then pray that there never turns out to be a nasty attack against the programs and algorithms I used. (I'm more concerned about the programs. Obviously, if SHA-2 or whatever breaks, we gots bigger problems than all my personal passwords.)
I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.
Best,
A
--
Andrew Sullivan
Dyn Labs
asullivan@dyn.com
On 2012-06-08, at 2:07 PM, Andrew Sullivan wrote:
I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.
There is no "solution." Security is about risk management, nothing more. The only way to ensure your personal passwords are never compromised is to kill yourself after destroying all physical copies of those passwords. While ultimately secure, you won't be able to do your daily online banking. --lyndon
----- Original Message -----
From: "Lyndon Nerenberg" <lyndon@orthanc.ca>
The only way to ensure your personal passwords are never compromised is to kill yourself after destroying all physical copies of those passwords. While ultimately secure, you won't be able to do your daily online banking.
No, but on the positive side, the issue will be less pressing to you.
User-side authentication security is a multi-dimensional problem, and it is probably not theoretically possible to optimize any given instance for all of the possible vectors simultaneously. Different individuals need to make their own threat estimate, and decide what approach they want to take to it.
Of course, 95% of the affected audience wouldn't know what the phrase "threat estimate" meant, even if you threatened them.
Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
On 06/08/2012 11:07 AM, Andrew Sullivan wrote:
On Fri, Jun 08, 2012 at 05:00:14PM -0400, Tyler Haske wrote:
KeePass, KeyPassDroid and Dropbox.
Yes, of course, I'll just upload all my passwords to a place totally under the control of someone (well, actually, _two_ other ones) else, and then pray that there never turns out to be a nasty attack against the programs and algorithms I used. (I'm more concerned about the programs. Obviously, if SHA-2 or whatever breaks, we gots bigger problems than all my personal passwords.)
I'm not trying to be dismissive. Those are excellent stopgap measures. They're not a solution.
Best,
A
If you don't trust DropBox, try SpiderOak for an added layer of encryption.
In my case I rely on Password Safe (http://passwordsafe.sourceforge.net/), Password Gorilla (https://github.com/zdia/gorilla/wiki/) and Dropbox. PasswordSafe has android and windows clients. The windows client will work under wine on linux if you really want, but it's a bit of a pain. Password Gorilla is a TCL app that is cross-platform that reads PasswordSafe files. There are a number of iPhone clients for passwordsafe mentioned on the Password Gorilla page linked above. Dropbox keeps the safe sync'd between locations (including phone). In each of them adding, fetching or changing a password is simple and involves only a few clicks. I've got somewhere approaching 200+ passwords in mine.
On 06/08/2012 11:00 AM, Tyler Haske wrote:
KeePass, KeyPassDroid and Dropbox.
I'm sure it will just get simpler as time goes on.
My mom uses a key database just fine.
On Jun 8, 2012 4:49 PM, "Andrew Sullivan" <asullivan@dyn.com> wrote:
On Fri, Jun 08, 2012 at 01:30:42PM -0700, Michael Thomas wrote:
PS: when security is hard, people simply don't do it. I think this is exactly right.
The idea that we are going to train everyone on earth to keep eleventy billion distinct passwords in their heads -- or in a "password safe" that is either (1) under someone else's control because it's a web service or (2) inaccessible half the time because it's on their laptop and they're using their phone now and OMG -- is preposterous. (This without mentioning that they also have to remember the username that goes with it, which is _also_ variable.)
On Fri, Jun 8, 2012 at 2:00 PM, Tyler Haske <tyler.haske@gmail.com> wrote:
KeePass, KeyPassDroid and Dropbox.
I'm sure it will just get simpler as time goes on.
I second this! I deploy KeePass via MS GPO. No formal training on the application for the end-users but we do one-on-one with end users when we can. I have converted a bunch of users to Keepass. I personally use the KeyPassDroid and Dropbox which is good for end users even if they forget their windows sign-in or need an SSID login. We have some roboform users that think it's great, which I don't doubt but I say to them I paid $0 for keepass how much did you pay?
-- Joe
On 06/08/2012 01:35 PM, Lyndon Nerenberg wrote:
On 2012-06-08, at 1:22 PM, Michael Thomas wrote:
Does your password safe know how to change the password on each website every several months?
Yes.
I run a website. If it can change it on mine, I'd like to understand how it manages to do that. Mike
On 2012-06-08, at 1:41 PM, Michael Thomas wrote:
I run a website. If it can change it on mine, I'd like to understand how it manages to do that.
I log in to your website, change my password, and the software picks up that I've changed the password and updates the safe accordingly. The software doesn't initiate the password change, it just notices it and updates its database accordingly. Sorry, I should have explained that more clearly.
If you have a Mac or a Windows box, download the 1Password 30 day trial and take it for a run. It really is a useful bit of software. No, it doesn't work on my *BSD, Solaris, or Plan 9 machines. But it does sync across all my Mac, Windows, and Android gear, and the Android client lets me pull up passwords on my phone when I'm on one of the systems that doesn't have a native 1Password client, or when I am on the road.
--lyndon
On 06/08/2012 02:01 PM, Lyndon Nerenberg wrote:
On 2012-06-08, at 1:41 PM, Michael Thomas wrote:
I run a website. If it can change it on mine, I'd like to understand how it manages to do that.
I log in to your website, change my password, and the software picks up that I've changed the password and updates the safe accordingly. The software doesn't initiate the password change, it just notices it and updates its database accordingly. Sorry, I should have explained that more clearly.
If you have a Mac or a Windows box, download the 1Password 30 day trial and take it for a run. It really is a useful bit of software. No, it doesn't work on my *BSD, Solaris, or Plan 9 machines. But it does sync across all my Mac, Windows, and Android gear, and the Android client lets me pull up passwords on my phone when I'm on one of the systems that doesn't have a native 1Password client, or when I am on the road.
Ah, ok. Still, Linkedin's contention that I should log in to every account that I've created and change the password is silly -- nobody's going to do that. That said, if there were a standardized way to get these password vault software -- or whatever else wanted to manage them -- to do key refresh, I'd be happy to implement it for my site. To my knowledge, such a protocol does not exist.
Mike
On 08/06/12 2:01 PM, Lyndon Nerenberg wrote:
the Android client lets me pull up passwords on my phone when I'm on one of the systems that doesn't have a native 1Password client, or when I am on the road.
Does the Android client know how to automagically login to 100001 different Android Apps with your 1Password saved passwords? Does the iDevice client know how to automagically login to 10000001 different Apple Apps with your 1Password-saved passwords? Because if it doesn't do this automagically, it's not going to work for most people. jc
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals. It's pretty commonsensical once the threat is understood.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into something like 1Password, PasswordSafe or LastPass to help you with that - amongst others. It goes without saying that your password database should be protected by something really quite long but memorable to you.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
Yes. My 1Password configuration for my work system is for 16 character random passwords, sprinkled with punctuation and mixed case. My home one is less thoroughly set up but is being migrated to the same. They are this way because I have both read and understood the performance statistics for some software called "Hashcat" which I have seen burn through every single 1 thru 8 character lowercase alphanumeric password in 32 minutes, on a single Alienware gamer laptop. Imagine what it can do on AWS.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
Stop using your brain, use a computer.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Yes, some people evidently do. -a
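Alec's Hashcat figure above can be turned into an offline guessing rate and then into a comparison between an 8-character policy and the 16-character random passwords he actually uses. This is an added worked calculation, not part of the thread; the alphabet sizes, the reading of "32 minutes" as the time to exhaust the entire 1-8 character lowercase-alphanumeric space, and the "1000 cloud nodes" scaling are its own assumptions.

```python
# Added example, not from the thread: sizes password policies against the
# guess rate implied by "every 1 thru 8 character lowercase alphanumeric
# password in 32 minutes on a single laptop".  Alphabet sizes and the
# exact-32-minutes reading are assumptions of this example.
LOWER_ALNUM = 26 + 10                    # a-z plus 0-9
MIXED_WITH_PUNCT = 26 + 26 + 10 + 32     # upper, lower, digits, printable ASCII punctuation
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of candidate strings of every length min_len..max_len (exact integer)."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def implied_rate(alphabet: int, max_len: int, seconds: float) -> float:
    """Guesses per second needed to exhaust keyspace(alphabet, max_len) in `seconds`."""
    return keyspace(alphabet, max_len) / seconds


def worst_case_seconds(alphabet: int, length: int, rate: float, machines: int = 1) -> float:
    """Time to try every password of exactly `length` characters, `machines` crackers in parallel.
    A uniformly random password is found after half of this on average."""
    return alphabet ** length / (rate * machines)


def report() -> dict:
    """The numbers a policy discussion actually needs, derived from the benchmark."""
    rate = implied_rate(LOWER_ALNUM, 8, 32 * 60)
    return {
        "guesses_per_second_one_laptop": rate,
        # an 8-char password with "letters, numbers, and other characters" (LinkedIn's advice)
        "days_8char_full_charset": worst_case_seconds(MIXED_WITH_PUNCT, 8, rate) / 86400,
        # Alec's policy: 16 random characters from the full charset
        "years_16char_full_charset": worst_case_seconds(MIXED_WITH_PUNCT, 16, rate) / SECONDS_PER_YEAR,
        # "imagine what it can do on AWS": 1000 such machines
        "years_16char_full_charset_1000_nodes":
            worst_case_seconds(MIXED_WITH_PUNCT, 16, rate, machines=1000) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:40s} {value:.3g}")
```

The point the numbers make is the one Alec makes in prose: character-class rules applied to an 8-character password buy weeks, not years, against a fast unsalted hash, whereas length from a generator is what moves the cost out of reach.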
Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.
It's pretty commonsensical once the threat is understood.
Given that most compromised passwords these days are stolen by malware or phishing, I'm not understanding the threat, unless you're planning to change passwords more frequently than the interval between malware stealing your password and the bad guys using it. I agree that keeping a big file of unsalted hashes is a dumb idea, but there isn't much that users can do about services so inept as to do that. R's, John
On 8 Jun 2012, at 22:59, John Levine wrote:
Given that most compromised passwords these days are stolen by malware or phishing, I'm not understanding the threat, unless you're planning to change passwords more frequently than the interval between malware stealing your password and the bad guys using it.
I agree that keeping a big file of unsalted hashes is a dumb idea, but there isn't much that users can do about services so inept as to do
Hi John,
I can't easily reconcile the statement that "most passwords … are stolen by malware/phishing" with the subsequent para referring to the likes of LinkedIn (6.5 million apparently without usernames) or Playstation Network (77 million with PII) or RockYou (32 million IDs) … but then I lack stats for the former, perhaps you can tell me how many tens-of-millions of people got phished last year? Credit cards scraped by malware may touch that number, but might be themselves outpaced by wholesale CC database theft.
Sometimes password changing is done for reducing the window of opportunity, other times it is for education, yet more times it's for both, or to get everyone to refresh their password so the new Bcrypt or SHA512crypt hash algorithm can be enabled and the crummy old short Unix passwords (aaU..z/8FAYEc) can be expunged. With the right tools your identity can be quite (shall we say?) agile and involve a lot of hard work for bad guys to hit. That's the goal.
Turning the matter on its head: How tragic would it be for someone still to be using the same password that they were using in the Playstation hack, 14 months after the event? Is 14 months an excusable length of time for someone not to have changed their password after a break? I would say not - but then would 6 months be any more excusable? Or 3 months? How long is it excusable to not get around to changing a known-to-be-hacked password? And what if you don't know you've been hacked?
In this game of diminishing time windows and not being sure about whether User-A's password was taken but User-B's was not, perhaps the best strategy is to assume that all passwords are likely broken after a period of time and to change all of them - but that idea does not appeal to everyone; I can see why, but perhaps my goals are different.
-a
Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
* Do not use the same password for multiple sites or accounts.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Mike
Different passwords have different security clearances. Some stuff, especially all those "security questions" just has to be stored somewhere retrievable. Joe
On Fri, Jun 8, 2012 at 12:48 PM, Michael Thomas <mike@mtcc.com> wrote:
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
No actually, it's not impossible. I use 1password, you might use LastPass. They both work on Android, iPhone, Linux, Mac, Windows. I have over 900 passwords in that system, and I don't know any of them. They're all 8-14 characters. All random. I know my master password, and no one on the Internet has a copy of that. On some systems, I have a Yubikey with a 45 character master password. Change your habits. Fix the password anti-pattern. -j
On 2012-06-08 15:48, Michael Thomas wrote:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months. * Do not use the same password for multiple sites or accounts. * Create a strong password for your account, one that includes letters, numbers, and other characters.
And how about "Do not store your passwords using unsalted sha1?"
Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca
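Several posts in the thread describe the server side of this: Alec on keeping hashing algorithms up to date and on refreshing passwords so that a new bcrypt or SHA512crypt scheme can be enabled, Simon on unsalted SHA-1. The following is an added example, not code from the thread or from any product named in it, of a storage scheme with per-user salts and a deliberately slow KDF, and of the upgrade-on-login step that migrates legacy unsalted SHA-1 records without forcing everybody to reset. PBKDF2-SHA256 stands in for bcrypt/scrypt because it is in Python's standard library; the record format, the iteration count and the sample user table are this example's own choices.

```python
"""Added example (not from the thread or any named product): salted, slow
password storage with transparent re-hashing of legacy unsalted SHA-1 records
at the user's next successful login.  Record format and iteration count are
this example's own choices; PBKDF2 stands in for bcrypt/scrypt."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption: tune to your hardware, and raise it over time
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """The pattern under discussion: one unsalted hash per password.  Equal passwords
    hash identically, so a single precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Fresh random salt per record, cost parameter stored alongside so it can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(stored: str, password: str):
    """Returns (ok, replacement).  `replacement` is a new record the caller must write
    back when the password was right but was stored under a weaker scheme or a lower
    cost; otherwise None.  Comparisons are constant-time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(rest, legacy_sha1(password))
        return ok, (hash_password(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters_s, salt_hex, dk_hex = rest.split("$")
        iters = int(iters_s)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters)
        ok = hmac.compare_digest(dk.hex(), dk_hex)
        return ok, (hash_password(password) if ok and iters < PBKDF2_ITERATIONS else None)
    raise ValueError(f"unknown hash scheme {scheme!r}")


def shared_password_groups(records: dict) -> dict:
    """Group usernames whose stored records are byte-identical.  Against an unsalted
    table this reveals, with no cracking at all, who shares a password."""
    by_hash = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def migrate_on_login(records: dict, user: str, password: str) -> bool:
    """Login path that silently upgrades a legacy or under-cost record on success."""
    ok, replacement = verify_and_upgrade(records[user], password)
    if ok and replacement is not None:
        records[user] = replacement
    return ok


if __name__ == "__main__":
    # constructed sample table, legacy scheme: two users happen to share a password
    users = {"alice": "sha1$" + legacy_sha1("password"),
             "bob":   "sha1$" + legacy_sha1("password"),
             "carol": "sha1$" + legacy_sha1("hunter2")}
    print("visible password sharing before migration:", shared_password_groups(users))
    for name, pw in [("alice", "password"), ("bob", "password"), ("carol", "hunter2")]:
        migrate_on_login(users, name, pw)
    print("visible password sharing after migration: ", shared_password_groups(users))
    print("alice record now:", users["alice"][:40], "...")
```

Because the cost parameter travels with each record, raising `PBKDF2_ITERATIONS` later is a one-line change and existing users are moved to the higher cost the next time they log in, which is the orderly version of the "get everyone to refresh their password so the new hash can be enabled" exercise Alec describes.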
----- Original Message -----
From: "Michael Thomas" <mike@mtcc.com>
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
Whether those rules are *practical* is orthogonal to whether they're necessary.
Ob: https://xkcd.com/792/ https://xkcd.com/936/
Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
On Fri, Jun 08, 2012 at 12:48:38PM -0700, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
Um, no.
If the site in question has security issues sufficiently egregious that someone can obtain the hashed password table (particularly if it's one that's unsalted...and I'm looking at you, LinkedIn) then we can presume that any reasonably competent attackers can and will acquire it more than once. (That is, they won't post it publicly and ask for help...because they don't need any help. I strongly suspect that this is history, not a prediction.)
Changed hashes between successive retrievals indicate account access which in turn indicate live accounts which in turn indicate accounts of higher value which in turn should mean that password cracking resources (such as botnets and clouds) are best focused on those. (Of course if the site is blithely allowing brute-force attacks ad infinitum, then this gets even worse.)
And the process of "changing passwords" is fraught with its own issues, particularly when done via portable devices...like, say, smartphones with keystroke loggers installed. CarrierIQ, anyone? And what about (other) malware resident on user systems? Is it better (a) for a user to never log into example.com, thus never presenting their username/password pair for harvesting by malware or (b) to be compelled to log into example.com every few months...thus giving resident malware a fresh shot at capturing this information? (Information which, by the way, is probably in use at other sites.)
Then there are the human factors: encouraging someone to frequently update their password is contrary to encouraging them to select, memorize and use a strong password. Yet the latter is exactly what we want users to do.
One way to mitigate -- but not solve -- this problem is for sites to stop retaining so much data: you can't surrender a secret you don't have.
Sites need to use a system of account expiration to purge their rolls of disused accounts which no longer serve any purpose -- except to crackers who may find that X's password from some site that X last visited in 2007 may be quite useful elsewhere in 2012. This is a relatively simple process to implement, and it's something that some mailing lists have done for years. "Your subscription is expiring unless you do the following dance" doesn't work perfectly, but it's at least comprehensible to the overwhelming majority of end users because it fits conceptual models that they've seen elsewhere.

Of course this would mean that example.com would have to stop bragging about its 4 million users and admit that 3.7 million of them haven't been there more than once, thus its actual real live user base is 300K and won't the advertisers be VERY interested in that number? So the question becomes: does example.com really, truly, want to try to mitigate the risk to its users by aging out old and disused account data, or does it want to try to keep its stock price propped up and make its 3Q numbers based on a user count that's largely fictional?

Yes, well, I'm being cynical but I'm also serious: there are undoubtedly kazillions of completely disused accounts splattered across a hundred thousand web sites. Every single one of those that's deleted incrementally reduces aggregate risk, and if they're not actually being used, then there's no *technical* reason why they should remain.

As I said above, this isn't a solution: it's just mitigation. But it appears from this thread and many, many others over the years that we're some way off from a solution, so can't we at least agree to do what we can to shrink the size of the problem while we're arguXXXXdebating how to solve it?

---rsk
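The "your subscription is expiring unless you do the following dance" mechanism above is simple enough to sketch end to end. The following is an added illustration, not code from rsk or from any site mentioned in the thread; it assumes a hypothetical `accounts` table with `last_login` and `warned_at` columns, a one-year inactivity threshold and a 30-day grace period, and it uses a constructed in-memory SQLite database with four made-up users. A real deployment would send the notice by e-mail and run the two jobs from a scheduler, but the decision logic is exactly what is shown.

```python
import sqlite3
from datetime import datetime, timedelta

INACTIVE_DAYS = 365  # no login for this long -> send the expiration notice
GRACE_DAYS = 30      # days after the notice before the account is purged


def build_sample_db(now):
    """Constructed sample data: an in-memory accounts table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE accounts (
               username   TEXT PRIMARY KEY,
               last_login TEXT NOT NULL,   -- ISO 8601 timestamp, sorts as a string
               warned_at  TEXT             -- NULL until an expiration notice went out
           )"""
    )
    rows = [
        ("alice", now - timedelta(days=3),   None),                        # active
        ("bob",   now - timedelta(days=400), None),                        # dormant, never warned
        ("carol", now - timedelta(days=500), now - timedelta(days=45)),    # warned, grace expired
        ("dave",  now - timedelta(days=500), now - timedelta(days=10)),    # warned, still in grace
    ]
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(u, l.isoformat(), w.isoformat() if w else None) for u, l, w in rows],
    )
    conn.commit()
    return conn


def send_expiration_notices(conn, now):
    """Mark dormant, not-yet-warned accounts as warned; return the usernames notified."""
    cutoff = (now - timedelta(days=INACTIVE_DAYS)).isoformat()
    cur = conn.execute(
        "SELECT username FROM accounts WHERE last_login < ? AND warned_at IS NULL "
        "ORDER BY username",
        (cutoff,),
    )
    names = [r[0] for r in cur.fetchall()]
    # In a real system this is where the notice e-mail would be sent.
    conn.executemany(
        "UPDATE accounts SET warned_at = ? WHERE username = ?",
        [(now.isoformat(), n) for n in names],
    )
    conn.commit()
    return names


def purge_expired(conn, now):
    """Delete accounts whose grace period ran out without a login; return the usernames purged."""
    deadline = (now - timedelta(days=GRACE_DAYS)).isoformat()
    cur = conn.execute(
        "SELECT username FROM accounts WHERE warned_at IS NOT NULL AND warned_at < ? "
        "ORDER BY username",
        (deadline,),
    )
    names = [r[0] for r in cur.fetchall()]
    # Deleting the row is the point: a credential that no longer exists cannot leak.
    conn.executemany("DELETE FROM accounts WHERE username = ?", [(n,) for n in names])
    conn.commit()
    return names


def record_login(conn, username, now):
    """A successful login is 'the dance': it refreshes last_login and cancels any pending notice."""
    conn.execute(
        "UPDATE accounts SET last_login = ?, warned_at = NULL WHERE username = ?",
        (now.isoformat(), username),
    )
    conn.commit()


def remaining_users(conn):
    return sorted(r[0] for r in conn.execute("SELECT username FROM accounts"))


if __name__ == "__main__":
    today = datetime(2012, 6, 8)
    db = build_sample_db(today)
    print("notified:", send_expiration_notices(db, today))
    print("purged:  ", purge_expired(db, today))
    print("left:    ", remaining_users(db))
```

The two jobs are deliberately separate: the notice job is idempotent (an already-warned account is not warned again), and the purge job only removes accounts that were warned more than the grace period ago, so a user who logs in during the grace period is never deleted.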
On 09/06/12 05:48, Michael Thomas wrote:
Linkedin has a blog post that ends with this sage advice:
* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.
I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember each one of them and dutifully update them every month or two?
* Do not use the same password for multiple sites or accounts.
So the implication is that I have 100's of passwords all unique and that I must change every one of them to be something new and unique every few months. And remember each of them. And not write them down.
* Create a strong password for your account, one that includes letters, numbers, and other characters.
And that each of those passwords needs to be really hard to guess that I change to every few months on 100's of web sites.
I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does yours. So what you're telling me and the rest of the world is impossible.
What's most pathetic about this is that somebody actually believes that we all really deserve this finger wagging.
They have some things correct in this and some are complete hogwash. Changing your password does not provide any additional security. It is meant to give protection against your credentials having been discovered, but if they have been compromised in that way, they'll have the one you change it to in next to no time too. If the hashes have been compromised, then yes, it's time to change the password.

Having a different password for every website is very important though, as demonstrated many times when these lists of passwords and associated usernames turn up. Anyone who uses the same password on multiple sites will find that they have their accounts on multiple services accessed instead of just the original. What is needed are unique, highly difficult to guess passwords for each of them and that's where something like a password safe comes in. KeePassX is cross platform and can be configured so that it needs a key file and password. I keep several of them with varying levels of importance. My banking details safe is only opened on a very secure computer.

What LinkedIn need to do is improve their security so that they don't leak hashed passwords. Giving mostly correct advice like this shouldn't need to be prompted by a large security event.
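Both the unsalted-hash complaint earlier in the thread and the "don't leak hashed passwords" point here come down to how the stored value is derived. The example below is added for illustration and is not code from Ted Cooper, LinkedIn or any project in the thread. It contrasts a plain SHA-1 of the password with a per-user random salt plus a slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), using three constructed users; the point it makes concrete is that with unsalted hashes every user who picked the same password gets the same stored value, so one leaked table immediately reveals who shares a password, while salted storage removes that correlation and makes each guess expensive.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed sample users; "password123" is shared on purpose.
SAMPLE_USERS = {
    "alice": "password123",
    "bob":   "password123",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password):
    """The weak scheme: one fixed digest per password value, identical for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow storage format: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_hash_groups(table):
    """Given {username: stored_value}, return groups of users whose stored values coincide.

    This is what a leaked table hands to anyone holding it: with unsalted hashes,
    users sharing a password are visibly clustered before a single guess is made."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


def compare_schemes(users=SAMPLE_USERS):
    """Return (groups under unsalted SHA-1, groups under salted PBKDF2) for the same users."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return shared_hash_groups(unsalted), shared_hash_groups(salted)


if __name__ == "__main__":
    weak, strong = compare_schemes()
    print("users sharing a stored value, unsalted SHA-1:", weak)
    print("users sharing a stored value, salted PBKDF2: ", strong)
    stored = hash_password("password123")
    print("verify correct:", verify_password("password123", stored))
    print("verify wrong:  ", verify_password("password124", stored))
```

The salt is stored next to the digest in the clear; it is not a secret, its job is only to make equal passwords produce different records and to stop precomputed tables from applying to everyone at once. The iteration count is what slows down offline guessing against a stolen table, and it is recorded with each entry so it can be raised for new entries without invalidating old ones.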
On 06/08/2012 05:59 PM, Ted Cooper wrote:
They have some things correct in this and some are complete hogwash.
Changing your password does not provide any additional security. It is meant to give protection against your credentials having been discovered, but if they have been compromised in that way, they'll have the one you change it to in next to no time too. If the hashes have been compromised, then yes, it's time to change the password.
Having a different password for every website is very important though, as demonstrated many times when these lists of passwords and associated usernames turn up. Anyone who uses the same password on multiple sites will find that they have their accounts on multiple services accessed instead of just the original.
I agree that it's important, but everything about the current state of affairs makes that impossible except for geeks that care about password vaults, apparently. The great unwashed masses, however, do not do this and there is no reason to expect that they will do it any time soon.

My own experience with auto-generating hard passwords and dealing with password recovery is that it seems to work really well, and that it puts the onus on the *website* instead of the user. Every browser has a password rememberer these days that happily fills in your username and password. Every app that needs access can do the same thing. It doesn't get you key rotation [*], but with passwords which are essentially random and unique per site it's less necessary because you don't have the cross-site contamination vulnerability.

Mike

[*] key rotation is largely orthogonal, but I suppose that it's feasible to cook up a scheme that even got you that.
On Fri, Jun 8, 2012 at 9:48 PM, Michael Thomas <mike@mtcc.com> wrote:
Linkedin has a blog post that ends with this sage advice:
The sagest of which is to ask you to change your password on LinkedIn itself, *before* actually plugging the hole that led to the passwords leaking in the first place. Almost as sagely, they're only invalidating the passwords positively identified as having leaked, rather than assume all have, despite several security researchers concluding that the passwords that were posted publicly were only a subset of those that were stolen. -link
participants (19): Alec Muffett, Andrew Sullivan, Jay Ashworth, JC Dill, Joe Maimon, Joe Provo, JoeSox, John Adams, John Levine, Lyndon Nerenberg, Michael Thomas, Owen DeLong, Paul Graydon, Rich Kulawiec, Simon Perreault, Ted Cooper, Terje Bless, Tyler Haske, valdis.kletnieks@vt.edu