Password Security Catch-All Thread

Gremlin wrote:

So, who's looking forward to the Internet of Things? :D

I'm going to be in Dubai next month for the Internet of Things World Forum (not as an attendee, but my company is working the event). Frankly, any time I see a demonstration or talk about the "Internet of Things", I hope to hear how fundamental security issues are going to be addressed, but it just doesn't seem to come up.

Much as I dearly love computers the Internet of things sounds genuinely terrible.

Heck, it's the internet of things that make internet thing. Many factory assembly lines are now connected to corporate networks, and are therefore hackable. We aren't quite to the point of Vinge's "Rainbows End" yet, but I'm already wondering how long it will be before we see a Stuxnet-like failure on an assembly line.

DanB wrote:

Much as I dearly love computers the Internet of things sounds genuinely terrible.

This. Here's a "hilarious" example.

Did anyone else have LastPass get disabled by Firefox? Something about a failure in add-on signing?

Edit: never mind, I figured it out, you just have to re-install the plug-in.

WizKid wrote:

Did anyone else have LastPass get disabled by Firefox? Something about a failure in add-on signing?

Edit: never mind, I figured it out, you just have to re-install the plug-in.

When I updated to the 64-bit build that happened to me.

EvilDead wrote:
WizKid wrote:

Did anyone else have LastPass get disabled by Firefox? Something about a failure in add-on signing?

Edit: never mind, I figured it out, you just have to re-install the plug-in.

When I updated to the 64-bit build that happened to me.

It was disabled for me today. I didn't (intentionally) upgrade to the 64-bit build, but it says I have Firefox 43 so maybe that's what happened.

Firefox 43 requires extensions to be signed/verified. Removing and re-adding LastPass gets you the latest version of the extension, which is signed.

My work is changing their password policy:

As [we] continues to grow, we become more of a target for hackers. As is our policy we have just concluded our annual network security assessment from a third party and have been advised to make the following changes to password security. Our current password policy was the same as some of the larger companies that have had recent network breaches. For policies similar to ours, 7% of the passwords can be compromised within 10 minutes. Passwords such as Winter2015 or any proper name followed by a number like Jimmy0827 are easily hacked with the sophisticated software and hardware that these hackers have access to. What is sometimes forgotten is that your password is not just access to your email, it is also access to our network. So although you may not consider your email as having anything sensitive, hackers use the logins to access all of the network, not just emails.

With this in mind, we are changing our “password” policy to a “pass phrase” policy. Starting on January 4th, any new or renewing passwords will be required to use a minimum of 13 characters. While long “passwords” can be hard to remember, “pass phrases” should be a lot easier. They can be anything from a simple sentence, song lyric, or movie titles. They can and are encouraged to use spaces, punctuation and capitalization.

Here are a couple examples:
I have 3 kids.
Eye of the Tiger!
The Wizard of Oz.

Requirements for the policy are as follows:
1. Minimum of 13 characters (spaces and punctuation count as characters)
2. Contain three of the following four: Upper case, lower case, number, or symbol
3. You cannot use part of your user name. (Example: username john.smith cannot use “I love John Deere!”)
We appreciate your cooperation in helping us as we grow as a company to be as secure as we possibly can.

Thoughts?
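An added example (not from the thread or the company's IT department) of what the three requirements quoted above look like as a checker. "Part of your user name" is not defined by the policy; the code assumes it means any dot-separated piece of the user name of three or more characters, matched case-insensitively, and assumes a space counts as a character but not as a "symbol".

```python
import re

MIN_LENGTH = 13  # requirement 1: spaces and punctuation count towards the length


def character_classes(pw: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) pw contains."""
    classes = set()
    for ch in pw:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif not ch.isspace():
            classes.add("symbol")  # punctuation or any other non-space character
    return classes


def username_parts(username: str) -> list:
    """Split 'john.smith' into ['john', 'smith'] (assumed reading of 'part of your
    user name'); pieces shorter than three characters are ignored."""
    parts = re.split(r"[^a-z0-9]+", username.lower())
    return [p for p in parts if len(p) >= 3]


def check_passphrase(pw: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the passphrase is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < 3:  # requirement 2: three of the four classes
        problems.append("fewer than three of: upper, lower, number, symbol")
    lowered = pw.lower()
    for part in username_parts(username):  # requirement 3
        if part in lowered:
            problems.append(f"contains username part '{part}'")
    return problems


if __name__ == "__main__":
    for candidate in ["I have 3 kids.", "I love John Deere!", "Winter2015"]:
        print(candidate, "->", check_passphrase(candidate, "john.smith") or "accepted")
```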

Pass phrases are easy to remember which might be a problem if someone sees your password.

I think "Ih3kthteott" is far better than "I have 3 kids that have the eye of the tiger". Both are easy to remember but only one can be remembered at a glance.

http://imgs.xkcd.com/comics/password_strength.png

Passphrases have some issues (if they're known to be just words they can often be dictionary-guessed, for one) but they're leaps and bounds better than the 'password1234' things that usually get used now. If you're implementing a password policy, you have to keep how people are actually going to use them in mind, not just the theoretical safest way.

A password manager that sits behind a nice long complex passphrase is closest to ideal that we have at the moment. Even that has its weak points, but security is inherently a long series of tradeoffs.

Password phrases are only "hard" to guess, as xkcd claims, if you attempt to guess them on a character-by-character basis. Cracking tools have been updated to run dictionary attacks of multiple space-separated words, which drops their difficulty to crack significantly.

That said, for the average dumbass user, using passphrases is probably a step up from the horrible short 1-word-with-maybe-a-number passwords so many of them are using now.

The policy's suggestion of movie titles and song lyrics is rather unnerving, though.

Yeah, for a passphrase to be more secure than a normal password, the words should be random, and definitely NOT lyrics, quotes, or any other normal arrangement of words.
'We come from the land of the ice and snow' is far worse than 'song zeppelin houses viking', which is, admittedly, still not great.

duckilama wrote:

'song zeppelin houses viking', which is, admittedly, still not great.

Great, now I have to change all my passwords. (Though to be clear, the pass phrase came from my WIP alternate history novel about the noble houses of Zeppelin and Harald Hardrada fighting for control of the skies of Europe in mighty clinker airships, A Song of Ice and Thermite.)

Passphrases are a reasonably good idea; the possible issue is that many people will likely converge on similar, redundant, easily guessable phrases if left to their own devices; the abc123 problem once again. Also the email as sent will almost certainly encourage people to reuse the 3 given examples. My friend at Cambridge Uni is a sys admin there and they have a fairly vast blacklist of passwords and passphrases which are rejected if users try them.

Ideally providing users with a clientside tool which generates a long(ish) actually random passphrase would be better.
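An added example (not code from anyone in the thread) covering the two points made above: the word-level cracking model from the "space-separated words" post, and the random-word generator suggested here. It uses Python's `secrets` module for the picks, a constructed eight-word stand-in for a real wordlist, and two assumed sizes for the estimates: 7776 words for a diceware-style list and one million entries for a cracker's list of known lyrics, titles and quotes.

```python
import math
import secrets

DICEWARE_SIZE = 7776          # assumed: size of a standard diceware list (6**5)
PHRASE_LIST_SIZE = 1_000_000  # assumed: entries in a cracker's lyric/quote/title list

# Constructed stand-in wordlist; a real generator loads the whole list from a file.
SAMPLE_WORDS = ["song", "zeppelin", "houses", "viking", "ice", "snow", "land", "come"]


def random_passphrase(words: list, count: int = 4) -> str:
    """Pick `count` words uniformly with a CSPRNG (secrets, never random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def char_model_bits(phrase: str, alphabet: int = 27) -> float:
    """Per-character estimate (26 letters + space): the model under which
    any long phrase looks strong, and the one the xkcd comic is read as using."""
    return len(phrase) * math.log2(alphabet)


def random_words_bits(word_count: int, dictionary_size: int = DICEWARE_SIZE) -> float:
    """Entropy when each word is an independent uniform pick from the wordlist:
    this is what a word-level dictionary attack actually has to search."""
    return word_count * math.log2(dictionary_size)


def known_phrase_bits(phrase_list_size: int = PHRASE_LIST_SIZE) -> float:
    """A lyric, movie title or quote is one guess among the cracker's phrase list,
    however many characters it has."""
    return math.log2(phrase_list_size)


def words_needed(target_bits: float, dictionary_size: int = DICEWARE_SIZE) -> int:
    """Smallest number of random words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def compare(lyric: str, word_count: int = 4) -> dict:
    """Side-by-side estimates, in bits, for a lyric versus random words."""
    return {
        "lyric_char_model": round(char_model_bits(lyric), 1),
        "lyric_phrase_list": round(known_phrase_bits(), 1),
        "random_words": round(random_words_bits(word_count), 1),
    }


if __name__ == "__main__":
    print(compare("We come from the land of the ice and snow"))
    print(random_passphrase(SAMPLE_WORDS), "->", words_needed(80), "words for 80 bits")
```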

DanB wrote:

Ideally providing users with a clientside tool which generates a long(ish) actually random passphrase would be better.

At one of my aerospace jobs, we used a DEC VAX/VMS system. When you needed to reset your password, the system would present you with a short list of nonsense words that it made up of syllables that you might be able to remember. You could only use passwords from these lists, although if you did not like any you could keep requesting a new list until it gave you one you could remember.

This was before the internet was widely available, and this particular system was completely isolated from other networks anyway.

There are really two separate problems here:

1. How do I generate a password for myself that gives me the security I need.
2. How do we set up a password policy so the average user has a decent password (and more importantly, decent security, which isn't quite the same thing).

Gremlin wrote:

There are really two separate problems here:

1. How do I generate a password for myself that gives me the security I need.
2. How do we set up a password policy so the average user has a decent password (and more importantly, decent security, which isn't quite the same thing).

The answer isn't better password policies, it's to do away with passwords. Multifactor authentication that relies on what you have (usually a phone) and what you are (some form of biometrics) is far more secure than what you know (a password or phrase); once made easy, this will trump passwords in a material way.

Biometrics are terrible for security because if people manage to spoof my identity I can't go out and generate new retinas, DNA or fingerprints.

Public-private key encryption on the other hand lets me verify my unique identity (somewhat anonymously), and if it is compromised I can trivially pick some other massively long number; updating it invalidates any compromised credentials in the wild.

DanB wrote:

Biometrics are terrible for security because if people manage to spoof my identity I can't go out and generate new retinas, DNA or fingerprints.

On top of the problem of revocation, biometrics are terrible in that, once leaked, they are uniquely identifying to you. It's like using your social security number for your password. When leaked, it's not only a key to an account, but also an identifying piece of data that links your real life self to that account.

A leaked password lets me get into [email protected]'s account. A leaked fingerprint provides a way to track down who personhater4 actually is.

Biometrics are, as has been pointed out, flawed. On top of the revocation issue and the uniquely identifying issue, all of the easy biometrics can be detected by far more than the intended user.

I literally leave my fingerprints all over the place, including the surface of my smartphone. And you don't even need that: high-res photos of fingers are sufficient to recreate fingerprints. Eye scans can be hacked with a printout of a photo of an iris that's only 75 pixels across.

I think fingerprint access to smartphones provides one huge win though--it encourages people to create stronger passwords, or to create passwords in general. While it's possible to lift a print off of whatever, this is a much higher barrier than the phone not having a password because the owner doesn't like typing one in. Or having a simple 4-digit code like 1234. Remember that the most commonly used password on the internet is 123456. Simply reducing the frequency that someone has to remember/type a password tends to incline people towards using more secure passwords, and that's a good thing.

Fingerprint for phone unlocking isn't terrible, as it's localized (it's just on my phone, not a remote account). It's basically an alternative to leaving the phone unlocked completely, as people would do because passwords for each unlock are a hassle.

Here is some security hilarity.

The wife and I have decided to start using a food delivery service (because we have no convenient supermarkets and currently no regular car access). We've gone with these guys https://www.riverford.co.uk/ as we've had personal recommendations.

Although the site looks nicely built and modern, filling out account details, addresses and billing info was NOT a user-friendly experience; however, the real horror came with entering my credit card details. They are not handling this themselves and are using the 3rd party service www.worldpay.com

That's not so unusual and I didn't think so much of it until worldpay sent me 2 emails in plain text.

Email 1:
A welcome email featuring an agreement ID which identifies my account sent in plain text
If you have compromised my email you can use this number and my email address to reset my password

Email 2:
Worldpay account details.
My account details including my password in plain text; which I guess I don't have to explain.
The email also includes an instruction that I should "change it to something easy to remember"

So I changed my password to something more secure but also discovered along the way they won't accept passwords longer than 12 chars.

On the plus side there appears to be no trivial way you can get my full CC number from worldpay but you can extract enough information to masquerade as me with just about any other service I use (last 4 digits of CC, billing address, etc...)

I am pretty f*cking amazed and outraged

I signed up for something this weekend and they made me change my password from the automatically generated one on my first login. Probably a good policy, right? Sure so I generated a nice 24 character password with LastPass and updated it. Then I got the password confirmation email, also fairly good policy right?

Except my super strong password was in plain text in the email.

This isn't 100% related but ProtonMail in Switzerland looks like an interesting end-to-end, clientside encrypted webmail service. You can reserve your name and get access in about a week. I've held off from donating until I'm able to have a play with it.

https://protonmail.com/invite

DanB wrote:

This isn't 100% related but ProtonMail in Switzerland looks like an interesting end-to-end, clientside encrypted webmail service. You can reserve your name and get access in about a week. I've held off from donating until I'm able to have a play with it.

https://protonmail.com/invite

That's cool, except the problem with end-to-end security has always been getting people you want to send email to support it. Me and my five crypto buddies might all use GPG or ProtonMail or whatever, but 99% of the people I want to contact will never do so.