Nature security breach prompts password reset
The website of science journal Nature has suffered a security breach that resulted in the potential exposure of users' login credentials. The login credentials were stored in an encrypted form, making them hard to extract. But Nature.com has still opted to reset the passwords of affected users, as a precaution. Nature.com sent …
Ordinary people are kinda in a pickle. They're told not to write down passwords (since they can be intercepted or copied), and you hear news of biometrics systems being tricked, which leaves one recourse for users: rote memorization. Thing is, even the human brain has its limits, and scrambled-up passwords (the best kind) are hard to remember one, let alone a bunch. Little wonder passwords are recycled--nothing feels worse than a forgotten password. So I ask this of the tech world. How can people surf securely, even to such places as banking sites, while having a bad memory?
What's the real risk of the cross site password attack?
Lets say that the hackers manage to decrypt a password. They know it's a password that belongs to John Smith because that data was there as well.
How do you from there to hacking John Smiths paypal account, or his ebay account, or his bank account?
If they had got john smiths email address it might become possible, for some sites at least, although probably not his online banking (if they could even guess what bank he used).
But based on what's been reported here, there's virtually no danger through using a common password, at least in this case.
Thats why I dont bother with remembering passwords anymore. I just use passwordsafe (free at http://passwordsafe.sourceforge.net/ )
Of course this brings the problem that you have to remember the original password, and if someone got into that then they would have all of your passwords. If your really paranoid you can put your password file inside something like a truecrypt volume.
At the most you then have 2 passwords to remember, you can also bring it with you (portable cd/usb etc) just make sure you always have a good backup of it.
Ill grab my coat, its the one with the 30 character randomly generated password written on the post-it in the inside left pocket.
"So I ask this of the tech world. How can people surf securely, even to such places as banking sites, while having a bad memory?"
I dunno, a locally stored encrypted file with all your passwords stored in maybe? Only one (strong) password to remember, and your data is relatively safe (what are the odds of a physical security breach PLUS a cracking of you 256-bit AES encrypted file?)
Depends on whether the password hashes were salted or not. If we assume for a moment that this is the result of an SQL injection attack then it's likely that the attackers have the user's email and a hashed password. If the hashes were not salted then a good number of them will be retrievable in a short space of time using rainbow tables. As the article says, with this info the attackers will then be in a position to log in to more valuable accounts elsewhere, such as paypal, which also asks for email address + password.
A quick look at Nature.com reveals they use email addresses as user names, do those may well have been compromised as too.
It's not implausible that if a gang of would-be identity thieves were able to acquire a large number of username/password pairs for any site they would have some success logging into more sensitive sites by trying those pairs.
For that matter, anyone who legitimately has access to usernames and passwords (e.g. Nature) could do the same thing.
I'm a reasonably security paranoid person, and yet I still don't have 50 different passwords for the 50 different web sites I visit that require authentication. (OK, maybe there aren't 50 of them but there are certainly a lot.) I keep separate passwords for highly secure sites (banking, etc), but sites that aren't storing secure information for me don't get unique passwords. The survey would suggest that there are really folks out there that have a unique password for each and every podunk web site that requires authentication. Really? Are you out there? How on earth do you remember that many passwords?
So, I might make a a word such as k1prn@ts (pron kippernats) as a password, which i find makes them easily remember-able yet obscure enough to make them virtually immune to simple brute forcing or social engineering tricks.
If you need a good 'strong' password, take a phrase, book, or film title (with several words) that you easily remember and use the initial (or last, or second, or whatever) letters. Phrases or titles with numbers and names are especially useful
For example:
"Snow White and the seven dwarfs" could become SWat7d.
Not long enough? Use "Disney's Snow White and the seven dwarfs" - D'sSWat7d
(P.S. probably not a good idea to use this example as a password now...)
Exactly Charles.
Bank sites and anything else that accesses money should use two-factor authentication. Making people generate obscure passwords and change them every 5 minutes is less secure, not more.
For a bunch of sites (like Nature), the password is securing their data, not mine. So they get a very simple password - if they try to force me out of this, chances are I won't use the site at all.
http://passwordmaker.sourceforge.net/
As long as I have internet, I have access to all my passwords, and as they are not stored anywhere, you can't find 'em.
(although I do keep a backup of some of them within a truecrypt file on ma computer!)
Despite working in an environment which encourages good security practices I will happily admit to using common passwords across websites. My only saving grace is that I have three passwords of different complexity for 'normal' sites where sites such as ElReg get a low grade password, since when it comes right down to it I there is no risk to me in any data you may have kept about me, while sites where I have 'reward points' (frequent flyer/supermarket etc) get a higher complexity since the points have a value of sorts.
When it comes to online banking etc each site has it's own password of at least 10 characters plus one bank has given me a secureID type token generator. This brings the password total to about eight which is about as many as I want to try to remember since I don't want to cycle through them to find the right one.
Using the interesting characters at the back-end of "ASCII" (using ALT-numeric pad ) you can create a map of your route to work, say, (possibly with some smiley faces 0x01 & 0x02 representing places where nice people live). Since pictures are easy to remember it's a doddle to produce a 64-character (8x8) password.
I use it all the time.
Nice one. So, courtesy of whoever purloined this lot in conjunction with the nice template reproduced here, I foresee a few mails going out to those addresses along the lines of:
"I regret to inform you that our Press Site...........<blah>......please reauthenticate your details at the following URL: http://moodyserver2.thieves.are.us."
"create a map of your route to work"..."0x01 & 0x02"..."Since pictures are easy to remember it's a doddle to produce a 64-character (8x8) password."
Interesting... so, you found a bank (or other organization) whose website:
-will take a 64-char password (never seen any but why not)
-allows the full ASCII range in passwords (a lot of those I've seen don't even allow punctuation marks)
-displays passwords as you type them (erm)
-allows 7 line breaks in passwords so as to make a 2-D, 8x8 picture.(*cough* *cough* *cough*)
Wow. Just wow.
Not to mention that it would be, like, 210 key strokes. Efficiency at its best ;-)
"I use it all the time."
I'm sure you do. As for me, I just code a SSH client (in C) in the password field, that connects to my computer and retrieves the password directly from the corresponding file. As coding in C is easy, and the actual passwords are stored on your machine, it is a doodle to have passwords the length you wish. I use mp4 movies as passwords all the time.
Now I'm sure that's not what you meant, but it did sound like it....
Sign up, sign up for The Register's weekly IT security newsletter - click here
