The Register® — Biting the hand that feeds IT

Feeds

Fring cops to unchangeable passwords

Do you use Fring? Do you change your passwords regularly? If you answered yes to both then you're lying, as Fring has admitted that changing the password isn't an option. Fring is an identity-aggregator which combines instant messaging and VoIP applications, routing connections through its servers to provide an integrated …

This topic is closed for new posts.
Anonymous Coward
FAIL

My immediate reaction...

...was to hold my hands up in horror and say "you can't change your password?!? WTF?"

Being able to change the password isn't a new or novel concept.

These guys need a good kick in the collective scrote.

dave 46
Grenade

Fine as an option, just don't mandate it please

Across the IT world every month millions of people change their passwords by increasing the single digit they were forced to put in by 1.

I seriously wonder what the point is, if the password is sufficiently complex and the system has measures in place to block + warn of brute force attempts, what is it helping?

Is "Tommy1", "Tommy2","Tommy3" etc really good practise? The fact is if the password is not good enough, changing the number every 30 days isn't going to magically improve it.

M Gale
FAIL

Oh come on..

..really?

How hard can "to send a new password to your email address, click here" be to implement? As hard as PHP mail()? Christ...

Ami Ganguli
WTF?

Password changing is security theatre

Nobody has ever explained to me why I should change my password regularly. I much prefer to choose a good, secure password once, and then keep it. If I have to change my password regularly, inevitably I have to resort to simpler passwords, since there's no way I can come up with a new memorable-but-secure password every few months.

Yes, I have had to resort to this on several occasions - I choose a nice secure password the first time I create an account, then some brain-dead administrator forces me to change it. After three or four password changes, I end up having to resort to "StupidFirstPassword", "StupidSecondPassword", etc., or writing the password on a post-it in my desk drawer. Not very secure, but the only realistic way to keep all the passwords straight.

Obviously this assumes you don't do stupid things, like enter your password into unencrypted forms. But if you do that sort of thing, changing your password regularly isn't going to help you.

fatchap
Go
Reply Icon

Strength in depth

The normal reason is that IF someone does manage to guess your password (or read it over your sholder, or install a key-logger, or just replay the content of the traffic etc.) they will only have access to your account for the life of that password. Once you change it they will have to go through the same process to access your account.

Pretty straight-forward reason really.

Cameron Colley
Reply Icon

Two words: Rainbow Tables

Just how secure does your password have to be to make it unbreakable in 30 days of computing time?

That said, for some purposes I tend to agree that regular password changes aren't necessarily the best idea.

JP19
Reply Icon

Limited reasons

The only benefit of regular password change is to prevent further exploitation of an undetected compromised password.

Damage limitation, but, how often can damage be done undetected?

If you are going to hassle users better to concentrate on avoiding damage in the first place.

The link I previously posted had some interesting cost vs benefit analysis.

Anonymous Coward
Thumb Down
Reply Icon

Same password for everything, eh?

"Nobody has ever explained to me why I should change my password regularly."

That wasn't the point: The point is that you _can't_ change it.

Tell us that you don't need to change password? Ever.

Sam Liddicott

It shouldn't be hard

Fring should just have the real password a secret, and let the user have a meta-password which unlocks the single real Fring password to unlock the various protected passwords.

When the Fring user wants to change his Fring password (the meta-password) the real secret password doesn't change but is just re-encrypted with the new meta-password.

SSH public keys are often protected in a similar way.

I expect that all Fring uers will need to create a new account ^H^H^H^H^H^H^H upgrade their account to use the new secure "you can change your password" feature.

Sam

M Gale
Reply Icon

If Fring are doing it right...

...even they won't know what your password is. That's what (preferably salted) MD5 is for, or more recently, the various SHA hashing algorithms. All they have in their database is a jumble of characters. Go look up "one way encryption" for more information.

Doesn't explain why you can't have a new randomly-produced password mailed to you though. The password is then valid for the next 24 hours and if used, replaces your old password. Hell, I've written things similar to this myself. Fring, get in contact. I'm looking for some work at the moment. I hear £60/hour is dirt cheap for an IT consultant.

And if a service lets you have your existing password mailed back to you, be afraid. It means they store your password in plaintext.

Frank Sattler
FAIL

Who's Fring?

Never heard of them. And it sounds like there's a reason for it.

JP19

The importance of regularly changing passwords

http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/

Cameron Colley

I always distrusted Fring anyhow.

What's the source of revenue for an app that stores a bunch of your usernames and passwords. I'm glad now that decided against using it and waited for native Skype on my phone so only have one (changeable) password to remember.

Pascal Monett

Another service I will not be using

Thank you, El Reg, for keeping me informed of all these malware services I do not want to touch with a 20-foot bargepole.

On a related note, who the hell thought it was a good idea to never even ALLOW password changing ? In what IT universe does that person exist ? Does he use Hotmail ?

Winkypop
Joke

Password?

What's so special about: ************ ?

Robert Carnegie

Certain attacks are impossible -

- if your Fring password isn't actually stored, it's just used to unlock your vault. What I mean is, there isn't a table of seeds or hashes, a list of users who can be ripped off wholesale, the only thing there is data files that are encrypted with users' individual passwords.

However:

(1) You still could change password by providing the old password to decrypt your vault and a new password to encrypt your vault again;

(2) It's worth attacking if one very valuable password is in there (bet someone already tried to get the nuclear launch command codes out of one Very Important Person's Blackberry);

(3) Dictionary Attack.

But at least no rainbow tables. If they do guess Obama's password then I (hypotheitically usingdthe service too) am safe, except from the nukes.

This topic is closed for new posts.