Do you use Fring? Do you change your passwords regularly? If you answered yes to both then you're lying, as Fring has admitted that changing the password isn't an option. Fring is an identity-aggregator which combines instant messaging and VoIP applications, routing connections through its servers to provide an integrated …
My immediate reaction...
...was to hold my hands up in horror and say "you can't change your password?!? WTF?"
Being able to change the password isn't a new or novel concept.
These guys need a good kick in the collective scrote.
Fine as an option, just don't mandate it please
Across the IT world every month millions of people change their passwords by increasing the single digit they were forced to put in by 1.
I seriously wonder what the point is, if the password is sufficiently complex and the system has measures in place to block + warn of brute force attempts, what is it helping?
Is "Tommy1", "Tommy2", "Tommy3" etc really good practice? The fact is if the password is not good enough, changing the number every 30 days isn't going to magically improve it.
Oh come on..
How hard can "to send a new password to your email address, click here" be to implement? As hard as PHP mail()? Christ...
Password changing is security theatre
Nobody has ever explained to me why I should change my password regularly. I much prefer to choose a good, secure password once, and then keep it. If I have to change my password regularly, inevitably I have to resort to simpler passwords, since there's no way I can come up with a new memorable-but-secure password every few months.
Yes, I have had to resort to this on several occasions - I choose a nice secure password the first time I create an account, then some brain-dead administrator forces me to change it. After three or four password changes, I end up having to resort to "StupidFirstPassword", "StupidSecondPassword", etc., or writing the password on a post-it in my desk drawer. Not very secure, but the only realistic way to keep all the passwords straight.
Obviously this assumes you don't do stupid things, like enter your password into unencrypted forms. But if you do that sort of thing, changing your password regularly isn't going to help you.
Strength in depth
The normal reason is that IF someone does manage to guess your password (or read it over your shoulder, or install a key-logger, or just replay the content of the traffic etc.) they will only have access to your account for the life of that password. Once you change it they will have to go through the same process to access your account.
Pretty straight-forward reason really.
Two words: Rainbow Tables
Just how secure does your password have to be to make it unbreakable in 30 days of computing time?
That said, for some purposes I tend to agree that regular password changes aren't necessarily the best idea.
The only benefit of regular password change is to prevent further exploitation of an undetected compromised password.
Damage limitation, but, how often can damage be done undetected?
If you are going to hassle users better to concentrate on avoiding damage in the first place.
The link I previously posted had some interesting cost vs benefit analysis.
Same password for everything, eh?
"Nobody has ever explained to me why I should change my password regularly."
That wasn't the point: The point is that you _can't_ change it.
Tell us that you don't need to change password? Ever.
It shouldn't be hard
Fring should just have the real password a secret, and let the user have a meta-password which unlocks the single real Fring password to unlock the various protected passwords.
When the Fring user wants to change his Fring password (the meta-password) the real secret password doesn't change but is just re-encrypted with the new meta-password.
SSH public keys are often protected in a similar way.
I expect that all Fring users will need to create a new account ^H^H^H^H^H^H^H upgrade their account to use the new secure "you can change your password" feature.
If Fring are doing it right...
...even they won't know what your password is. That's what (preferably salted) MD5 is for, or more recently, the various SHA hashing algorithms. All they have in their database is a jumble of characters. Go look up "one way encryption" for more information.
Doesn't explain why you can't have a new randomly-produced password mailed to you though. The password is then valid for the next 24 hours and if used, replaces your old password. Hell, I've written things similar to this myself. Fring, get in contact. I'm looking for some work at the moment. I hear £60/hour is dirt cheap for an IT consultant.
And if a service lets you have your existing password mailed back to you, be afraid. It means they store your password in plaintext.
Never heard of them. And it sounds like there's a reason for it.
The importance of regularly changing passwords
I always distrusted Fring anyhow.
What's the source of revenue for an app that stores a bunch of your usernames and passwords? I'm glad now that I decided against using it and waited for native Skype on my phone, so I only have one (changeable) password to remember.
Another service I will not be using
Thank you, El Reg, for keeping me informed of all these malware services I do not want to touch with a 20-foot bargepole.
On a related note, who the hell thought it was a good idea to never even ALLOW password changing? In what IT universe does that person exist? Does he use Hotmail?
What's so special about: ************ ?
Certain attacks are impossible -
- if your Fring password isn't actually stored, it's just used to unlock your vault. What I mean is, there isn't a table of seeds or hashes, a list of users who can be ripped off wholesale, the only thing there is data files that are encrypted with users' individual passwords.
(1) You still could change password by providing the old password to decrypt your vault and a new password to encrypt your vault again;
(2) It's worth attacking if one very valuable password is in there (bet someone already tried to get the nuclear launch command codes out of one Very Important Person's Blackberry);
(3) Dictionary Attack.
But at least no rainbow tables. If they do guess Obama's password then I (hypothetically using the service too) am safe, except from the nukes.