Computer scientists have discovered that password re-use is far more prevalent than previously thought after comparing a sample of matched passwords that spilled out at a result of the revenge attack by Anonymous against security researchers HBGary with the earlier Gawker password breach sample set. Hackers affiliated with …
or Lastpass for free. Allow you to generate complex random passwords when you sign up for things online. Remembers them for you too.
No affiliation, just a happy user.
Title like thing
Maybe the researchers should drop an email to the addresses involved and just ask the users whether, as at x date, they used the same password in a more secure site as well?
I'd imagine that those who answer would be fairly honest especially if they are told "it's for science"
KeePass is good too (and also free).
Browsers could probably handle this a lot better than they currently do.
Especially when used with Dropbox. Also both have Android apps (probably for other platforms too but I don't have the money to buy the handsets to check)
iphone/ipad have it
but you can't move the file between DB and KPX like you can on an Android
Why go to the trouble of generating complex random passwords if you're then going to store them all on the same electronic post-it? How long until someone cracks that and gets all your passwords at once?
I second that!
I've never understood the password vault model - much better to have a system that generates a strong password every time from something memorable. I use Deadbolt Password Manager (http://www.deadboltpasswordgenerator.com)
1. You can store the vault in a more secure location then real post-its. To crack the vault you have to be able to get your hands on it first.
2. A vault can be copied to additional locations so you can have access to your passwords from multiple locations if necessary.
3. Unless you use a weak password for the vault or the vault has a weakness in key generation, you should have changed your passwords at least once sometime in the years it will take to crack.
The problem I find, with this situation, is that, these days, there are just so many things that want to be password protected.
If you do (as we all know we should) and have a different complex password for everything that requires one, AND change them every 6 weeks (or whatever) then you are going to need some way of storing them.
I know that where I work, due to the 6 week change policy, and (seemingly) infinite password history for one of our pieces of software, many of our users do the password1, password2 etc.. method, others keep them written in their draws.
Is it really any worse to have, say 4 or 5 passwords ranging from one or two for very important things, a couple of less important things, and one for all those websites that you use your old dead email account to sign up to?
and for all the commentators suggesting password storing services and / or apps what if keePass / Roboform / Lastpass get hacked? You are potentially really f**ked then!
I have enough trouble trying to remember Pins for anything other than the three bank cards I use most, the lesser used ones - forget it.. I tried recently to remember a replacement one for another card but then the pin for one of the cards I use all the time just dropped right out of my head. That was really frustrating, realising this as trying to use it. And the last thing I want to do is re-use card pins!
I also recently upgraded a bank account to get all the extras it came with which resulted in a heap more passwords <and User names!> to try and remember for the different services.. Why not just use the email address as user name or better still let me get to the services via the internet banking!
Good article. It's really not that surprising to find high degree of password re-use as well as easily compromised passwords. There are some easier ways to create secure, unique and easy to remember passwords. More good tips - http://dshepherdhowto.com/password-recreational-browsing/
Blackberries have a "password storage app" for storing passwords (duuuuuh), and it has a "generate random password" feature. I've been using it lately for site passwords I don't really trust. I used to have a generic password for non-critical sites, but that one was cracked by the Gawker bust. So now I've changed passwords, and any site that looks like it might have the Gawker "security" model will have a random generated password.
You shouldn't really just MD5 the password, otherwise you might as well store it in plain text, rainbow tables make it just as easy to find out what it is. Really you should mix it with some other stuff first, for instance we have a GUID for each user which can't change and then password is combined with the GUID for the user...
Re: Bad dev
I thought md5 was a hash function. It's not reversible?
It is but unless you 'salt' the hash by combining other unknown data with it you are vulnerable to raindow tables and such like (a rainbow table is a precomputed hash of known weak passwords, so all you have to do is look up a hash that matches your unknown password and you either have discovered the password, or lucked out and found a string combination which yields the same hash as the hash to be cracked).
In the past I have used guid's (like Tom 15 suggested) and other unique readonly identitifiers associated with a users account along with a secret key value all concatenated together before the hash is generated. That way in order to crack the password not only would the cracker have to guess a unique value generated by the users account being created, but the users password and the secret key which is highly. Although if the servers are rooted your probably buggered as all this does is make the hashes rainbow table resistant, weak passwords still are vulnerable to brute force etc.
Re: Re: Bad dev
Correct, but the previous poster was referring to a technique called salting I believe.
If the password is hashed then a rainbow table (which can be downloaded nowadays I bet for common hashing mechanisms) can be generated and compared against the hashes i.e. the same password will always generate the same hash (you can even see which accounts share the same hash and therefore the same password.)
If you use salt added to the password before you hash then even identical (entered) passwords will be different due to the salt; a hacker would have to generate a rainbow table for each account using the salt; it makes brute forcing harder (not impossible) as each password has to be individually attacked.
GUIDs are a good salt as they are random. Database IDs are not so good as it is not uncommon for the admin user to be user #1 so it is quite easy to pre-compute a rainbow table with a 1 prefix/suffix to common passwords and word lists.
How you merge the salt with the password can help if you avoid just prefix/suffix and find some other way of merging the salt and password together before hashing, but now we are heading into security through obscurity territory - adventurers beware.
Security however is through depth as well as breadth.
"weak passwords are still vulnerable to brute force etc"
I do a similar thing to disguise passwords as you (my method involves ROT-PRNG on the password characters along with a 20-character string interlaced with them) but there is one more thing I do to reduce the chance of brute-forcing, and it's something that used to be done a lot in days of yore but of late seems to have been forgotten.
That is, limit failed login attempts. My method is 3 strikes and the account is locked, and the owner sent an email advising them of the hack attempt, with a link for them to click on to reactivate the account. (The link doesn't log them in though, they still need to enter username and password to do that.) So attempting to log in on one of my customers' accounts means you need to get it right within 3 tries or fail completely. It's easy to do, and compensates a lot for peoples' tendency to use weak passwords.
Finally, my system logs the IP addresses of repeated login attempts after an account is locked, and notifies me of the ISP owning that address so I can advise them of the hack attempts if necessary.
Surely you want to merge the salt with the password after hashing, otherwise you can never work out the salt. I personally think a security mistake some people make is to not alter the salt after a password change, it becomes plainly obvious were the salt is.
The whole business of hashed passwords is imo security though obscurity. Sure, a password hash can't be actually be reversed but it needs to be consistent, so guesswork will eventually win out... then salting, separated fields, for password and salt.... easily known salt... (might make it 1000 times harder there)... an unknown salt at least requires a bit more work to find out where the salt is, unless of course, there is a code breach.
the rainbow table is to reverse it
A hash isn't supposed to be reversible, but you can create a rainbow table of all the possible hashes for a given combination of passwords, then use the table "in reverse" to find all the possible passwords for a given hash. It's just an awfully big table of numbers - pretty easy to generate on a modern computer...
The salt is combined with the password before hashing. You can store the salt in plain text in the table next to the password hash (one for each user).
When a user enters their password it gets combined with the salt and then hashed. If it matches the hash value then the user is let in, otherwise no. This defeats rainbow table attacks which look up the hashed password in a large database of password hashes.
The only advantage I can see of concealing or encrypting the salt is that someone can attempt to break each password one by one to get back to the original plain text - this however is infeasible and is the reason people started making rainbow tables in the first place.
If you put the salt if first the position is never given away as the entire hash changes with just one character different in the salt. Putting it in after is just obfuscating the hash and is easily crackable.
By the time someone is using rainbow tables you can pretty much presume that they have your entire password file/db, any web code, and anything else in your back end database - otherwise what is the point of using them? This means that they already know where you put your salt (it's in the code after all). They already know what your 'secret' salt is as well.
If you have put in the salt after the hash then you'll need to go back and look at that...
Hashing passwords is not security through obscurity - it's a peer reviewed open technique that is mathematically proven (given the absence of Quantum computing and that P=NP is not true)
I re-use passwords.
And if you managed to get hold of my oft-used passwords and the list of sites I use them on... well, you'd be able to make me look like a dick on a lot of forums, I guess. Not much else.
I don't have Gawker or rootkit logins, but they don't sound like sites I would bother having unique passwords for: I save those mostly for banking, social networking, and work.
Accounts that I use to buy stuff have strong passwords. Accounts for forums and news sites are weaker, reused in other forums and if someone got them, meh.
+1 from me too
If I couldn't give a monkey's uncle about the security of the site, then it gets my standard low grade easy password. I only save the tricky stuff for sites that can charge me money...
I'd go so far as to say that most people I know in IT make a point of re-using simple passwords for "low value" web site, yeah someone could make me look like a dick on forum, but I'm pretty sure that I do a better job of that than most hackers would. (A skiddie's post would be way out of line with my usual idiocy, so fairly easily detectable.) All these people make sure as hell to keep their private stuff just that, banks, home, etc all have non-trivial passwords...
Sites such as El Reg and other fora get throw-away passwords. The same throw-away password, in fact. Anyone who figures out what it is (and it's a dictionary word, unusual only in where I stuck the caps) can log into any such site that I infest and pretend to be me.
Serious sites, such as my bank, get 12 to 16 digit passphrases with rAndoM cApS, numb3rs, $ymbols, and c0mBin@t1ons of the above. Usually using a phrase from a non-Indo-European language. And usually misspelled. My stuff isn't impossible to break, just hard.
Least I'm not one of the only people who has security levels... generic junk accounts, then secure passwords for other things. I used to be more generic, foolishly, and I was taught the error of my ways by a company I worked for being a bunch of wannabe spies.
As above. It's all very well having a locker but I can sometimes use three computers plus my smartphone in one day to access the same Web sites, how can I port my passwords between them? Much simpler to have a simple password for all sites that are social or media related and save the memory-busters for your bank account, etc.
Neilsen isn't everyone's favourite but he's right about some things. People just can't be arsed investing the time to learn complex sequences of codes or instructions for operating things, whether that be accessing a Web site or programming a DVR. It's simplicity and seamlessness that is key to Apple's success, etc, etc.
At my work I need to access 30 or so systems that have varying user IDs and mostly have heterogenous password requirements and expiry periods. Coupled with the fact that I don't access many of them for weeks at a time, how on Earth can I be expected to do this all in my head? (disclaimer: I didn't say that I don't!)
The luggage padlock of passwords.
I use the same password for all my junk accounts, and its the same password I've been using for 10 years. Not familiar with rootkit.com, but Gawker would definitely qualify as a junk account if I had one there. I probably should graduate to using some password tool for them someday, but for the time being I'm not too worried.
Surely this is what most people do.
I think it's exactly this. As with you and several other commentors, I simply use a shared semi-throwaway password for any of the myriad forums/commenting/random other website that wants a password for no good reason I use - I then have another password for fewer more important things (online shops I buy from regularly), another for email, and another for online banking.
If some sloppy admin of some random forum gets his password db exploited, sure, i'll look like a password re-user (though, my password is re-used but still not exactly short or easy to crack) but that password doesnt help get to anything important to me, and simply having to switch to a new password for any low-importance site I use is much easier than having to use and remember different passwords for all of the eleventy billion different places that want one (I don't particularly consider browser addons that generate + store passwords for me a solution, as I regularly want/need to access things from remote locations, plus, software developers do abandon their projects regularly).
It's gawker ffs
a) Remembering my passwords.
b) Not using a email/password that is also valid for that email account.
I can only remember about 3 passwords. As my priority is remembering them, I use 2 of them all the time and have 1 for important stuff. Important stuff mainly = my encrypted disk image which holds all my work and bank details.
..Jussi may have been fired.
The IRC chat between Anonymous and HBGary (including Aaron, Penny etc) is here - fun stuff. It's basically HBGary pleading with anon not to release the remaining e-mails (Greg, who happens to be Penny's hubby). When Aaron joins (about half way down) it all turns nasty again.
Just search for Jussi
Play your cards right
But even with the most conservative estimate of password re-use - 31 per cent - from real world data of the users of the two tech sites is much lower than previously published studies, which suggest somewhere between 12 and 20 per cent.
Higher or lower?
If databaset is not a real word then it should be.
And this is news?
Look its human nature to pick a series of passwords and use them for everything.
John Doe will use one series of passwords for all of his banking accounts.
He'll use a different series of passwords for work stuff.
He'll use a single one for all that internet pron stuff he looks at so no one catches him.
The reason I say series is that some sites make you change your password every so often so you end up going through a series of rotations.
The point is that you can't always remember what password you used for what account, so you then have to write them down somewhere. Usually on an electronic device in a password encrypted file so you can get access to them... ;-)
So of course people will reuse a password?
The Flame is for the fact that this is so obvious that its not really news!.
Forums one thing..
...and I likewise use low-quality passwords in forums, mainly because of the need to be able to remember them when working in several places. But, not for things that matter.
The more worrying aspect though, is the growing trend towards global web-access to company files. Here, Microsoft enforce 'password complexity' which sounds clever but isn't. In fact, password-complexity rules disbar a lot of strong but memorizable passwords, and enforce the use of either non-memorizable or else weak passwords. For example the reasonably strong "nobodywilleverguessthispassword" is disbarred, but the very weak "Password1" is, ridiculously, allowed.
That, and I've never understood the reasons for forcing password-expiry. If the user has to keep changing the password, it more-or-less guarantees they will use "Password1" .. "Password2" and so on INSTEAD of a strong password which they only need memorize once.
What is password expiry meant to achieve anyway? If a hacker has had access to my files for 42 days, does it make any difference if I disallow an extra few days' access? Most likely (s)he will have done any damage they're gonna do, gotten fed-up and gone elsewhere long before then.
IMHO the best passwords are those which have a regular vowel/consonant structure, and thus look like words, but are nonsense. These are surprisingly easy to remember, but shouldn't be crackable by dictionary methods.
I currently have over 600 accounts with various websites. ok, so I've been on the internet a long time, but is that so unusual? It's no surprise at all that people re-use passwords.
How many accounts do other people have?
too see just how useless an unsalted MD5 hash is, try this:
Create a hash of a simple string using any MD5 generator, eg http://www.adamek.biz/md5-generator.php - try your first name or something.
Then take the generated hash string and simply search for it on google and you will see many translated results from various rainbow tables
re: you will see many translated results
except I didn't, and my name is common in several languages. Positive results for a few strings like "password" and "anonymous" are unsurprising, but Google didn't produce hits for various obvious or weak passwords.
a good system?
Password services are a single point of failure as are the USB key solutions. And maintaining a secure set of passwords is beyond most peoples brain power. So to be secure you need a good system, here's what I do:
1. take a random secure string and memorise it, e.g. "1A2b3C4D"
2. decide break points, e.g. after characters 3 and 5 "1A2][b3][C4D"
3. inject two letters signifying the password context into the first break, e.g. hotmail could be "HO"
4. inject a rotating numeric, or character for password rotation in the second position, e.g. "1", or "a"
...so you get "1A2HOb31C4D" - when you rotate it after 6 weeks or whatever, it becomes "1A2HOb32C4D"
for gmail rotation 1 would be "1A2GMb31C4D"
easy to remember - or at least work out, but hard-ish to crack. This approach does have its flaws but I think it's the best compromise.
anon, because well... duh!
Yep, here's the title
You are rather trusty of El Reg server admins skills....
In other news
People discovered to keep their car, house, office and shed keys on the same keyring. Also evidence for people keeping notes, coins and credit/debit cards in the same wallet.
only looks at crap passwords
the thing is, this only looks at passwords that can be broken with brute force. that probably means these people had pretty crap passwords, below average secure at least, and are therefore less savvy in general, and therefore much more likely to be using the same password for everything.
i think overall the percentage would be a lot lower.
Missing the Point?
The point here is that it's impossible for ost of us to use multiple secure passwords. They're impossible to remember. And the more uncrackable they become, the less useful they are.
And as for trusting a piece of software to generate and manage passwords... That could be compomised at some point in the future, if it's not already...
Password technology has outlived it's usefulness for secure applications. For low secuity needs like web forums, it's good enough, even with re-use.
We need secure keys, not the ones in the unix model, but something I can carry around with me, plug into a networked computer anywhere, and be able to access all my secure accounts safely by typing in a simple pin for the key. Citrix have a system like this, but it's not universal. And generally restricted to a single company.
Kwrrwra lbs&ie sufura
Since we're all sharing our strategies, here's mine:
I have a "base" quite secure password that is never used (at least not anymore. I belive I used it 10 years ago or somesuch) and then use key offsets. One site will have the "base", but all characters shifted by one key to the left, another to the right, up, down (with wrap-around to the other side of the keyboard if neccesary) etc. Easy to remember, and I haven't seen references to keyboard analysis by the bad guys yet. And even then the base is still semi-random or at least very much not in any dictionary.
And weak throwaways on forums of course.
Other things to consider
For a lot of websites, where having a password just lets me read stuff, I don't really care if someone hacks into my account. In fact, the password I use for those sites is the same as the made up username I use when they have no business knowing who I am.
Secondly, how am I supposed to remember hundreds of different ultra-secure passwords? I would have to keep them all somewhere that isn't very secure.
I use a pattern made up of a prefix and postfix that are site related and a common base joined with punctuation.
I use a different bases for low, medium and high risk sites.
Even then it's too many combinations to remember, as lots of site won't take punctuation marks or have other stupid restrictions, so I keep a per site prompt (not the actual password) in a GPG file.
My GPG and SSH pass-phrases aren't written down at all anywhere. They are quite long and contain mixed cases, punctuation.
I know there are risks but OpenID like login appeals to me for the low level sites as I really, really don't want any more passwords to add to the mix.
Then I have the same nonsense at work with even more passwords, but there they rotate them so I have them written down and printed (just hints) out as it's just impossible to get anything otherwise...
Cracking Passwords Gromit.
"Joseph Bonneau, the Cambridge University researcher who carried out the exercise"
So this scientist has openly admitted to cracking passwords - when is he going to be arrested?
Considering that even some penetration testers have got into serious trouble for doing the job they were employed to do ...
- Just TWO climate committee MPs contradict IPCC: The two with SCIENCE degrees
- 14 antivirus apps found to have security problems
- Feature Scotland's BIG question: Will independence cost me my broadband?
- Apple winks at parents: C'mon, get your kid a tweaked Macbook Pro
- FTC to mobile carriers: If you could stop text scammers being jerks that'd be just great