Sony hack reveals password security is even worse than feared

An analysis of password re-use from data spilled via the Sony and Gawker hack reveals that consumer password security is even more lax than we might have feared. A million Sony users' password/username IDs and 250,000 Gawker login credentials, each stored in plain text, were exposed via separate hacks. In each case hackers …

COMMENTS

This topic is closed for new posts.

Bronze badge

Depends what the security is for

On Gawker, passwords merely allow registered users to post comments. They don't give access to your bank account, or to your email / iTunes / Amazon / Paypal accounts. It's perfectly acceptable to use a simple password on Gawker (or even on El Reg), so long as you use multiple more complex passwords where needed. Personally I'm not *that* bothered if somebody posts comments in my name.

A useful password mnemonic I was taught is to take a line from a song, then take the first letter from each word or each syllable. Additional characters can be derived from word sounds or appearances. For example: "Is this the way to Amarillo" becomes "Ittw2Am%"

Thumb Up

"A useful password mnemonic...

... I was taught is to take a line from a song, then take the first letter from each word or each syllable. Additional characters can be derived from word sounds or appearances. For example: "Is this the way to Amarillo" becomes "Ittw2Am%""

Have you ever worked for me?

Bronze badge

Quite possibly

If password "Whbbmpap" can be derived from the first eight words of your company's website's tagline (the bit below the flash animation), then yes, it was you. And I recall you did like beer!

TRT
Silver badge
Facepalm

Well, what did you expect?

There are so many thousands of websites where you have to register now, of course you'll reuse passwords. I have a password I use for almost everything which cannot initiate a financial transaction. Email and banking have much more secure and unique passwords, and I don't use social networking. Mind you, that Gawker and Station passwords were reused is a bit lame.

Happy

Of course you can.

For generic sites like this you can easily make up a password that's unique enough, all you have to do is to create yourself an algorithm to create a password for any site. It sounds more complicated than it is, but I've explained it to a few people, and they all love it. The beauty is you always know what your password is for a site, even if you can't remember the actual password!

Basically make your algo simple by combining attributes about the site to easily create a password. So for example combine the following:

the background\foreground colour of the site's logo

the last\first x number of letters of the site name

the site's initials, maybe doubled up. (eg ttrr for The Register)

always having the 2nd, and\or 3rd letter capitalised

You get the idea. So for here I could have the password 'redster' (background colour of the logo and the last 4 characters). And for slashdot, I'd have 'greenhdot'.

Now naturally someone could get a selection of your passwords and figure out what you're doing, but let's face it, if they are targeting you specifically (rather than the drones who use the same password everywhere) you have other issues.

Yag
Trollface

"the background\foreground colour of the site's logo"

And you'll be screwed at the first graphic overhaul of the site...

Meh

Password management...

I've been using LastPass for about 6 months... All my passwords are unique and strong. And I don't have to remember any of them. Great little browser plugin for Free use, and about £8 a year for the iPhone / Android app with the "Pro" version. Worth every penny.

Happy

Firefox has done this for a long time.

Firefox -> options -> security -> 'use master password.'

Then you simply let it remember your user names and passwords as you go along, and they are protected under a master pass.

Happy

In the "Cloud"

Does FF store them on your computer or online? If they're on your computer and it blows up, how do you get your passwords back?

If they're online - where are they? How are they stored? Lastpass have published papers (which seem to stand up to scrutiny) on how they achieve all this...


Firefox Sync

If you have Sync (it's in by default on FF4, an addon for earlier iterations) you can get all your browser settings (including passwords) synced to a FF server out there in a 'cloud'. It's encrypted before it gets there with a strong key you define, so they can't sniff it.

It's not perfect, apparently there are ways of 'sniffing' the password store in FF on the desktop but I'm not overly bothered by this. By using Sync I have the same browser settings/bookmarks/passwords/themes at home and work.

Anonymous Coward

LastPass vs FF

Both are options but all that is happening is that the risk and control is being moved around.

Using FF as an example - the data is stored in the cloud where *you* have no control over it. This is akin to trusting Sony to protect your data......

It's protected by a strong key but this is something the user has to define and hopefully make "strong enough."

There are still risks - if the cloud service is compromised, if the implementation of encryption is not as sound as claimed or if you lose the "strong key."

By far the better solution is for people to take individual responsibility for their access credentials, learn where it is important to use good passwords and where it isn't and for websites to stop demanding password based logins for even the most trivial activities.

Meh

No surprise there then.

From the movie Hangover 2: "Your password is baloney1?" "Yes - it used to be baloney, but then they made me add a number"

Silver badge

Duh!

Troy Hunt gets PAID for this?

The mind boggles ...

Stop

I see what you did there...

As by just saying Sony, you hope people just assume PSN. The PSN data has never been released, it's unlikely it ever will, and it's unlikely anyone actually got anything. (Clearly Sony can't categorically say they didn't get anything, so have to paint a worst-case).

The reality is, the PSN hack was a storm in a teacup, stirred by the media.

Anonymous Coward

Why bother with complex passwords?

Not much point thinking up a password that you won't remember is there? If you have to write it down, it's failed anyway.

By the same token, you might as well use a simple password, as it's not the password that is being broken these days, it's the insecure servers holding our insecure passwords in plain text, that's the problem here.

Gold badge
Unhappy

Re: why bother

"If you have to write it down, it's failed anyway."

Hideously wrong. Please don't post such advice in a public place. Oh, hang on...

For any system that is internet facing, the number of potential bad guys is "several gazillion". The number of potential bad guys who can read a post-it note stuck to your monitor is "several". (Ironically, the latter group, despite having a much easier task, are generally less interested because they usually already have access to the protected system.) The smart approach is to *write down* a complex stem to defeat the former group, and then append something you can remember to defeat the latter.

Anonymous Coward

Forced complex passwords

I remember working at a certain company using VMS (youngsters can look it up on Wikipedia :) You were forced to change your password every 28 days. You were given a list of 6 passwords to choose from, or get another random batch. Password length varied (my boss' was something like 20 characters.) The password would be absolutely completely random.

If anyone was sick, you just lifted up their DEC220 keyboard & read their password off the bottom. You knew it was right because it wasn't 1 of the hundreds that were crossed out; they were the old ones. Yeah, complex passwords _SO_ much more secure!

My boss got the BofH in trouble once by saying he had been unable to do any work for half a day because it took that long to get a password option that he would be able to remember :)


DEC and passwords

What, you guys had VT220s and nobody thought of using the answerback string as an autologin?

Silver badge
Happy

Answer-back string

Unfortunately, this would be SOOO insecure, as the answer-back string is triggered remotely.

As can (believe it or not) the programmable function keys of a VT220. I'm sure that I spent some time twenty years or so ago, writing a program that would set a PFK (on the shifted function keys IIRC), and then trigger it.

All you needed was write access to the device, and you could make the current user apparently run anything you wanted them to! Similar techniques worked for HP2392 as well.

This was with UNIX, not VMS, so I'm not sure that this was possible unless you already were a privileged user (could you do it through Phone, I wonder).


This post has been deleted by its author

FAIL

passwords

Isn't this the fundamental flaw with the modern use of passwords, they are either so complex you don't remember or so easy they are insecure. With so many systems requiring passwords we need some better system. I am fed up with phoning some company that I briefly had dealings with a couple of years ago and hearing the shock when I tell them I have no idea what my password is.

I also worry about using password services, it assumes you completely trust the service that is generating and storing them for you. So is "LastPass" safe to trust my life to? There is a huge pot of cash waiting for someone who can come up with a better solution.

Silver badge

One of the big mysteries of the Internet.

"How do you build necessary trust in an environment where you can't really trust anyone?"

Or IOW how do Bob and Alice prove they are really who they are...when they don't even know each other?

Solve THAT one and you'll probably be solving problems that go far beyond the Internet. Then again, you may also stir up a very big moral hornet's nest, too, given that the only practical solutions that come to mind would make police states drool.

After all, that is ANOTHER big mystery of the Internet: "How is it possible to be BOTH anonymous AND trustworthy?"


RE: Password vaults

That's what I've been wondering too. How secure are these and what are the reputable ones?


How lastpass works...

http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291

Maybe in this day and age of password security, El Reg could do a feature or series on password management tools etc so us more techie types can start educating the general public...?

Linux

No need

To write down anything or remember many (complex or not) passwords.

Lastpass has already been mentioned, personally I prefer KeePass.

Hardly rocket science, but need to enlighten people to the existence of these little helpers when a similar feature is not included with the OS.

Silver badge

Password Safe

In my experience the best way to create passwords is:

1. Unique passwords for sites like banks, paypal, ebay, Amazon

2. Strong passwords for sites which hold personally identifying data or credit card data

3. Throwaway passwords for forums and so on. Probably the same password but it doesn't have to be, e.g. maybe you take the first 6 chars of the site and tack it on the end of your password

Store the lot in password safe and protect them with a strong memorable passphrase. And use the browser's password remembering abilities to remember unimportant sites you visit but can't be bothered to remember on a daily basis.

Holmes

Biometric?

Can't you remember which finger you used for your password? You have 9 more retries. 19, if you are willing to use your toes. Simples as pie, safe as houses. Just wash your hands to avoid false readings.

Why won't anybody use biometric? If big sites (hello, Gmail, Hotmail, Ebay) start allowing biometric, provided you have a fingerprint reader, you can get the habit started. (I understand some notebooks have them, and Windows 7 fully supports it.) No more passwords, then, or they become a backup method (table saw users come to mind here). The whole vicious circle "I won't provide biometric alternatives because nobody has the reader / I won't provide the fingerprint reader because nobody supports it" can be broken easily, just make it REALLY easy, or force the user to 16-digit passwords with non-alpha keys (which sucks btw).

Of course passwords for regular sites will be simple, easy to remember and type, while Banking stuff should be way more secure.

Anonymous Coward

Biometrics

Are good in high security installations where you can control who will establish accounts.

Better still, with biometrics when you compromise one system, you do them all.... It's not like we can change our fingerprints between sites.

Paris Hilton

Re: Biometric

Fingerprint scanners are a big fail. You leave prints all OVER the place, and if you can lift a good copy of a print, you can clone, and gain access to what the lock is trying to keep you out of. A better solution would be retinal scans. I was looking into this a while ago, but at the cost of $30,000 a scanner it was a no-go. I'm sure they have come down in price since then, but the great thing about it is as far as I know, it can not be reproduced (the retina)--fooled maybe. The cool thing about it was it stored 200+ users for one device, and if your office had multiple "readers" they were able to talk to each other and be able to store 200+ different users on each device. --and I have been out of the retina scanning loop for a while. New model from Panasonic BM-ET330 does 1000 local users and costing $2-3k. Ripping someone's eye from their socket would result in a failed read, however, if you got them drunk enough, or drugged them, I'm sure you would gain access.

For me, I use OTP's (One Time Password)

I type a random word or phrase, encrypt it, and take an excerpt from the encrypted garbage that's displayed. Unless it's a "general" site, then I use a garbage password.

Paris because she adds "1" after "password" too.

Coat

Yup, that's expected

I once worked in an IT repair shop, a woman came in saying she had forgotten her password and could I reset it, while reaching for my copy of ERD I noticed a post-it sticking out from under the battery, on there was every password she used with usernames and descriptions!

I have 4 passwords ranging from don't give a monkey's (no offence but el'reg is in that cat :p) up to a 28 character alphanumeric-symbolic password which I honestly have to sit and think about before typing in; this is used exclusively for anything to do with money.

It's common practice to use a short simple password for most things; my PSN password required me to press right and up, that was it, because using a controller is a pain in the arse :p

But it was only used for PSN and my credit card details were not logged so there we go.

Live IT or die by IT never has it borne more truth.

Linux

Password Managers

I don't know about the others, but LastPass only stores your passwords in encrypted form - 256-bit AES encryption, to be precise. Given distributed.net haven't cracked 72-bit RC5 yet, I'd say 256-bit encryption is fairly secure. You can download a copy of your vault for local storage - so as long as you don't forget your master password it's pretty safe - especially if your memory is not that great. If you fork out for LastPass Premium, you get offered the choice of two factor authentication, which increases security further.

LastPass is also multi-platform and multi-browser, so it'll work pretty much anywhere. The only issue I've found is that on a few sites (e.g. Wikia) it doesn't automatically recognise the username and/or password fields, so you have to use its menu options to copy / paste them into the relevant fields.

Silver badge
FAIL

It really doesn't matter how complex you make your password

If it's going to be stored in plain text on an insecure* web site.

* or even a 'secure' one, for that matter.


What about two factor auth?

We all need to start using something like a SecurID tag for banking + credit card + paypal. (as well as a pin or password). The only problem will be having to carry several of these around with you, so it would be nice if the major players would play nicely together so you could share a token.

Or biometric instead of token.

Can't see how that's gonna work on a playstation though? Too difficult to input the generated number.

Or smartphones.

We're screwed.


Or smartphones

Use the camera to take a picture of your retina?

Anonymous Coward

RSA

Wasn't SecurID the culprit for the Lockheed Martin attack?

Rather than looking for ways to complicate the difficult issue of authentication / trust we should engineer our systems better.

FAIL

"We all need to start using something like a SecurID tag for banking + "

You mean like the ones made by RSA who were hacked, so all their SecurID tags are compromised (See Lockheed Martin)

Bronze badge
Thumb Down

Except that

...with two-factor authentication you're still only half-way there.

FAIL

title is req'd & contain letters &/or digits - which is more secure than most sites' pword rules

I've got what I consider "secure" passwords for use on certain systems, these use as many of the guidelines I can but sadly these are usually for trivial systems. The number of times I've tried to use a secure password on a system only to get a message back that it doesn't meet their criteria or I can only use letters makes me tear my hair out.

This usually results in an "arrggh" moment and using a password that is pretty high up on every list I have seen of weak passwords just so I can get in the bloody system to do what I want to.

Angel

as with so many things, mr adams has already been there

It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.

LastPass etc sound very much like the Ident-i-Eeze to me.


Password safe

I started using password safe software recently, and reset all my passwords to be unique per site and use the software to generate new random passwords. The problem I've found is that a large proportion of sites seem to be completely broken when it comes to entering new passwords which are either too long (they rarely tell you the maximum length they accept) or using non-alpha characters. It's not uncommon to enter a new password (say) 30 chars long with the odd { or ^, the site accepts it, then hey presto you can't log in afterwards because their authentication is broken.

Coat

PayPal

Paypal already has a security token available, which I have been using for a few years now. It is labelled "Vasco Identity Protection". This sort of thing helps but I would not want one for each site I had a password for!

Meh

Re: PayPal

Not any more, at least the only thing referenced on their website is an SMS based token service - personally I'd rather use a hardware token generator but maybe that's just because I don't really like using my phone.

Trollface

Hunt concludes that the only safe password is "one you can't remember".

"one you can't remember" - is this with or without the quotes?


the only safe password is one you can't remember

Oh boy, the end-user community that I support must have *extremely safe* passwords

Must dash, there's another reset request in the mailbox...

Boffin

Security and Passwords

There are some massive assumptions being made here - most of it feeding the "ZOMG! Passwords are so insecure, buy [product]" or the constant pressure from some security consultants to defend against totally out of context threats.

I post comments on dozens of blogs / forums etc., each one needs a password. I have no great interest in making this a complex password or even a strong one. I also have no real interest in setting up different ones for each site. If you hack my El Reg account, you can use that password to post as me in quite a few places. I can live with that.

My internet banking password and email account passwords are different and different from each other.

Equally, the idea that having passwords made up of a single character type is "bad" is nonsense as the Sony / Gawker issue shows.

Complex passwords are only there to make it hard for someone to brute force a system. If the password is stored as a text file (or badly hashed etc) then it doesn't matter how complex it is. You have only made life hard for yourself.

Likewise, if a site sets up an internet access point which DOESN'T limit the number of attacks, then madness will ensue. It will only be a matter of time before the password falls no matter how complex it is.

If you are talking about a site that lets you make five attempts before locking and needing a reset, then you can pretty much use ANY three character password with a good level of security. Anything longer will not fall to a brute force attack so the threats will compromise it whatever length it is.

Anonymous Coward

Exactly.

Exactly.

I admin a number of systems. Those have unique, long, mixed case alphanumeric passwords containing lots of letters and numbers in recognised secure fashion.

Similarly secure passwords exist for anything that has the ability to cause me any financial liability.

Forums and comments sections like el reg where the "threat" is that someone might be able to post a comment in my username (oh no! The horror!) have one reasonably good shared password for the lot, simply because I don't care much about them being compromised.


Strong passwords would help how, exactly?

Right, so they've done this analysis on data from two sites that were hacked and had all their passwords revealed - INCLUDING ALL THE STRONG ONES. So, the people who used strong passwords on Gawker and Sony are just as stuffed as the people who used weak ones.....

Holmes

Password complexity vs password length

Actually, password length is more important than password complexity.

Given two completely random passwords, one containing only lower case characters and the other containing characters from all the typeable characters, a 10-character lowercase password would be harder to crack than a 7-character complex password. The lowercase password would be considerably easier to remember, too. If you want to take it to extremes, a 14 digit number would be harder to crack than the 7-character complex password.

You try explaining that to a PCI or SOX auditor though!

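As an added example (my code, not any poster's), the keyspace arithmetic behind the length-versus-complexity claim above and the five-attempts-then-lockout argument a few posts earlier, plus a dictionary-phrase model to show how much the attacker's assumed search strategy changes the answer. The 10,000-word dictionary and the offline guess rate are assumed figures.

```python
import math

def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a password chosen uniformly at random: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy (bits) of a phrase built from word_count words picked uniformly from
    a dictionary of dictionary_size words, i.e. the model a dictionary attack assumes."""
    return word_count * math.log2(dictionary_size)

def expected_offline_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline brute-force attacker (against a leaked hash table)
    to hit the password: on average half the keyspace has to be tried."""
    return (2 ** bits / 2) / guesses_per_second

def online_success_probability(bits: float, attempts_per_lockout: int,
                               lockouts_tolerated: int) -> float:
    """Chance an online guesser wins when the site locks the account after
    attempts_per_lockout failures and the victim puts up with lockouts_tolerated resets."""
    guesses = attempts_per_lockout * lockouts_tolerated
    return min(1.0, guesses / 2 ** bits)

LOWER, DIGITS, PRINTABLE = 26, 10, 95   # 95 = printable ASCII without control characters

def compare_claims() -> dict:
    """The three passwords from the post above, a passphrase under the dictionary model,
    and a 3-character password under the lockout model (dictionary size and rate assumed)."""
    assumed_dictionary = 10_000
    assumed_rate = 1e10   # guesses/s against a fast unsalted hash; constructed figure
    return {
        "10 lowercase": random_password_bits(LOWER, 10),
        "14 digits": random_password_bits(DIGITS, 14),
        "7 printable": random_password_bits(PRINTABLE, 7),
        "3-word phrase (dictionary model)": passphrase_bits(3, assumed_dictionary),
        "15 lowercase (random model)": random_password_bits(LOWER, 15),
        "days to crack 7 printable offline":
            expected_offline_seconds(random_password_bits(PRINTABLE, 7), assumed_rate) / 86400,
        "3 printable chars, 5 tries then lockout":
            online_success_probability(random_password_bits(PRINTABLE, 3), 5, 1),
    }

if __name__ == "__main__":
    for label, value in compare_claims().items():
        print(f"{label:42s} {value:.4g}")
```

The same 15-character phrase scores about 70 bits if the attacker must try every lowercase string but under 40 bits if they try three-word combinations, which is why the storage and lockout policy matter more than the character classes.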
Bronze badge

Yes, if only.

There's no reason why a 10 character alphabetic-only password shouldn't be hwgsvexf. (No, that isn't ROT13. As far as I know.)

Easier to type, too, than "the1Tdepartmentcangof@ckthemselves-2011-06".

If it needs to be longer than 10 now, there's gqrmlhatdfi. To name only one.

By all means let it be either the initials of a memorised phrase or of one that you make up for that use, although not one that they made you learn at school.


Complexity

I wouldn't have thought that "ilovebakedbeans" is harder to crack than "Cj4$Vf7^" (incidentally, I don't use either - I just made them up on the spot). A lot depends on what the theoretical hacker's brute force algorithm is. If it starts off with a dictionary based attack, your declaration of fondness for a food will probably be found quicker than the shorter, completely random string.

Of course, many blogging sites are doing away with password databases entirely, instead relying either on authentication via third party sites (Facebook, Twitter, Google, OAuth) or even, for the ultimate in low security, Gravatar (only a nickname and email address required to post comments - no password except to customise your Gravatar profile).

However, for those sites which do still rely on a password database, there's really no excuse for storing it in plaintext in a location that can be read by anyone other than root / administrator. *NIX systems currently salt and hash passwords, then store the file in a location only root can read. According to Wikipedia, even that's not impregnable, but it's presumably a darn sight harder to access the file and the passwords contained within it than on the Sony Pictures and Gawker fora.

There's another potential issue, tangentially related to passwords. Never mind hackers, many sites implement tracking cookies / web bugs that can follow you around and determine the sites you visit. Perhaps worryingly, courtesy of Ghostery I've discovered that many implement several different tracking cookies simultaneously, with some using nearly a dozen different trackers. That information is probably far more useful to companies / advertisers than your login credentials...

...unless you're smart enough to be running an ad blocker, script blocker, tracking cookie blocker and LSO blocker simultaneously.

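An added example (my code, not the poster's, not any product's) of the salt-and-hash scheme the post above contrasts with plaintext storage, and of the "stored as a text file or badly hashed" failure an earlier post describes: a Gawker/Sony-style plaintext table beside a self-describing PBKDF2 record, verified with a constant-time comparison. The user name, password, and iteration count are constructed values, and PBKDF2-HMAC-SHA256 is used only because it ships in the standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# "Before": the kind of table the Sony and Gawker leaks exposed. The secret itself
# sits on disk, so whoever reads the table has every user's password. (constructed row)
PLAINTEXT_TABLE: Dict[str, str] = {"alice": "baloney1"}

def plaintext_login(user: str, password: str) -> bool:
    return PLAINTEXT_TABLE.get(user) == password

# "After": per-user random salt plus an iterated hash. The salt stops one precomputed
# table from covering every user; the iterations make each offline guess cost
# ITERATIONS hash computations instead of one.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000          # assumed work factor; tune to the server hardware

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    Storing the parameters with the record lets the work factor be raised later."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count and compare
    in constant time, so response timing does not reveal how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed record, never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# The hashed table never contains "baloney1"; a leak yields only salted digests.
HASHED_TABLE: Dict[str, str] = {"alice": hash_password("baloney1")}

def hashed_login(user: str, password: str) -> bool:
    record = HASHED_TABLE.get(user)
    # A production service would run a dummy verify for unknown users so that
    # "no such user" and "wrong password" take the same time.
    return record is not None and verify_password(password, record)

if __name__ == "__main__":
    print(HASHED_TABLE["alice"])
    print(hashed_login("alice", "baloney1"), hashed_login("alice", "baloney"))
```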
