Trustwave's SpiderLabs has completed an analysis of the passwords dumped on the Internet in this month’s eHarmony breach, and reached the depressing conclusion that too few people really seem to care about password strength. Having recovered 80 percent of the 1.5 million passwords in the dump file, the company says only 0.5 …
"Next we noticed, that no single password was found more than three times. This brings into question the integrity of the original dump"
They didn't seem to notice that it also brings into question the validity of their conclusions.
"this brings into question the integrity of the original dump"
“this brings into question the integrity of the original dump and the possibility of modification by the dumper”
Hahaha that made me chuckle - yes I am that juvenile! Come on man, I read the Register, whatcha expect!
Pot calling the kettle black
Here we have a company that sold a signing cert berating individuals for sloppy password management? http://www.theregister.co.uk/2012/02/14/trustwave_analysis/
Well I guess they would know a thing or two about sloppy management of secrets.
Re: Pot calling the kettle black
And they complained about insufficient sample size...
As much as the stats are off, the underlying issue remains. If I see another article saying "no salting" or some shitty old hashing mechanism I think I'm going to find the Head of IT of the company in question and punch them in the head.
Crap salting and hashing methods (if at all...) are not excusable. What excuse do you have to store them in plain text? What excuse do you have for storing them in an insecure mechanism, even ignoring best practice for storing them? Even then, none. Nothing. Nada.
You can never be 100% certain your database is not going to escape, but allowing brute force password crackers to possibly retrieve 1.2 million passwords in 72 hours is total incompetence.
I might have to bring back the old password matrix idea... or at least some key vault on my phone. This is getting ridiculous.
Nothing wrong with purely alphabetical per se; password length is more important than including sp3c1al ch@ract3r$.
...are the initials of your word choices. That is to say, I agree.
Having said that, acronyming the words displayed on the screen is not good passwording.
Quite a few sites do not let you use special characters.
No special characters
True. Why is that, in this day and age?
It can't be a technical limitation, surely? Just lazy developing?
Sad but true..
I've run into many sites that refuse to accept a password as valid while you have special characters in it. It wouldn't be so bad but then they limit the password field to something like 12 characters so you can't even make it all that complex.
Re: Sad but true..
Or Santander, who won't allow more than 4 consecutive letters or numbers - so passphrases are out! :-\
Re: Sad but true..
One of our systems doesn't even allow *any* characters to be repeated ...as I found out on the third attempt to pick a password it would accept.
Really. Would a "full list of rules" link have been all that hard to put *somewhere*?!
...I kept a record of what these rules were to avoid the same rigmarole when I'm obliged to change it in future (most likely after I've had it reset because I can't remember what it made me use in place of what I originally wanted...)
Perhaps people intentionally use weak passwords on sites like that because they don't care? I regularly use weak passwords when signing up for random sites because it wouldn't really bother me if an account like that got compromised.
As for weak password storage, a lot of sites even store passwords in plain text or a reversible form... One way to tell is to see what the forgotten password function does: if it sends you your previous password then it's clearly not hashed.
As for why companies do this...
Firstly, they have the terrible example of Microsoft: Windows passwords are also unsalted, are based on MD4 and, even more ridiculously, can be used without cracking them at all (Google for pass the hash). When 99% of companies out there have important data on systems like that, using something like plain MD5 to protect a dating website is actually way above average.
It seems everyone writing a webapp wants to reinvent the wheel... You need simple and well-documented functions for storing passwords in the application frameworks, preferably something based on the common password format used by Unix so that new ciphers can be seamlessly integrated over time.
In the grand scheme of things, plain MD5 isn't all that bad, a lot of webapp authors seem to implement their own totally proprietary schemes that have all kinds of ridiculous flaws.
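As an added illustration of the two points made in the post above (not code from the post or from any product it mentions): the unsalted MD5 scheme beside a salted, iterated record written in a Unix-crypt-style self-describing format, with a verifier that accepts both and transparently re-hashes a legacy record at the one moment the server legitimately holds the plaintext. The `$pbkdf2-sha256$iterations$salt$digest` identifier, the iteration count and the sample accounts are this example's own assumptions, modelled on the `$id$salt$hash` convention the post refers to.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for the salted scheme (assumed value). verify() reads the
# iteration count back out of each stored record, so this can be raised
# later without breaking records written with the old setting.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME_ID = "pbkdf2-sha256"  # identifier chosen for this example


def legacy_md5(password: str) -> str:
    """The scheme the thread complains about: unsalted, single-round MD5.
    Two users with the same password get identical records, and one
    precomputed table cracks the whole dump at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record:
    $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 digest>
    A fresh random salt per record means equal passwords give different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")  # base64 never contains '$'
    return f"${SCHEME_ID}${iterations}${b64(salt)}${b64(digest)}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check a password against either record format.

    Returns (ok, upgraded). `upgraded` is a new salted record when a legacy
    MD5 record verified successfully, so the caller can overwrite the old
    one during login; otherwise it is None."""
    if stored.startswith(f"${SCHEME_ID}$"):
        _, _, iters, salt_b64, digest_b64 = stored.split("$")
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iters)
        )
        # Constant-time comparison: do not leak how many bytes matched.
        return hmac.compare_digest(actual, base64.b64decode(digest_b64)), None
    # Anything without a scheme prefix is treated as a legacy hex MD5 record.
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_password(password) if ok else None)


def demo() -> dict:
    """Constructed sample accounts; returns observations a caller can check."""
    alice = legacy_md5("letmein")        # legacy record
    bob = legacy_md5("letmein")          # same password, legacy record
    carol = hash_password("letmein")     # salted record
    dave = hash_password("letmein")      # same password, salted record
    legacy_ok, upgraded = verify("letmein", alice)
    return {
        "legacy_collide": alice == bob,   # identical: one crack breaks both
        "salted_collide": carol == dave,  # different: each must be attacked alone
        "carol_ok": verify("letmein", carol)[0],
        "carol_bad": verify("wrong", carol)[0],
        "legacy_ok": legacy_ok,
        "legacy_bad": verify("wrong", alice)[0],
        "upgraded_format": upgraded is not None and upgraded.startswith(f"${SCHEME_ID}$"),
        "upgraded_ok": verify("letmein", upgraded)[0] if upgraded else False,
    }
```

The point of the prefix is the one the post makes about the Unix format: the record says which scheme produced it, so a site can move from MD5 to PBKDF2 today and to something else later, one login at a time, without a flag day or a forced password reset.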
Re: Weak passwords
Well I wouldn't say Unix is an example of all that is good; there are still far too many servers that truncate passwords to 8 characters.
Web app designers need hitting round the head with Java 6; there's a password library in there which does it all for you.
Intentionally Weak passwords
Hear hear. Whenever I sign up for some semi-useless cack I don't care about being linked to me, I sign up as Tony Hawk with password popopo00. I reuse passwords on low priority sites so I don't have seven hundred strong passwords swimming through my head when I'm trying to remember my banking login or my Steam account pw or somesuch.
Re: Weak passwords
I've seen a few low-importance sites that require a high security password. I keep a few high security passwords, and a couple low security. If I give one of my high-securities to a low-importance website, then I risk my important stuff being compromised.
If a low-importance website won't accept my low-security passwords, and it's not important enough for my high security - I don't register :(
BeThere earned my ire recently. I forgot my password on their website, so I had to reset. I tried to reset to my high security password and it forbade me from re-using my password! Like I'm going to make up yet another password just for them!
Re: Intentionally Weak passwords
Check out #4 in " 8 Websites You Need to Stop Building" http://theoatmeal.com/comics/websites_stop
I wonder how many of the passwords were along the lines of jesussaves, lordourchrist or similar...
I'd rather be able to use something like "correct horse battery staple" (yes I read XKCD, so sue me) than be forced to use upper and lower case, a special character AND a number in a more-than-6, less-than-12 character password (like my school is forcing me to do, and they even refuse to see reason when I point out the flaws in their plan. Incidentally, lost password calls to the Helldesk have gone up 3-fold since implementation of that stupid policy.)
When I encounter requirements like that, I just think 'fuck this' and end up doing something like writing the password down, or bargaining that I will be able to change the password later.
My company is even worse. As well as 8+ characters, with 3 from upper/lower/number/special, they make us change it every month. It won't allow incrementing of the previous password, or re-use of any one of the last 12 passwords. If they make the requirements that rigorous, surely they can let us use them for a quarter at a time...
I never thought I'd ever resort to it, but now I have a post-it stuck under my keyboard with the password on (with the last two characters reversed to foil cleaners/colleagues).
Don't increment passwords: add a month identifier (1111, 1211, 0112, 0212, etc). They'd have to have a particularly clever algorithm to detect that?
Yeah, I'd do that, but they actually demand that the new password does not contain a string of letters the same as the previous password.
So if the old one is StrawberryPancake2012, the new one can't even be PancakePie123 (because both contain Pancake).
Also, can't contain your username or (part of) your real name.
Doesn't that mean they have to be storing your password with reversible encryption? Seems like a bit of a security fail there...
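An added example (mine, not from any poster) of how the policy described a few comments up (3 of 4 character classes, no username or part of the real name, no letter run shared with the previous password, none of the last 12 reused) can be enforced at password-change time. It shows where plaintext is actually needed: the shared-run rule is checked against the current password the user has just typed to authorise the change, and the last-12 rule against salted hashes, so neither requires reversible storage; a shared-run rule against the older history entries would. The run-length threshold of 4, the iteration count, the "name part" length and the sample account are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

MIN_LENGTH = 8
CLASSES_REQUIRED = 3      # of upper / lower / digit / special
MIN_SHARED_RUN = 4        # assumed threshold for "a string the same as the previous password"
HISTORY_DEPTH = 12
ITERATIONS = 100_000      # assumed PBKDF2 work factor

Record = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest); no plaintext kept


def make_record(password: str) -> Record:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def matches(password: str, record: Record) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest common substring of a and b, case-insensitive
    (classic dynamic-programming table, one row kept at a time)."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def validate_change(username: str, real_name: str, current_pw: str, new_pw: str,
                    current_rec: Record, history: List[Record]) -> List[str]:
    """Return the list of rule violations; an empty list means the change is accepted.

    current_pw is plaintext only because the user typed it to authorise the
    change; current_rec and history are hashes, as they would be on disk."""
    if not matches(current_pw, current_rec):
        return ["current password incorrect"]
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    classes = sum(bool(re.search(p, new_pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < CLASSES_REQUIRED:
        problems.append(f"needs {CLASSES_REQUIRED} of upper/lower/digit/special")
    low = new_pw.lower()
    name_parts = [p.lower() for p in real_name.split() if len(p) >= 3]  # assumed cut-off
    if username.lower() in low or any(part in low for part in name_parts):
        problems.append("contains username or part of real name")
    # Needs the current plaintext, which we have; NOT possible against hashed history.
    if longest_common_run(current_pw, new_pw) >= MIN_SHARED_RUN:
        problems.append(f"shares a run of {MIN_SHARED_RUN}+ characters with the current password")
    # Exact reuse of any of the last N passwords: hashes alone suffice.
    if any(matches(new_pw, rec) for rec in [current_rec] + history[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def demo() -> dict:
    """Constructed account: jsmith / John Smith, current password
    StrawberryPancake2012, two older passwords held only as hashes."""
    current = make_record("StrawberryPancake2012")
    history = [make_record("Winter!Coat2011"), make_record("Autumn#Leaf2011")]
    who = ("jsmith", "John Smith", "StrawberryPancake2012")
    return {
        "shared_run": validate_change(*who, "PancakePie123", current, history),
        "old_reuse": validate_change(*who, "Winter!Coat2011", current, history),
        "name": validate_change(*who, "Smithereens!9x", current, history),
        "weak_classes": validate_change(*who, "alllowercase", current, history),
        "accepted": validate_change(*who, "Glacier+Moth42", current, history),
        "wrong_current": validate_change("jsmith", "John Smith", "nope",
                                         "Glacier+Moth42", current, history),
    }
```

The example also shows why the month-suffix trick suggested above survives most of these checks: "Pancake" is rejected for the shared letter run, but an unrelated word with a date tacked on passes every rule the policy can verify without plaintext.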
10 character min length, and 45 day mandatory change
a site I have to use for placing orders.
I used a very good password, not knowing about the 45 day mandatory change. Can't use a password you used in the last 7 changes.
Password is a sequence of numbers + the next letter in the alphabet, capitalized.
That seems to be the case, yes.
And the reason they "needed" this enhanced security? They were (finally) going to implement a cross-site login, so I could go from email to intranet to educational management system without having to log in every time. (Why they didn't require a secure password for ANY of these sites before is still a mystery wrapped and encoded with an enigma.) (Ohh, and they still can't manage to build a website capable of working in Firefox. In 20ANDBLOODY12!)
There's a simple trick for medium-security passwords with daft requirements for numbers and letters. Pick yourself an algorithm for constructing an alphanumeric password based on the keyboard layout - 1q2w3e4r being a ridiculously simple example - and then all you have to remember is your pattern. If they insist on you changing it frequently, you can simply move the pattern about on the keyboard.
!QAZ2wsx - next month move across a row. You ought to be able to remember the move back to the start every ten months. (I suggest you do something slightly different to this, but keeping the same principle, just in case I'm the black hat at your office.)
This report makes a big assumption that all passwords and systems are equal. There are too many sites these days that require some sort of login for someone to have truly unique passwords per system (Yes, I am aware of tools like LastPass etc., but most people don't use them). Most people I know, when we've discussed the issue of passwords, say they use a system where they have a set of passwords they use, and the least secure of them is used for the most throwaway logins.
How many people reasonably would use the same password for EHarmony as they do for their Bank or email? (Yes, I am aware that there are a lot of idiots out there, but the assumption that all systems are equal in their importance is a big oversight when judging the use of passwords)
KeePass is your friend
Just to recommend KeePass (http://keepass.info) - never have to remember a password again (well, just the one that locks KeePass itself!). Generate very long unguessable random combinations of characters (special ones included) and you're all set.
Available for fans of Linus, Bill and Steve (plus all the major mobile platforms)
Just remember to back up the database. Oh, and keep a copy on a memory stick if you use other machines.
Re: KeePass is your friend
Quite so. I was just about to post about KeePass myself. (I actually use the *nix rewrite, KeePassX.)
Re: KeePass is your friend
Keep your KeePass database on Dropbox or Google Drive, then you can get to it wherever/whenever you need it.
Re: KeePass is your friend
And so can Google, and anyone else.
Re: KeePass is your friend
...which doesn't matter because they can't break the encryption KeePass uses.
What annoys me are these guessing games, where the site can't say in advance what their password policy is. Oh no, that would be too easy.
So, for instance, as per usual I get KeePassX to generate a random password for a site I'm registering with.
"Your password may contain only letters, numbers, and underscores".
OK, let's do it again, then.
"Your password must be between 5 and 20 characters".
[Gritted teeth] OK...
American Express wouldn't let me use the password I wanted as it was too long; I think they limit it to 8 chars. Amex!?!!
Just had three goes to remember the memorable name for my bank which I haven't used for years... Yes it was memorable but so are a few hundred others!
Length beats special chars - hmmm, what length, what chars? There must be a formula for that...
Re: memorable info
When it comes to memorable information, invent:
"I'm Fred Bloggs, born 01/01/1958 in Timbuktu, dog's name = fido, favourite food = biscuits, first girlfriend = The Queen"... as long as you're consistent across sites, no-one's ever going to sniff that from Facebook, driving licences, etc.
I worked at a place that had password requirements as follows: one upper case and one lower case. Had to be 10 characters exactly, no less, no more. Must have a number. The number cannot be at the beginning or end. You must change the password every 30 days. If you forget, your account is locked out. You can only change the password every 24 hours.