Spotify resets too
So is Spotify, email this morning.
Dropbox is forcing users to reset passwords that haven’t been changed since mid-2012, when LinkedIn suffered a mega-breach. An email sent to Dropbox users this morning informed them that the reset was solely a preventative measure, and not as a result of any new breach. Dropbox said that no accounts have been breached and the …
And Opera Sync too (email this morning).
... and 123-Reg. Two e-mails: the first saying they were going to force a password update by the 1st August, the second correcting this to the 1st September. After this deadline, passwords that haven't been updated and those that are insecure won't work any more.
Nothing to see, move along.
I'm all for strong passwords, although in my experience forcing users to change passwords on a (short) regular basis is a two-edged sword, in that if it's done too often they start putting passwords on post-it notes.
I think this is more for that significant chunk of the population who re-use passwords across multiple services.
The current advice from various agencies (and there have been articles about it on here just lately) is:
a) Pick a long password. Complexity is not on the same order of magnitude as length.
(e.g. an 8-letter, lower-ASCII set password gives 128^8 possibilities. A ten-letter, alphabet-only password gives 52^10 possibilities.
128^8 = 72057594037927936
52^10 = 144555105949057024
An 8-character, all-symbol password takes half as long to guess as a 10-character, alphabetical-letters-only password.)
b) Don't force your users to change it too often. In fact, some places recommend NO forced changes unless you have reason to suspect the account is compromised.
And if you have any sense:
c) Pick several good passwords and use them according to purpose. Rather than an individual password per site, that you would need to write down or store in some software somewhere, choose levels of passwords:
- Critical, secure, ultra-sensitive
I use the above system, so my Register password is my "junk" password that will only let you into other "Junk" level accounts that I have, even if you tried. My services that I care about have another entirely different password. My services that could cost money (credit cards, bank accounts, etc.) have another entirely different level of password. And anything more important has yet another level of password.
This way you have a handful of memorable passwords that never need to be written down, you know what password a service should be using based on what it does or stores for you ("I forgot my banking password, but it should be my 'finance' level one"), compromise of some lowly forum doesn't lead to compromise of your bank accounts, and if someone gets into your PayPal, they pretty much have access to your credit card etc. anyway so you want to go and change them all (obviously) but they won't "elevate" their access beyond the account that's compromised.
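The length-versus-alphabet arithmetic in the post above, written out as a small added calculator (not code from the thread or from any of the services mentioned). It generalises the two quoted figures to any alphabet size, including a word list used as the "alphabet" of a passphrase; the guess rate and the policy list are constructed assumptions.

```python
import math

# Added illustration of the length-versus-alphabet arithmetic quoted in the post.
# The cracking rate below is a constructed assumption, not a figure from the thread.

ASSUMED_GUESSES_PER_SECOND = 1e10            # constructed offline-cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of its keyspace."""
    return length * math.log2(alphabet_size)

def expected_years_to_crack(alphabet_size: int, length: int,
                            rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive search to hit a uniformly random password.
    On average half the keyspace must be tried before the right guess is made."""
    return keyspace(alphabet_size, length) / 2 / rate / SECONDS_PER_YEAR

def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length over this alphabet that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

# Constructed policy examples; the first two are the figures quoted in the post.
POLICIES = [
    ("8 chars, full 128-symbol ASCII",        128,  8),
    ("10 chars, letters only (A-Z, a-z)",      52, 10),
    ("12 chars, lowercase only",               26, 12),
    ("4 words, 2048-word list (xkcd 936)",   2048,  4),
    ("6 words, 7776-word diceware list",     7776,  6),
]

if __name__ == "__main__":
    print(f"{'policy':40} {'bits':>6} {'years @1e10/s':>14} {'length for 80 bits':>20}")
    for name, alphabet, length in POLICIES:
        print(f"{name:40} {entropy_bits(alphabet, length):6.1f} "
              f"{expected_years_to_crack(alphabet, length):14.3g} "
              f"{length_for_bits(alphabet, 80):20d}")
    # The ratio the post describes as "half the time": 52^10 / 128^8 is just over 2.
    print("52^10 / 128^8 =", keyspace(52, 10) / keyspace(128, 8))
```

Run it to see that every extra character multiplies the search space by the alphabet size, so two extra letters outweigh the jump from 52 to 128 symbols.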
I worked for a company that issued all passwords as 20 random characters. Users couldn't change. No normal person could remember them, so passwords were just copied from the original email.
Marginally better than post-it, but only just...
But, cumulatively, my banks require me to have:
father's middle name
favourite subject at school
favourite holiday destination
secure key password
street grew up on
Verified by Visa password
city born in
first boss's first name
make of first car
telephone banking passnumber
Internet banking passnumber
mobile app passcode
place of birth
most memorable teacher
Some of these could be subject to your rules, but in practice the only way to deal with them is unique answers, fictitious where appropriate, stored securely (preferably offline).
A password stored in an email residing in your inbox is potentially accessible to the whole internet, whereas a password on a post-it is accessible only to people who come into your office.
Exactly. Post-its are bad physical security but, unlike password lockers, cannot be hacked remotely.
Though I suppose you could put your password locker on a separate, air-gapped system.
That is an awful lot of passwords, but don't worry. You'll only need to know one of them to convince someone at the call centre that you should have access to all of your accounts.
Security is job one.
@Lee D - All my passwords are stored in the encrypted database of my password manager. I only remember one password - the one to the password manager. All my site credentials have a different password for each site, so if someone gets my El Reg credentials they only have one site they can log into.
I'm also a fan of Lee D's system - 99 times in a 100 I know the likely password from memory. Or the previous password for a security level, missed when I last did a global "change all passwords" sweep, a semi-annual practice.
Barring that, I'm a heavy user of "Reset password" and will sometimes abandon a site if that's too cumbersome.
For some reason user forums are a specific problem, which leads to multiple accounts of the Barry, Barry1, Barry2 variety.
Pick a reasonably long eBook and keep it on your phone. Pick a random line number, e.g. line 7 of every page. Every time you need a password pick a random page of the book and use line 7. Then instead of remembering a very long password just remember the page number.
It's not a secure enough method for government work or anything like that but it'll do for most people's private email, forum accounts, etc.
It asked me a few minutes after logging in, which was amusing. It reckoned I had not changed it since 2012, which is a bit rum because I only signed up this February....
I believe this https://xkcd.com/936/
so all my passwords are "correct horse battery staple"
For them to decide they should remind users about this? Checking on inactive and spoofed accounts, more like.
I signed up when Ubuntu One was cancelled, in the process of evaluating better services, currently trying out Mega (really nice webpage, well laid out and helpful). Only really use Cloud for non-critical file storage and device transfer.
I have a parent who was always forgetting passwords and PIN numbers... and wanted to write them down... So I suggested that if she needed to write down a password/PIN, she conceal it in some way.
So for a long time her PIN number was written down as part of a phone number in amongst other phone numbers, and simple passwords were written down as part of a sentence.
As for writing down passwords at home, I see no problem with that if you live in a trusting environment. My late aunt used to keep all hers written down in a little book in her desk drawer along with walkthroughs/guides to do things that I'd taught her on her computer... as an 80-year-old who'd suffered a couple of strokes and had memory issues, it allowed her to still do many things, as her tech support (me) was 250 miles away and unable to remote in due to her being in the countryside on a barely 1Mb connection.
A friend of mine has mental problems. She knows passwords need to be non-obvious and secure, but normally forgets her password a few days after creating it, so she writes them down on pieces of paper which she loses within a couple of weeks.
The password reset mechanism usually depends on having the email address you had when you created the account - but since she loses passwords often, this includes email passwords. Recovering an email account requires you to have the phone you had when you created the account - but she loses phones frequently too. So she creates new accounts frequently.
Why do none of these dingbats have a way to contact them to retrieve the accounts?
I suspect she, and others like her, account for 75% of all gmail and FB users, and they want to claim high user numbers.
I recently decided to change ISPs, and since I would be losing my old email address (long since forwarded to Gmail), I decided to go through all the online services that I regularly use, update the email address, and while I was at it change all the passwords, making them unique and difficult to break/brute-force.
I also started using KeePass to keep them all sorted.
Had the email from Dropbox this morning... But I normally change my password every time I get a new phone... Because I only use Dropbox for uploading pictures taken on my phones to it (along with Drive) to view on my PC... and only change my phone every 3 years... I can never remember my password after that long and have to reset it anyway.
So since 2012 I'm on my 3rd phone and would have changed it at least twice since then.
I have three very secure passwords.
The rest, I couldn't care less about.
They're all the same.
I keep living in hope that someone will hack into them & lock me out.
Incentive to actually get a life rather than delude myself my opinion on forums means jack shit.
Alas, as much to your chagrin as it is to mine.
It has yet to pass.
Experimenting with a Nextcloud, Pi Zero and a hard drive round at a friend's. Seems to work so far.
Need to see if I can get two people co-hosting with me (and me for them) and that's all sorted.
Lots of stupid advice about adding %X99 to them to make them hard to remember. But never the basic thing.
Use (a few) strong passwords on sites you care about.
Use a weak password everywhere else.