back to article Netflix reminds password re-users to run a reset

Netflix has reminded people whose user IDs are circulating in breach-lists to check their security and if necessary reset their passwords. The issue resurfaced late last week, when an Adweek writer posted that he'd received a “reset your password” message: “As part of our regular security monitoring, we discovered that …

  1. a_yank_lurker Silver badge

    Someone is awake

    Netflix seems to realize that users may not be aware of a breach and are being proactive - a very commendable act.

  2. Jamesit

    "As part of our regular security monitoring, we discovered that credentials that match your Netflix email address and password were included in a release of email addresses and passwords from a breach at another company"

    How would Netflix know what the password is, Wouldn't the password be stored as a one way hash?

    1. Dan 55 Silver badge

      They can try the password given in the breach list. At least one would hope that's what they're doing.

    2. Korev Silver badge

      How would Netflix know what the password is, Wouldn't the password be stored as a one way hash?

      They can take a list of passwords and then hash them; if the hash is the same as the one on their systems then they can alert the user.

      FYI you can see if an account with your email address has been hacked in a number of major breaches here.

    3. Velv Silver badge
      Boffin

      Yes, but since NetFlix should know their own authentication algorithms they can simply pass the provided password through their authentication process and see if it comes out as a pass or fail.

      The biggest danger now for NetFlix (or any other company) is that a malicious user inside NetFlix could run a batch of passwords through the authentication process to generate a list of known good passwords and sell those. So no matter how well NetFlix is hashed and salted it can now potentially be compromised on a mass scale due the the bad practises of others.

      1. Anonymous Coward
        Anonymous Coward

        biggest danger now

        Having designed and implemented the user management modules for a number of public and B2B web services I would fall under one of those people who could do that. However I certainly would not be able to do that without it being detected.

        The amount of CPU resources that would be required to get a useful amount of account passwords would trigger resource montoring alerts. Getting and transferring a dump form the database would leave an audit trail. It would probably be easier to change some software to intercept the incoming requests so I could get the password when it is checked. While code is peer reviewed and software checked against checksums there would be ways to circumvent it with admin access.

    4. Myvekk

      Email and password?

      More likely, they just checked the email addresses & whoever wrote the message didn't write it clearly enough. Or exaggerated to get people to take it more seriously...

  3. John Arthur
    Thumb Up

    Amazon too

    I had an almost identical email from Amazon last week saying it had changed my password to protect my account and to log in with 'forgot password'. Full marks to Amazon too!

    1. Boothy

      Re: Amazon too

      I like Amazons approach.

      Not just an email warning like some sites (which no doubt many users would simply ignore), but a forced reset, therefore hopefully blocking anyone who's accessing your account unauthorised, forcing the user to actually do something to gain access to the services again.

  4. Cuddles Silver badge

    LinkedIn, Tumblr, MySpace, Yah!oo...

    ...also TalkTalk, Sony, Ashley Madison, Home Depot and the US Government, to name just a few of the big examples from the last couple of years that I can remember off the top of my head. It would probably just be easier to send out these emails to everyone every couple of months; it's a pretty good bet everyone's details will have been stolen again by then.

  5. Anonymous Coward
    Anonymous Coward

    Ban sites from using email addresses as a username

    I really don't see why so many sites use the email address as the username. Other than sites needing to store one less tinny item of information per user (an actual username), it seems to provide no real benefit (that I can see) over using an actual username to log in, but does seem to have lots of potential downfalls.

    To me, the site should use an actual username for logging in, with the email address just being a field within the users profile (hidden by default). At least then if the account log in details leak, a user could change the username, as well as the password.

    Also I'd assume if only username and passwords are leaked, the information is likely less valuable than an email combo, as you can't spam a user name.

    1. Geoff Campbell
      Facepalm

      Re: Ban sites from using email addresses as a username

      Christ, no!

      That gets *really* horrible, fast. 148 different web site accounts, all with very subtly different requirements for user names. Email addresses all the way, please!

      GJC

      1. Julz

        Re: Ban sites from using email addresses as a username

        Just like the horrible 148 different rules for passwords. <email address> != <user>

        1. Geoff Campbell

          Re: Ban sites from using email addresses as a username

          Certainly if sites could settle on a universal set of rules for passwords that would be very nice. I use a password generator these days to make up unique 20-character passwords for each site, and even so I occasionally have to tweak the settings as some sites don't like some of the characters it uses.

          GJC

          1. Cuddles Silver badge

            Re: Ban sites from using email addresses as a username

            "Certainly if sites could settle on a universal set of rules for passwords that would be very nice."

            It doesn't even need to be a very long set of rules. Here's my idea for such a ruleset:

            1) Do whatever the fuck you want.

            Seriously, that's all that's needed. If someone is capable of typing it in on a regular keyboard, there's no reason not to allow it as a password. You should always be parsing input properly so no-one can try the old Bobby Tables kind of trick, so there's no reason to exclude any standard characters, and there's never any reason to enforce a set number of various types of character or to have the ridiculously small maximum limits. The only restriction that has any reason to exist is a sensible maximum length.

            Any more rules than that are just doomed attempts at trying to save people from themselves. Sites are constantly trying to force minimum lengths, mixes of character types, and so on, but everyone still manages to use "password1" or some variant with minor substitutions. You just can't force people to use a good password if they don't want to, so don't bother trying. Allow those who do understand security to use strong passwords instead of hobbling them with pointless restrictions, and allow everyone else to use password1 if that's what they're desperate to use.

            Alternatively, there is one way to force people to use better passwords - when they enter a new password you try to break it and reject any that are broken inside a given time. You don't want to spend too much time and resources on it, so obviously you're not going to be able to enforce passwords that will definitely stand up to a dedicated hacking effort, but at the very least you can get rid of all the password1s and 12345s. Any set of rules for passwords is an attempt to only allow passwords that are difficult to break, and they're generally not very good at managing that. The best way to actually get passwords that are difficult to break is to try to break them and only allow the ones that are difficult.

            1. Geoff Campbell
              WTF?

              Re: Ban sites from using email addresses as a username

              Absolutely.

              Rather bizarrely, I've even had sites refuse a 20-character password for being too long. What is this, the 1950s?

              GJC

    2. Fuzz

      Re: Ban sites from using email addresses as a username

      This wouldn't fix anything. A compromised database will almost certainly include the email address alongside the username and anybody who is reusing passwords across sites will also be reusing usernames.

  6. Lotaresco

    Passwords

    Today I'm despairing about the site that attempted to improve security by changing password rules. I tried to log in and was directed to change my password to match the "new password policy". That policy is that "All passwords must contain three numbers (only) one 'special' character and must start with a capital letter all passwords must be exactly 12 characters long. This represents a significant improvement in security,"

    No it doesn't you muppets, you've just reduced the entropy of your passwords by specifying a fixed length of which three characters must be numeric. This is actually worse than your previous "minimum of eight chars, no maximum" policy that it replaces.

    1. Dan 55 Silver badge
      Facepalm

      Re: Passwords

      I just can't get my head round the number of people in IT who, when asked to do something, come up with the exact opposite.

      1. Boothy

        Re: Passwords

        I suspect this would have been a management decision, and the people in IT likely tried to tell them why it was a bad idea, and would simply have been ignored.

        That's why in any decent company, you should have a dedicated, and suitably qualified security expert, that the management are not allowed to overrule.

  7. Crazy Operations Guy Silver badge

    Certificate-based authentication

    I wish certificate-based authentication would have caught on by now. Passwords are terrible need to be thrown out. It seems ridiculous that our security hangs on a string of characters that are difficult for a human to remember but are trivial for a machine to guess.

    Even if we don't move to certificates, I'd still like to get rid of security questions since the information they ask for can be found on Social Networking sites, blogs, information dumps, or for noteworthy people, Wikipedia. Its especially annoying when they ask "What is your favorite color?" then impose a 7-character minimum...

  8. M man

    Here's an idea , (a bit mad) sign up pages should log in to your email address using the password you give them, if it succeeds then reject the password. Should negate the largest risk factor resulting from a breach, others getting into your email account.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019