back to article We've, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

Twee T-shirts 'n' merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy. Details of the security breach emerged when infosec researcher Troy Hunt's Have I Been Pwned service – which lists websites …

  1. Khaptain Silver badge

    GDRP would have had a field day....

    But since CafePress are American, it's money first, with privacy contributing merely as an afterthought.

    1. Just a geek

      Re: GDRP would have had a field day....

      The site is accessible from the EU and therefore GDPR applies. I'm not sure how the EU would force the issue but this could be an interesting test case.

      1. ocflyfish

        Re: GDRP would have had a field day....

        'The site is accessible from the EU and therefore GDPR applies. I'm not sure how the EU would force the issue but this could be an interesting test case."

        To see if overreaching laws can be applied across the world? We settled that issue back in 1776.

        1. Santa from Exeter

          Re: GDRP would have had a field day....@ocflyfish

          Hadn't realised it had been quite that long that the Yanks thought their laws applied everywhere.

  2. Jamie Kitson

    Unique Usernames

    It's pretty easy for most of us to use unique usernames already, many email providers will accept plus addresses or similar and those of us with whole domains can use any local part / subdomain we like.

    1. FrogsAndChips Silver badge

      Re: Unique Usernames

      Email providers, yes, but a lot of websites will still consider a plussed address as 'invalid format', despite what RFC2822 says. It's more reliable to have your own domain and use a unique LHS for each vendor.

      1. e^iπ+1=0

        own domain and use a unique LHS

        Indeed; however I'd still like to be allowed to choose a username instead of being forced to use the email address as my username.

        1. vir

          Re: own domain and use a unique LHS

          I would like for more websites to include the option to interact as a guest.

        2. FrogsAndChips Silver badge

          Re: own domain and use a unique LHS

          I'm not too convinced about that. If you already reuse your email address, chances are you will reuse your username too. If you use a password manager to create unique passwords, you are already safe from credential stuffing attacks, a unique username will offer you little extra protection. Finally, the website will still store your email address as a way of contacting you, and in case of data breach it's certainly both your username and email address that will get pwned.

          1. JBowler

            Re: own domain and use a unique LHS

            >If you use a password manager to create unique passwords, you are already safe from credential stuffing attacks, a unique username will offer you little extra protection.

            It's not necessary to have both a username and a password, one is sufficient. I've been continuously annoyed by sites that required you to make up a username often without allowing me to include '@'. It has been even more impossible than making up a safe password (though that is pretty difficult given the arbitrary restrictions web sites impose.)

            Indeed usernames are identifiable and allow the crackers to look up your username in their database and find all sorts of useful information that can be used to answer the insecurity questions. Better just to just have a username like:

            7H%PJ8vk78c!vVF96J!nMD7GDbVZZvl@F05&p#cRDnOS8Qd0oozhxMqzKajiiD@v

            And no password. Of course that only works if the username contains a lot more than 66 random bits otherwise it will get very difficult to ensure the user name is unique given that there are about 2^33 people on the planet. (FWIW the above user name contains around 400 random bits.)

            John Bowler

            John Bowler

            1. Graham 32

              Re: own domain and use a unique LHS

              There are problems to just using a password. Some that come to mind...

              - How to reset forgotten password.

              - You phone a company because something can't be done online. How do you identify which account you use without also telling the cell centre staff your password?

              - When signing up for an account if, by pure chance, you pick a password that someone else is using the site needs to say you can't use it, but you now know it's a valid account and you have access to it.

        3. Doctor Syntax Silver badge

          Re: own domain and use a unique LHS

          "however I'd still like to be allowed to choose a username instead of being forced to use the email address as my username"

          The extreme worst case is a site-issued username generated from other data such as a concatenation of real name and DoB (yes, I have a site that uses that).

          Keepass will generate passwords that look like line noise. Perhaps a useful addon would be an option to generate usernames, preferably pronounceable ones.

      2. anothercynic Silver badge

        Re: Unique Usernames

        And it's not like our favourite friends who do the credential dumping don't already know about RFC2822 and do their own little cleanup... bob+site@x.com and bob+site2@x.com are after all just... bob@x.com. So you try bob@x.com with the found credential and... shock horror it works. Nuff sed.

    2. Nick Stallman

      Re: Unique Usernames

      Interestingly it seems that O365 does not support plus addresses which can be quite annoying.

  3. Anonymous Coward
    Anonymous Coward

    Honest question...

    What happens if your password manager goes titsup (or the disk it's installed on)? What good, trustworthy managers exist that have an independent recovery system?

    Also how easy is it to transition back off them? For example, I use Bit Defender as my AV, but have been wary of using its password manager as it seems to risk lock-in.

    Any advice welcome.

    1. Anonymous Coward
      Anonymous Coward

      Well...

      "What happens if your password manager goes titsup (or the disk it's installed on)?"

      Some of them store the details in cloud (useful for multi-device access, but arguably a bad idea for security), but this is a backup issue, not a Password Manager issue. At the end of the day you can't expect your password safe to sort out your backup processes.

      "Also how easy is it to transition back off them?"

      All the Password Managers I have used allow you to export the contents to text or XML. With many warnings that you are exposing your passwords, 'natch.

    2. Frank Bitterlich

      Re: Honest question...

      What happens if your password manager goes titsup (or the disk it's installed on)?

      Same answer as with your family photos, music collection, and business documents: You restore from your backup.

    3. Flywheel Silver badge

      Re: Honest question...

      All you need to do is keep a backup on a different device. If you update your primary device database, close it, then reopen it to make sure it's not corrupt. Then copy it to your backup device.

      Then, if you discover a corrupt password database on your primary device, copy the known good one from your other device. It's another step, but if you have hundreds of passwords it's worth it.

    4. Shrek

      Re: Honest question...

      You print out the username and password (plus any emergency 2FA codes) of your email account(s) and stash it somewhere safe, that way you can generally bootstrap your recovery using "Reset my Password" links on websites.

      You may want other important accounts saved in the same way.

      FWIW I use 1Password... if you really want to move elsewhere it is possible to export everything to a text file if you need to. It does pose a risk in terms of being a single target but, on balance, it allows me to easily have a unique password for every single site (as well as unique email - as was mentioned earlier using + addressing/sub-domaining).

    5. Captain Scarlet Silver badge

      Re: Honest question...

      If my password manager goes titsup then I use the password reset feature (As the only password I can remember is my email username and password).

      I actually do this whilst away from my password file anyway, its therefore there just for convenience when at home.

    6. JBowler

      Re: Honest Question

      Password managers have to work across all devices. Since most of us use more than one device simultaneously that means the data has to be replicated across the devices.

      The failure modes are:

      1) You forget your password/lose your security key and can't get access to the PW manager anywhere. Solution: they have recovery strategies based on emails (normally).

      2) Somehow the PW manager provider gets hacked. Solution: none; all is lost.

      (2) is the consequence of strong passwords; necessarily they have to be stored somewhere (if you can remember them they aren't strong), so you are putting all your eggs in one basket. The assumption is that it is a safer basket than Cafe Press, or, for that matter, Capital One, or, for that matter, GitHub and that you really do use a strong password for your password manager (plus extra authentication; I use a YubiKey).

      John Bowler

      1. Is It Me Bronze badge

        Re: Honest Question

        I use KeePass with the database file on a private cloud host, this gives me access across all my devices and each device holds a backup in the local cache.

        This works for all main desktop OSs (Win, OSX, Linux) plus main mobile OSs Android and IOS

  4. Doctor Syntax Silver badge

    "I wonder, if we shouldn't be using unique usernames and passwords for each site."

    He's an expert and he's only wondering? What will it take to make him sure?

    Of course we should. We all used to until sites decided to use email addresses as user IDs. And it's even worse when some sites - looking at you PayPal - hand out the email address to other parties and can't even see what's wrong with that when it's draw to their attention. Given that most folk only have one email address anyway the password is the only meaningful credential. No wonder people wiitter on about 2FA. With any reasonable policy about user IDs it would be 3FA.

    1. Pascal Monett Silver badge

      Completely agree. It is a sad indicator of the state of our Internet that so-called "experts" are only wondering. We've been hearing for years that you shouldn't re-use passwords, so the conclusion seems pretty inescapable if you have the slightest amount of logic.

      That said, password managers. Yes, definitely use one, but not necessarily a commercial product. After all, for accessing your Internet web sites from home, a notepad (with actual paper, not the Microsoft product) is largely sufficient and not at all hackable from the Internet. And before some of you attack me about having to access your passwords from multiple locations, not all of Internet users are such power users. Most people use the Internet from their home computer and that's it.

      A notepad is enough for that. Oh, and a sense of organization.

      1. Da Weezil

        Define home computer? my disabled Sister - hardly a power user - has a laptop, smartphone and a desktop .... oh and a tabet. she is also dyslexic.. not that that is too much of an issue, but the fact is this non power user often uses the internet when NOT at home on a "portable device" - using a password manager where she needs to input user details.

        "Most people use the internet from thier home computer and thats it" ???? How 1990s is that view?

      2. Doctor Syntax Silver badge

        "And before some of you attack me about having to access your passwords from multiple locations, not all of Internet users are such power users."

        Restricting where and by how many devices you access stuff that you think deserves good security should be a part of your security strategy. Otherwise you're trading security for convenience and we know where that's likely to lead.

    2. Carpet Deal 'em Bronze badge
      Facepalm

      He's an expert and he's only wondering? What will it take to make him sure?

      Is the term "rhetorical question" anywhere in your vocabulary?

      1. Doctor Syntax Silver badge

        Is "outright statement" in yours?

    3. Grikath

      He may have forgotten the [sarcasm] tag there....

      After all, inflection doesn't really work in flat text.. And using a [rolleye] may be seen as ...unprofessional...

    4. EnviableOne Bronze badge
      Facepalm

      PayPal

      they are a law unto themselves, there only easily accessable 2FA is SMS based, and they dont see an issue there either, or with the alternative method of Security questions too...

      If you search the web you can create an TOTP token that you can use but this requires an element of trust in a third party and doesnt turn off the security questions option either

      Now if PayPal offered their own TOTP second factor set-up it would be a start

  5. Fred Fallacy

    I got the email from HIBP ...

    But had never heard of Cafe Press, and don't seem to have an account there. So I'm a little confused.

  6. Free treacle

    Keep it safe!

    Best way to keep track of your unique username/passwords is to log them physically somewhere secure near your device. Someone breaking in to your home or office isn't going to be bothered with a notepad of your passwords and you don't have to entrust anyone but you to store your credentials should a digital breach occur (you are using different username & passwords for each site, right?).

    Just a thought

    1. FrogsAndChips Silver badge

      Re: Keep it safe!

      I'm pretty sure a burglar would be quite interested in a notepad with passwords, if not for them, at least for a friend in the business.

  7. TechBearMike

    Tactics

    While it doesn't allow for two-way communication, if you're signing up for a website mainly to get one-way newsletters, promos, etc., I use abine's email alias service (Blur). If I start getting dodgy emails from a site that I registered on with the alias, I simply turn that alias off. Any further spam to that address bounces back to the sender. You can then delete that alias completely. Problem solved. And it's free.

    Second idea: if you're signing up for a commercial site and not actively engaging in buying from them, don't put in all your info unless it's required. And you could always put in bogus info (fight fire with fire). If and when you're ready to purchase something, change to your real info, order your merch, and then revert to the bogus info. Change password, too.

    Yeah, sites should be more careful, but so should consumers.

  8. JBowler

    I got the pwnage message but CafePress denies it knows my email

    It's weird; I got the email from Hunt but I didn't recognize the site. I might have been there, but I have no record in my password manager and a search of my email suggests I've never communicated with them. Nevertheless I went to the web site as soon as I got the email (26 hours ago) and tried to do a password result (i.e. I said I had forgotten my password). The web site denied knowing my email.

    I suppose I might have submitted an order without creating an account but it would have to have been a very long time ago, before I started using GMail.

    John Bowler

  9. Evil_Tom

    Unique usernames?

    Isn't there a feature in gmail that if you put a suffix in the email address it'll pump the received emails to a folder.

    so if you have emailaddy@gmail.com and give someone emailaddy+thereg@gmail.com and give that email address to someone, any emails to emailaddy+thereg@gmail.com can be sent, via a rule into a folder.

    They don't offer aliases otherwise, but this is an alternative, perhaps. I've just also read that outlook does the same thing.

    A clever person will notice a pattern, but if you get a lot of spam you know where it's coming from.

  10. EnviableOne Bronze badge
    Facepalm

    Unique Usernames

    no problems, as most password managers, in fact all that i know of, store both username and password, so remebering them is the same as passwords...

    so why cant we do this .....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019