Archives

Passwords: time is being called

Prompted by a piece on Charles Arthur’s Overspill blog I took at look at LeakedSource which has a database of leaked usernames and passwords.

There are two main ways for passwords to leak. One is that a web site had its user database hacked and stolen. The other is that malware on a user’s machine steals all the passwords stored in your their web browser and sends them off to hackers.

This last has become a huge problem. Passwords and logins are an inconvenience, and many of us love being able to have the browser store them, giving near-automatic login for favourite sites. Thanks to the magic of cloud, we can also have them sync across all our devices automatically. Nice.

Unfortunately, if you ever had a nagging sense that this is not security best practice, you were right.

I have been on the internet since the late eighties and have hundreds of logins. Many were created under protest – you have to log in to read our article, or get support, or download our trial. The nature of my work is that I often need to research things quickly, and new logins come with the territory. I found several results when searching for my email on LeakedSource. Some I knew about: LinkedIn, Adobe, MySpace, Tumblr (this last only recently revealed); others I had not thought about. I signed up for Xsplit, for example, though I have not used it for years, and did not realise that the passwords had been stolen.

image

In my case, all the accounts are ones that either I do not care about, or for which the passwords were changed, or both. That is not the end of it though. There is potential embarrassment if someone logs into, say, a forum posing as you and starts posting spam or abuse. Further, if you use the same password elsewhere a determined hacker can attempt other logins, that have not been hacked, and try their luck. There may also be information stored with the logins, such as date of birth, address, secret questions and so on, which could help in password recovery attempts or identity theft. If someone manages to crack into your email account, the vulnerability is much greater since many passwords can be reset simply via emailed password recovery links.

Well, we have known for years that passwords alone are a poor way to protect security. The situation has escalated though, with huge databases of email addresses, usernames and passwords widely available.

What does that mean? A few observations.

  • The only sane way for anyone moderately active on the internet to manage their passwords is with a password manager. You should create an unique password for every login and store them in an encrypted password manager. It’s not perfect; someone may manage to hack your password manager. But it is the best you can do for most sites.
  • Using a Facebook, Google or Twitter login for small sites that support it is probably better than creating new credentials, if those new credentials do not follow best practice. On the other hand, this means the consequences of losing the master login being hacked are greater; and the site may cajole you into posting links on Facebook, Google or Twitter to promote itself. I do not like the idea of building dependence on one of these advertising giants into my daily internet usage; but there it is.
  • Follow a de minimis approach in completing information when registering for sites. In my case, nothing that is not a required field normally gets completed.
  • Do not rely on your fancy system for creating unique passwords for each login, like three letters from the site name plus your first telephone number or whatever. If you can work it out, a hacker can as well.
  • Be aware of the risks of saving passwords in the web browser. Personally I rarely do so. In particular, it’s probably a bad idea for sites where you can spend money, Amazon, eBay, PayPal and the like.
  • Secret questions are not there to help your security. They are there to undermine your security and to reduce the chance of you calling support. They are in effect supplementary passwords. I suggest making up new secret questions for each site that insists on them, and storing them in your password manager. Example: best gibber: flogalot. Putting stuff like mother’s maiden name, first school and so on is identity theft heaven.

How do we fix this? Nobody seems to know. Some things are improving. 2-factor authentication is more widely available and you can use it on many of the main sites now. Unencrypted logins (ie HTTP rather than HTTPS) are now a rarity though I still see them.

Still, if the problem gets worse, there is more incentive for it to get better.

Related posts:

  1. Why are web sites still storing passwords? Monster, USAJobs blunder highlights the risks
  2. One of the best features of Office 365 vs BPOS: setting passwords not to expire
  3. Google offers the web a new language called Dart – but why?
  4. More RSS madness from Microsoft – this time it’s Live Mail
  5. Time to stop using non-generic collections

2 comments to Passwords: time is being called

  • Bob F

    No need to create your own secret questions, just make up unique (and false) answers for each site and store them with your password. For example, Q: Your favorite sports team? A: Whosville Warhawks. Don’t make up unpronounceable answers that look like strong passwords because occasionally you may need to answer your secret questions over the phone during support calls.

  • Clyde Davies

    I have to say that I think that many companies who demand passwords bear the large part of the blame. I worked once with a fairly crappy piece of custom support call software, and the clown who wrote it demanded that the password was exactly eight characters, contained a mixture of upper and lowercase letters, numbers and a special character! Inevitably people who used it had to make up a password specially for that system, and inevitably they wrote it down somewhere negating the point of having it in the first place. And these were support calls that were being protected, not the Crown Jewels.