Another Site Breached - Time to Change your Passwords! (If you can that is)
So after yesterday's news that eBay had been compromised, and that the compromise was in play for a good 2-3 months (short in comparison to many), I decided it was time to change my passwords. Yes - ALL of them.
Don't get me wrong, I do change my passwords - really. Not as frequently as I should, but it happens. I decided to use my little "make me a random string" character generator script, and set them all to 32 char gobbledygook. Except for the ones that have 10, 16 or 20 character maximums that is (really? that limit was a good idea why?)
So I dug through all my applets, "saved password" tabs and saved notepads to find them all, and change them all. It's amazing how many logins you can accumulate over the years. It's also amazing how many of these logins have my credit card info (eeps). eBay, Paypal, Apple, travel sites - it really starts to add up.
What did I find when I got going on this?
- For starters, since the last time I reset almost EVERY site has let their marketing and "design" folks at their site layout. The password change is almost universally hidden 4-10 or more clicks and menus deep in the interface.
- Many sites now disable the "paste" function. So if you have a complex password, you can't cut and paste it - you have to type it from the keyboard. This also breaks many "password keeper" applications. So what does this encourage? Simple passwords, that's what. Just because you can enable a neat feature doesn't mean that it's helpful.
- Don't even get me started on Facebook. I'm not even sure how I got to the menu (it took a while), but when I did, password change was under "General" instead of "Security". Like so many other sites, "security" to Facebook is about Authorization (who can see me) rather than Authentication (credentials). And the 3rd "A" in "AAA" - Accounting - is not available to the end user, only to the system administrators. So if someone has attacked and/or compromised your account, the only folks who see that are the ones who review the logs. Oh - and I guess that's a problem too.
- Facebook does have a nice "log me out of other devices" option during the password change though. So if it's an attacker who's compromised your account, they can punt you offline as they change your password. They phrased it the other way though - I guess it's a race to see who gets to the password change page first.
- I'm still working on my Apple password. Apparently they've decided that my favourite book as a child doesn't meet their literary standards, so they've changed it. More likely, what I typed in is still there and is case sensitive - and knowing me, it's either all lower case, or the one Cap in the phrase is accidental. Long story short, I can't answer the challenge phrases. And the "send me an email" trapdoor didn't work - no email yet.
What does this all add up to? Web designers really have made it increasingly difficult for us to protect our credentials. Almost every site has emphasised the "friends and sharing" functions, and this has crowded the "protect your credentials" stuff into the background. Challenge phrases are great I suppose, but making challenge phrases case sensitive is a really bad idea. Not a single site in my list had a periodic password change requirement.
The other big conclusion? It'd be nice if more sites implemented two factor authentication - that way a password breach wouldn't be such an emergency or such big news.
Long story short, when sites say "we've been breached, please change your password", I think that's in the nature of a dare or a challenge - it's not as easy as it sounds.
===============
Rob VandenBrink
Metafore
Comments
And that is a very good thing since such a requirement only serves to encourage simple passwords.
Anonymous
May 22nd 2014
1 decade ago
For sites that deal with financial information, I do not store my secret question/answer in LastPass. I also do not register any device, which forces me to answer questions each time I log in. I keep my questions/answers in an encrypted file on my Ubuntu laptop. I also do not answer these questions with "proper" responses. For example: Question: "What is your mother's maiden name?" Answer: "1965 Mustang". That way, even if you get to know me or OSINT me, you won't get my answers.
I use my own domain as my email for financial records, so no need to store that password. I know it by heart.
Just my two cents.
Anonymous
May 22nd 2014
1 decade ago
Web designers never seem to be security-conscious users.
- strength maximum ... why? If you do things cleanly, you store a salted hash and the rest doesn't matter. Same for no-space/no-special-character restrictions.
- copy/paste forbidden. Sometimes you can get past it by disabling JavaScript, sometimes not.
- yeah, changing the password is hard to find. Just did it for eBay and it's clearly not a 1-click step.
- as for security questions, I usually put password-like answers which are also stored in my password safebox (KeePassX), but once I found it was not recognized: not sure if there was some string encoding which changed or whatever (special characters stripped or not recognized?) but I had a hard time resetting my password through customer service because of that. => That's the time when you think a regular check of the reset process would be appropriate, like too many things which are in best-effort mode.
I also enabled more and more 2FA but strangely, it seems to stay uncommon in North America, at least in the consumer space.
In Canada, there is no 2FA used for bank transfers or online payments, compared to Europe (at least France) where it's almost all the time.
See http://twofactorauth.org/ but it's still a bit too US-centric and doesn't say what is the enforced / default / most used option. I would suppose it's clearly not the most used for now.
And if a NAS manufacturer like Synology can use Google Authenticator, why the hell couldn't banks, retailers and others...
Anonymous
May 22nd 2014
1 decade ago
lastpass.com and passpack.com support two-factor authentication using Yubikeys and it's really easy to support them in your own network too.
I'm not affiliated with Yubico, just a happy user of their product.
Anonymous
May 22nd 2014
1 decade ago
The other big conclusion? It'd be nice if more sites
implemented two factor authentication - that way a password
breach wouldn't be such an emergency or such big news.
-------
I'm not sure that this ends up being a good idea, since many people reuse passwords for multiple sites.
If a 2FA site gets their password database stolen, the site owners may decide to postpone or even refrain from asking users to change their password. After all, the "other factor" mitigates the risks while admitting a breach is (commercially) embarrassing and may involve a lot of help desk work.
Anonymous
May 22nd 2014
1 decade ago
To add to the issue, different sites have different password requirements. Some sites require this-and-that while others still don't allow special characters (like Fidelity) since they claim that allowing special characters in passwords makes them more vulnerable to SQL injection. So then you are stuck with not only trying to have different passwords for every site, but dealing with different password requirements as well. It's absolutely ridiculous.
I don't usually like regulation. But I think we are at a point where the government needs to step in and enforce a universal password compliance standard... so we can at least move beyond the different password requirements with every site. Because right now when it comes to passwords, it's truly the wild west out there... anything and everything goes.
Anonymous
May 22nd 2014
1 decade ago