In a funny (scary?) case of coincidence, the password problem got highlighted in TechMeme just weeks after I came under an attack that caused me to rethink my password strategy. My login credentials got compromised at a Gmail account that I only use for mailing lists; I fixed it soon, no harm done. Two months earlier my eBay account got hijacked, and while I was p***ed at eBay for not doing anything about it, again I could regain control and changed all related accounts (PayPal, etc.) before suffering any consequences.
Then I started to think: what’s the point in stealing an account at a site like, let’s say, photo sharing? The hijackers really can’t benefit… or can they? Then it hit me: I am (well, I was, until that point) just like 61% of Internet users, using the same userid/password combination on all sites. The purpose of attacking not-so-critical sites may just be to harvest login credentials, which the bad guys can then feed to their bots to try on all sorts of financial sites. Oops… now I had a crisis. Needless to say, I spent the next half day researching the subject and changing my login credentials.
Now, while I am fairly opinionated, I am by no means an expert on Internet security best practices, so instead of trying to dispense advice, I am opening the subject to discussion, and hope to get some real feedback. Here are some of the options we all have:
- Use the same, or very few, userid/password combos on all sites, so we can remember them without having to write them down or physically store them in any form. This may not have been that bad years ago, when we all accessed fewer than a handful of sites. With the proliferation of Web usage, this practice has become a timebomb waiting to explode.
- Use some variation of the basic credentials, simple enough to remember the actual “algorithm”, i.e. some characters from the site name combined with your own “standard” keywords. The benefit is that you use different credentials on every site (which you probably would not remember, but can re-construct every time), and still don’t need to record all the passwords. The weakness is that once the bad guys get hold of two-three sites, they can pretty much figure out your simple algorithm.
- Use different credentials on every site, preferably strong ones. The benefit is obvious, very secure, but it would be impossible to remember, so you would need to record them somewhere, whether on paper or electronic form, which itself is a huge security risk.
- Use different, strong credentials, and use a “password manager” system. There have been a number of client (PC) based solutions, or ones that store your information on a USB stick, but I don’t want to depend on anything tied to a physical location/device. I am experimenting with Web-based solutions, but am not fully convinced. OpenID got a huge boost today, with Yahoo adopting it. The system I am trying out is PassPack: here’s why Passpack’s founder thinks her solution is significantly different from OpenID. I can tell you it’s a hell of a pain to log in to PassPack – I guess it’s supposed to be that way. But other than the inconvenience, whether it’s Passpack, OpenID, or any online system, I am worried that if the info there ever gets compromised, it will expose everything.
With that, I’d like to turn this over to the security experts (I hope I have some amongst my readers). What do you think? What’s the ideal Web-login policy?
Update: How could I not think of this? (via Web Worker Daily)
Related posts: ReadWriteWeb, The Guardian, TechCrunch, Jeremy Zawodny’s blog, InfoWorld, Mark Evans, Compiler, CyberNet, Identity Woman, WeBreakStuff, Mashable!, Ars Technica, and many others.
Most likely, the bad guy is not targeting you, and doesn’t have time to try your specific combination algorithm on your specific password. They’ll just use the list to brute force their way into as many accounts as they can, and ignore the rest. Variations are not that bad.
For significant sites, a password management tool would allow you to use long cryptic passwords that are hard to brute force, but also impossible to remember, and let you encrypt the password list itself.
Oh, yes, that’s what I meant, perhaps I wasn’t clear: use bots to acquire login credentials from “low-stakes” sites that are perhaps less protected, then also use brute force to try those very same credentials on financial sites.
The thing is, there are so many techniques being used by professionals with large computing power, that I don’t feel any password you can remember is good enough. The ones I use are large sequences of random letters, numbers and symbols, impossible to remember (unfortunately) but hard to crack.
For low stake sites, variants are good enough. If you’re worried about someone stealing NYT passwords and using them to hack WSJ subscriptions, I think a variant is good enough protection. They won’t try that hard.
But the most important thing to remember is that “low stake” is very subjective. I don’t use Flickr enough to care for a crypto-strong password there, but if you’re a professional photographer with a strong presence there, you should be concerned.
The two questions to ask are:
1. Would an account compromise hurt me in any way? Even if it’s just a spambot uploading porn to your blog, or someone impersonating you on Twitter.
2. Would someone target my account directly? Spambots go after low-hanging fruit, but if someone is targeting you directly, they’ll focus all their resources on a single account.
Password managers, as painful as they are to use daily, are much less painful than cleaning up the damage.
Assaf,
Separating low/hi-stakes sites makes sense to me. As for password managers, if not entirely controlled by you (e.g. on PC, USB stick, etc.), but on the Web, what do you think of the risk of the service being compromised?
Thanks!
If you take PassPack for example, all the data is strongly encrypted on their servers and in transit, so I’m not worried about their servers being compromised … the data is useless to hackers.
PCs and USB keys can be stolen, lost, or hacked into when you leave the room (or if you’re running some network services, even when you’re in the room). And most people don’t encrypt their home directory, password lock their computer, or even close their password manager after using it.
I’m a big fan of PassPack for one reason. It’s annoying as hell to use, but only because they force you to follow security practices. The login procedure is complicated for a reason, as is the auto-logout. And by taking you to the login form, they prevent the accidental typing of passwords in clear text, when you focus on the wrong field.
So in terms of usability, they’re much more secure than other password managers I tested, which let you break all the rules. Only downside is that you can’t use it offline, otherwise, I’d say go for it.
Assaf,
I guess the “golden path” is then:
– separate low/high stakes sites
– variation for low stakes
– PassPack for high stakes (i.e. financial sites).
This feels like a reasonable compromise to me: I don’t log in to the financial sites too often, and avoid the PassPack annoyance with the others.
I’ll wait a bit for other feedback, then update the post.
Thanks:-)
Hi all,
Tara from PassPack here. Wow, I knew we had some user interface changes to make (in the pipeline) but you seem to have a really strong reaction.
Can you guys point me in the right direction — what is the part you find most annoying about using PassPack? I’d like to find it and make it better for you.
I use PassPack daily and know what *I* want to change, but getting your feedback would be really helpful, especially since we have an update coming up.
Thanks! Much appreciated.
Cheers,
Tara
Tara, I only used PassPack briefly before reverting back to KeePass.
Some suggestions for improvement:
1. Use my e-mail address, not login name. I rely on password managers to remember all the different login names.
2. Remember me on my main computer, so I don’t have to enter my login name. It’s annoying and doesn’t add security.
3. Allow for login with a short password, see below.
4. With that password I should be able to view most items and create new ones, no need for a second password (packing key).
5. Use secondary, longer, password for accessing high stake credentials, the ones I’m really protective of.
6. Quick copying of passwords to clipboard. I like how in KeePass I can click on an item, and Ctrl-C to copy the password to the keyboard.
Most of my passwords are not for bank accounts or anything sensitive, they’re for accessing hundreds of not-that-important sites, so they don’t need to be guarded closely.
The weakest link for most passwords is my e-mail account: you can use it to retrieve lost passwords. By being more demanding than my e-mail login, PassPack annoys but doesn’t make me more secure.
It needs to be really simple to access credentials for low-stake sites, and only get insistent for high-stake sites.
If you think there is no problem with one trivial site being compromised, just think of the single red paper clips story. A hacker could use the cred they gain from access to one account to verify their identity in a more substantial part of the net, gradually working their way up till you suddenly notice this b*st*rd has taken over your domain, hosting, website and is moving in your bank account and patting your kids on the head.
db
For Windoze boxes I use Roboform and Roboform2Go. It generates passwords and saves forms and notes with encryption. GoodSync (by the same company) lets you sync your local machine with your memory key. I have no complaints except that they don’t make a version for Linux! Does anyone know of a similar solution for Linux? I have tried other password managers but none matched the ease of use that Roboform provides.
A second for RoboForm2Go. It’s a sanity-saver. After wrestling with this growing frustration for years, this finally gave me a workable solution. Great little app. Even imports all of your saved logons from Firefox or IE. I found logons I’d long forgotten.
I use both OpenID and PassPack and think they’re both great… if a site has OpenID, that is my first choice, but not everyone supports it yet.
In those cases I use PP, or for many passwords for things that cannot possibly accept OpenID (my SIM card encryption passcode).
Besides, you need somewhere to keep a copy of your OpenID password.
@Assaf “Use my e-mail address,”
There are some people that think it’s better not to expose info like that from a username.
You could of course set your username to be the same as your email address.
The reason AFAIK for this is that some people think it is better not to expose info like an email address from the username, since your username is known by PassPack.
It probably doesn’t really matter, but your username is only encrypted once – between you and PassPack. That means if someone cracked the HTTPS encryption (extraordinarily unlikely, I know) then they could see your username. PP is great because even in that unlikely circumstance, your private data is still secure!
One option you might like is that the next version should support OpenID authentication, so instead of a username and pass, you would just enter your OpenID url.
To view your password store you still must enter the packing key, but this should effectively make login a one-password one-click login.
So to reiterate: use them both
(sorry for the double post)
@tom My e-mail address would also be known to PassPack. If not, that is something to worry about. It may be extremely unlikely, but if there’s a security breach, I want to be informed.
My e-mail address travels over SMTP, unencrypted, so I’m not too concerned about the unlikely event that someone cracks it while traveling over HTTPS.