Password Re-user? Get Ready to Get Busy (krebsonsecurity.com) 119
Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.
How do they know they are the same? (Score:1)
Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless you have the resources to brute-force them.
Granted, Sony were caught using plaintext passwords in one of their three SQL injection attacks. But these others?
Re: (Score:1)
Surely everyone is hashing the passwords, using different salt etc?
HA HA HA HA
Re: (Score:2, Funny)
I think you meant "dadada"
Re:How do they know they are the same? (Score:5, Informative)
Surely everyone is hashing the passwords, using different salt etc?
Bwhahahahahahaha You're assuming that these companies have good security practices. How do you think they got hacked in the first place?
Re: (Score:3)
Surely everyone is hashing the passwords, using different salt etc?
Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?
Re: (Score:1)
Surely everyone is hashing the passwords, using different salt etc?
Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?
Hillary, is that you?
Re: How do they know they are the same? (Score:1)
Bath salts for sure
Re: (Score:2)
Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin,
Re: (Score:1)
You got it backwards. Linkedin's passwords could be decrypted, Netflix would just have to compare them to what they have on file since they can hash it with their own salt.
Re: (Score:2)
No, that seems silly, Netflix can verify a username/password combination as "valid" or "invalid" while their passwords are salted and hashed.
Re:How do they know they are the same? (Score:5, Informative)
Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless you have the resources to brute-force them.
The password lists aren't encrypted. They are in the form of: login_id:password (ie: bob@example.com:example)
What Netflix, et. el. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password"
Re: (Score:2)
/"golf clap"
I love that you are making sure that the parser handles the whitespace properly... ;)
Re: (Score:1)
Re:How do they know they are the same? (Score:5, Informative)
At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix et al. to run the lists through their hashing algorithm and see if it gets any hits against their users.
LinkedIn was employing a fast hashing algorithm with no salt back in 2012 [arstechnica.com] when their database was stolen. Which is about one step better than plaintext, given that an attacker can hit it at full speed and can crack them en masse because of the lack of salt.
MySpace apparently began employing doubled-salted hashes in 2013 [myspace.com], but the login credentials that leaked were ones that hadn't been used past that time, so MySpace hadn't been able to update them to be more secure since it sounds like they were employing simple hashing prior to that.
As for Tumblr, they said they employed hash+salt on the database that was leaked [inc.com], so it should indeed take awhile before anything besides commonly-used passwords start showing up from it.
Re: (Score:2)
At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix
When I started getting email from Linkedin from friends who were on it, I thought okay. But when I went ot sign up they said they needed my email login and password,
Apparently a lot of people are stupid, and at least with Linkedin, you already gave them the keys to the kingdom.
Centralized password management (Score:2)
Re: (Score:3)
Re: (Score:2)
And is keepass safe now with the latest news?
Depends whether you put the whitespace before or after the "p".
Re: (Score:2)
This might push most people to centralized password management. Yes, i know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.
Keep Ass? Sounds great!
Both awesome and sad (Score:4, Interesting)
Re:Both awesome and sad (Score:5, Interesting)
Sad that theres so much password reuse
It isn't sad, it's unfortunate that we have to avoid reusing of passwords.
I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords. I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.
If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now;.
Re: (Score:3)
Sad that theres so much password reuse
It isn't sad, it's unfortunate that we have to avoid reusing of passwords.
I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords. I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.
If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now;.
I keep track of over 200 passwords, using a password manager. Why aren't you?
Re: (Score:2)
I use RoboForm and it runs on all major platforms including Windows Mobile, iOS, Android, Windows and MAC as well as all major web browsers.
No need to load anything on your company computer. Just use your phone to view the password and type it in.
Re: (Score:2)
I still don't think it's a reasonable solution for the masses.
Re: (Score:2)
>I keep track of over 200 passwords, using a password manager. Why aren't you?
So you effectively share one password between all sites? Or do you use another method to secure your password manager?
Each site has a different password that is very long.
The password manager requires some credentials to open up.
Then the password can be copied and pasted. No typing required, which prevents keyloggers from grabbing passwords being typed.
Re: (Score:2)
I keep track of over 200 passwords, using a password manager. Why aren't you?
And when that password manager's security flaw gets hacked, bad actors now have access to all 200 passwords.
The would need to get the encrypted password file to do that. The password manager isn't and online service. It's a locally running program. This vastly reduced the attack surface or the password manager. I don't use online password managers, because the risks of flaws being exploited are much greater.
Re:Both awesome and sad (Score:5, Insightful)
You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security [engadget.com]?
Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach [krebsonsecurity.com]?
Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once.
Re: (Score:2)
>Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?
They lost control of the password reminders and email addresses. My email addresses are out there and have been since forever, and the next oldest (the oldest was on conan.ids.net) is still active, BTW, on TMOK, which forwards to gmail, which forwards to protonmail.
My password reminder is simply "printer"
Guessing which brand and model number is impossible.
I'm going to continue using Lastpass.
--
BMO
Re: (Score:2)
For Joe User, a password "hint" often means either the password itself, or something so trivial as to make it as good as cracked (like "wife's birthday") with publicly available information.
Re: (Score:2)
Re: (Score:2)
>How many combos can there be?
Tens of thousands at a minimum. My history goes back the earliest home 9-pin dot-matrix and line printers. You know, the things in noise cabinets that impact printed whole lines at a time, 600 lines a minute.
I've had more than a few to choose from.
But then it takes a few seconds for each one to be tested by the lastpass server, as the validation loop isn't instantaneous. It's better to just run a username / password combination list using the top 100 most-used passwords,
Re: (Score:2)
Yes Mr Epson FX-82.
Re: (Score:2)
You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?
Apparently... This issue has been addressed [keepass.info] now by the developer, a testing version of the fix is available and is undergoing testing, and the security recommendations made will be included in the next version of software. There is already a digital signature included in any update that should raise a flag if anyone were to download a bad file from an insecure source.
I'm not sure what the whole story is (and don't really care enough to read through the endless internet commentary to find out), but it sou
Re: (Score:2)
As a geek, I would agree with you. As a human - The solution people actually use will always beat the "best" one they don't.
Not only don't most people check signatures, but when an automated system explicitly warns that the signature doesn't match, most people just swear at the vendor for their buggy crap and click "do it
Re: (Score:2)
I keep track of over 200 passwords, using a password manager. Why aren't you?
Technology people who think security challenges should be unreasonably transferred over to end users live in a bubble. It's our responsibility to provide reasonable solutions to large problems such as security. Expecting end users to manage password lists is unreasonable. Teaching them how to use a mobile device to receive authorization codes is probably the most reasonable compromise I think of. Facebook, Google, Microsoft have all applied this option to account authentication and I find it reasonably simp
Re: (Score:2)
You are talking about what might be, rather than what is. Most web sites don't support federated logins or biometrics or anything other than a password that they may or may not handle well.
I dislike passwords as much as anyone else and I'm aware of better solutions that lead to vendors making god security choices by default. But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen.
In the meantime, a password manager is an effect
Re: (Score:2)
You are talking about what might be, rather than what is.
The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now we just need to force it down end user's throat. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.
But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen
You nailed it.
In the meantime, a password manager is an effective tool.
And as long as that's the means, only a small percentage of
Re: (Score:2)
You are talking about what might be, rather than what is.
The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now we just need to force it down end user's throat. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.
But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen
You nailed it.
In the meantime, a password manager is an effective tool.
And as long as that's the means, only a small percentage of users will comply with "the correct way to secure yourself".
This is the way the world is. It's not good. The results are apparent.
Maybe we can go to the IETF and get the browser vendors to uniformly adopt an auth scheme with cipher elimination, ZK, blinding and support for cards and biometrics to replace passwords? Oh wait, that's already been tried time and again and nothing has happened. It's been long enough that it looks more deliberate than mere organizational inefficiency.
Re: (Score:2)
Because ultimate point of failure. Next question.
One reasonably well protected point of failure, vs 200 horribly poorly defended points of failure where the failure of one compromises the others.
The password manager makes is feasible to have every password be different and strong. This addresses the common case.
If you want to better defend your password manager, try 2FA or a yellow sticky note under your eyelid.
Re: (Score:2)
If we could trust all entities to secure their shit then we could all use one password
I like the idea of being able to use one password even though it's a terrible idea.
Re: (Score:2)
I like the idea of being able to use one password even though it's a terrible idea.
Human nature fails to allow computer security to work even if every single device and service is 100% safe. I would never recommend one password for all but I think most people can easily manage 3 - 5 passwords. Biometric offers the best "password" available with the most ease of use. Injuries = failure to login but that's why the good biometric solution I've seen offer two biometric signatures.
Password input will be a story of the past within 15 years. Unfortunately we are still dealing with a large number
Re: (Score:1)
And what happens when the biometric 'password' is leaked. You cannot change it.
Re: (Score:2)
I know I didn't mention it in this post but I did mention in other posts that authentication codes are critical to any password protection. The usage of said code can be partially automated. I see the mobile device being the point of authentication. It's the most logical place for it at the moment.
Re: Both awesome and sad (Score:1)
Re: (Score:2)
It's a shame most of them don't support Two Factor Authentication, or if they do it's via their own app only which I don't want to install on my phone. Support RFC 6238.
Re: (Score:2)
Re: (Score:2)
I re-use passwords all the time. The problem is that people don't know an important password from an unimportant one.
Tumblr? MySpace? Forums? I use irrelevant, weak passwords. There's nothing there that I really care about. Even LinkedIn falls under that rubric--I'm not sure I'd care if someone else were getting that spam instead of me.
Some sites I prize a little more highly. They get a better password, maybe shared, maybe not.
Then there are sites that hold information that I'd rather keep to myself--credit
Re: (Score:2)
Sad that theres so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.
In this day and age, there's no excuse for password reuse because why not use a password manager. That said, password reuse *shouldn't* be a problem. Client-side salt + hash, encrypted session so the hashed password doesn't go down the wire in plain text, second hash server-side for storage + verification. The server you're connecting to shouldn't be able to TELL what your password is, the salt makes it so that an unscrupulous employee can't use a rainbow table to figure it out (or even determine if the
Finally security done the right way (Score:5, Insightful)
Re:Finally security done the right way (Score:4, Interesting)
Not exactly "security done the right way".
This is mitigation.
Netflix gets the username/password list AFTER the bad guys have put it up for sale. What other bad guys have also purchased it? What other sites have you used that password on?
Not really. The users will just keep modifying their passwords until they pass your checks. Then they'll have a "good" password that they'll re-use on multiple sites.
It all comes down to how the password will be cracked by the bad guys. That's why re-use is the main concern. Because that means that the bad guys only need to try ONE password for your account on other sites.
And they've scripted those attacks. They can hit thousands of sites in seconds once they have your re-used password.
That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.
Re: Finally security done the right way (Score:3, Insightful)
Re: (Score:1)
You would use the fob the same way you use it with a computer. You enter your password, and you enter the number displayed on the fob to log in to the system the fob is configured for.
There is even an app that turns your android phone into an RSA key fob:
https://play.google.com/store/... [google.com]
Re: (Score:2)
That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.
Two factor authentication does not prevent password reuse. It may prevent an attacker from using compromised credentials, but "password reuse" refers to a person who chooses to use the same password across multiple accounts.
Re: Finally security done the right way (Score:1)
Try talking to average users. You will soon stop caring about helping them.
Re:Finally security done the right way (Score:5, Interesting)
Re: (Score:2, Informative)
Easy enough to find out. Check your email at haveibeenpwned.com
It will tell you what breaches have contained your email
Re: (Score:2)
Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.
Krebs suggests that Facebook et al are checking for password reuse, but this isn't necessarily the case. They can simply force a reset on the account with the same email (or other ID, I suppose) without bothering to check their own hash for reuse of the compromised password.
This has several added benefits: It gives them an excuse to force their users to update their passwords and it provides an additional channel of communication to affected users that they might want to check all their accounts.
Re: (Score:2)
users did not make the "mistake" of reuse (Score:1)
Re: (Score:2)
Non-password-reusing Slashdotters don't get to "get busy" -- but we already knew that!
Depends on the data you want to protect (Score:5, Interesting)
Re: (Score:2)
Re: (Score:1)
how is the burden of proof on you anymore than if someone created a fake account in your name?
Since these compromises are years old... (Score:2)
...Obvious question is, are they going to also forbid any other passwords that have ever been leaked elsewhere? And what happens when every major site has been compromised and all its accounts shared online? Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.
Re: (Score:2)
It really only applies to major sites that you want to protect. You really should be using unique and hard passwords on sites like Facebook and Netflix or anyplace that might have your credit card number (and change them on a regular interval). Password safes are your friend
Other sites where all you provide is a user handle so you can comment on someone's blog, who cares?
Re: (Score:2)
Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.
Why will it be unworkable? For 32 character passwords, and 100 possible characters (upper, lower, numbers, punctuation) the number of possible passwords is a billion times the number of atoms in the sun. Even if you stick to passwords that are mnemonic, the number of possibilities is still astronomical.
Great, and that won't be too annoying (Score:2)
...At some point, having a password exposed one place will make it ineligible to be a password--anywhere, for anyone. I'm sure that won't be too massive of a pain in the ass. Not at all.
Wait..... (Score:2)
Hold on a second:
Wouldn't that mean that facebook and netflix are keeping their users passwords in plain text instead of salted hashes?
How could they find out who used the same credentials at linkedin?
Or is everyone using the same salt???
Re: (Score:2)
For LinkedIn, the problem with the credentials that were leaked by hackers is that they were not stored securely with proper salt. Within a few days of starting on it, security researchers cracked 78% of the passwords resulting in almost 50 million unique passwords. Attackers undoubtedly did the same over the years since the breach. This gave attackers millions of actual passwords to use in future attacks. As for how Netflix and Facebook can tell you are using the same password, they could get the list of c
Re: (Score:2)
ok,thanks.
Wait a damn minute... (Score:1)
How the hell does Netflix know you re-used your password on other sites? The salted hashes should be different for each site, even if the same password is used.
Password Complexity Limits (Score:1)
Today I had to sign up for an online pay account at my State's version of the IRS.
I tried to use a normal complex password like I normally do, which is anywhere between 20 and 30 random characters, numbers, and symbols. The website threw an error and said the password had to be between 6 and 10 characters long, and contain only upper and lower case letters and numbers.
What the fuck kind of shit is that? I canceled the sign up and wrote them a paper letter stating that I would use their online e-pay system w
Re: (Score:2)
Yeah, until recently, one of my credit card accounts didn't allow special characters. You'd think a bank would do better than that.
Insecure passwords are fine (Score:2)
Not every site that I use is important enough to need a secure password.
TOTP apps can reduce password exposure (Score:2)
As I understand it, apps can reduce but not completely eliminate password-related security exposure. When your client side app connects to a web app, the web app needs some way to know that the client app is acting on your behalf. Sometimes this is accomplished using a TOTP app [wikipedia.org] such as Google Authenticator, but then a web app still needs some way to associate a TOTP key with your account in the app. How is this done other than through a password, especially in case the user loses the device with the TOTP ap
Re: (Score:1)
Passwords should be encrypted and then stored in a database. From that point on when the password is entered it is encrypted in the same fashion and the encrypted result compared to the result in the database. There is NO need for any web site to know what password you use.
Re: (Score:2)
Passwords should be encrypted and then stored in a database. From that point on when the password is entered it is encrypted in the same fashion and the encrypted result compared to the result in the database.
If by "encrypted" you mean "hashed thousands of times with salt", I agree. But a web app still needs to know this hash value in order to authenticate you by hashing the password you entered and comparing it to the stored value. I think part of app guy's point is that the very existence of such a password can lead to a weakness in authentication. But until there's a recoverable "something you have" factor that doesn't involve paying a cellular carrier per received text message or per month for an unlimited t
Re: (Score:1)
If you use apps to app apps instead of LUDDITE passwords, you'll be 100% appy and hackproof, since LUDDITE hackers are too stupid to know how to app an app!
Apps!
I love you, Anonymous App Guy...if I see a slashdot article without your app comments then I know it's not worth reading. I'm even thinking of naming my next child "App" in honor of you. If I could get a sex change with a functioning womb, I'd offer to have your child. That's how much I love you, Anonymous App Guy.