
Urgent security warning that may affect all internet users - mazsa
http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/
======
orofino
The question for us, as technologists, is what are we doing about this?

2FA is nice, but not the end-all, be-all. OAuth has largely failed to gain any
reasonable traction. Using Facebook login means Facebook gets to track me as I
move around the web.

Our users reuse passwords, primarily due to the proliferation of dozens or
often hundreds of online accounts that a single individual has. We can't
expect people to use password managers (they're complicated and then
centralize everything into a single point of failure). Forcing people to use
crazy passwords just results in weaker passwords.

I was hopeful that something like Persona from Mozilla would catch on, but
that has failed. Where are we with replacing the password? It is flawed
technology.

On top of this we have the compounding factor that our systems are more
complicated than ever and it appears that they're simply impossible to secure.
Too many layers exist with too much code. Many sites just don't bother with
even hashing passwords, meaning those of us that care are just kind of throwing
our hands up and saying "well it wasn't my site that was compromised, so it
isn't my fault". All the while, bad guys walk in the front door because we've
decided to ignore the reality of the situation.

I know I'm not providing a constructive alternative here, but I'm a bit
ashamed that we've even let it get this far. We're failing those that rely on
our systems. I don't have the answer, but would love to hear some ideas about
what can be done.

~~~
drewcrawford
> Where are we with replacing the password?

The state of the art of the technology, in my opinion, is GRC's SQRL:
[https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

However I think you have captured something essential in the idea that Mozilla
Persona "failed to catch on", and it wasn't, as far as I can tell, for
technical reasons.

The real problem is that any change from the username/password system has a
cost (in programmer hours, and support retraining, etc.) and so long as
"nothing is broken" it is hard to justify diverting funds from features that
are customer-visible to providing a defense against an attack that is arguably
the user's fault anyway (password re-use).

To me this issue is sort of a monument to the strange insincere lipservice we
pay to technology and technologists. Of course technology is business-critical
and of course we work to hire the best and brightest, etc. But somehow
organizations keep storing passwords in plain text in spite of the fact that
engineers who work there know better.

~~~
dingdingdang
> The state of the art of the technology, in my opinion, is GRC's SQRL:
> [https://www.grc.com/sqrl/sqrl.htm](https://www.grc.com/sqrl/sqrl.htm)

This idea SERIOUSLY needs more attention, Steve is basically presenting a
complete blueprint for how to do web login security right on everything from
smartphones to desktops. A startup could run this implementation-wise and if
the hype was right it could be a massive hit.

------
ted0
Hey all, Teddy from Namecheap here. Happy to answer any questions here or at
ted@namecheap.com.

As always, we advise turning on 2-factor authentication on your account.

~~~
lobster_johnson
OT, but why is it that providers like Namecheap implement 2FA but not
organizational team support?

If I set up 2FA, only my device can log in. If I become unavailable for some
reason, none of my team members can access the account. The only way to do
this is for all team members to do the 2FA setup at the same time, which I
believe will seed the generator so that they will all produce the same
sequence of tokens. But that's just unacceptable. It's like renting an office
and only getting a single key.

I find it amazing that in this day and age, most providers still conflate the
concepts of "login" and "account". I log _into_ an account; that login is a
set of credentials giving me access, but one account obviously must support
multiple logins.

Without a clean separation, you turn employees into single points of failure.
Shared account credentials are a potential security risk. And it makes it
harder to lock out employees who leave the company once given access. And of
course, it makes auditing harder because you just have the IP.

Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS
and iWantMyName, all set up like this. Cloud-oriented providers like Digital
Ocean and Mailgun, same problem. AWS does the right thing.

~~~
ted0
We actually have a little-known feature, which allows you to grant domain
modification rights to other Namecheap users.
[https://www.namecheap.com/support/knowledgebase/article.aspx...](https://www.namecheap.com/support/knowledgebase/article.aspx/192/46/how-do-i-grant-some-modification-rights-to-other-users)

You can also add other phone numbers to your 2FA preferences, although I can
understand if that's annoying for your colleagues if everyone is getting an
SMS on every login.

~~~
prawn
(Namecheap user here. Just set up 2FA.)

Could you have people adding multiple phone numbers to the 2FA process and
then allow someone to set their preferred, whitelisted number for the SMS?

I need to grant access to a second account to purchase services on my behalf.
Does your solution of granting domain modification access work in that case or
are we going to have to deal with the SMSes?

Also, is there a plan to upgrade the internal tools that don't match the newer
public design? It's pretty jarring.

~~~
ted0
The new account panel / internal tools are in development and will roll out
soon.

With the existing 2FA, you can set a primary or disable a number without
deleting it. This could work for what you're describing.

------
Negitivefrags
As someone who runs an online game we find that a huge percentage of our users
arrive pre-compromised.

Vast quantities of people wander around from site to site using the same
email/password combo that has been compromised a long time ago.

We do a GeoIP check now and send an email with an unlock code any time someone
logs in from a different city than last time. This reduced the account
compromise problem significantly. Most of these pre-compromised people have a
different password on their email at least.
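The check described above (hold the login and mail a one-time unlock code whenever the GeoIP city differs from the previous login) as an added example in Python; this is not the game's own code. The GeoIP table, account store, network ranges and `CODE_TTL_SECONDS` are constructed assumptions standing in for a real GeoIP database and user store.

```python
"""Login-location anomaly check with an out-of-band unlock code (added example).

A login from the same city as the account's last login is allowed directly.
A login from a different city is held, and a one-time numeric code is generated
for delivery by e-mail. Only a hash of the code is stored, with an expiry.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed GeoIP table (network -> city); a real deployment queries a GeoIP db.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "Auckland",
    ip_network("198.51.100.0/24"): "Berlin",
    ip_network("192.0.2.0/24"): "Chicago",
}

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime of an unlock code


def geoip_city(ip: str) -> str:
    """Map an address to a city using the constructed table; 'unknown' if absent."""
    addr = ip_address(ip)
    for net, city in GEOIP_TABLE.items():
        if addr in net:
            return city
    return "unknown"


@dataclass
class Account:
    last_city: Optional[str] = None
    # pending unlock: (sha256 hex of the code, expiry timestamp, city that triggered it)
    pending: Optional[Tuple[str, float, str]] = None


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def attempt_login(acct: Account, ip: str, now: Optional[float] = None):
    """Return ('ok', None) when the city matches the last login, otherwise
    ('locked', code). The clear-text code is returned only so the caller can
    e-mail it; the account record keeps just its hash."""
    now = time.time() if now is None else now
    city = geoip_city(ip)
    if acct.last_city is None or city == acct.last_city:
        acct.last_city = city
        return "ok", None
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = (_hash_code(code), now + CODE_TTL_SECONDS, city)
    return "locked", code


def confirm_unlock(acct: Account, code: str, now: Optional[float] = None) -> bool:
    """Accept the code once, before expiry; on success the new city becomes trusted."""
    now = time.time() if now is None else now
    if acct.pending is None:
        return False
    digest, expiry, city = acct.pending
    if now > expiry:
        acct.pending = None
        return False
    if not hmac.compare_digest(digest, _hash_code(code)):
        return False
    acct.pending = None
    acct.last_city = city
    return True
```

Two details worth keeping in a real deployment: the code is compared with `hmac.compare_digest` and stored only as a hash, and a login from the previously trusted city still succeeds while a challenge is pending, so a single bad-geolocation event does not lock the legitimate user out. Addresses the GeoIP database cannot place all collapse into one "unknown" city, so a production version should treat that case as a mismatch rather than a match.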

~~~
SomeCallMeTim
As someone who plays online games, I get really, really annoyed when I'm
forced to create a password to log in.

ALL non-secure online sites that need to identify users should allow for
Google or Facebook authentication, or I will never try to access the game from
my phone or tablet.

I refuse to use the same password everywhere, but that means I have a password
vault _on my computer_. If I need to create a password and I'm on my phone, I
simply click "close" (and uninstall if necessary). I sympathize with those
"precompromised accounts," given that it's such a user interface failure (not
to mention arrogant) to require a new password for every single little
service/game/whatever.

OTOH, if I can "login with Google" and/or Facebook, both of those are already
authenticated on my phone, and through the magic of OAUTH I can securely
connect to your game without needing to generate a password. Certainly having
the OPTION to create a password is fine; there will be people who hate
Google/Facebook/whatever and who won't use them. But not having the option is
an instant fail for me.

Not saying you're doing it wrong, since I don't know what game you're talking
about, but I've certainly encountered many games that have no OAUTH options.

~~~
jwr
Some of us use password managers like 1Password and get really, really annoyed
when we're forced to use Google or Facebook to log in.

There are two sides to this - some prefer convenience and are happy to give up
some control. Others do not want to depend on a third party and want to have
control themselves.

~~~
SomeCallMeTim
I already mentioned that I use a password manager. The problem comes if I have
to create a password on my phone, where I have a read-only copy of the
password vault.

OAUTH is a far better solution in general. If there were a standard
privacy-respecting third-party to replace the Google and Facebook options, I'd
be all over it. But I'll happily let Google know that I'm playing a game in
exchange for not having to manage yet-another-password.

------
junto
Funnily enough there was a HN post yesterday that looked like a phishing
attempt on namecheap accounts:

    Gift HN: Unused domain 'appstores.io' with ~11 months registration left

    Post your namecheap username and I'll pick someone at
    random in 24 hours and push it to the winner.

[https://news.ycombinator.com/item?id=8250981](https://news.ycombinator.com/item?id=8250981)

Maybe it was genuine, but if I had posted my name cheap account name there, I
think I'd want it deleted now.

------
diafygi
> The group behind this is using the stored usernames and passwords to
> simulate a web browser login through fake browser software. This software
> simulates the actual login process a user would use if they are using
> Firefox/Safari/Chrome to access their Namecheap account.

So basically PhantomJS? Or is it more sophisticated than that?

Also, this might actually let me see if I'm in the list, since I will get an
unsolicited 2FA text if they try my account.

~~~
cbhl
My guess would be Selenium.

~~~
jtheory
Doubt it -- that's using _real_ browser software, and I imagine it would also
be way too slow for effective large-scale brute force attempts.

------
saosebastiao
I've seen a huge uptick in spam email the last few days, and although I have
no indication that I've been hacked, I feel as though I should probably fear
for the worst and aggressively change all my passwords from their current
kindergarten security levels. Is there a widely accessible, secure,
multi-platform, free/libre password manager that is recommendable as easy to
use? I reuse passwords because it's easy to remember, and I'm hoping there is
something out there that is light years better than those I found the last
time I tried (2007).

~~~
reitanqild
I've used Keepass for a few years. Takes a little setup (2 plugins I think) to
get form filling on web pages.

I also use lastpass.com for most of my stuff. While not libre it is free and
multiplatform. (I still pay to get mobile sync.)

------
morgante
This is a good reminder that we all need to encourage our friends, family, and
colleagues to not use the same password everywhere. Almost all of them
currently do.

The best solution I've found thus far is getting them to use 1Password or the
like. They still only have to remember 1 password, and the browser extensions
make it trivial to log in different places. If necessary, buy them the
software.

------
scoot
It seems like an API to check compromised account / password combinations
against a database of breached accounts could be useful.

Websites could check users aren't reusing a compromised password either at
account creation, or as a one-time check as existing user log in.

~~~
scoot
If you disagree, please reply with why. Save the downvotes for spam, trolls,
jokes, memes and genuinely off-topic comments.

The concept of securely checking the hash of a chosen password against a
database of known compromised credentials hosted by a trusted 3rd party seems
like a reasonable additional layer of security to me. I'd love to hear
counter-arguments.
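The lookup scoot proposes, as an added example in Python (not a proposal from the thread or any existing service): a service holds hashes of leaked passwords and a site checks a candidate password against it at signup or login. The example goes one step beyond the comment: the client sends only the first 5 hex characters of the hash and the service returns every stored suffix under that prefix, so the service never sees the full hash of a password that is not in its database. The breach list, `PREFIX_LEN`, and the `BreachService` API are constructed for the example.

```python
"""Breached-password check by hash prefix (added example).

Server side: leaked passwords are stored as SHA-1 hashes bucketed by a 5-character
prefix. Client side: hash the candidate locally, ask for the bucket matching the
prefix, and compare suffixes locally. SHA-1 here is a lookup key over an already
public corpus, not a password-storage hash.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # assumed prefix length; 16**5 buckets

# Constructed leak corpus standing in for a real breach database.
CONSTRUCTED_LEAK = ["password", "123456", "letmein", "qwerty", "hunter2"]


def lookup_hash(password: str) -> str:
    """Uppercase hex SHA-1 of the password, used only as a lookup key."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachService:
    """The trusted third party: holds suffixes grouped by hash prefix."""

    def __init__(self, leaked_passwords):
        self.buckets = defaultdict(set)
        for pw in leaked_passwords:
            h = lookup_hash(pw)
            self.buckets[h[:PREFIX_LEN]].add(h[PREFIX_LEN:])

    def range_query(self, prefix: str):
        """Return every stored suffix under the prefix (empty list if none)."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
        return sorted(self.buckets.get(prefix, ()))


def is_compromised(service: BreachService, password: str) -> bool:
    """Client side: only the prefix leaves the client; the match is made locally."""
    h = lookup_hash(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in service.range_query(prefix)


def check_new_password(service: BreachService, password: str):
    """Policy hook for account creation or a one-time login check.
    Returns (accepted, reason)."""
    if is_compromised(service, password):
        return False, "password appears in a known breach; choose a different one"
    return True, "ok"
```

The bucket query is what makes a third-party check acceptable for a site that cares about its users' secrets: a 5-character prefix identifies at most one of about a million buckets, so the service learns neither the password nor its hash, and the comparison against the returned suffixes is done on the site's own side.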

------
randunel
Google cache:
[http://webcache.googleusercontent.com/search?output=search&s...](http://webcache.googleusercontent.com/search?output=search&sclient=psy-ab&q=cache%3Ahttp%3A%2F%2Fcommunity.namecheap.com%2Fblog%2F2014%2F09%2F01%2Furgent-security-warning-may-affect-internet-users%2F&oq=cache%3Ahttp%3A%2F%2Fcommunity.namecheap.com%2Fblog%2F2014%2F09%2F01%2Furgent-security-warning-may-affect-internet-users%2F&gs_l=hp.3..0l4.1863.2917.0.3062.8.8.0.0.0.0.327.1155.0j3j2j1.6.0....2...1c.1.52.psy-ab..3.5.985.0.4xL6TNZG-bs&pbx=1)

~~~
terravion
Thanks for pointing to a cached version. ...strange that the original is
unavailable.

~~~
tamar
The original should be available without issue. Can you please let me know
what happens when you try to access it? What ISP are you using?

Thanks, Tamar from Namecheap

~~~
davidu
Your server is not handling the load.

~~~
tamar
Thanks. Getting a mix of results here - server issues (should be fine), and
404s - but the page wasn't deleted. Not sure what it is but we'll keep an eye
on it. Thanks!

------
MarkMc
For sensitive sites like this, users should not be given the option to use the
same username/password as other websites: the username should be issued by the
site in the form Sally379687 or Fred965912.

~~~
foxylad
What Namecheap do is better - two-factor authentication. Usernames are not
meant to be secret, and forcing users to look up a username as well as a
password is going to be annoying.

Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and
have been impressed. Things like two-factor auth and being aware of and
publicising this attack are all signs of a good corporate citizen doing things
right.

~~~
MarkMc
It would only be better if namecheap _mandated_ two factor authentication.

Giving the user the option to use poor security is like a bank that lets its
customers decide what bank vault to install, then blames its customers when
they are robbed.

------
Gustomaximus
The way I have organised is to have 5 varying levels. This limits the volume
of passwords I have to recall whilst maintaining variety. While there is still
opportunity for cross-use if one is hacked it does create breakage points from
areas more likely to be hacked and avoids a single point of failure. It's
structured something like this:

1) Random sign-ups.

2) Slightly personal information e.g. Hackernews

3) Personal or slightly financial: e.g. mail accounts

4) Financial: e.g. Banking/Share trading

5) Work accounts

I've been wondering if I should expand this to have the same as above but
bring in a component of the URL into the password to create variance for all
but keeping it easy to remember. Does that seem a good method or do people
have better systems?

~~~
elbenshira
Why not just use:

[https://lastpass.com/](https://lastpass.com/)

[https://agilebits.com/onepassword](https://agilebits.com/onepassword)

[http://keepass.info/](http://keepass.info/)

~~~
Gustomaximus
Isn't there greater risk in using these than my method?

My logic: If one of these solutions e.g. LastPass is compromised then I am
compromised across all sites. They may even bypass 2 factor authentication
that goes via my email/messaging. Whereas using my method if one website gets
hacked then I only give access to a segment. If it is worst case and a
financial site is compromised they still don't have the password for accounts
where they could see any 2-factor authentication messages. Does that make
sense or am I missing something?

~~~
voxic11
You are missing something, LastPass and other password services don't actually
store your information in any way they can read them. What they do is store
the password information as an encrypted blob and the public key derived from
your password. When you "log in" you actually are running the key derivation
function on your password locally then signing a message with your private key
and sending that to Lastpass. When they receive the signed message they check
it against your public key and if it passes they send you your password
information. Which you then decrypt clientside. So anyone who compromises
lastpass gets nothing except a bunch of encrypted blobs and public keys. The
only way to get at your lastpass information is to retrieve the unencrypted
copy off your computer's memory, but if a hacker can do that they can just
steal your passwords as you type them in anyways.
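The property voxic11 is describing, that everything derived from the master password is computed on the client and the server holds only an encrypted blob plus something it can check a login against, as an added example in Python. This is not LastPass's code or protocol, and it differs from the comment's description in one way: instead of a keypair derived from the password, it uses a symmetric verifier (a salted hash of an auth sub-key), which is simpler to show with the standard library. The stream cipher is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for a vetted AEAD such as AES-GCM; `PBKDF2_ROUNDS`, the `SyncServer` API, the user names and the vault contents are constructed for the example.

```python
"""Password-manager sync model: server holds a verifier and ciphertext only (added example)."""
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Client side: one slow KDF, then three independent sub-keys.
    'auth' is the only one that ever leaves the client."""
    master = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)
    return {label: hmac.new(master, label.encode(), "sha256").digest() for label in ("enc", "mac", "auth")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream (HMAC-SHA256 in counter mode); stand-in for a real AEAD."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong keys raise ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(keys["mac"], nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc"], nonce, len(ct))))


class SyncServer:
    """Per user: KDF salt, a salted verifier of the auth key, and the sealed blob.
    Nothing here decrypts the blob without first running the KDF on a guess."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        verifier_salt = os.urandom(16)
        self.users[user] = {
            "salt": salt,
            "verifier_salt": verifier_salt,
            "verifier": hashlib.sha256(verifier_salt + auth_key).digest(),
            "blob": blob,
        }

    def salt_for(self, user: str) -> bytes:
        return self.users[user]["salt"]

    def login(self, user: str, auth_key: bytes):
        """Return the sealed blob when the auth key matches the verifier, else None."""
        rec = self.users.get(user)
        if rec is None:
            return None
        expected = hashlib.sha256(rec["verifier_salt"] + auth_key).digest()
        return rec["blob"] if hmac.compare_digest(expected, rec["verifier"]) else None


def client_register(server: SyncServer, user: str, master_password: str, vault: dict) -> None:
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    server.register(user, salt, keys["auth"], seal(keys, json.dumps(vault).encode()))


def client_login(server: SyncServer, user: str, master_password: str):
    """Derive keys locally, prove knowledge of the auth key, decrypt the returned blob."""
    keys = derive_keys(master_password, server.salt_for(user))
    blob = server.login(user, keys["auth"])
    return None if blob is None else json.loads(open_sealed(keys, blob))
```

The point to take from the structure is which values sit on the server: `salt`, `verifier_salt`, `verifier` and `blob`. A copy of that record lets an attacker test master-password guesses offline at the cost of one PBKDF2 run each, which is why the work factor and the strength of the master password matter, but it does not contain the `enc` or `mac` keys and so cannot open the vault directly.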

------
supercoder
"504 Gateway Time-out"

Seems we were all too late....

~~~
oliverdavenport
Google's cache:
[http://webcache.googleusercontent.com/search?q=cache:http://...](http://webcache.googleusercontent.com/search?q=cache:http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/&ion=1&espv=2)

------
AdamGibbins
I get a 404?

~~~
sandis
Permalink results in 404, but the post is still viewable on the blog homepage:
[http://community.namecheap.com/blog/](http://community.namecheap.com/blog/)

~~~
matthewdrussell
Direct link [http://community.namecheap.com/blog/2014/09/01/urgent-securi...](http://community.namecheap.com/blog/2014/09/01/urgent-security-warning-may-affect-internet-users/)

------
yuvadam
Hyperbole much? WTF is this "urgent"? How might this affect "all internet
users"?

A hacker group is trying dictionary attacks. Wow.

Flagged.

~~~
SomeCallMeTim
What you're saying is factually incorrect.

A hacker group has accumulated thousands (millions?) of email+password pairs.
Anyone who uses the same password on all sites could be compromised, even if
their password is 16 characters and random (i.e., immune to dictionary
attacks).

~~~
ted0
Tim is right. The group has actually acquired ~1.2 billion passwords, which is
obviously a widespread breach.

~~~
97s
Does anyone know a list of the sites they got this data from?

~~~
nwh
There have been stories for a while of massive malware infections sniffing
usernames and passwords of infected users. Simply because there's little to
give away that such an activity is going on (i.e., if you were spamming or
mining bitcoin there would be a real-world impact shown immediately) it's
extremely hard to confirm or deny if this is happening and at what scale. In
my mind it doesn't seem unlikely that would be happening though. Combined with
large websites like LinkedIn being compromised, you're looking at a very, very
big problem.

