

Choosing a bad password, the Rebekah Wade way. - jgrahamc
http://blog.jgc.org/2011/07/choosing-bad-password.html

======
16s
I find in talking with people about passwords that most have the "it won't
happen to me" syndrome or the "I'm not that important" syndrome and thus they
feel it is OK to use weak passwords. The last person I spoke with about this
used this logic, "It's not like I work for the CIA. So why bother?"

And always, after their account becomes compromised, they understand that the
bad guys may just want access to resources so they can send spam, or do other
illegal things. Sadly, it seems to always take something like this to make the
point fully understood and after that the person is fully on-board with
password security.

Just my experience.

------
thaumaturgy
So, there are more and more murmurings about this in comments on posts like
this one. I guess I'll kick this one off this time:

Passwords make for terrible security. Non-computer folk just don't want to
devote the necessary headspace required to do it right. Hell, I handle this
stuff for other people all the time, generate on average a few new random
passwords of varying lengths every day, have memorized tons of the buggers --
including some rather ugly ones -- and I'm _still_ not doing it right.

No, I don't know what would be better than passwords.

But I'm looking forward to it when it shows up.

~~~
JonnieCache
I predict that these problems will be finally solved when commodity webcams
are good enough for secure retina/iris scanning.

~~~
robtoo
Unfortunately, this doesn't solve the problem:

To do iris-scanning security, there must be a back-end database with the
characteristics ("fingerprint") of each user's iris.

This database will be secured as strongly/effectively as a password database
because it contains authentication credentials.

Unfortunately, password databases get broken into, and similarly iris
databases will also get broken into.

The attacker then has to simply convert the iris fingerprint back into an
image to replay to the authentication process.

This is probably easier than reversing a password hash (because the
fingerprinting algorithm is unlikely to be optimised against reversing), and
certainly no harder.

(This is assuming untrusted client-side hardware.)

~~~
jbri
Ideally, you wouldn't store the iris fingerprint itself - that's just as bad
as storing a cleartext password today.

Rather, a good solution would involve deriving a (site-specific) token from
the fingerprint and handing it off to the remote service, which then deals
with it in much the same way we expect sites to deal with passwords.

This, of course, presupposes that we can retrieve a consistent and unique
fingerprint from the same iris from various different images of it, and breaks
down if all we can do is check an iris image to see if it matches a
fingerprint.

~~~
robtoo
You appear to be suggesting that the real security benefit would come from
off-loading the authentication process onto a third party, but we can already
do that with password authentication by using OpenID / Facebook Connect /
whatever.

It's not clear how using iris fingerprints rather than passwords really adds
anything other than to increase the risk of a false negative, and introducing
a third party dependency.

(I do take your point about storing a hash of the iris fingerprint, though.
How this would interfere with the matching process is, I guess, outside of both
our areas.)

~~~
jbri
The real security benefit, I guess, is that people don't need to remember
_any_ passwords. The biggest weakness of password schemes is that most people
choose weak passwords that they can remember, rather than strong passwords. If
you could consistently derive a password from biometric data, then that
sidesteps the entire issue (there are no "weak fingerprints").

And if you could consistently derive the key from the biometric data entirely
on the client, then you wouldn't even need an authentication provider, instead
transparently treating the resulting authentication token as a password.

~~~
robtoo
If you use a biometric fingerprint instead of a password you will soon find
that passwords can be changed, but biometrics can't.

If a password database is compromised, you have a problem, but you can change
everyone's passwords.

If an iris database is compromised, you _really_ have a problem.

Biometrics are also susceptible to replay attacks, where sort-of-alternatives
(such as tokens) aren't.

~~~
jbri
Which is why, as I mentioned, you _don't store the biometrics_. You don't even
send them to the remote service.

Hash + Salt on the client, submit the result. Unique salt for each remote
service, and you can change it for a particular remote service if it turns out
they do stupid shit with it.
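
The scheme jbri sketches (derive a per-service token from the biometric on the client, one salt per service, "change the password" by changing the salt), as an added example that is not code from the thread. The 32-byte "template" is a constructed stand-in for an iris code, the service names are hypothetical, and PBKDF2 stands in on the server side for whatever slow password hash a service would use.

```python
import hashlib
import hmac
import os

# Editorial example, not code from the thread. The 32-byte template is a
# constructed stand-in for an iris code; service names are hypothetical.
PBKDF2_ITERATIONS = 100_000


def derive_service_token(template: bytes, service: str, salt: bytes) -> bytes:
    """Client side: the token that replaces a password for one service.

    HMAC keyed with the template binds the output to the service name and to
    a client-held salt, so tokens for two services are unrelated and a token
    leaked by one service tells the thief nothing about the template.
    """
    msg = service.encode() + b"\x00" + salt
    return hmac.new(template, msg, hashlib.sha256).digest()


def server_enroll(token: bytes) -> dict:
    """Server side: store a salted slow hash of the token, never the token."""
    server_salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", token, server_salt, PBKDF2_ITERATIONS)
    return {"salt": server_salt, "hash": digest}


def server_verify(record: dict, token: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", token, record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate one unstable bit in a re-captured biometric template."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def demo() -> dict:
    """Walk through enrolment, login, salt rotation and a noisy re-capture."""
    template = hashlib.sha256(b"constructed stand-in for an iris code").digest()
    client_salts = {"example-forum": os.urandom(16), "example-bank": os.urandom(16)}
    tokens = {svc: derive_service_token(template, svc, s) for svc, s in client_salts.items()}
    forum_record = server_enroll(tokens["example-forum"])

    checks = {
        # Different services receive unrelated tokens from the same iris.
        "tokens_unlinkable": tokens["example-forum"] != tokens["example-bank"],
        # Normal login: same template, same client salt.
        "login_ok": server_verify(forum_record, tokens["example-forum"]),
        # A token stolen from the bank does not work at the forum.
        "cross_service_replay_fails": not server_verify(forum_record, tokens["example-bank"]),
    }

    # "Change the password" at the forum: new client salt, same biometric.
    client_salts["example-forum"] = os.urandom(16)
    rotated = derive_service_token(template, "example-forum", client_salts["example-forum"])
    checks["old_record_rejects_rotated_token"] = not server_verify(forum_record, rotated)
    new_record = server_enroll(rotated)
    checks["reenrolled_rotated_token_ok"] = server_verify(new_record, rotated)

    # Failure mode: one unstable bit in the re-captured template breaks login.
    noisy = derive_service_token(flip_bit(template, 7), "example-forum", client_salts["example-forum"])
    checks["noisy_capture_rejected"] = not server_verify(new_record, noisy)
    return checks


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last check in demo() is the consistency problem raised earlier in the thread: a single unstable bit in a re-captured template produces an unrelated token, so hashing the raw template only works if the capture pipeline emits an exactly repeatable bit string, or an error-correcting step (a fuzzy extractor) sits in front of the hash.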

------
StavrosK
I'm sorry, but when was the last time anyone heard of anyone _guessing_ a
password? Sure, it's a very easy password to brute force, but it doesn't
matter that it's the number of the paper, because nobody would have thought to
try it, along with the thousands of other things it could be, each spelt in a
variety of ways.

It's much more probable that they brute-forced it in microseconds from the md5
hash, which is where the actual weakness is. I will go so far as to say that,
had they used bcrypt, this would have not been broken, because people don't
usually go around gathering personal data about you to try by hand (unless you
have the CIA interested, that is, and then they can get in in easier ways).

~~~
younata
I pulled a machine out of a garbage pile once. Booted it up, it required a
password, I guessed "password" and it logged me in as the CEO of the company.

So, in your case, the last time you heard of anyone guessing a password was
about a second ago.

~~~
klbarry
A college student I know likes to play a certain online game. Some accounts
have items and status symbols that are valuable in-game, but the accounts are
abandoned for years. Some names are even intrinsically valuable (names like
"Sun" or something like that). This college student, at least once a month,
guesses the correct password for these old accounts based on information the
users provided years ago.

~~~
younata
That is far cooler than what I did: your friend actually engages in an
intellectual exercise, I just got lucky with a guess.

~~~
klbarry
Your story is certainly one to remember though (and lucky that it was a
business owner!) I have to say though, it's quite fascinating to watch my
friend work. She would make a gifted detective...

------
crocowhile
And still this is yet another hacking that has little to do with choosing a
bad password but with the use of the wrong algorithm to store it (md5) and
poor implementation of security on the server.

~~~
robtoo
Choosing (one of) your phone numbers as a password really is _all about
choosing a bad password_.

The back-end could be using bcrypt with a ridiculous work factor, and server
security could be state of the art, but choosing your phone number as a
password will always be a poor decision.

~~~
pbhjpbhj
> _but choosing your phone number as a password will always be a poor
> decision_

Always? OK, I've reset my HN password to [one of] my phone numbers. So you can
log in as me now?

No of course you can't. You don't even know how many digits it is, did I
include + for an international number, did I use brackets, hyphens, dots (
_like a French guy_ )? How will you connect my online ID with my phone
number¹?

Once you have my password what are you going to do? Write flames and lose me
karma? I can just start a new account if needs be, nothing lost really.

For many accounts a phone number is probably a good enough password IMO. For
accounts that handle money? No way. For email accounts that receive reset
passwords? Not a chance. For posting drivel on tech chat forums ... it'll be
fine!

\--

¹ If you can I'd prefer you didn't print it.
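
An added example, not part of the thread, that puts numbers on two points made above: StavrosK's that the fast MD5 hash rather than the guess is where the weakness lies, and pbhjpbhj's that an attacker does not know how the phone number was typed. Everything in it is constructed: the victim "alice", her four candidate numbers (01632 960xxx is a UK range reserved for fiction) and the assumption, since the linked post's storage format is not quoted here, that the stored value is MD5 over the name followed by the password. PBKDF2 stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import time

# Editorial example, not code from the thread or the linked post. The victim,
# the salt "alice" and every phone number below are constructed. Salt is
# prepended to the password; that is an assumption about the stored format.
VICTIM_NAME = "alice"
VICTIM_PASSWORD = "+44 (0)1632 960123"


def md5_salted(salt: str, password: str) -> str:
    """The stored form assumed here: hex MD5 over salt || password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


STORED_HASH = md5_salted(VICTIM_NAME, VICTIM_PASSWORD)

# What a few minutes of searching might turn up: several numbers tied to the
# victim, digits only, with the national trunk 0 (all constructed).
CANDIDATES = ["01632960001", "01632960456", "01632960123", "01632960404"]


def phone_variants(national: str, country: str = "44") -> list:
    """Plausible ways one person might type one UK-style number.

    Assumes an 11-digit national number with a 5-digit area code (true of the
    constructed data above); other numbering plans need more split patterns,
    which only enlarges the list by a small constant factor.
    """
    area, rest = national[:5], national[5:]
    local = national.lstrip("0")
    forms = set()
    for sep in ("", " ", "-", "."):
        forms.add(area + sep + rest)                                # 01632 960123
        forms.add(area + sep + rest[:3] + sep + rest[3:])           # 01632 960 123
        forms.add("(" + area + ")" + (sep or " ") + rest)           # (01632) 960123
        for intl in ("+" + country, "00" + country, country):
            forms.add(intl + sep + local[:4] + sep + rest)          # +44 1632 960123
            forms.add(intl + sep + "(0)" + local[:4] + sep + rest)  # +44 (0)1632 960123
    return sorted(forms)  # sorted so the cracking order is deterministic


def crack(stored_hash: str, salt: str, candidates: list) -> tuple:
    """Try every formatting of every candidate number against the hash."""
    attempts = 0
    for number in candidates:
        for password in phone_variants(number):
            attempts += 1
            if md5_salted(salt, password) == stored_hash:
                return password, attempts
    return None, attempts


def seconds_per_guess(n: int = 5, iterations: int = 200_000) -> dict:
    """Cost of one guess under MD5 versus a deliberately slow KDF.

    PBKDF2-HMAC-SHA256 stands in for bcrypt; the point is the ratio between
    the two, not the absolute numbers on any one machine.
    """
    salt, pw = VICTIM_NAME.encode(), VICTIM_PASSWORD.encode()
    t0 = time.perf_counter()
    for _ in range(n):
        hashlib.md5(salt + pw).digest()
    md5_t = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    for _ in range(n):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    kdf_t = (time.perf_counter() - t0) / n
    return {"md5": md5_t, "pbkdf2": kdf_t}


if __name__ == "__main__":
    found, attempts = crack(STORED_HASH, VICTIM_NAME, CANDIDATES)
    print(f"recovered {found!r} after {attempts} guesses")
    cost = seconds_per_guess()
    ratio = cost["pbkdf2"] / max(cost["md5"], 1e-9)
    print(f"md5 {cost['md5']:.2e} s/guess, pbkdf2 {cost['pbkdf2']:.2e} s/guess, "
          f"ratio about {ratio:.0f}x")
```

Running it shows the formatting ambiguity is a multiplier in the tens per candidate number, which MD5 absorbs in microseconds. The same short guess list against a KDF tuned to tens of milliseconds per guess still finishes in seconds, so a slow hash protects the rest of the database from bulk cracking but does not rescue a password that sits on the attacker's first page of search results.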

~~~
robtoo
FWIW, a couple of minutes googling found 3 seemingly-valid phone numbers for
you.

~~~
pbhjpbhj
Ha, I have 4 (actually 5 but I don't remember the twilio one) ... do you want
to give me the end digits for confirmation purposes, last 4 digits should be
enough.

~~~
robtoo
_deleted_

~~~
pbhjpbhj
Lolz, totally forgot about whois!!

Interestingly I searched for the numbers as I'd use them along with a
substring of my username and didn't find them. Did you really Google or were
you using the term generically? I tried both Google and Bing.

Well done now you can destroy my HN karma (no not really).

~~~
robtoo
First google hit for "pbhj" is an SEOmoz profile for a web person in
the UK, which superficially matches the fact that pbhjpbhj has an account on
hacker news and their previous comment here had talked about living in the UK.

The seomoz profile lists a couple of websites. One of those sites has a phone
number on the /contact page, and the /about page on the other links to another
business (not totally sure how I originally found that, but this is currently
the quickest way to get there.)

That business has a couple more phone numbers listed on their homepage, which
also matches the phone numbers on the shopfront on google street view.

This can also be cross-checked with whois.

A bit more googling (literally) of your names found an alternative (possibly
old?) address in the same town, and googling that pulled up a fourth number.

~~~
pbhjpbhj
Nice work, courteous and complete. Funny because I usually do this the other
way around. I'm not getting the SEOmoz profile high in the SERPs.

I never used to give away my location but got tired of anonymity for its own
sake. Think I'll be reviewing my online exposure now. It's been something I've
worried over a little recently but it's hard to keep work/home separate (which
I prefer) in many ways. Thanks for getting back to me.

------
genghy
This is a great way to choose a password. If her password was selected because
of the tip line displayed in bold at the top of the page, then this is
probably the ONLY site she uses the password for. Assuming the site isn't
holding any sensitive information, the most someone could do by accessing her
account here is comment under her username.

If the passwords are stolen (as happened here) the passwords are worthless in
that they won't give access to any other sites she may have accounts at,
including her banking and other sensitive accounts.

------
jwcacces
Why was the salt her name?

