That said, I want to recognize Facebook's impressive and fast response to this release - where they 'disabled' all accounts linked to emails in these text files and made them go through a bunch of tests, e.g. when is your birthday, what is the name of this friend, etc.
Anyway, scary stuff, and it goes to show that even with the most secure password - you are not safer than the root user (gawker) / site security (Sony).
Thanks for letting us know. We'll see you soon.
<3 the Politidirektoratet
Oh, did you forget your username? Is your caps lock key on?
Even (edit: fake) celebrities known for crazy beards and drunken movies have an opinion on login security: http://twitter.com/GALIFlANAKIS/status/77372216957861888
Maybe the two-step auth method recently introduced by Google (and by banks before), or a tweak of it, is the way to go?
I don't care how it works. Just make it work, because this is stupid.
Whoever does that, and manages to get the major players behind it, is going to be the next Mark Shuttleworth, if not Mark Zuckerberg.
The hardware key is just a token... it doesn't even need to be hardware. There just needs to be some trusted third party who can vouch that user U is at machine M at time T, and field all login requests on U's behalf without a lot of manual labor or memory work on U's part.
For those cases where I don't want persistent representation, the service could be configured to ask me to enter a password when I first try to access any of the sites they handle for me, and every half-hour thereafter, or whatever.
Facebook will be in a good position to do something like this before long, if they aren't already. I don't want to use Facebook logins for this because the company has far too much baggage in other areas. It needs to be a Verisign-type company that does nothing but logins and stores nothing but username/password pairs.
Uh, wait. This means they can log in into every account of yours. How secure do you think that is?
Having said that, 1Password and Dropbox sync running on my phone, iPad, laptop, and desktop is actually a _very_ useable "single strong passphrase" multiple password management solution.
Does anyone know how secure my 1Password database is when stored on the key-shared-with-anyone-Dropbox-allows encrypted S3 buckets? (or in my not-all-that-unlikely-to-get-lost-or-stolen phone/iPad/laptop.) Their page says they use OpenSSL with 128-bit keys, and I use an 18-character password (upper & lower case, spaces and punctuation, but with 3 dictionary words separated with punc/spaces). I'm reasonably happy that's "secure enough" for me - if anyone's going to get my passwords it'll most likely be by court order (or rubber hose cryptography).
Of course, it's a closed-source app, so it'd take a fair bit of work to _prove_ to yourself that they're actually "doing the right thing" with the password database crypto.
Maybe you have to actually show up physically and give a DNA sample. Oh dang, you have an evil identical twin?
- Do you guys actually think the current situation is OK, with respect to the way Joe Sixpack and Jane Boxwine manage their security credentials?
- Do you think the situation will magically get better on its own without some significant centralization?
- Do you think social networking companies like Facebook or advertising companies like Google -- neither of whom consider end users to be their actual customers -- are the right ones to assume such a role?
Not only that, but some sites won't accept special characters in the password... now what do I do? I break out some crappy password that I have a chance in hell remembering.
If that really is the case, they are probably throwing out whether each character is upper or lowercase as well :/
This might explain why so many people used the same password for Gawker and SonyPictures.
This is much more reasonable than asking everybody to remember 50 unique passwords.
This doesn't surprise me at all. Non-alphanumeric characters are hostile for users to type in often. Add other peripherals like phones and a PS3 controller and it's even harder.
Now for the ampersand...just hold the 7 and reach for the shift key... &%$#$ FUCK! The little bastard just BIT ME!
I'm sorry, you're absolutely correct - those non-alphanumerics ARE hostile.
Heck, at one place, n was 12. Go figure.
Additionally, entering symbols on a phone keypad or touch screen is usually a little harder.
This means your passwords always have different hashes, which will reduce brute force attacks. Depending on the complexity of your formula and how much time the attacker has, it may not be possible to work out your GMail password from your Sony one.
Another password tip I read was moving your hands up (or right) 1 row when typing. For example, "a" becomes "q". This adds an extra step to creating a dictionary for an attack so should secure your password a bit.
If I were entering I would use an easily guessed password for it because I don't care that much about the account. Email and banks get much better passwords.
I have interviewed a few people about their password strategies and quite a few seem to have a tiered password approach. But that is still an easy setup to exploit, as I explain here:
Furthermore, I've noticed in my interviews that few people realize that the account they need to guard most is their e-mail account. They may have a 3-password strategy, but it goes something like:
worst password: forums, news sites, Sony, etc.
better password: email, social
best password: banks, brokerage, commerce
Once someone gets into your main email account, it's usually pretty easy to break into all the other accounts unless you have a unique password for every account.
Discussing quality of passwords is only relevant in the context of a system that has no other weak points that can be easier/faster exploited than the passwords themselves.
And even then...key loggers, trojans, phishing, script injection etc...they can all capture passwords of arbitrary length and complexity...
I would be curious to see statistics around break-ins where the root cause was actually hackers reverse engineering/guessing an unknown password vs. obtaining access using a password they obtained otherwise or simply bypassing any username/password mechanisms altogether. I have a feeling the latter two would comprise 99+%.
You'll see that if you simply do the following, it will stop or at least limit the damage from the most common forms of password theft:
"Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password."
1. Eight chars minimum.
2. At least three different types of chars out of these four: small and large letters, digits and special symbols.
3. No known words of any language and no names, not even interchanged with digits like 3 for E, 5 for S, 1 for l or 7 for T.
4. HTTPS secure login.
5. Never show or transmit unencrypted passwords.
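The password-manager advice a few comments up and the five rules in this comment can both be checked mechanically. Below is an added example (not code from any commenter) that enforces rules 1 to 3 as a server-side policy check and generates the kind of random 15-character passwords a manager would assign, rejecting any that fail the same policy. The word list and the leet substitution table (the four substitutions named in rule 3, plus 0 for O, @ for A and $ for S) are constructed stand-ins for a real dictionary; rules 4 and 5 are transport and logging concerns and are not modelled here.

```python
import secrets
import string

# Constructed, deliberately tiny word list standing in for a real dictionary.
WORDLIST = {"password", "sony", "gawker", "secret", "dragon", "welcome", "monkey"}

# Substitutions named in rule 3 (3->E, 5->S, 1->l, 7->T) plus a few common
# extras (0->O, @->A, $->S); an assumption, extend as needed.
LEET_MAP = str.maketrans({"3": "e", "5": "s", "1": "l", "7": "t",
                          "0": "o", "@": "a", "$": "s"})

MIN_LENGTH = 8          # rule 1
MIN_CLASSES = 3         # rule 2: at least three of the four classes


def char_classes(pw):
    """Count how many of {lower, upper, digit, symbol} appear in pw."""
    classes = 0
    if any(c.islower() for c in pw):
        classes += 1
    if any(c.isupper() for c in pw):
        classes += 1
    if any(c.isdigit() for c in pw):
        classes += 1
    if any(not c.isalnum() for c in pw):
        classes += 1
    return classes


def contains_dictionary_word(pw, wordlist=WORDLIST, min_len=4):
    """Rule 3: undo leet substitutions, then look for any listed word."""
    normalized = pw.lower().translate(LEET_MAP)
    return any(w in normalized for w in wordlist if len(w) >= min_len)


def policy_violations(pw):
    """Return a list of human-readable reasons pw fails the policy."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if char_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (leet substitutions included)")
    return problems


def generate_password(length=15):
    """Manager-style random password from a CSPRNG that also passes the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Pa55w0rd!", "S0ny2011", "xK9#qLm2vR", generate_password()):
        print(repr(candidate), policy_violations(candidate) or "ok")
```

Note that "Pa55w0rd!" satisfies rules 1 and 2 yet is rejected, because the normalization step turns it back into the listed word; a check that only counts character classes would have let it through.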
Unfortunately too many website designers don't even know these rules or don't care to enforce them on their members. Some sites don't even allow special symbols or do not have a minimum length requirement.
If your site stores even more sensitive information like credit card data, SSNs &c., then these requirements and more are even prescribed by industry standards and in some cases even the law.
It's too bad PSN didn't care about any of this. They could have at least accepted PayPal payments, so that credit card data would not have been stored on their servers.
Well, assuming that you know the hash, because if you don't, things don't get that easy. I'm assuming systems that salt passwords don't store the salt in a row of their database, but with security, or the lack of it, everything seems to be possible.
If you're storing it in a place more secure than where you're storing the password hashes, why not store the password hashes there in the first place?
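The last two comments get at what a salt is for. It is not a secret: it lives in the same row as the hash, and its job is to make two users with the same password (the Gawker/Sony overlap discussed above) produce different hashes and to defeat precomputed tables, while the slow key-derivation function is what actually costs an attacker time per guess. The example below is added here and is not code from any commenter; the iteration count is an assumption to be tuned to the server's hardware, and the two user rows are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune so one derivation costs tens of ms


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, cost, salt and digest.

    Storing the salt in the record is the normal design; it only has to be
    unique per user, not hidden."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def same_password_different_digests():
    """Constructed rows: two users picked the same password.

    With per-user salts the stored digests differ, so a cracked digest for
    one row reveals nothing about the other and one table cannot serve both."""
    rows = {"alice": hash_password("password1"), "bob": hash_password("password1")}
    digest = lambda rec: rec.split("$")[3]
    return digest(rows["alice"]) != digest(rows["bob"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    print("same password, different digests:", same_password_different_digests())
```

Keeping the salt next to the hash answers the "why not store the hashes there too" question: nothing about the scheme assumes the salt is confidential, so there is no more secure place it needs to go.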