2FA is nice, but not the end-all, be-all. OAuth has largely failed to gain any reasonable traction. Using Facebook login means Facebook gets to track me as I move around the web.
Our users reuse passwords, primarily due to the proliferation of dozens or often hundreds of online accounts that a single individual has. We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure). Forcing people to use crazy passwords just results in weaker passwords.
I was hopeful that something like persona from Mozilla would catch on, but that has failed. Where are we with replacing the password? It is flawed technology.
On top of this we have the compounding factor that our systems are more complicated than ever and it appears that they're simply impossible to secure. Too many layers exist with too much code. Many sites don't even bother with hashing passwords, meaning those of us that care are just kind of throwing our hands up and saying "well it wasn't my site that was compromised, so it isn't my fault". All the while, bad guys walk in the front door because we've decided to ignore the reality of the situation.
I know I'm not providing a constructive alternative here, but I'm a bit ashamed that we've even let it get this far. We're failing those that rely on our systems. I don't have the answer, but would love to hear some ideas about what can be done.
The state of the art of the technology, in my opinion, is GRC's SQRL: https://www.grc.com/sqrl/sqrl.htm
However I think you have captured something essential in the idea that Mozilla Persona "failed to catch on", and it wasn't, as far as I can tell, for technical reasons.
The real problem is that any change from the username/password system has a cost (in programmer hours, and support retraining, etc.) and so long as "nothing is broken" it is hard to justify diverting funds from features that are customer-visible to providing a defense against an attack that is arguably the user's fault anyway (password re-use).
To me this issue is sort of a monument to the strange insincere lip service we pay to technology and technologists. Of course technology is business-critical and of course we work to hire the best and brightest, etc. But somehow organizations keep storing passwords in plain text in spite of the fact that engineers who work there know better.
This idea SERIOUSLY needs more attention, Steve is basically presenting a complete blueprint for how to do web login security right on everything from smartphones to desktops. A startup could run this implementation-wise and if the hype was right it could be a massive hit.
I know this can be hard/impossible in some situations. I've lost those battles for things that are much more trivial than replacing large parts of the authentication system. However, if you keep beating that drum and take any opportunity to push that goal, you can sometimes create the time to work on something like this.
Are your customers requesting some kind of compliance (SSAE or something of the like)? Use that as leverage. See the recent news (or not so recent higher profile Sony hack news)? We should really address some of our shortcomings.
The problem then becomes, what is the market pushing towards so that you can help push that forward. Right now there isn't a clear answer, solutions keep dying on the vine.
I've bought 1Password for everyone in my family, and nagged them into using it. I counsel people online to do the same, or use keepassx, or last pass.
It's not effortless security, that's for sure. In a perfect world we would have a better system than passwords. But we live in a world of compromises, and I feel it's presently the wisest course of action.
keepass or keepassx should be googled.
Usually I just want to buy the item, not become 'a member'.
I talked with two people from Mozilla at a conference in February and was disappointed (though not altogether surprised) to discover they couldn't articulate the compelling reason why someone would move to using Persona. For something to mainstream, the marketing, positioning and ease-of-use is crucial. They had no answers other than 'privacy' and 'ease of use' -- which while valid, aren't going to convince my aunt & uncle to adopt something new. Until they've been hacked, scammed and otherwise suffered pain.
All that is needed is a service (Microsoft, Google, Apple, Facebook) that you trust as your password manager and is integrated either with the sites you browse or the browser you use.
Having read Apple's iOS security document (http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.p...) I have just the right combination of convenience, ease of use, and feeling secure with their services to use keychain for most of my password needs.
Of course, it's not clear that password brute-forcing was what led to the recent leaks of celebrity nude selfies, and not even completely clear that they came from iCloud (though a lot of clues point that way). But regardless, they do illustrate the risks of relying on cloud storage generally, regardless of who provides it.
I'd want at least two layers of different encryption types (generated by distinct software) protecting any such file if it were to be stored in the cloud. That way if one software package or one encryption algorithm were compromised, there would at least be a chance the other layer would protect it.
So at the moment I put my vault on my laptop and copy it directly to my phone, but I don't copy it into the cloud, ever.
I might consider using something like SpiderOak in conjunction with a Keepass encrypted container, for instance. But I haven't even done that.
What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password. Then in response, most sites would set a cookie. To change the password, you could have a second header that has the new password, along with the original. No usernames needed. The browsers would have a global password for cases of shared computers. Log out buttons on sites just remove the cookie. Or without cookies, just have the browser send the auth header each time until a native log out button is pressed.
> What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password.
You essentially describe a password manager with deterministic password generation. It has all the upsides and downsides of a regular one, except migrating passwords is harder (you need to change them instead of storing them).
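The scheme proposed two comments up (a per-domain password derived from one secret, sent in reply to a 401, with rotation by presenting old and new together) and the reply's point that rotation is the awkward part, worked through as an added example. This is not code from any commenter; the alphabet, the work factors and the PBKDF2 derivation are my assumptions, and a version counter is the one extra input that makes changing a site's password possible at all.

```python
import hashlib
import hmac
import secrets

# 64-character alphabet: 256 % 64 == 0, so mapping bytes onto it has no modulo bias.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
DERIVE_ITERATIONS = 200_000   # constructed work factor for the client-side derivation
STORE_ITERATIONS = 50_000     # constructed work factor for the site's stored hash


def normalize_domain(host: str) -> str:
    """Canonical form of the name the password is bound to.  Whether
    'login.example.com' and 'example.com' should share a password is a policy
    decision the scheme has to settle up front; here every distinct host is a
    distinct site."""
    return host.strip().lower().rstrip(".")


def derive_site_password(master_secret: bytes, domain: str,
                         version: int = 1, length: int = 20) -> str:
    """Per-domain password from one master secret (which must itself be
    high-entropy, not a human-chosen password).  Same inputs always give the
    same output, so bumping 'version' is the only way to change a site's
    password: that is the migration cost the reply points out."""
    salt = f"{normalize_domain(domain)}|v{version}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master_secret, salt,
                              DERIVE_ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % 64] for b in raw)


class SiteServer:
    """Minimal site side: stores only a salted hash, answers the challenge, and
    accepts a rotation request that carries the old and the new password."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._stored = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt,
                                   STORE_ITERATIONS)

    def enroll(self, password: str) -> None:
        self._stored = self._hash(password)

    def authenticate(self, password: str) -> bool:
        return self._stored is not None and hmac.compare_digest(
            self._stored, self._hash(password))

    def rotate(self, old: str, new: str) -> bool:
        if not self.authenticate(old):
            return False
        self._stored = self._hash(new)
        return True


def browser_login(master_secret: bytes, domain: str, server: SiteServer,
                  version: int = 1) -> bool:
    """Client side of the 401 exchange: answer with the derived password."""
    return server.authenticate(derive_site_password(master_secret, domain, version))


def browser_rotate(master_secret: bytes, domain: str, server: SiteServer,
                   old_version: int, new_version: int) -> bool:
    """Rotation: the 'second header' carrying old and new derived passwords."""
    return server.rotate(derive_site_password(master_secret, domain, old_version),
                         derive_site_password(master_secret, domain, new_version))
```

Note that the client has to remember the current version for every site, which is exactly the per-site state a stored-password manager keeps anyway; the scheme removes the stored secrets but not the bookkeeping.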
The only way to do this would be to use a password manager in a SaaS mode... and if it gets cracked then you're completely doomed and lose all access to all services.
People probably assume that the time saved by not caring about security is greater than the time they will lose if (when) they're attacked, and they may be right.
What exactly is hard about it?
Also: if the database gets corrupted, you lose access to all services; if you have backups then it's a little less safe; if the main password for the database is strong you may forget it (or need to write it down somewhere outside the system); if it's not strong it's not safe.
Don't impose any restrictions on what the password should be, e.g. "Must not contain any special chars. Must contain a number..."
Use the word "pass phrase" instead of "password". Encourage people to use memorable phrases and quotes as their pass phrase. The English language has approx. 250,000 words. If a pass phrase contains 4 words, that's 1.62764322e+20 permutations. That's a naive view since "habit osteopath circumference telephone" isn't a particularly memorable password. With this in mind, you could use statistics to reduce the number of permutations, but that's no small feat.
Use email addresses instead of user-names.
Finally, use Bcrypt.
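The recommendations in the comment above (no composition rules, length-based pass phrases, a slow hash for storage) as an added example that is not the commenter's code. The `bcrypt` package is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here (an assumption; the stored-string format, the minimum length and the iteration count are constructed values). The entropy helper uses the 250,000-word figure from the comment.

```python
import hashlib
import hmac
import math
import secrets

DICTIONARY_WORDS = 250_000   # word-count figure used in the comment above
MIN_LENGTH = 12              # constructed policy value; length is the only rule
ITERATIONS = 600_000         # constructed PBKDF2-HMAC-SHA256 work factor


def passphrase_bits(word_count: int, dictionary_size: int = DICTIONARY_WORDS) -> float:
    """Entropy in bits of a passphrase whose words are chosen uniformly from
    the dictionary: word_count * log2(dictionary_size)."""
    return word_count * math.log2(dictionary_size)


def check_passphrase(passphrase: str) -> list:
    """No character-class rules and no banned characters (spaces and
    non-ASCII are fine): the checks are a minimum length and a short
    constructed list of trivially guessable values."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.strip().lower() in {"password", "passphrase", "letmein"}:
        problems.append("common password")
    return problems


def hash_passphrase(passphrase: str) -> str:
    """Salted, slow hash for storage.  The stored string carries algorithm,
    iteration count and salt so the work factor can be raised later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```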
As always, we advise turning on 2-factor authentication on your account.
If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.
I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.
Without a clean separation, you turn employees into single points of failure. Shared account credentials are a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.
Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.
You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.
Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?
I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?
Also, is there a plan to upgrade the internal tools that don't match the newer public design? It's pretty jarring.
With the existing 2FA, you can set a primary or disable a number without deleting it. This could work for what you're describing.
It's certainly something we are aware of and multiple logins are planned.
We are using Authy as two-factor authentication service provider and they allow you to use multiple devices: http://blog.authy.com/multi-device
1. Log in
2. Click "Menu" (in the top right portion of the page)
3. Expand the "My Account" submenu (if it didn't already automatically expand when the menu appeared)
4. Click "Manage Profile" (5th from the bottom of the "My Account" submenu)
5. On the next page that appears, look for "Two Factor Authentication" on the left side under "Personal Settings"
I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).
For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.
This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.
I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.
We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere and when my Namecheap domains come up for renewal I'm just transferring out.
I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?
Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?
Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!
TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.
1) Blocking phishing: where are you typing that code into? The real site? Are you sure......zeus-in-the-mobile coming at you
2) and once you are into the actual site and you want to do something of value, man-in-the-browser becomes an issue
>>>> this sums it up http://blogs.computerworld.com/data-security/24250/financial...
oh yes, and the 34 banks that have been spear-phished and SMS compromised know about it too.......
That's rubbish. 2FA means 'something you know and something that you have'.
What you know is your account credentials, what you have is your phone.
This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.
If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.
Therefore, SMS "two factor" is not only costly and annoying, but ineffective.
Can I get my upvote back?
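An added example of the TOTP standard (RFC 6238, built on RFC 4226 HOTP) that the two comments above refer to, so the "secret key that lives on your phone" point can be seen concretely: the server and the authenticator app share one secret at enrolment and afterwards each side computes the code locally from that secret and the clock. This is not code from any commenter or from Google Authenticator; the verifier class with its skew window and replay check is my own design, and the test secret is the one published in the RFCs.

```python
import base64
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then the
    'dynamic truncation' that picks 4 bytes at an offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps
    since the epoch.  This is what the phone computes; nothing is transmitted."""
    return hotp(secret, unix_time // step, digits, algo)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code.  The
    base32 secret inside it is the only thing that ever leaves the server,
    once, at enrolment."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side.  Accepts the code for the current step or up to 'window'
    steps either side (clock skew), and never accepts a step at or before the
    last accepted one, so a code that was observed in transit or on screen
    cannot be replayed for the rest of its 30-second validity."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False
```

The replay check is the part most home-grown implementations omit: without it, a code is valid for every request in its window, not just the first one. Rate-limiting verification attempts per account is also needed, since a 6-digit code is only a few hundred thousand guesses wide.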
and they don't have your account credentials, that's the other half of the two factor approach
As to why it may be on-topic here: the activity reported by NameCheap in the OP lines up pretty well with the reports of a large collection of compromised accounts in the hands of a criminal group.
I know you wouldn't want to provoke panicked overreactions, or risk customers thinking that this indicates a flaw in NameCheap's security, but direct contact is essential for this kind of ongoing attack.
> continue to update our customers through our blog and social media
I'm not sure what percentage of your customers this will actually reach, but surely not a majority (certainly not me, anyway).
At last count, I have several hundred logins with various online services. I do not want a note every time one of them is subject to a dictionary attack, no matter the scale.
Vast quantities of people wander around from site to site using the same email/password combo that has been compromised a long time ago.
We do a GeoIP check now and send an email with an unlock code any time someone logs in from a different city than last time. This reduced the account compromise problem significantly. Most of these pre-compromised people have a different password on their email at least.
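The check described in the comment above (compare the GeoIP city of a login with the city of the last successful one and, on a change, email an unlock code instead of issuing a session), written out as an added example. It is not the commenter's code: the IP-to-city table is a constructed stand-in for a GeoIP database, and the code length, lifetime and attempt limit are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed IP -> city table standing in for a GeoIP database lookup.
GEOIP = {
    "198.51.100.7": "Amsterdam",
    "203.0.113.9": "Chicago",
    "192.0.2.44": "Chicago",
}


class LocationGate:
    """Runs after the password check has already passed.  A first login sets
    the baseline city; a later login from a different city gets a challenge.
    The unlock code is stored only as a hash, expires, and allows a handful of
    guesses, because an 8-digit code is otherwise cheap to brute-force."""

    def __init__(self, lookup, send_email, code_ttl=900, max_attempts=5):
        self.lookup = lookup            # ip -> city or None
        self.send_email = send_email    # (user, body) -> None
        self.code_ttl = code_ttl
        self.max_attempts = max_attempts
        self.last_city = {}             # user -> city of last successful login
        self.pending = {}               # user -> {hash, expires, city, attempts}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def login(self, user: str, ip: str, now: int) -> str:
        """Returns 'ok' (issue the session) or 'challenge' (code was emailed)."""
        city = self.lookup(ip) or "unknown"
        last = self.last_city.get(user)
        if last is None or city == last:
            self.last_city[user] = city
            return "ok"
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[user] = {"hash": self._hash(code), "expires": now + self.code_ttl,
                              "city": city, "attempts": 0}
        self.send_email(user, f"New login location ({city}); unlock code: {code}")
        return "challenge"

    def unlock(self, user: str, code: str, now: int) -> bool:
        entry = self.pending.get(user)
        if entry is None or now > entry["expires"]:
            self.pending.pop(user, None)
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.max_attempts:
            self.pending.pop(user, None)
            return False
        if not hmac.compare_digest(entry["hash"], self._hash(code)):
            return False
        self.last_city[user] = entry["city"]   # the new city becomes the baseline
        del self.pending[user]
        return True
```

The gate only helps when the attacker does not also control the mailbox, which is the commenter's observation that most of these users at least have a different password on their email.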
ALL non-secure online sites that need to identify users should allow for Google or Facebook authentication, or I will never try to access the game from my phone or tablet.
I refuse to use the same password everywhere, but that means I have a password vault on my computer. If I need to create a password and I'm on my phone, I simply click "close" (and uninstall if necessary). I sympathize with those "precompromised accounts," given that it's such a user interface failure (not to mention arrogant) to require a new password for every single little service/game/whatever.
OTOH, if I can "login with Google" and/or Facebook, both of those are already authenticated on my phone, and through the magic of OAUTH I can securely connect to your game without needing to generate a password. Certainly having the OPTION to create a password is fine; there will be people who hate Google/Facebook/whatever and who won't use them. But not having the option is an instant fail for me.
Not saying you're doing it wrong, since I don't know what game you're talking about, but I've certainly encountered many games that have no OAUTH options.
There are two sides to this - some prefer convenience and are happy to give up some control. Others do not want to depend on a third party and want to have control themselves.
OAUTH is a far better solution in general. If there were a standard privacy-respecting third-party to replace the Google and Facebook options, I'd be all over it. But I'll happily let Google know that I'm playing a game in exchange for not having to manage yet-another-password.
I know the Keepass file is nominally password protected, but once I upload a Keepass file with all my important passwords to a site like Dropbox, there's no way to ever recall it reliably.
So if there's a Dropbox security hole, someone can potentially grab a copy. And then if there's a Keepass security hole (or if they otherwise acquire my password), then all my important passwords are compromised.
To me it's a form of "two factor" authentication for my passwords: One factor is the passphrase, the other is the physical file itself. And one of those is defeated if I upload the file to some cloud service.
IMO the security controls that I have in place for my vault files are strong enough to make it too expensive for a general attack on files in Dropbox to be cost effective.
I find 3rd party authentication without the slightest appeal. Maybe it's a teensy bit easier.
But playing games? Why do I care if Facebook or Google knows I play a particular game? On Android Google is going to know what games I have anyway.
"MAYBE" it's easier? On a PHONE?! Let's see, I can click "Google" to log in, and I'm done, or I can...open my key vault, enter my 16-character-random-password into my key manager using a touch keyboard, and then do the copy/paste of the user name and the password.
What? I don't have a password for this site yet? Then I have to get my computer and generate the password there, because I don't trust "the cloud" with my critical password vault, encrypted or not.
It's so much easier to use OAUTH it's not even a close comparison.
Actually, is that still even OpenID? Or is it something more proprietary?
Gift HN: Unused domain 'appstores.io' with ~11 months registration left
Post your namecheap username and I'll pick someone at random in 24 hours and push it to the winner.
Maybe it was genuine, but if I had posted my Namecheap account name there, I think I'd want it deleted now.
So basically PhantomJS? Or is it more sophisticated than that?
Also, this might actually let me see if I'm in the list, since I will get an unsolicited 2FA text if they try my account.
I also use lastpass.com for most of my stuff. While not libre it is free and multiplatform. (I still pay to get mobile sync.)
The best solution I've found thus far is getting them to use 1Password or the like. They still only have to remember 1 password, and the browser extensions make it trivial to log in different places. If necessary, buy them the software.
Websites could check users aren't reusing a compromised password either at account creation, or as a one-time check as existing user log in.
The concept of securely checking the hash of a chosen password against a database of known compromised credentials hosted by a trusted 3rd party seems like a reasonable additional layer of security to me. I'd love to hear counter-arguments.
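One way to do the third-party check the comment above proposes without handing the third party the password or even its full hash, as an added example that is not the commenter's code. It uses the prefix-range (k-anonymity) approach popularised by Have I Been Pwned's Pwned Passwords API: the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix it knows under that prefix, and the client finishes the match locally. The leaked-password corpus here is constructed; a real deployment would query the provider over HTTPS.

```python
import hashlib

# Constructed stand-in for the third party's corpus: leaked password -> times seen.
LEAKED = {"password": 3_000_000, "123456": 9_000_000, "letmein": 150_000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """The third party.  It indexes hashes by their first five hex characters
    and, given a prefix, returns every (suffix, count) under it.  It never
    receives a full hash, so it cannot tell which of the returned candidates
    the client actually holds, nor whether the client's password is in the
    set at all."""

    PREFIX_LEN = 5

    def __init__(self, corpus: dict):
        self.index = {}
        for password, count in corpus.items():
            h = sha1_hex(password)
            self.index.setdefault(h[:self.PREFIX_LEN], {})[h[self.PREFIX_LEN:]] = count
        self.requests = []   # everything the server gets to see, for the demo

    def range(self, prefix: str) -> dict:
        self.requests.append(prefix)
        return dict(self.index.get(prefix.upper(), {}))


def leak_count(password: str, server: RangeServer) -> int:
    """The site (at sign-up, or as a one-time check when an existing user
    logs in): hash locally, send only the prefix, match the suffix locally.
    Returns how often the password was seen in breaches, 0 if never."""
    h = sha1_hex(password)
    prefix, suffix = h[:RangeServer.PREFIX_LEN], h[RangeServer.PREFIX_LEN:]
    return server.range(prefix).get(suffix, 0)


def password_accepted(password: str, server: RangeServer) -> bool:
    """Policy hook: reject any password that appears in the breach corpus."""
    return leak_count(password, server) == 0
```

The obvious counter-argument is that the provider still learns that some client is checking a password in a given hash bucket; with a 5-character prefix each bucket covers hundreds of real-world hashes, which is what keeps that leakage small.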
Thanks, Tamar from Namecheap
Edit: worked now.
Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and have been impressed. Things like two-factor auth and being aware of and publicising this attack are all signs of a good corporate citizen doing things right.
Giving the user the option to use poor security is like a bank that lets its customers decide what bank vault to install, then blames its customers when they are robbed.
I've got accounts with two brokers. One has good tools which I can use with simulated ledgers but won't manage SIPPs. It has a crap password which I can remember and bang in whenever I want to check performance. The other's password is in KeePass and requires a small but significant effort to access. You could argue that the former doesn't want my "business" but if they started handling SIPPs or if I start doing some speculation I'd convert instantly. Is my low level leeching worth an instant convert?
1) Random sign-ups.
2) Slightly personal information e.g. Hacker News
3) Personal or slightly financial: e.g. mail accounts
4) Financial: e.g. Banking/Share trading
5) Work accounts
I've been wondering if I should expand this to have the same as above but bring in a component of the URL into the password to create variance for all but keeping it easy to remember. Does that seem a good method or do people have better systems?
My logic: If one of these solutions e.g. LastPass is compromised then I am compromised across all sites. They may even bypass 2 factor authentication that goes via my email/messaging. Whereas using my method if one website gets hacked then I only give access to a segment. If it is worst case and a financial site is compromised they still don't have the password for accounts where they could see any 2-factor authentication messages. Does that make sense or am I missing something?
Seems we were all too late....
A hacker group is trying dictionary attacks. Wow.
A hacker group has accumulated thousands (millions?) of email+password pairs. Anyone who uses the same password on all sites could be compromised, even if their password is 16 characters and random (i.e., immune to dictionary attacks).
Suppose you have a domain registered with Namecheap (or really anyone). You've reused your password and the attackers get into your account at the registrar. What does that get them?
First they change the MX record for your domain. Immediately they're receiving all your email. Now that they control your email they can get a domain-validated certificate for your domain. Then they can change all your other DNS records to point at their servers and operate them with valid TLS certificates and MITM all the connections to your real servers. Then they can collect all the credentials of users using your website including the administrative credentials that allow them to compromise your real servers. Now they have all your data and your users' data and your password database and your website is hosting malware.
There are very few things more compromising to large numbers of people than attackers quietly getting control of multiple legitimate active domains.
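The takeover chain described above starts with a change to the MX record and continues through NS and A records, which makes those records worth watching from outside the registrar account. An added example of that detection (not the commenter's code): a baseline of the records the zone should serve, a snapshot taken through an injected resolver, and an alert for any drift, with MX and NS changes tagged as high impact because they hand over email and therefore domain-validated certificates. The baseline, the resolvers and the `attacker.invalid` host are constructed; a real monitor would resolve the records with a DNS library from several vantage points and run on a schedule.

```python
# Constructed baseline: the records you expect your domain to serve.
BASELINE = {
    "MX": {"10 mail.example.com."},
    "NS": {"ns1.example.com.", "ns2.example.com."},
    "A":  {"192.0.2.10"},
}

# Records whose change hands an attacker email (and with it DV certificates)
# or the whole zone; alerts on them are tagged "high".
HIGH_IMPACT = {"MX", "NS"}


def snapshot(domain: str, resolve) -> dict:
    """resolve(domain, rtype) -> iterable of record strings.  The resolver is
    injected (assumption) so the check can run offline here; in production it
    would be a real DNS query, ideally from a network you do not operate."""
    return {rtype: set(resolve(domain, rtype)) for rtype in BASELINE}


def diff_records(baseline: dict, current: dict) -> list:
    """One alert per record type that differs, listing what appeared and what
    disappeared, so the responder sees the attacker's host and the lost one."""
    alerts = []
    for rtype, expected in baseline.items():
        seen = current.get(rtype, set())
        if seen != expected:
            alerts.append({
                "type": rtype,
                "severity": "high" if rtype in HIGH_IMPACT else "medium",
                "added": sorted(seen - expected),
                "removed": sorted(expected - seen),
            })
    return alerts


def check_domain(domain: str, baseline: dict, resolve) -> list:
    return diff_records(baseline, snapshot(domain, resolve))


# Constructed resolvers for the demo.
def healthy_resolver(domain, rtype):
    return {
        "MX": {"10 mail.example.com."},
        "NS": {"ns1.example.com.", "ns2.example.com."},
        "A":  {"192.0.2.10"},
    }[rtype]


def hijacked_resolver(domain, rtype):
    """The first move in the chain above: MX pointed at the attacker's mail host."""
    if rtype == "MX":
        return {"10 mx.attacker.invalid."}
    return healthy_resolver(domain, rtype)


if __name__ == "__main__":
    for alert in check_domain("example.com", BASELINE, hijacked_resolver):
        print(alert)
```

The value of the check is in running it from somewhere the registrar credentials do not reach: if the monitor lives on a host whose own DNS the attacker now controls, it may never see the change.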