Sony hack reveals password security is even worse than feared

An analysis of password re-use from data spilled via the Sony and Gawker hack reveals that consumer password security is even more lax than we might have feared. A million Sony users' password/username IDs and 250,000 Gawker login credentials, each stored in plain text, were exposed via separate hacks. In each case hackers …

COMMENTS

This topic is closed for new posts.
  1. Buzzword

    Depends what the security is for

    On Gawker, passwords merely allow registered users to post comments. They don't give access to your bank account, or to your email / iTunes / Amazon / Paypal accounts. It's perfectly acceptable to use a simple password on Gawker (or even on El Reg), so long as you use multiple more complex passwords where needed. Personally I'm not *that* bothered if somebody posts comments in my name.

    A useful password mnemonic I was taught is to take a line from a song, then take the first letter from each word or each syllable. Additional characters can be derived from word sounds or appearances. For example: "Is this the way to Amarillo" becomes "Ittw2Am%"

    1. The Beer Monster

      "A useful password mnemonic...

      ... I was taught is to take a line from a song, then take the first letter from each word or each syllable. Additional characters can be derived from word sounds or appearances. For example: "Is this the way to Amarillo" becomes "Ittw2Am%""

      Have you ever worked for me?

      1. Buzzword

        Quite possibly

        If password "Whbbmpap" can be derived from the first eight words of your company's website's tagline (the bit below the flash animation), then yes, it was you. And I recall you did like beer!

  2. TRT

    Well, what did you expect?

    There are so many thousands of websites where you have to register now, of course you'll reuse passwords. I have a password I use for almost everything which cannot initiate a financial transaction. Email and banking have much more secure and unique passwords, and I don't use social networking. Mind you, that Gawker and Station passwords were reused is a bit lame.

    1. Anonymous Coward

      Of course you can.

      For generic sites like this you can easily make up a password that's unique enough; all you have to do is create yourself an algorithm to create a password for any site. It sounds more complicated than it is, but I've explained it to a few people, and they all love it. The beauty is you always know what your password is for a site, even if you can't remember the actual password!

      Basically make your algo simple by combining attributes about the site to easily create a password. So for example combine the following:

      the background\foreground colour of the site's logo

      the last\first x number of letters of the site name

      the site's initials, maybe doubled up. (eg ttrr for The Register)

      always having the 2nd, and\or 3rd letter capitalised

      You get the idea. So for here I could have the password 'redster' (background colour of the logo and the last 4 characters). And for slashdot, I'd have 'greenhdot'.

      Now naturally someone could get a selection of your passwords and figure out what you're doing, but let's face it, if they are targeting you specifically (rather than the drones who use the same password everywhere) you have other issues.

      1. Yag

        "the background\foreground colour of the site's logo"

        And you'll be screwed at the first graphic overhaul of the site...

  3. CraigRoberts

    Password management...

    I've been using LastPass for about 6 months... All my passwords are unique and strong. And I don't have to remember any of them. Great little browser plugin for Free use, and about £8 a year for the iPhone / Android app with the "Pro" version. Worth every penny.

    1. Anonymous Coward

      Firefox has done this for a long time.

      Firefox -> options -> security -> 'use master password.'

      Then you simply let it remember your user names and passwords as you go along, and they are protected under a master pass.

      1. CraigRoberts

        In the "Cloud"

        Does FF store them on your computer or online? If they're on your computer and it blows up, how do you get your passwords back?

        If they're online - where are they? How are they stored? Lastpass have published papers (which seem to stand up to scrutiny) on how they achieve all this...

        1. GrumpyJoe

          Firefox Sync

          If you have Sync (it's in by default on FF4, an addon for earlier iterations) you can get all your browser settings (including passwords) synced to a FF server out there in a 'cloud'. It's encrypted before it gets there with a strong key you define, so they can't sniff it.

          It's not perfect, apparently there are ways of 'sniffing' the password store in FF on the desktop but I'm not overly bothered by this. By using Sync I have the same browser settings/bookmarks/passwords/themes at home and work.

          1. Anonymous Coward

            LastPass vs FF

            both are options but all that is happening is that the risk and control is being moved around.

            Using FF as an example - the data is stored in the cloud where *you* have no control over it. This is akin to trusting Sony to protect your data......

            It's protected by a strong key but this is something the user has to define and hopefully make "strong enough."

            There are still risks - if the cloud service is compromised, if the implementation of encryption is not as sound as claimed or if you lose the "strong key."

            By far the better solution is for people to take individual responsibility for their access credentials, learn where it is important to use good passwords and where it isn't, and for websites to stop demanding password based logins for even the most trivial activities.

  4. ptpeetee

    No surprise there then.

    From the movie Hangover 2: "Your password is baloney1?" "Yes - it used to be baloney, but then they made me add a number"

  5. jake Silver badge

    Duh!

    Troy Hunt gets PAID for this?

    The mind boggles ...

  6. SteveBalmer

    I see what you did there...

    As by just saying Sony, you hope people just assume PSN. The PSN data has never been released, it's unlikely it ever will, and it's unlikely anyone actually got anything. (Clearly Sony can't categorically say they didn't get anything, so have to paint a worst-case).

    The reality is, the PSN hack was a storm in a teacup, stirred by the media.

  7. Anonymous Coward

    Why bother with complex passwords?

    Not much point thinking up a password that you won't remember is there? If you have to write it down, it's failed anyway.

    By the same token, you might as well use a simple password, as it's not the password that is being broken these days; it's the insecure servers holding our insecure passwords in plain text, that's the problem here.

    1. Ken Hagan Gold badge

      Re: why bother

      "If you have to write it down, it's failed anyway."

      Hideously wrong. Please don't post such advice in a public place. Oh, hang on...

      For any system that is internet facing, the number of potential bad guys is "several gazillion". The number of potential bad guys who can read a post-it note stuck to your monitor is "several". (Ironically, the latter group, despite having a much easier task, are generally less interested because they usually already have access to the protected system.) The smart approach is to *write down* a complex stem to defeat the former group, and then append something you can remember to defeat the latter.

    2. Anonymous Coward

      Forced complex passwords

      I remember working at a certain company using VMS (youngsters can look it up on Wikipedia :) You were forced to change your password every 28 days. You were given a list of 6 passwords to choose from, or get another random batch. Password length varied (my boss' was something like 20 characters.) The password would be absolutely completely random.

      If anyone was sick, you just lifted up their DEC220 keyboard & read their password off the bottom. You knew it was right because it wasn't 1 of the hundreds that were crossed out; they were the old ones. Yeah, complex passwords _SO_ much more secure!

      My boss got the BofH in trouble once by saying he had been unable to do any work for half a day because it took that long to get a password option that he would be able to remember :)

      1. Rob Carriere

        DEC and passwords

        What, you guys had VT220s and nobody thought of using the answerback string as an autologin?

        1. Peter Gathercole Silver badge

          Answer-back string

          Unfortunately, this would be SOOO insecure, as the answer-back string is triggered remotely.

          As can (believe it or not) the programmable function keys of a VT220. I'm sure that I spent some time twenty years or so ago, writing a program that would set a PFK (on the shifted function keys IIRC), and then trigger it.

          All you needed was write access to the device, and you could make the current user apparently run anything you wanted them to! Similar techniques worked for HP2392 as well.

          This was with UNIX, not VMS, so I'm not sure that this was possible unless you were already a privileged user (could you do it through Phone, I wonder).

  8. This post has been deleted by its author

  9. Ian Adams

    passwords

    Isn't this the fundamental flaw with the modern use of passwords: they are either so complex you don't remember them or so easy they are insecure. With so many systems requiring passwords we need some better system. I am fed up with phoning some company that I briefly had dealings with a couple of years ago and hearing the shock when I tell them I have no idea what my password is.

    I also worry about using password services, it assumes you completely trust the service that is generating and storing them for you. So is "LastPass" safe to trust my life to? There is a huge pot of cash waiting for someone who can come up with a better solution

    1. Shaun 1

      RE: Password vaults

      That's what I've been wondering too. How secure are these and what are the reputable ones?

    2. Charles 9

      One of the big mysteries of the Internet.

      "How do you build necessary trust in an environment where you can't really trust anyone?"

      Or IOW how do Bob and Alice prove they are really who they are...when they don't even know each other?

      Solve THAT one and you'll probably be solving problems that go far beyond the Internet. Then again, you may also stir up a very big moral hornet's nest, too, given that the only practical solutions that come to mind would make police states drool.

      After all, that is ANOTHER big mystery of the Internet: "How is it possible to be BOTH anonymous AND trustworthy?"

    3. CraigRoberts

      How lastpass works...

      http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291

      Maybe in this day and age of password security, El Reg could do a feature or series on password management tools etc so us more techie types can start educating the general public...?

  10. Wortel

    No need

    To write down anything or remember many (complex or not) passwords.

    Lastpass has already been mentioned, personally I prefer KeePass.

    Hardly rocket science, but need to enlighten people to the existence of these little helpers when a similar feature is not included with the OS.

  11. Anonymous Coward

    Biometric?

    Can't you remember which finger you used for your password? You have 9 more retries. 19, if you are willing to use your toes. Simple as pie, safe as houses. Just wash your hands to avoid false readings.

    Why won't anybody use biometric? If big sites (hello, Gmail, Hotmail, Ebay) start allowing biometric, provided you have a fingerprint reader, you can get the habit started. (I understand some notebooks have them, and Windows 7 fully supports it.) No more passwords, then, or they become a backup method (table saw users come to mind here). The whole vicious circle "I won't provide biometric alternatives because nobody has the reader / I won't provide the fingerprint reader because nobody supports it" can be broken easily, just make it REALLY easy, or force the user to 16-digit passwords with non-alpha keys (which sucks btw).

    Of course passwords for regular sites will be simple, easy to remember and type, while Banking stuff should be way more secure.

    1. Anonymous Coward

      Biometrics

      Are good in high security installations where you can control who will establish accounts.

      Better still, with biometrics when you compromise one system, you do them all.... It's not like we can change our fingerprints between sites.

    2. bio toxicens
      Paris Hilton

      Re: Biometric

      Fingerprint scanners are a big fail. You leave prints all OVER the place, and if you can lift a good copy of a print, you can clone it and gain access to what the lock is trying to keep you out of. A better solution would be retinal scans. I was looking into this a while ago, but at the cost of $30,000 a scanner it was a no-go. I'm sure they have come down in price since then, but the great thing about it is, as far as I know, it can not be reproduced (the retina)--fooled maybe. The cool thing about it was it stored 200+ users for one device, and if your office had multiple "readers" they were able to talk to each other and be able to store 200+ different users on each device. --and I have been out of the retina scanning loop for a while. New model from Panasonic BM-ET330 does 1000 local users and costing $2-3k. Ripping someone's eye from their socket would result in a failed read; however, if you got them drunk enough, or drugged them, I'm sure you would gain access.

      For me, I use OTPs (One Time Passwords)

      I type a random word or phrase, encrypt it, and take an excerpt from the encrypted garbage that's displayed. Unless it's a "general" site, then I use a garbage password.

      Paris because she adds "1" after "password" too.

  12. DrXym

    Password Safe

    In my experience the best way to create passwords is:

    1. Unique passwords for sites like banks, paypal, ebay, Amazon

    2. Strong passwords for sites which hold personally identifying data or credit card data

    3. Throwaway passwords for forums and so on. Probably the same password but it doesn't have to be, e.g. maybe you take the first 6 chars of the site and tack it on the end of your password

    Store the lot in password safe and protect them with a strong memorable passphrase. And use the browser's password remembering abilities to remember unimportant sites you visit but can't be bothered to remember on a daily basis.

  13. FL1X

    yup thats expected

    I once worked in an IT repair shop. A woman came in saying she had forgotten her password and could I reset it; while reaching for my copy of ERD I noticed a post-it sticking out from under the battery, on there was every password she used with usernames and descriptions!

    I have 4 passwords ranging from don't give a monkeys (no offence but el'reg is in that cat :p) up to a 28 character alphanumeric/symbolic password which I honestly have to sit and think about before typing in. This is used exclusively for anything to do with money.

    It's common practice to use a short simple password for most things. My PSN password required me to press right and up, that was it, because using a controller is a pain in the arse :p

    but it was only used for PSN and my credit card details were not logged so there we go.

    Live IT or die by IT: never has it borne more truth.

  14. mittfh

    Password Managers

    I don't know about the others, but LastPass only stores your passwords in encrypted form - 256-bit AES encryption, to be precise. Given distributed.net haven't cracked 72-bit RC5 yet, I'd say 256-bit encryption is fairly secure. You can download a copy of your vault for local storage - so as long as you don't forget your master password it's pretty safe - especially if your memory is not that great. If you fork out for LastPass Premium, you get offered the choice of two factor authentication, which increases security further.

    LastPass is also multi-platform and multi-browser, so it'll work pretty much anywhere. The only issue I've found is that on a few sites (e.g. Wikia) it doesn't automatically recognise the username and/or password fields, so you have to use its menu options to copy / paste them into the relevant fields.

  15. Chris Miller

    It really doesn't matter how complex you make your password

    If it's going to be stored in plain text on an insecure* web site.

    * or even a 'secure' one, for that matter.

  16. Steve Button Silver badge

    What about two factor auth?

    We all need to start using something like a SecurID tag for banking + credit card + paypal. (as well as a pin or password). The only problem will be having to carry several of these around with you, so it would be nice if the major players would play nicely together so you could share a token.

    Or biometric instead of token.

    Can't see how that's gonna work on a playstation though? Too difficult to input the generated number.

    Or smartphones.

    We're screwed.

    1. Fr Barry

      Or smartphones

      Use the camera to take a picture of your retina?

    2. Anonymous Coward

      RSA

      Wasn't SecurID the culprit for the Lockheed Martin attack?

      Rather than looking for ways to complicate the difficult issue of authentication / trust we should engineer our systems better.

  17. Anonymous Coward

    "We all need to start using something like a SecurID tag for banking + "

    You mean like the ones made by RSA who were hacked, so all their SecurID tags are compromised (See Lockheed Martin)

    1. NogginTheNog

      Except that

      ...with two-factor authentication you're still only half-way there.

  18. Anonymous Cowherder

    title is req'd & contain letters &/or digits - which is more secure than most sites' password rules

    I've got what I consider "secure" passwords for use on certain systems, these use as many of the guidelines I can but sadly these are usually for trivial systems. The number of times I've tried to use a secure password on a system only to get a message back that it doesn't meet their criteria or I can only use letters makes me tear my hair out.

    This usually results in an "arrggh" moment and using a password that is pretty high up on every list I have seen of weak passwords just so I can get in the bloody system to do what I want to.

  19. envmod

    as with so many things, mr adams has already been there

    It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

    Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.

    LastPass etc sound very much like the Ident-i-Eeze to me.

  20. Rob O'Connor

    Password safe

    I started using password safe software recently, and reset all my passwords to be unique per site and use the software to generate new random passwords. The problem I've found is that a large proportion of sites seem to be completely broken when it comes to entering new passwords which are either too long (they rarely tell you the maximum length they accept) or using non-alpha characters. It's not uncommon to enter a new password (say) 30 chars long with the odd { or ^, the site accepts it, then hey presto you can't log in afterwards because their authentication is broken.

  21. Anonymous Coward

    PayPal

    Paypal already has a security token available, which I have been using for a few years now. It is labelled "Vasco Identity Protection". This sort of thing helps but I would not want one for each site I had a password for!

    1. Anonymous Coward

      Re: PayPal

      Not any more, at least the only thing referenced on their website is an SMS based token service - personally I'd rather use a hardware token generator but maybe that's just because I don't really like using my phone.

  22. Anonymous Coward

    Hunt concludes that the only safe password is "one you can't remember".

    "one you can't remember" - is this with or without the quotes?

    1. Jimbo 6

      the only safe password is one you can't remember

      Oh boy, the end-user community that I support must have *extremely safe* passwords

      Must dash, there's another reset request in the mailbox...

  23. Anonymous Coward

    Security and Passwords

    There are some massive assumptions being made here - most of it feeding the "ZOMG! Passwords are so insecure, buy [product]" or the constant pressure from some security consultants to defend against totally out of context threats.

    I post comments on dozens of blogs / forums etc., each one needs a password. I have no great interest in making this a complex password or even a strong one. I also have no real interest in setting up different ones for each site. If you hack my El Reg account, you can use that password to post as me in quite a few places. I can live with that.

    My internet banking password and email account passwords are different and different from each other.

    Equally, the idea that having passwords made up of a single character type is "bad" is nonsense as the Sony / Gawker issue shows.

    Complex passwords are only there to make it hard for someone to brute force a system. If the password is stored as a text file (or badly hashed etc) then it doesn't matter how complex it is. You have only made life hard for yourself.

    Likewise, if a site sets up an internet access point which DOESN'T limit the number of attacks, then madness will ensue. It will only be a matter of time before the password falls no matter how complex it is.

    If you are talking about a site that lets you make five attempts before locking and needing a reset, then you can pretty much use ANY three character password with a good level of security. Anything longer will not fall to a brute force attack so the threats will compromise it whatever length it is.

    1. Anonymous Coward

      Exactly.

      Exactly.

      I admin a number of systems. Those have unique, long, mixed case alphanumeric passwords containing lots of letters and numbers in recognised secure fashion.

      Similarly secure passwords exist for anything that has the ability to cause me any financial liability.

      Forums and comments sections like el reg where the "threat" is that someone might be able to post a comment in my username (oh no! The horror!) have one reasonably good shared password for the lot, simply because I don't care much about them being compromised.

  24. Phil Endecott

    Strong passwords would help how, exactly?

    Right, so they've done this analysis on data from two sites that were hacked and had all their passwords revealed - INCLUDING ALL THE STRONG ONES. So, the people who used strong passwords on Gawker and Sony are just as stuffed as the people who used weak ones.....

  25. Bog witch

    Password complexity vs password length

    Actually, password length is more important than password complexity.

    given two, completely random passwords, one containing only lower case characters and the other containing characters from all the typeable characters, a 10-character lowercase password would be harder to crack than a 7-character complex password. The lowercase password would be considerably easier to remember, too. If you want to take it to extremes, a 14 digit number would be harder to crack than the 7-character complex password.

    You try explaining that to a PCI or SOX auditor though!

    1. Robert Carnegie Silver badge

      Yes, if only.

      There's no reason why a 10 character alphabetic-only password shouldn't be hwgsvexf. (No, that isn't ROT13. As far as I know.)

      Easier to type, too, than "the1Tdepartmentcangof@ckthemselves-2011-06".

      If it needs to be longer than 10 now, there's gqrmlhatdfi. To name only one.

      By all means let it be either the initials of a memorised phrase or of one that you make up for that use, although not one that they made you learn at school.

    2. mittfh

      Complexity

      I wouldn't have thought that "ilovebakedbeans" is harder to crack than "Cj4$Vf7^" (incidentally, I don't use either - I just made them up on the spot). A lot depends on what the theoretical hacker's brute force algorithm is. If it starts off with a dictionary based attack, your declaration of fondness for a food will probably be found quicker than the shorter, completely random string.

      Of course, many blogging sites are doing away with password databases entirely, instead relying either on authentication via third party sites (Facebook, Twitter, Google, OAuth) or even, for the ultimate in low security, Gravatar (only a nickname and email address required to post comments - no password except to customise your Gravatar profile).

      However, for those sites which do still rely on a password database, there's really no excuse for storing it in plaintext in a location that can be read by anyone other than root / administrator. *NIX systems currently salt and hash passwords, then store the file in a location only root can read. According to Wikipedia, even that's not impregnable, but it's presumably a darn sight harder to access the file and the passwords contained within it than on the Sony Pictures and Gawker fora.

      There's another potential issue, tangentially related to passwords. Never mind hackers, many sites implement tracking cookies / web bugs that can follow you around and determine the sites you visit. Perhaps worryingly, courtesy of Ghostery I've discovered that many implement several different tracking cookies simultaneously, with some using nearly a dozen different trackers. That information is probably far more useful to companies / advertisers than your login credentials...

      ...unless you're smart enough to be running an ad blocker, script blocker, tracking cookie blocker and LSO blocker simultaneously.

      1. Anonymous Coward

        Re Complexity

        "I wouldn't have thought that "ilovebakedbeans" is harder to crack than "Cj4$Vf7^""

        Except it isn't, unless the attacker is doing a dictionary attack which has the phrase "ilovebakedbeans" hard coded into its data store.

        Even if the attacker uses rainbow tables, the question is how long are they going to keep attacking.

        If your password is subject to dedicated attackers who can resource long term attacks (eg. it's the access password for the nuclear launch codes and its hash has fallen into the enemy's hands), then you need very long, very random AND very complex passwords. (note, there is an element of contradiction there).

        If this is a normal password, even an internet banking one, then length trumps complexity. Most attacks appear to aim for about 8-12 character passwords. It takes too long to try the possible alternatives that longer passwords offer.

        This is even more difficult for the attacker if there are no rules on what your password can be. As others have said, if you demand one upper, one lower or one number then you REDUCE the possible number of passwords an attacker must try.

        For reference: (assumes an attacker can try 1 billion combinations per second)

        A 15 character, all lower case, password has 1.6 sextillion combinations and would take in excess of 50,000 years to brute force. Example: ilovebakedbeans

        An 8 character complex password has 7.2 quadrillion combinations and will likely be cracked in under 84 days. Example: Cj4$Vf7^

        The best rule of thumb is to set your password policy as 18 characters made up from any ASCII printable character and don't restrict what people can pick - so they can have all letters, all numbers etc. This gives you about 4x10^35 combinations and would take about 1x10^19 years to brute force.......

  26. Anonymous Coward

    LostPass ?

    This LastPass you like...is that the same one that got hacked last month?

  27. Heff

    really? kids, let me say that again KIDS used weak passwords?

    I'm flabbergasted. shocked. amazed. you want strong passwords or other multi-level security to work, either bundle a security dongle with the device (especially if you're going to take the stance that the device remains yours, fuck you sony, thankyouverymuch) sure, you have to replace dongle and open a tech support center for kids that can't seem to find their ass with both hands and a flashlight, but at least you have security.

    As for everyone else; you want password security? generate a random 20-character string, print it out and tape it to your monitor. all you have to do is remember which site/program its for. job done.

    again, I'm shocked that 8-year olds don't give a toss about security and just want to play games. Baffling shit. but I'm sure Sony took reasonable steps like binding the device using GEOip or something similar, so someone attempting to log in from Russia into some Kansas kids account would be stopped by a bunch of bullshit, right? right.

  28. Will Godfrey Silver badge

    Password Mistakes

    Organisations that *insist* on at least one number in the password, are actually weakening it by reducing at least one character from 94 possibilities to 10.

    Users should be advised to make use of all the typeable characters, but never be forced to use any.

    A bank I know of asks for two characters from your password apparently at random - only it is not. It is always in sequence.

    Say you have a 7 character password. If the first character it asks for happens to be the 5th one, it will never ask for 1,2,3 or 4 as the second request.
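Added worked example (not from the article or any commenter) putting numbers on three points in this thread: Bog witch's claim that length beats complexity, the brute-force figures in the "Re Complexity" reply, and Will Godfrey's point that a mandatory digit shrinks the space an attacker has to search. Assumptions, which are mine rather than the page's: an attacker testing 10^9 guesses per second against a stolen hash, a 95-symbol printable-ASCII alphabet (the 7.2 quadrillion figure quoted above corresponds to 96 symbols), and the 94-symbol set Will Godfrey uses for the mandatory-digit case. The mandatory-class function is the general form of his argument: it counts every string minus the strings that avoid the required class entirely.

```python
# Added example: keyspace and exhaustive-search time for password policies.
# Assumptions (not from the page): 1e9 guesses/s offline, 95 printable ASCII symbols.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

ALPHABETS = {
    "digits": 10,
    "lower": 26,
    "alnum": 62,
    "printable": 95,   # ASCII 0x20..0x7E
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_with_required_class(alphabet_size: int, class_size: int, length: int) -> int:
    """Keyspace when policy demands at least one symbol from a class of
    `class_size` symbols (e.g. 'must contain a digit'): every string minus the
    strings that avoid the class completely. Always smaller than keyspace()."""
    return alphabet_size ** length - (alphabet_size - class_size) ** length


def years_to_exhaust(space: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to enumerate the whole space; expected time is half."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def policy_report(alphabet_size: int, length: int, guesses_per_second: float = 1e9) -> dict:
    """Summarise one policy as a dict so callers can compare policies."""
    space = keyspace(alphabet_size, length)
    return {
        "alphabet": alphabet_size,
        "length": length,
        "keyspace": space,
        "years_worst_case": years_to_exhaust(space, guesses_per_second),
    }


if __name__ == "__main__":
    cases = {
        "15 lowercase ('ilovebakedbeans')": (ALPHABETS["lower"], 15),
        "8 printable ('Cj4$Vf7^')": (ALPHABETS["printable"], 8),
        "10 lowercase": (ALPHABETS["lower"], 10),
        "7 printable": (ALPHABETS["printable"], 7),
        "14 digits": (ALPHABETS["digits"], 14),
        "18 printable": (ALPHABETS["printable"], 18),
    }
    for label, (size, length) in cases.items():
        r = policy_report(size, length)
        print(f"{label:34s} keyspace={r['keyspace']:.2e} worst-case={r['years_worst_case']:.3g} years")

    # Will Godfrey's case: 8 symbols from 94, with and without "must contain a digit".
    free = keyspace(94, 8)
    forced = keyspace_with_required_class(94, 10, 8)
    print(f"8 of 94, any symbols: {free:.2e}; must contain a digit: {forced:.2e} ({forced / free:.0%} of free)")
```

Running it shows 10 lowercase letters (about 1.4e14) and 14 digits (1e14) both out-space 7 printable characters (about 7e13), 15 lowercase letters sit well past 50,000 years at 10^9 guesses per second while 8 printable characters fall in under three months, and forcing a digit into an 8-character password leaves roughly 59% of the unconstrained space.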

  29. D S Hodgson

    Not important

    Why do people who create web sites think their site is important to the users? Most sites aren't important so people use the same password for them all - and that's the safest strategy for them. That way they only need to remember a small number of unique passwords for the important sites.

    Most strange are the unimportant sites which try to enforce a complex password policy - delusions of grandeur?

  30. Mike 137 Silver badge

    It's all the fault of the stupid user - of course

    This is the same stupid argument that has been around since Noah - that the user is responsible for covering the provider against attacks on the infrastructure.

    It should be obvious that once the systems are breached, passwords are moot. It's the responsibility of the provider to [a] hash the passwords, [b] seed them before hashing, and [c] harden the hash database server against attack.

    Passing the buck to the end user by insisting on unmanageable "strong" passwords while leaving the infrastructure wide open [a] doesn't work, [b] is an unwarrantable imposition on the user and [c] is a poor excuse for incompetent systems management. We have to stop doing it.
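Added example (not the page's code, nor any commenter's) of what [a] and [b] above look like in practice, and of the salt-and-hash scheme mittfh describes for *NIX password files further up the thread: Python's standard-library PBKDF2 with a fresh random salt per record (what the comment calls "seeding"), a constant-time comparison on verification, and the bare unsalted hash beside it as the weak "before". The iteration count, salt length and record format are assumptions chosen for illustration; a real deployment would tune the cost to its own hardware and use a maintained password-hashing library.

```python
# Added example: per-user salted, iterated password hashing vs. a bare unsalted hash.
# Assumptions (not from the page): PBKDF2-HMAC-SHA256, 600_000 iterations, 16-byte salt,
# record format "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>".
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # assumption; tune so one verification costs a noticeable fraction of a second


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and derived key."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak 'before': one fast, unsalted hash. Identical passwords give identical
    digests, so a dumped table can be attacked in bulk with one precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample users; two of them reuse the same password.
    users = {"alice": "baloney1", "bob": "correct horse", "carol": "baloney1"}
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted: alice == carol ->", weak["alice"] == weak["carol"])      # True
    print("salted:   alice == carol ->", strong["alice"] == strong["carol"])  # False
    print("login ok  ->", verify_password("baloney1", strong["alice"]))        # True
    print("login bad ->", verify_password("baloney", strong["alice"]))         # False
```

The record carries its own salt and iteration count, so the cost can be raised later by re-hashing at next login without a schema change; the unsalted variant is included only to make the reuse problem visible, since alice and carol get the same digest there and a single cracked hash unlocks both accounts.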

  31. Tom 13

    Any security expert who thinks users can remember

    different passwords for every site they visit which meet their minimum complexity and length requirements needs to be taken out back and summarily shot. It simply isn't possible for the vast majority of the population.

  32. Anteaus

    Assumes no bruteforce protection

    All of this assumes sites have no bruteforce protection. If a site does have some form of bruteforce protection, then even short passwords are very secure, provided they're not directly guessable.

    Notably, Microsoft's server products lack bruteforce protection, and they are one of the main proponents of complex passwords.

    1. Anonymous Coward

      Some sites are crazy

      I am somewhat amused by some financial services sites which tell you you must have a strong unique password, but then also tell you that only alphanumeric characters are allowed, that passwords are not case sensitive, that at least two of your password characters must be numeric, at least two must be alphabetic, and password length must be between 5 and 8 characters, don't lock the account after repeated failed login attempts, and provide a very fast login failure if you get the password wrong. Often such sites have a simple way of resetting the password (and do it on line, not via email) just requiring an answer to one (or sometimes two) predefined questions which you have to select from a very short list (something like mother's maiden name, first school, favorite food, favorite author, and wife's birthday - or some other short list where you would expect that a lot of people know the answers to most of the questions).

      Such sites tend to have the most draconian Ts&Cs about who is responsible for security and how you (not they) are liable if your account is hacked.

      I avoid using such sites, for obvious reasons.
