
"Next we noticed, that no single password was found more than three times. This brings into question the integrity of the original dump"
They didn't seem to notice that it also brings into question the validity of their conclusions.
Trustwave's SpiderLabs has completed an analysis of the passwords dumped on the Internet in this month’s eHarmony breach, and reached the depressing conclusion that too few people really seem to care about password strength. Having recovered 80 percent of the 1.5 million passwords in the dump file, the company says only 0.5 …
As much as the stats are off, the underlying issue remains. If I see another article saying "no salting" or some shitty old hashing mechanism I think I'm going to find the Head of IT of that company in question and punch them in the head.
Crap salting and hashing methods (if at all...) are not excusable. What excuse do you have to store them in plain text? What excuse do you have for storing them in an insecure mechanism, even ignoring best practice for storing them, even then? None. Nothing. Nada.
You can never be 100% certain your database is not going to escape, but allowing brute force password crackers to possibly retrieve 1.2 million passwords in 72 hours is total incompetence.
I might have to bring back the old password matrix idea... or at least some key vault on my phone. This is getting ridiculous.
One of our systems doesn't even allow *any* characters to be repeated ...as I found out on the third attempt to pick a password it would accept.
Really. Would a "full list of rules" link have been all that hard to put *somewhere*?!
...I kept a record of what these rules were to avoid the same rigmarole when I'm obliged to change it in future (most likely after I've had it reset because I can't remember what it made me use in place of what I originally wanted...)
Perhaps people intentionally use weak passwords on sites like that because they don't care? I regularly use weak passwords when signing up for random sites because it wouldn't really bother me if an account like that got compromised.
As for weak password storage, a lot of sites even store passwords in plain text or a reversible form... One way to tell is to see what the forgotten password function does: if it sends you your previous password then it's clearly not hashed.
As for why companies do this...
Firstly they have the terrible example of Microsoft: Windows passwords are also unsalted, are based on MD4 and even more ridiculously can be used without cracking them at all (Google for pass-the-hash). When 99% of companies out there have important data on systems like that, using something like plain MD5 to protect a dating website is actually way above average.
It seems everyone writing a webapp wants to reinvent the wheel... You need simple and well documented functions for storing passwords in the application frameworks, preferably something based on the common password format used by unix so that new ciphers can be seamlessly integrated over time.
In the grand scheme of things, plain MD5 isn't all that bad, a lot of webapp authors seem to implement their own totally proprietary schemes that have all kinds of ridiculous flaws.
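As an added illustration of the point above about a self-describing unix-style password format that lets a site migrate to better hashing over time (example code written here, not from the thread or any real framework; the scheme labels, record layout and sample users are my own constructed assumptions):

```python
import base64
import hashlib
import hmac
import os

CURRENT_SCHEME = "pbkdf2-sha256"   # hypothetical scheme label used by this example
CURRENT_ROUNDS = 100_000

def _pbkdf2(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def make_record(password: str, rounds: int = CURRENT_ROUNDS) -> str:
    """Hash with a fresh 16-byte salt into a self-describing "$scheme$rounds$salt$hash" string."""
    salt = os.urandom(16)
    digest = _pbkdf2(password, salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"${CURRENT_SCHEME}${rounds}${b64(salt)}${b64(digest)}"

def verify(password: str, record: str) -> bool:
    """Check a password against a record; still understands legacy unsalted MD5 ("$md5$<hex>")."""
    _, scheme, *fields = record.split("$")
    if scheme == "md5":
        expected = bytes.fromhex(fields[0])
        actual = hashlib.md5(password.encode()).digest()
    elif scheme == "pbkdf2-sha256":
        rounds, salt, expected = int(fields[0]), base64.b64decode(fields[1]), base64.b64decode(fields[2])
        actual = _pbkdf2(password, salt, rounds)
    else:
        return False                                 # unknown scheme: fail closed
    return hmac.compare_digest(actual, expected)     # constant-time comparison

def needs_upgrade(record: str) -> bool:
    """True for a legacy scheme, or for the current scheme with too few rounds."""
    _, scheme, *fields = record.split("$")
    return scheme != CURRENT_SCHEME or int(fields[0]) < CURRENT_ROUNDS

def login(store: dict, user: str, password: str) -> bool:
    """Verify, then transparently rehash an outdated record while the plaintext is available."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        store[user] = make_record(password)
    return True

# Constructed sample store: one legacy unsalted-MD5 user, one user already on the current scheme.
USERS = {
    "alice": "$md5$" + hashlib.md5(b"popopo00").hexdigest(),
    "bob": make_record("correct horse battery staple"),
}
```

Because the scheme is named in every record, the legacy MD5 entry is only accepted once and is then rewritten, so the weak hashes disappear as users log in rather than requiring a forced reset.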
Hear hear. Whenever I sign up for some semi-useless cack I don't care about being linked to me, I sign up as Tony Hawk with password popopo00. I reuse passwords on low priority sites so I don't have seven hundred strong passwords swimming through my head when I'm trying to remember my banking login or my Steam account pw or somesuch.
I've seen a few low-importance sites that require a high security password. I keep a few high security passwords, and a couple low security. If I give one of my high-securities to a low-importance website, then I risk my important stuff being compromised.
If a low-importance website won't accept my low-security passwords, and it's not important enough for my high security - I don't register :(
BeThere earned my ire recently. I forgot my password on their website, so I had to reset. I tried to reset to my high security password and it forbade me from re-using my password! Like I'm going to make up yet another password just for them!
I'd rather be able to use something like: correct horse battery staple (yes I read XKCD, so sue me), than being forced to use upper and lower case, a special character AND a number in a more-than-6, less-than-12 character password (like my school is forcing me to do. And they even refuse to see reason when I point out the flaws in their plan.) (Incidentally, lost password calls to the Helldesk have gone up 3-fold since implementation of that stupid policy.)
My company is even worse. As well as 8+ characters, with 3 from upper/lower/number/special, they make us change it every month. It won't allow incrementing of the previous password, or re-use of any one of the last 12 passwords. If they make the requirements that rigorous, surely they can let us use them for a quarter at a time...
I never thought I'd ever resort to it, but now I have a post-it stuck under my keyboard with the password on (with the last two characters reversed to foil cleaners/colleagues).
Yeah, I'd do that, but they actually demand that the new password does not contain a string of letters the same as the previous password.
So if the old one is: StrawberryPancake2012, the new one can't even be: PancakePie123. (Because both contain Pancake.)
Also, can't contain your username or (part of) your real name.
That seems to be the case, yes.
And the reason they "needed" this enhanced security? They were (finally) going to implement a cross-site login, so I could go from email to intra-net to educational management system without having to log in every time. (Why they didn't require a secure password for ANY of these sites before is still a mystery wrapped and encoded with an enigma.) (Ohh, and they still can't manage to build a website capable of working in Firefox. In 20ANDBLOODY12!)
A site I have to use for placing orders.
I used a very good password, not knowing about the 45 day mandatory change. Can't use a password you used in the last 7 changes.
Soo...
password is a sequence of numbers + the next letter in the alphabet - capitalized
soooooooooooo stupid.
There's a simple trick for medium-security passwords with daft requirements for numbers and letters. Pick yourself an algorithm for constructing an alphanumeric password based on the keyboard layout - 1q2w3e4r being a ridiculously simple example - and then all you have to remember is your pattern. If they insist on you changing it frequently, you can simply move the pattern about on the keyboard.
This report makes a big assumption that all passwords and systems are equal. There are too many sites these days that require some sort of login for someone to have truly unique passwords per system (Yes, I am aware of tools like LastPass etc., but most people don't use them). Most people I know, when we've discussed the issue of passwords, say they use a system where they have a set of passwords they use, and the least secure of them is used for the most throwaway logins.
How many people reasonably would use the same password for eHarmony as they do for their bank or email? (Yes, I am aware that there are a lot of idiots out there, but the assumption that all systems are equal in their importance is a big oversight when judging the use of passwords.)
Just to recommend KeePass (http://keepass.info) - never have to remember a password again (well, just the one that locks KeePass itself!). Generate very long unguessable random combinations of characters (special ones included) and you're all set.
Available for fans of Linus, Bill and Steve (plus all the major mobile platforms)
Just remember to back up the database. Oh, and keep a copy on a memory stick if you use other machines.
What annoys me are these guessing games, where the site can't say in advance what their password policy is, oh no, that would be too easy.
So, for instance, as per usual I get KeePassX to generate a random password for a site I'm registering with.
"Your password may contain only letters, numbers, and underscores".
OK, let's do it again, then.
"Your password must be between 5 and 20 characters".
[Gritted teeth] OK...
American Express wouldn't let me use the password I wanted as it was too long, I think they limit to 8 chars, Amex!?!!
Just had three goes to remember the memorable name for my bank which I haven't used for years... Yes it was memorable but so are a few hundred others!
Length beats special chars - hmmm, what length, what chars? there must be a formula for that...
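The formula the comment above asks for, worked through here as an added example (not part of the comment): for a password of length $L$ drawn uniformly from an alphabet of $N$ symbols, the search space is $N^L$, so its strength in bits is

$$
H = \log_2 N^L = L \log_2 N .
$$

Putting in the cases the thread argues about:

$$
\begin{aligned}
8 \text{ chars, all 95 printable ASCII:} \quad & 8 \times \log_2 95 \approx 8 \times 6.57 \approx 52.6 \text{ bits} \\
12 \text{ chars, lowercase only (} N = 26 \text{):} \quad & 12 \times \log_2 26 \approx 12 \times 4.70 \approx 56.4 \text{ bits} \\
16 \text{ chars, lowercase only:} \quad & 16 \times 4.70 \approx 75.2 \text{ bits} \\
4 \text{ random words from a 2048-word list:} \quad & 4 \times \log_2 2048 = 4 \times 11 = 44 \text{ bits}
\end{aligned}
$$

So going from 8 to 12 characters outweighs adding the whole special-character set, and every 4 extra lowercase letters are worth about as much as an 8-character password's special characters were. The formula assumes the characters are chosen uniformly at random; a keyboard pattern or a dictionary word with a digit on the end is chosen from a far smaller space, which is exactly why crackers recover them.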
When it comes to memorable information, invent:
"I'm Fred Bloggs, born 01/01/1958 in Timbuktu, dog's name = fido, favourite food = biscuits, first girlfriend = The Queen"... as long as you're consistent across sites, no-one's ever going to sniff that from Facebook, driving licences, etc.
I worked at a place that had password requirements as follows: one upper case and one lower case. Had to be 10 characters exactly, no less, no more. Must have a number. The number cannot be at the beginning or end. You must change the password every 30 days. If you forget, your account is locked out. You can only change the password every 24 hours.