SaaS outfit to users: Change password! Or don't. Oh, go on then

Online accounting enfant terrible Xero has apologised for telling too many people to change their passwords, when they didn't need to change their passwords even though it wouldn't hurt them to change their passwords. Xero has boiled up out of New Zealand with a SaaS accounting package that has sufficient smarts and looks that …

  1. Lusty

    Why don't they just add AAD authentication? That way the SaaS vendor never gets your password and the user gets single sign-on. Good to see another SaaS vendor kicking the incumbents' ass too. Won't be too much longer before startups rewrite the whole data centre :)

    1. Lusty

      Turns out they do integrate with AAD, so this wouldn't have affected those users who had integrated accounts.

      1. MatthewSt

        Sort of...

        It supports it to the extent that you tell AAD your password, install a password-manager-style plug-in and then AAD will type your password into the password box for you instead of you logging in yourself. That's unless it's changed in the last 6 months.

        1. Lusty

          Re: Sort of...

          All the other AAD services seem to be federated these days.

  2. Ken Moorhouse

    Old password...

    Old Password:-

    zZghjgjhgj9889798*&^*&^&*^

    New Password:-

    Password1

    My feeling is that this is what will happen when people are asked to change their password too frequently. They will arguably have a tendency to pare down their security in order to keep track of it. The consequences are that, rather than strengthening their security, they are weakening it.

    What is desperately needed IMHO are tools which tell the user how near the password crack attempts are getting to their chosen password. This is I think impossible for a vendor to implement if they're using "trapdoor" encryption, such as MD5, to store passwords in a login table, but a doddle if they are stored using reversible encryption. My reasoning is that it is unnecessary for a password to be changed if dictionary attacks are nowhere near the mark. The exception to this is a leak where a password is divulged and a baddie gets in in one go without failed attempts. Genuine users who mistype their passwords should confirm when they successfully log in that the x failed attempts which preceded the successful attempt were theirs, not anyone else's.
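The last suggestion in the comment above, surfacing the failed attempts that preceded a successful login so the account owner can confirm they were their own mistypes, needs nothing more than the authentication log. The following is an added illustration, not code from the thread or from Xero; the event shape, the user names and the log entries are all constructed.

```python
# Added example (not from the comment thread): after a successful login, collect
# the failed attempts for that account since its previous success so the user
# can confirm they were their own mistypes. The event log is constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    ok: bool
    src: str  # client address as recorded by the login service

def failures_since_last_success(events: List[AuthEvent], user: str,
                                success_at: datetime) -> List[AuthEvent]:
    """Failed attempts for `user` between their previous success and `success_at`."""
    window: List[AuthEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user != user or ev.ts >= success_at:
            continue
        if ev.ok:
            window = []   # an earlier success: anything before it was already reported
        else:
            window.append(ev)
    return window

def distinct_sources(failures: List[AuthEvent]) -> List[str]:
    return sorted({f.src for f in failures})

T0 = datetime(2013, 3, 1, 9, 0, 0)
LAST_SUCCESS = T0 + timedelta(hours=4)
SAMPLE = [  # constructed log: documentation-range addresses only
    AuthEvent(T0, "ken", True, "203.0.113.7"),
    AuthEvent(T0 + timedelta(hours=1), "ken", False, "203.0.113.7"),
    AuthEvent(T0 + timedelta(hours=2), "ken", False, "198.51.100.4"),
    AuthEvent(T0 + timedelta(hours=2, minutes=1), "ken", False, "198.51.100.4"),
    AuthEvent(T0 + timedelta(hours=3), "tony", False, "192.0.2.9"),
    AuthEvent(LAST_SUCCESS, "ken", True, "203.0.113.7"),
]

def report(user: str, success_at: datetime) -> str:
    """Message shown to the user right after they sign in successfully."""
    fails = failures_since_last_success(SAMPLE, user, success_at)
    if not fails:
        return "No failed sign-in attempts since your last successful login."
    srcs = distinct_sources(fails)
    return (f"{len(fails)} failed attempt(s) since your last login, from "
            f"{len(srcs)} address(es): {', '.join(srcs)}. "
            "If these were not you, change your password now.")

if __name__ == "__main__":
    print(report("ken", LAST_SUCCESS))
```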

    1. Tony S

      Re: Old password...

      @Ken Moorhouse

      I've seen that happen so would agree totally.

      People (including IT) had previously had fairly strong passwords that were changed about every 6 months. The new security policy of changing the password every 40 days, along with no self-reset and a poor helpdesk experience, meant that staff were using january13, february13, march13 etc.

      IT were using mylifesuxjan13, mylifesuxfeb13, mylifesuxmar13 etc.

    2. Lusty

      Re: Old password...

      My main bugbear is when I have to be over 8 characters, have to have a number, but for some reason best known to the amateur nobber in charge of the system am not allowed a special character. Normally this is in an attempt to use Pa5$w0rd as a last resort when signing up to see cat pictures on some trivial website. Obviously cat pictures need to be very secure.

  3. themagoo

    I especially enjoyed how the email contained a 'change your password' link - perfect for the Phishermen to copy and redirect. Doh!

  4. Ben Tasker

    Personally I'm glad they sent the mail out, as it gave me a heads up that they hadn't actually deleted my account when they said they did a year ago.

    Granted there was no data in there but I try not to leave the net scattered with defunct accounts.

    They're currently "looking into" removing my account properly this time.

    1. Lusty

      In the UK at least, the recommendation is to not actually delete accounts fully because marking the account is the only way to comply with the legal obligation to let someone opt out of mailings etc. Granted they shouldn't have been mailing you, but don't expect them to 100% remove your info from the database if the law there is like it is here.

      In theory, this means that when you opt out of something you should never, ever hear from the company again until you opt in or sign up again. In practice this is rarely the case - I've opted out of Argos mailings about 1000 times and every time I buy something the buggers opt me back in despite my obvious choice to the contrary. If I could be arsed I'd ask them more forcefully with a reference to the DPA but I'm way too lazy and not as bothered as I probably seem :)

    2. Anonymous Coward

      "deleted my account when they said they did"

      Yeah, I assume everybody does that. I used to send an email with a read receipt request demanding actual deletion. I've pretty much given up these days. It's just really irritating with services like this where you have to put in real data, rather than lie and sign up with a mailinator.com address, which is what I normally do.

      That non-deletion is frankly extremely dodgy. Yours, you say, is empty, but normally accounts would likely hold bank details, probably of third parties like employees for processing pays. Nasty.

  5. This post has been deleted by its author

  6. Jin

    Changing PW A to PW B to PW C to PW A to PW B to PW C ------?

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Incidentally, biometrics are dependent on passwords in real life. So are multi-factor authentications and ID federations like password managers and single-sign-on services. And, in a world with passwords killed dead, we have no safe sleep. Passwords will stay with us for long.

  7. Aximilli

    What a mouthful!

    "Xero has boiled up out of New Zealand with a SaaS accounting package that has sufficient smarts and looks that industry incumbents realise they need to hire the software equivalent of a personal stylist and life coach to guide them through a makeover before the bright young thing in the office makes them look frumpy and slow."

    ...What?
