Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

Up to 90 per cent of the average online retailer's login traffic is generated by cybercriminals trying their luck with credential stuffing attacks, Shape Security estimated in its latest Credential Spill Report. The biz crunched the numbers [PDF] on 51 organizations across a range of global sectors that reported having an eye- …

  1. vtcodger Silver badge

    password reuse

    "so try not to reuse the same password on every site, eh?"

    There's an assumption here that I care whether someone hacks into my Register account using my reused password. Actually, I couldn't care less.

    But what about my bank account? You think I'm crazy enough to bank online? That's not going to happen unless and until "they" come up with an authentication scheme that is both a lot more secure than those in common use -- and a lot less inconvenient.

    1. LenG

      Re: password reuse

      Even a poorly implemented login tends to be significantly more convenient than trying to find somewhere to park near a bank branch. Or are you going to do all your banking over the phone?

      In the bad old days you tended to have to have a user-id and a password. Nowadays the user-id tends to be an email id which is unique to a user and is used across a range of accounts. This effectively means that your security is dependent entirely on your password rather than a PW/id combo which was intrinsically stronger as there was no guarantee that the id was fixed for a given individual.

      Two (or better) factor id, preferably with biometric or random-number gizmo involved, really needs to become more ubiquitous. Unfortunately coping with the "that's too much of a bother" mentality makes these more or less unavailable even for people who are willing to use them.

      1. Martin an gof Silver badge

        Re: password reuse

        more convenient than trying to find somewhere to park near a bank branch

        I recently tried to set up a bank account with my eldest, online. We had wanted to do it in-branch, but it's a small branch and the next time an adviser would be on site with a free slot was in two weeks.

        Ignoring the two weeks wasted after our first application online was "lost" (might as well have waited for the adviser), it still takes them a week to decide whether or not he needed to bring additional ID into a branch, then another few days before they send out paperwork to sign, then up to another fortnight before the PIN and card arrives.

        Contrast this with the experience of a friend who was able to go into a branch of exactly the same bank - a bigger branch with a resident advisor. They saw an advisor within an hour, and 30 minutes later they walked out of the branch with all paperwork completed, with the PIN etc. dropping through the post a week or so later.

        Online (in this case) was neither easy nor convenient. In-branch was both.

        M.

        1. RobinCM

          Re: password reuse

          Other banks are available...

          I believe that one of the top rated banks in the UK for customer service exists entirely online, not that I'm a customer, but perhaps you choose unwisely?

          1. Martin an gof Silver badge

            Re: password reuse

            perhaps you choose unwisely?

            I think the point I was making was that online is not necessarily more convenient. We looked at several banks. Having a local branch was one criterion. All banks have a lot of checks they need to do before opening a "new to them" account, and there is no way that can possibly be more convenient online because they have to have sight of official documents - photo ID, household bills, that sort of thing.

            The online process could possibly have been a bit quicker (five days to decide if they need more ID?) but the in-branch process is effectively instant if you take the correct documentation with you.

            The main problem we had - and it was not unique to this bank, it would have been the same at nearly all of the other banks with branches in our town - was that there was no permanent in-branch adviser. To be honest we are beginning to think it would have been quicker and more convenient to wait until the next appointment was available - about a fortnight!

            M.

        2. Pen-y-gors Silver badge

          Re: password reuse

          @Martin an gof

          If you live in rural-ish Wales, the question young people will soon be asking is "What's a bank branch?" - All the banks are shutting down local branches as fast as they can.

          There's no thought of the impact, or looking at ways to mitigate the impact. Granted that branches are less important than they used to be - hole in the wall for cash, internet and phone banking etc, and the local manager was stripped of all authority years ago. Now it's usually 'computer says no' if you go in to ask for an overdraft.

          But they have their uses - why can't the banks work out some arrangement for a shared branch system so that humans who prefer face-to-face can get service. And what about businesses who need to bank cash? I use the Post Office, but they don't usually have night safes!

          1. Martin an gof Silver badge

            Re: password reuse

            If you live in rural-ish Wales, the question young people will soon be asking is "What's a bank branch?"

            Good point. We are fortunate that although we live in a rural-type area, it's only ten minutes by car (traffic permitting) from a reasonably-sized town (20-ish by bus*, 30 or 40 by bike), at which there are (if I have counted correctly) branches of nine banks and building societies. To get there, however, you have to pass through two smaller towns, neither of which has a single remaining bank, though both do have post offices / po counters which offer banking facilities.

            Best of both worlds (lucky us), but I'm fully aware this isn't the case everywhere. I suppose that if your banking needs are reasonably simple, once you have got set up an online bank probably works very well but it does lack the empathy and experience of a "Real Person". There are still some things where speaking to someone face-to-face remains the best way of doing things.

            M.

            *this bus goes down the "main road" which is about a 10 minute walk from the actual hamlet where we live, there's one every 15 minutes at some times of day. There is a bus stop about 200 yards from the house, but that bus takes a complex circular route through several small villages and passes at three really odd and inconvenient times.

          2. Alan Brown Silver badge

            Re: password reuse

            "All the banks are shutting down local branches as fast as they can.

            There's no thought of the impact, or looking at ways to mitigate the impact. "

            Bank branches are not a social service. You can't legislate them open and if you tried I'd guarantee that would result in the rate of closures going _up_ even if plenty of subsidisation was on offer.

      2. Twanky

        the "that's too much of a bother" mentality

        For historical reasons I have an account with a bank that uses an additional factor (after username and password) of three characters from my 'memorable information'. The system prompts for a different set of three characters each time I log in and requires me to select the correct responses from a drop down list... How much more bother could it be to just type in a six digit code which changes every 30sec?

      3. Sgt_Oddball Silver badge

        Re: password reuse

        My bank still enforces unique user id, not using email addresses. They also use 2fa for adding new payments and logging on to the website. On mobile you can set up biometrics. So I think it's just a matter of having a good bank for it.

        1. Alan Brown Silver badge

          Re: password reuse

          "My bank still enforces unique user id, not using email addresses. They also use 2fa for adding new payments and logging on to the website. On mobile you can set up biometrics. "

          And if it's the one I think it is, the end result is that you end up with a "curated" version of the website with less overall security vetting than if you'd logged in via an ordinary browser.

          But they don't like people pointing that out. You can test it easily enough though.

          1. This post has been deleted by its author

    2. Anonymous Coward

      Re: password reuse

      until "they" come up with an authentication scheme that is both a lot more secure than those in common use -- and a lot less inconvenient.

      Are you one of the "I want everything, and easy, and until this happens I will mope" people?

      Protip: Unless you have enough money to buy a couple of personal assistants, you better use what's available.

      1. vtcodger Silver badge

        Re: password reuse

        "Are you one of the "I want everything, and easy, and until this happens I will mope" people?"

        Not especially. More a "Sooner or later you folks should acknowledge that what you're doing isn't working and quite possibly will never work" sort of person.

        Doesn't mean one can't use the Internet for entertainment, access to information, casual conversation and many other things. Just that it truly may not be a satisfactory vehicle for command and control, financial activity and some other activities.

        "you better use what's available"

        Why would I use a defective and potentially dangerous tool when there are safer alternatives? Why would anyone?

    3. This post has been deleted by its author

  2. JohnFen

    Checks out

    That's about what I see on the websites that I run.

    1. Alan Brown Silver badge

      Re: Checks out

      "That's about what I see on the websites that I run."

      To be honest I'm surprised it's that low. Anyone not using mod_throttle, fail2ban, open proxy banlists and suchlike in this day and age needs their head read.

      For Imap(s) and smtp(s) ports it's closer to 99.99% of all login attempts.

      1. Kevin McMurtrie Silver badge

        Re: Checks out

        Upvote for this. The odds of successfully guessing a password are inconsequential when the cost of performing the guessing is zero. Cutting off the networks supporting criminal activity is required.

        1. DropBear

          Re: Checks out

          As a counterpoint, I'd like to extend a lovely bouquet of carefully chosen deadly curses to those acerebral primates who insist on throwing me a captcha after an otherwise successful login on the first attempt, from an IP address that cannot possibly be flagged having been in my use for at least several days prior.

          You're welcome to enable TOTP 2FA if you think you must and I'll gladly use it, or you can even mail me a link to click on if you have actual solid grounds for actual justifiable suspicion, but DO NOT throw me captchas when I did nothing wrong or suspicious. I regularly have to give up trying to "solve" them after a dozen "yeah okay but solve one more page of these continuously replaced tiles" follow-up requests without any signs of slowing down.

  3. Anonymous Coward

    Ummmm.......

    A deeper question is why, given the weak state of credentials, companies don’t adopt better security? Options here include mandatory use of multi-factor authentication (MFA), better detection of credential stuffing and more data sharing.

    Oh you want to know why? Because the persons in charge consider that "no-one knows that the website exists in any case" and that it is secure because "it has been updated only 5 years ago". So no problem running Node.js in a manner reminiscent of putting balls out of train windows? Nope, none at all. IT guys are wont to diss whatever was installed before they were hired anyway by extremely skilled guys running Apache servers as root. And anyway, who would guess password "SecureMe1234". Now, we have customer complaints that their FTP access is not working today...

    1. Martin an gof Silver badge

      Re: Ummmm.......

      "no-one knows that the website exists in any case"

      About 18 months ago I registered a domain with the intention of (eventually) hosting my own email server. Within a day or so I was getting SEO and similar spam to the email address I used. I worked out how to "hide" this from whois, but am still getting the emails.

      I gave the domain DNS A and MX entries, but I didn't get around to setting up my server until a few weeks ago. For all that time, any connection attempt would have resulted in nowt as the router blocked everything incoming.

      Within an hour or so of opening port 25, Postfix was logging multiple attempts to connect from IPs with dodgy credentials. I have no doubt that port 80 would attract the same were it open (and it may be, soon, if I get webmail going). Apart from DNS, the address is not advertised anywhere.

      It's not rocket surgery. Keep an eye on domain registrations, add new ones to the list your automated script keeps banging away at. You never know, one day someone might open something you can exploit.

      Before I had the fixed IP and the domain the router logged continuous low-level "incoming" activity - mostly trace_route. Someone out there is just iterating through addresses again and again and again and hoping that one day they'll find something open. I dare say that occasionally, they do.

      I'm not a time-served sysadmin. In these matters I'm strictly an amateur. I'm relying on good guidance and doing things step-by-step to avoid trouble. It does feel a bit like I'm under siege though!

      M.

      1. Sgt_Oddball Silver badge

        Re: Ummmm.......

        I just used to leave a listener script that blacklisted IPs after 5 failed attempts at logging in to an open port (3389 for RDP for example). Anything that attempted wp/admin in the URL got perma-banned straight away (it's a sure sign of a WordPress hacking attempt and since I'd rolled my own CMS it certainly isn't anyone doing nice things).

        Used to find hacking attempts dropped off quite sharply after that.
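The two rules from the post above (temporary ban after five failed logins from one address, immediate permanent ban for anything probing a WordPress admin path), worked through as an added example that is neither the commenter's script nor fail2ban. The log-line formats, the 10-minute counting window, the 1-hour ban length, the /login endpoint and the WordPress path markers are assumptions, and all log lines are constructed.

```python
"""Toy ban list: 5 failures inside a sliding window -> temporary ban;
any request for a WordPress admin path -> permanent ban. Added example
with constructed log lines; formats and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# sshd-style auth line with an ISO timestamp (format assumed for the example)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Combined-log-format web access line (format assumed for the example)
ACCESS_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

MAX_FAILURES = 5                   # failures tolerated inside WINDOW
WINDOW = timedelta(minutes=10)     # sliding window for counting failures
TEMP_BAN = timedelta(hours=1)      # how long a temporary ban lasts
PROBE_PREFIXES = ("/wp-admin", "/wp-login.php")  # WordPress probe markers
LOGIN_PATH = "/login"              # the site's own login endpoint (assumed)


def _access_time(raw):
    """'13/Jul/2018:10:02:00 +0000' -> naive UTC datetime, like AUTH_RE's."""
    ts = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc).replace(tzinfo=None)


class BanList:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.temp_banned = {}               # ip -> time the ban started
        self.perma_banned = set()

    def record_failure(self, ip, ts):
        """Count one failed login; return True if it triggers a ban."""
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:     # forget failures outside window
            q.popleft()
        if len(q) >= MAX_FAILURES and ip not in self.temp_banned:
            self.temp_banned[ip] = ts
            return True
        return False

    def is_banned(self, ip, now_iso):
        """Is ip blocked at the ISO-8601 time now_iso?"""
        if ip in self.perma_banned:
            return True
        started = self.temp_banned.get(ip)
        return started is not None and datetime.fromisoformat(now_iso) - started < TEMP_BAN

    def feed(self, line):
        """Apply the rules to one log line; return the action taken, if any."""
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            return "temp-ban" if self.record_failure(m["ip"], ts) else None
        m = ACCESS_RE.match(line)
        if not m:
            return None                     # unknown line shape: ignore it
        ip, path = m["ip"], m["path"]
        if path.startswith(PROBE_PREFIXES):  # nothing legitimate asks for this
            self.perma_banned.add(ip)
            return "perma-ban"
        if m["method"] == "POST" and path == LOGIN_PATH and m["status"] == "401":
            return "temp-ban" if self.record_failure(ip, _access_time(m["ts"])) else None
        return None


SAMPLE_LINES = [  # constructed sample data (documentation IP ranges)
    # fast guesser: five failures in eight seconds
    "2018-07-13T10:00:01 sshd[4242]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "2018-07-13T10:00:03 sshd[4243]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2",
    "2018-07-13T10:00:05 sshd[4244]: Failed password for root from 203.0.113.5 port 50124 ssh2",
    "2018-07-13T10:00:07 sshd[4245]: Failed password for root from 203.0.113.5 port 50125 ssh2",
    "2018-07-13T10:00:09 sshd[4246]: Failed password for root from 203.0.113.5 port 50126 ssh2",
    # slow guesser: five failures spread over 42 minutes never fill the window
    "2018-07-13T10:00:00 sshd[4300]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "2018-07-13T10:10:30 sshd[4301]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "2018-07-13T10:21:00 sshd[4302]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "2018-07-13T10:31:30 sshd[4303]: Failed password for root from 203.0.113.9 port 51003 ssh2",
    "2018-07-13T10:42:00 sshd[4304]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    # WordPress probe against a site that does not run WordPress
    '198.51.100.7 - - [13/Jul/2018:10:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    # a real user who mistypes once and then gets in
    '192.0.2.10 - - [13/Jul/2018:10:03:00 +0000] "POST /login HTTP/1.1" 401 12 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Jul/2018:10:03:20 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def process(lines):
    """Feed every line to one BanList; return it with the actions taken, in order."""
    bl = BanList()
    actions = [a for a in (bl.feed(line) for line in lines) if a]
    return bl, actions


if __name__ == "__main__":
    banlist, taken = process(SAMPLE_LINES)
    print(taken, sorted(banlist.temp_banned), sorted(banlist.perma_banned))
```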

        1. This post has been deleted by its author

  4. SVV

    Another reason this is such a successful exploit

    Often you have to register on a site with an email address to confirm you're not a lazy bot by then clicking on an emailed link, but the site then requires that email address as the "username".

    Most people only have one email address.

    Credentials stolen, assume person uses same email address and password on every site.

    Bingo.

    Of course many of us have different email accounts, and use different passwords for each site. But this whole thing about using the email address is making things far too easy for the bad guys. So how about asking for an email when registering, using it to confirm identity, but then letting a user choose a unique private username for the site? That would prevent lots of damage. Usernames and passwords stolen from an unencrypted user table would only affect that site. Maybe a, cough, popular tech site, cough, could also think about this for new registrations? (Some people on here for years may not have that old email anymore)

    1. Steve Davies 3 Silver badge

      Re: Another reason this is such a successful exploit

      Have an upvote for talking about the site username.

      Forcing people to use an email address for the username is tantamount to leaving the door half open.

      Once a user has their email hacked, all their contacts get slurped away and the hackers have a lovely lot of data to start using for hacking other sites.

      IMHO, it should be a criminal offense to force users to use an email address as a site username.

      The sentence should be something like helping to remove fat-bergs from sewers. That will stop them re-offending.

      1. RobinCM

        Re: Another reason this is such a successful exploit

        If the credential databases from multiple sites are stolen, they'll either include the email address in addition to the username, or people will use the same username on multiple sites.

        It'll make some impact, but I don't think it's the kind of panacea that people make it out to be.

        Plus, people forget them, leading to knock-on issues with the site holder then having to have a "remind me what my sign in details are" feature, with all the scope for abuse that brings with it.

        Two factor, done right, all the way for me.

    2. Mark 85 Silver badge

      Re: Another reason this is such a successful exploit

      Quite a few sites are using that scheme of a "unique username" and not email to log in. It should be used by all sites but most sites that I see selling products use the email addy and a password and therein is the problem. It just takes a few popular sites for you to be compromised. Funny thing is, all the sites I visit that don't sell things use the username to log in... except for that one certain tech site that should change the log in from "email" to user name. <twiddles thumbs><whistles>

      1. DropBear

        Re: Another reason this is such a successful exploit

        If you think I would use and remember a different "username" for each of the hundred or so various places I might need to log into anywhere from every day to every five years, you're off your rocker. I can't help but wonder what exactly you'd stand to gain compromising any of these forum identities (not that anyone gives a #$@ about what I write even when I'm the one doing it) and various web shop logins (none of them stores payment methods since I pay cash on delivery, or paypal on international ones). Amazon, Ebay, PayPal logins use passwords not used elsewhere and the email they all converge into has a unique password and 2FA. But the other hundred ones are more or less the same (secondary) email-as-id and password, you're welcome to have a go at it...

    3. JohnFen

      Re: Another reason this is such a successful exploit

      "Most people only have one email address."

      But everyone has access to disposable email addresses.

  5. a_yank_lurker Silver badge

    Root Issue

    The root issue is that some users reuse passwords when they should not be doing so. Obviously any site that has one's financial information should have its own strong password unrelated to any others. Ditto for email accounts, Failbook, Twatter, etc. Since that covers a good portion of one's active accounts one may as well have strong, unique passwords for every account. If keeping track of them is difficult learn to use a password manager.

  6. Gene Cash Silver badge

    Not just websites

    Open an ssh port, and you'd better have fail2ban running, or there will be hundreds of logins a day, at least on my home machine.

    1. Alan Brown Silver badge

      Re: Not just websites

      "there will be hundreds of logins a day"

      ATTEMPTS! Hundreds of ATTEMPTS!

      At least that's what I hope you meant, else I wouldn't want to be schlepping around your home network.

      And it's per hour here.

      The bastion server at $orkplace was seeing hundreds per minute until I added fail2ban into the mix, now it's just per day.

  7. ThatOne Silver badge

    Follow the money

    > abandon traditional credentials completely in favor of physical and biometric authentication mechanisms

    And how is that more secure? It isn't (in the end there are still 0s and 1s going through the wire), but it requires expensive gadgets one can sell to the suckers...

    1. DropBear

      Re: Follow the money

      So in your mind the same user id and password repeated again and again, probably over multiple sites, is the exact same thing as a never-twice-the-same reply to a cryptographic challenge generated based on a crypto key that never leaves the auth key hardware...? Interesting...

  8. Anonymous Coward

    'in favor of physical and biometric authentication - no credentials to steal'

    No credentials to steal? Only your whole permanent identity surely?

    ~~~~~~~~~~~~~~~~~~~~~

    “Unlike a password, an individual’s faceprint is permanent, public and uniquely identifies its owner, As a result, should a bad actor gain access to the faceprint data, the ramifications could last forever’’

    https://www.bloomberg.com/news/articles/2017-09-15/why-iphone-x-face-recognition-is-cool-and-creepy-quicktake-q-a

    ~~~~~~~~~~~~~~~~~~~~~

    https://www.bbc.co.uk/news/technology-39965545

    http://www.theregister.co.uk/2018/01/08/smartphones_security_enhancements_just_make_them_more_dangerous/

    https://www.theregister.co.uk/2017/07/10/malware_scum_snack_on_lunchroom_kiosks/

    https://www.theregister.co.uk/2017/05/24/ccc_beats_samsung_iris_scanner/

    https://www.theregister.co.uk/2016/03/09/boffins_bust_biometrics_with_inkjet_printer/

    1. mrtom84

      Re: 'in favor of physical and biometric authentication - no credentials to steal'

      Exactly, biometrics are just passwords that cannot be changed.

      1. Mark 85 Silver badge

        Re: 'in favor of physical and biometric authentication - no credentials to steal'

        And other than DNA, anything will change with time and/or accident.

        1. Alan Brown Silver badge

          Re: 'in favor of physical and biometric authentication - no credentials to steal'

          "other than DNA, anything will change"

          DNA changes too. Look up telomeres for starters.

  9. Shadow Systems Silver badge

    An honest question.

    What if the moment one site announced that it had been hacked, every other site that required a log in automatically sent a password reset link to the registered email addresses of every user they have, thus forcing the users to create a new password in order to log in once more?

    Sure it would be a pain to the users, sure it would mean constant resets from all the breaches, but it would stomp on a criminal's ability to use a stolen password to log in since they would also have to have gained access to the email account in order to intercept/use the emailed password reset link.

    I realize it won't do anything for the lag between reported breaches & the auto-triggered reset emails, but it might cut down on the criminal's ability to use a stolen password to access as many accounts, right?

    I'm asking an honest question so please don't downvote me, instead enlighten/educate me as to why it isn't a good idea. Thanks! =-)

    1. frank ly

      Re: An honest question.

      So, if the Hungarian national karate association website gets hacked, I have to change my password for The Register, Imgur, YahooMail, etc? I don't think that's reasonable, proportionate or sensible.

      How about, in that case, the Hungarian national karate association sends an email to all its registered members telling them to change passwords on other sites if they've been foolish enough to reuse their password?

    2. Donn Bly

      Re: An honest question.

      Dozens of websites are compromised every hour, let alone day. How many times a day do you want to reset all of your passwords?

    3. Twanky

      Re: An honest question.

      As a DoS attack vector this would be awesome.

  10. Anonymous Coward

    I am registered on loads of websites...

    ... but apart from banking, I use the same password on most of them (due to a quirk of circumstances, my reg password happens to be unique), however, I do use unique (but guessable) email addresses. How safe am I, and doesn't everyone hash passwords anyway?

  11. tentimes

    Different password? Not credible.

    I use two or three passwords and I can remember NO more than that. Most people are like me. Use a password manager to generate passwords you say? NO! If it goes down I am totally screwed - it's a common point of failure for all the websites I need to use on a daily basis.

    1. Anonymous Coward

      Re: Different password? Not credible.

      1. Not all password managers are online only.

      2. If you don't learn to tolerate the minor inconvenience of using a password manager then your "need" to access many websites a day using weak recycled passwords is going to result in major inconvenience when your account on one of those vital sites is hacked. Your call.

      1. Martin an gof Silver badge

        Re: Different password? Not credible.

        Not all password managers are online only.

        I don't think that's the only issue with password managers. Online is convenient because it can synchronise your password list across multiple devices, but you rely on the people behind the manager either continuing to run the thing or having a sensible migration strategy should they run out of money or just get bored.

        So there's that danger - what happens if the particular manager you use is abandoned for any reason? How do you access your passwords? Can they be migrated to a new system?

        What if the password manager software turns out to have a vulnerability which means it's possible to lift passwords from it? Are you confident that the team behind the manager is keeping on top of such threats?

        But by far the biggest issue is, what happens if your "key" password is compromised? In those circumstances it's possible (particularly if many of the sites you use insist on email as username) that a miscreant - by compromising just one password - suddenly gains access to several others.

        Note that I'm not saying that other methods are necessarily "better", but as with any scheme that puts lots of eggs into a very small number of baskets ("cloud?"), when it does go wrong, the potential for chaos is very much greater. The only truly secure scheme is very long, very random passwords, unique to every site and kept only in your brain. This is, however, utterly impractical. I have enough trouble remembering the names of my work colleagues, let alone multiple strings of two dozen random characters. Oh yes, and you still need a migration strategy - how to get those passwords out of your brain and into someone else's in the event that your brain flakes out.

        :-)

        M.

        1. Anonymous Coward

          Re: Different password? Not credible.

          I use Firefox's built in password manager. It synchronises across devices and has two-factor support. I never save important passwords like banking.

          There are a lot of throwaway sites where I have used the same crappy password, like those shops that insist you register before showing you prices.

          I reckon the Firefox one is secure enough but I'd be interested in opinions. The major downside is while you can use a master password you can't if you want to sync the database.

        2. JohnFen

          Re: Different password? Not credible.

          "what happens if the particular manager you use is abandoned for any reason?"

          If it's not cloud-based, then nothing. Your non-cloudy software doesn't suddenly stop working just because it gets abandoned.

          "What if the password manager software turns out to have a vulnerability which means it's possible to lift passwords from it?"

          In my case, you need to have physical access to my phone in order to lift passwords from it.

          "But by far the biggest issue is, what happens if your "key" password is compromised?"

          First, how would that happen? Again, talking about non-cloudy password managers, you aren't using your master password anywhere else, and you aren't sending your password over a network. The only way that it could be lifted would be if someone managed to install a keylogger or somesuch on your machine. If that's the case, then all bets are off no matter what.

          I agree, though, that using a password manager that involves the cloud or talks in any way over a network is a risk I would never be willing to take.

          1. Martin an gof Silver badge

            Re: Different password? Not credible.

            In my case, you need to have physical access to my phone in order to lift passwords from it.

            So your phone presumably has a lock code. I understand your points about cloud platforms, and that's mainly what I was pointing out myself, but to rely on a bit of technology that could fall out of your pocket or your backpack and give anyone who picks it up the possibility of accessing your entire digital life?

            No thanks.

            M.

            1. JohnFen

              Re: Different password? Not credible.

              "So your phone presumably has a lock code"

              Sure, but more importantly, my password manager stores the passwords encrypted, and you need to know the master password in order to decrypt them. If I lose my phone, I may be vulnerable to a well-funded attacker that has access to serious hardware to crack the crypto, but I'm pretty safe against anyone else.

    2. JohnFen

      Re: Different password? Not credible.

      "If it goes down I am totally screwed"

      Use a password manager that doesn't live in the cloud. The one I use lives on my phone and stores all the passwords there. It doesn't rely on third party servers at all. Make regular backups of the passwords it's storing.

  12. Anonymous Coward

    password manager, change passwords all the time.

    Our auditors (in NZ) recommend we use a password manager. I don't know, as these software programs might be written by trustworthy people, but some might not. Some might be written by one of several governments, I don't care about the latter.

    Our auditors (in NZ) also recommend our policies force password change every 1-3 months on hundreds of staff. I think our auditors (in NZ) are twats.

    1. Martin an gof Silver badge

      Re: password manager, change passwords all the time.

      Our auditors (in NZ) also recommend our policies force password change every 1-3 months on hundreds of staff.

      I realise it's the wrong country, but if you can do so without ruffling too many feathers it might be worth pointing your auditors in the direction of this discussion and this guidance from the UK government.

      Of course, el Reg also discussed the matter (and has done so many times over the years), but I find that "the powers that be" tend not to take the advice of a site like this terribly seriously.

      Our passwords have an enforced change every 42 days with a 19-deep no-repetition stack. This means that many people cheat the system "mypassword01!" --> "mypassword02?" etc. There's no "no dictionary words" rule. On top of that we are a 7-day operation, but IT only works 5 days, so if you happen to forget your password on Saturday morning, you can also forget doing anything that requires access to a computer until Monday.

      M.

      1. Anonymous Coward

        Re: password manager, change passwords all the time.

        "mypassword01!" --> "mypassword02?"

        My ex employer (one of the it giants) enforced this policy. But not 01mypassword 02mypassword etc.....

      2. Alan Brown Silver badge

        Re: password manager, change passwords all the time.

        > Our passwords have an enforced change every 42 days with a 19-deep no-repetition stack. This means that many people cheat the system "mypassword01!" --> "mypassword02?" etc. There's no "no dictionary words" rule

        When you start applying psychology to password space, this kind of approach turns out to be amongst the worst possible ones as it forces users to change their password regardless of the entropy in them, breeds resentment of IT and encourages them to write the things on stickies found on the sides of monitors/under keyboards.

        A decent system looks at the "crackability" of the password and assigns a lifetime based on it. That means users choosing dumb passwords like 12345678 will find they need to change it again in 2 minutes, but someone choosing a _passphrase_ like "That's a fucking battery horse Staple Alpha" might find they can keep it for a year.

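A worked version of the entropy-scaled lifetime described above, added here as an illustration (it is not the commenter's system or any named product) and also covering the "mypassword01!" to "mypassword02?" cheat from earlier in the thread. The guess rate, wordlist size, symbol pool and the 1% keyspace policy knob are all assumptions chosen for the demonstration:

```python
"""Entropy-based password lifetime plus a trivial-variant check.

Added illustration; not the commenter's system or any named product.
The dictionary, the guess rate and the policy knobs are assumptions.
"""
import math
import re

# Assumption: an offline attacker holding a leaked fast hash tries this
# many candidates per second. Illustrative, not a measured figure.
GUESSES_PER_SECOND = 1e10
# Assumption: a real wordlist has about this many entries; a word found in
# it is credited log2(DICTIONARY_SIZE) bits instead of per-letter entropy.
DICTIONARY_SIZE = 20_000
# Tiny stand-ins for a wordlist and a breached-password list (constructed).
COMMON_WORDS = {"password", "correct", "horse", "battery", "staple", "welcome", "letmein"}
COMMON_PASSWORDS = {"12345678", "password", "qwertypo", "qwerty", "123456"}
# Policy: rotate before a continuous attacker could have covered this
# fraction of the keyspace, capped at one year.
KEYSPACE_FRACTION = 0.01
MAX_LIFETIME_DAYS = 365.0

TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")


def _alpha_bits(run: str) -> float:
    """Bits for a run of letters: dictionary words count as one draw from
    the wordlist, leftover letters as random lowercase letters, plus one
    bit per capital."""
    rest = run.lower()
    bits = 0.0
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        while word in rest:
            bits += math.log2(DICTIONARY_SIZE)
            rest = rest.replace(word, "", 1)
    bits += len(rest) * math.log2(26)
    bits += sum(1 for c in run if c.isupper())
    return bits


def estimate_bits(pw: str) -> float:
    """Rough guessing entropy in bits; deliberately pessimistic for the
    word+counter+symbol shape such as 'mypassword01!'."""
    if pw.lower() in COMMON_PASSWORDS:
        return 1.0  # on every cracker's first list
    bits = 0.0
    for tok in TOKEN_RE.findall(pw):
        if tok.isalpha():
            bits += _alpha_bits(tok)
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(32)  # assumed printable-symbol pool
    return bits


def lifetime_days(pw: str) -> float:
    """Permitted lifetime: time for the assumed attacker to cover
    KEYSPACE_FRACTION of 2**bits, capped at MAX_LIFETIME_DAYS."""
    seconds = KEYSPACE_FRACTION * 2 ** estimate_bits(pw) / GUESSES_PER_SECOND
    return min(MAX_LIFETIME_DAYS, seconds / 86400)


def _core(pw: str) -> str:
    """Strip leading/trailing digits and symbols, lowercase the rest."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if the new password is the old one with only the counter or
    padding changed, or within a couple of edits of it."""
    c_old, c_new = _core(old), _core(new)
    if c_old and c_old == c_new:
        return True
    return _levenshtein(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    for pw in ["12345678", "mypassword01!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r:32} {estimate_bits(pw):5.1f} bits  lifetime {lifetime_days(pw):8.2f} days")
    print(is_trivial_variant("mypassword01!", "mypassword02?"))
```

The history check compares the stripped "core" of the old and new passwords, so "mypassword01!" against "mypassword02?" (and "01mypassword" against "02mypassword") is rejected however deep the no-repeat stack is, which a plain equality check against the last N hashes can never do.
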
      3. Anonymous Coward
        Anonymous Coward

        Re: password manager, change passwords all the time.

        "On top of that we are a 7-day operation, but IT only works 5 days"

        No, you're a 5-day operation, but your management is kidding itself that they're playing with the big boys.

        1. Martin an gof Silver badge

          Re: password manager, change passwords all the time.

          No, you're a 5-day operation, but your management is kidding itself that they're playing with the big boys.

          It may surprise you to know that IT isn't actually our core business and we are a 7-day-a-week business. Opening hours vary across the group but the site at which I work is only closed (industrial action / weather aside) for three days each year. The place would continue to operate quite well for a while if we had a sudden and catastrophic failure of all IT, but it would become progressively more difficult as time went on, and managers might start to take notice if we had to close the site shops for lack of card facilities.

          M.

    2. MonkeyCee

      Re: password manager, change passwords all the time.

      "I think our auditors (in NZ) are twats."

      It sounds like they are doing their job, recommending a basic level of password changing and using a password manager so users don't have to choose easily memorable passwords. 2FA on the password manager would be a good idea, as it's a single point of weakness.

      Security is always inconvenient. Does every staff member have a key/pass to let them into the appropriate areas, or do you leave all the doors unlocked?

      The more sensitive your job, the more you have to accept heightened security. Donkey's years ago I worked for the Corrections (prisons etc.) IT support. On a normal service desk, a user will call for a password reset and there will be no checks that this person is who they say they are. Fast, convenient but hella insecure. For Corrections we'd call them back, on their listed number. Slower but more secure.

      Security is also seen as a waste of time right up until the lack of it bites someone in the ass.

      Auditors are there to point out things that a company should be doing but aren't. Your company is taking risks with a lack of password changing, so it's up to you to decide if it's worth the risk.

      1. Martin an gof Silver badge

        Re: password manager, change passwords all the time.

        Security is always inconvenient. Does every staff member have a key/pass to let them into the appropriate areas, or do you leave all the doors unlocked?

        Every staff member may well have a key, but the important point is that site security doesn't require them to hand in their keys every 30 days and pick up new ones.

        A slightly better analogy might be a key card / pass / RFID tag as unlike a traditional lock, these can be changed at will, but still, they are not changed every 30 days. In general they are only changed when lost or mislaid or a member of staff is "let go".

        As for whether changing a password regularly increases - or actually decreases security, I'd suggest you might like to read the links I posted a little earlier.

        M.

    3. Alan Brown Silver badge

      Re: password manager, change passwords all the time.

      "Our auditors (in NZ) recommend we use a password manager. "

      One of the more disturbing parts of password managers is that LogMeIn has quietly been hoovering up all the competition over the last few years.

      Which isn't very nice if you've been avoiding logmein due to their rather lax security practices along with their rather unique approaches to other peoples' security systems.

  13. theunregistered

    bring it on

    No way, except using a pass manager. I use keypass 2.3.91, which is not affiliated in any way with other very similar names. It works from a flash drive, you can have a 10000000 character password to get in, and it seamlessly logs you in without using a keyboard. I also use text PIN log-ins so no one can actually log in unless I get the 4 or 6 digit pass. Makes life a bit slower, but hey, what's the rush; buying if I had gone out would have taken hours... a few extra seconds logging in is the smallest of small prices to pay for 100% surety. Also, use 100% safe security. Yes, I know they are saying we are spied on, but the likes of Kaspersky are so safe, no point in skimping. ESET also are quite good, and Norton, although Norton is a more bloated and slow software.

  14. Duncan Macdonald Silver badge

    Blacklist credential stuffers

    If more than 5 incorrect login attempts are seen from the same IP address inside 10 minutes then blacklist the address for the next 24 hours (all login attempts referred to a simple static web page that just displays "Your IP address has been blacklisted for 24 hours due to repeated incorrect login attempts"). This will reduce the amount of traffic from credential stuffers.

    As for a password manager - old school - pen and paper or a text file held on a USB stick on your keyring.

    For memorable passwords that are difficult to guess for sites such as paypal try the following - a car registration number (not that of your own current car) and an equipment type number eg LN61DUP+gtx1080 .

    1. Alan Brown Silver badge

      Re: Blacklist credential stuffers

      "If more than 5 incorrect login attempts are seen from the same IP address "

      Or any of the hot-button ones commonly found in security advisories.

      It's also worth trawling the logs to see what combos keep showing up.

    2. Alan Brown Silver badge

      Re: Blacklist credential stuffers

      "For memorable passwords that are difficult to guess"

      Which raises the question of why so many sites in this century are STILL restricting passwords to 8 (or if they're generous 12) character maximums instead of allowing passphrases.

      qwertypo was adequate in the 1970s. Not now.

    3. Anonymous Coward
      Anonymous Coward

      Re: Blacklist credential stuffers

      Doesn't work, I'm afraid. They use password stuffing tools that use only one or two IPs per login. The best you can do on IP whack-a-mole is block logins from countries that should not be using your website, or use Google invisible CAPTCHA for every login. Just don't tell the CEO; management will never sign such a potential sales-reducing thing to be permitted.

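The per-IP blacklist proposed above and the blind spot the reply points out, run side by side over a constructed log. This is an added illustration, not any site's real rate limiter: the log format, every line in SAMPLE_LOG and the thresholds for the second detector (10 failures in the window with no address above 2) are assumptions made for the example.

```python
"""Per-IP lockout vs. distributed credential stuffing on sample login logs.

Added illustration, not any site's production rate limiter. The log format
and every line in SAMPLE_LOG are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed: one noisy source that trips the per-IP rule, then a spray
# where every attempt comes from a different address (one IP per login).
SAMPLE_LOG = """
2018-07-20T10:00:00Z ip=203.0.113.5 user=alice result=FAIL
2018-07-20T10:00:30Z ip=203.0.113.5 user=alice result=FAIL
2018-07-20T10:01:00Z ip=203.0.113.5 user=bob result=FAIL
2018-07-20T10:01:30Z ip=203.0.113.5 user=carol result=FAIL
2018-07-20T10:02:00Z ip=203.0.113.5 user=dave result=FAIL
2018-07-20T10:02:30Z ip=203.0.113.5 user=erin result=FAIL
2018-07-20T10:05:00Z ip=203.0.113.5 user=frank result=FAIL
2018-07-20T10:06:00Z ip=198.51.100.7 user=alice result=OK
""" + "".join(
    f"2018-07-20T10:{20 + i // 2:02d}:{30 * (i % 2):02d}Z "
    f"ip=192.0.2.{10 + i} user=user{i} result=FAIL\n"
    for i in range(12)
)


def parse(text):
    """Return (timestamp, ip, user, result) tuples; non-matching lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


class IpLockout:
    """More than max_failures FAILs from one IP inside `window` bans it for `ban`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), ban=timedelta(hours=24)):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self.recent = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}

    def allowed(self, ts, ip):
        until = self.banned_until.get(ip)
        return until is None or ts >= until

    def record(self, ts, ip, result):
        """Feed one attempt that was let through; True if it triggered a ban."""
        if result != "FAIL":
            return False
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_failures:
            self.banned_until[ip] = ts + self.ban
            q.clear()
            return True
        return False


def distributed_failures(events, window=timedelta(minutes=10), min_failures=10, max_per_ip=2):
    """Windows with many failures where no single IP exceeds max_per_ip:
    the low-per-address shape that the per-IP rule never sees.
    Returns (window_start, window_end, failures, distinct_ips) tuples."""
    q, per_ip, flagged = deque(), defaultdict(int), []
    for ts, ip, _, result in events:
        if result != "FAIL":
            continue
        q.append((ts, ip))
        per_ip[ip] += 1
        while q and ts - q[0][0] > window:
            _, old_ip = q.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        if len(q) >= min_failures and max(per_ip.values()) <= max_per_ip:
            flagged.append((q[0][0], ts, len(q), len(per_ip)))
    return flagged


def analyse(text):
    events = parse(text)
    lockout, refused = IpLockout(), 0
    for ts, ip, _, result in events:
        if not lockout.allowed(ts, ip):
            refused += 1  # would be sent to the static "blacklisted" page
            continue
        lockout.record(ts, ip, result)
    return {"banned": set(lockout.banned_until), "refused": refused,
            "distributed": distributed_failures(events)}


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("banned:", r["banned"], "refused:", r["refused"])
    for start, end, n, ips in r["distributed"]:
        print(f"{start:%H:%M:%S}-{end:%H:%M:%S}: {n} failures from {ips} IPs, none banned")
```

On the sample, 203.0.113.5 is banned on its sixth failure and its seventh attempt is refused, while the twelve spray attempts from twelve addresses never reach the per-IP threshold and only show up in the second, aggregate view. A per-account failure counter or an abnormal global failure ratio is the usual next signal once the per-IP rule is in place.
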
  15. Neoc

    "More long-terms solutions include WebAuthn, an emerging standard that would abandon traditional credentials completely in favor of physical and biometric authentication mechanisms. The advantage of that would be that there are no credentials to steal"

    Because it worked so well for that German MP... Her fingerprints got outed - how is she going to change her biometric log-in?

    https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

    1. JohnFen

      Biometrics make absolutely terrible password replacements. I am still astounded that people continue to push this fundamentally flawed idea.

  16. Anonymous Coward
    Anonymous Coward

    2fa? wtf?

    2FA to log in to an online retail site? Are you crazy?

    After reluctantly accepting the CISO's well-argued case, the CEO will watch nervously after go-live, and the nanosecond sales drop 2FA will be removed forever and the CISO never trusted again.

    Unless 2FA becomes law to protect personal data it will never be widely adopted because management want sales to be easy, with zero risk of customers giving up.

    1. DropBear

      Re: 2fa? wtf?

      I don't see why there would be any sales drop if 2FA is _enabled_ as an _optional_ feature for those who wish to use it. I can't see any harm in promoting it on the site either, within reasonable limits. You could even offer a modest financial incentive like a 5-10% discount campaign for those who switch over and stick with it (or maybe some sort of bonus accumulating with each 2FA login). There's no need to just drop it on everyone like a ton of bricks, whatever got you by so far can probably keep doing it for the immediate future for those who don't switch 2FA on right away...

    2. JohnFen

      Re: 2fa? wtf?

      I avoid 2FA systems operated by Google, Facebook, etc. like the plague because I don't want to give any personal data to those companies if I can avoid it.

      However, if a site that I'm shopping on anyway had one (that they operated themselves), I'd certainly do it. After all, I'm already giving that site all the personal data they need in order to complete the transaction, so my exposure is not increased.

Biting the hand that feeds IT © 1998–2021