We've, um, changed our password policy, says CafePress amid reports of 23m pwned accounts Twee T-shirts 'n' merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy. Details of the security breach emerged when infosec researcher Troy Hunt's Have I Been Pwned service – which lists websites …
'The site is accessible from the EU and therefore GDPR applies. I'm not sure how the EU would force the issue but this could be an interesting test case."
To see if overreaching laws can be applied across the world? We settled that issue back in 1776.
I'm not too convinced about that. If you already reuse your email address, chances are you will reuse your username too. If you use a password manager to create unique passwords, you are already safe from credential stuffing attacks, a unique username will offer you little extra protection. Finally, the website will still store your email address as a way of contacting you, and in case of data breach it's certainly both your username and email address that will get pwned.
>If you use a password manager to create unique passwords, you are already safe from credential stuffing attacks, a unique username will offer you little extra protection.
It's not necessary to have both a username and a password, one is sufficient. I've been continuously annoyed by sites that required you to make up a username often without allowing me to include '@'. It has been even more impossible than making up a safe password (though that is pretty difficult given the arbitrary restrictions web sites impose.)
Indeed usernames are identifiable and allow the crackers to look up your username in their database and find all sorts of useful information that can be used to answer the insecurity questions. Better just to just have a username like:
7H%PJ8vk78c!vVF96J!nMD7GDbVZZvl@F05&p#cRDnOS8Qd0oozhxMqzKajiiD@v
And no password. Of course that only works if the username contains a lot more than 66 random bits otherwise it will get very difficult to ensure the user name is unique given that there are about 2^33 people on the planet. (FWIW the above user name contains around 400 random bits.)
John Bowler
John Bowler
There are problems to just using a password. Some that come to mind...
- How to reset forgotten password.
- You phone a company because something can't be done online. How do you identify which account you use without also telling the cell centre staff your password?
- When signing up for an account if, by pure chance, you pick a password that someone else is using the site needs to say you can't use it, but you now know it's a valid account and you have access to it.
"however I'd still like to be allowed to choose a username instead of being forced to use the email address as my username"
The extreme worst case is a site-issued username generated from other data such as a concatenation of real name and DoB (yes, I have a site that uses that).
Keepass will generate passwords that look like line noise. Perhaps a useful addon would be an option to generate usernames, preferably pronounceable ones.
And it's not like our favourite friends who do the credential dumping don't already know about RFC2822 and do their own little cleanup... bob+site@x.com and bob+site2@x.com are after all just... bob@x.com. So you try bob@x.com with the found credential and... shock horror it works. Nuff sed.
What happens if your password manager goes titsup (or the disk it's installed on)? What good, trustworthy managers exist that have an independent recovery system?
Also how easy is it to transition back off them? For example, I use Bit Defender as my AV, but have been wary of using its password manager as it seems to risk lock-in.
Any advice welcome.
"What happens if your password manager goes titsup (or the disk it's installed on)?"
Some of them store the details in cloud (useful for multi-device access, but arguably a bad idea for security), but this is a backup issue, not a Password Manager issue. At the end of the day you can't expect your password safe to sort out your backup processes.
"Also how easy is it to transition back off them?"
All the Password Managers I have used allow you to export the contents to text or XML. With many warnings that you are exposing your passwords, 'natch.
All you need to do is keep a backup on a different device. If you update your primary device database, close it, then reopen it to make sure it's not corrupt. Then copy it to your backup device.
Then, if you discover a corrupt password database on your primary device, copy the known good one from your other device. It's another step, but if you have hundreds of passwords it's worth it.
You print out the username and password (plus any emergency 2FA codes) of your email account(s) and stash it somewhere safe, that way you can generally bootstrap your recovery using "Reset my Password" links on websites.
You may want other important accounts saved in the same way.
FWIW I use 1Password... if you really want to move elsewhere it is possible to export everything to a text file if you need to. It does pose a risk in terms of being a single target but, on balance, it allows me to easily have a unique password for every single site (as well as unique email - as was mentioned earlier using + addressing/sub-domaining).
Password managers have to work across all devices. Since most of us use more than one device simultaneously that means the data has to be replicated across the devices.
The failure modes are:
1) You forget your password/lose your security key and can't get access to the PW manager anywhere. Solution: they have recovery strategies based on emails (normally).
2) Somehow the PW manager provider gets hacked. Solution: none; all is lost.
(2) is the consequence of strong passwords; necessarily they have to be stored somewhere (if you can remember them they aren't strong), so you are putting all your eggs in one basket. The assumption is that it is a safer basket than Cafe Press, or, for that matter, Capital One, or, for that matter, GitHub and that you really do use a strong password for your password manager (plus extra authentication; I use a YubiKey).
John Bowler
"I wonder, if we shouldn't be using unique usernames and passwords for each site."
He's an expert and he's only wondering? What will it take to make him sure?
Of course we should. We all used to until sites decided to use email addresses as user IDs. And it's even worse when some sites - looking at you PayPal - hand out the email address to other parties and can't even see what's wrong with that when it's draw to their attention. Given that most folk only have one email address anyway the password is the only meaningful credential. No wonder people wiitter on about 2FA. With any reasonable policy about user IDs it would be 3FA.
Completely agree. It is a sad indicator of the state of our Internet that so-called "experts" are only wondering. We've been hearing for years that you shouldn't re-use passwords, so the conclusion seems pretty inescapable if you have the slightest amount of logic.
That said, password managers. Yes, definitely use one, but not necessarily a commercial product. After all, for accessing your Internet web sites from home, a notepad (with actual paper, not the Microsoft product) is largely sufficient and not at all hackable from the Internet. And before some of you attack me about having to access your passwords from multiple locations, not all of Internet users are such power users. Most people use the Internet from their home computer and that's it.
A notepad is enough for that. Oh, and a sense of organization.
Define home computer? my disabled Sister - hardly a power user - has a laptop, smartphone and a desktop .... oh and a tabet. she is also dyslexic.. not that that is too much of an issue, but the fact is this non power user often uses the internet when NOT at home on a "portable device" - using a password manager where she needs to input user details.
"Most people use the internet from thier home computer and thats it" ???? How 1990s is that view?
"And before some of you attack me about having to access your passwords from multiple locations, not all of Internet users are such power users."
Restricting where and by how many devices you access stuff that you think deserves good security should be a part of your security strategy. Otherwise you're trading security for convenience and we know where that's likely to lead.
they are a law unto themselves, there only easily accessable 2FA is SMS based, and they dont see an issue there either, or with the alternative method of Security questions too...
If you search the web you can create an TOTP token that you can use but this requires an element of trust in a third party and doesnt turn off the security questions option either
Now if PayPal offered their own TOTP second factor set-up it would be a start
Best way to keep track of your unique username/passwords is to log them physically somewhere secure near your device. Someone breaking in to your home or office isn't going to be bothered with a notepad of your passwords and you don't have to entrust anyone but you to store your credentials should a digital breach occur (you are using different username & passwords for each site, right?).
Just a thought
While it doesn't allow for two-way communication, if you're signing up for a website mainly to get one-way newsletters, promos, etc., I use abine's email alias service (Blur). If I start getting dodgy emails from a site that I registered on with the alias, I simply turn that alias off. Any further spam to that address bounces back to the sender. You can then delete that alias completely. Problem solved. And it's free.
Second idea: if you're signing up for a commercial site and not actively engaging in buying from them, don't put in all your info unless it's required. And you could always put in bogus info (fight fire with fire). If and when you're ready to purchase something, change to your real info, order your merch, and then revert to the bogus info. Change password, too.
Yeah, sites should be more careful, but so should consumers.
It's weird; I got the email from Hunt but I didn't recognize the site. I might have been there, but I have no record in my password manager and a search of my email suggests I've never communicated with them. Nevertheless I went to the web site as soon as I got the email (26 hours ago) and tried to do a password result (i.e. I said I had forgotten my password). The web site denied knowing my email.
I suppose I might have submitted an order without creating an account but it would have to have been a very long time ago, before I started using GMail.
John Bowler
Isn't there a feature in gmail that if you put a suffix in the email address it'll pump the received emails to a folder.
so if you have emailaddy@gmail.com and give someone emailaddy+thereg@gmail.com and give that email address to someone, any emails to emailaddy+thereg@gmail.com can be sent, via a rule into a folder.
They don't offer aliases otherwise, but this is an alternative, perhaps. I've just also read that outlook does the same thing.
A clever person will notice a pattern, but if you get a lot of spam you know where it's coming from.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
