About half of popular websites tested found vulnerable to account pre-hijacking

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance. And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques. Avinash Sudhodanan, an independent security …

  1. Pascal Monett Silver badge

    The problem is convenience

    Sure, it is very convenient to Sign in With FaceBook/Google/Microsoft.

    On the other hand, security experts have been constantly repeating for years that you should not use the same passwords for all sites you sign up for.

    How does that compute? It doesn't. Where does that get us? To this sort of problem.

    I never sign up with any 3rd-party identifier. I manage my own passwords and I don't sign up to social platforms (well, Google signed me up for Hangouts when I got my Gmail account, but I'll be damned if I use it).

    I'm glad they found solutions to correct the issue, but I still won't use those kinds of services.

    Good luck hijacking my 24-character passwords.

    1. Justthefacts Silver badge

      Re: The problem is convenience

      Yes, but how does that help from getting bypassed by password recovery? Most websites allow you to recover simply from your email, in which case the email account becomes the Single Point of Security Failure. If the email is 24 characters, presumably that’s either a password manager (just moved the issue left one link), or you use CorrectHorseBatteryStaple, in which case the problem is that hackers read xkcd too, and that’s only 56 bits of entropy really.

      I’m not criticising, rather I think that there’s just no good way to be secure with passwords only, should be 2FA.

      1. Pascal Monett Silver badge

        Um, it's the password that is 24 characters, not the email.

        And no, I don't use xkcd because, indeed, hackers can read it too. And I'm not going to tell you how I forge my passwords because hackers can read this too.

        Trust me. My passwords have 192 bits of entropy.

    2. nintendoeats

      Re: The problem is convenience

      The reason they tell you not to use the same password in multiple places is that awesome website A might have great security, but crappy website B might store your password in plaintext. So if crappy website B leaks your password, all the effort on securing awesome website A has been a waste.

      The premise of these centralized logins is to reduce the attack surface by JUST having awesome website A manage security, so crappy website B never knows anything about credentials and therefore cannot leak them.

      I'm not saying that I agree with this system, but the reasoning is more sophisticated than you are giving it credit for.

      1. Justthefacts Silver badge

        Re: The problem is convenience

        Well, yes, I do sort of agree. I handle that a bit differently by having different root passwords for different categories of stuff. Throwaway (assume that these *will* be compromised, but all they know about me is my email address), Low Security, Medium Security, Critical, Financial1, Financial2

        Low security doesn’t have card details. Medium has card details. Critical and Financial must have 2FA.

        And when I had an employer, that was different too.

  2. Anonymous Coward

    UserID = eMail = FAIL

    ANY online service that uses text it cannot control as a users ID (such as an email address) is a noddy service and should be treated as a toy.

    The online service provider must be able to control the ID whilst the user controls the password.

    Simples.

  3. sitta_europea Silver badge

    Single sign-on. I wonder if anybody's calculated how many billions of losses it's caused?

    1. Justthefacts Silver badge

      Password managers

      *All* of those clever password managers are effectively Single Sign On. Doesn’t matter whether it’s something open source like BitWarden. Or explicit but from a hated megacorp, like using Chrome to generate and store your passwords in-browser. Or distributed to an online website, like Facebook login.

      At core, it’s all the same security issue. You can’t *reliably* store N different keys in your brain. Therefore you have to put all the keys in one cupboard and lock them with one master key. If that master key gets compromised, you’re screwed.

      1. TiredNConfused80

        Re: Password managers

        You kind of can...

        Have the same basic password for each site (complexpassword@$%, for example) and then add on the website / company to it for each site (so, for example, Registercomplexpassword@$%, etc.).

        Then have a dedicated one for your email / bank.

        Should protect you from one site being hacked (the same password with your email address won't work on any other site) but is still easy to remember.

        Obviously if enough sites get cracked and someone compares all of the passwords associated with a given email then you may be in trouble....

        1. MJB7

          Re: Password managers

          I used to use a system like that (Actually, it was an add-in that hashed the root password and the domain together and then encoded the result). The problem is that when ebay was hacked, and forced a password reset, I had to use a different root password for ebay.
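
The scheme MJB7 describes (hash the root password together with the domain) and the forced-reset problem that broke it can be shown in a few lines. The following is an added example, not code from the thread or from the add-in mentioned above: it assumes PBKDF2-HMAC-SHA256 as the hash and adds a small non-secret per-site counter, so a forced reset at one site just bumps that site's counter instead of forcing a new root password. Unlike plain concatenation ("Registercomplexpassword@$%"), one leaked derived password does not reveal the root or the pattern, which addresses the worry TiredNConfused80 raised about several cracked sites being compared.

```python
import base64
import hashlib

# Derive per-site passwords from one memorised root secret plus the site's
# domain. A small, non-secret counter per site handles forced resets (the
# eBay case above): bump the counter and the derived password changes while
# the root secret stays the same and earlier passwords remain recomputable.

ITERATIONS = 100_000  # PBKDF2 work factor; slows offline guessing of the root


def derive_site_password(root: str, domain: str, counter: int = 0, length: int = 24) -> str:
    """Deterministically derive a password for `domain` from `root`.

    The counter is mixed into the salt, so each reset yields a different
    password; the domain is lower-cased so "EBay.com" and "ebay.com" agree.
    """
    salt = f"{domain.lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", root.encode(), salt, ITERATIONS, dklen=32)
    # Base64 yields letters, digits, '+' and '/'; 32 bytes give 44 characters,
    # of which the first `length` are used.
    return base64.b64encode(key).decode()[:length]


class SiteCounters:
    """Per-site reset counters: the only state the user must keep, and it is
    not secret (knowing the counter without the root reveals nothing)."""

    def __init__(self) -> None:
        self._counters: dict[str, int] = {}

    def counter_for(self, domain: str) -> int:
        return self._counters.get(domain.lower(), 0)

    def rotate(self, domain: str) -> int:
        """Call after a site forces a password reset; returns the new counter."""
        new = self.counter_for(domain) + 1
        self._counters[domain.lower()] = new
        return new

    def password(self, root: str, domain: str) -> str:
        return derive_site_password(root, domain, self.counter_for(domain))


if __name__ == "__main__":
    # Constructed sample root secret; never hard-code a real one.
    root_secret = "correct horse battery staple"
    counters = SiteCounters()
    before = counters.password(root_secret, "ebay.com")
    counters.rotate("ebay.com")  # the site forced a reset
    after = counters.password(root_secret, "ebay.com")
    print("ebay.com before reset:", before)
    print("ebay.com after reset: ", after)
    print("changed:", before != after)
```

The counter file is the one piece of state this scheme needs beyond the memorised root, and it can live in plain text: it only tells an attacker which sites have had resets, not what any password is.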

  4. Anonymous Coward

    Pre create?

    Flashback: I got signed up to a dating site (name includes "fish")

    It wasn't me. So either someone put in the wrong email or marketing thought "I have a cunning plan"

    So how to stop the email?

    Can't delete the account without logging in.

    Can't login without a password reset.

    So there's now a record of me accessing an account I never opened!

    Anonymous because I don't want to be sued for something I had nothing to do with!

  5. LateAgain

    Why did using your own OAuth provider get stopped?

    For a short time you could "login via..." and put a url to an identity provider.

    I had stack exchange via a Google apps login, I think.

    Then it all went away.

    Why?
