Microsoft: You NEED bad passwords and should re-use them a lot

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practice wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked …

  1. Anonymous Coward

    The researchers are idiots. Even a minimally important account can be used if pwned for -say- posting kiddieporn links or terrorist comms; and that account would be tied to at least your IP address. You'd have a real job in court trying to explain that it wasn't you.

    Plus if it's your account, then there's probably some real data in there that can be used to help with identity theft. And that's just two obvious misuses...there are some real evil bastards out there.

    There's no perfect answer; but an offline, encrypted piece of software to remember PROPER AND UNIQUE passwords for you isn't half bad.

    "pushing users to light up even a small amount of grey matter "would be wasteful"."

    The same would appear to apply to researchers.

    1. This post has been deleted by its author

    2. Paul Crawford Silver badge

      Unless your PC is also compromised, then said kiddy-porn or terrorist postings would be traced back to other IP addresses where it was logged in under control of the hackers.

      The bottom line is people are shit at security, and some things (like regular password resets[1]) don't help at all. What MS recognise is that not all accounts are equal, and the consequences need to be weighed up against the effort of remembering passwords.

      [1] Assume that you are forced to change password once per year, as my work proposes. If your password has been randomly compromised then the mean time to exploit it is 6 months. Just how long does a hacker need to have it to install a trojan and/or create another account for mischief?

      So why bother unless there has just been a major breach and they KNOW that everything has to be reset?

    3. Voland's right hand Silver badge

      Even a "harmless" site is still a potential attack vector

      Forget the k1dd13 p0rn. It can be used to spearphish you back or spearphish one of your contacts. Go and explain that it is not you to the hapless victim after that.

      Unfortunately, the only known solution to the password problem equates to a full loss of internet anonymity and privacy. Namely, you can drop the passwords altogether if you use client certificates (and tie the important ones to a physical key storage). So for the time being we still use passwords - they are like democracy (as per Benjamin Franklin quote): they are bad, but we are yet to figure out anything better.

      1. James O'Shea

        Re: Even a "harmless" site is still a potential attack vector

        "Forget the k1dd13 p0rn. It can be used to spearphish you back or spearphish one of your contacts. Go and explain that it is not you to the hapless victim after that."

        Err... no. Let's take the example of what I do on el Reg. I use a certain throwaway email account (from gmail) and a nice simple password. I use the same throwaway account and password on other sites. Exactly the same. Should someone get into el Reg's (or one of the other sites') logon database, they will find... an account which is useless for them, as everyone I know _knows_ that I use that account as a throwaway (I used it on USENET, for God's sake) and will ignore anything sent using it. If I see anything heading my way which uses that account I would be very, very, VERY suspicious of it unless I _KNEW_ that it's legit. And even then I'd check it out.

        And, oh, should there be a site which requires me to 'register' using identifiable data, such as address, and I don't think that they need that data, they get fake data. Spearphishing doesn't work very well when they have the wrong info.

        Now, if the contact is linked to a credit card, or is otherwise of value, I use a real password. If the contact is of no value, I use a simple, easy to remember password. The worst that can happen with my setup on el Reg is that someone can post stuff in my name.

        1. Evil Auditor Silver badge

          "...someone can post stuff in my name."

          "The worst that can happen with my setup on el Reg is that someone can post stuff in my name."

          Oh well, that happens to me All The Time! All of my silly, offensive or just in general rubbish comments (like this very one) were written by an unknown idiot on the 'net who posts stuff in my name, using my fake e-mail address and simple password.

          1. el_oscuro

            Re: "...someone can post stuff in my name."

            So your email is username@example.com and your password is "password"? No wonder I get so many down votes.

        2. rm -rf *.*

          +1

          I do the same, except I use a free account from one of those "disposable" email address providers.

          I change the password used on the comment site occasionally, but not much else.

      2. James Micallef Silver badge
        Mushroom

        Re: Even a "harmless" site is still a potential attack vector

        It would help if every single friggin' website didn't want you to create an account with password for no reason at all except to nab your details and spam you with rubbish. For example e-shopping site - it's conceivable that I might buy 1 item from a site and never return. They only need shipping address, email, credit card for the one transaction, after which they don't need to keep any of this data. BUT they insist on capturing and storing all this data, pretending it's for my convenience just in case I ever buy anything from there again, when in reality it's for their convenience to grow their sales, send out spam, have a digital willy-measuring contest about 'number of registered users' etc

      3. Dodgy Geezer Silver badge

        Re: Even a "harmless" site is still a potential attack vector

        ...they are like democracy (as per Benjamin Franklin quote): they are bad, but we are yet to figure out anything better....

        I don't think Franklin ever said anything like that, though the evils of democracy were frequently discussed by his contemporaries. He commented that democracy was like two wolves and a lamb voting on what they should have for lunch.

        The quote nearest in meaning to your comment is probably Churchill's "...democracy is the worst form of Government except for all those other forms that have been tried from time to time.…" (House of Commons speech, Nov 1947)

    4. DF118

      Hey, idiot!

      Beginning your post by labelling a self-evidently non-idiotic group of people idiots is the best way to indicate that it's probably not worth reading. Thanks for saving us all that wasted effort.

    5. E_Nigma

      I Disagree

      What is "an offline piece of software"? If it's on an on-line device, it's not really off-line in the security sense, even if it's not designed to access the web itself. Every on-line device is exposed and on such a device, encrypted, schmencrypted. The password text has to be decrypted to be used and at that point it's up for grabs. Also, you are creating a single point of failure, if that piece of software you've got gets beaten, all of your on-line identities and data are exposed. Lastly, I consider someone using hacked Reg accounts to disseminate illegal content unlikely, plus even ordinary message board admins do a pretty good job of spotting when a known user is logging in from a weird IP address.

      1. Anonymous Coward

        Re: I Disagree

        What is "an offline piece of software"? If it's on an on-line device, it's not really off-line in the security sense, even if it's not designed to access the web itself.

        OK, a piece of software that doesn't itself access the internet then, even if the host machine is connected. I did say it wasn't perfect; but it's the best solution I can think of. 100% better than using the same easy password for multiple accounts anyway.

      2. omnicent
        Coat

        Re: I Disagree

        What is "an offline piece of software"?

        Printed out source-code?

    6. Anonymous Coward

      you seemed

      to be unusually concerned about child porn...

    7. Evil Auditor Silver badge
      Stop

      @moiety

      It actually is rather sensible advice by those security researchers. I think you should reconsider who the idiot is.

    8. J.G.Harston Silver badge

      "There's no perfect answer; but an offline, encrypted piece of software to remember PROPER AND UNIQUE passwords for you isn't half bad."

      And how do you get access to that piece of software if you're not using your own controllable PC? I get dragged into the Work Programme once a week, and it takes me several attempts to log into various jobsearch sites because my PC at home remembers my password for them, not me. I've spent the weekend walking across the North York Moors and popped into a library to check my email. How would that library be able to store my password for me?

      1. ma1010
        Windows

        I use Keepass which has a 'droid version as well as PC. I think they have a Linux version, too.

        I have it on my home and work PCs and my phone. And another copy on a USB stick that I can use with any PC that will let me run a program from a USB stick. Always have my web sites/passwords with me (80+), and they all have distinct, hard-to-crack passwords. The only one I need to remember is the master one. I've had lots of attempts made to break into my accounts, but none have succeeded.

    9. Flocke Kroes Silver badge

      @moiety: Try downloading the data sheet for a chip

      Some manufacturers require that you create an account before you can download a data sheet. They really need your false name, fictitious address, name of your first pet and the premium rate phone number of your favourite charity. I keep a list of these things handy in case someone else has not already created an account for 'username@example.com' with password 'password'.

      There are times when a simple common password is the best choice.

      1. Peter Galbavy

        Re: @moiety: Try downloading the data sheet for a chip

        I find michael@mouse.com with the password of "donald" or sometimes "youpeoplearemorons" is also useful...

        1. Anonymous Coward

          Re: @moiety: Try downloading the data sheet for a chip

          Wow. That's the most unpopular thing I've ever said on this forum. All the downvotes in the world aren't going to convince me that re-using passwords is a good idea though.

          @ J.G.Harston - Does your library access allow for using USB sticks? If yes, then something like this might do it for you:

          http://portableapps.com/apps/utilities/keepass_portable

          1. nobody really
            Pint

            Re: @moiety: Try downloading the data sheet for a chip

            [quote]

            Does your library access allow for using USB sticks? If yes, then something like this might do it for you:

            http://portableapps.com/apps/utilities/keepass_portable

            [/quote]

            I for one can say I've never lost a USB stick*. Even if I did, it wouldn't be a problem changing every single password ever just in case it fell into the wrong hands. Nor would it piss me off to find it again 2 days later. Sign me up :)

            *I couldn't back that up**

            **The comment, not the USB stick.

        2. Robert Baker

          Re: @moiety: Try downloading the data sheet for a chip

          When demanded an email address on what I regard as a don't-need-to-know basis, I usually use "none@forget.it". The clueless website's own abuse address is another good one.

          1. DropBear

            Re: @moiety: Try downloading the data sheet for a chip

            When demanded an email address on what I regard as a don't-need-to-know basis, I usually use "none@forget.it"

            Not sure how well that works out for you - in my experience nigh-on every website demanding an email address also checks it by sending a confirmation string there, so rubbish addresses get you precisely nowhere. Thankfully, there are plenty of disposable, short-lifetime mail address suppliers...

        3. Alan Brown Silver badge

          Re: @moiety: Try downloading the data sheet for a chip

          The owner of monkeys.com got royally pissed off a long time ago with people using twelve@ and turned it into a spamtrap.

          Using fake details has been around forever. It's one of the reasons that confirmation messages get sent these days.

      2. Robert Helpmann??

        Re: @moiety: Try downloading the data sheet for a chip

        I have started advising those foolish enough to ask me that they should routinely lie when filling out those questions used to validate your identity, especially when the sites involved are high value (e.g. banking, medical, et cetera). It makes it less valuable to harvest information from social media and other online sources. Obviously, this does not eliminate the risk of identity theft, but it helps secure individual sites.

        As far as passwords are concerned, I find that a pattern-based system works fairly well. You need only remember the pattern used and a starting point for a given site. For example, if my base pattern was 1qaz@WSX and I wanted to apply it to El Reg's site, I would start at the letter T (for www.Theregister.co.uk/) and transpose: tgb5YHN^.

      3. el_oscuro
        Pint

        Re: @moiety: Try downloading the data sheet for a chip

        I never thought of that. username@example.com. I am not sure "password" would work, but most crappy sites would probably accept "Password1".

    10. RobHib
      FAIL

      @ moiety - For Heaven's sake (some of us are actually human)!

      Some of us are actually human--not automatons capable of instantly recalling every 25-digit Microsoft product code for every PC we own!

      I'm reasonably security conscious and even I take shortcuts. I have a small cadre of a half dozen or so helper passwords that I use on 'disposable' sites which I can actually remember. Mind you, these passwords aren't real words but rather are alphanumeric strings of no less than eight characters. If I forget a site's password then I only have to cycle through a half dozen or so well-remembered strings.

      For important stuff I use much longer passwords which I have also committed to memory. And for truly critical stuff I use even longer passwords where the first dozen or so characters are recalled from my memory and the remainder of the string loaded from a source that's external from the PC (the full password doesn't exist anywhere--either written down or in my head).

      What the Microsoft researchers are saying makes very considerable sense.

      Isn't that bloody obvious!?

      1. Alan Brown Silver badge

        Re: @ moiety - For Heaven's sake (some of us are actually human)!

        "For important stuff I use much longer passwords which I have also committed to memory."

        Passphrases with suitable entropy are much easier to remember. 6 words is the sweet spot at the moment.

        What amazes me is the number of sites which insist on 8 characters maximum, given that md5 127 character has been around for over 20 years.

  2. Number6

    Password Entropy

    This is where the xkcd comic needs an airing.

    1. AbortRetryFail
      Thumb Up

      Obligatory XKCD (was: Password Entropy)

      Ah, you beat me to it. :D

    2. Michael H.F. Wilkinson Silver badge
      Joke

      Re: Password Entropy

      The problem is so many people now use "correct horse battery staple" as their password that it is the first thing tried after "password"

      1. h4rm0ny

        Re: Password Entropy

        Your joke icon is inappropriate though you may not realize this! I've done checks on databases of some large services and found a significant number of hashes matching "correct horse battery staple". There are idiots who either don't get the comic at all, or find it hilarious to amuse themselves by setting this as their personal password.

        Sad but true.

      2. Bronek Kozicki
        Boffin

        Re: Password Entropy

        There are two problems with this: 1. plenty of password fields have an unreasonably short limit on the number of characters in a password, thus preventing use of a reasonably long passphrase; 2. it is arguable whether a passphrase (built from dictionary words) actually has large entropy, since it can be brute cracked simply in (dictionary size * variations)^(small N) tries, rather than characters^(large N)

        1. Anonymous Coward

          Re: 2

          You might want to actually check some of those numbers. 2^28~=2E8, 2^44~=1E13. Size of a reasonable adult English vocabulary: 5E4. 5E4^4~=6E18. You're better off brute forcing the individual characters of those words than trying to use a dictionary based attack. You would actually need a dictionary of less than 2048 words to make it faster to check than the 2^44 brute force search or 128 words for the 2^28 password. And that still involves knowing that there are 4 words to search through.

          Essentially, the ratio of potential dictionary size to character set size is much greater than the inverse ratio for their corresponding exponents.
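The arithmetic in the comment above, carried through as an added example that is not part of the thread: it computes the bits of entropy for a character password and for a dictionary passphrase, and the break-even dictionary size at which a whole-word search stops being cheaper than a given brute-force search (the 2048 and 128 figures). The 26-letter alphabet, 50,000-word vocabulary and 25-character phrase length are constructed inputs, not values the commenter gave.

```python
import math

# Constructed parameters for the worked example (assumptions, not from the thread).
LOWERCASE = 26          # a-z, the alphabet of an all-lowercase passphrase
VOCABULARY = 50_000     # the "reasonable adult English vocabulary" of 5E4 words
XKCD_DICTIONARY = 2048  # 2^11 words: the dictionary size a 4-word, 2^44 search implies
PHRASE_LENGTH = 25      # characters in "correct horse battery staple" without spaces


def password_bits(charset_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn from an alphabet of `charset_size` symbols (charset^length guesses)."""
    return length * math.log2(charset_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Bits of entropy in `words` words chosen uniformly and independently
    from a dictionary (dictionary^words guesses)."""
    return words * math.log2(dictionary_size)


def breakeven_dictionary_size(target_bits: float, words: int) -> int:
    """Largest dictionary for which guessing `words` whole words needs no more
    than 2^target_bits tries, i.e. dictionary^words <= 2^target_bits.
    Any larger dictionary makes the word-by-word attack dearer than the target."""
    return math.floor(2 ** (target_bits / words))


def cheapest_attack_bits(dictionary_size: int, words: int,
                         charset_size: int, length: int) -> tuple[str, float]:
    """For a passphrase of `words` dictionary words that spells out to `length`
    characters, report which exhaustive strategy needs fewer guesses: iterating
    whole words from the dictionary, or iterating characters from the alphabet.
    Both strategies assume the attacker already knows the word count / length."""
    by_words = passphrase_bits(dictionary_size, words)
    by_chars = password_bits(charset_size, length)
    if by_words <= by_chars:
        return ("dictionary", by_words)
    return ("characters", by_chars)


if __name__ == "__main__":
    for target in (44, 28):
        print(f"2^{target} search, 4 words: dictionary must be <= "
              f"{breakeven_dictionary_size(target, 4)} words to be cheaper")
    for dictionary in (XKCD_DICTIONARY, VOCABULARY):
        strategy, bits = cheapest_attack_bits(dictionary, 4, LOWERCASE, PHRASE_LENGTH)
        print(f"{dictionary:>6}-word dictionary, 4 words / {PHRASE_LENGTH} letters: "
              f"cheapest attack is by {strategy} at about {bits:.1f} bits")
```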

          1. Bronek Kozicki
            Thumb Up

            Re: 2

            Hah, the math makes sense, so my "arguable" turns into "definitely wrong". Thanks for proving it!

  3. Liam2

    Or you could just use a password manager and use a unique, randomly-generated, high-entropy password for every site, but only have to remember one.

    1. DF118

      Or save yourself the effort and make the username/registered email address the thing you change from site to site.

    2. Steve Davies 3 Silver badge

      Password Managers?

      Wasn't there a post the other day stating that they were also insecure and open to hacking?

      They are IMHO, a single point of failure.

      1. Anonymous Coward

        Re: Password Managers?

        Or a notepad and a pen, which most of my elderly customers use, which is a single point of failure but is not insecure or open to hacking.

        1. AndrueC Silver badge
          Meh

          Re: Password Managers?

          Or a notepad and a pen

          In some cases you can improve security by only writing down a pattern. In my previous job where the passwords changed every 90 days I used incrementing numbers and for each account wrote down the number.

          So my main login would be written down as 'MLI:57'. Even if you found the piece of paper it wasn't going to help you much.

      2. AbortRetryFail

        Re: Password Managers?

        If you only keep your password manager locally, and your local machine is compromised to the point where your password manager has been hacked, then I would submit that you have far bigger fish to fry.

      3. Bronek Kozicki

        Re: Password Managers?

        Wasn't there a post the other day stating that they were also insecure and open to hacking?

        They are IMHO, a single point of failure.

        Yes, there was. Useful research but in the case of LastPass, it's FUD. The problems discovered have been fixed last year.

        Although of course, it is risky to put all eggs in one basket, and I'd love to have something better to replace all these passwords. For now though, password manager used in a correct manner seems to be the best solution.

        1. Sir Runcible Spoon

          Re: Password Managers?

          I have several 'awkward' passwords that I use in different combinations, plus numbers that I can use for a variety of security levels.

          For example, If I were to use the base word of, say Klingon (as a memory aide) the password 'root' might be something like

          K11Garn!

          Another might be Enterprise, and be something like 3nt3Rprize=

          Start adding numbers to those and the passwords you write down (for reference) are:

          77 + Alien

          Ship + 73

          Alien + 99 Ship + 03

          As long as I remember the root passwords I can create lots of combinations and keep them written down with very little risk of anyone 'guessing' the root.

          1. Naughtyhorse

            Re: Password Managers?

            DOH

            i got haxed by a trekkie

            1. Sir Runcible Spoon
              Happy

              Re: Password Managers?

              "i got haxed by a trekkie"

              Not really, I used those keys because I was trying to think of something that I would never use :)

    3. Tom 13

      just use a password manager

      There is no one size fits all solution, which is part of the problem with the current security regime mindset.

      Yes, I use a password manager for a number of sites. It sits on my home PC and I use it to generate keys for sites. Mostly I use it for stuff that I care about with high entropy long passwords (assuming the sites permit). But they are all sites that I plan to access only from home on that one computer. For other sites I have easily remembered (for me) passwords. But then I have to generate passwords on a regular basis for creating or changing user accounts. I do simple things like pick song lyrics, l3Et two short words, smack them together between a date and add some additional characters on the front, end, or both. Other times I look at article headlines I am reading. For example, from this article I might generate: )20nE3d14$h0ulD07(

  4. Paul Hovnanian Silver badge

    Unique Passwords

    I recall one lady using this as an explanation for why she had 18 cats.

    Of course, if you just name them Fluffy1, Fluffy2, .....

    1. Steve Davies 3 Silver badge

      Re: Unique Passwords

      Fluffy1 etc will fail the checks in many systems simply because they won't allow the repetition of characters.

      The 'ff' is a failure, pure and simple.

      That in itself is IMHO a weakness of those password systems. If an attacker knows that, then the number of options for possible passwords is greatly reduced. I'd probably allow two characters but no more.

      1. Neil Barnes Silver badge

        Re: Unique Passwords

        I just had to change my eBay password.

        Which required me to get a token from my disposable email.

        Which required me to change that email password.

        Which sent the 'click here' to a different email.

        And having got back through the tracks to eBay, it refused to allow my new password on the grounds that certain non-alpha characters, with which it had been perfectly happy before, were no longer allowed...

        I don't understand why password systems *insist* on capitals, numbers, non-alphas, etc instead of just *allowing* them - it reduces the possibilities, I think (ok, has to be eight characters, has to have a number, haven't had a number yet...) though perhaps not as severely as not allowing particular characters in the password. One credential checker refused to accept my place of birth - required - because two of the characters in it are adjacent on the keyboard. Ridiculous.

        Or is there something subtle with input sanitisation that I don't understand, and it's the little Bobby Tables problem all over again?
