Password re-use is dangerous, right? So what about stopping it with password-sharing?

Two comp-sci boffins have proposed that websites cooperate to block password re-use, even though they predict the idea will generate "contempt" among many end users. Their expectation is founded on experience: Troy Hunt's HaveIBeenPwned is useful because so many people reuse passwords, and it currently claims to record more …

  1. Mark 85

    Sites sharing passwords with each other?

    No. Just no. Did the researchers think about what will happen if say SiteA is breached? I read what they said but supposedly most sites only keep a hashed version of the password, yet we see email addies and passwords being dumped on Hunt's site all the time. So obviously passwords aren't as secure as these guys think they are.

    1. redpawn

      Re: Sites sharing passwords with each other?

      Take it a step further and inform each user of the number of other users with the same password as you. For the truly security conscious corporation they could inform you which users were sharing your password as an added incentive to have a strong unique password.

    2. Anonymous Coward

      Re: Sites sharing passwords with each other?

      Why is it necessary for sites even to know what the user passwords are?

      Why do they store the password and not just its hash? That's just asking for trouble, i.e. screwing all their customers at the same time, as someone can steal the file containing all the passwords.

      But maybe there is some psychological profiling data to be extracted from people's password choices and monetised.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Sites sharing passwords with each other?

        "But maybe there is some psychological profiling data to be extracted from people's password choices and monetised."

        What could possibly be learned from the fact that the password I use on da iddernets is "Peneplope_Cruz_HOOOAHHH!"

    3. Pen-y-gors

      Re: Sites sharing passwords with each other?

      I have never, ever been able to understand why any organism higher up the evolutionary tree than a prawn would ever have thought that having the same password for every website was even close to being anything less than an absolutely barking mad idea.

      I've got another idea - why don't we give all doors the same lock and key? What could possibly...?

      1. Ken Moorhouse Silver badge

        Re: any organism higher up the evolutionary tree than a prawn

        Red Herrings might constitute a disruptive influence.

      2. John Brown (no body) Silver badge

        Re: Sites sharing passwords with each other?

        "I have never, ever been able to understand why any organism higher up the evolutionary tree than a prawn would ever have thought that having the same password for every website was even close to being anything less than an absolutely barking mad idea."

        A different identity and email address on two or more sites means using the same password at those sites is no more a security risk than using the same identity with different passwords. Only you know those accounts belong to the same person. If the identities can't be linked, then neither can the re-used password.

      3. Cavehomme_

        Re: Sites sharing passwords with each other?

        "I have never, ever been able to understand why any organism higher up the evolutionary tree than a prawn would ever have thought that having the same password for every website was even close to being anything less than an absolutely barking mad idea."

        Most simple folk who have no idea about IT simply don't understand what goes on behind the scenes, really. They can understand using a password to log on to a PC or device and they figure out that no-one will try enough times to guess their password to be able to log on.

        They then take that same simplistic yet not unrealistic approach into a completely different world of cyberspace of which they have no clue, but assume it's similar, and assume that you IT professionals are doing such a good job that you are protecting their password - exactly the same as they trust their bank not to lose their money, same as they trust their accountant or lawyer to give them the right advice.

        Are their assumptions unreasonable? Not really. Naive or lacking knowledge, definitely yes. But it's unfair to say they have not evolved beyond prawns, that's just a nasty, arrogant comment. As I said, the IT industry has an awful lot to answer for, and it starts with the likes of MS taking ownership and accountability for their crap code, but not just them, so many others. It's a complete mess out there and blaming the user and their poor passwords is the easy way out but will not fix the problems.

      4. commonsense

        Re: Sites sharing passwords with each other?

        "I've got another idea - why don't we give all doors the same lock and key? What could possibly...?"

        What you've described is having all doors in the world having the same lock and key.

        The issue here is analogous to having all of *your* doors having the same lock and key. Which is not that far removed from having one bunch of keys on you that let you access anything you own, which is what many of us actually do day-to-day.

      5. Anonymous Coward

        Re: Sites sharing passwords with each other?

        In that vein, it's barking mad to have the same first car, mother's maiden name, favorite sports team...

    4. JohnFen

      Re: Sites sharing passwords with each other?

      Done correctly, no passwords are being shared. They'd be sharing password hashes instead. That said, I still oppose this idea because those "password checks" will inevitably be used as another signal in terms of tracking users.

      1. shaunhw

        Re: Sites sharing passwords with each other?

        @JohnFen wrote:

        "Done correctly, no passwords are being shared. They'd be sharing password hashes instead"

        Done "correctly", the hashes would be all completely different on different sites, even for the SAME password, even different for the SAME password used for another account on the SAME site.

        If you change your password to the SAME password (assuming this was allowed), the resulting data again should then appear completely different.

        They should be using stored per-login random salts, preferably long ones of 64 bits minimum, and at least 128 bits in my opinion, with iterative hashing, with a minimum number of iterations, the number of extra iterations being somehow controlled by the user's salt data and/or some other data. They could also perhaps add a site-wide salt (or pepper) to differentiate the site from others.

        The hash itself should therefore be completely randomized, and without running through the algorithm with its stored data AND the password it should be impossible to tell otherwise if any particular passwords match anything used on other sites.

        If they shared any other data with other sites to compare passwords used on those other sites, then that too would be grossly insecure and I would be very angry indeed with them.

        To me the fact that they think they could do this says much about their own (in)security.

        Personally I wouldn't store hashes at all. It would be something different, but require hashing of course.

        But just storing the raw output from a known hash algorithm is completely dumb to say the least.

        Shaun.

      2. tiggity Silver badge

        Re: Sites sharing passwords with each other?

        Different companies will use different methods to encrypt a password (& likely one way, i.e. be unable to decrypt it). So any "hashed" data would have to be in a known, unencryptable format, and so slightly better than passing raw passwords around, but still open to attack.

    5. Roland6 Silver badge

      Re: Sites sharing passwords with each other?

      So obviously passwords aren't as secure as these guys think they are.

      I think you meant to say "password storage and handling by websites isn't as secure as these guys think they are".

      Which is the conclusion they should have reached, given all the password lists on Troy's site originate from the very websites he is proposing should implement this fancy scheme...

  2. Tim99 Silver badge

    Password manager?

    Some stuff really needs security, some not so much.

    I'm retired now, and only have 4 mail accounts - Three of them are for different levels of "I don't care"; going from total crap (Gmail) through an old Hotmail account, up to an old ISP's $20/year one. Google seems to do a reasonable job of filtering crap, MS less so; and the ISP is really only used as the security account for Gmail and Hotmail and a few websites (about 6). The only one I really care about has a pwd of 13 chars, which I have had for at least 12 years, and funnily enough does not seem to have ever been compromised, and does not see any spam. I also have a Facebook account which I log into occasionally with no details other than my name, it has no "friends" either, but seems to occasionally generate crap.

    I do not use Gmail, etc., to log into other accounts; and use a password generator which seems to work well - If I lose the pwd on these I really don't care as I could just generate a new account or use the recovery through the ISP. I have not put my real "Mother's Name", etc., anywhere and seem to have few problems.

    A retired friend who used to be a contractor to various banks thought I was paranoid (I am), but was recently compromised with a planted key logger. I suspect that he was deliberately spear-phished through a Windows machine; I believe he now uses an iPad for anything important...

  3. veti Silver badge

    Holy crap

    ... there's a lot of bollocks talked about passwords.

    My bank, and my main email account, are both pretty important to me. On those, I use strong passwords that are not reused from anywhere else. If I thought for one moment that my bank or my email provider was broadcasting my password, however encrypted, to every other internet service in the world, I'd close the accounts faster than you can say "formal complaint". I would deeply resent the idea that my bank had even tried to identify my email username, let alone password, or vice versa.

    At the other end of the scale, there's dozens of tinpot little blogs (El Reg, I'm looking at you) that require me to log into something to post on them, and don't allow OAuth because... I dunno, they want to sell password managers or something. On those I see no reason not to reuse passwords, and I'll deeply resent anyone who tries to prevent me from doing so.

    So this proposal is calculated to piss me off in two entirely separate ways.

    1. DaDoc

      Re: Holy crap

      It's you! They're coming for you!

    2. Ben Tasker

      Re: Holy crap

      > At the other end of the scale, there's dozens of tinpot little blogs (El Reg, I'm looking at you) that require me to log into something to post on them, and don't allow OAuth because

      Conversely though, if El Reg ever went "sod local logins, you can log in with Facebook, Google or Twitter and no other way" that'd piss me off.

      Nice to have as an option for those who want it, but an increasing number of sites (and apps particularly) seem to be making it the only way. Call me paranoid but I don't want the big providers tracking me around the net. You can block 'like' buttons etc reasonably well and easily, but it becomes an issue if you want to actually login somewhere.

      I'd rather have a throwaway'ish password for El Reg than use any of the common OAuth mechanisms.

    3. Mage Silver badge

      Re: Holy crap

      stopping it with password-sharing?

      I agree. This is the most bonkers suggestion I've read about passwords ever. Second worst is to change a password regularly.

      1. I am the liquor

        Re: Holy crap

        I agree. This is the most bonkers suggestion I've read about passwords ever. Second worst is to change a password regularly.

        Indeed. I thought we'd finally managed to agree that making password systems more obstructive to users just results in weaker passwords being chosen. I guess the University of Carolina didn't get the memo.

    4. JimboSmith Silver badge

      Re: Holy crap

      I own the domain name I use for email and give a different address to each service/site I sign up for. I also use a different password of varying strength depending on the type of site it is. I realise that this won't be a solution for everyone but it does work for me.

      I have elderly relatives who use the same password on various websites and despite my imploring say it's not a problem for them. One of them uses the GWR website, which asked everyone to change their password recently. My relative didn't bother doing so and then called me to say that they couldn't book train tickets. I said they had to change the password via the link they were emailed, otherwise they couldn't. The amount of grumbling that produced was amazing. I've suggested possible solutions but "It's just easier to use the same one".

      1. cosmogoblin

        Re: Holy crap

        As the go-to techie for most family, friends and colleagues, it's certainly frustrating when you're asked what to do, spend your own time researching the best advice for that particular person's abilities and idiosyncrasies, and then be told that they don't want to do it that way. WHY DID YOU EVEN ASK ME??? I've found a method that's easier AND better for you, collected all the hardware and software, and written full instructions - if I knew you were going to ignore it, I could have spent the time rewatching my Monty Python DVDs...

  4. Anonymous Coward

    Rather than big tech 'blabbing n slurping' even more

    Maybe users should just shut down a few of their accounts. How many Emerdata / Palantirs need to occur before users realise they're just marks in a sea of data-sniping? The answer is lots, actually. See here:

    https://www.bbc.co.uk/news/world-us-canada-44023381

    "Most Facebook users in the US remain loyal, despite the recent data sharing scandal involving a political consultancy firm, a poll suggests. Facebook had been lucky the data was apparently used only for political adverts and not anything more sinister. "I have yet to read an article that says a single person has been harmed by the breach,""

    1. Anonymous Coward

      'used only for political adverts and not anything more sinister'

      Even as news goes, that's a bit depressing. How can people make assumptions about how sinister things will get? Their data has only relatively recently been leaked in the wild, whereas data mining is always evolving... Do Americans suffer from the Dunning–Kruger effect? Or is it the US MSM mushrooming the population and controlling the narrative so tightly that awareness of Instagram / WhatsApp being owned by Facebook just gets ignored?

      ~

      https://www.bloomberg.com/news/features/2018-04-10/instagram-looks-like-facebook-s-best-hope

      ~

      "Most Americans don’t know the identity of Instagram’s parent, which is just fine with Facebook"

    2. Aitor 1

      Re: Rather than big tech 'blabbing n slurping' even more

      One problem is that closing an email account can be worse than keeping it... as if someone hijacks it, they WILL impersonate you with an account known to be yours!

    3. cosmogoblin

      Re: Rather than big tech 'blabbing n slurping' even more

      mmm, what does "loyal" mean, though? It can run the gamut from "slavering defense if Zuck commits murder" through to "forced to keep my login so I can check a work-related page once a month". Anybody who is loyal, in the traditional sense of the word, to a multinational corporation that couldn't care less about individual users, is stupider than the average bear.

  5. Oengus

    Always an angle trying to sell something

    These research papers always seem to be pointing me in the direction of buying a solution. I like my solution better. I don't have different passwords for each site. I have different credentials. The credentials are associated with the site. The e-mail account for registration is associated with the site. The "Security Question" answers are always the same regardless of the question. All I have to do is remember the base for generating the credentials and presto I am in... I never supply my "proper" name and only supply a phone number when absolutely necessary for deliveries.

    My Banking and important e-mail accounts have their own strong passwords that are never shared.

    1. Daedalus

      Re: Always an angle trying to sell something

      The "Security Question" answers are always the same regardless of the question.

      I have toyed with the idea of making all my answers "Pork!", inspired by the famous Secret Policeman's Ball sketch.**

      **Spoof of schoolkid quiz shows in which John Cleese (for it is he) asks a bunch of fellow satirists in school uniforms (John Bird, may he rest in peace, is especially good) questions from a list that got sabotaged.

      1. tekHedd

        Re: Always an angle trying to sell something

        Top Of The Form https://www.youtube.com/watch?v=C-Ta4XbRRj4

        :) Don't waste time searching that you could waste watching a commercial!

      2. Daedalus

        Re: Always an angle trying to sell something

        FTR John Bird is still flapping. It was one of them other satirists wot fell to Earth.

  6. as2003

    No thanks

    Privacy concerns aside, I doubt any of the big players will be bothered to implement this.

    Besides, the average Joe typically stores their passwords in their browser of choice. This would be a much better place to detect and warn about password reuse.

  7. Halcin

    What £$%^ arrogance!

    To reduce the prevalence of password re-use, reduce the NEED for sodding passwords. Stop bullying users and start bullying the websites that demand users create an account for every inconsequential function.

    Users are not an unlimited resource for you to do with as you please. Users are your paymasters. Stop making life more difficult with ever more convoluted complicated bloatware and start making the technology easier to use. Or is that not glamorous enough for you?

    1. Phil Kingston

      Very much this!

      There's simply no need to set up an "account" or to "register" when I just want to buy something from a merchant. So when they ask, I don't do it, I move on to the next merchant.

      1. Ben Tasker

        It used to be that most sites would have a "continue without registering" option (even if it was a tiny link you could easily miss), but that seems to have fallen out of fashion.

        Like you, I just move on to another, or if there's no other choice, set up the account with the bare minimum info possible (and incorrect info for anything that's inconsequential to the order). Once the order's arrived, I'll either use "Delete my account" (if present), or edit out the real data, set a stupidly strong password and not record it.

        The real data might still live in a backup, or revision history somewhere, but that's at least lower risk than leaving them with the correct details.

        1. Daedalus

          Just sign here....

          A recently introduced "encrypted mail" scheme I have seen sends, not an e-mail, but a link to the encrypted e-mail company's site, where you register and log in to see the e-mail.

          Strike 1: it's a PITA.

          Strike 2: Guess these guys didn't notice that there's a lot of spear-phishing going on, not to mention the fact that e-mail security teams take a dim view of such messages.

          1. John Brown (no body) Silver badge

            Re: Just sign here....

            "A recently introduced "encrypted mail" scheme I have seen sends, not an e-mail, but a link to the encrypted e-mail company's site, where you register and log in to see the e-mail."

            That's how our "e-payslip" system works. Yes, we are a tech company and people higher up still put "e-" at the front of words because it's what the "cool kids" do, yeah?

        2. fidodogbreath

          It used to be that most sites would have a "continue without registering" option (even if it was a tiny link you could easily miss), but that seems to have fallen out of fashion.

          By the simple act of ordering you are "creating an account," insofar as your personal info will thenceforth be in the possession of the seller, and the details of your purchase will be associated with you by name.

          In practical terms, what then is the difference between registering and guest checkout?

          1. John Brown (no body) Silver badge

            "In practical terms, what then is the difference between registering and guest checkout?"

            Probably some nuance of data protection laws. Personal data must only be held for the defined reasons and for as long as necessary. "Guest" ordering, by definition, means you are not planning a long term business relationship with the company. If you register, then you must take action to close the account so the data can then age and expire.

  8. Khaptain Silver badge

    Open doors for madness

    This would undoubtedly save the hackers so much time. They would no longer need to try to hack different sites, as they would now have a single site against which they could throw endless rainbow attacks from one of their botnets.

    Example: first, a slew of passwords for Facebook. Even though the password was wrong for Facebook, the Password Similitude engine (sic) would allow them to know that it was the good password for another site, because it would also be interesting for X other sites...

    It's a theory looking for a buyout...

    1. Roland6 Silver badge

      Re: Open doors for madness

      I agree this hasn't been thought through. Firstly, it assumes there is a trust relationship between unrelated websites and secondly, I suspect it will be difficult to protect this backdoor API from dictionary & password cracker attacks - I suspect this could be more remunerative than BitCoin mining...

  9. Jon Smit

    2 part Authentication - more data slurping

    Twitter is currently collecting the mobile phone numbers of its users. How safe is that info with them? They're not allowing any accounts without phone numbers, so sod 'em.

    1. Ben Tasker

      Re: 2 part Authentication - more data slurping

      Skype's slurping up dates of birth too - forced me to enter before I could load the client the other day.

      My guess was that one was more to do with GDPR and what they can do with your data, so obviously I told Skype I'm 9 years old.

      > Twitter is currently collecting the mobile phone numbers of its users. How safe is that info with them? They're not allowing any accounts without phone numbers, so sod 'em.

      They prompted me a while back to enter my mobile number to prove I wasn't a bot. So while I was in Tesco's I picked up a PAYG SIM and gave them that number. Once in, I deleted it back off my profile. It'll only ever go in a phone when I need to "verify" myself.

      At first it felt a bit overly paranoid, but actually - they're insisting on my number (which they don't need on a routine basis) and asking me to trust them not to lose or misuse it. Once it's out, it's out, so why would you give them your regular number?

      1. JimboSmith Silver badge

        Re: 2 part Authentication - more data slurping

        They prompted me a while back to enter my mobile number to prove I wasn't a bot. So while I was in Tesco's I picked up a PAYG SIM and gave them that number. Once in, I deleted it back off my profile. It'll only ever go in a phone when I need to "verify" myself.

        When I last topped up I was given two free sims by the store manager. I use them for that purpose too.

  10. Anonymous Coward

    Why would Social Network A want to know my Social Network B password ?

    Other than to illegally logon and filch more of my private data ?

    But I can see such a mechanism would be useful for State Actors building up a more rounded profile of each and every one of their inmates.

  11. Another User

    Those two guys will be successful in their future lives...

    Although they state in their second sentence of the abstract that their idea is bollocks:

    ‘Though the design of such a framework is fraught with risks to users' security and privacy’

    they decide to proceed regardless.

    I see great potential in further screwups of processor design. Maybe ‘optimizing’ virtualization. Why not have global inode ref counters for shared file systems...

    1. Phil Kingston

      Re: Those two guys will be successful in their future lives...

      I guess that if some research didn't identify risks then others might not learn of them until too late.

  12. Ken Moorhouse Silver badge

    How would two sites know that passwords are the same?

    The actual password should not be accessible for comparison with anything else, only with a salted hash of it.

    The only way that e.g., Twitter and Facebook would know that two passwords were identical would be if they are using the same salt and an identical hashing technique.

    1. Ben Tasker

      Re: How would two sites know that passwords are the same?

      I would guess that for the purposes of this, there'd be an agreed format for it to be stored in.

      In fact, for this use-case, you probably wouldn't use a salted-hash in the way you would for credential storage - this stuff would only be triggered when a password is _set_ so you could afford to go for something a bit more expensive in processing terms. So, you'd probably generate a cryptographic signature using a shared/known key.

      The problem is, with a globally shared key, you could _potentially_ still try and bruteforce signatures (the tables you generated would be applicable to every platform using the comparison service - essentially losing the benefit that a salt traditionally provides).

      The alternative, as you say, is probably that services need to keep the password in some reversible format so that they can answer similarity requests. There are ways other than simply storing plaintext (or an encrypted version of, which is no better) but I don't know how strong they are against a determined analysis.
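As an added illustration of the two storage designs discussed in this thread (shaunhw's per-login random salt, site pepper and iterated hashing earlier, and Ben Tasker's shared-key signature in this reply), not code from the article, the paper or any commenter. The site names, pepper values, shared key and sample passwords are constructed placeholders, and the iteration count is kept low for the demo.

```python
import hashlib
import hmac
import os

# Constructed values for the demonstration. Each site keeps its own secret
# pepper; the cross-site comparison scheme instead needs one key that every
# participating site knows.
SITE_PEPPER = {"siteA": b"constructed-pepper-A", "siteB": b"constructed-pepper-B"}
SHARED_COMPARISON_KEY = b"constructed-key-known-to-all-sites"
ITERATIONS = 50_000  # lowered for the demo; production tunes this much higher


def hash_password(password, site, salt=None):
    """Per-login random salt (128 bits) + site pepper + iterated PBKDF2-HMAC-SHA256.

    Returns (salt, digest). The salt is stored beside the digest; the pepper
    lives in the site's configuration, not in the credential table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt + SITE_PEPPER[site], ITERATIONS
    )
    return salt, digest


def verify_password(password, site, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, site, salt)
    return hmac.compare_digest(candidate, digest)


def shared_key_tag(password):
    """Deterministic HMAC under the key shared by every participating site.

    Equal passwords give equal tags wherever they are computed, which is what a
    cross-site re-use check needs. The same property means there is no
    per-account salt, so a table of tags built once applies to every site.
    """
    return hmac.new(SHARED_COMPARISON_KEY, password.encode("utf-8"), "sha256").digest()


def salted_hashes_are_unlinkable(password):
    """Same password on two siteA accounts and one siteB account: every stored
    digest differs, yet each still verifies against its own salt."""
    salt_a1, h_a1 = hash_password(password, "siteA")
    salt_a2, h_a2 = hash_password(password, "siteA")
    salt_b, h_b = hash_password(password, "siteB")
    all_distinct = len({h_a1, h_a2, h_b}) == 3
    all_verify = (
        verify_password(password, "siteA", salt_a1, h_a1)
        and verify_password(password, "siteA", salt_a2, h_a2)
        and verify_password(password, "siteB", salt_b, h_b)
    )
    return all_distinct and all_verify


def cross_site_reuse_detected(password_set_on_site_a, password_set_on_site_b):
    """What the comparison service would do: siteA and siteB each compute a
    tag independently and the service only sees whether the tags match."""
    tag_a = shared_key_tag(password_set_on_site_a)
    tag_b = shared_key_tag(password_set_on_site_b)
    return hmac.compare_digest(tag_a, tag_b)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("salted+peppered digests unlinkable:", salted_hashes_are_unlinkable(pw))
    print("shared-key tags reveal re-use:", cross_site_reuse_detected(pw, pw))
    print("different passwords, no match:", cross_site_reuse_detected(pw, pw + "!"))
```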

  13. Anonymous Coward

    Password managers are a partial solution

    Password managers don't cover every use case. It's OK when they are on the same device and can automate input. But have you ever tried to use a really complex random password, one that's also hard to type, and have it shown on your mobe while you try to input it into another device? It's uncomfortable enough that you don't want to have to do it more than seldom.

    Also, with a password manager you become totally reliant on it. Just like mobe address books make you no longer remember telephone numbers, with password managers you don't remember passwords, so if you need access and for any reason the password manager is not available or not working, you're cut out.
