back to article Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

Citrix says there is no reason to panic after it asked customers to reset their passwords on its Sharefile service. The file-slinging service rang in the new month with the announcement that it would begin regularly requiring users to change their passwords. That new policy will begin this week, as all users are being asked to …

  1. Anonymous Coward
    Anonymous Coward

    customers also baffled

    Baffled by "Custoemrs": intentional / pun? Am I just dense?

  2. Anonymous Coward
    Anonymous Coward

    Work requires regular password changes

    so I cycle through various iterations of "weak password(n)"

    1. Phil Kingston

      Re: Work requires regular password changes

      I used to work somewhere as a non-sysadmin that required regular password resets, retained 12 previous passwords but had no minimum password age. I just used to sit there and reset my password 13 times to get back to the one (very complex) one I had committed to memory.

      I say this to perhaps reinforce that having a policy is one thing, having an effective policy is harder. Sounds like Citrix is at least trying to do good things.

    2. MJI Silver badge

      Re: Work requires regular password changes

      I have had this, try to think of new one each month.

      Now I am a railway enthusiast so chose the following

      month 1 - dreadnought

      month 2 - superb

      month 3 - temeraire

      month 4 - stvincent

      All from the Platform 5 book of regularly changed memorable passwords

      4 years worth

      left there fortunately before I got too far down the list

  3. jason_derp

    Question about weak passwords

    I'm a bit confused about the reasoning behind forcing password changes leading to weaker passwords. If it's only x number of users doing so and making garbage passwords/not using password managers (or company or whatever not providing them), isn't only that single user being effected, or does that become other people's issue as well? If you change out the locks on a door every month, and the person with the key keeps taping it to the same door that's locked, is it the locks fault the door got open by somebody who shouldn't have opened it? If I sell really sharp utility knives to people, do I have to hire people to go and put helmets on users before they start trying to hold the knives with their mouths? I think it's fair to allow for the assumption of a bit of responsibility to the user.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Question about weak passwords

      "I'm a bit confused about the reasoning behind forcing password changes leading to weaker passwords"

      I imagine it goes something like this: you start out with D9xTMffgH!#82 then D9xTMff then DxCitrixAgain and then ihatecitrix and ihatecitrix! and ihatecitrix123

      etc

      C.

  4. Nick Kew
    Devil

    Quick, more boiling oil!

    So they're 'protecting' users who do dumb things like re-use passwords ... by doing dumber things like forcing them to deal with extra complexity. Along with all those who would never dream of reusing their Correct Horse Battery Staples. This is broken, so let's double down on it.

    Do they also make you identify with memorable personal data? Mother's maiden name, favourite colour, first school, sorta thing? Now that really does feature in data leaks. As if it was even secure in the first place.

    Where's the Pratchett icon, for occasions like this when he helps translate AAARGH to a half-decent LART?

    1. Steve K

      Re: Quick, more boiling oil!

      If you are of a certain age then the problem for a lot of people will be from all those harvesting emails in the late 90’s/early 00’s where huge email chains were used to find your Star Trek/Porn Star/etc. names.

      This means that there are probably a lot of hash tables out there with a decent subset of personal data, and probably databases with links between personal info supplied above and surnames/emails.

      Whilst emails could well have changed for many people and so this may be less of a problem these days, it would explain why some ID theft campaigns were so successful in the past, and why memorable personal data could be considered compromised or less secure.

      1. Korev Silver badge

        Re: Quick, more boiling oil!

        There are similar junk "surveys" doing the rounds of Facebook etc. these days too

    2. vtcodger Silver badge

      Re: Quick, more boiling oil!

      "So they're 'protecting' users who do dumb things like re-use passwords ..."

      Perhaps the users are trying, in the only way available to them, to communicate to you what they think of complicated password based authentication schema.

      Let me ask the inevitable downvoters one question.

      Are your ideas of how to do things working?

      1. Anonymous Coward
        Anonymous Coward

        Re: Quick, more boiling oil!

        Reusing passwords is dumb dumb dumb - I would NEVER do that - I just write it down on a post-it note and stick it under the keyboard - I'm not dumb enough stick it on the monitor. Everybody happy now?

        1. gnasher729 Silver badge

          Re: Quick, more boiling oil!

          "I just write it down on a post-it note and stick it under the keyboard"

          You want to be protected from evil hackers on the internet, and from nosy colleagues at your workplace. So if you use this method, take a password that is memorable to you, but not to your colleagues, add a longish random password, and only write the longish random part on a note. Evil hackers on the internet can't read the note. Nosy colleagues are usually not skilled enough to add your memorable words part.

  5. Alan J. Wylie

    NCSC advice

    The National Cyber Security Centre (part of GCHQ) doesn't think that forcing regular password expiry is a good thing.

    1. Pascal Monett Silver badge
      Trollface

      Not in their interest, is it ?

      1. MJB7

        Not in their interest, is it?

        NCSC may be part of GCHQ, but their remit is to protect government (interpreted broadly) systems, and UK businesses.

        There are plenty of other people saying password resets other than when compromised are a bad idea.

        If Citrix wanted to do something useful, they could check new passwords aren't in the Have I Been Pwned database.

  6. Steve K

    What about other Cisco services?

    If it’s such a good idea for Sharefile then surely Cisco will roll this out to any other of their services too?

    1. upsidedowncreature

      Re: What about other Cisco services?

      Citrix != Cisco.

      And IMO regular forced password expiry != a good idea.

      1. Steve K
        FAIL

        Re: What about other Cisco services?

        My mistake - I meant Citrix.....

  7. Anonymous Coward
    Anonymous Coward

    ""Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.""

    I'm guessing Citrix have downloaded one of the many available leaked credentials databases from the web (they are there if you look), and ran a comparison against their existing database, and found X% of matches. They've probably also worked that if an attacker starts at a and ends with z it will take Y weeks until the first account is hacked and Z weeks until the matches all are, so password change all round.

    I say I'm assuming cos that's exactly what I did with one of the systems I look after and a forced urgent password change was undertaken in a race against the hackers. Every time a new leaked database is made public, rinse and repeat.

    I heartily recommend people to have a nosey at https://haveibeenpwned.com/ and change their password if appropriate.

  8. Anonymous Coward
    Anonymous Coward

    Communication would have been nice

    It would have been helpful if Citrix had actually communicated to users and administrators that they were doing this, rather than coming in on Monday morning to find no-one could login.

    1. Pascal Monett Silver badge

      Re: Communication would have been nice

      They did, except that they were dumb enough to post notice during the week-end.

      They should have posted the notice Monday morning, then waited until Thursday to implement.

      Instead, they thought people were really intent on following their services during the week-end. That's what you get when you take FaceBook as an actual news platform, and confuse your number of followers with your number of friends.

  9. R J
    Trollface

    Lets just hope...

    .. that they won't force you to change password as often as they change their product names.

    1. Korev Silver badge
      Coat

      Re: Lets just hope...

      Since you metaframe it like that...

  10. Gareth Jones

    "According to Citrix, there's no specific data breach or incident behind the move"

    Really? If so, why am I dealing with users asking about this then?

    "We have been notified this morning of a security incident relating to our support data sharing tool Sharefile, and we have provided their message to us as part of our management of this situation. We have contacted ShareFile and are awaiting further clarification from them, and as their message states they are continuing investigations into the incident."

  11. Peter 26

    2FA Fail

    I'm all for increased security, so I went to their website, changed my password to a random generated one (I have no idea what it is) and saved it in my password manager Blur. Then I went to see if they had a 2FA option. There is yay! But only via sms/phone call, boo! But wait, after enabling SMS 2FA, I can then enable a backup 2FA via an Authenticator App, but you cannot remove the SMS 2FA.

    I signed in on my mobile and it sent me an SMS rather than using the authenticator app.

    They are nearly there, but they need to push to use the authenticator app as the first choice and give the option to remove SMS as 2FA (in fact encourage it), sim swapping is incredibly easy to do, use of it to take over accounts has exploded recently. SMS 2FA cannot be trusted anymore.

    I've removed SMS 2FA from my google account, name cheap and anywhere else that gives me the option.

    Sharefile is probably the most important account I have, I use it to transfer customer data. That thing needs to be secure. They should up their game with regards to 2FA.

    1. Pascal Monett Silver badge

      Re: sim swapping is incredibly easy to do

      Not knowing what this was about, I did some quick research.

      What I found is that, yes, this is a thing and yes, it can be real headache.

      However, there are a few prerequisites :

      1) sim-swapping targets "profitable victims", which means said victims have been identified among the many - not so obvious

      2) "Laying the groundwork for a SIM swap scheme involves collecting as much information about the victim as possible. - sounds like work, even if clueless people also have money

      3) living in a country where phone providers activate new sims via phone call

      And that is the crux. If you live in a country where the phone provider will not do any such thing over the phone, and instead send the legitimate owner a new sim via mail to the legitimate address, then this whole scheme is dead before it started.

  12. Neil Spellings

    More details now posted here:

    https://www.citrix.com/blogs/2018/12/04/citrix-forces-password-reset-to-protect-against-credential-stuffing/

    Credential stuffing attack. I'm still not a fan of scheduled enforced password changes, but it's better than nothing for users that don't have 2FA enabled and have their credentials exposed online.

  13. EJ

    On the bright side

    Nearly every user who received one at my company reported it as a potential phishing attack. Even our security team was confused by the message when we evaluated it (suspicious content but legit links). Wasn't until we saw a Twitter conversation by ShareFile claiming they were legit before we finally gave the thumbs up on performing the password resets.

    1. Huw D

      Re: On the bright side

      Same here. It appears that the security training is working!

  14. Frank Bitterlich
    Pirate

    An email...

    ... that for some reason travelled backwards in time from May 2019 into my today's inbox:

    "Dear happy Cixtrix user,

    as you please have heard must please reset password now. Or not have access. Convenienly, plase click [a href="someplace.please-dont-block-my-account.wherever.tk]here[/a] to not have account removed and set new password. Must enter old password first. Please ignore if some get warning browser message, all is OK. Awaintingly, Cxitrix user best support team."

    1. Pirate Dave Silver badge
      Pirate

      Re: An email...

      I had a similar thought. I wonder if the spammers are already using the confusion to dupe users into providing their new credentials. Just a simple "Dear user, please reset your password again. The one you did earlier was lost by our server" email, followed by a relatively official looking login page, might trick far too many users. Never underestimate the gullibility of the user base.

  15. eyemessiah

    "Unless there is reason to believe a password has been compromised ..."

    The problem is of course that even in the absence of data breaches users frequently find ways to compromise their own logins so you should probably always assume that some proportion of your users are using compromised credentials.

    Frequent forced resets are obviously harmful but the mistake I think that we make nowadays is in assuming that if frequent forced resets (worst I've personally experienced was 30-day but I've heard of worse!) are bad for overall security then the ideal must be to never, ever force your users to reset their passwords.

    I'm not 100% sure this is always true - particularly given that over time your users will tend to compromise their own credentials one way or another. Even if an infrequent forced reset isn't a perfect "refresh" - it seems like its better than just letting the proportion of compromised credentials grow over time.

    If Citrix did indeed run a comparison of their sign-ins against publicly known compromised credentials it would be interesting to know if they did the same again after the reset - and whether or not and how much difference it made.

    1. julian_n

      Re: "Unless there is reason to believe a password has been compromised ..."

      One answer would be to check passwords, as they are changed, against the compromised list from Troy Hunt - he has an API for this - and tell users to pick again if the password is on the compromised list.

    2. gnasher729 Silver badge

      Re: "Unless there is reason to believe a password has been compromised ..."

      "If Citrix did indeed run a comparison of their sign-ins against publicly known compromised credentials..." then I would be very worried, because Citrix is not supposed to know their user's passwords and not supposed to be able to do this easily. And not faster than any hacker could do it.

  16. Anonymous Coward
    Anonymous Coward

    Don't believe that Citrix did not have a breach!

    These email responses have been sent to some Citrix Sharefile users.

    "I got an email that included the following:

    We are writing to notify you of a security incident on the Citrix ShareFile service (aka Citrix Content Collaboration) that affected users on your Citrix ShareFile account. We recently became aware of suspicious activity associated with certain user accounts. Based on our investigation to date, we believe that an unauthorized party used credentials obtained from third-party sources to attempt to access and obtain information from certain Citrix ShareFile user accounts.

    "We believe these attempts were successful for some Citrix ShareFile user accounts associated with your organization. There is no indication that this issue resulted from a compromise of our systems."

    "We have taken a number of steps to address this issue, including disabling unauthorized account access and requiring all non-SSO users to reset their passwords. In addition, we continue to closely monitor our network to detect and prevent any suspicious activity associated with the Citrix ShareFile service.""

    "Based on our investigation to date, we believe that an unauthorized party used credentials obtained from third-party sources to attempt to access and obtain information from certain Citrix ShareFile user accounts."

    1. Neil Spellings

      Re: Don't believe that Citrix did not have a breach!

      That email confirms what the blog post said..the credentials came from elsewhere, not from Citrix, so there was no breach of ShareFile itself.

  17. rg287

    "In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures."

    FFS. I thought we'd got past stupid bollocks like this.

    Doing a reporting process vs. the HIBP Pwned Passwords API and then forcing resets on specific users with matching passwords (and then querying HIBP on password resets going forward) could be construed to be a useful and sensible thing to do to scotch people speculatively trying compromised passwords. Along with encouraging/pushing adoption of (token or H/TOTP - not SMS!) 2FA to outright mitigate password theft.

    Arbitrarily going back to 2001 and requiring regular password resets is just stupid.

  18. Alister
    Headmaster

    Citrix did not say how frequently users will be required to change out their passwords

    What's wrong with "change"? Where does the "out" come from?

  19. Gitboxster

    I don't believe them

    Our organization has over 300 users. 80 of them are part of our Sharefile workforce. All 80 have been getting a particular phishing email several times a day which began 4 days before Sharefile mysteriously began enforcing this new policy. The rest of our non-Sharefile users have received a single one. This is not a confidence. Whoever performed this hack were able to obtain a list of addresses. I don't know if they were able to get to any of our data. I believe the truth will come out.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like