Weak passwords stored in browsers make hackers happy

Nearly a quarter of people (23 per cent) polled in a survey by Symantec use their browser to keep tabs on their passwords. A survey of 400 surfers by Symantec also found that 60 per cent fail to change their passwords regularly. Further violating the 'passwords should be treated like toothbrushes' maxim (changed frequently and …

COMMENTS

This topic is closed for new posts.
  1. EddieD

    Easier said than done...

    A lot of sites don't allow special characters, others don't discriminate between lower and upper case (WoW, I'm looking at you...), so often the user has to accept a lower level of password security than they would like.

    I'm a wee bit in the middle for security - I don't allow my browser to store passwords for what I think of as sensitive sites (and I don't use web based banking at all), I use different passwords for different sites, but I have to confess that I don't change them often enough.

    OTOH, if anyone wants to hack my mail, all they'll find is how dull my life really is, and if I did have my bank account compromised they'd be the lucky recipients of 3 groats 2 shillings and thruppence ha'penny - I'm lucky in a way, what you don't have, can't be taken...

    1. ian 22

      Lucky

      So yer saying "Freedom's just another word for nothing left to lose".

      I pity the rich....

  2. Reading Your E-mail
    Terminator

    100 sites

    100 "Different" passwords that you change on a regular basis, don't write down and can't be related to anything in your life.

    Nice idea for sure, but not practical unless you want to be constantly clicking on "forgotten password" links.

    I can't argue with the logic but it'll never be practical unless we go Johnny Mnemonic

    1. RandSec

      All the Long, Random Passwords You Want

      We all need a password manager and then can easily manage hundreds of unique long, random passwords having serious strength. I have been happy with free LastPass.com, which encrypts locally and then saves the result in the clouds. There are versions for various browsers and OS's. There is a local "portable" version. The Firefox add-on saves an encrypted copy locally, for when the cloud is down (perhaps to access a router password). Passwords are easily accessed from different computers, either for normal work, or in an emergency. As in any password use, the local computer does need to be bot-free. I recommend booting Puppy Linux from DVD for online browsing.

      1. local grockel
        Thumb Up

        Thanks

        lastpass.com, a useful pointer. I've been using KeepAss (sorry KeePass) which is good, but more hassle to use multi-platform and with a good backup.

        Imagine having all your passwords extra-safe, and extra-lost because of bad housekeeping. Ugh.

        So, thanks for the recommendation, makes ElReg the fine place it is! (smarm smarm)

  3. Anonymous Coward
    Anonymous Coward

    Impossible

    It's simply impossible to store 10 / 15 / 20 different passwords, each consisting of a mixture of punctuation and numbers, in your head.

    Nice bit of PR for Symantec, but everybody uses the same simple password for the internet.

    The alternative is being locked out of sites. I'll take my chances naggers!

  4. Graham Dresch
    FAIL

    Idiots

    Quote: "one in ten used a pet's name. The name of a pet might easily be obtained by browsing on an intended target's social networking profile."

    If anybody actually needs a reason to completely avoid the disaster-waiting-to-happen that is social networking, this is it.

    1. Anonymous Coward
      Anonymous Coward

      eh?

      I completely fail to see why this is a problem with social networking and not a problem with the users of social networking...

  5. Anonymous Coward
    Black Helicopters

    Re: Impossible

    How about using a single word of, say, six or seven letters as a common word. Then when you need a password for a site, say ebay, your password would be eb<yourwordhere>ay.

    That way, you only need to remember one password and add the site on to it.

    1. informavorette
      Thumb Down

      strategy about as bad as a single password for everything

      Imagine that a single password of yours is hacked. If I was a hacker and bruteforced/phished/intercepted/socialengineered your ebyourwordhere password, I'd directly head to amazon and log in as you@googlemail.com, pass:amayourwordherezon. Or better yet, try out cityyourwordherebank...

      Or even if there isn't a hacker. In university, I had to submit solutions of homework assignments with a hard deadline. Miss a deadline, and you cannot write the test in this subject. So one day I was somewhere, when I realised that I had to submit a homework within two hours, and that my solution only existed on the HDD of my laptop... which I'd left on the docking station in the office where I was doing an internship. There was no way to reach the laptop within two hours, so I just called a co-worker, gave him the password for my account, and he sent me the file, which I successfully submitted. As soon as I got to my laptop, I changed the password, matter closed. If I'd followed your password creation strategy, I'd have had to choose between the guy easily guessing all my passwords and postponing the test by two semesters.

      The only way it is safer than "same pw everywhere" is when a hacker gains access to an account of yours by circumventing a password rather than obtaining it.

  6. Daniel 1
    Stop

    Did we really need Symantec to tell us this?

    Did they even really need to do the research? They could have just cut&pasted the results from any number of previous surveys, instead. Of course users let their browsers store their passwords for them: their browsers prompt them to do so.

    Also, I don't go along with this 'change passwords frequently' crap. The toothbrush analogy is one of those trite-isms that sounds terribly wise - until you realise that what is being advocated is a system that forces users to rotate between a handful of memorable-enough passwords, on a regular basis - or, worse still, forces them to think of some new, unique (and, therefore, in all likelihood, even easier to remember/guess) password, every few weeks or so (and then immediately begins prompting them that their password is about to expire in a few weeks, of course!)

    Just let the user select one, secure, password; tell them not to share it; tell them not to write it down; sack them if they do either of those things, and let them keep the damn thing for all eternity... If you really think someone might be trying to force-crack your password system, then any attack worth bothering with is going to take far less time than your enforced password-changing regime. Maybe you should be considering moving to a more secure password system, instead of beating up your users?

    While we're on that tack, let's have a survey of all the applications that don't enforce passwords correctly, store the results in plain text, allow multiple users to share a session, embed human-readable data in things like querystrings, or just run the entire application logged in to the database as root/sa - with a blank password?

  7. Adam Trickett
    Linux

    The sites themselves don't help

    Most sites, including banks force you to use woefully short passwords without punctuation. Their own policies are so stupid and incoherent that the only explanation is that they were created by their marketing departments rather than someone with basic IT skills...

    Most people get their browser to remember their password because they have far too many to remember by hand. So few sites use any reliable form of single-sign-on so most users have little or no option.

    There are tools that can help but most people don't have them or use them. I use GPG to lock down the really important things I need but don't want to have to remember.

    You need look no further than "Insecured by Visa", for an example of how poor on-line security is.

    1. AndrueC Silver badge
      Thumb Down

      Insecured by Visa..

      ..is easy to work with. Every time it prompts me for the nth, rd, nd character I launch Notepad then type my password in with digits beneath it. That way I find that I stand a reasonable chance of getting it right.

      Doesn't do much for my security but it probably makes Visa feel happy and /that/ I'm sure is the whole point.

      Stupid sods.

  8. Andrew Moore

    I go for the alternative...

    I always use the same password- However the username often changes...

    Still I'd like to test one of Symantec's "secure passwords" against the latest rainbow table doing the rounds...

    1. Chemist

      Re : I go for the alternative...

      Hash with a 256 bit salt and use a long password and you've made it essentially impossible for cracking using a rainbow table.

      For really important sites like banks I use 20-digit passwords.

  9. Anonymous Coward
    Anonymous Coward

    Banking websites are the worst

    This reminds me of the joys I had with an HSBC-owned bank locking me out each time I tried to log in as they let me set a 15 letter password (but only stored 9 of them).

    A now non-existent bank whose telephone banking security question was set to a question they had asked me when I had opened the account as a student 10 years previously. This same bank had a bunch of memorable questions that were case sensitive but gave you no way to check or change them - stupid considering you never entered them in some cases.

    All of this is of course trumped by the joke that is Verified by Visa and it just reset the password by email without any checks.

    At least the social notworking sites have APIs to let you authenticate with them and pass a token around - something the banks could have cleaned up on if they had some braincells to rub together considering how much they know about everyone.

  10. Mr Pedantio

    Plain text

    Agree with most of the above, especially the impossibility of remembering multiple, constantly-changing passwords. One thing the article doesn't mention is that browsers store passwords in plain text. I was expecting details of a hacking attack that stole the browser password file.

    On a completely separate note, if you want readers to vote on comments, get some bleedin' ajax on your site so we don't have to wade through two page loads just to register a single thumbs-up or -down.

    1. Ammaross Danan

      Ah

      Ah, but if they incorporated AJAX for the thumbs up/down buttons, then they'd never have any votes logged, for if you haven't read most of the comments, everyone seems to be browsing the web using "security by obscurity" browsers or NoScript-enabled ones such as Lynx (complete lack thereof) or FireFox and the like.

      For those "normal" people willing to have acceptable risk vs functionality, I second the AJAX motion.

    2. Anonymous Coward
      Boffin

      voting process

      Good point about the voting, I feel the same way. But OMG, Ajax! It could inject some malicious code and completely compromise all the temp files stored in the RAM by the live Puppy CD I boot from whenever I want to go online! We reg readers have to defend our title of Most devoted noscript users on the entire interwebs. So if someone at el reg thinks that we'd sacrifice our paranoia^H^H^H^H^H^H^H^H security for some noob concept like usability, and implements client-side voting, we actually won't be able to vote at all.

      *now I have to post this*

      *what was my reg password again?*

      *damn, I only remember the first 18 characters*

      *oh yes, 19th to 23rd are the Viking runes. Now where did I put the Unicode table?*

      *grr I have to start typing password again, at 28 put in code for a ვ instead of a ე*

      *All right, I have it. Enter!*

    3. Mark 65

      Wrong

      "One thing the article doesn't mention is that browsers store passwords in plain text "

      Err, no. As indicated here...

      http://kb.mozillazine.org/Password_Manager

      "Firefox 3.5 and later versions use the file signons.sqlite to store the encrypted names and passwords."

      Keyword: encrypted. If a user is foolish enough to not use a password for the manager then that's their issue but in general this is as safe as you'll probably get without storing long complicated passwords in the grey locker.

    4. Chemist

      Re : Plain text

      As far as I'm aware Firefox defaults to encrypting passwords although unless a master password is used it's trivial to read a stored password.

  11. Rabbers
    FAIL

    This is understandable

    Obviously everybody just wants to get on with their life; having to remember the password you made up just two days ago just isn't in keeping with that.

    In general though, and in a far-flung utopian universe, wouldn't it be nice if hackers actually got caught far more regularly than they do now?

    Here's a story about why this doesn't happen:

    My company has recently been told that our merchant bank no longer offers us credit card facilities, not because we have had charge backs - in fact we have a perfect record. This has actually happened because the bank has chosen not to offer merchant facilities to companies that sell hosting!

    They've done this because the card scheme would require them to investigate when suspected wrongdoing occurs where they have a relationship with the host. If they don't have a direct relationship with a host then they don't have to act. I.e. wrongdoing doesn't get investigated because banks (or one specific bank) are free to turn a blind eye to it to save money!

    Sorry for the rant but it's very annoying!

  12. Gilbert Gosseyn
    Jobs Halo

    Could this be why ordinary folk don't take their passwords seriously?

    Just done a quick count up.

    I have 233 passwords, along with their associated login names, user names, screen names and email addresses noted in the text file I'm forced to use cos my brain doesn't have the capacity to remember the necessary random bits of snippets that aren't related or traceable to me or my life.

    I also have notes of 22 verbal passwords I'm expected to use when talking with various service providers on the phone.

    14 PINs

    3 gate/door pass numbers

    5 physical descriptions of key rings on which are kept various friends and neighbours house key emergency copies

    3 anti-theft codes for in-car hifi

    and a separate file with 61 software registration or installation codes.

    Why do I have to create an account to...

    buy something?

    see a price?

    access some types of (otherwise free) information?

    "recommend a post" in a discussion?

    contribute to a discussion?

    look up a phone number

    look up a postcode?

    subscribe to a newsletter?

    obtain software updates?

    report a bug?

    download free stuff?

    get tech support?

    etc..?

    PS: For those security experts freaking out right now: Said text file is encrypted with a fiendishly long and complex passphrase, kept on an encrypted partition of a USB key drive, plugged into the back of my Mac and attached to the wall behind it with a sturdy sink plug chain! Every night the encrypted partition is backed up to an off site server. Not absolutely fool-proof, I know, but it's the best balance of ease of use and security I could think of.

    Gil

    1. Neoc

      This one is easy...

      The answer to most of your above list is "spammers". Until forums required a registration (valid email address + captcha + whatever), they used to be overrun with spammers posting "buy viagra" (or whatever) posts.

      Welcome to real life, where a small minority can make life a pain for the rest of us. :(

      1. Steve Roper

        And also...

        When you buy something online, we, er, sort of need to know where to send the goods you've ordered, and to be able to track your order if you contact us with questions. Since you have to enter your contact information *anyway* for us to send the goods to you, we kinda have to store that info in an account. How else exactly are we supposed to process your order?

        Buying online isn't like walking into a shop and asking for 2 Mars bars and a litre of milk, that's six fifty thanks, see you later. Be good if you could teleport cash over the internet and we could teleport the goods to your location, but until that technology becomes available, we're stuck with doing it the clumsy old way of storing your order info on a computer so we can process and ship it.

        Can't be arsed having yet another username and password to keep track of? Well - what would you prefer? That we just keep that information in the open where anybody can look at it? Or just lock it away so you can't?

    2. Penguin007
      Linux

      I'll see your text file....

      ... and raise you an HTML page! I have a similar setup, but use an HTML page, with all the site names, user IDs and passwords. So I can just right-click on the link, and copy&paste the UID and password.

      File is decrypted at startup of Firefox, and encrypted again when I close FF down (done in a script).

  13. 124Out

    Password advice does more harm than good

    Users ignore it, because they understand that the cost is greater than the benefit.

    Microsoft: http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

    Schneier: http://www.schneier.com/essay-282.html

  14. Frank Bitterlich
    Badgers

    75% of users believe in marketing blurbs...

    ... otherwise such "press statements" (some even call them "studies" - meh) would be seen as what they are - advertising.

    Don't get me started on the useless advice to "change your passwords frequently". The benefits of doing that are highly disputed.

  15. ArmanX
    Unhappy

    It's not the users' fault... usually

    Quiz! Which is more secure: sjst,ib^ogs!cxa or ASDFasdf1234? According to most websites out there, the latter, because it has numbers and upper case.

    On an average US keyboard, there are 94 different characters you can use. That means for an 8-digit password, you can have as many as 6.0957 * 10^15 passwords. If one of those characters must be an uppercase letter, one must be a lowercase letter, and one must be a digit, you're suddenly at 4.9612 * 10^13 possible combinations; if you can't use symbols, you're at 6.1931 * 10^12 possible combinations. The more limits you have (like "no repeating letters" or "can't look too much like your last password"), the fewer password possibilities there are.

    If you want to make your site "secure", fix the problems on your site, not the user side. Enforce a simple security policy on the user side - at least 8 characters, use at least one non-alpha character, don't use a password on our "bad password" list. And then lock down the login system - sure, there are systems that can check eleventy billion passwords a second, but if your system only allows a login attempt every 30 seconds, then it doesn't matter how fast the query is. If the cracker gets into your password database, well, it doesn't matter how secure the passwords are, they're compromised.
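The password-space arithmetic in the comment above, worked through as an added example (not part of the comment). The commenter's figures of 4.9612 * 10^13 and 6.1931 * 10^12 are reproduced by reserving one position for each mandatory class and filling the remaining five positions freely (26 * 26 * 10 * 94^5 and 26 * 26 * 10 * 62^5); that method is a lower bound, since the mandatory characters can appear in any positions and more than once. The exact count of strings that contain at least one character from each required class is obtained by inclusion-exclusion over the classes that are missing, and the block computes both so the two can be compared. The 94-character alphabet split into 26 upper, 26 lower, 10 digits and 32 symbols is the US-keyboard count the comment uses.

```python
from itertools import combinations
from math import prod

# Added example, not from the comment. Character-class sizes for the 94
# printable ASCII characters on a US keyboard.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS      # 94


def unconstrained(length: int, alphabet: int = ALPHABET) -> int:
    """Every position may hold any character: alphabet ** length."""
    return alphabet ** length


def fixed_position_estimate(length: int, required, alphabet: int = ALPHABET) -> int:
    """The comment's method: one slot per required class, the rest free.

    This undercounts, because it pins each mandatory character to one
    position and ignores the other arrangements and repeats.
    """
    return prod(required) * alphabet ** (length - len(required))


def exact_with_required_classes(length: int, required, alphabet: int = ALPHABET) -> int:
    """Exact number of strings containing at least one character from each
    required class, by inclusion-exclusion over the set of *missing* classes.
    """
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def constraint_cost_bits(length: int, required, alphabet: int = ALPHABET) -> float:
    """How many bits of search space a composition rule removes (exact count)."""
    from math import log2
    return log2(unconstrained(length, alphabet)) - \
        log2(exact_with_required_classes(length, required, alphabet))


if __name__ == "__main__":
    req = (UPPER, LOWER, DIGITS)
    print(f"free 8-char:           {unconstrained(8):.4e}")
    print(f"comment's estimate:    {fixed_position_estimate(8, req):.4e}")
    print(f"exact with 3 classes:  {exact_with_required_classes(8, req):.4e}")
    print(f"no symbols, estimate:  {fixed_position_estimate(8, req, 62):.4e}")
    print(f"no symbols, exact:     {exact_with_required_classes(8, req, 62):.4e}")
    print(f"bits lost to the rule: {constraint_cost_bits(8, req):.2f}")
```

The general point the comment makes survives either way of counting: every composition rule shrinks the space an attacker has to search, and the exact loss is a fraction of a bit to a few bits per rule, which is why rate limiting and a blocklist of known-bad passwords do more for the site than elaborate character-class requirements.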

  16. Callum
    FAIL

    I'm alright

    because my cat's name is "y£^%$d3D*m)"

    oh bugger.

  17. Lionel Baden

    name of pet

    I tend to use the name of my current stalker :/

  18. Anonymous Coward
    FAIL

    Male Cow Excrement

    "The net security firm advised computer users to pick a mix of numbers, letters, punctuation, and symbols when picking passwords."

    A password like "BookAlien", "SwitchCheese" or "jumpCable" is easily secure enough; the problem clearly is with A) people using totally stupid passwords like "123", "qwerty" or their first name OR B) broken authentication systems that allow for brute-forcing.

    Proper systems will present a good CAPTCHA after ten bad tries and/or will slow down the checking process. If you can issue a password every 5 minutes (after ten bad attempts), this means you can do about 300 tests per day. As there are about one million words in the English language, a system of two simple, unrelated and unguessable words is totally secure: 1E12/2/300 = 1666666666 days (4.5 million years) are needed to guess a password on average.

    The suggestion with the special characters was only necessary during the time of publicly viewable /etc/passwd files on Unix. That was about 15 years ago.

    Try a wrong password a couple of times with Google Mail and you will see how a good system works.
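The server-side slowdown the comment above describes (and the "one attempt every 30 seconds" idea from comment 15), as an added example that is not part of either comment: a per-account throttle that allows ten free attempts and then one attempt per five minutes, plus the expected-time arithmetic from the comment. The credential check and the clock are injected so the throttle can be exercised offline; the policy constants are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Added example, not from the comment. Assumed policy: FREE_ATTEMPTS free
# tries, then one try per LOCK_SECONDS for that account.
FREE_ATTEMPTS = 10
LOCK_SECONDS = 300          # "one password every 5 minutes"


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # monotonic timestamp before which tries are refused


class LoginThrottle:
    """Per-account online guessing throttle.

    check_credentials(user, password) -> bool is whatever verifies the hash.
    clock() returns seconds; defaults to time.monotonic, injectable for tests.
    """

    def __init__(self, check_credentials: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self._check = check_credentials
        self._clock = clock
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str) -> Tuple[str, float]:
        """Return ("ok" | "bad_password" | "throttled", seconds_to_wait)."""
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if now < st.next_allowed:
            # Refuse without even checking the password: the attacker learns
            # nothing and the hash function is not exercised.
            return "throttled", st.next_allowed - now
        if self._check(user, password):
            self._state.pop(user, None)        # success resets the counter
            return "ok", 0.0
        st.failures += 1
        if st.failures >= FREE_ATTEMPTS:
            st.next_allowed = now + LOCK_SECONDS
        return "bad_password", 0.0


def guesses_per_day(lock_seconds: float = LOCK_SECONDS) -> float:
    """Online guesses an attacker can make per day once throttled."""
    return 86400 / lock_seconds      # 288 at five minutes; the comment rounds to 300


def expected_days_to_guess(candidates: float, per_day: float) -> float:
    """Average case: half the candidate space must be tried."""
    return candidates / 2 / per_day


if __name__ == "__main__":
    users = {"alice": "BookAlien"}            # constructed sample account
    throttle = LoginThrottle(lambda u, p: users.get(u) == p)
    for i in range(12):
        print(i + 1, throttle.attempt("alice", f"guess{i}"))
    print(expected_days_to_guess(1e12, 300))  # 1666666666.67 days, as in the comment
```

Two caveats a defender would add: a per-account lock lets anyone who knows a username deny that user service, so real deployments combine the account counter with per-source-IP limits and a CAPTCHA rather than a hard refusal; and, as comment 15 notes, none of this helps once the password database itself leaks, which is what the salted, slow hash is for.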

  19. Pablo
    Stop

    So what?

    The point these surveys always miss is that people nowadays have passwords for dozens of things, most of them thoroughly trivial. Sure I use stupid passwords for things I don't care about. For the rare financial stuff or anything else that seems important I use stronger passwords.

  20. Anonymous Coward
    Anonymous Coward

    wot he said

    Three sets of sites

    General

    Shopping

    Banking

    Three sets of passwords with a numeric sequence tacked on the end

    Store the numerals on my phone disguised as a phone number in case I forget which is which and away I go.

  21. lucsan
    Grenade

    The Solution

    The solution is simple. First create an imaginary life for yourself. Make sure you populate it with plenty of characters and cool things. Now you can use the name of your imaginary pet as a password, no one will guess it.

    Want even more security? Create a secret codex, this is even cooler as it's a codex like Da Vinci's (surely the coolest techie ever?) (Da Vinci is a char from history popularised by Dan Brown). Create your codex by writing down all the letters you use then map them to a set of chars.

    Wow cool, now you can browse safely as long as you do it well away from cliffs and objects with sharp edges.

    1. Steve Roper

      Exactly what I've done

      Many of my passwords are place-names from my imaginary world. I have a large and highly detailed map with literally hundreds of places identified on it, along with a load of rendered scenes depicting that world. I then just associate a website in my mind with a place in that world, and bam - unique easily-remembered impossible-to-guess passwords!

      1. Chemist

        Re : Exactly what I've done

        Even so important passwords should be LONG

  22. Robert Carnegie Silver badge

    My password for The Register is quite weak

    And is the same as for several other sites.

    When trivial participation in a web site requires registering an account name and password... when there are dozens of these that you may use... when there isn't one universal sign-on service (which I think we expected would be evil, but now I've forgotten why)...

    Maybe trivial sites that you also only use once in a while should ENCOURAGE you to use a pet's name or a birthday, or a pet's birthday, as your password with them. Someone will have to dig moderately deeply to steal it and it won't be much use to them. But then I suppose there would be immediately created an evil personal data search network that holds the birthday of every pet in the world, just to get past that password question more easily. In fact I think it has anyway...

  23. Hugh McIntyre

    Re: and also...

    RE: "When you buy something online, we, er, sort of need to know where to send the goods you've ordered, and to be able to track your order if you contact us with questions"

    But many shopping sites have the option to manage without this. Instead, for tracking, you can log onto the site with order number and email address (unlikely for someone to guess) for tracking, based on the order number having been emailed to you. In terms of storing a shipping address in an "account", obviously you can just store this in a database indexed by order ID. No need for accounts.

    Sure, you probably only want this to give access to that single order, not all of your orders. And you may want to only allow tracking or questions, not cancellation. And also, people may be willing to sign up for an account for a few commonly used sites like Amazon, but not all sites.

    Essentially, I'm arguing that for an obscure site you only go to once, the combination of (email,ordernumber) corresponds to a form of (username,password). At least assuming you don't have access to the user's email or have such a tiny number of orders that the order numbers are just 1-10.

