passwords

Instead Of Blogging…

Things I’ve been doing instead of blogging, this last month, include:

Code Week: hacking Three Rings code in a converted hay loft of a Derbyshire farm, as mentioned on the Three Rings blog.
Hoghton Tower: as is traditional at this time of year (see blog posts from 2010, 2009, 2005, 2003, for example), went to Preston for the Hoghton Tower concert and fireworks display, accompanied by Ruth, and my sister’s 22nd birthday. My other sister has more to say about it.
Family Picnic: Joining Ruth and JTA at Ruth’s annual family picnic, among her billions of second-cousins and third-aunts.
New Earthwarming: Having a mini housewarming on New Earth, where I live with Ruth, JTA, and Paul. A surprising number of people came from surprisingly far away, and it was fascinating to see some really interesting networking being done by a mixture of local people (from our various different “circles” down here) and distant guests.
Bodleian Staff Summer Party: Yet another reason to love my new employer! The drinks and the hog roast (well, roast vegetable sandwiches and falafel wraps for me, but still delicious) would have won me over by themselves. The band was just a bonus. The ice cream van that turned up and started dispensing free 99s: that was all just icing on the already-fabulous cake.
TeachMeet: Giving a 2-minute nanopresentation at the first Oxford Libraries TeachMeet, entitled Your Password Sucks. A copy of my presentation (now with annotations to make up for the fact that you can’t hear me talking over it) has been uploaded to the website.
New Earth Games Night: Like Geek Night, but with folks local to us, here, some of whom might have been put off by being called “Geeks”, in that strange way that people sometimes do. Also, hanging out with the Oxford On Board folks, who do similar things on Monday nights in the pub nearest my office.
Meeting Oxford Nightline: Oxford University’s Nightline is just about the only Nightline in the British Isles to not be using Three Rings, and they’re right on my doorstep, so I’ve been meeting up with some of their folks in order to try to work out why. Maybe, some day, I’ll actually understand the answer to that question.
Alton Towers & Camping: Ruth and I decided to celebrate the 4th anniversary of us getting together with a trip to Alton Towers, where their new ride, Thirteen, is really quite good (but don’t read up on it: it’s best enjoyed spoiler-free!), and a camping trip in the Lake District, with an exhausting but fulfilling trek to the summit of Glaramara.

That’s quite a lot of stuff, even aside from the usual work/volunteering/etc. stuff that goes on in my life, so it’s little wonder that I’ve neglected to blog about it all. Of course, there’s a guilt-inspired downside to this approach, and that’s that one feels compelled to not blog about anything else until finishing writing about the first neglected thing, and so the problem snowballs.

So this quick summary, above? That’s sort-of a declaration of blogger-bankruptcy on these topics, so I can finally stop thinking “Hmm, can’t blog about X until I’ve written about Code Week!”

Deliciously Silly Password Restrictions

After hearing about the recent purchase of social bookmarking service del.icio.us by Chad Hurley and Steve Chen, I remembered that once, long ago, I had a del.icio.us account. I decided to check if my account was still alive, so I trekked over to del.icio.us and took a look.

The site’s changed quite a bit since I last used it. It took a while for me to remember what my password was (it was an old, old one, since before I started using passwords the right way). It also appeared that the site still knew me by my former name (it really had been a while since I last logged in!), so I updated it with my new name.

The next step was to change the password. I generated a random password:

#AOOZ*Qs9xsj6^bT@MtN4rq1!0FK&2

But when I went to change my password, it was rejected. Apparently it didn’t meet their security rules. What? That 30-character, randomly-generated password, containing uppercase letters, lowercase letters, numbers, punctuation, and special characters… isn’t secure enough?

A little investigation (and some experimentation) later, it turns out there’s a reason: my password must be insecure, because it contains my surname!

I have a single-character surname. That means that a 30-character password will (assuming a dictionary of 26 letters, 10 digits, and let’s say 20 special characters) have about a 40% chance of being rejected on the grounds that it contains my surname. The longer my password is, the more likely it is to be rejected as insecure. My experiments show that “abcdefghijklmnop” is considered by delicious to be more secure for my account password than, say, “@Ubj#JeqPACrgmSQKn9qRYMBM9nPOj”, on account of the fact that the latter contains my surname.

Silly, silly, silly.

After delicious finally died a death, I retroactively imported all my delicious bookmarks into this blog.

Bank Security

Having found by coincidence a (minor, perhaps exploitable as part of a more-complex attack) security problem with the website of a major high street bank, one would think it would be easier than it evidently is to get it reported and fixed. Several phone calls over a couple of days, and the threat of making a complaint about a representative if they didn’t escalate me to somebody who’d actually understand what I was explaining, I’ve finally managed to get the message through to somebody. How hard was that? Too hard.

If this still doesn’t work, what’s the next step? I’m thinking (1) change banks; (2) explain why to the bank; (3) explain why to the world. Seriously, I expect better from the people looking after my money.

And on that note: time for bed.

Edit: Meanwhile, we see that the PlayStation Network hack may have resulted in the theft of personal information from users’ accounts. While most of the media seems to be up in arms about the fact that this might have included credit card information, I’m most pissed-off about the fact that it might have included unencrypted passwords. Passwords should be stored using irreversible encryption: there’s no legitimate excuse not to do this, these days (the short version for the uninterested: there is a technique which can be used to store passwords encrypted in a pretty-much irreversible format, even if the hacker steals your entire computer: it’s very easy to do, protects against all kinds of collateral damage risks, and Sony evidently don’t do it). If any of Sony’s users use the same password for their email account, social network accounts, online banks, etc. (and many of them will, despite strong recommendations to the contrary), the hackers are probably already getting started with social hacking attempts against their friends, identity theft attacks, etc. Sony: you are a fail.

Passwords

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

This repost was published in hindsight, on 11 March 2019.

Fiona wrote:

I have been uneasy for a while about my passwords, but being dyslexic and a bit lazy there was not an obvious solution to make it more secure and not lock me out. The problem that I have is anything that requires memorising a string of letters numbers and symbols just does not work in my brain. I have over come this for my normal passwords by having a small number (around 5) and adding a new one every so often and losing an old one. I take two to three words that I can spell (not a very long list) and then change them with substitution of some letters for numbers. On one occasion I managed to get punctuation in there also. However, they are used in many sites, and are easily broken in to.

Following Dan’s post on passwords combined with a visit to Dan we started looking at other solutions and settled on last pass. This looked like a good option for us. I very carefully set up the account paying close attention to where it said make sure you remember your password. The first password I chose was tolerably strong, I had not used it before and it followed the proven pattern of how I remember passwords. When I typed it in to change something it would not work. Knowing that lastpass will not let me do anything if I cant remember my password I made a word doc changing each part of the password to see where I went wrong and trying it in the filed, fourth time lucky I got the password. I then realised that this was not going to work as the bit I got wrong was an inconstancy of treating one letter as a number. So I reset my password using the old copied password.

I texted myself my new password and copied it from my phone, checked that it worked with a second sign in. Then I continued to set up my sites for last pass to sign in. When Kit came home we decided it was best if I had to write out my new password as often as possible to get it in to my head, this did not work. And after 20 min of trying every combination I could think of the same way I had before I called Kit through to see if he had any ideas. In the end the only option was the delete account and start again option. So we hit show password on the screen and copied each password in to a word doc, then we shut down the account.

This morning I have set up a new last pass account, and because my dyslexia has not gone away over night I have a new stratagie. I use SuperGenPass to change a simple password in to a more complicated password and the resulting password is used to sign in to Last Pass. This might seem convoluted, but in a world where things that I can remember are so insecure that polite coughing will open them up to anyone who chooses it is one of the few options that give security and will allow me to access my own accounts.

Anyway, I have to now go and change all my passwords again as the were made insecure in the rescue mission, but this time I have confidence of it working.

Passwords – The Least You Should Do

If you see me in person, you’ll know that this is something I rant about from time to time. But that’s only because people consistently put themselves and their friends at risk, needlessly, and sometimes those friends include me. So let me be abundantly clear:

If you’re reading this, there is at least a 95% chance that your passwords aren’t good enough. You should fix them. Today.

Let’s talk about what what we mean by “good enough”. A good password needs to be:

Long. Some of you are still using passwords that are shorter than 8 characters. The length of a password is important because it reduces the risk of a robot “brute forcing” it. Suppose a robot can guess 1000 passwords a second, and your password uses only single-case letters and numbers. If you have a 4-character password, it’ll be lucky to last quarter of an hour. A 6-character password might last a week and a half. At 8-characters, it might last a few decades. Probably less, if your password makes one of the other mistakes, below. And the robots used by crackers are getting faster and faster, so the longer, the better. My shortest password is around 12 characters long, these days.

Complex. Remember how long an 8-character password lasts against a “brute force” attack? If you’re only using single-case letters, you’re reducing that by almost a third. Mix it up a bit! Use upper and lower case letters, and numbers, as standard. Consider using punctuation, too. There’s no legitimate reason for a website to demand that you don’t have a long and complex password, so if one does seem to have unreasonable requirements: write to the owners and threaten to take your business elsewhere if they don’t get with the times.

Random. If your password is, is based on, or contains a dictionary word (in any language), a name or brand name, a date, a number plate or (heaven forbid) a national insurance number, it’s not good enough. “Brute force” attacks like those described above are usually the second line of attack against properly-stored passwords: first, a robot will try every word, name or date that it can think of, with and without capitalisation and with numbers before and afterwards. Many will also try common phrases like “iloveyou” and “letmein”. WikiHow has a great suggestion about how to make “random” passwords that are easy to remember.

Unique. Here’s the one that people keep getting wrong, time and time again. You should never, never, use the same password for multiple different services (and you should be very wary of using the same password for different accounts on the same service). This is because if a malicious hacker manages to get your password for one site, they can now start breaking into your accounts on other sites. Some people try to get around this by keeping two or three “levels” of passwords, for low-, medium-, and high-security uses. But even if a hacker gets access to all of your “low” security sites, that is (these days, frequently) still a huge amount of data they have with which to commit an identity theft.The other big reason to make sure your passwords are unique is that it makes it safer to share them, if the need arises. Suppose that for some reason you need to share a password with somebody else: it’s far safer for everybody involved if the password you share with them works only for the service you wanted to give them access to. Every person you trust is one more person who might (accidentally) expose it to a hacker by writing it down.Even if you have to memorise a complex “master” password and keep in your wallet a list of random “suffixes” that you append to this master password, different for each site, that’s a huge step forwards. It’s also a very basic level of two-factor authentication: to log in to your Twitter account, for example, you need your master password (which is in your head), plus the Twitter suffix to the password (which is written down in your wallet).

There’s been a wave of attacks recently against users of social networking websites: an attacker will break into an insecure web forum to get people’s email addresses and password, and then will try to log in to their webmail accounts and into social networking sites (Facebook, Twitter, etc.) using those same credentials. When they get a “hit”, they’ll explore the identity of the victim, learning about their language patterns, who their friends are, and so on. Then they’ll send messages or start chats with their victim’s friends, claiming to be their victim, and claim some kind of crisis. They’ll often ask to borrow money that needs to be wired to them promptly. And then they’ll disappear.

In this interconnected world, it’s important that your passwords are good not only for your benefit, but for your friends too. So if you’re guilty of any of the “password crimes” above – if you have passwords that are short (under 8 characters), simple (don’t use a mixture of cases and include numbers), predictable (using dictionary words, names, dates, etc.: even if they include a number), or re-used (used in more than one place or for more than one site) – change your passwords today.

Here’s some resources to help you do it:

WikiHow’s guide to choosing secure passwords.
PCTools’ great random password generator.
The top 500 worst passwords of all time – if yours is in here, it’s probably already been compromised.
SuperGenPass – a very good way to use a strong, unique password for every website without having to remember multiple passwords. Free.
KeePass – a great way to use a strong, unique password for every site and service without having to remember multiple passwords. Free.
LastPass – another great way to use a strong, unique password for every site and service without having to remember multiple passwords. Free (or cheap, for the premium version).

Mobile One-Time-Passwords in Ruby

I recently came across the Mobile One-Time-Passwords project, which aims to make a free, secure alternative to commercial two-factor authentication systems (like SecurID). The thinking is pretty simple: virtually everybody now carries a mobile phone capable of running basic applications, so there’s no reason that such an application couldn’t provide the processing power to generate one-time-passwords based on a shared secret, a PIN number known only to the authenticating party and to the server, and the current date and time stamp.
Great! But it turns out that despite there being libraries to produce server-side implementations of the technology in PHP, Perl, and C, nobody had yet bothered to write one in that most marvelous of programming languages, Ruby.

Well, now I have. So if anybody’s got the urge to add one-time-password based security to their Rails or Sinatra app, or would like to write an MOTP client for their Ruby-capable smartphone: well, now you can.

Copy-Pasting Passwords into Steam

Just want to know how to ‘fix’ Steam’s password field? Scroll down to “How to Fix It”

Steam & Security Theatre

You’re a smart guy. You’re not stupid about computer security. And that’s why you always make sure that you use a different password for every service you use, right? You might even use a different password for every account, even when you have different passwords on the same service. You know that there are really, really good reasons why it’s simply not good enough to, for example, have “high-security”, “general use” and “low security” passwords, and re-use each of them in several places. And if you don’t know that: well, take my word for it and I’ll explain it in detail later.

It’s no great hardship to have lots of long, complex, effectively-random passwords, these days. Tools like SuperGenPass, LastPass, and KeePass, among others, mean that nowadays it’s so easy to use a different password for every service that there’s no excuse not to. So you probably use one of those (or something similar), and everything’s great.
Except for that one application – Steam. I have Steam save my password on my desktop PC (by the time somebody steals my desktop PC and breaks into the encrypted partition on which my data files lie, I have bigger problems than somebody stealing my Just Cause 2 achievements), but it forgets the password every time that Ruth uses her Steam account on my computer. No problem, I think: I can easily copy-paste it from my password manager… nope: Steam won’t let you paste in to the password field.

What? If you ask Valve (Steam’s creators) about this, they’ll say that it’s a security feature, but that’s bullshit: it’s security theatre, at best. And at worst, it means that people like me are inclined to use less-secure passwords because it’s harder to memorize and to type out that a more-secure password would be.

How to Fix It

Well, obviously the best way to fix it would be to successfully persuade Valve that they’re being stupid: others are already trying that. But what would be nice in the meantime would be a workaround. So here is is:

Edit Program FilesSteamPublicSteamLoginDialog.res (Program FilesSteamPublicSteamLoginDialog.res on 64-bit Windows, somewhere else entirely on a Mac) using your favourite text editor (or Notepad if you don’t have a favourite). Take a backup of the file if you’re worried you’ll break it.
In the "PasswordEdit" section (starting at about line 42), you’ll see name/value pairs. Make sure that the following values are set thusly:

"tabPosition" "1"
"textHidden" "0"
style="TextEntry"

The next time you load Steam, you’ll be able to paste passwords into the password field. The passwords won’t be masked (i.e. you’ll see the actual passwords, rather than asterisks), but the dialog never loads with a password pre-populated anyway, so as long as you make sure that nobody’s looking over your shoulder while you type, you’re set!

Update: let’s face it, Valve’s security policies suck in other ways, too. Please read the tale of a friend-of-a-friend who’s desperate to change her Steam username.

A Selection Of News Items From Around The World

[this post has been partially damaged during a server failure on Sunday 11th July 2004, and it has been possible to recover only a part of it]

[more of this post was recovered on Friday 24 November 2017]

Here’s some stuff I found interesting this weekend:

Swedish health workers, in an effort to stem the growing cases of chlamydia among young people, have launched a ‘condom ambulance [BBC News]. If you find yourself ‘caught short’ in Sweden, just give them a bell and they’ll rush around to your house with a pack-of-three, for the equivelent cost of about £4.

Chinese researchers have used a carbon nanotube [Wikipedia] as a filament in a new, experimental light bulb [The Register]. This bulb emits more light and works at a lower threshold than tungsten at the same voltage, and was still functioning fine after being switched on and off 5000 times. The future of lighting?

And finally, researchers from Hebrew University in Israel may have found a solution to the problems associated with passwords. As it stands, ‘secure’ passwords are hard to remember, and often find themselves written down, whereas insecure ones can be cracker. Plus, for real security, passwords should be …

Reply #13106

Sian wrote:

People are funny. I get to look at the accounts of people who have signed up for Children First newsletter updates, and their passwords make me laugh. The number of people who’s password question is just their password is scary.
I also worry for the person who put their password question as ‘opposite of goodbye’.
Guess the password guys! Yes, it’s Hello!
Password Question: Mums Name. Password: Councillor (What?? The cruelty!)
Password Question: favourite game. Password: Boggle (yay!)
Password Question: Fish. Password: Dolphin (…?)

Most popular theme is pets name, so I’m glad pets have a purpose in this day and age. Another popular theme is the Magic Roundabout which worries me somewhat.

Anyways, I’m sure this is against some sort of rule but I found it funny.

The passwords should be one-way encrypted. Your system is insecure. This is evident by the fact that you can read everybody’s passwords. =o)