Passwords

A 32-post collection

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Last week I wrote a couple of different pieces on passwords, firstly about why we're going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn't be in a position where we're still dependent on passwords and people needing to understand good password management practices in order for them to work properly.This week, I wanted to focus on going beyond passwords and talk about 2FA. Per the title, not just any old 2FA...

When Accounts are "Hacked" Due to Poor Passwords, Victims Must Share the Blame

It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this:The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. This is when hackers try usernames and password combos leaked in data breaches at other companies, hoping that some users might have reused usernames and passwords across services.The second story was about a number of verified Twitter accounts having been...

Here's Why [Insert Thing Here] Is Not a Password Killer

These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf of some online service playing fast and loose with HTTPS or passwords or some other easily observable security posture. But on a fairly regular basis, I get an email from someone which effectively boils down to this:Hey, have you seen [insert thing here]? It's totally going to kill passwords!No, it's not and to save myself from repeating the same message over and over again, I want to articulate precisely why passwords have a lot of life left in them yet. But firstly, let me provide a high-level overview of the sort of product...

86% of Passwords are Terrible (and Other Statistics)

A couple of months ago, I launched version 2 of Pwned Passwords. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they're used as a black list; these are the "secrets" that NIST referred to in their recent guidance: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don't let your customers use that password! Now, as I...

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Last August, I launched a little feature within Have I Been Pwned (HIBP) I called Pwned Passwords. This was a list of 320 million passwords from a range of different data breaches which organisations could use to better protect their own systems. How? NIST explains: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. They then go on to recommend that passwords "obtained from previous breach corpuses" should be disallowed and that the service should "advise the subscriber that they need to select a different secret". This makes a lot of sense when you think about it:...

How Long is Long Enough? Minimum Password Lengths by the World's Top Sites

I've been giving a bunch of thought to passwords lately. Here we have this absolute cornerstone of security - a paradigm that every single person with an online account understands - yet we see fundamentally different approaches to how services handle them. Some have strict complexity rules. Some have low max lengths. Some won't let you paste a password. Some force you to regularly rotate it. It's all over the place. Last year, I wrote about authentication guidance for the modern era and I talked about many of the aforementioned requirements. I particularly focused on how today's thinking is at odds with many of the traditional views of how passwords should be handled. That post has a lot of guidance...

Introducing 306 Million Freely Downloadable Pwned Passwords

Edit 1: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Edit 2: The API model described below has subsequently been discontinued in favour of the k-anonymity model launched with V2. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the...

Passwords Evolved: Authentication Guidance for the Modern Era

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer, considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of accounts and very limited connectivity which made for a pretty simple threat landscape. Your "adversaries" were those in the immediate vicinity, that is people who could gain direct physical access to the system. Over time that...

Password Strength Indicators Help People Make Ill-Informed Choices

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: When website errors make no sense! @Argos_Online my password is more complex than your system can handle. What gives? @troyhunt #insecurity pic.twitter.com/64VA7qINGP— Jon Carlos (@billywizz) June 10, 2017 This was a very misleading error message on Argos' part and as it turns out, what it really mean was that they only allowed up to 20 characters in passwords. It's the classic arbitrary limit story; for various reasons which may include legacy dependencies, ignorance or very often, a database column of limited length (which then implies no password hashing and quite likely plain text storage), Argos...

Password managers don't have to be perfect, they just have to be better than not having one

LastPass had an issue the other day, a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing - nobody wants an RCE vuln in their software - but as is prone to happen with these incidents, some people went about promptly losing their minds. This prompted me to suggest the following: Password managers don't need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx— Troy Hunt (@troyhunt) April 1, 2017 The mind-losing generally centred...