Passwords

Edit: The following day, I loaded another set of passwords which has brought this up to 320M. More on why later on. Last week I wrote about Passwords Evolved: Authentication Guidance for the Modern Era with the aim of helping those building services which require authentication to move into the modern era of how we think about protecting accounts. In that post, I talked about NIST's Digital Identity Guidelines which were recently released. Of particular interest to me was the section advising organisations to block subscribers from using passwords that have previously appeared in a data breach. Here's the full excerpt from the authentication & lifecycle management doc (CSP is "Credential Service Provider"): NIST isn't mincing words here,...

In the beginning, things were simple: you had two strings (a username and a password) and if someone knew both of them, they could log in. Easy. But the ecosystem in which they were used was simple too, for example in MIT's Time-Sharing Computer, considered to be the first computer system to use passwords: We're talking back in the 60's here so a fair bit has happened since then. Up until the last couple of decades, we had a small number of accounts and very limited connectivity which made for a pretty simple threat landscape. Your "adversaries" were those in the immediate vicinity, that is people who could gain direct physical access to the system. Over time that...

I watched a discussion unfold on Twitter recently which started like so many of the security related ones I see: When website errors make no sense! @Argos_Online my password is more complex than your system can handle. What gives? @troyhunt #insecurity pic.twitter.com/64VA7qINGP— Jon Carlos (@billywizz) June 10, 2017 This was a very misleading error message on Argos' part and as it turns out, what it really mean was that they only allowed up to 20 characters in passwords. It's the classic arbitrary limit story; for various reasons which may include legacy dependencies, ignorance or very often, a database column of limited length (which then implies no password hashing and quite likely plain text storage), Argos...

LastPass had an issue the other day, a rather nasty one by all accounts that under certain (undisclosed) circumstances, it looks like it could lead to someone's password (or possibly passwords) being disclosed by virtue of a remote code execution vulnerability. This is not a good thing - nobody wants an RCE vuln in their software - but as is prone to happen with these incidents, some people went about promptly losing their minds. This prompted me to suggest the following: Password managers don't need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx— Troy Hunt (@troyhunt) April 1, 2017 The mind-losing generally centred...

This weekend, I loaded five additional data breaches into Have I been pwned (HIBP) that had come from various forums running on vBulletin. These came via supporters that had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a real good look at the passwords stored in the system and ensure that they do indeed adhere to the sorts of password patterns we’re used to seeing (i.e. poorly chosen and often including the name of the site). Fortunately for my purposes here –...

This is somewhat of a perplexing acquisition, but apparently LastPass is now owned by LogMeIn. I get it in the-big-publicly-traded-company-gobbling-up-the-smaller-one kinda way, but it’s an odd marriage for a company that builds remote desktop software to buy one that builds a password manager. People aren’t real happy either when you look at the comments they’ve left on that post. Why aren’t they happy? I touched on it here: Very interesting to see how many people say they will now leave @LastPass as a result of the @LogMeIn acquisition. Reputation is critical.— Troy Hunt (@troyhunt) October 10, 2015 You see, entrusting all your passwords to one organisation is a big thing. Companies...

So this has been getting quite a bit of airtime today: @Sacro Hi Ben, I understand but as a business we've chosen not to have the compatibility with password managers. Thanks, Joe— British Gas Help (@BritishGasHelp) July 14, 2015 Yes, it’s ridiculous and British Gas are getting the lambasting they so deserve, but egregious security faux pas is hardly a new thing for them: @passy We'd lose our security certificate if we allowed pasting. It could leave us open to a "brute force" attack. Thanks ^Steve— British Gas Help (@BritishGasHelp) May 6, 2014 But here’s what really gets me and this tweet sums it up perfectly: @troyhunt I...

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password instead.) Now I’m used to seeing all sorts of ridiculous limits on passwords – no “special” character, limit of 12 chars, no spaces, can’t use letters “q” or “z”, can’t use letters at...

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent; cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved. Unfortunately, the enterprising locals saw things differently and interpreted the “cash for cobras” scheme as a damn good reason to start breeding serpents and raking in...

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder in terms of what they got wrong with their password storage so I won’t try to replicate that, rather I’d like to take a look at the password hints. This is an interesting one from an application security perspective and the rationale basically goes like this: In order to help people remember their passwords,...