Sponsored by:

Passwords

A 29-post collection

What the f*** were they thinking?! Crazy website biases exposed by naughty words lists (the NSFW version)

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password instead.) Now I’m used to seeing all sorts of ridiculous limits on passwords – no “special” character, limit of 12 chars, no spaces, can’t use letters “q” or “z”, can’t use letters at...

The “Cobra Effect” that is disabling paste on password fields

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent; cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved. Unfortunately, the enterprising locals saw things differently and interpreted the “cash for cobras” scheme as a damn good reason to start breeding serpents and raking in...

Adobe credentials and the serious insecurity of password hints

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder in terms of what they got wrong with their password storage so I won’t try to replicate that, rather I’d like to take a look at the password hints. This is an interesting one from an application security perspective and the rationale basically goes like this: In order to help people remember their passwords,...

Should websites be required to publicly disclose their password storage strategy?

I don’t know how Evernote stored my password, you know, the one they think might have been accessed by masked assassins (or the digital equivalent thereof). I mean I know that their measures are robust but then again, so were Tesco’s and according to their definition, “robust” means storing them in plain text behind a website riddled with XSS and SQL injection (among other security faux pas). Last year we saw LinkedIn breached and some millions of SHA1 passwords with no salt exposed. Last week we saw Australia’s own ABC do the same thing; it took me 45 seconds to crack 53% of those and others have since gone on to crack...

Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed

45 seconds. That’s how long it took to crack 53% of the ABC’s now very public password database. That’s more than half of the almost 50,000 passwords that were publically exposed today. How the passwords (among other data) were exposed is yet to play out, but what we now know for sure is that the mechanism the ABC used to protect these credentials was woefully inadequate. Here’s how it was done: Firstly, the dump comprises of 10 parts all listed over on Pastebin. All in all there are just under 50,000 records with the following attributes: user_id user_age user_town user_nick user_regip addedtomap user_email user_...

Stronger password hashing in .NET with Microsoft’s universal providers

Last month I wrote about our password hashing having no clothes which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to be way slower. Not half the speed or even one tenth of the speed, it needs to be thousands of times slower. The conclusion of the post was frankly, a little unsatisfying. Why? Because it essentially said “If you take my favourite technology...

What do Sony and Yahoo! have in common? Passwords!

Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see. Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty. Back in June last year after one of many Sony breaches I conducted a brief analysis and found a litany of bad password practices. Less than 1% of passwords contained a non-alphanumeric character, only 4% actually used more than two character types and 93% of passwords were between 6 and 10 characters long. What made the Sony analysis particularly easy (and relevant) was that there was...

Our password hashing has no clothes

In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm the stored password could only be validated by hashing another password (usually provided at logon) and comparing them. Everyone was happy. Then along came those pesky rainbow tables. Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables then compared to existing hashed passwords (often breached from other people’s databases) at an amazing rate of knots thus disclosing the original plain text version. Bugger. So we started seasoning our passwords with salt. Adding random bytes to the password before it was hashed introduced unpredictability which was the kryptonite...

I’d like to share my LinkedIn password with you – here’s why

No really, this is my LinkedIn password: y>8Q^<6mqKEA4hac Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach. The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing. But what’s also astonishing is that this exercise once again demonstrates that we, as users, are continuing to choose outrageously stupid passwords. How do I know this? Take a look at leakedin.org and try something obvious: And here it is: Now try your old LinkedIn password which, of course, you’ve already changed. Don&...

Everything you ever wanted to know about building a secure password reset feature

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them to a canonical resource on the ins and outs of securely implementing a reset function. Problem is though, there isn’t one, at least not covering everything I believe is important. So here it is. You see, the world of forgotten passwords is actually a little murky. There are plenty of different perfectly legitimate...