Passwords

A 29-post collection

Zappos, Stratfor, Sony, Gawker; Got your attention? Good, now start using a password manager!

Another week, another major security incident with a significant website. So the news this time is that Zappos – those guys who sell shoes (among other things) to folks in the US – may have, uh, accidentally disclosed somewhere in the order of 24 million user accounts. Bugger. Now of course at the root of this is inevitably yet more evildoers intent on breaking through website security for financial gain, activism or just plain old kicks. Regardless of the modus operandi of these incidents, the fact remains that a significant number of accounts have been exposed and there’s now the real possibility that usernames and passwords – perhaps your username and password – are going to be floating...

I’m sorry, but were you actually trying to remember your comical passwords?

I love a good XKCD comic; Randall Munroe has a unique way of cutting right to the crux of technology issues and always doing it in a humorous fashion. Little Bobby Tables remains an all-time classic and it’s amazing how many times you’ll see it quoted in security discussions – it’s now well and truly embedded in pop culture (well, at least in the little app-sec corner of the world). Last week’s password strength comic was no exception; very funny stuff about the pain people will go to in order to create a strong password which they’ll ultimately forget. Anyway, the crux of the comic was this piece about using...

The science of password selection

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password. But there was one important question I left unanswered and that was how people choose their passwords. We now know...

A brief Sony password analysis

So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts wasn’t bad enough, numerous other security breaches in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com. As bad guys often like to do, the culprits quickly stood up and put their handiwork on show. This time around it was a group going by the name of LulzSec. Here’s the interesting bit: “Sony stored over 1,000,000 passwords of its customers in plaintext”. Well actually, the really interesting bit is that they created a torrent of some of the breached accounts so that anyone could go and grab a copy. Ouch. Remember these...

Bad passwords are not fun and good entropy is always important: demystifying security fallacies

A couple of different friends sent me over a link to an article about The Usability of Passwords this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line: “Security companies and IT people constantly tell us that we should use complex and difficult passwords. This is bad advice.” The crux of the article (and subsequent FAQ) is that so long as a password is sufficiently long – the example used is “this is fun” – you’re pretty damn secure (apparently eleven characters is just right). Actually, the term used was secure forever. Wow, two pretty absolute terms. This actually sounded alarmingly...

The 3 reasons you’re forced into creating weak passwords

Banks don’t get it. Telcos struggle with it. Airlines haven’t got a clue. That’s right folks, it’s password time again. Earlier in the year I wrote a little post about the who’s who of bad password practices. I named, I shamed and I got a resounding chorus of support. The point was made. But it still bugged me. Why were our banks and airlines so consistently forcing us to choose poor passwords? Why do they constrain our length, discriminate against our character types and in some cases, even discard the entire alphabet? I mean there must be a reason, right? So I asked each one of them. Please explain. What I did...

The only secure password is the one you can’t remember

Let’s assume you log onto a bunch of different websites; Facebook, Gmail, eBay, PayPal, probably some banking, maybe a few discussion forums and probably much, much more. Do you always create unique passwords such that you never use the same one twice? Ever? Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they “strong”? If you can’t answer “yes” to both these questions, you’ve got yourself a problem. But the thing is, there is simply no way you can remember all your unique, strong passwords and the sooner you recognise this, the sooner you can embrace a more secure alternative. Let...

Who’s who of bad password practices – banks, airlines and more

Ah, passwords. Love ‘em or hate ‘em, they’re a necessary evil of the digital age. The reality is we all end up with an alphabet soup of passwords spread over dozens of various sites and services across the internet. Whilst we might not always practice it, we all know the theory of creating a good password; uniqueness, randomness and length. The more of each, the better. Of course we frequently don’t do this because of all sorts of human factors such as convenience, memory or simple unawareness of the risks. Still, when it’s a case of individuals electing not to create secure passwords, they really only have themselves to blame. But what...

Why your app’s security design could affect sales of Acai berries

Here’s the thing about securing credentials in web apps; you’re not just responsible for securing your application, you’re also responsible for securing your customer’s identities. Let me demonstrate:

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, fuckyou, starwars, shadow, princess, cheese

These 25 passwords were used a total of 13,411 times by people with Gawker accounts. The first one – 123456 – was used over two and a half thousand times alone. How do we know this? Because every one of these passwords and hundreds of thousands more were stolen from Gawker last month and released into the wild...