Passwords

A 42-post collection

Data breaches, vBulletin and weak password hashing

This weekend, I loaded five additional data breaches into Have I been pwned [https://haveibeenpwned.com/] (HIBP) that had come from various forums running on vBulletin. These came via supporters that had collected them from data breach traders over the years and some of them dated back quite some time. I always go to great lengths to validate that a breach is indeed legitimate and one of the ways I do that is to take a real good look at the passwords stored in the system and ensure that they do...

LogMeIn now owns LastPass – here’s how to migrate to 1Password

This is somewhat of a perplexing acquisition, but apparently LastPass is now owned by LogMeIn [https://blog.lastpass.com/2015/10/lastpass-joins-logmein.html/]. I get it in the-big-publicly-traded-company-gobbling-up-the-smaller-one kinda way, but it’s an odd marriage for a company that builds remote desktop software to buy one that builds a password manager. People aren’t real happy either when you look at the comments they’ve left on that post. Why aren’t they happy? I touched on it here: >...

It’s not about “supporting password managers”, it’s about not consciously breaking security

So this has been getting quite a bit of airtime today: > @Sacro [https://twitter.com/Sacro] Hi Ben, I understand but as a business we've chosen not to have the compatibility with password managers. Thanks, Joe — British Gas Help (@BritishGasHelp) July 14, 2015 [https://twitter.com/BritishGasHelp/status/620956147680432128] Yes, it’s ridiculous and British Gas are getting the lambasting they so deserve, but egregious security faux pas is hardly a new thing for them: > @passy [https://twitter....

What the f*** were they thinking?! Crazy website biases exposed by naughty words lists (the NSFW version)

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password [https://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html] instead.) Now I’m used to seeing all sorts of ridi...

The “Cobra Effect” that is disabling paste on password fields

Back in the day when the British had a penchant for conquering the world, they ran into a little problem on the subcontinent: cobras. Turns out there were a hell of a lot of the buggers wandering around India and it also turned out that they were rather venomous which didn’t sit well with the colonials. Ingenious as the British were, they decided to offer the citizens a bounty – you hand in dead cobras that would otherwise have bitten some poor imperialist and you get some cash. Problem solved....

Adobe credentials and the serious insecurity of password hints

Adobe had a little issue the other day with the small matter of 150 million accounts being breached and released to the public. Whoops. So what are we talking about? A shed load of records containing an internal ID, username, email, encrypted password and a password hint. Naked Security did a very good write up on Adobe’s giant-sized cryptographic blunder [http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/] in terms of what they g...

Should websites be required to publicly disclose their password storage strategy?

I don’t know how Evernote stored my password, you know, the one they think might have been accessed by masked assassins (or the digital equivalent thereof). I mean I know that their measures are robust [http://evernote.com/corp/news/password_reset.php] but then again, so were Tesco’s [https://www.troyhunt.com/2012/08/why-xss-is-serious-business-and-why.html] and according to their definition, “robust” means storing them in plain text behind a website riddled with XSS and SQL injection (among oth...

Lousy ABC cryptography cracked in seconds as Aussie passwords are exposed

45 seconds. That’s how long it took to crack 53% of the ABC’s now very public password database. That’s more than half of the almost 50,000 passwords that were publicly exposed today [http://www.cyberwarnews.info/2013/02/27/abc-australia-hacked-49561-moderator-and-user-credentials-leaked/]. How the passwords (among other data) were exposed is yet to play out, but what we now know for sure is that the mechanism the ABC used to protect these credentials was woefully inadequate. Here’s how it wa...

Stronger password hashing in .NET with Microsoft’s universal providers

Last month I wrote about our password hashing having no clothes [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html] which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to...

What do Sony and Yahoo! have in common? Passwords!

Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see [https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/]. Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty. Back in June last year after one of many Sony breaches I conducted a brief analysis [https://ww...