The age of the password has come to an end...
November 16, 2012 4:20 PM

 
The crazy part about this is that a person actually chose to give Apple remote access to wipe their devices...

they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture

How about not signing up for iCloud? I use my Macbook Pro just fine without it, thanks.
posted by thewalrus at 4:25 PM on November 16, 2012 [6 favorites]


The premise of the article is entirely 100% true -- and we are well overdue to make two (or more) factor authentication a standard practice.
posted by chimaera at 4:25 PM on November 16, 2012 [3 favorites]


Funny, I just finished reading this on my Kindle.
posted by nrobertson at 4:25 PM on November 16, 2012


Basic security precaution: Don't login to anything on random public/semi-public computers. Assume that any computer you have not personally set up has an operational keystroke logger on it.
posted by thewalrus at 4:27 PM on November 16, 2012 [1 favorite]


I read this and immediately considered transferring the contents of my bank accounts to the underside of my mattress. terrifying.

but as long as I'm not living on a commune, it is really hard to exist in the modern age without being connected. it makes so many things so much more efficient..

except icloud. I flat out refuse to ever use that service..
posted by ninjew at 4:28 PM on November 16, 2012


Owncloud. For those comfortable with a Linux CLI you can install it on a $7/month VPS.
posted by thewalrus at 4:32 PM on November 16, 2012 [2 favorites]


Yeah, two-factor auth. You could also use client side certs.
posted by Ad hominem at 4:34 PM on November 16, 2012 [1 favorite]


But... didn't he get hacked by someone not knowing his password, but instead conning apple into changing it?

It seems like the password actually did its job in that case...
posted by madajb at 4:34 PM on November 16, 2012 [7 favorites]


Having a remote wipe service is not crazy. Not having backups is crazy. If you don't have backups, you don't have data.

Seriously, PSA time: have backups for your data! Use an external hard drive, use a remote Internet service like backblaze, just use something. People have quibbles about specifics, but anything is better than nothing.

There are protections in law for bank fraud, and you can get your money back. But if you don't have backups, there are no protections that will get you documents and pictures and emails back.
posted by Llama-Lime at 4:39 PM on November 16, 2012 [6 favorites]


There will be technical, cloud-centric solutions for personal privacy. Ethical architecture is entirely possible. Check MeFi projects in the coming months.
posted by clarknova at 4:44 PM on November 16, 2012 [5 favorites]


Say I was willing to sacrifice convenience for security, but also that I had a terrible memory. What's the solution? Something like 1Password? Or long random passwords, meaningless security questions, and a laminated card with the passwords that I carry with me at all times like the nuclear football?
posted by supercres at 4:44 PM on November 16, 2012


Strikes me the answer is not have to have a covetable Twitter username. Which means I'm totally safe.

And yeah, yeah, have backups, two-factor auth etc. etc.
posted by jontyjago at 4:46 PM on November 16, 2012


I use two factor authentication on my Google and Battle.net accounts. It's not perfect but miles above relying on a single password. I'd really love to see two factor authentication for iCloud, it's the only reason I continue to use my gmail account.

I think I've heard you can use two factor with Dropbox and Google's Authenticator app. Is there a list of apps/sites that have two factor auth available?
posted by polyhedron at 4:46 PM on November 16, 2012


Scene: Wired offices, mid-June 2012.

Matt Honan: "Man, I really have no idea what to write for these next few articles I'm slated to do. I've got a few ideas, but I'm just not sure..."

Wired editor: "Well, what were you thinking about?"

MH: "I had some notes on passwords, but..."

WE: "Nope, not cool enough. We're the new Wired, remember? Gotta have that engaging human dimension."

MH: "Well, I'm just not sure, then."

WE: "You should sex it up, then."

MH: "Huh?"

WE: "Choose a really terrible password, make sure all your security questions are obvious and easily identifiable, and then 'hack' yourself. You can make a huge deal of it, talk about how your whole life was almost destroyed."

MH: "Wow, that's a great idea!"

WE: "Yep. And the best part is, you can get at least a dozen articles out of this. For the next six months at least, you'll be wringing your hands in the pages of any number of web-zines and print periodicals, talking about how you could have lost everything. People eat that stuff up. It'll be at least December before people start to get sick of it. You can just go ahead and tell this exact same story over and over and over and over again, getting paid for it every time."

MH: "This is fantastic! I'm going to go do this right now."

Exeunt.
posted by koeselitz at 4:46 PM on November 16, 2012 [19 favorites]


Well the real lesson here is that you really have no chance against a focused attack. You can only hope to throw up so many barriers people give up. With enough resources you can break into anything. For SMS based two factor auth I could intercept messages in some way, walk into the store, say my phone was stolen, get a new phone I now get your SMS on. With RSA keyfob two-factor auth I can just request a new one and steal your mail. The only hope is that people don't care enough to go to all those lengths and give up if it isn't easy.
posted by Ad hominem at 4:46 PM on November 16, 2012 [1 favorite]


It seems like the password actually did its job in that case...

And that's my point in a nutshell. (Hi I'm Mat.) The password is meant to protect us, but there are so very many ways around it. It's a false sense of security, in some sense it's akin to the security theater you see at TSA.

Not having backups is crazy.

Completely agree. And I don't think there's anything wrong with a remote wipe service--but I do think it should have a secondary form of authentication.

Also, koeselitz. It's Mat. One T.
posted by emptyage at 4:47 PM on November 16, 2012 [29 favorites]


Ha. Sorry, Mat.
posted by koeselitz at 4:48 PM on November 16, 2012 [1 favorite]


(Still, I may as well note the last thread about this story.)
posted by koeselitz at 4:49 PM on November 16, 2012


But... didn't he get hacked by someone not knowing his password, but instead conning apple into changing it?

Yeah, I don't think passwords are really the whole or even most of the issue. Most of these hacks happen because you can reset your (Gmail, Yahoo, etc) email password just by knowing a person's billing address, usually easily found out through sites like Spokeo. I guess two factor would help, but say you lose your RSA token, how do you authenticate to get a replacement? Using your mobile as a second factor is an OK solution for major things like password resets etc. Though, I know for sure I have some accounts (say my Yahoo mail I barely check anymore) that have my phone number from 10 years ago. I think eventually when people trend to have one phone number for a very long time (now that area codes hardly matter and you have virtual number services) that this will work well for most people. Of course, there's the circular question of how you reset your password for your virtual Google Voice number that you're using as a second factor.
posted by ill3 at 4:49 PM on November 16, 2012 [1 favorite]


The crazy part about this is that a person actually chose to give Apple remote access to wipe their devices...

Are you saying that remote wipe is crazy or that Apple is untrustworthy? I think remote wipe makes a ton of sense in the age of portable devices. Someone with physical access to a device can always break into it, so you need to have a mechanism to make the data disappear in the case of theft or loss. The data are backed up in 2 or 3 other places, of course.
posted by mr_roboto at 4:53 PM on November 16, 2012


Assume that any computer you have not personally set up has an operational keystroke logger on it.

I'm not even sure that's going to be enough for very long, given governments' interest in backdooring each other's chips. Eventually you'll need to make sure you design and fabricate the hardware too.
posted by RobotVoodooPower at 4:57 PM on November 16, 2012 [2 favorites]


Incidentally – as an owner of a few iDevices, Apple's response to this whole thing has really bothered me. They seem to have decided that the solution to the limitations of security questions is to add four more security questions. The article is absolutely correct, as much as I might feel like I've read the human angle many times now; multiple-factor authentication is the way we need to be going. It bothers me that Apple hasn't done that yet.
posted by koeselitz at 4:57 PM on November 16, 2012 [2 favorites]


I think remote wipe makes a ton of sense in the age of portable devices.

Funnily enough, I had my tablet stolen this morning on the way into work. Cue panicked changing of passwords, but on the plus side I did get to remote wipe at least one of the OSes on the device. I wish I'd thought to install the same capacity on the Android partition. Lesson learned for next time, assuming I don't get my identity sto- HEY WHAT ARE YOU DOING IN THIS VIDEO?
posted by running order squabble fest at 5:01 PM on November 16, 2012


I think remote wipe makes a ton of sense in the age of portable devices. Someone with physical access to a device can always break into it, so you need to have a mechanism to make the data disappear in the case of theft or loss.

Why not remote encryption instead? You "wipe" it remotely, and Apple encrypts the data with a key that only they know. If you prove it was a mistake or unauthorized, they give you the key and you get your data back. Security doesn't have to be foolproof as long as there is a way to reverse a mistake. Like if someone steals your credit card, as long as you can get the charges reversed it's not a big deal. Similarly online security should take into account the fact that unauthorized access is going to happen and have plans to make sure that they can recover from it when it does.
posted by burnmp3s at 5:07 PM on November 16, 2012 [3 favorites]


A reminder about how Honan described the initial hack:

They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Gizmodo described it like this:

Hackers Got Into Reporter’s iCloud Account With Deception, No Password Required

...Mat might have a bit more information floating around out there than the average iCloud user, but if that information wasn't literal answers to his security questions, that shouldn't really have mattered. Until the gritty details of the deceptive conversation come out, there's not much users can do to protect themselves from something similar.


Did Mat ever offer any more "gritty details" about what happened between Apple and the hacker?
posted by mediareport at 5:08 PM on November 16, 2012


Did Mat ever offer any more "gritty details" about what happened between Apple and the hacker? Yes I did
posted by emptyage at 5:11 PM on November 16, 2012 [2 favorites]


I think Mat's story is great, I just wish it was stronger in recommending some technical alternative to passwords. The real solution here is a delegated authentication protocol like OpenID, BrowserID/Persona, OAuth, or Facebook Connect. Asking users to maintain 100+ strong passwords is ridiculous. Password agents like 1Password or LastPass work OK for now, but those agents become high value targets themselves and the core design is not very secure.

Delegated authentication designed from the beginning to be secure is the solution. And we've had technical implementations of that going back at least 10 years (Microsoft Password, client-side SSL, OpenID). The reason they haven't succeeded is a combination of product design and political problems. Mozilla's BrowserID / Persona project is looking promising. Tim Bray at Google has also been talking about identity a lot lately, maybe Google will offer a solution too.

Apologies for recycling a comment I made a couple of days ago to another forum.
posted by Nelson at 5:12 PM on November 16, 2012 [2 favorites]


Just to add further hubris to the thread.... I use a different email address (all point to the same wildcard domain mailbox) for everything I sign up for. I originally did this as an anti-spam measure, but the separation of personal email and password recovery email is a handy security benefit.
posted by Busy Old Fool at 5:21 PM on November 16, 2012 [1 favorite]


After Mat's earlier articles, I went on a tear through my online accounts, large and small, updating and randomizing absolutely every login password for every account I could remember having. Thanks, Mat. :-)

I have been uncomfortable with the Lost Password questions for a long time, and have tended to use familiar (to me) but nonsensical answers, but I am now debating using randomized answers to these questions and storing the answers as additional info in 1Password. Paranoid? Sure, but even then that doesn't really solve all of these social engineering and SSN flaws.

*sigh*
posted by insert.witticism.here at 5:22 PM on November 16, 2012


Google gives you the tools to integrate two-factor authentication to your site for FREE.

Guild Wars 2 started using it after a spate of hacked accounts due to idiot users with shitty passwords. More sites should use it.
posted by Talez at 5:22 PM on November 16, 2012 [1 favorite]


Most of us benefit from security through obscurity. My gmail address and hashed (and possibly even plaintext) passwords were scooped up during the Gawker hacks. There's evidence that a few people tried to access my linked-in profile using that. And yet, no one tried to socially engineer any company to get further access to my data. Why? Because I'm nobody.

I think it's important to remember this when considering internet security - most people do not need an elevated level of protection from hackers who are monomaniacal about accessing their specific account.
posted by muddgirl at 5:25 PM on November 16, 2012 [1 favorite]


Great opening line to this article btw.
posted by nathancaswell at 5:29 PM on November 16, 2012 [1 favorite]


(by "passwords" I mean my rather weak but unique password that I used for gawker websites)
posted by muddgirl at 5:29 PM on November 16, 2012


most people do not need an elevated level of protection from hackers who are monomaniacal about accessing their specific account.

The unfortunate thing is that hackers, and criminals in general, are nothing if not capricious about who they focus on.
posted by Ad hominem at 5:40 PM on November 16, 2012


I agree with much of this article, but the one thing I strongly disagree with is using bogus answers to security questions. He does hedge with "make them memorable", but the wide variety of security question configurations means that in order to make them memorable, you'll need to either (a) have some kind of mapping of "question type" to "fake answer" or (b) go with some ordered list of fake answers regardless of the questions. The problem with (a) is, again, there are so many different security questions nowadays that you'd be hard-pressed to make this repeatable and memorable, and the problem with (b) is that you're usually not going to know which "question number" you're getting when you're prompted for a security question, so you'll end up trying them randomly and probably locking your account (then spending time on the phone trying to explain why your mother's maiden name is "Purple Monkey Dishwasher".)

I understand the problem that "use fake answers" is trying to solve, but I think it ends up making the situation worse. Once you stop using real answers that are burned into your brain and start using some fake thing you have to remember, you're better served just sticking that entropy in the password field itself rather than abusing the security questions.
posted by tonycpsu at 5:43 PM on November 16, 2012 [1 favorite]


Whoever creates a viable, secure alternative to passwords is going to be the next Google.

Unless it's Google, in which case, they're Google already.
posted by MrVisible at 5:45 PM on November 16, 2012 [2 favorites]


Say I was willing to sacrifice convenience for security, but also that I had a terrible memory. What's the solution? Something like 1Password? Or long random passwords, meaningless security questions, and a laminated card with the passwords that I carry with me at all times like the nuclear football?

"monkeydonutfacebook" is more than enough. Use the same pattern for other websites "monkeydonutmetafilter". And so on.
posted by gjc at 5:45 PM on November 16, 2012


"monkeydonutfacebook" is more than enough. Use the same pattern for other websites "monkeydonutmetafilter". And so on.

How is this more secure than using the same complex password across the board? If I figure out your password on metafilter is "monkeydonutmetafilter" it's not a difficult jump to get to "monkeydonutfacebook" or "monkeydonutgmail."
posted by almostmanda at 5:50 PM on November 16, 2012


almostmanda: To a determined hacker who's actually examining your password, not much. To automated attacks, having the site-specific prefix/suffix/whatever limits the damage.
posted by tonycpsu at 5:52 PM on November 16, 2012


Ad hominem: "For SMS based two factor auth I could intercept messages in some way, walk into the store, say my phone was stolen, get a new phone I now get your SMS on."

Not unless you know my secret code, which is not the last four of my social. Of course, you could always just pay off a clerk to help you. It's not as if they can't see/modify accounts without it.
posted by wierdo at 5:59 PM on November 16, 2012


I'm the real emptypage, but some guy named 'Mat' hacked my account.
posted by zippy at 6:09 PM on November 16, 2012 [7 favorites]


The unfortunate thing is that hackers,and criminals in general, are nothing if not capricious about who they focus on.

But it seems to me that there are few monomaniacal hackers focusing on few targets. Extreme protection against a rare threat is a hard sell. Can we quantify how many people have suffered the same level of breach that Honan has suffered? Surely other people have come forward since the Wired article?
posted by muddgirl at 6:18 PM on November 16, 2012


I agree with much of this article, but the one thing I strongly disagree with is using bogus answers to security questions. He does hedge with "make them memorable", but the wide variety of security question configurations means that in order to make them memorable, you'll need to either (a) have some kind of mapping of "question type" to "fake answer" or (b) go with some ordered list of fake answers regardless of the questions. The problem with (a) is, again, there are so many different security questions nowadays that you'd be hard-pressed to make this repeatable and memorable, and the problem with (b) is that you're usually not going to know which "question number" you're getting when you're prompted for a security question, so you'll end up trying them randomly and probably locking your account (then spending time on the phone trying to explain why your mother's maiden name is "Purple Monkey Dishwasher".)

No, you use the same password managing software you use for all your other passwords, and then for each site with security questions you add this information:

Sitename.com
Question 1: mothers maiden name
Answer 1: [20 character random string]
Question 2: city you were born in
Answer 2: [different 20 character random string]
Etc...
posted by tylerkaraszewski at 6:54 PM on November 16, 2012 [1 favorite]


Say I was willing to sacrifice convenience for security, but also that I had a terrible memory. What's the solution? Something like 1Password? Or long random passwords, meaningless security questions, and a laminated card with the passwords that I carry with me at all times like the nuclear football?

Instead of using a nuclear football, how about making the analogy your house key. You carry that everywhere with you, right? Nobody expects you to memorize the shape of your key and recite it every time you need to get in your house, you just bring it with you.

And 1Password (or similar) will run on the phone you *already* carry with you, so you don't even need an extra object to carry around, but you could use a small USB drive if you wanted.
posted by tylerkaraszewski at 7:01 PM on November 16, 2012


The article doesn't say "use 1passwd or lastpass to fill in 20 character random strings." It says pick a memorable fake answer, which has the problems I described.

Your solution is basically "write your fake answers (in the form of 20 character random strings) down" except you're writing it down in the password manager. More of a workaround than a solution.
posted by tonycpsu at 7:05 PM on November 16, 2012


Data protection is within my sphere where I work, as I tell people, at least once a day: "Data you haven't backed up is data you don't want to keep."

Two-factor helps sure, also not having a credit card does wonders.
posted by Cosine at 7:20 PM on November 16, 2012


Mr. Honan's experience happened because human beings bent the established security rules (social engineering), not because passwords don't work. Passwords provide an insane level of security - if you follow the guidelines for using them exactly. Which is hard for humans to do.

I'm surprised that a facility like LastPass or KeePass isn't built in to every browser by now. That would make the right thing (using strong and unique passwords for every internet site or service) the easy thing (the user only has to remember one good password), and I expect it would increase the average person's web security a great deal.

Google's two-factor authentication relies on cell phones in practice, doesn't it? Is phone cloning unheard of today for some reason? I don't see why that style of two-factor auth is any more than a speed-bump for a determined attacker making a targeted attack.
posted by Western Infidels at 7:59 PM on November 16, 2012 [1 favorite]


How is this more secure than using the same complex password across the board? If I figure out your password on metafilter is "monkeydonutmetafilter" it's not a difficult jump to get to "monkeydonutfacebook" or "monkeydonutgmail."

Because if someone can figure out your password for one site, then you are compromised and it doesn't matter what your passwords are- they've got them.

But those are hard passwords for computers to guess, because they are long. And they are easy to remember because they are only three "tokens" to your brain.
posted by gjc at 8:19 PM on November 16, 2012
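gjc's pattern puts the site name in the password in the clear, which is exactly why almostmanda can step from "monkeydonutmetafilter" to "monkeydonutfacebook". The standard way to get one password per site from one memorised secret without that linkability is a keyed derivation: the site name goes into the salt of a password-based KDF, so the per-site outputs are unrelated strings even though they all come from the same master. The block below is an added example, not code from the thread or from any password manager mentioned in it; the master secret is a constructed placeholder, and the length and iteration count are assumptions.

```python
import base64
import hashlib

# Constructed example master secret (not a real password): the single secret
# the user memorises. Every per-site password is derived from it.
MASTER = "example master secret, not a real one"


def site_password(master: str, site: str, version: int = 1,
                  length: int = 20, iterations: int = 100_000) -> str:
    """Derive a per-site password with PBKDF2-HMAC-SHA256.

    The normalised site name plus a version counter form the salt, so:
    - the same master always gives the same password for a site,
    - two sites' passwords share no visible structure, and
    - bumping `version` rotates one site's password without touching the rest.
    """
    salt = f"{site.strip().lower()}:{version}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    # base64 yields letters, digits, '+' and '/'; trim to the site's length limit
    return base64.b64encode(key).decode("ascii")[:length]


def common_prefix_len(a: str, b: str) -> int:
    """Leading characters two passwords share: a crude linkability check."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    for site in ("metafilter", "facebook", "gmail"):
        print(site, site_password(MASTER, site))
    print("pattern passwords share",
          common_prefix_len("monkeydonutmetafilter", "monkeydonutfacebook"), "chars")
    print("derived passwords share",
          common_prefix_len(site_password(MASTER, "metafilter"),
                            site_password(MASTER, "facebook")), "chars")
```

The trade-off tonycpsu alludes to still holds: an attacker who learns the master secret gets every site, which is why the iteration count is high (to slow offline guessing if one derived password leaks and the scheme is known) and why the version counter exists (so a site that forces a password change can be rotated without changing the master).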


Too much Wired hate in this thread.

I'm going to quote the article, just pretend it came from me, m'k? You know, a former Lead Engineer on the Network Security team for the third most attacked network on the internet?

Here we go:
This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.

Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense.

Oh yeah, he casually drops in there that RSA token users are fuXXorzd, too.

Two-Factor was supposed to be the way out of this mess. Two factor is now compromised with both soc-eng and technical hacks. Now, what?

I can kind of, sort of, keep everything distinct and firewalled (so to speak) from each other, and tools like OnePassword help (massive and randomized passwords changed on a bi-weekly basis automatically? Yus, plz.) - but it's not enough to protect average users, or even power users who play by what are understood by most people to be The Rules.

The Rules:

1) 16 character password.
2) Don't use dictionary words, don't rely on number-for-letter substitutions.
3) Lie when setting up the security questions, ie: "What was the name of your first pet?" should not be "Fido" but ",09Vbh8%6&gfrE)s@" - also, you need to memorize ",09Vbh8%6&gfrE)s@", and not use it again as the answer to any other security question and also you can't use it as a password anywhere. You also need to forget it in a month when you learn a new one.
4) No one reads down here. Superman wears his underpants on the outside. I can eat a glowstick. If you're giggling, you're a nerd who reads. Most users aren't.
5) In conclusion, they can soc-eng their way into one of your accounts, and use that to leverage way more than you'd think possible, as they are evil cumstains, and the service operators and webmasters and admins and whoever are generally too hassled by other bullshit to notice or care, so they treat you both as if you're you.
posted by Slap*Happy at 8:29 PM on November 16, 2012 [5 favorites]


I'm not sure there's anything really wrong with passwords -- certainly, simply having a password isn't enough, and there are always ways around them, but as a basic framework for authentication I haven't seen anything better.

One thing I do like about passwords is that they are personal -- I used 1Password for a while, and I never stopped being spooked by the idea that there was a machine that had access to literally everything important to me, and I was relying entirely on that one machine to never be fooled by an imposter. On the opposite end, I've been burned a few times by Google's 2-factor authentication, when I haven't been able to receive a text message.

I think good password management is possible, and lies in making passwords
- hintable,
- reconstructable, and
- unintelligible in isolation

Basically, treat the password like a one-way hash. The hint is like the data, and the reconstruction technique is like the salt. Without both, you can't generate the password, and you can't derive either from the password itself.

One technique I like works a bit like this:

Say I make my construction "the first letter of the first sentence of a chapter in a book available from Project Gutenberg."

So for a new password, I browse until I find something that might work, and end up at Chapter 10 of War of the Worlds, which starts:
Leatherhead is about twelve miles from Maybury Hill.

So the password would be
LiatmfMH.
or even better
Lia12mfMH.

Note that this password
- has upper and lower case letters in a non-obvious pattern
- has both numbers and letters, also in a non-obvious pattern
- includes punctuation

Basically, this is almost as strong as a completely random string of alphanumeric characters. I can also make it arbitrarily long, since I could always take the first several sentences, or the first 20 words, or anything.

Now, what I write down is:
WW10
for War of the Worlds, chapter 10, or better yet
tripod
since that's the chapter where the narrator first sees a tripod.

Knowing my system, seeing "tripod" leaves no doubt where the relevant text comes from, but outside of that context it's meaningless.

As a bonus,
- the actual sentence isn't that hard to remember -- certainly easier for me than correct horse battery staple.
- if I do forget the sentence, I can easily get the source online, or even have it on my phone/Kindle as an unassuming e-book. Security through obscurity has its places.

The drawback is mostly in the legwork required to find a source for a new password and figure out an appropriate hint for it. As a result, I still reuse passwords more than I'd like. But I'm convinced that this is both easier and more secure than the technological fixes.
posted by bjrubble at 8:32 PM on November 16, 2012 [4 favorites]
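bjrubble's construction rule is deterministic enough to write down as a function: first character of each word with case kept, spelled-out numbers replaced by digits ("twelve" becomes "12"), punctuation carried through, and the hint resolved against the source text. The block below is an added example illustrating that rule, not code from the post; the number-word table and the hint table are constructed (the one source sentence is the War of the Worlds line quoted above).

```python
import re

# Spelled-out numbers the rule swaps for digits. Assumption: the post shows
# only "twelve" -> "12"; the rest of the table is filled in for illustration.
NUMBER_WORDS = {
    "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "eleven": "11", "twelve": "12", "twenty": "20", "fifty": "50",
    "hundred": "100",
}

# Constructed hint table: what gets written down -> the sentence it points at.
# In the post the text itself lives in the book, not in a file like this.
SOURCES = {
    "tripod": "Leatherhead is about twelve miles from Maybury Hill.",
}

# words (with apostrophes), bare digits, or the punctuation we keep
_TOKEN = re.compile(r"[A-Za-z']+|\d+|[.,;:!?]")


def acronym_password(text: str, digits: bool = True) -> str:
    """Apply the rule to a sentence (or several sentences for a longer password):
    first character of each word, digits for number words when `digits` is set,
    punctuation kept in place."""
    out = []
    for tok in _TOKEN.findall(text):
        if tok in ".,;:!?" or tok.isdigit():
            out.append(tok)
        elif digits and tok.lower() in NUMBER_WORDS:
            out.append(NUMBER_WORDS[tok.lower()])
        else:
            out.append(tok[0])
    return "".join(out)


def password_from_hint(hint: str, digits: bool = True) -> str:
    """Reconstruct the password from the hint; the hint alone is useless to
    anyone who lacks both the source text and the rule."""
    return acronym_password(SOURCES[hint], digits)


if __name__ == "__main__":
    print(password_from_hint("tripod", digits=False))  # LiatmfMH.
    print(password_from_hint("tripod"))                # Lia12mfMH.
```

One practical check when using a scheme like this: run the source sentence through the rule once and confirm the result is what you remembered, because a difference in whether "twelve" became "12" or "t" is exactly the kind of thing that locks an account after three tries.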


I have not read all of the responses to this thread but ...

Secure access to restricted 'resources' is hardly unknown. I see references to 2-step verification, or other means of providing authentication in lieu of a static password.

So you have something like Google's 2-step verification as the answer?

This is an extension of ANSI X9.17 (not new at all) which provides a CSPRNG. The ANSI papers require payment, but the basic concept, if you understand hash algorithms, is that seeding the algorithm with a timestamp will defeat procedural, or 'brute force', attempts to defeat security on a normal field. The raw value would be a number of bits equal to the hash algorithm's output (my understanding for commercial mainstream support is 512 or 1024 bits for normal purposes). The 'random' bits would be normally equal to the number of ticks recorded by the client system.

Integrating the random number as above into the output on an on-demand basis gives you the foundations of a 2-step process as you might have with Google (my own experiences imply that I have a 30 second window to type in the correct code; this is consistent with having a time-based counter integrated with a 'base' hash algorithm).

Another solution is DUKPT where there exists a mutually-accepted base key upon which transformations are applied (ANSI X9.24, required payment to view). The basic take-away of this approach is that there is an explicit agreement between the communicating parties, as would exist in the 2-step process described above, except that in this case the derived value for authentication did not depend on time; rather it favors a count of transmissions.

In either case, for complete security in all transactions, you have to be sure of synchronicity; in the case where you (the client) or the host go 'off by a bunch' or even 'off by one', your ability to communicate is essentially reduced to 'no'.

I don't have a lot of time to spend looking these days, and I always feel behind, so there may be better practices that I'm not aware of.
posted by timfinnie at 9:12 PM on November 16, 2012 [1 favorite]


@ill3: ...say you lose your RSA token how do you authenticate to get a replacement?

Maybe two factor authentication services shouldn't allow you to use the service until you've given public keys to the service from multiple devices?
posted by DetriusXii at 10:01 PM on November 16, 2012


I agree with several earlier comments here that the problem demonstrated in the article is not passwords but password reset procedures. A reasonably conscientious user (esp. with the help of keepass or etc) can manage secure enough passwords that password guessing is an unlikely attack. But that doesn't matter, because attackers go after the weak points of security, not the strong points. And the weak point is the reset policy. It doesn't matter if you don't forget your password, because the reset system has to handle the most forgetful, least organized user the service has (and wants to keep). They're usually either insecure ("secret questions", email tokens), laughably insecure (mother's maiden name, SSN), or prone to cascading failures because the user isn't aware of what depends on what (email tokens!).
posted by hattifattener at 11:08 PM on November 16, 2012 [3 favorites]


Something like 1Password? Or long random passwords, meaningless security questions, and a laminated card with the passwords that I carry with me at all times like the nuclear football?

One recommended solution — and at least at one point it was what Bruce Schneier was recommending — is to use a "password keeper" like LastPass or 1Password, creating single-use random passwords for most sites. Create one really super-duper high quality password and use that to lock/encrypt the password keeper itself. Don't ever store this master password in a computer file, and don't ever type it into an untrusted machine. Keep it on an otherwise-unmarked card in your wallet, plus in a safe place at home and in a safe-deposit box or at the office. If you lose your wallet (or think you might have lost your wallet) immediately change it, using the copy of the password you have at home.

It's not entirely perfect, but it's better than what 99% of people are doing today.

I understand the problem that "use fake answers" is trying to solve, but I think it ends up making the situation worse. [...] you're better served just sticking that entropy in the password field itself rather than abusing the security questions.

Not if the security questions provide a way to reset the password. In that case, they effectively are the password.

If the password is the lock on your door, the security questions are the big glass window right next to it, that lets someone reach in and just turn the latch by hand. It makes no sense to buy some super-duper high security lock, if you still have easily-breakable single pane glass right next to it.

So if you're going to create a nice high-entropy password, you also need to make sure there's an equivalent amount of entropy in the password-reset questions. Or else an attacker will just go around your password and reset it using the weak questions. Since many services only give you a small number of really shitty, easily-researchable-on-Facebook reset questions (e.g. Mother's maiden name, pets names, school names, etc.), it makes sense to use fake answers.
posted by Kadin2048 at 12:01 AM on November 17, 2012



I understand the problem that "use fake answers" is trying to solve, but I think it ends up making the situation worse. Once you stop using real answers that are burned into your brain and start using some fake thing you have to remember, you're better served just sticking that entropy in the password field itself rather than abusing the security questions.


Except Apple (and others) won't let me simply rely on my capacity to make good passwords -- they make users create these low-security alternate passwords before using the iOS app store and who knows what else.

Since I have an iOS device that I want apps for, that means I have a choice:

* Let Apple nudge me into doing something stupid and answer the questions honestly
* Come up with unique untruthful answers for the security questions and record them
* Enter random things in and forget them, risking losing access to my account in the future when Apple decides it needs to ask me
* Give up and forget about using the app store

Now I'm not surprised that Apple might give people the option to have security questions as a backup account access method. There's enough people for whom the threat of losing access to their account due to their own forgetfulness is comparable to (if not bigger than) the threat of a determined attacker. So it kindof makes sense to give people the option to use easy-to-remember (if accessible-to-discovery) secondary access methods.

The stupid part is forcing everybody to use it. And doubling down on the stupid by adding more security questions in response to problems.
posted by weston at 12:20 AM on November 17, 2012


But it seems to me that there are few monomaniacal hackers focusing on few targets. Extreme protection against a rare threat is a hard sell

That is true, and I agree with you. Just wanted to point out the guy was targeted for a three letter twitter name. You can be targeted on a whim, for no reason.
posted by Ad hominem at 3:00 AM on November 17, 2012


Just wanted to point out the guy was targeted for a three letter twitter name. You can be targeted on a whim, for no reason.

Indeed - and this is what makes it a mistake to assume that just because we are ordinary non-celebrities we have nothing of value to a hacker. For example:

1. Money moved from your account to the hackers
2. Anything that can be bought with your credit card
3. Anything that could be used to blackmail you
4. Targeted revenge against you
5. Revenge against organisations holding your data
6. Your contacts (who may be follow-on targets)
7. A clean social media profile on services like Ebay, LinkedIn, etc

Unfortunately simply having a backup of your data will not protect against these threats. Nor will a super-secure password - if we have to share it with a remote third party who can reset it on the basis of rules which must work both for you and your 80 year old aunt.

If I was trying to engineer a solution to this I would try to gather together a group of the most technophobic, forgetful, lazy, dim people I could muster - and design a solution that would work for them.
posted by rongorongo at 3:53 AM on November 17, 2012 [1 favorite]


bjrubble: Basically, this is almost as strong as a completely random string of alphanumeric characters.

Actually, it feels like it is, but it isn't.

Passwords are not the same as they used to be. Things have changed. A LOT. And they are changing more and more every day. The old rules don't apply any more.

Why? Because so many large password databases have now been hacked that hackers have vast corpora of actual, in-use passwords generated by actual people. And one thing they are finding is that humans are very bad at coming up with truly unique passwords. No matter what your mnemonic system for generating passwords happens to be, someone else out there has probably thought of it already, and their passwords have probably already been lost to the bad guys. And the bad guys are now running mega pattern analyses on these huge databases, and actually deriving some of the rules that people use to make them up.

With the data sizes they're dealing with, just unbelievably huge rainbow tables and such, it becomes relatively cheap to just grab every e-book in the world, and run them through the same kinds of pattern analysis, looking for the sources for the passwords people are using. Yes, this is expensive and difficult. But it's much less expensive than just trying to generate every possible random password. Anything they can use to narrow their search space is a huge win, and recording the first letters of every sentence of every book in existence is trivial compared to the scope of trying to crack true random passwords.

The only defense against this kind of massive pattern matching, the kind that throws the equivalent of tens or even hundreds of thousands of computers into clever search algorithms that are trying to figure out how you were thinking, is true randomness. Individual hackers can now hire, from Amazon or other cloud providers, the kind of computing power that only nation-states once had. The sheer amount of power being devoted to peeling open your head, reverse-engineering your thought process when you came up with your password, is unimaginable even by the standards of just a few years ago. These guys/gals don't have to pay to build or maintain the infrastructure, they pay only when they actually need the computational power, so they can temporarily be a nation-state for a few thousand bucks, and then return to their cheetohs-strewn trailer afterward.

Use random passwords. Truly random ones. Long ones, at least 10 characters, preferably 12. Write them down and put them into your wallet/purse if you need to. It's painful to do this, but in the era of cloud computing, having any pattern whatsoever in your password system invites compromise.

tl;dr version: massive computational resources devoted to pattern recognition means that the only defense is to have no pattern.
posted by Malor at 6:04 AM on November 17, 2012 [2 favorites]


I feel like I'm not making my point very clear:

1. Money moved from your account to the hackers

Why does a hacker need money from MY bank account? And are there much much easier ways to get money than spending several days targeting me?

2. Anything that can be bought with your credit card

Again, why does a hacker need MY credit card, and not one of the several thousands of credit card numbers which can be bought? Is it worth several days targeting me in particular?

3. Anything that could be used to blackmail you
4. Targeted revenge against you
5. Revenge against organisations holding your data


I don't see why someone with these goals would be impeded by ANY security measure. If someone wanted to get revenge on me, why is a strong password a trivial thing to breach, but somehow 2-factor authentication is insurmountable?
posted by muddgirl at 6:12 AM on November 17, 2012


tl;dr - I can't design my internet security system to protect me from ALL threats, so what are the likely threats? What's the minimum level of intrusion to protect from those threats?
posted by muddgirl at 6:18 AM on November 17, 2012


The crazy part about this is that a person actually chose to give Apple remote access to wipe their devices...

I was recently given a newer hand-me-down iDevice, and one of the first things it asked upon activation was whether I'd like to activate the "Find My Phone" feature. But unless they've changed the setup in the past month or so, there doesn't seem to be a way to separate the ability to find your lost phone remotely from the ability to remote wipe the phone.

burnmp3's suggestion to replace remote wiping with remote encrypting sounds like a smart one, no?

Likewise, is there any reason for a cloud backup service to perform immediate deletion of a user's backups? Why not keep the data around for, say, a week or so, to allow a chance to undo the mistake? (Chances are the data was still sitting on iCloud's own backup storage servers for a while before being flushed, but they're just not set up to retrieve a single user's data from their own backups, right?)
posted by nobody at 6:21 AM on November 17, 2012
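Added example, not from any commenter and not Apple's or iCloud's code: a sketch of the retention idea nobody raises above. "Delete" only writes a tombstone, reads behave as if the data were gone, a restore is possible inside the grace window, and a background purge does the physical erase only once the window has passed. The store, user names, blob contents and the seven-day window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Backup:
    blob: bytes
    deleted_at: Optional[datetime] = None  # None means live; a timestamp means tombstoned


class BackupStore:
    """Hypothetical cloud-backup store: tombstone on delete, erase only after a grace period."""

    def __init__(self, retention: timedelta = timedelta(days=7)):
        self.retention = retention
        self._items: Dict[str, Backup] = {}

    def put(self, user: str, blob: bytes) -> None:
        self._items[user] = Backup(blob)

    def get(self, user: str) -> Optional[bytes]:
        """Tombstoned backups are invisible to normal reads, so the wipe looks immediate."""
        item = self._items.get(user)
        if item is None or item.deleted_at is not None:
            return None
        return item.blob

    def delete(self, user: str, now: datetime) -> bool:
        """Mark the backup deleted; nothing is physically erased here."""
        item = self._items.get(user)
        if item is None or item.deleted_at is not None:
            return False
        item.deleted_at = now
        return True

    def restore(self, user: str, now: datetime) -> bool:
        """Undo a delete, but only while the tombstone is inside the retention window."""
        item = self._items.get(user)
        if item is None or item.deleted_at is None:
            return False
        if now - item.deleted_at > self.retention:
            return False
        item.deleted_at = None
        return True

    def purge(self, now: datetime) -> int:
        """Background job: physically erase tombstones older than the retention window."""
        expired = [u for u, b in self._items.items()
                   if b.deleted_at is not None and now - b.deleted_at > self.retention]
        for u in expired:
            del self._items[u]
        return len(expired)


# Constructed reference time for the two scenarios below.
T0 = datetime(2012, 11, 17, 12, 0, tzinfo=timezone.utc)


def demo_restore() -> dict:
    """Attacker wipes at T0, victim notices three days later and undoes it."""
    store = BackupStore()
    store.put("victim", b"photos-and-messages")
    store.delete("victim", T0)
    hidden = store.get("victim")                                # reads now see nothing
    restored = store.restore("victim", T0 + timedelta(days=3))  # inside the window
    return {"hidden": hidden, "restored": restored, "back": store.get("victim")}


def demo_purge() -> dict:
    """Nobody restores; the purge job erases the data only after the window closes."""
    store = BackupStore()
    store.put("victim", b"photos-and-messages")
    store.delete("victim", T0)
    early = store.purge(T0 + timedelta(days=6))          # still inside the window: nothing erased
    late = store.purge(T0 + timedelta(days=8))           # window passed: erased for real
    too_late = store.restore("victim", T0 + timedelta(days=9))
    return {"early": early, "late": late, "too_late": too_late}
```

The trade-off is the one nobody's comment implies: during the grace window the data still exists on the provider's side, so a remote wipe is no longer a guarantee that a stolen device's backup is gone, only that the account holder can no longer read it until they restore.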


Walk without rhythm and you won't attract the worm.
posted by Freen at 10:01 AM on November 17, 2012 [5 favorites]


muddgirl: What's the minimum level of intrusion to protect from those threats?

At this exact instant, the likeliest threats come from password sharing. If, through no fault of yours, a site is hacked, then the hackers are probably going to be able to get a lot of the passwords. Even if you think you have a very good password, if it actually has a pattern in it, rather than being purely random, the chances are reasonable that they may crack it.

If you have used that password on only one site, and that password SYSTEM on only one site, then you're okay. If you've used that exact password elsewhere, then if they do crack the original file, they'll be able to freely access any other service using that password; how severe this might be is something you have to decide for yourself. If someone got my Metafilter password, I suspect it would be fairly obvious it wasn't me, and any damage would be, at most, embarrassment. If someone got my bank password, I could be in real trouble.

In other words, the primary threat to you is that hackers will use knowledge they gain from your account info on one site to gain access to another. For best safety, keep info as compartmentalized as possible. This new era of 'put everything in the cloud and share it so that marketers can mine it for data' also means that you may be sharing it with bad guys. So put as little online as you reasonably can, don't use a mnemonic system to generate passwords, make sure your passwords are at least 8 characters (10 or 12 is much better, if you can remember ones that long), and never repeat a password anywhere.

The idea is to make any individual breach as minimally damaging to you as possible; if someone hacks your Facebook account, there should be very little personal info there that can be used to socially attack your friends, and since you have different passwords everywhere, that means they can't just hop over to your credit union and steal all your money.

Unfortunately, some companies require you to give them damaging information, and then store that information on Internet-accessible computers. And you can't tell which companies are doing this. No matter what precautions you take, if they get sloppy, it can all be for nothing. That's not an excuse to be sloppy yourself, just be aware that when you share data, you inherently trust the other party to treat it responsibly, and they may not do so.
posted by Malor at 11:34 AM on November 17, 2012


One minor reality-check that needs to be kept sight of in these conversations; it cannot be, in general, quite as easy as people are suggesting to crack people's passwords or else such a vast number of people would have had their bank accounts compromised that the entire system would have collapsed already. Unless people are suggesting that the Bad Guys are somehow coordinating their efforts so as to effectively "farm" the system--only ripping off enough money to keep themselves happy but not so much as to destroy users' trust in the system overall (and that, clearly, is a preposterous suggestion)--then it simply cannot, in fact, be the case that criminals in general find it easy to hack into sensitive online accounts at will.
posted by yoink at 11:44 AM on November 17, 2012


Two-Factor was supposed to be the way out of this mess. Two factor is now compromised with both soc-eng and technical hacks. Now, what?

Two-factor was not compromised with social engineering, the guy's phone was. Don't use SMS to text you the key to two-factor! Install the App that does it algorithmically. Both Verisign and Google offer them.
posted by pashdown at 4:51 PM on November 17, 2012


Passwords are not the same as they used to be. Things have changed. A LOT. And they are changing more and more every day. The old rules don't apply any more.
...
With the data sizes they're dealing with, just unbelievably huge rainbow tables and such, it becomes relatively cheap to just grab every e-book in the world, and run them through the same kinds of pattern analysis, looking for the sources for the passwords people are using.


Only if they know the system.

Yes, I should have pointed out why the specific example I gave was problematic, namely:
1. Taking the first letter of each word in a sentence is a fairly obvious cipher, and
2. Gutenberg e-books are a fairly obvious source of text
plus
3. Someone familiar with the cipher could probably identify it by looking at the final password. (Capitalized first letter, punctuation at the end.)

In practice, the cipher should be more complicated, but it's not hard to do so. You could take the last letter of each word, or the first letter of every other word, or the letter following the first vowel in each word, or the letter that appears two characters after each diphthong.

But since you can use the same cipher for everything, it's okay to make it complicated -- you don't need to remember it differently for every password. This gives you a lot of room to work.

My point was, a lot of this discussion is predicated on the idea that the only way to make passwords at all secure is to make them completely unmemorable. I don't believe this, because here's a simple combination of two memorable components that can yield a huge increase in security.
posted by bjrubble at 5:12 PM on November 17, 2012
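Added example, written for this page rather than by Malor or bjrubble: the attack Malor describes, applied to exactly the cipher variants bjrubble lists. Every sentence of a corpus is run through a handful of extraction rules (first letter of each word, last letter, first letter of every other word, the letter after each word's first vowel), each output is tried bare and with the sentence's trailing punctuation, and the candidates are hashed and compared against a leaked hash. The five-sentence corpus and the unsalted SHA-256 "leak" are constructed stand-ins; real dumps are salted and the corpus would be Gutenberg-sized, but the arithmetic at the end is the point: candidates grow as sentences × rules, not as alphabet ^ length.

```python
import hashlib
import re
from typing import Callable, Dict, Iterator, Optional, Tuple

# Constructed sample corpus standing in for "every e-book in the world".
CORPUS = """It was the best of times, it was the worst of times.
Call me Ishmael.
In a hole in the ground there lived a hobbit.
The quick brown fox jumps over the lazy dog.
All happy families are alike; each unhappy family is unhappy in its own way.
"""

VOWELS = set("aeiouAEIOU")


def split_sentences(text: str) -> list:
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def words(sentence: str) -> list:
    return re.findall(r"[A-Za-z']+", sentence)


def first_letters(s: str) -> str:
    return "".join(w[0] for w in words(s))


def last_letters(s: str) -> str:
    return "".join(w[-1] for w in words(s))


def first_of_every_other(s: str) -> str:
    return "".join(w[0] for w in words(s)[::2])


def after_first_vowel(s: str) -> str:
    out = []
    for w in words(s):
        for i, ch in enumerate(w):
            if ch in VOWELS and i + 1 < len(w):
                out.append(w[i + 1])
                break
    return "".join(out)


# bjrubble's variants, each a cheap "rule" in cracker terms.
RULES: Dict[str, Callable[[str], str]] = {
    "first_letters": first_letters,
    "last_letters": last_letters,
    "first_of_every_other": first_of_every_other,
    "after_first_vowel": after_first_vowel,
}


def decorate(core: str, sentence: str) -> Iterator[str]:
    """Malor's tell: capitalised first letter comes for free; try the trailing punctuation too."""
    yield core
    if sentence and sentence[-1] in ".!?":
        yield core + sentence[-1]


def candidates(text: str = CORPUS) -> Iterator[Tuple[str, str, str]]:
    for sentence in split_sentences(text):
        for name, rule in RULES.items():
            for cand in decorate(rule(sentence), sentence):
                yield cand, name, sentence


def crack(target_sha256_hex: str, text: str = CORPUS) -> Optional[dict]:
    """Return the matching candidate, the rule that produced it, and the source sentence."""
    for cand, rule, sentence in candidates(text):
        if hashlib.sha256(cand.encode()).hexdigest() == target_sha256_hex:
            return {"password": cand, "rule": rule, "source": sentence}
    return None


def candidate_count(text: str = CORPUS) -> int:
    return sum(1 for _ in candidates(text))


def brute_force_candidates(length: int, alphabet_size: int = 62) -> int:
    """Size of the search space a truly random alphanumeric password of this length forces."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed leak: the first-letters-plus-period password from the Dickens line.
    leaked = hashlib.sha256(b"Iwtbotiwtwot.").hexdigest()
    print(crack(leaked))
    print(candidate_count(), "pattern candidates vs", brute_force_candidates(12), "random ones")
```

Adding bjrubble's more exotic ciphers only multiplies the candidate count by a small constant per rule, which is Malor's argument in numbers; bjrubble's counter-argument (that a private rule is unlikely to be in the attacker's rule set) is the one variable this code cannot settle.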


thewalrus: Basic security precaution: Don't login to anything on random public/semi-public computers. Assume that any computer you have not personally set up has an operational keystroke logger on it.
Basic security precaution: Never leave any door or window unlocked, even if you are home. Assume that anyone you let into your house is a potential robber, and cannot be left alone.

The world is not an easy place for absolutes to rule our actions.
posted by IAmBroom at 5:25 PM on November 17, 2012 [1 favorite]


My problem with password management applications like KeePass and 1password is syncing. On any given day I use at least 4 different devices, and it used to be 5 back when I had a workstation in my office. Keeping an encrypted file in sync between a Windows desktop, Mac laptop, iPad and iPhone is kind of a nightmare and such a hassle (and not really even possible on two of those devices) that I can't see myself bothering. In fairness, 1password does Dropbox syncing now, but reviews in the App store say that's been problematic, and then I need to have another account with yet another password and that just adds to the problem.

We're not really in an age where people have just one computing device anymore, and solutions that tie you to one device or platform aren't really workable.

The security problem with public Internet is part of why I keep a tethering plan on my phone. If I'm in an area with bad service I'll use public wifi but I tunnel the entire connection through a VPN to my rack in the colo. At least then I know the most vulnerable hop is secure.

I think what I'll end up doing is rolling my own at some point, make it web accessible and throw it on a VM somewhere. Then I don't have to guess about whatever commercial/open source solution I use being available on whatever platform I'm using at the time.
posted by mikesch at 9:37 AM on November 18, 2012


bjrubble: I don't believe this, because here's a simple combination of two memorable components that can yield a huge increase in security.

What I am trying to tell you is that it is much less huge than you think. Having any pattern at all makes it possible for the pattern to be deduced. The only defense against pattern matching is not to have a pattern.

No matter how clever you think you are, other people out there are just as clever, and they're probably using passwords a lot like yours. If any of you lose a couple of passwords to crackers, then your system is far, far weaker than you think it is.
posted by Malor at 11:28 AM on November 18, 2012 [1 favorite]


And, for what it's worth, bjrubble -- my personal password system resembled yours a very great deal, and I thought I was pretty goddamn clever, too.

I don't think I've lost any passwords, but if I have, your system is close enough that you're at risk, too.
posted by Malor at 11:29 AM on November 18, 2012


Yes I did

Thanks, Mat; the followup was fascinating and I'm hoping Wired will keep following up to see if/when Apple ever fixes this idiocy:

It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud.

Apple tech support confirmed to me twice over the weekend that all you need to access someone’s AppleID is the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file. I was very clear about this. During my second tech support call to AppleCare, the representative confirmed this to me. “That’s really all you have to have to verify something with us,” he said.

...Apple would not comment as to whether stronger authentication is being considered.

As of Monday, both of these exploits used by the hackers were still functioning. Wired was able to duplicate them. Apple says its internal tech support processes weren’t followed, and this is how my account was compromised. However, this contradicts what AppleCare told me twice that weekend. If that is, in fact, the case — that I was the victim of Apple not following its own internal processes — then the problem is widespread.

posted by mediareport at 9:09 AM on November 19, 2012


Ah, I see they did: Apple Confirms Suspension of Over-the-Phone Password Resets.
posted by mediareport at 9:12 AM on November 19, 2012


What I am trying to tell you is that it is much less huge than you think. Having any pattern at all makes it possible for the pattern to be deduced. The only defense against pattern matching is not to have a pattern.

I agree that any pattern can be deduced; I just think that saying the "only defense" is complete randomness is overstating.

If somebody specifically targets you, yes, having any sort of guessability to your passwords will be a vulnerability. But as the linked article shows, there are lots of huge non-password vulnerabilities as well. Which is one of my issues with 1Password and the like -- beyond that one layer of security you are completely vulnerable across the board.

I personally take mass password hacking as the more likely concern, and in that case the relevant question is how many collisions your passwords have with other people's. If you can come up with a way to generate character strings that are unlikely to be shared by other people, I'm not convinced that guessability is a critical issue.

IOW, I see a big difference between having only a million possible passwords, and using one of the million most common passwords.
posted by bjrubble at 9:45 AM on November 19, 2012


Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong
Security is not just about strong encryption, good anti-virus software, or techniques like two-factor authentication. It’s also about the “fuzzy” things … involving people. That’s where the security game is often won or lost. Just ask Mat Honan.
Bruce Schneier: Recent Developments In Password Cracking
posted by the man of twists and turns at 11:16 AM on November 20, 2012 [2 favorites]


But... didn't he get hacked by someone not knowing his password, but instead conning apple into changing it?

It seems like the password actually did its job in that case...


Not really. People are only willing to use a password-protected system if there's some way to get around the problem that people are occasionally going to forget passwords. You're just saying that in an alternate universe where no one ever forgets passwords, the password would have done its job. That doesn't do us much good in the real world.
posted by John Cohen at 2:28 PM on November 25, 2012

