

password12345
August 5, 2014 10:15 PM

Less than a year after 40 million credit and debit card records were stolen from Target's point of sale systems, the New York Times is reporting that "a Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses." (Ars Technica, too)
posted by Chutzler (104 comments total) 37 users marked this as a favorite

lovely.

I'm currently looking into password managers, but given that I am often using someone else's computer (and my ability to install anything is super limited), what options are available?
posted by divabat at 10:32 PM on August 5 [1 favorite]


The new sense of security is not knowing that they don't have your credit card, it's knowing that they have everybody's credit card, so what are the chances they'd pick yours?
posted by anazgnos at 10:37 PM on August 5 [63 favorites]


I've been using LastPass since Heartbleed. 99% of the time I use it through the Chrome/Firefox/IE plugin, but there is also an iOS app and you can even access your passwords through the LastPass website.

Easiest way to use it is through the plugins. But even if you can't install anything, the website should work as a last resort.

However, it's not as slick as 1Password. It does sometimes glitch, not remember new site passwords correctly (you end up with multiple entries and have to figure out which one is correct), etc. I'm a power user, and so I can usually deal with it fine. But YMMV.
posted by sbutler at 10:40 PM on August 5 [8 favorites]


2nd LastPass.

I cannot imagine being on the internet without it. Everybody should be using it. It's a $1 a month you cheapos!
posted by lattiboy at 10:43 PM on August 5 [3 favorites]


I've been using LastPass for years, depend on it daily, and wholeheartedly recommend it.

It's not the purtiest, but people who know much more about this kind of thing than I do consider it secure, and they've been proactive about security issues. There's also a neat "security audit" process that I run occasionally, and it even checks whether your data has been leaked by cross-checking it against a database of leaked info.

Their (cheap) "premium" option includes a mobile app you can use to look up passwords when you're not on your own machine.
posted by ArmandoAkimbo at 10:45 PM on August 5 [1 favorite]


You know I've been forced to learn a few minor security protocols along the way and I've just realized that none of them covered the case where your personal authentication data was already spread far and wide across the internet.

If the security guys are going to insist on keeping up their charade (which I wouldn't blame them for, as security conferences get held at some very nice locations), how about they come up with a framework that is centered on recovering from the inevitable security violation rather than ones that are centered on trying to stop it.

You can't stop security violations, but you can make it easier to pick up the pieces.
posted by Tell Me No Lies at 10:46 PM on August 5 [5 favorites]


Universal two-factor authentication cannot come fast enough.
posted by Talez at 10:47 PM on August 5 [6 favorites]


You can't stop security violations, but you can make it easier to pick up the pieces.
And that's why everyone must use a different password for every site/service they use these days.

It's bad if someone gets your old Yahoo! login that you haven't used for years, but that quickly turns into a Serious Fucking Disaster if they can use that same info to hijack your identity with your bank, Apple, Google, etc.
posted by ArmandoAkimbo at 10:55 PM on August 5 [2 favorites]


2factor is only as good as the programmers implementing it. And it entirely depends on what you mean by 2factor. Txt a code to a phone# would do some good in this case.

But a shared secret 2factor is just as vulnerable to DB dumps as a password is. The secret has to be stored somewhere on the server side. My guess is that most developers are tempted to place it in the database, right next to the password column.

All of my 2factor setups right now involve shared secrets. If that secret doesn't stay secret...
posted by sbutler at 10:55 PM on August 5


2-factors are near pointless if you're travelling - my mobile phone number isn't always going to work overseas.
posted by divabat at 11:05 PM on August 5 [2 favorites]


Well, again, it depends on what you mean by 2factor. If it's txt or call your phone, then you're right that it won't always work. But if it's a shared secret based on the time or a count, then a small keyfob or smartphone app (ie: Google Authenticator) works all the time, even if you don't have cell or data or wifi service.
posted by sbutler at 11:09 PM on August 5 [1 favorite]


I'm currently looking into password managers, but given that I am often using someone else's computer (and my ability to install anything is super limited), what options are available?

If you can't count on a browser plugin, maybe a smartphone app? Search for a "password manager app" for your chosen platform. There are also usb password safes. Even commercial devices like the yubikey.

Also, if you use the lastpass plugin on chrome, you don't really have to install anything, just add your user profile to Chrome. Of course, there's no security between profiles in Chrome, so whoever's computer you installed your profile on would have all your marbles, essentially.
posted by heathkit at 11:11 PM on August 5


I have 1Password and it is so fucking clunky I ended up reverting to a text document.
posted by phaedon at 11:18 PM on August 5


Huh. What's clunky about 1Password? I've been using it for a couple of years now and find it works brilliantly.
posted by koeselitz at 11:22 PM on August 5


I'm currently looking into password managers, but given that I am often using someone else's computer (and my ability to install anything is super limited), what options are available?

I use keepass, with the data file stored in the cloud. If I'm using someone else's computer, I just get the password using the keepass app on my cellphone, or add a new entry to the data file from my cellphone, and it syncs on all my devices.
No need to install anything on the computer if you have a cellphone. The phone doesn't need service or Wi-Fi at the time because it has a local copy.

I use KeePass simply because it's not proprietary, so I won't end up locked into it. No big reason. Any password manager when combined with phones and the cloud should work.
posted by anonymisc at 11:25 PM on August 5 [7 favorites]


I'll second 1Password. The ability to sync the (encrypted) database with my iPhone is invaluable. Any accounts I create are guaranteed to be with me. It handles multiple databases easily too.
posted by brism at 11:27 PM on August 5 [2 favorites]


Create a flickr account and upload a number of images. Make them private. Add a password to the image description. If someone guesses the password to your flickr account they now have to work out that the photo of the dog crap contains your bank account password.
posted by lilburne at 11:27 PM on August 5 [1 favorite]


I like KeePass. You can use it with browser plugins to largely automate the whole password thing. Save your DB to a folder synced to DropBox/Google Drive/whatever and load it in a smartphone app and you have them all there also.

If Firefox Sync still works, you can use Firefox's password manager if you prefer. If you set a password, it is encrypted and syncs to any of your other Firefoxes, say on your smartphone. The downside is that it lacks a password generator, so you have to come up with your own reasonably random combination of letters, characters, and punctuation of whatever length you consider safe. (This is a somewhat significant limitation, but not too bad: bias in the randomness of your password isn't much of an issue as long as there are no "dictionary" words and the password is reasonably long.) Too bad Chrome doesn't support an encrypted password database.
posted by wierdo at 11:28 PM on August 5


Browser plugins still count as "things I need to install that I may not be able to because of admin permissions", and I don't know which browsers I have access to (for instance, library computers don't often have Chrome).

The thing with smartphones is that if it relies on having Internet access that's not going to work either.
posted by divabat at 11:36 PM on August 5


given that I am often using someone else's computer (and my ability to install anything is super limited), what options are available?
I use lastpass from their website in work (I don't trust workplace computers) to log into anything I've forgotten.
It's not as super secure as the app itself but it's enough.

For disaster recovery I have a two-factor email account as the backup and lastpass doesn't know that password.
posted by fullerine at 11:53 PM on August 5


Create a flickr account and upload a number of images. Make them private. Add a password to the image description. If someone guesses the password to your flickr account they now have to work out that the photo of the dog crap contains your bank account password.

No. No. No.

Putting a collection of passwords in one place is just not very secure. If your password for a site is a member of a set of say 52 possible passwords then that is the same as having a one letter password.
posted by rdr at 12:09 AM on August 6 [6 favorites]


I'm yet another user of Lastpass, but I'm curious has anyone tried Dashlane? I've been looking around for a password manager for my parents to use and have read reviews that said Dashlane had a much simpler UI than Lastpass.
posted by comradechu at 1:11 AM on August 6


2-factors are near pointless if you're travelling - my mobile phone number isn't always going to work overseas.

The final implementation of this that everyone starts using is going to involve some sort of arbitration between your device and the server, google voice style, so that this doesn't matter at all.

I have a growing feeling apple is going to be the one to crack it from a reliability/usability standpoint, and make it something everyone actually starts using without even really thinking about it like they did with passcodes/touchid.
posted by emptythought at 1:16 AM on August 6


I use PasswordSafe. Bruce Schneier was involved in its design.
posted by PenDevil at 1:46 AM on August 6 [4 favorites]


keepass user, have been fairly pleased, though their android app is kinda clunky.
posted by maxwelton at 2:08 AM on August 6


lilburne: "Create a flickr account and upload a number of images. Make them private. Add a password to the image description. If someone guesses the password to your flickr account they now have to work out that the photo of the dog crap contains your bank account password."
This is a joke, right?
posted by brokkr at 2:29 AM on August 6 [1 favorite]


I have a growing feeling apple is going to be the one to crack it from a reliability/usability standpoint, and make it something everyone actually starts using without even really thinking about it like they did with passcodes/touchid.

I'm not sure which day I'm more excited for: the one where I need to have iTunes open in order to comment on metafilter, or the one where people thought that wasn't weird.
posted by 7segment at 2:34 AM on August 6 [5 favorites]


> If someone guesses the password to your flickr account they now have to work out that the photo of the dog crap contains your bank account password.

The record of your passwords is at the mercy of the quality of a single password and for Flickr to, say, not make private image metadata searchable through the API. If the tags you use include random character strings, their functions can be guessed.

But if you insist on going this route, why not embed the passwords in the images themselves through steganography? This way, even if somebody cracks your Flickr account, they'd have to have prior knowledge that you'd manipulated the image data, and also have the unmanipulated images to extract the embedded information. Otherwise you'd have to have something incredibly valuable to them to make it worth their effort to work on your account, rather than give up and find lower-hanging fruit.

As security through obscurity goes, it's going to be better than most. Albeit unwieldy if you had wanted a cloud-based password system so you could read Reddit from work.
posted by ardgedee at 3:07 AM on August 6


The new sense of security is not knowing that they don't have your credit card, it's knowing that they have everybody's credit card, so what are the chances they'd pick yours?

So... I should make sure they DO have my credit card, as a kind of herd immunity, but the kind of herd immunity where some of the herd get eaten by lions and the bigger the herd the safer you'll be.
posted by EndsOfInvention at 3:38 AM on August 6


Putting a collection of passwords in one place is just not very secure. If your password for a site is a member of a set of say 52 possible passwords then that is the same as having a one letter password.

I think the point of the Flickr thing is that no-one knows that your private Flickr gallery has passwords in it. It's not that they have to work out which password is for your bank, it's that they have to work out that anything there is actually a password at all. Not that this makes it any more secure, you may as well have a draft email with your p/ws in it - the trick in both cases is making them not look like passwords I guess; MetaFilterIsGreat!1 is more obviously a password than Hi John, lunch at 12?.
posted by EndsOfInvention at 3:44 AM on August 6 [1 favorite]


I use LastPass with the Yubikey.
posted by winna at 4:06 AM on August 6 [4 favorites]


The new sense of security is not knowing that they don't have your credit card, it's knowing that they have everybody's credit card, so what are the chances they'd pick yours?

I'm not a credit card bank, though, so it's not really my problem. Worst case scenario, when I reconcile my statement at the end of the month, I notify the fraud dept and get a new card in the mail in a day or two.
posted by indubitable at 4:11 AM on August 6 [1 favorite]


I use my ability to remember 39 distinct passwords I change every month or two as a diagnostic tool for early onset Alzheimer's. It's like learning a new language. You gotta keep at it every day. Keeps the brain sharp.
posted by spitbull at 4:16 AM on August 6 [12 favorites]


But if you insist on going this route, why not embed the passwords in the images themselves through steganography? This way, even if somebody cracks your Flickr account, they'd have to have prior knowledge that you'd manipulated the image data, and also have the unmanipulated images to extract the embedded information. Otherwise you'd have to have something incredibly valuable to them to make it worth their effort to work on your account, rather than give up and find lower-hanging fruit.

Adept crackers wouldn't need the original image for steganalysis, as they could examine the color palette of the encoded version.
posted by Smart Dalek at 4:17 AM on August 6


I wrote a script that stores an encrypted file of passwords on my home server, and upon receipt of the master password, locally decrypts the file, and retrieves or stores an individual password via ssh. If I don't have my computer on me, I use an ssh app on my iPhone. I suppose someone could attack the ssh connection, but other than that possibility, it's worked out pretty well for me.
posted by Salvor Hardin at 4:26 AM on August 6 [1 favorite]


I don't always use a different password for every service I have, but I do with the more critical ones. My bank password is unique but my Facebook password is not.

One thing I've always wondered: why can't credit cards be issued with a little RSA style chip that changes some verification code every N minutes? It would be almost impossible to use without the card itself. Cards would be more expensive but surely it's worth it to save on fraud.
posted by deathpanels at 4:31 AM on August 6


I have designed my own secret written language that only I can understand that I use for all my passwords
posted by robbyrobs at 4:49 AM on August 6 [2 favorites]


And that's why everyone must use a different password for every site/service they use these days.

Unfortunately, this is something that will never, ever, ever happen in reality. Sure, geeks will do it. They live for that sort of complexity. But, the bog-standard civilian just isn't. They might use two or three that they cycle through, but they're simply never going to use a different password on each and every website they do business with. And, no, they're not going to be using LastPass or anything else.

That the security world hand-waves this ugly reality away is a huge problem.

/rant

One aspect of security I really don't understand are the many sites that require you to use an email address as your username. That just seems like a really stupid thing to do.
posted by Thorzdad at 5:08 AM on August 6 [14 favorites]


One thing I've always wondered: why can't credit cards be issued with a little RSA style chip that changes some verification code every N minutes? It would be almost impossible to use without the card itself. Cards would be more expensive but surely it's worth it to save on fraud.

Isn't that basically the European standard? I guess companies in the US figure that it's still cheaper to deal with the fraud (much of which people must not notice and never report) than it would be to change out the entire credit card infrastructure.
posted by Dip Flash at 5:30 AM on August 6


The chip and pin cards are coming to the USA, but it will still take years before the existing mag card readers are replaced to take advantage of it.

http://www.huffingtonpost.com/creditcardscom/the-dirty-little-secret-y_b_5572081.html
posted by cuscutis at 6:03 AM on August 6 [3 favorites]


Between this, the file-encrypting ransomware using Tor and Bitcoin and the numerous carding/fraud rings operating out of Russia according to Brian Krebs, cybercrime seems to be a major industry in Russia, and one that's tacitly approved of by the government as long as it targets only foreigners. Some commentators even say that Russia is literally a mafia state, with crime being to it what, say, the tar sands are to Canada or iron ore is to Australia.

I wonder how the proportion of Russian GDP made up by cybercrime compares to the proportion of Nigerian GDP made up by 419 fraud (wasn't that at one point Nigeria's second biggest industry after oil extraction)?
posted by acb at 6:12 AM on August 6 [3 favorites]


is the method where you have a string you always use followed by the first 4 (or however many) of the site's url still ok?

so like my password would always start with P@ssw0rd but for meta it would be P@ssw0rdmetaf and for yahoo it would be P@ssw0rdyahoo

i'm pretty sure i got the idea from here.

or do i need to let lastpass randomly generate nonsense passwords for me for the important stuff, like my bank and credit cards?
posted by sio42 at 6:13 AM on August 6 [1 favorite]


divabat: "2-factors are near pointless if you're travelling - my mobile phone number isn't always going to work overseas."

I turn on Google Authenticator while travelling. It's an app that generates 2FA codes- no texting required. Works for gmail, tumblr, facebook, dropbox. Yes, it's shared secret, so you'll have to trust that Google can keep your secret key safe.
posted by zamboni at 6:13 AM on August 6 [2 favorites]


is the method where you have a string you always use followed by the first 4 (or however many) of the site's url still ok?

so like my password would always start with P@ssw0rd but for meta it would be P@ssw0rdmetaf and for yahoo it would be P@ssw0rdyahoo


It'd probably be easy enough to rig up a script to check for the most common substitutions (i.e., ("metafilter.com", "password") -> ["passwordmf", "passwordmeta", "passwordmefi",...]). I'd be surprised if some unemployed AI PhD turned cybercrime lord in Russia/Romania/somewhere with a glut of underemployed computer scientists hadn't rigged something like this up already.

You could put yourself down the search chain by using unusual rules ('password plus the second consonant and last vowel that is not E'). Or replace the site name with a free-associated word (i.e., "metafilter.com" gets "passwordbeanpl" or "passwordhbrgr"). Though then you've got to remember which idiosyncratic word you free-associated with, say, delivermygroceries.com.
posted by acb at 6:26 AM on August 6


Keepass + cloud, with a loooooong passphrase and a keyfile that is squirreled away on various devices that aren't in the cloud. Plus two-factor authentication on particularly important accounts.

No browser plugin is needed for Keepass to figure out which account you wanted and where the username/password fields are on the login page.

I don't find KeePassDroid awkward at all, aside from typing that passphrase on a touchscreen.
posted by Foosnark at 6:27 AM on August 6 [2 favorites]


I'm looking forward to the day where signature brainwaves will be substituted for login credentials/security codes and that'll be enough.
posted by Occam's Aftershave at 6:27 AM on August 6


I use my ability to remember 39 distinct passwords I change every month or two

You may be joking, but that's what I do, more or less, sans the frequent changing. Different password for every website, no password manager, I just remember them.

OK, they're not completely independent. I have what you might call a general template, a part of the password that is universal, and another part which changes from site to site. That makes it easier (for that matter, possible at all) to remember distinct passwords for different websites, but it's still a bit of a theoretical weakness: finding just one of my passwords will not be enough to compromise any of the others, but if you got your hands on three or four of my passwords and started to examine them, you might discern the pattern and be able to derive a bunch of others.

Now, in fact, the hackers might have multiple passwords of mine. But you know what? I'm still guessing that out of 1.2 billion passwords, they're going to go after low-hanging fruit and not analyze all of mine to find the general pattern which could compromise the passwords of mine that they don't already have. (Also known as the "I don't have to outrun the bear, I just have to outrun you" philosophy of password security.)

Really, the hardest part of my scheme is remembering that website X doesn't allow a certain special character in passwords so I had to swap it out there, and website Y caps passwords at 16 characters, so I had to truncate my usual 20+ character password, etc.

(Also, there's still one or two other twists in my scheme which I haven't described here.)
posted by DevilsAdvocate at 6:37 AM on August 6


It'd probably be easy enough to rig up a script to check for the most common substitutions (i.e., ("metafilter.com", "password") -> ["passwordmf", "passwordmeta", "passwordmefi",...]).

"passwordmeta" I'll give you, but how would a script — presumably one you want to be applicable to thousands of websites — know that "mf" or "mefi" are more likely short forms of MetaFilter than "mt" or "milt"?
posted by DevilsAdvocate at 6:40 AM on August 6 [1 favorite]


DevilsAdvocate, that's the same method I use (a general template plus a hash function applied to the url), which is slightly better than sio42's method. But there's always the fear in my mind that once the hackers have just a few of my passwords, they can run the kind of script as described by acb and suddenly everything I own is cracked open.

And I see on preview that you've just mentioned that this is unlikely, but then again, if you have a bunch of unemployed Russian PhDs on hand, it won't take them long to try all the possible abbreviations/simple substitutions/etc and test them against the stolen password files until they start getting hits.

Sure, it's not exactly low-hanging fruit, but it only takes one person to assemble a "Find the Passwords" script that does all these tests.

So, somehow, I need to come up with a hash/coding function that's easy for me to do on paper or in my head, but difficult or impossible to reverse. Kind of like an easy public-key code, if you will.

I suppose an alternative is to have different logins at each site, too. That way, the cracker can't get three or four of my passwords to check their algorithm, but then I have to remember all those different logins, too.

Sigh.
posted by math at 6:47 AM on August 6


I play the Star Wars: The Old Republic MMO. As part of this, I have to keep an app on my smartphone that gives me a time-synchronized eight-digit code number whenever I request one. To log in on my PC, I need my password, but I also need to have my smartphone handy because I have to get a code number from it, and then punch that number in on my PC before it expires in a minute or two.

(Technically I don't have to do this, but now the alternative is apparently having it email me a one-time code every time I want to log in, which is so absurdly clunky that effectively, yes, you have to do it.)

It strikes me as quaintly ridiculous that my Star Wars game is more secure than my bank account.
posted by Naberius at 6:50 AM on August 6 [6 favorites]


My bank account pw has an eight-character limit, no special characters allowed. )-: At least they'll never guess what bank it is...

Seconding Keepass on a usb stick with a long passphrase for no-install goodness.
posted by sneebler at 6:57 AM on August 6


The thing with smartphones is that if it relies on having Internet access that's not going to work either.

Lastpass works on your phone. I regularly refer to the application and manually type in passwords when using computers other than my own machine.

With any password manager you absolutely need to reset your expectations of convenience. You will not know any of your passwords by heart. That's the point. It will take longer to log into sites. That's the point.

Many of the managers try to address these inconveniences in a variety of ways, and some succeed more than others. But even if they didn't address any of the inconveniences, it would still be worth moving your credentials to a password manager, and just manually transcribing random characters every time you log in.

Use unique passwords per service. Honestly, it is only marginally useful to use "strong" passwords, given the types of modern attacks.

Change them often.
posted by odinsdream at 7:00 AM on August 6 [2 favorites]


"passwordmeta" I'll give you, but how would a script — presumably one you want to be applicable to thousands of websites — know that "mf" or "mefi" are more likely short forms of MetaFilter than "mt" or "milt"?

With an English-language dictionary and some sensible data structures, one could reduce "metafilter" to ["meta", "filter"], a starting point for "mf", "mefi" and so on. Beyond that, the TeX hyphenation algorithm can find other human-intuitive breakpoints for deeper searches.
posted by acb at 7:04 AM on August 6


Use unique passwords per service. Honestly, it is only marginally useful to use "strong" passwords, given the types of modern attacks.

Which assumes infinite cognitive capacity for passwords. The people who can remember a 12-character password for each online ordering site and web-based service they use have probably already all been featured on documentaries about savants.

I think it was Microsoft who said recently to discard the advice and just reuse the same password for each non-important site, saving the strong ones for things like mail and banking.
posted by acb at 7:08 AM on August 6 [1 favorite]


Anyone have any thoughts on 1Password vs. Keepass for Mac & iOS? Which one is more seamlessly usable?
posted by shivohum at 7:09 AM on August 6


Using a different password for each website is good but not enough. Time and again we learn of someone (from 4chan etc) who uses social engineering to crack a person's accounts. They'll call customer service at Google Mail and social-engineer the password, then they go to Facebook or wherever and trigger a password reset request which then sends the new password back to the compromised Google Mail account. Easy, all accounts are cracked. Security is only as good as a single customer service rep manning the phones in India at 4am.

Use different emails for each website. Don't use email service(s) that can be social engineered. Basically this means either your own private email server (not hosted), or one that encrypts passwords so that even customer service can't divulge it because they don't know what it is.
posted by stbalbach at 7:11 AM on August 6


acb: that's the point of a password manager. You off-load the cognitive capacity to that system, and let it remember each site's unique password.

The problem with re-using the same password for "non-important" sites is that it fails to take into account human nature: if you make this advice to someone, they will inevitably use the "non-important" password for an important site. So, when that non-important service gets hacked, all of your other services are at risk.

Passwords do not work in a world where you can guarantee at least one of the services you have given your password to will be hacked, and will have stored your password in plain text.

Therefore, remove the ability for one service hack to infect all your other services by ensuring you use unique passwords. This does not mean using something mostly the same with the addition of some site-specific tag. It means completely unique passwords per site, that are unrelated to each other.
posted by odinsdream at 7:14 AM on August 6


I use KeePass, and although I have some UI objections to it, it's generally fine. I'm not sure I remember the last time I used one of my passwords on a computer that was not mine (or "mine" in the sense of it's assigned to me by my employer); I think it's been decades (little call for it and paranoid to boot). But I am prepared for the theoretical possibility: There's a standalone version of KeePass that can be run from a thumb drive, without installing and without requiring admin permissions. I keep a copy of that and a copy of my password database on a thumb drive that I carry around. And just for extra ridiculous paranoia, the thumb drive is itself hardware-encrypted; in order to use it on a computer, you have to first press a bunch of actual physical buttons on it in a certain order.
posted by Flunkie at 7:17 AM on August 6


The new sense of security is not knowing that they don't have your credit card, it's knowing that they have everybody's credit card, so what are the chances they'd pick yours?

All this stuff gets sold in online marketplaces, so there's a lot of "they" out there.
posted by RobotVoodooPower at 7:19 AM on August 6


All this stuff gets sold in online marketplaces, so there's a lot of "they" out there.

And the beauty of supply and demand means that the price of stolen credit cards just becomes really cheap; a small-time crook with an internet connection can pick up a bundle of card numbers/CVVs for fractions of a cent on the dollar.
posted by acb at 7:24 AM on August 6


And that's why everyone must use a different password for every site/service they use these days.

Well, not every. Most people use a bunch of online services where the worst thing that could happen if someone stole their credentials is a mild but harmless annoyance. If someone stole my metafilter credentials or my credentials to the CHE forums, there's not much they can do to harm me except post wildly embarrassing things under the name of a semianonymous online handle. At least as long as I use different and stronger passwords for accounts that have some sort of financial access.
posted by ROU_Xenophobe at 7:26 AM on August 6


comradechu: I have my parents on lastpass, but they don't really view/use the interface at all. The setup: They use their own desktop home computer 99% of the time. They know their gmail and facebook passwords, which are both relatively secure passwords that I set up. They have the lastpass password on a post-it note by the computer and I have it stored in my own lastpass account. Yes, the post-it note is bad, but it actually gets worse: I set up lastpass to automatically log them in -- yes, that's right: It remembers its own password.

They never set up any accounts for themselves anywhere. I do them all. So when I do them, I get them in their lastpass and set it up to auto-log in. They refuse to enter passwords anywhere. They always have, except when they used the same 8-letter (a four letter word repeated twice) password everywhere. The only way to talk them out of this was auto-login. Now they sort of know the gmail and fb password, but they don't enter it. Oh, they also know bank PINs for online banking.

If they need to log in somewhere that isn't auto-logging in, they call me and I look up the password on their lastpass and read it to them over the phone. So essentially *I* am the lastpass interface. It works pretty well for them. Sometimes I find it annoying.
posted by If only I had a penguin... at 7:26 AM on August 6 [2 favorites]


I am happy with Keychain Manager since it makes passwords available on both my Mac and my iPhone. Its only problem is that it doesn't always successfully discover that the name and password fields on a signup form are the same as the main page login. So then I just open Keychain Manager and manually copy-paste the password and it now knows to associate that pass to that page.

I could probably direct KM to use the password site-wide but this only seems to be a problem on government domains that have multiple sites with different subdomains with different passwords.
posted by charlie don't surf at 7:32 AM on August 6


Surely this will finally be the moment when everyone realizes passwords are a stupid form of authentication and websites start switching to something better? Even fucking Facebook Connect is safer for everyone, both users and websites, than passwords.
posted by Nelson at 7:44 AM on August 6


I've tried LastPass and 1Password and I infinitely prefer the latter. The interface is much smoother and it doesn't create a bunch of duplicate entries or refuse to auto-fill sites. Plus, isn't it more secure to have the db on your local drive/thumb drive than stored in the cloud? If you stole my laptop, you'd have to also steal my thumb drive AND know the master password. I don't store them together, and I'm going to know it right away if someone steals it. If someone guesses your LastPass password, it's game over for you because they don't need any local files and they can change everything while you're sleeping, totally unaware.
posted by desjardins at 7:49 AM on August 6


A cracker with a database and something like hashcat is going to use a combination of the following:

"Dictionary" attacks: Password dictionaries go beyond classical dictionaries to include previously-cracked passwords, keyboard-walk patterns like "quwieo", phrases pulled from the Bible, lyrics databases, and Wikipedia, and popular hostnames like "metafilter."

Dictionary + padding/mangling: dictionary words + prefixes, suffixes, and l33t-style substitution. Something like "password+sitename" might be caught by this because it's cheap to add "sitename" as a suffix for a dictionary run.

Hybrid dictionary + brute force: Since people don't memorize random characters, you assume that part of the password is already in your dictionary, and attempt to brute force the rest. So for example, you have "correct horse battery staple" in your dictionary, and then brute force "BRhGb" as a suffix. It's a bit tedious to do on a single workstation, but it's safe to assume that an organized crime group might have the resources to set up a cluster farm or botnet.

Any password scheme that depends on end-user discipline to distinguish between low-risk and high-risk sites is inherently broken, because human beings cognitively have shitty risk-assessment algorithms.
posted by CBrachyrhynchos at 8:00 AM on August 6 [2 favorites]
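The defender's side of the three patterns listed above is a registration-time filter that refuses passwords those cheap patterns would catch. The following is an added example, not code from the thread or from hashcat; the word list, the site names and the padding characters are constructed stand-ins for a real wordlist and breach corpus, and the whole thing is a pattern filter, not a strength meter.

```python
# Added example: reject passwords that match the cheap cracking patterns
# described in the thread (dictionary word, padding/l33t mangling, keyboard
# walk, dictionary words plus a short brute-forceable tail).
# All word lists below are constructed and tiny; a real deployment would load
# a large wordlist plus previously breached passwords.

DICTIONARY = {"password", "letmein", "welcome", "dragon", "summer", "qwerty",
              "correct", "horse", "battery", "staple"}
SITE_NAMES = {"metafilter", "mefi"}          # constructed: the service's own names
PAD_CHARS = "0123456789!@#$%^&*.?_-+="       # typical prefix/suffix padding
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def core_of(pw):
    """Lowercase, strip padding and site names from both ends, undo l33t."""
    core = pw.lower().strip(PAD_CHARS)
    for site in SITE_NAMES:
        if core.startswith(site):
            core = core[len(site):]
        if core.endswith(site):
            core = core[:-len(site)]
    return core.strip(PAD_CHARS).translate(LEET)


def keyboard_walk(s, min_len=4):
    """True if s contains a run of min_len keys adjacent on one keyboard row."""
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in s for i in range(len(seq) - min_len + 1)):
                return True
    return False


def dictionary_tail(core):
    """Greedily peel dictionary words off the front of core and return what
    is left, or None if no dictionary word was found at the front at all."""
    rest, peeled = core, False
    by_length = sorted(DICTIONARY, key=len, reverse=True)
    while True:
        word = next((w for w in by_length if rest.startswith(w)), None)
        if word is None:
            return rest if peeled else None
        rest, peeled = rest[len(word):], True


def find_weakness(pw):
    """Return the name of the matched pattern, or None if none matched."""
    lowered = pw.lower()
    core = core_of(pw)
    if not core:
        return "padding characters only"
    if core in DICTIONARY or core in SITE_NAMES:
        return "dictionary word or site name (with padding or l33t)"
    if keyboard_walk(lowered):
        return "keyboard walk"
    tail = dictionary_tail(core)
    if tail is not None and len(tail) <= 5:
        return "dictionary words plus a short tail (hybrid attack)"
    return None


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2014!", "dragonMeFi", "asdfghjkl1",
                      "correcthorsebatterystapleBRhGb", "Tr0ub4dor&3"):
        print(f"{candidate!r:36} -> {find_weakness(candidate)}")
```

A `None` result only means none of these cheap patterns matched; it says nothing about entropy, which is why this belongs in front of a length requirement and a breach-list lookup rather than in place of them.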


desjardins: Yes, lastpass depends on having a strong master password. Some of that is mitigated if you use 2FA with lastpass. It's an accessibility/security tradeoff.

Another factor to consider is that password managers use stronger key-strengthening algorithms that make attacks against their data potentially orders of magnitude slower than attacks on vanilla database hashing.
posted by CBrachyrhynchos at 8:12 AM on August 6


I just use hash-based passwords to generate a new password for every site based on my master password + domain name. There are a lot of implementations out there; they don't require any software installation or browser plugin, there's no file to share between machines, and there's somewhat less danger of the software itself getting compromised since it's just one or two lines of javascript.
posted by miyabo at 8:13 AM on August 6


The Flickr thing is a perfectly reasonable idea, if a little Rube Goldberg. A lot of people here seem to have the idea that crackers go through your accounts by hand and analyze things. "That's weird, he has these images with password protection, I'll do my magic hacking thing!"

Nothing could be further from the truth. Unless you're a very specific target - a celebrity or a very high net worth individual - crackers make their money processing accounts automatically and in very large volumes.

Anything that requires human input and isn't something that thousands of people do is almost certainly safe unless you're such a juicy target that you attract specific human attention.
posted by lupus_yonderboy at 8:24 AM on August 6


Nothing could be further from the truth. Unless you're a very specific target - a celebrity or a very high net worth individual - crackers make their money processing accounts automatically and in very large volumes.

"I don't need to be faster than the bear, I just need to be faster than you."
posted by CBrachyrhynchos at 8:32 AM on August 6 [3 favorites]


I like the idea of being able to recreate my passwords by hand "just in case." I guess my reluctance with any of the password managers is giving up my ability to know or regenerate them. What if something happens that locks me out of that?

At one point I was going to use (a passphrase+site name) hashed with md5 or something like that for every password. So now the even more annoying thing is the "strong password" rules websites make you use. Turns out an MD5 hash isn't two capitals, two lower-case, two special characters, your favorite kanji, an executable perl script, and both more than 13 and less than 11 characters long.

Remembering the deviations from the general plan would have been harder than just remembering passwords. But I guess I could keep a list in my wallet without being screwed if I lost it.
posted by ctmf at 9:04 AM on August 6 [1 favorite]
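The derived-password idea (master passphrase + domain, as miyabo and ctmf describe it above) runs into exactly the "strong password" rules ctmf complains about when the output is a raw hex digest. The following is an added example, not code from the thread or from any of the hash-based password tools mentioned: it derives the per-site password with PBKDF2 (domain plus a rotation counter as the salt) and then forces one character from each class a site demands, with a `special` parameter for sites that forbid some or all punctuation. The character sets and the 100,000-iteration count are assumptions chosen for the example.

```python
import hashlib

# Constructed character classes; most "strong password" rules check for these.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SPECIAL = "!@#$%^&*"            # trim or empty this for sites that forbid some


def derive_site_password(master, domain, length=16, counter=1, special=SPECIAL):
    """Derive a deterministic per-site password from a master passphrase.

    The domain (plus a counter, bumped when a site forces a change) is the
    PBKDF2 salt, so the same inputs always give the same password and nothing
    has to be stored or synced. Unlike a raw hex digest, the result is
    guaranteed to contain at least one character from every class the site
    allows, which is what the complexity rules actually test for.
    """
    if not 4 <= length <= 56:          # 64 key bytes cover length + 8 extras
        raise ValueError("length must be between 4 and 56")
    classes = [c for c in (LOWER, UPPER, DIGITS, special) if c]
    alphabet = "".join(classes)
    salt = f"{domain.lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)

    # Body: one alphabet symbol per key byte (small modulo bias, acceptable here).
    chars = [alphabet[b % len(alphabet)] for b in key[:length]]

    # Force one symbol from each class at a key-chosen, not-yet-used position,
    # using the spare key bytes beyond the body so the result stays deterministic.
    used, offset = set(), length
    for cls in classes:
        pos = key[offset] % length
        while pos in used:
            pos = (pos + 1) % length
        chars[pos] = cls[key[offset + 1] % len(cls)]
        used.add(pos)
        offset += 2
    return "".join(chars)


def meets_policy(pw, special=SPECIAL):
    """True if pw has a lower, an upper, a digit and (when allowed) a special."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and (not special or any(c in special for c in pw)))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed master passphrase
    for domain, special in (("example.com", SPECIAL), ("example.bank", "")):
        pw = derive_site_password(master, domain, special=special)
        print(f"{domain:14} {pw}  policy ok: {meets_policy(pw, special)}")
```

The remaining per-site deviations (a bank that caps length at 8, a site that only allows "_") are then two parameters, `length` and `special`, which is a shorter list to keep in a wallet than the passwords themselves; the cost of the scheme is that a leaked master passphrase exposes every site at once and the domain-as-salt gives an attacker a known starting point, so the master has to be a real passphrase.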


sneebler: "My bank account pw has an eight-character limit, no special characters allowed. )-: At least they'll never guess what bank it is..." Oh, I guessed which bank that is. Not the reason why I left them, but it was an added bonus to waving goodbye.

I've been getting rid of apps and services requiring a login like crazy. I'm trying to reduce to the smallest number possible that I genuinely need. I got through the 80s with the absolute minimum of useless stuff (OK, a bad perm and granny boots) and I can do it again.
posted by maudlin at 9:04 AM on August 6


Oh, and it doesn't really matter in this case how unique or complex your password is. If the hackers get it in plain text, they get it. They're not brute-forcing these, they're copying them out of databases.

It's the changing it frequently that's going to limit the window for them to do anything with that information.
posted by ctmf at 9:12 AM on August 6 [1 favorite]


I guess my reluctance with any of the password managers is giving up my ability to know or regenerate them. What if something happens that locks me out of that?

LastPass lets you export a plaintext dump of your password database which you can then save away or print out and store somewhere secure. I imagine 1Password can do the same thing. Both are excellent password agents and I think the best a normal Internet user can do right now to secure themselves. Once you have it set up in your browser you mostly don't think about passwords anymore; everything just autofills.

The new frontier of password idiocy is mobile devices. Strong passwords are impossible to type on a phone keyboard. And password agents like LastPass can't integrate usefully with iOS because of Apple's restrictive closed platform, so you're stuck copy-and-pasting awkwardly. That's one case where Android may be a better user experience.
posted by Nelson at 9:17 AM on August 6 [1 favorite]


My bank account pw has an eight-character limit, no special characters allowed. )-:

I had a retirement account that had a limit like that (and I didn't really have much choice in keeping the account there or moving it elsewhere), plus an extra level of totally awesome security:

I forget the details, but it was something like anyone who knew my email address, zip code, and last four digits of my Social Security number could change my password. And I don't mean "could cause an email to be sent to my email address asking me to click on a certain link if I want to change my password". I mean "could change my password".

They've thankfully changed this since then, but... jeez.
posted by Flunkie at 9:21 AM on August 6


it doesn't really matter in this case how unique or complex your password is

It does matter how unique it is. If you reuse the password on other sites, they may be able to use your credentials to log into sites they haven't compromised.
posted by one more dead town's last parade at 9:22 AM on August 6


Surely this will finally be the moment when everyone realizes passwords are a stupid form of authentication and websites start switching to something better?

Like what? Even biometrics, which should not be copyable (aside from that Avengers moment when Hawkeye says 'I need an eyeball', or in other movies the cutting off of the finger for the fingerscan, etc) is still going to be digital data, probably stored in a networked database, which means that it can be deciphered, hacked, changed and reinserted into the database to open only for the criminal. It's basically what the encryption-ransom schemes were. We can go further with this but then it quickly devolves into trusting trust and such then my eyes glaze over and all I really want to do is check my damn balance to see if I can afford two beers or three and this was supposed to be an age of increased convenience and equality but instead it's an age where corporations are people which makes sense as we can't figure out a way to prove to a computer that a human is who he/she says he is and now I really need that third beer, but I can't because I can't get to my bank balance and I have to be careful with my money because I owe the federal government my firstborn for going to college and learning from Boethius that a good book in a hovel is all you really need, and isn't it ironic that I had to penury myself to learn that and now I'm set on that third beer and maybe a chaser, but that'll have to go on the card, to whom I owe my secondborn, for the benefit of affording a hovel and enough food to enable me to work a crappy job that Boethius says should be enough if I can get a library card and occasionally a night at a bar, where I can drink four beers and wonder what became of my coaster as I was writing something important on it.
What is that damn password?
posted by eclectist at 9:22 AM on August 6 [2 favorites]


Yes, LastPass works great on Android. It sucked ass when I was still on an iPhone.

I use LastPass plus Yubikey for 2FA.
posted by Hairy Lobster at 9:24 AM on August 6


I use PasswordMaker. I have to remember only one password and nothing is stored online.
posted by Pendragon at 9:25 AM on August 6


Oh, and it doesn't really matter in this case how unique or complex your password is. If the hackers get it in plain text, they get it. They're not brute-forcing these, they're copying them out of databases.

Well, no, not really, I don't think. Except in cases where the website is doing things wrong (which admittedly is probably too frequent), the database isn't going to contain your password in plain text. It's going to contain a hash of your password. The hacker gets the hash of your password, which is such-and-such, and the hacker already knows that the hash of "abcd1234" is such-and-such, so knows your password is "abcd1234".

But the hacker doesn't know that the hash of "re3jg01h1l4hntkh09ag0;eweiuhtq;34ut039ugh&^974t9iu34jk" is something-else.
posted by Flunkie at 9:25 AM on August 6


LastPass has somewhat clunky, but usable auto-filling on Android (it's very slick in Windows). They now set up as an accessibility assist keyboard, which is a bit hacky but seems to work fine.
posted by bonehead at 9:32 AM on August 6


start switching to something better? ... Like what?

Federated login. You authenticate yourself to one trusted identity provider who then does crypto magic behind the scenes to authenticate you to other places. We do this right now with Facebook Connect, Sign in with Twitter, logging in via Google, and if you're as nerdy as me with OpenID. From a security point of view it works pretty well, way better than a different password on every site.

The problem is who we trust to be the identity provider. It's not good that Facebook is often the only choice. I'm increasingly of the opinion that government could provide online login service, although there are obvious dangers for that too. Estonia is leading the way here.

As for how you authenticate yourself to the central provider, I think passwords are enough and two factor authentication would be better. Anything would be better than what we do now. (Speaking of which, the real risk for a targeted attack is email; with access to someone's email you can generally reset your way into most of their online accounts.)
posted by Nelson at 9:53 AM on August 6


Oh, and it doesn't really matter in this case how unique or complex your password is. If the hackers get it in plain text, they get it. They're not brute-forcing these, they're copying them out of databases.

None of the database breaches I've heard about involved plaintext passwords. I think the worst involved unsalted DES (Adobe) and one breach that used unsalted MD5. Most of the rest have been salted MD5 or SHA. At a minimum the password should be hashed with a random salt.

Using unique passwords does matter because hackers try using discovered usernames and passwords on new systems. At least two of the big data breaches happened because hackers were able to use a username/password from a weak system on a tougher system. Wildstar suggested that a majority of compromised accounts appear to have involved passwords also used on fan sites (which makes me wonder if some of the early fan sites were honeypots set up by gold farmers.)
posted by CBrachyrhynchos at 10:13 AM on August 6


None of the database breaches I've heard about involved plaintext passwords.

There have been many plaintext password database breaches, here's a few from such little-known companies as Yahoo, Microsoft, and Adobe. Many of the more recent breaches involved databases that were encrypted but not properly salted, which is nearly as bad as plaintext.
posted by Nelson at 10:35 AM on August 6


lupus_yonderboy: “The Flickr thing is a perfectly reasonable idea, if a little Rube Goldberg. A lot of people here seem to have the idea that crackers go through your accounts by hand and analyze things. 'That's weird, he has these images with password protection, I'll do my magic hacking thing!' ¶ Nothing could be further from the truth. Unless you're a very specific target - a celebrity or a very high net worth individual - crackers make their money processing accounts automatically and in very large volumes.”

Or you're being hacked by an angry ex, or a random weirdo stalker, or just somebody who knows you well enough to know you're worth it, or someone who wants to steal your Twitter handle, or somebody who read a comment you made on Metafilter and got angry and wants to make you look bad by posting crap under your name. Why in the world should we assume we know exactly what "crackers" want?

This is basically like leaving your front door unlocked all the time because the really determined criminals will know how to pick locks or break windows anyway.
posted by koeselitz at 10:41 AM on August 6


the bog-standard civilian just isn't. They might use two or three that they cycle through, but they're simply never going to use a different password on each and every website they do business with. And, no, they're not going to be using LastPass or anything else.

This might be a marketing/reframing issue. Using KeePass has made life easier and saved my ass more times than I can count, because it offers more than passwords - I don't even think of it as a password manager, it's an ultra-private one-stop-shop of everything I need to know. It's also a method of tunneling, from wherever I am, to the kinds of important documents and data that I would be too fearful of loss or theft to casually carry around with me or leave in the car. Each bit of info is rarely needed individually, but the sum of all of them is something I have constant need for.

I.e., I'm at the DMV and after an hour in line I'm told I'll need a VIN, and the previous license plate (which I've forgotten), or my father's year of birth, or whatever. I don't need to abort in rage and frustration and make another wasteful appointment, I have every bit of information, no matter how unexpected, because my car is in KeePass. This particular example (unexpected DMV question) might only happen once in 5 years, but things like it are happening multiple times a week.

Also, little things - you're out shopping, you see something that someone would like, you can check their size. Someone's size info isn't secret data - it can go into their phone contact's "notes", but hey, it's also nice having everything in one place :)
posted by anonymisc at 11:28 AM on August 6 [1 favorite]


I didn't know about the Microsoft or Yahoo breach, the Adobe breach was 3DES. Also Heartbleed exposed plaintext passwords as well, but that wasn't a database breach.

There are alternatives. For example, Wuala and LastPass never get a plaintext password, they get a token that's a hardened cryptographic hash. One way to shore up passwords is to do strengthening in the client so that neither the TLS layer nor the server sees plaintext login credentials. Or SSH-style public-key authentication since people are more likely to pay attention to their phones and laptops than remember a good password. And there's an argument that if you're doing password resets via email and keeping the browser authenticated indefinitely, you might as well just skip the password and confirm new devices/browsers through your trusted channel.
posted by CBrachyrhynchos at 11:41 AM on August 6
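Three points made across this thread fit in one small scheme: key strengthening makes each guess orders of magnitude costlier than vanilla hashing (CBrachyrhynchos, 8:12 AM), a random per-user salt is the minimum for stored passwords (10:13 AM), and client-side strengthening means the server never sees the plaintext at all (11:41 AM). The following is an added example sketching that general pattern; it is not LastPass's or Wuala's actual implementation, and the iteration counts, salt length and sample account are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

CLIENT_ITERATIONS = 100_000   # assumed: stretching done in the user's app/browser
SERVER_ITERATIONS = 100_000   # assumed: stretching done again on the server


def client_token(master_password, account_id):
    """Client side: stretch the master password with the account id as salt.
    Only this token leaves the device, so neither TLS nor the server ever
    handles the password itself."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               account_id.lower().encode(), CLIENT_ITERATIONS)


def server_store(token, salt=None):
    """Server side: hash the received token again with a random per-user salt.
    A leaked record reveals neither the password nor the login token, and two
    users with the same password get unrelated records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", token, salt, SERVER_ITERATIONS)
    return {"salt": salt, "iterations": SERVER_ITERATIONS, "hash": digest}


def server_verify(record, token):
    """Constant-time check of a presented token against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", token, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def naive_hash(password):
    """The 'vanilla database hashing' the thread contrasts with: one fast,
    unsalted hash, identical for every user who picked the same password."""
    return hashlib.sha256(password.encode()).digest()


def guess_cost_ratio(password="abcd1234"):
    """Rough ratio of the cost of one stretched guess (client + server
    iterations) to one unsalted SHA-256 guess, measured on this machine."""
    t0 = time.perf_counter()
    for _ in range(1000):
        naive_hash(password)
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt",
                        CLIENT_ITERATIONS + SERVER_ITERATIONS)
    slow = time.perf_counter() - t0
    return slow / fast


if __name__ == "__main__":
    # Constructed sample account; nothing here is a real credential.
    token = client_token("correct horse battery staple", "alice@example.com")
    record = server_store(token)
    print("login ok:", server_verify(record, token))
    print("wrong password ok:", server_verify(record, client_token("abcd1234", "alice@example.com")))
    print("same password, two users, same stored hash:",
          server_store(token)["hash"] == record["hash"])
    print(f"one guess costs ~{guess_cost_ratio():.0f}x a plain SHA-256 guess")
```

The verification path is deliberately symmetric with the storage path and uses `hmac.compare_digest` so the comparison time does not leak how many bytes matched; the price of the whole scheme is that a legitimate login is itself slow, which is the accessibility/security tradeoff the thread keeps returning to.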


For the comments criticising the security industry for denying that there's a problem - that's simply not the case.

Pretty much everyone in security now recognises that there's no way to stop the breaches from happening, and that you (and the companies who store your data) need to take steps to a) identify when it happens, so they can respond appropriately, and b) reduce the impact. Behind all of the hype about "advanced persistent threats", nation-state hacking teams and so on is some solid advice about detecting attacks early enough in the process that you can do something about it - not just crossing your fingers, denying reality and pretending that the attack's not going to succeed.

All of the talk above about avoiding password re-use, using password managers, changing passwords frequently and so on are methods of reducing the impact when a website is breached, because we recognise that breaches will happen.

In terms of this not being fixed - website security, certificate authorities, payment card fraud - I think that's far more down to commercial decisions by the major players than anything about the security industry pretending nothing's wrong.
posted by dvrmmr at 12:03 PM on August 6 [1 favorite]


Love this bit-

The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia.

"There is a division of labor within the gang," Mr. Holden said. "Some are writing the programming, some are stealing the data. It’s like you would imagine a small company; everyone is trying to make a living."


Repo Men for the post-2010 world...
posted by jammy at 12:30 PM on August 6


Forgot password only
posted by one weird trick at 2:03 PM on August 6


Cybersecurity experts take Russian hacking scare 'with a pinch of salt'
posted by RobotVoodooPower at 6:58 PM on August 6


(Brian) Krebs on Security: "It's definitely for real."
posted by Chutzler at 9:23 PM on August 6 [1 favorite]


And password agents like LastPass can't integrate usefully with iOS because of Apple's restrictive closed platform, so you're stuck copy-and-pasting awkwardly.

iOS 8 finally provides for this integration. A few days ago, a preview of 1Password in iOS 8 was released and it looks quite good, and also includes Touch ID for unlocking the vault. I assume LastPass will also have similar functionality, as they were pretty optimistic right after the iOS 8 announcement.
posted by zsazsa at 11:50 PM on August 6 [2 favorites]


Ooh, that is neat - although using Touch ID for unlocking the vault seems sort of like a terrible idea, given how easy it is to break that. Touch ID is useful as a deterrent to keep randoms from opening your phone at a whim, not a strong security measure. Even a four-digit passcode is many orders of magnitude more secure. As easy as it would make things, putting my 1Password under the control of the Touch ID seems like it invalidates the whole point of having a password vault.
posted by koeselitz at 12:03 AM on August 7


(For those who aren't aware, here is a neat video showing that Touch ID can be cracked relatively easily. I say "relatively easily" because, hey, not everybody has the materials for chemically etching a fingerprint into a plate just lying around their house; but the materials aren't super expensive, and it IS easier and quicker than sitting around for days on end trying tens of thousands of number combinations. As I said, Touch ID is really a deterrent, not a true security measure.)
posted by koeselitz at 12:15 AM on August 7 [1 favorite]


koeselitz: here is a neat video showing that Touch ID can be cracked relatively easily

Not exactly touch ID, but it reminds me of the time I 'cracked' the biometrics security point guarding a Bank of America branch's safety deposit box vault.

I'd just signed up for the box, and part of signing up was registering my right hand in the hand scanner that made up one half of the two-part authentication scheme for gaining access to the vault. The bank officer was proud of the new technology, and bragged about the extra security it afforded the bank's customers. After the system had scanned my right hand, successfully, and we'd tested to make sure I could gain access with my 'credentials,' I told him I'd like to try it one last time, only this time, rather than holding my right hand, palm-down, over the scanner, I held my left hand, palm-up, over it.

Much to his (and my) surprise, it worked! Either my hands are super symmetrical, the system wasn't very exact, or some combination of the two :)

...

I started using LastPass recently, and am pretty happy with it, so far. The interface isn't awesome, but it doesn't get in the way too much. I'd used a number of password schemes over the years - for the longest time, I incorporated the first PIN I ever had (I got to choose it - 6 digits, back in the mid 90's), mixed in with other meaningful characters and numbers, but no full words or combinations that would have been super easy to guess in a dictionary or brute force attack, at least not way back then, except for on 'less important' sites (i.e. for 14 years, I used a 4-digit number as my MetaFilter password - now it's >20 characters with upper and lower case letters, digits and special characters, thanks to LastPass).

I went through a phase of generating a unique, long, random password for each new site, and saving those to my PC & phone. Also went for a while with a nonsense passphrase consisting of words from multiple languages plus digits and special characters, but that was a PITA, since there are still so many sites that limit the length of passwords and the types of characters you can use in them (for absolutely no good reason). The other problem with both of these solutions was typing them into mobile devices - it sucks trying to type a >20 character random string on a touchpad.

I also use Google Authenticator for 2 factor authentication with my gmail and google apps for business accounts, I use OAuth2 for some services, and all of my mobile devices and PCs require a pin or password to unlock, as well.

Fortunately, I've never been hacked, that I'm aware of. I'm hoping LastPass, 2-factor authentication and PINs / passwords on my mobile devices and PCs will help me continue that streak well into the future.
posted by syzygy at 4:37 AM on August 7


My previous comment was posted at 1337/LEET o'clock in my timezone :)

Also s/i.e./e.g./ :S
posted by syzygy at 4:46 AM on August 7


syzygy: "there are still so many sites that limit the length of passwords and the types of characters you can use in them (for absolutely no good reason)."
Yes. If there are any restrictions on passwords apart from a required minimum length, you can safely assume that whoever coded the backend has no idea how to store passwords securely.
posted by brokkr at 7:04 AM on August 7 [1 favorite]


Why We Might Be Stuck With Passwords for a While. By Tim Bray. It's a pretty high level piece (Time Magazine), but does a good job conveying the state of the authentication implementations right now.
posted by Nelson at 8:56 AM on August 7 [1 favorite]


The Lie Behind 1.2 Billion Stolen Passwords - how Alex Holden told a story to the New York Times, how the NY Times poorly corroborated said story, how Alex had a friend chime in to talk about his character, and how that story spread like wildfire
posted by Lanark at 11:38 AM on August 8 [4 favorites]


(Brian) Krebs on Security: "It's definitely for real."

Krebs is not exactly an independent voice here. If you read the article Lanark links to it looks like he's been working in tandem with Holden for a while now, publicizing his "finds". He's even listed as a "Special Advisor" on Holden's website.

"Would you believe...one password I found written on a Post-It note attached to a monitor at my local Best Buy?" - Max Smart
posted by scalefree at 3:26 PM on August 8


Ooh, that is neat - although using Touch ID for unlocking the vault seems sort of like a terrible idea, given how easy it is to break that.

I like that people think that touch ID is somehow ridiculously insecure. When you need a lot of silly things and knowhow to actually crack it, and it's infinitely better than the "cutedog2" passwords 90% of people use.

I'd argue it's stronger security than most people already have, and disparaging it for not being Super Duper Good Security is really sending the wrong message to a lot of people, for whom using a bunch of randomly generated passwords, a password manager, and that would be an enormous upgrade.

Now you need physical access to the device and a solid fingerprint to even think about cracking that stuff (and knowhow, and time, and materials). It seems delusional to not think that's a big step up from just cracking an email account that has the password "penis12" or something.

If you think there's that much overlap between people who steal iPhones and people who would do that unless you're Edward Snowden, then I think you're pretty much a tinfoil hatter.
posted by emptythought at 5:41 PM on August 8


I never said that Touch ID was "ridiculously insecure." I gather you didn't actually read my comment. "Stronger security than most people have" is great, but if people are already picking awful passwords, they're not going to use Touch ID. Like I said above, one of the more annoying and pernicious problems in Internet security is that people are apparently unwilling to face the fact that people will crack accounts for many different reasons. You scoff at the idea that anyone anywhere would crack Touch ID, but I personally know people who've had their identity stolen by folks who nabbed their iPhone. If the people who steal identities knew that it takes ten minutes to crack an iPhone 5s even if it's locked, they'd do it a lot more often. And if the materials to do so are refined and made more available - which is imminently probable, given the way technology works - then that becomes even more likely.

This is absolutely no aspersion on Apple or their systems at all, by the way. Touch ID is a useful thing, and it's great at what it does - prevents random people from opening up your phone. That is what they advertise it for, and that is what it's great for.

What you don't seem to want to understand is that there are those of us in the actual real world with jealous boyfriends and angry ex-husbands and disgruntled co-workers and unhinged neighbors and other people like that who are actually willing to do things like this.

Good security is about education.
posted by koeselitz at 10:42 PM on August 8 [1 favorite]


From Lanark's link:

I would almost go so far as to suggest that he has obtained access to multiple forum systems on TOR that require verification of l33t-krad-LoD-versus-MoD status

I've been all over TOR & never had to pull that one out.

That’s how Alex Holden told a story to the New York Times, how the NY Times poorly corroborated said story, how Alex had a friend chime in to talk about his character, and how that story spread like wildfire – kind of like Back Orifice in the days of cDc. God, I miss cDc.

We miss you too, buddy.
posted by scalefree at 6:23 AM on August 9

