Dropbox (not) hacked, but hackers claim 7 million accounts for sale
October 14, 2014 12:51 AM   Subscribe

ArsTechnica: "7 million Dropbox username/password pairs apparently leaked" Reports started to come in late Monday evening about the cloud file storage service Dropbox having been "hacked" by a group that was offering up the complete list of millions of email+password combinations for Bitcoin donations. Later reports, including a statement by Dropbox, point to the potential list being several million combinations culled from various third-party sites, and then tested against Dropbox.

From Dropbox's statement (emphasis mine):
"The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

"Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account."
Wikipedia: Two-step Verification.
posted by Celsius1414 (79 comments total) 10 users marked this as a favorite
 
You can test stolen accounts against literally any service with some success. The media's only complaint is that the hackers aren't more diligent so they can release more non-stories.
posted by michaelh at 12:56 AM on October 14, 2014 [2 favorites]


Oh then when I heard half the story, and I changed my (one-off, lastpass-generated) password it was all for nothing.

Oh well!
posted by aubilenon at 1:00 AM on October 14, 2014 [1 favorite]


aubilenon: "Oh then when I heard half the story, and I changed my (one-off, lastpass-generated) password it was all for nothing."

Two-step verification is also recommended for news stories.
posted by Bugbread at 1:28 AM on October 14, 2014 [58 favorites]


This isn't so much a non-story, though. People need to know that they should stop using the same password for every service and site.
posted by koeselitz at 1:29 AM on October 14, 2014 [4 favorites]


It's a clever attack. Yeah Dropbox can say "you dummies don't reuse passwords". OTOH everyone reuses passwords. And now Dropbox has a serious problem, 7 million users with exposed files.

Password authentication is fundamentally broken. We need to move to two factor for very important sites like your email, and federated login like OpenID, Facebook Connect, Connect with Twitter, etc for less important things.
posted by Nelson at 2:03 AM on October 14, 2014 [6 favorites]


It's a clever attack. Yeah Dropbox can say "you dummies don't reuse passwords". OTOH everyone reuses passwords.

I don't, anymore, because I did two things:
1. I keep a list of passwords and sites I use them to, and manually add to it when I join a new site, and look things up myself when I need to. The existence of the list is, of course, a security risk. But if I didn't, I'd forget them all, and at least it's in a form that it's difficult for a program to use automatically.
2. I learned to enjoy the act of making up random nonsense words to use as passwords.
posted by JHarris at 2:26 AM on October 14, 2014 [1 favorite]


You can make your life a lot easier if you use LastPass or 1Password to keep your list of passwords for you. I've done that for years now and it works pretty well, but it's still a horrible kludge where the "login protocol" is guessing which part of the HTML form to shove some text into with a browser extension. Also it's a mess on mobile devices, although iOS 8 finally allows browser extensions so it's a tiny bit better.

Still, there's better technical solutions than passwords. The industry needs to get with it.
posted by Nelson at 2:59 AM on October 14, 2014 [8 favorites]


+1 for the use of a password manager, for the love of all that is sane!

They're inexpensive (versus the risks of password re-use), simple and - for the most popular ones - increasingly able to sync to multiple devices. Bringing one into your daily workflow is truly not an inconvenience when you consider the mere seconds it takes to retrieve the login details.

While popular authentication models might seem broken, people's continued, wanton disregard for widely cautioned, common sense risks is demonstrably broken behavior (albeit, classically human). Ironically, some of the most common abuses I see are among tech colleagues who damn well know better!
posted by Lesser Spotted Potoroo at 3:15 AM on October 14, 2014


Everything gets broken under some condition or another, not least of which is the cost/benefit calculation. How many circumstances exist where your Dropbox account contains something that may ruin your life? Even naked pictures and credit card numbers aren't strictly life-ruining. I care enough about my privacy to use a password manager; I don't care enough to use two-factor because I haven't yet found a system I like and that's not vulnerable to getting lost/broken at a higher probability than an actual breach. I want Dropbox to take security in general seriously; I'm glad they aren't requiring me to use two-factor to protect a boatload of old law school notes, some RPG documents, and some old completely boring pictures.
posted by Sequence at 3:16 AM on October 14, 2014 [2 favorites]


The reason I don't use a password manager is because it, itself, is software, and thus vulnerable to being hacked.
posted by JHarris at 3:27 AM on October 14, 2014 [10 favorites]


KeePass is free and lets you define which HTML element is the user name and password field. It doesn't have a centralized file database that lets you sync across multiple devices, but I use SpiderOak to do that for me.
posted by Apoch at 3:42 AM on October 14, 2014 [7 favorites]


Fair point, JHarris, but I suggest literally every security measure is vulnerable to being hacked, eventually. The best anyone can do is take steps to make themselves less of a soft target. Hacking (cracking), after all, requires effort and if you can make the effort greater than the potential (and often unknown) reward, you stand a chance of the would-be attacker moving on (or you/community detecting something unusual and reacting).

A software-generated, unique (at least between my various logins) random string of >10 characters for each password is better than any human password-generation scheme I've come across so far. The small amount of security literature I've read to date suggests that human schemes show far more predictability than we would like to believe.

Sure, there is the "master password" vector but if you take it seriously, that password should also be truly random and you're going to make the effort to remember (and never share) it.
posted by Lesser Spotted Potoroo at 3:45 AM on October 14, 2014 [1 favorite]


This is exactly how i expected them to monetize that giant russian password list. Do this one site at a time, every couple months, for essentially forever.

That, and for unlocking icloud locked stolen iphones. Thinking about it, other than something you can extract money from like a dwolla account or something i bet apple ids and file storage are the two juiciest things to test that list against.
posted by emptythought at 4:11 AM on October 14, 2014 [1 favorite]


This sounds an awful lot like the story we saw a few weeks ago of, "OMG 20 GAZILLION GOOGLE ACOUNTS HACKED!!!" which turned out to be pretty much the same thing. Who keeps pushing these sensationalized non-stories?

Also, if we're going to talk password managers, you should at least look at what crpytographers have to say about them (KeePass does not come out looking good here).
posted by indubitable at 4:39 AM on October 14, 2014 [8 favorites]


DropBox was designed to leak user data like this. If you want secure storage, then use SpiderOak or roll your own with Tahoe-LAFS.

Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google
posted by jeffburdges at 5:12 AM on October 14, 2014 [5 favorites]


I just use my social security number for all my passwords, then every time there's a major security breach somewhere I take out a nice big loan and blame it on the "hackers". It's a fool-proof plan with absolutely no flaws or risk on my end and those who argue otherwise are just jealous that they didn't think of it first.
posted by item at 5:38 AM on October 14, 2014 [15 favorites]


Edward Snowden’s Privacy Tips: “Get Rid Of Dropbox,” Avoid Facebook And Google

Similar tips here, including a Faraday bag for phones, and downloading a new service that shows who is tracking you as you surf the internet.
posted by Brian B. at 5:45 AM on October 14, 2014 [1 favorite]


I have very strong passwords for financial stuff, and things that can be used to hijack my identity: email, social networks, domain registrations. But honestly, there are just too many. I have over 200 strong passwords stored in a password manager, and I only use that for things that really matter.
posted by Nothing at 5:53 AM on October 14, 2014


I have very strong passwords for financial stuff

I've heard stories from people who say their bank's site won't accept non-alphanumeric characters in their 8 character passwords. That is time for a new bank, there.
posted by thelonius at 5:55 AM on October 14, 2014 [1 favorite]


What is cool these days is that more and more when I hear about an exploit that might involve me, when I check it out I already have an entry in my password keeper with a stupidly random password and two factor auth already enabled.
posted by clvrmnky at 6:24 AM on October 14, 2014


Even naked pictures and credit card numbers aren't strictly life-ruining.

I can think of a scenario where someone else puts naked pictures into your hacked Dropbox account, and the possession of those pictures carries a jail sentence. From what I read in the news, Dropbox actively fingerprints your files and reports such activity to law enforcement. That would be a pretty shitty form of online harassment.
posted by RobotVoodooPower at 6:43 AM on October 14, 2014


Fair point, JHarris, but I suggest literally every security measure is vulnerable to being hacked, eventually.

They are, yes. I put a human element into it, not to make security perfect, but just to make it harder. Also, it means whenever I create a new account somewhere, I have to spend a couple of minutes taking steps to add the log in name, password and website address into my password text file. That extra overhead helps me keep the rate at which I make new accounts down. I do keep my password file sync'd between machines, but considering that the file is manually and idiosyncratically constructed, at least automatic password harvesters have to deal with all my human cruft getting in the way of extracting that juicy data.

I'm amazed attackers haven't started going after password managers yet. It might be that they're not in popular enough use to be worthwhile targets.
posted by JHarris at 6:44 AM on October 14, 2014


OTOH everyone reuses passwords.

Keepass and Msecure and their ilk do a good job of eliminating duplication, and they need to be promoted a lot more heavily than they are. Everyone knows you need malware protection software ("AV"), but modern, secure password management is an afterthought or a "nice to have."

No, it's a serious issue, and a "need to have or get hacked" situation.
posted by Slap*Happy at 6:48 AM on October 14, 2014 [1 favorite]


Also, if we're going to talk password managers, you should at least look at what crpytographers have to say about them (KeePass does not come out looking good here).

That paper talks about what happens if the attacker gets the password manager database. Well, no crap, you're screwed then. But most of the time, that's not the threat; the common threat is that the site you're using has been compromised and the attacker harvests the easiest passwords from it.
posted by Jpfed at 6:52 AM on October 14, 2014 [1 favorite]


Really, if you're at all worried about the security of your documents, do not use Dropbox!

By hiring Condoleeza Rice, one of the architects of America's surveillance program, they are sending a practical message - "We will gladly cooperate with the government". By using it, you're trusting that the undisclosed backdoors that are thus within their system will never be misused... you might as well believe in unicorns.

Since she was also one of the architects of the Iraq War, and unrepentant about both of these, they're also sending an ethical message - "We have no ethics."

I deleted my Dropbox account the moment they got Rice in, and I won't even click on their links. Yes, it's tiny, but I won't do business with such entities.
posted by lupus_yonderboy at 7:00 AM on October 14, 2014 [3 favorites]


I'm amazed attackers haven't started going after password managers yet. It might be that they're not in popular enough use to be worthwhile targets.

Some things to keep in mind:

Password Managers: Attacks and Defenses (2014)

The Emperor's New Password Manager: Security Analysis of Web-based Password Managers (2014)

Bruce Schneier: Security of Password Managers (9/5/14)
posted by ryanshepard at 7:01 AM on October 14, 2014 [4 favorites]


If you want secure storage, then use SpiderOak

What makes it any better than DropBox?
posted by Steely-eyed Missile Man at 7:08 AM on October 14, 2014


SpiderOak might not be perfect, but they at least appear to take privacy much more seriously than Dropbox. The main advantage is zero-knowledge privacy:
'Zero-Knowledge' privacy means the server NEVER knows the plaintext contents of the data being stored. Never. Your data is never at risk of being compromised or abused by internal threats or external hackers. Never.

So, for example, SpiderOak has a web client, but they say upfront that you shouldn't use it if you are concerned about privacy, since that would need your data to be (temporarily) decrypted, and available to snooping, on their server.
posted by theyexpectresults at 7:17 AM on October 14, 2014


What makes it any better than DropBox?
An actual commitment to real security? They try (and appear) to implement zero-knowledge encryption, in which they do not ever hold the encryption keys to your data. It is encrypted on your machine before it touches the wire. They've historically been very open about where the holes in their model are, such as telling you about how accessing files via the web GUI requires you to send your key to the server: i.e., don't do that if you want your key to remain only in your hands. They've implemented a warrant canary that requires multiple signatures from a pool of their agents. Etc. Etc.

If you don't have the chops or desire to run a Tahoe-LAFS installation of your own, SpiderOak is probably the next-best thing.

Security is Hard, and solutions like Tahoe-LAFS and SpiderOak aren't perfectly secure. But DropBox doesn't even fucking try.
posted by introp at 7:21 AM on October 14, 2014 [2 favorites]


How many circumstances exist where your Dropbox account contains something that may ruin your life?
Using Dropbox for something which is that important would be like Dropbox using Big Yellow for their offsite backups.
posted by fullerine at 7:23 AM on October 14, 2014


That paper talks about what happens if the attacker gets the password manager database. Well, no crap, you're screwed then.

No, that is definitely not a "no crap" outcome. KeePass spends considerable effort to appear to securely encrypt your password database, even going so far as to allow you to use a randomly generated key along with passwords to provide a kind of 2 factor authentication. If you can't rely on it to actually be secure, then you can't, e.g., store it on a cloud service and sync it with your other devices.
posted by indubitable at 7:38 AM on October 14, 2014


Even naked pictures and credit card numbers aren't strictly life-ruining.

I think that could depend a lot on what you consider life-ruining.
posted by maryr at 7:48 AM on October 14, 2014


While we're on the topic of zero knowledge encryption and cloud storage, Tarsnap is another provider to look at.
posted by indubitable at 7:52 AM on October 14, 2014 [1 favorite]


JHarris: The reason I don't use a password manager is because it, itself, is software, and thus vulnerable to being hacked.

What a coincidence! That's the same reason I don't lock my doors - physical locks can be picked!
posted by IAmBroom at 8:04 AM on October 14, 2014 [4 favorites]


While we're on the topic of zero knowledge encryption and cloud storage, Tarsnap is another provider to look at.

Yes, absolutely. As long as you're not afraid to get your hands a bit dirty at the command line, they seem like a great service.

But, and this is a HUGE but: their account deletion policy is simply insane.

What happens when my account runs out of money?
You will be sent an email when your account balance falls below 7 days worth of storage costs warning you that you should probably add more money to your account soon. If your account balance falls below zero, you will lose access to Tarsnap, an email will be sent to inform you of this, and a 7 day countdown will start; if your account balance is still below zero after 7 days, it will be deleted along with the data you have stored.


That's straight from the FAQ. So, two emails - two emails - and your entire backup is flushed. Emails get caught in spam filters, people go on vacation, prepaid balances fall to zero - and the penalty is your entire backup archive deleted.

Sorry, that's just nuts.
posted by RedOrGreen at 8:04 AM on October 14, 2014 [1 favorite]


I can't believe Dropbox under that circumstance wouldn't also know where Dropbox was being accessed from when the file in question was uploaded, that sort of thing. But even so. That's like saying--someone could break into my house and do that with my computer! Yes, they could. It would not be smart of me to go through my whole life operating under the assumption that I needed to protect myself from this possibility, actively, at all times.

I think that could depend a lot on what you consider life-ruining.

There are certainly exceptions with the photos--politics, or that the naked photos in question were actually of you and someone not your spouse, or whatever--but, again, it could make for a bad time, but the chances of it happening if you're not being specifically targeted are, again, really small. Conversely, my credit card number has been compromised twice in my adult life, and both times I filed paperwork with the bank and got my money back and it was really not a disaster. I wouldn't upload my bank account numbers and my credit report and scans of my identifying documents and my SSN to Dropbox--but I don't really know who would, I guess.

So, two emails - two emails - and your entire backup is flushed. Emails get caught in spam filters, people go on vacation, prepaid balances fall to zero - and the penalty is your entire backup archive deleted.

The thing about backups is that they are not backups if they are your only copies of the files in question. If they aren't, you might be talking some annoying re-upload times, but not disaster.
posted by Sequence at 8:18 AM on October 14, 2014


IANASecurityExpert, but this is what I do because I don't want to deal with a pass manager/generator tool. Come up with two short, non-dictionary strings (at least four characters each). Make sure there are two numbers in there; if a site requires a "special" character, just make it the shifted version of the second number.

For each site, come up with a short, representative string (e.g., "fb" for Facebook). Your password is the first string + the site string + the second string, so it might look something like Mb82fbrypm for Facebook, Mb8@etrypm for your eTrade account, Mb82goorypm for Google, etc.
posted by aaronetc at 8:48 AM on October 14, 2014 [2 favorites]


DropBox was designed to leak user data like this. If you want secure storage, then use SpiderOak or roll your own with Tahoe-LAFS.

One problem is that if you are not a computer person (programmer, etc.) you are not that likely to find or easily implement the more obscure/complex solutions. It really depends on what you are storing. My DropBox pro account is full of legal documents, photos, study notes, etc. and it's very convenient for those things. Things that aren't on there (and that don't exist at all in my case): illegally obtained music/video, naked pics, stuff the government doesn't need to know about me, etc. So yeah if you have more intense security needs ... but other than a few financial documents, things I don't want people to know about me pretty much don't exist anywhere in digital form. But maybe that's because I'm old.
posted by freecellwizard at 8:53 AM on October 14, 2014 [1 favorite]


This may sound like a silly question, but I am not as a interested in this topic as others and as a result do not understand it as much: what's the upside to hacking into my stuff? I can understand trying to get my bank account number and credit card numbers because you want my money. But what the hell does anyone want with my pictures, drafts of documents I typed up, notes, shopping lists, etc? Is it worth it to anyone to go through my stuff? Let alone scan through millions of other people's stuff too? Assuming my "stuff" does not contain bank account or credit card numbers, does the rest of it have any value to anyone else besides me?
posted by dios at 8:54 AM on October 14, 2014 [3 favorites]


JHarris: The reason I don't use a password manager is because it, itself, is software, and thus vulnerable to being hacked.
What a coincidence! That's the same reason I don't lock my doors - physical locks can be picked!


Oh for the love of.... I don't use a password manager, but I do use separate passwords for web sites, and I make them up out of nonsense. I just do what the password manager would do, except manually. Which I said! Sheesh.
posted by JHarris at 8:59 AM on October 14, 2014


One data point pointing toward an actual leak, I give out a custom email address to every single website I sign up for (dropbox@[mydomain].com), and dropbox is one of the few ones that I had to blacklist the email address I gave. Multiple spammers/phishers have been sending spam to that address since earlier this year.
posted by burnmp3s at 8:59 AM on October 14, 2014


Do you have kids? A number of moms I know don't want kids' pics on line. Have your kids ever been bullied? Have you or a spouse ever had a stalker? A nasty neighbour dispute?

Do you do anything sensitive professionally? Has work stuff ever gone to your personal email account for any reason? Do you simply like to keep your personal and professional lives separate? Would it be a bother or worse if your comments here were ever brought up in your workplace?

Do you have sensitivities about sharing medical information online? Would it affect your work, clients or social relationships? Have you ever sought advice or help for addiction or mental health issues?
posted by bonehead at 9:03 AM on October 14, 2014 [1 favorite]


No thread about Dropbox security is complete without reminding everyone about that time they accidentally turned off passwords completely.

Trusting them with any data whatsoever after that amateur league mistake requires a capacity for forgiveness that I do not possess.
posted by zjacreman at 9:03 AM on October 14, 2014 [3 favorites]


bonehead: the answer to those questions are all yes. But my question is a little different than that. Why would someone take the time to go through all my stuff and do anything with it? I certainly wouldn't want them to do it. But why would they want to do it?

I assume someone wouldn't click through my dropbox account item by item and think "I bet this person I never met before wouldn't want me to make public this picture/journal entry, so I am going to do that!" I assume someone wouldn't go through the time of reading a 50 page rough draft of a response to a motion I had written and make some conclusions about it. Thus, I suspect no one would make an individualized inquiry into my stuff.

So I am left to think that all they would want to do is dump it all some place to make it publicly available. That goes back to my question: what's the upside to doing that for them? What do they get out of it? Moreover, say there is a data dump of all my stuff. Why would anyone else want to comb through that dump? Sure, I wouldn't want the second link of a google search for me be a draft of a motion I had written or a picture of me and my kids making snow angels. But would that even happen if all my stuff is dumped somewhere?
posted by dios at 9:21 AM on October 14, 2014


dios: There's all kinds of theoretical stuff, but with things like this, the value isn't in your username/password specifically, it's in having huge quantities of usernames and passwords, then trying to flip through and find easy stuff like credit cards, maybe--but even more than that, these have now been confirmed against Dropbox and one other site. The odds go up significantly that the same combination's in use elsewhere. It's like credit card numbers in general--one store clerk might try to take a copy of your card number to use online hoping they wont' get caught or something, but when someone hacks something to get tons of them, they aren't really planning on using them all. They resell them for a pittance. That person might, say, check to see which ones in their batch actually seem to work, and resell those. That person might use them for a bunch of smaller transactions and hope they go through, instead of a smaller number of larger ones that could get flagged. Whatever. Aggregation is where the value is, unless someone is targeting you specifically.

However, you could get targeted specifically for any number of reasons, like, as mentioned a couple threads down, posting a couple funny meme images making fun of GamerGate. So there's that.
posted by Sequence at 9:37 AM on October 14, 2014 [2 favorites]


JHarris: “The reason I don't use a password manager is because it, itself, is software, and thus vulnerable to being hacked... I'm amazed attackers haven't started going after password managers yet. It might be that they're not in popular enough use to be worthwhile targets.”

Or – password managers are often just not very vulnerable. Which ought to be the case, fairly obviously, right? Take the simplest type of password manager: a text file which I encrypt myself and keep on my desktop. If the encryption is sufficiently strong – and it is trivially easy to get encryption that is sufficiently strong – then it will be literally impossible for an attacker to break the encryption on that file. The only way for an attacker to access the contents of that file would be for them to install a keylogger on your system – in which case it won't matter whether you use a password manager at all, since then it's possible to simply capture your passwords as they're typed in. Even if you put the encrypted file in a public place, it isn't really vulnerable at all, so long as the encryption is strong enough.

IAmBroom made the point rather more snarkily than I would have, but it is a good point: it makes very little sense to pretend that all software is equally vulnerable. And acceptance of the limitations of software is necessary, yes; but password management is not about rejection of software as software, it's about reasonable understanding of risk in various situations.

All else aside, when Bruce Schneier is recommending that people use password managers, they can't be that bad an idea.
posted by koeselitz at 9:38 AM on October 14, 2014 [2 favorites]


password managers are often just not very vulnerable

Password managers are designed to be secure, unlike crappy consumer websites. A password agent is definitely an all-your-eggs-in-one-basket approach, and certainly a risk. So far so good though, the worst I've recalled happening is in 2011 when LastPass had some unexplained traffic. (There was no evidence of a specific leak, but in an abundance of caution they took precautionary measures.)

I have over 400 passwords regularly used in LastPass. If you're some superhuman who can really maintain a paper list or an algorithm for that many sites, then yes, you'll certainly be more secure not using an agent. But back when I used to do that, I realized I was using the same password for "less important sites", which ended up being 90% of them, some of which (like DropBox) started out as unimportant and then became important, putting me at risk. Works better for me to use LastPass. Even then I have a few very important passwords committed solely to memory.

But again, passwords in general are a stupid, bad design for authentication. There are much more secure mechanisms possible that the tech industry hasn't adopted widely because of market forces. It's maddening.
posted by Nelson at 9:44 AM on October 14, 2014 [2 favorites]


Dios, consider: criminal syndicates generate lists of accounts/emails and monetize by selling retail to doxxers or simply peeping toms. This is what happened with the recent release of intimate pictures from various celebrities. Is there anyone out there unscrupulous or desperate enough to pay a fee for access to your personal info, specifically? There's a developing black market that hopes so.
posted by bonehead at 9:45 AM on October 14, 2014


One thing I learned after purchasing 1Password is that it's not just a password manager, it's an encrypted, distributed data vault. They've built it to hold not just passwords but any kind of document. So now, from my smartphone, I can securely access scans of my family's passports, all of my credit cards, social security cards, health insurance cards. I plan to add birth certificates, marriage certificates, our wills etc. Sure you can roll your solution to do this - and for many years I've been planning to do just that - but 1Password makes it incredibly easy. Just pick a strong passphrase and only a government could come up with enough resources to crack it.

I know this isn't really the topic we're discussing but there are other fringe benefits to using a password manager.
posted by exhilaration at 9:48 AM on October 14, 2014 [2 favorites]


The recent analysis of password managers isn't an indictment of the concept, but a call to arms for developers to get their act together. There are no in-the-wild attacks involving password managers (yet!), and those papers referenced by Schneier means there likely won't be - so long as the developers work to fix architectural problems.

In the meantime, defense in depth further reduces vulnerability - the attacks rely on a malicious web server + compromised DNS. It would need to be an elaborate watering hole attack or APT, and a modern content filtering solution (client side or a firewall with a modern UTM engine) can help sniff out and squash that.

tl;dr - use a password manager. The reports of their vulnerability are overblown, and those vulnerabilities can be mitigated.

Eventually, we'll want to retire passwords altogether.
posted by Slap*Happy at 10:21 AM on October 14, 2014 [2 favorites]


Nelson: If you're some superhuman who can really maintain a paper list or an algorithm for that many sites, then yes, you'll certainly be more secure not using an agent.

Don't need to be super-human to do this.

Pick your favorite song lyric, or movie quote, or whatever. Let's say it's "Frankly, my dear, I don't give a damn!"

first letter of each word, capitalize the first one, use "1" for I. (if there are no "I"s in the quote, choose "3" for "E" or whatever suits.)

Fmd1dgad!

Now, insert the name of the website in all caps where it would best fit in the sentence:

"Frankly, my dear Metafilter, I don't give a damn!"

Becomes

FmdMETAFILTER1dgad!

your gmail password?

FmdGMAIL1dgad!

Banking?

FmdCHASE1dgad!

Shopping?

FmdAMAZON1dgad!

You have caps, a number, and a punctuation mark, and you can remember thousands of passwords without repeating a single one.
posted by tzikeh at 10:26 AM on October 14, 2014 [2 favorites]


And the moment one of your passwords is compromised because some website operator didn't properly encrypt their password store, someone can trivially guess most of your other passwords!
posted by introp at 10:30 AM on October 14, 2014 [5 favorites]


introp: And the moment one of your passwords is compromised because some website operator didn't properly encrypt their password store, someone can trivially guess most of your other passwords!

I didn't say it was foolproof against hackers (nothing is); I was just refuting the argument that you would have to be superhuman to memorize thousands of passwords :)
posted by tzikeh at 10:32 AM on October 14, 2014


And if you need to change your Metafilter password go to algorithm #2? What about sites that only allow 8 characters per password? Remember to truncate, I guess. And if a site refuses to accept a ! just leave it off, and if the site requires 2 or more punctuation then well remember it's !!. Hopefully none of the sites you visit do the wrong thing with passwords with capital letters.

These are not theoretical concerns, these are real things that really happen because some websites are so shitty. I've tried the algorithmic approach, I had to give up.
posted by Nelson at 10:33 AM on October 14, 2014 [6 favorites]


I've had my own algorithmic approach for a while, but I've been replacing it with computer-generated 10-14 character random passwords after I found that I had enough accounts that I was starting to get dupes on the relatively unimportant ones.

But this seems like the time to dump any minor accounts and get started fresh with a password manager. What I like about 1Password is that it supports Mac, Windows and iOS/Android (am developer, have all of these). In addition, you can sync all passwords via your own WiFi network (properly passworded, of course) instead of using Dropbox or iCloud. That's worth $70/year, I think.
posted by maudlin at 10:43 AM on October 14, 2014


The problem with password managers is that a) they compromise *all* your passwords at once if hacked, b) they are extremely attractive targets to hackers, so you can assume a lot of personhours are being directed at them, and c) you have little view into what is going on with them. And it's not just cracking attempts you have to worry about; there have been cases where people brought out a company and then started adding malware to the software.

Now, I have other singlesite vulnerabilities that could compromise a large number (though not all), Gmail most notably, but I use Gmail constantly so if I suddenly can't get in because of a password change or if I see password resets appearing in my account, I know to immediately contact support to have it locked and change all my key financial passwords. I have no such warning from a password manager.

I don't think it's unreasonable to use a password manager, but all the people going "it's the one and only solution" are well, wrong.
posted by tavella at 10:46 AM on October 14, 2014 [1 favorite]


I still use hash-based passwords. A one-way hash generates a unique random password based on my key and the site name. The advantage over LastPass or OnePass is that there's no app to install so I can easily use it on my work computer and there's no cost and it works fine offline. The disadvantage is that there's no central list of all my accounts, which can make it confusing to change (is this one on the new password or the old password or the one before that...).
posted by miyabo at 10:48 AM on October 14, 2014 [1 favorite]


miyabo: how do you run the hash algorithm? And what do you do if you have to change the site password? I used to use PwdHash in the long long ago but it basically required software (the hasher), couldn't change passwords, and wasn't flexible enough to deal with sites' random password strength requirements.

I really think the password store agents are the best option at the moment. They do have a pretty good security model, your passwords are hashed so that only you have access to the plaintext. Compromising the agent software itself is the attack vector I'm most worried about, but that's about equal to someone planting any other exploit on your system, like a keystroke logger or memory sniffer.
posted by Nelson at 10:53 AM on October 14, 2014


I use angel.net's password generator (http://angel.net/~nic/passwd.sha1.1a.html), although I also tried PwdHash. I haven't yet had a problem with inadequate password complexity. Changing passwords is a huge pain though, you have to keep a separate list of all your accounts and which password iteration they're set up on.

A lot of people use Password Safe, which is like LastPass but totally non-cloud-connected and open-source (and well reviewed). My only issue with that is that it's hard to keep the file synchronized across many computers.
posted by miyabo at 11:03 AM on October 14, 2014 [1 favorite]


When I used pwdsafe, I synced the keyfile through dropbox. Otherwise, forget it. We use a hardware assisted thing at work and the big challenge is simply getting people to use it instead of stickynotes or plaintext files.

Usability is a big deal with these things. Even copying and pasting twice each time is a pain in the ass. That's why Lastpass and others which autofill are so popular, especially on mobile where everything is just that much more of a pain to do.
posted by bonehead at 11:06 AM on October 14, 2014


Also my big worry with password managers is that there is a back door in the agent software. That was the big problem with Hushmail, the government was able to force them to push an update that completely destroyed the security of their software. I don't understand why people believe that password managers don't have this problem.
posted by miyabo at 11:06 AM on October 14, 2014 [1 favorite]


tavella: “The problem with password managers is that a) they compromise *all* your passwords at once if hacked, b) they are extremely attractive targets to hackers, so you can assume a lot of personhours are being directed at them, and c) you have little view into what is going on with them.”

This is true (somewhat) if you're talking about third-party password managers. But if hackers enticed by the "extremely attractive target" of the passwords in a (say) PGP-encrypted file put enough personhours in to manage to actually break PGP encryption, I would be really interested to see that. Because at the moment it seems pretty firmly in the realm of the impossible.
posted by koeselitz at 11:06 AM on October 14, 2014


miyabo: “Also my big worry with password managers is that there is a back door in the agent software. That was the big problem with Hushmail, the government was able to force them to push an update that completely destroyed the security of their software. I don't understand why people believe that password managers don't have this problem.”

They don't appear to yet. This is why security researchers study them closely, though. And that's a good thing.
posted by koeselitz at 11:07 AM on October 14, 2014


I wonder if this is related: Report: Thousands of Snapchat pics leaked online
posted by Chocolate Pickle at 11:11 AM on October 14, 2014


What about sites that only allow 8 characters per password?

Ugh. Just don't use those sites unless there's no choice. Sites that have a limit as small as 8 -- or restrain which characters can be in a password -- are part of the problem, and should possibly be advertised on a list of shame somewhere.

There's a good chance that such sites are storing passwords in cleartext, because when you're hashing a password, cleartext length and content don't really matter from a storage perspective. And even if they're not, they're keeping people from better security habits.

If one of those sites turns out to be essential for some reason, you probably shouldn't trust them with information of any kind (let alone sensitive info) and maybe even patronage. So first see if you can find a competitor.

If for some reason you still want/have to use it, either a password you don't care about anyone discovering or a unique password kept in a password manager is a good idea.

And the moment one of your passwords is compromised because some website operator didn't properly encrypt their password store, someone can trivially guess most of your other passwords!

Yeah, that's a problem, but there are ways around this. I think the best is probably to come up with a simple hash function you can do in your head on the site name. Combined with the noise of the rest of the password it's going to be non-trivial to figure out what other site passwords are (unless the attacker has multiple cleartext passwords to compare).

Throw in a few different base passphrases so your eggs aren't all in one basket -- at least two different base phrases for financial and key personal communications sites, another for middling important sites, another for random internet participation where you won't really lose anything if someone hacks you.

This is overhead a lot of users won't/can't do, though, and a password manager or offline paper password book is probably better in that case.
posted by weston at 11:15 AM on October 14, 2014


I wonder if this is related: Report: Thousands of Snapchat pics leaked online

No - the Snapchat photos were leaked via an attack on a 3rd party client that may have happened months ago.
posted by ryanshepard at 11:28 AM on October 14, 2014


You have caps, a number, and a punctuation mark, and you can remember thousands of passwords without repeating a single one.

Yeah, this is not a good idea. After getting a single one of your passwords (due to one site with poor storage/salting) it would be pretty easy to figure out the other ones. Oh gee, the name of the site is right there in the middle ... could we replace that with the names of other sites and then try them? Yes, yes we could — easily and automatically. That is bad.

Also, using a popular song lyric or movie quote as a password is doubly bad, because any reasonably-intelligent attack is going to hit that long before they're going to hit a random string of the same length, or even a combination of random words. Song lyrics are an almost ideal corpus to feed into a password-cracking tool. (And tossing some digits onto the end doesn't really improve things.)

You should not use as a decent password any string of words which have ever been used ever before anywhere — it should be unique, not just obscure — and it definitely shouldn't be something that exists somewhere on the public internet (lyrics or movie-quote databases) that someone could and probably has already scraped and has sitting around ready to feed into a cracking tool.

Yes, this makes passwords hard to remember. Especially if you are working with some 1970s-era maximum-length constraint (which is why anyone with a maximum-length requirement that's under 64 or 128 characters should be tarred with year-old Jolt Cola and feathered with server-rack dust bunnies). If you use a password manager, though, you can reduce down the number of "good passwords" you need to remember to just a few.

Personal recommendation which I believe is consistent with best practices, in rough order of importance:
  • Use one very high-security password (e.g. Diceware derived) plus Two Factor for Gmail or you other main email account; use it nowhere else. Be sure to set up the reset methods correctly (e.g. print those wallet codes and keep them safe).
  • Use another high-security password for your password-manager's encryption of its database. PasswordSafe (Win) or Password Gorilla (Mac/Linux) are open source and have a good security track record. All your website passwords go in here.
  • If you don't want to deal with multiple copies of the database on multiple computers, you can use a service like Dropbox to sync the (encrypted) database file, but it's probably a good idea to use a 3rd strong and unique password for the online-storage service. (Although this shouldn't matter too much if the password and encryption implementation on the password manager are decent, as PasswordSafe's seems to be.)
Browser-based password managers such as LastPass (or just saving all your passwords into Chrome) are probably better than typical DIY password-management schemes (like repeating the same damn password everywhere, or low-entropy derivative schemes involving the site name) but of course you put yourself at the mercy of the operator of the site. Google purports to encrypt all your passwords in such a way that they are decrypted only on the client side with your account password (or a separate decryption password that you set) but it's hard to audit.
posted by Kadin2048 at 12:53 PM on October 14, 2014 [2 favorites]


What about sites that only allow 8 characters per password?

Why Canada’s banks have weaker passwords than Twitter or Google

Financial institutions are balancing between how much security costs and how much customer service costs. Note that, in Canada at least, the major banks all indemnify their customers against id theft---if someone steals $500 from your bank account, the bank generally covers it. This has happened to a couple of people I know. One had her small business tax return stolen out of her mailbox, her accounts charged to over $5,000 before they were stopped. The bank absorbed it. She wasn't out of pocket a penny.
posted by bonehead at 1:08 PM on October 14, 2014 [1 favorite]


introp: And the moment one of your passwords is compromised because some website operator didn't properly encrypt their password store, someone can trivially guess most of your other passwords!
That presumes one highly unlikely event: that the hacker bothers to read your password, out of the millions he, she, they, or it harvested, and relate it to the website.

No longer remotely low-hanging fruit. The safety is in obscurity, there - and it's pretty good, actually.
posted by IAmBroom at 1:08 PM on October 14, 2014 [1 favorite]


weston: Ugh. Just don't use those sites unless there's no choice. Sites that have a limit as small as 8 -- or restrain which characters can be in a password -- are part of the problem, and should possibly be advertised on a list of shame somewhere.
You mean LIKE ACTUAL BANKS AND OTHER FINANCIAL INSTITUTIONS I HAVE TO DEAL WITH???

GOD MY BLOOD BOILS! IRDGAFF if you have two-level security, if one of those is a limited-length (small) password. Some operator somewhere is going to accept your password over the phone, and turn off the second level of "security". I'm sure of it. After all, if they were the kind of place that would never, ever, ever do that, they'd allow 255+ ASCII characteres in their passwords.

JESUS FUCK. (Goes off to breathe in a bag and meditate on my happy place.)

Also: passwords that rely on special symbols create their own special hell. A LARGE number of sites won't accept those symbols, so you now have to remember permutations without those symbols...
posted by IAmBroom at 1:14 PM on October 14, 2014 [1 favorite]


Kadin2048: Also, using a popular song lyric or movie quote as a password is doubly bad,

Not that it matters, but I never suggested that. I suggested a random string of letters and numbers substituting for the first letter of each word in the lyric or movie quote, not the actual lyric or movie quote.

I don't think "any reasonably-intelligent attack is going to hit" 712cMEFIdm4hoa! as easily as they would hit a movie quote or song lyric, but that is, in fact, an easily-remembered song lyric (with MEFI inserted) in my algorithm.
posted by tzikeh at 1:42 PM on October 14, 2014


that the hacker bothers to read your password, out of the millions he, she, they, or it harvested, and relate it to the website.

If you're dumb enough to use the site's name as part of your password it's trivial for a script to run through those passwords, see that, and try other stuff in the same place.

E.g. if you use "thisismyMETAFILTERpassword" on metafilter.com, and the database was compromised (and wasn't properly hashed, which I presume is not the case in real life), it doesn't take a genius to run a script against the dump before they try the passwords against Gmail or Dropbox, changing every occurrence of "Metafilter" "metafilter" or "METAFILTER" to "Gmail" "gmail" or "GMAIL". (Or whatever they happen to be trying to break into.)

Keep in mind that the person who steals the database isn't necessarily the same person who is going to try to use the passwords. And there are a lot of people, with a shitload of free time and computer cycles, who will be happy to download a big password dump and try it out against various sites just to see if there happens to be a 'hit'.

There is no hash-like algorithm that you can easily do in your head that can't be trivially done by a computer. So cute stuff like just incrementing the name of the site using a ROT1/Caesar shift isn't going to help much either (s/nfubgjmufs/hnbjm/g).

You could easily automate a search through a password dump looking for basically all the cutesy ways of "hashing" a password using some variant of the site name, and if we're talking about it it's likely someone on the blackhat side has already implemented it.
posted by Kadin2048 at 1:46 PM on October 14, 2014 [2 favorites]


Previously1 Previously2 Previously3

Every time this subject comes up we seem to have the same conversation: 'your password sucks', 'your method for memorising/creating passwords sucks'
Just pick a password generator almost any one will be better than nothing, memorise one really strong master password and you are good to go.
posted by Lanark at 2:03 PM on October 14, 2014 [1 favorite]


Also my big worry with password managers is that there is a back door in the agent software

I'm totally not worried about this threat. If NSA wants my passwords, fine, there's 100 other ways they could compromise me too. The NSA threat makes me angry as an American citizen who believes in liberty and freedom but as a practical matter I just accept that Advanced Persistent Threats like the US or China could pwn me if they want.

I'm mostly worried about script kiddies doing drive-by attacks on low hanging fruit. I want to be sure my Paypal account doesn't get caught up with everyone else's. That's why this Dropbox attack is so clever and low tech. You don't have to break the fancy security systems to cause trouble. Just realizing that joe@example.com uses 123456 as his password on Gawker and so probably uses that as his password on Dropbox too is enough to make significant problems not just for Joe, but for all of Dropbox.
posted by Nelson at 2:11 PM on October 14, 2014 [1 favorite]


Isn't one line of defense against password crackers simply checking to make sure that no one account and no one computer is generating too many login attempts, especially unsuccessful ones? How are those defenses foiled?
posted by leopard at 4:31 PM on October 14, 2014


I've heard stories from people who say their bank's site won't accept non-alphanumeric characters in their 8 character passwords. That is time for a new bank, there.

This puzzles me. Surely it should be "Your bank uses passwords? That's time for a new bank, there."
posted by effbot at 5:34 PM on October 14, 2014 [1 favorite]


Isn't one line of defense against password crackers simply checking to make sure that no one account and no one computer is generating too many login attempts, especially unsuccessful ones? How are those defenses foiled?
Well designed websites will indeed do that, but attackers gain entry through many unorthodox methods. Imagine someone wanders into the data centre and walks out with a backup tape containing all the user/security data.
posted by Lanark at 2:04 AM on October 15, 2014


Pick your favorite song lyric, or movie quote, or whatever. Let's say it's "Frankly, my dear, I don't give a damn!"

As very well documented in earlier posts on the topic, the state of the art in password cracking involves data-mining the Bible, wikipedia, gutenberg, and quote and lyric databases for both phrases and acronyms. Hashcat already tests common patterns of capitalization, site-name insertion, and character substitution. The method described here is exactly the kind of passwords that crackers and software developers are working to defeat (with various degrees of success.)

Here's a link describing the method from a year ago.

Really if you must use something familiar to you, pick random words from random different songs, quotes, or titles. (One I came up with the other day was "india effect stone goblin")
posted by CBrachyrhynchos at 9:33 AM on October 15, 2014


Isn't one line of defense against password crackers simply checking to make sure that no one account and no one computer is generating too many login attempts, especially unsuccessful ones? How are those defenses foiled?

The anatomy of this current attack (assuming we trust Dropbox) appears to be as follows:

1. Attackers get all the usernames, emails, and passwords for an entire service, either through a security vulnerability that gives them administrative access or white-collar crime. In many cases this is encrypted, but in some cases, it's not. When Adobe got hacked, the attackers got password hints as well.

2. Attackers run offline dictonary attacks rolling through lists of previously broken passwords, literary sources, pop culture, news, etc., etc.. The software can be configured to try most common methods of number and character substitution. It can also run on graphics cards (depending on the encryption algorithm used by the broken site) or a parallel farm. This allows for attackers to run thousands or millions of attacks against a password in a second. Because people tend to use quotes, acronyms, or common phrases as passwords, this method can usually get more than %50 of the passwords in the database.

3. The username/email/password combinations recovered are tested against additional sites such as Dropbox or Google. If the person used the same username/password combination twice, it's a win.
posted by CBrachyrhynchos at 9:49 AM on October 15, 2014 [2 favorites]


« Older Homosexuals have gifts and qualities to offer to...   |   Da da da Dead Newer »


This thread has been archived and is closed to new comments