Why the password paranoia?
May 7, 2006 8:59 PM   Subscribe

it all depends on your perspective. from the point of view of an individual of moderate net worth, the likelihood of someone targeting you and having a concerted go at cracking your passwords is relatively small.

however, that same individual may work at a Fortune 500 company. Guessing/cracking their password grants potential access to the company's systems. Via privilege escalation it may be possible for a bad guy to obtain admin access to at least part of the IT system. At which point bad things happen, INCLUDING the theft of idenitity info of many other people.

so you are totally right that the greatest risk for Joe Blow is not that someone guesses his password but that a his identity is stolen or sold by some third party with access to client and credit card details for one of the companies he patronizes.

however the same Joe Blow may represent a possible vector of attack via his work passwords.
posted by unSane at 9:23 PM on May 7, 2006

This question would be a really good one from any CS people working in crytpo or security.

One threat model you may not be considering is someone hacking your personal machine. Someone with a bit of time and intelligence can dump your machine history and/or scan whatever email they can get their hands on to find out what sites you visit (or, perhaps, check a known database of sites from which it is possible to buy things). If all your passwords are weak, possibly kablooey?

Using the same password somewhere and you could fall victim to one DB break in triggering a cascade - I think slashdot didn't encrypt passwords until up to a year or two ago (when they got hacked) because "no one would have their /. password be the same as an /important/ password"... mhmmm.

I can't tell you whether or not the tradeoff is worth it. As a graduate student in computer science who has taken a graduate class on crytpography and has done research on worms and spam, I can tell you that your thought process is a reasonable one (and I'm sure future posters will catch what you may have missed).

The bottom line, from my POV, is that the validity of your question suggests that there is a lot more work to be done in security. I believe people are, at this very moment, hard at work on usable security schemes.
posted by jhscott at 9:27 PM on May 7, 2006

One serious problem with consumer network safety is that of "master passwords" — using one password for a Windows account (granting access to stored passwords in Internet Explorer), one master password for Firefox, or the Keychain component of OS X, can unlock a series of accounts.

If you're not vigilant about passwords not being stored on shared computers, or if your passwords unlock any part of your home computer, this can easily open up access to your bank account.

Other security methods involve information exchanged via a two-part authentication scheme: something you know and something you own.

With respect to online purchasing, one current scheme is that of a three-digit number on the back of your credit card — the theory being that you will have to have the card in hand when making the purchase.

Some online banks now use a RSA hardware device that converts the current time to a non-reproducable key which you must enter into the login, along with your usual credentials.

This device is used by administrators at some universities to protect their Kerberos (single-sign-on) systems from remote attack, since Kerberos' main weakness is one where your credentials tell everyone else who you are. If your credentials are co-opted, and you have a privileged account, the evil third-party running under your account becomes you.
posted by Mr. Six at 9:48 PM on May 7, 2006

Even in a scenario where you don't care if you have private, confidential access to a service, most companies will want/need to provide that option to at least some proportion of users. Having a standarized system that gives some people more security that they personally feel they need is better than having to manage a bunch of different-level security options that could potentially leave someone with less than they need,
posted by chudmonkey at 9:50 PM on May 7, 2006

I think the driving force behind the "always use strong passwords" rule is the KISS (Keep It Simple, Stupid) principle. Most users aren't capable of making the judgement about which logins are important & need strong passwords & which ones aren't & don't, so it's simpler to just (try to) train them to use strong ones everywhere. Password security in general seemes to be a trailing area within the field, full of outdated & just plain wrong ideas that we just can't seem to get rid of. As someone who does penetration tests professionally, guessing passwords is something I usually don't have to resort to so it doesn't much matter if they're strong or weak. It's often just easier to bypass the whole login process & take control of the system directly, then just set the password for a user from the inside so I can login normally.
posted by scalefree at 10:09 PM on May 7, 2006

If I use the same password for all of my internet sites, is there a real risk that someone, learning of my password, will randomly go to tons of sites to see if I have an account there? They'll guess at my username and use my password to see if they can get in? Seems very time-consuming with a low likelihood of benefit.

This would be true if there weren't efficient automated tools to handle all of this.

No one cares about your password or your amazon account. Not a single person. However, there are a lot of people who care about any passwords they can crack, and they'll launch an offline dictionary attack against every account present on a 50,000 user machine while they're out of town for the weekend.

Then, when they come back, they'll run the cracked usernames/passwords on the big sites. Amazon, eBay, banks, stocks, etc.

I wonder if the trade-off of constantly having to look up my good passwords in these computer security programs is worth the trade off.

There are a lot of very smart computer scientists who wonder the same question, including a lot of brilliant people at Microsoft Labs. The problem is that 99.9% of computer authentication is single-factor, and single-factor authentication is the worst idea in the world.

Imagine if your bank, tomorrow, said that you no longer needed anything other than your PIN number (or anything other than your card) to withdraw money. How would you feel about this?

This is the same system in use everywhere online. It's not secure by any reasonable definition of the term 'security'.

Personally, I would rather use a system with strong crypto I trust to store a list of passwords. This way, you most likely have a maximum of two points of failure. Poor implementation of crypto, and weak passwords.

Comparatively, if I use the same password on 50 different websites, then the number of points of failure are increased by several orders of magnitude. Weak passwords, poor crypto, lazy admins, malicious admins, admins with keyloggers installed on their PCs, servers with keyloggers installed on their PCs, etc., etc...
posted by Jairus at 10:57 PM on May 7, 2006

Regarding strong passwords for internet sites & forums...

It's true that there probably isn't any financial damage a person could do if they hacked your MeFi account (or whatever), but look at it from the admin's point of view. Every once in a while, there's some flamewar on a forum or something, and some user's account gets hacked, and all kinds of hijinx ensue. For the admin, he can try to head this off to some degree by requiring stronger passwords. It won't eliminate the problem completely, but it will reduce its occurrence.

Of course, you can argue that this is offset by the number of people who forget their complex passwords... but I think the burden of dealing with forum spam and so forth outweighs that...
posted by Brian James at 11:01 PM on May 7, 2006

If I use the same password for all of my internet sites, is there a real risk that someone, learning of my password, will randomly go to tons of sites to see if I have an account there? They'll guess at my username and use my password to see if they can get in? Seems very time-consuming with a low likelihood of benefit.

Not really, that said it did happen to one chap on ask me a couple of months ago, or rather what they did is get access to his email and then used the 'email me my password' feature on like a million website in order to get that guy's email.

So really the security on all of these sites is only as secure as your email.

Anyway, for most people it's really not something you need to be worried about.
posted by delmoi at 11:52 PM on May 7, 2006

Imagine if your bank, tomorrow, said that you no longer needed anything other than your PIN number (or anything other than your card) to withdraw money. How would you feel about this?

I used to be able to withdraw money from my savings account simply by giving the tellers my social security number, and nothing else.
posted by delmoi at 11:53 PM on May 7, 2006

Why do I need good passwords for anything but my online banking?

That depends on a lot of things. You certainly may not need an incredibly strong password for your mefi/slashdot/whatever account online, but there are a few reasons why you should still be somewhat cautious about the security of those accounts. As pointed out previously, the most serious is probably some form of privilege escalation. If someone can log into your account, can they access something (e.g. access private information) or change something (e.g. trick you into installing a keylogger) to provide them further access?
The most direct and unfortunately common occurrance of this is when people use the same passwords on 'unimportant' and 'important' stuff. However, that's not to say that attacker's can't cause you embarassment with access to your account, perhaps with some creative 'i am teh gay' posting under your name.

Maybe I'm totally naive, but is some bad guy going to sit there and spend hours to guess even a bad password to login to my Amazon account and buy stuff and get that stuff sent to him?

I'd say that most people who undertake password cracking excercises do it to many targets in an automated way. So it seems relatively unlikely that you personally are going to have your account targeted by a human password guesser (unless your day job is more important than you mention ;o) though it can certainly happen.

How would this criminal know what username to try to crack? Would he pick it at random?

What if amazon had a security issue and leaked a list of account-names onto the internet? What if there was some way to guess/mine account names from the web, perhaps from proxy logs?
Usernames are not universally considered privileged information, don't assume that yours will remain a secret.

Isn't the real danger that someone will crack into the Amazon database and steal thousands of credit card and social security numbers and names and abuse that information? If so, isn't the strength of my password irrelevant?

Someone may crack Amazon, but this is beyond your control. However, if this occurred and a cracker ran up a huge bill of books on your account, you would expect Amazon to refund your money. A more dangerous outcome, in my opinion, is that you could be left financially liable for online goods. You can mitigate this risk by having a strong password, decreasing the risk that you are wholly/partially to blame if your account gets cracked. In addition, you probably shouldn't presume to analyse the motives of crackers. It may indeed be a better payoff for a cracker to attack amazon specifically rather than your account, but they may not do this. Failing all else, they might just be stupid.

You've thrown up a lot of different ideas, so i'll try and summarise. You should probably assume that crackers can do some harm if they crack your accounts. Try to minimise that harm by being sensible. You should probably assume that all of your accounts are a potential target, because there's no real way to tell which ones aren't. That doesn't mean you should put an enormous amount of energy into protecting them though. Put in an amount of effort that you think is sensible. Keeping all of your passwords in a keychain sounds like it may be overkill. Personally, i write my 'unimportant' ones in text files in a reasonably safe location. Don't assume that crackers will behave in a predictable fashion.
posted by nml at 11:56 PM on May 7, 2006

Since you mentioned Bruce Schneier, I feel compelled to mention that his company, Counterpane, wrote a program called Password Safe. It probably works in a similar principle to that of the other programs you mentioned, and it's quite simple to use. You enter one password to open your safe, then simply double-click on whatever account you are trying to access, which copies the password into the clipboard for pasting into that account's password field. The passwords it creates for you when you add an account are acceptably strong, or you can choose your own password.

You don't actually need strong passwords for most websites (excepting banks, etc). What you should have is *different* passwords for each website, so that if one account somewhere is compromised, your others aren't also compromised. Do you want someone taking over your entire online identity?
posted by cactus at 11:56 PM on May 7, 2006

why do I need a different good password for anything but online banking and email? I need different one for every online forum, magazine, and everywhere I've ever bought anything?

For me it is easier to just make a new password for each web site than to carefully consider the risks of a particular password being compromised, and perhaps get that wrong.
posted by grouse at 1:36 AM on May 8, 2006

I'm not an expert, but my understanding is that a big reason for having a "good" password is to protect against a "dictionary attack."

Bad guy gets into Amazon.com's database and retrieves the file that contains the passwords... /etc/passwd for example.

The passwords are not in plaintext -- they can't be read and deciphered. But they are stored in a "hashed" form; when logging in, the system takes your password, hashes it, and compares against the hashed passwords stored in the file. In theory, because the hash function is supposed to be secure, the bad guy can't get the original password by looking at the hashed values.

But the bad guy has some time on his hands. His computer can do the same hashing that Amazon's computer does, so he simply hashes every word in the dictionary and looks in the file to see if he gets a match. If a user chooses the word "friday" as a password, for example, when the bad guy hashes the word "friday", it'll match the hash value of the user's password in the password file. Thus, the bad guy knows that the user's password is "friday."

By choosing a good password, you all but eliminate the possibility that your password is in a "dictionary" that gets passed through the hash function.

This doesn't answer your broader questions about the tradeoffs, though, which are good ones.
posted by cgs06 at 5:17 AM on May 8, 2006

I wonder if the trade-off of constantly having to look up my good passwords in these computer security programs (which involves accessing the password program, typing in my complex good password, retrieving the site-specific password, and then copying it into each website) is worth the trade off.

You make the process sound too complicated. I use Roboform, which makes things pretty convenient. I put in my master password when the machine boots (or after a certain period of inactivity), Roboform recognizes the login form on a web page and presents me with a button on a toolbar which I click to fill in the username and password, and I'm in. If you are using software that doesn't make the process this simple or simpler, you need to change systems.
posted by lhauser at 6:13 AM on May 8, 2006

So you're using Roboform, or Password Safe, and have happily given up trying to memorize all your passwords, and then one day you are in a cybercafe, or using a friend's computer, and want to check your mail, or your bank balance. Oh well...

PasswordMaker was inspired by (and is better than) my Javascript password generator, which lets you remember just one master password and hashes it with the hostname to generate and enter a unique password at each site. You can always recover the password, from anywhere. It almost completely solves the password problem.
posted by nicwolff at 7:41 AM on May 8, 2006

For websites like nytimes.com, where I really don't get care if it gets hacked, I use the same weak, generic userid/password.

Hackers want into home pcs and email accounts for use as spam-sending zombies, denial-of-service attacks, or vandalism. For my home computer, email accounts or any account where misuse could be a significant hassle, I use a stronger password, based on one of several magic words, like plus a number that gets changed, like Rover06Max. So there's a list in my address book that says: PC 19, Gmail 82, etc. so if I forget my gmail password, I can be reminded that it's Rover82Max.

Work email has the capacity to cause big trouble, and paypal and bank accounts involve money, so they get stronger, unique passwords from a favorite poem.
whose519WOODS!!
THESE041are{{
I658think%%%
I201know$$$
and again, the note in my address book contains a cryptic reminder only.

Longer passwords are easier to type than really random passwords. If your work-at-home computer has broadband access, make sure it's as protected as possible, if only because mischief could cost you a lot of billable hours. Turn off file&print sharing, use a router/firewall, use the software firewall in Windows, don't let your web browser remember more secure passwords, etc. or other precautions appropriate to your OS.
posted by theora55 at 9:09 AM on May 8, 2006

What constitutes a good password?
posted by partner at 9:30 AM on May 8, 2006

I once got burned by an unscrupulous sytem adminstrator. Because I used the same password on two sites, the bad guy running site A was able to get my password trivially easily and vandalize site B.

This was in the BBS days so there were no credit cards involved, thankfully!
posted by jewzilla at 9:56 AM on May 8, 2006

« Older Do countries other than Canada...   |   I'm trying to track down a flo... Newer »

This thread is closed to new comments.