Bad password advice

In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell - ‘Assessing password guidance and enforcement on leading websites’ - presents some fascinating original research into the password practices of various leading websites - and also paints a somewhat worrying picture.

In the article, Prof Furnell, of the University of Plymouth, follows up on earlier research looking at how well (or otherwise) websites guide their users when picking passwords. Do they provide decent advice on what constitutes a strong password? And just how clever are those password strength meters?

It’s not pretty.

It’s not just that many of these websites continue to allow the selection of very weak passwords: there’s also the problem of inconsistency. One of the things I took away from this article is that password meters - those little graphic devices that purportedly show you how strong or how weak your chosen password is - are pretty meaningless. Every site uses different criteria for rating the password strength, so a word deemed ‘weak’ on one site might be hailed as ‘strong’ on another.

Even within a single website, the strength criteria seem inconsistent and weird. Passwords we, as infosecurity specialists, know to be weak are deemed acceptable. For example, WordPress rates ‘qw12’ as ‘Good’. Oh really? And even when sites deem a password as feeble, some of them will still let you use it - Furnell discovered that Twitter, Windows Live and Yahoo fall into this camp.

There are widely accepted criteria for determining the strength of a password - a mix of upper- and lowercase, the inclusion of numbers and special characters, the avoidance of dictionary words and length (because size does matter). But it seems that some websites will allow users to go against their own best interests by selecting weak passwords. Why?
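To make those criteria concrete, here is a small checker, added as an illustration and not taken from Prof Furnell's paper or from any of the sites he surveyed. It applies exactly the rules the paragraph lists (case mix, digits, special characters, dictionary words, length) and, unlike the meters criticised above, returns the reasons behind its verdict so a user can learn from it. The length thresholds, the rating labels and the tiny `COMMON_WORDS` list are assumptions of the example; a real deployment would load a large breached-password list.

```python
import re
import string

# Constructed, deliberately tiny list of dictionary words and classic passwords
# (assumption of this example; use a real breached-password list in practice).
COMMON_WORDS = {
    "password", "qwerty", "123456", "letmein", "welcome", "monkey",
    "dragon", "football", "iloveyou", "admin",
}


def strength_report(password: str) -> dict:
    """Rate a password against the article's criteria and explain the rating.

    Returns {"rating": str, "reasons": [str, ...]} where each reason is a
    criterion the password fails. The thresholds (12 and 16 characters) and
    the four rating labels are assumptions chosen for this example.
    """
    reasons = []
    lowered = password.lower()

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)

    if not (has_lower and has_upper):
        reasons.append("use both upper- and lowercase letters")
    if not has_digit:
        reasons.append("include at least one digit")
    if not has_special:
        reasons.append("include at least one special character")
    if len(password) < 12:
        reasons.append("use at least 12 characters; longer is better")

    # Dictionary check on the alphabetic core, so that 'Password1!' is still
    # recognised as the dictionary word it is built on.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        reasons.append("avoid dictionary words and well-known passwords")

    if not reasons and len(password) >= 16:
        rating = "strong"
    elif len(reasons) <= 1 and len(password) >= 12:
        rating = "good"
    elif len(reasons) <= 2:
        rating = "weak"
    else:
        rating = "very weak"
    return {"rating": rating, "reasons": reasons}


if __name__ == "__main__":
    # 'qw12' is the password the article says WordPress rated 'Good'.
    for candidate in ("qw12", "Password1!", "Tr0ub4dor&3-Horse-Staple"):
        report = strength_report(candidate)
        print(f"{candidate!r}: {report['rating']}")
        for reason in report["reasons"]:
            print(f"    - {reason}")
```

Run as a script it rates ‘qw12’ as very weak with three stated reasons, and the important design point is that the reasons, not the colour bar, are what the registration form should show.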

One useful thing that hacktivist group LulzSec did for us is make available a number of databases containing real-world user login credentials. Trawling through these databases is enough to make an infosecurity specialist weep. Yes, ‘password’ really is still used as a password - a lot. The same goes for ‘qwerty’, ‘123456’ and all the other classics.

Organisations such as SANS have formulated password policies that provide useful guidance. In fact, you can find any number of policies online, developed by organisations for their own use and offered to others as a template. But is it time to collate password best practices into a formal standard that website operators might actually accept and implement - and perhaps even mandate its use on any website that holds personal data?

Of course, there is a danger inherent in standards - that they become outdated too quickly. Remember when we used to think that six-character passwords were acceptable? (According to Furnell’s research, some websites still think this.) Now that hackers can buy multiple GPUs in the cloud to run password crackers, even an eight-character password is too feeble. The other problem with standards is that, during their formulation, they are beaten to a pulp by committees and self-interested parties until they represent only a lowest common denominator.

But a standard accepted across the industry would at least be a starting point. And it should address not just what is an acceptable password (or, better, passphrase), but also what advice is given to users when choosing passwords. Again, Furnell’s research found that this is highly inconsistent and usually inadequate.

There have been too many breaches for us to regard website security as a trivial matter. For example, we’ve witnessed a long litany of hijacked accounts on Twitter, whose primary advice on password choice seems to be limited to ‘make it tricky’, whatever that’s supposed to mean. Those strength meters may help give you a feeling of confidence, but because they give no clue as to why a password is considered strong, they don’t actually help users understand the principles at work. Smarter registration procedures would explain why dictionary words are bad and why you should use a mix of character types. And sites should also encourage periodic password changes - not a single site I’m registered with does that.

Wikileaks’ security failure

Wikileaks has committed a cardinal security sin, and is busy trying to blame it on The Guardian.

It all revolves around the infamous ‘Cablegate’ memos - the US diplomatic cables that Wikileaks has been peddling for some time now.

Wikileaks has been working with media organisations in an attempt to release the material in a piecemeal fashion. The reason for this is to cherry-pick the most significant material in order to make the greatest impact. And, although Julian Assange was at first somewhat indifferent to the possibly dangerous effects that publication might have on whistleblowers, informants and others mentioned in the cables, the media organisations have been making an effort to redact the cables to protect the innocent.

As The Guardian explains, in the early days, before Wikileaks fell out with the paper (and the New York Times) for refusing to worship at the altar of St Julian, Assange made the full archive of unredacted cables available to the paper, via a downloadable zip file. The file was encrypted with PGP, and the paper was given the password. The file was to be available for a limited time only.

At the same time, Assange distributed an encrypted archive, without revealing the password, to a select group of people. This was part of an insurance policy: Assange threatened to make the whole archive freely available if he was, for example, extradited to the US.

There’s hypocrisy in that, of course. If it is important for freedom and transparency that the cables should be published, why was Assange withholding them for personal reasons? Does he really conflate his own interests with those of the world? On the other hand, if it’s important that unredacted cables are not published, because of the damage they could cause to innocent people, then again Assange was being selfish and hypocritical for using them for his own self-interest.

It’s all moot now, of course.

The cables are out. One way or another (and with some pointing the finger at ex-Wikileaker Daniel Domscheit-Berg) the archive file has become readily available via torrents.

And the password?

In their excellent account of the Cablegate saga, Wikileaks: inside Julian Assange’s war on secrecy, Guardian journalists David Leigh and Luke Harding mentioned the password given them by Assange. Why wouldn’t they? As far as they were concerned, it was a unique password for a temporary file. I mean, Assange wouldn’t be dumb enough to use the same password anywhere else, would he?

Alas, he would. Yep, uber-hacker Assange reused a password. The insurance file, since leaked, can be decrypted using the same password. And boy, has it been decrypted. Head over to cryptome.org - the original, still operating and far superior whistleblower website - to get your own copy.

The reaction from Wikileaks was one of outrage, mixed with its usual brand of self-importance and martyrdom. While all but taking credit for the Arab Spring, the site has been frothing at the mouth about The Guardian and other media organisations, often descending to playground-level abuse. But the truth is, the fault lies squarely with Assange and Wikileaks and their ineptitude when it comes to security.

After all, Wikileaks has been touting these cables as the biggest thing since the Pentagon Papers. Surely, these of all files should have been secured with different passwords for separate files.

Wikileaks is now flooding the net with released cables. Now that it no longer has a monopoly on the material, it is indulging in a desperate bid to be first to publish. The organisation seems unaware that this nullifies its argument against The Guardian. It also dilutes their effect.

The biggest worry, though, is that Wikileaks has shown significant shortcomings when it comes to due diligence: it has demonstrated that it is not to be trusted when it comes to the custodianship of important material.

Let’s not forget that Wikileaks did not leak this material. Bradley Manning is accused of that and is paying a high price. Wikileaks is merely a conduit. And an incompetent one.

Password problems

Some of the recent stunts by online mayhem seekers LulzSec have highlighted (again) something we all know: it’s bad to use a password for more than one website.

Recently, LulzSec hacked porn site pron.com, obtaining customer logins and admin credentials for a number of other porn sites - all with passwords apparently stored in plain text. Leaving aside the embarrassment that will be caused by some of the account email addresses having .gov and .mil at the end, there’s a high likelihood that at least some of these credentials will be valid on other sites. LulzSec encouraged its followers to try logging into Facebook with them and, if successful, bring down shame on the luckless users. A tad unsporting that. Facebook responded by resetting passwords for any and all affected accounts.

At least the people most at risk from this stunt are likely to know about it. LulzSec’s only motivation appears to be glory-seeking. The group has certainly not espoused any coherent political, ethical or commercial agenda. Normally, when hackers purloin login credentials this way, they don’t tell the world. They’re after your money.

So getting your passwords in order is a smart idea.

I use LastPass to manage my online passwords. It’s not without its own risks. The service had a scare recently when its security was mildly compromised. And there’s an inherent paradox in the concept. LastPass enables you to create long, complex passwords using all four character types - uppercase, lowercase, numbers and non-alphanumeric (punctuation and ‘special’ characters). It will randomly generate these for you. (Okay, pedants - pseudo-randomly generate.) These are the kinds of password that are impossible to remember. Fortunately, LastPass remembers them for you and will enter them (automatically, if you want) into login forms.

That’s a good thing. The problem is that there’s one password it won’t remember for you - the master password you need to gain access to LastPass itself. In other words, the one password that you’re going to be motivated to write down, or make weak enough to remember, is the one that gives access to all your other passwords.

Oh well.

LastPass does have another very useful feature. It will run a security check on all your stored passwords. It looks for instances where you’ve used the same password on multiple sites and also judges the strength of each. It’s a sobering experience. I’ve just about finished the drudgery of changing my passwords on dozens of sites, ensuring each one is unique.

There is another benefit to carrying out this check: it reminds you of sites you no longer use. And I think this is a security vulnerability that not enough people consider.

It may be just me, but I seem to have gone through a period where I would register at sites using one of a small pool of common passwords, all rather short and easy to crack, thinking ‘oh, I can’t think of anything stronger right now, I’ll fix that later’. And, of course, I never did.

Looking through my LastPass vault, I can see a surprisingly large number of sites where I’m registered but which I haven’t visited in a long while. The danger they pose is this: most of these sites are small or middle-ranking, the type that may not be the most secure. They’re the most likely kind of website to give up their password databases to hackers. Having now changed my passwords, any hackers would (hopefully) only have access to a password I don’t use anywhere else. But there’s always a risk that I’ve overlooked something. And, in any case, the hackers won’t know that, and will be encouraged, purely by my presence in the purloined database, to go pound on my other accounts.
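The two checks described in the last few paragraphs - spotting passwords reused across sites and spotting dormant registrations - are easy to reproduce over your own exported credentials. The script below is an added example, not LastPass code or any part of its security check; the vault contents, the site names and the one-year dormancy threshold are constructed for the illustration. It also answers the question the paragraph above raises from the defender's side: if one small site's database leaks, which other accounts share that password and must be rotated?

```python
from collections import defaultdict
from datetime import date

# Constructed sample vault: (site, username, password, last_used).
# These are made-up credentials for the example, not real accounts.
SAMPLE_VAULT = [
    ("bigbank.example", "alice", "Tr0ub4dor&3-Horse-Staple", date(2011, 9, 1)),
    ("forum.example",   "alice", "summer99",                 date(2008, 3, 14)),
    ("oldshop.example", "alice", "summer99",                 date(2007, 11, 2)),
    ("mail.example",    "alice", "summer99",                 date(2011, 8, 30)),
    ("petsite.example", "alice", "fluffy2",                  date(2009, 6, 20)),
]


def audit_vault(vault, today, dormant_days=365):
    """Find reused passwords and dormant registrations in a vault export.

    Returns {"reused": [[site, ...], ...], "dormant": [site, ...]}.
    A group of sites appears under "reused" when they share one password;
    a site is "dormant" when it was last used more than dormant_days ago.
    Passwords themselves are deliberately not included in the report.
    """
    by_password = defaultdict(list)
    dormant = []
    for site, _user, password, last_used in vault:
        by_password[password].append(site)
        if (today - last_used).days > dormant_days:
            dormant.append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    return {"reused": reused, "dormant": dormant}


def rotation_list(vault, breached_site):
    """Sites whose password must change if breached_site's database leaks.

    This is the exposure the article describes: a leaked password from a
    forgotten site lets an attacker try every other account that shares it.
    """
    leaked = {pw for site, _u, pw, _d in vault if site == breached_site}
    return sorted(site for site, _u, pw, _d in vault
                  if pw in leaked and site != breached_site)


if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, today=date(2011, 9, 15))
    print("reused password groups:", report["reused"])
    print("dormant registrations: ", report["dormant"])
    print("rotate if oldshop leaks:", rotation_list(SAMPLE_VAULT, "oldshop.example"))
```

In the sample vault the dormant ‘oldshop.example’ account shares its password with the live mail account, so a leak there puts the mailbox at risk; that is the case where closing the unused account, and rotating the shared password, both matter.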

It seems obvious to me that being registered at sites you don’t use is a small but real security risk.

So, as part of my current password hygiene practices, I’m revisiting these sites and closing down my accounts. I can only hope that they’ll actually delete my records (as they should), rather than simply marking them ‘inactive’.