What's terrifying is that they are referring to "their password" and not their passwords.
Password reuse is much worse than having a weak password. Hackers only brute force high value targets, everyone else should just aim to have unique passwords for every service they use.
However, the average person can only remember 5-10 unique passwords and they have many many accounts...password reuse. For the average person password managers aren't an option for normal people, so we have a big problem.
> For the average person password managers aren't an option
Why not?
Every major browser in its default configuration offers to remember your passwords, and some will even offer to sync them across all your devices.
The only thing that's missing is an offer to generate random passwords automatically, for which you currently need an add-on/extension. But even without that ability, the browser is already a pretty decent password manager.
On plenty of sites, Chrome/FF/IE/etc. will fail to recognize a user or password field. They'll often fail to recognize them at account creation. Sometimes you'll need multiple accounts on a single domain, which Chrome can't handle (for example). I could go on and on...
Browsers remember passwords as a mere convenience, when it happens to work. They are in no way "proper" password managers, which are encrypted with a master password, can be exported and backed up, handle multiple accounts, etc...
But since some of the best password managers are already open source, I wonder what's preventing browser vendors from integrating at least some of the functionality. A good password manager not only helps contain the damage of leaked passwords, but also does a very good job at protecting users from phishing attacks at similar-looking domains.
All the browsers have been pretty stagnant on this front for the last few years. I suspect they've been hoping that everyone will move to an SSO platform in which the browser vendors themselves have a vested interest (Mozilla Persona, Google account, Microsoft account).
This is one I've been recommending to "Aunt Tillie"-types, because it involves fairly little computer-savvy:
1. Memorize a single prefix that has at least an uppercase letter, a number, and a symbol, to be used with all passwords. (e.g. j8$F)
2. Use a physical journal or pad of paper to note down each site's password restrictions (e.g. "no symbols") and a personal hint to the rest of the password.
3. Your password is the prefix (minus any unsupported characters) plus the answer to the hint.
So the hint "No symbols, They All Float Down Here" might become j8fPennyWise. "Feet On The Road" might be j8$fFlintstones.
___
This minimizes what people have to memorize, is secure against casual attacks by people in the same physical area, is strong against attackers who might try to replace "password4hn" with "password4reddit", and doesn't require any sort of special software.
And when "Aunt Tillie" installs a keylogging trojan, it's Game Over. Not only that, but she had no idea how to make backups.
A paper pad, on the other hand, is extremely secure against cyberattack, and she has tons of experience with managing it and creating backups. And it's almost what she was gonna do anyway.
I think the point is that these schemes are still vulnerable to one of the most common types of malware. It speaks to the fact that by far the greatest threat to your password security is from cyber sources, and likely not from your physical desk, so we might as well take advantage of that to help people out.
> > A paper pad, on the other hand, is extremely secure against cyberattack
> Paper pads are extremely secure (sic).
Stop right there, asshole. You're doctoring quotes and changing their meaning. That's not the correct usage of (sic) either.
> I forgot that users no longer have to key in passwords
1. Not all passwords are commonly-entered.
2. Passwords collected together in a defined file format are a richer target than ad-hoc collection than forms-with-password-fields used in one of multiple possible browsers.
Most people aren't worried about being secure from the CIA, we're worried about being secure from random criminals at the airport or the cafe. If the CIA wants you, they can just kidnap you and lock you away anyway.
"in a system that really shouldn't be so complex" [citation needed]
Do you actually have a less complex way to reliably identify a person at the other end of a computer network?
(physical keys using NFC stuff are pretty exciting, but the tech isn't in place yet... until then we're stuck with "something you know" and the limits of human memory vs computer power)
This strikes me as a really good strategy. Thanks for sharing.
At first I thought you were going to advocate the "just pick a prefix and then append the name of the site after it", like Go123facebook and Go123gmail. Which is, of course, quite awful because one plaintext reversing of one password may very well defeat all of the other passwords.
I figure if people are going to write things down on sticky notes anyway, it might as well be part of the system.
Hmmm... also, there's a failure-mode with systems that notice the prefix and reject future passwords as "too similar to one you used before". Users would have to deviate from the strategy somehow.
> Create a simple random character string "tjxmvg123" that you can remember easily. Append the name of the website you are using to the end of this. I.E.: tjxmvg123hackernews.com
Am I missing something? I'm surprised to be the first to point out that this is very dangerous advice (to the extent bad passwords are dangerous).
All it does is add one, easily guessable bit of information -- for the first password the attacker seeks. And after someone has the first password, this method adds zero security; the attacker then has the passwords for every other website.
The problem with the 2nd approach is password restrictions (some of which, stupidly, reduce the key space rather than increase it - all uppercase required on some banks? yes it happens).
Another annoying but logical constraint is the one where sites query your pwd for references to the site itself and tell you not to include that - another strike against that appending approach.
The requirements vary, are conflicting and change over time. I tried your approach, but then gave up after repeatedly forgetting what restrictions applied for which site - altering my specific password and making it non-memorable. Enter 1Password.
I don't think that's a good approach. A good approach to me is one which works when a large number of people do it and attackers are aware of it. Appending the site name to a shared password in order to make it unique is security through obscurity, and won't help you at all if attackers know about the technique.
There is something to be said for the philosophy of, "I don't have to run faster than the bear, I just have to run faster than you." But in this particular case, at least, it's not hard to do better than that.
I think it's a decent approach, in spirit. Don't use the domain name as suggested; come up with your own algorithm based on the website or whatever else. Combining a fixed string with a variable component based on the website is easy to remember and different from site to site. It's not too hard to make all your passwords long and complex with this approach, too. For most purposes- Thumbs up!
I think it all comes down to how you do the combining.
For example, if you take a fixed secret string, append the site name, SHA256 the whole mess, and then derive a password from the hash, that's reasonably secure and only requires you to memorize one secret. The downside is that you need to perform SHA256 whenever you want the password for a particular site.
But if you take a fixed password and merely concatenate something derived from the site name to get the site-specific password, that's not secure. You're counting on the attacker not figuring out your "something derived from" and that's security by obscurity. (Unless your algorithm involves mixing in some hard-to-guess secret, but then you're back at my suggestion above with a bit of extra stuff tacked on.)
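The two schemes contrasted in the comment above, written out as an added example (this is not the commenter's code; the 70-symbol alphabet, the 16-character default length, the 0x00 separator and the lower-casing of the site name are assumptions made here). The hashed derivation turns one memorised secret plus a site name into a password that does not contain the secret; the plain concatenation carries the secret verbatim, which is why one leak compromises every other site.

```python
import hashlib
import math
import string

# Assumed output alphabet: 62 alphanumerics plus 8 symbols = 70 characters,
# about 6.13 bits per character, so 16 characters carry roughly 98 bits.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(secret, site, length=16, alphabet=ALPHABET):
    """Site password = encode(SHA256(secret || 0x00 || site)), as the comment describes.

    The 0x00 separator keeps (secret="ab", site="c") distinct from (secret="a",
    site="bc"). The site name is lower-cased (an assumption) so "Example.com"
    and "example.com" yield the same password.
    """
    if length * math.log2(len(alphabet)) > 256:
        raise ValueError("one SHA-256 digest cannot supply that many characters")
    material = secret.encode("utf-8") + b"\x00" + site.lower().encode("utf-8")
    n = int.from_bytes(hashlib.sha256(material).digest(), "big")
    chars = []
    for _ in range(length):
        # repeated base conversion of the digest into the alphabet
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    return "".join(chars)


def concat_site_password(secret, site):
    """The appending scheme the thread warns about: the secret sits in the clear."""
    return secret + site


def reveals_secret(password, secret):
    """True if the shared secret can be read straight out of the password."""
    return secret in password


if __name__ == "__main__":
    secret = "correct horse"  # constructed sample secret
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(secret, site),
              concat_site_password(secret, site))
```

Because the derivation is deterministic, nothing needs to be stored; the cost is that the secret must be typed into something that can run SHA-256 every time. If one derived password leaks, an attacker can still try candidate secrets offline against it, so swapping `hashlib.sha256` for `hashlib.pbkdf2_hmac` with a high iteration count is the usual hardening; the block keeps plain SHA-256 because that is what the comment proposes.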
This was just a response to the "'Aunt Tillie'-types" comment and replies. I'm not trying to preach to the HN reader. If the average user were setting a password for their google account, and their fixed string was U$erN4m3* and their variable component was the URL backwards moc.elgoog, to create the password U$erN4m3*moc.elgoog they are far, far beyond typical password security. You, Sir, with due respect, are correct, but are a few steps past practical or easy to remember.
This. Or a similar pattern thereof that's harder to guess even by the administrator of a malicious site with access to one such password. Like your random string followed by the first and third letter of the domain.
That would lead to shorter passwords. Normally domain names are pretty long, and just containing a common string like .com doesn't make inverting hashes any easier.
> "Cantor Fitzgerald did have extensive contingency plans in place, including a requirement that all employees tell their work passwords to four nearby colleagues."
This baffles my mind. Is this common practice in finance? What would stop a malicious actor from impersonating someone whose password they knew? Even if these passwords aren't tied to someone's identity in any way, they presumably exist to secure sensitive data and/or systems, but then they're shared with officemates like Dilbert comics?
Agreed. They might as well have everyone use the same password.
Aren't there regulations for security of financial information? It's hard to believe this passes muster. If it's a 'reasonable precautions' regulation, this fails badly.
Secret sharing systems are a good solution to this.
I wrote a basic command line only one[1] a few years ago, but command line UI doesn't really make for "usable by everyone". It would be nice if there were something like this that had a good UI.
For the purpose at hand, having some secrets accessible by multiple parties without sharing the same password comes in handy[1]. I'm surprised that this is not a feature of a lot of software that relies on encryption with keys based on passphrases.
[1]: example: https://code.google.com/p/cryptsetup/. I believe that the way it works is it encrypts the actual decryption key for data with keys derived from passphrases multiple times, so any one of those passphrases can decrypt the key, which then can access the data.
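The key-slot idea described in the footnote above, as an added example that is not cryptsetup's code and simplifies what LUKS does (LUKS wraps the master key with a block cipher and an anti-forensic splitter; here each slot wraps it by XOR with a fresh PBKDF2-derived one-time key and authenticates the slot with an HMAC). One random master key protects the data; every passphrase gets its own slot; any single passphrase unlocks the master key, and one person's slot can be revoked without re-encrypting anything or changing anyone else's passphrase. The iteration count and slot layout are assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumption: tune to the hardware the header is opened on


def _slot_keys(passphrase, salt):
    """Derive a 32-byte wrapping key and a 32-byte MAC key from one passphrase."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _slot_tag(mac_key, slot):
    return hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()


def add_slot(slots, master_key, passphrase):
    """Append a slot holding master_key wrapped under a key derived from passphrase."""
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes")
    salt = os.urandom(16)
    wrap_key, mac_key = _slot_keys(passphrase, salt)
    # wrap_key is derived under a fresh salt and used exactly once, so the XOR
    # acts as a one-time pad over the master key
    slot = {"salt": salt, "wrapped": _xor(master_key, wrap_key)}
    slot["tag"] = _slot_tag(mac_key, slot)
    slots.append(slot)
    return slots


def build_slots(master_key, passphrases):
    """Create a header: one slot per passphrase, all wrapping the same master key."""
    slots = []
    for pw in passphrases:
        add_slot(slots, master_key, pw)
    return slots


def unlock(slots, passphrase):
    """Try each slot; return the master key if the passphrase opens one, else None."""
    for slot in slots:
        wrap_key, mac_key = _slot_keys(passphrase, slot["salt"])
        if hmac.compare_digest(_slot_tag(mac_key, slot), slot["tag"]):
            return _xor(slot["wrapped"], wrap_key)
    return None


def revoke(slots, passphrase):
    """Drop the slot(s) this passphrase opens; returns how many were removed."""
    keep = []
    for slot in slots:
        _, mac_key = _slot_keys(passphrase, slot["salt"])
        if not hmac.compare_digest(_slot_tag(mac_key, slot), slot["tag"]):
            keep.append(slot)
    removed = len(slots) - len(keep)
    slots[:] = keep
    return removed


if __name__ == "__main__":
    master_key = os.urandom(32)  # constructed: the key that actually encrypts the data
    header = build_slots(master_key, ["alice-passphrase", "bob-passphrase"])
    print("bob unlocks:", unlock(header, "bob-passphrase") == master_key)
    revoke(header, "bob-passphrase")
    print("bob after revocation:", unlock(header, "bob-passphrase"))
```

Because the data is encrypted under the master key rather than under any passphrase, colleagues never need to know each other's passphrase, and the contingency case in the thread (a holder is unavailable) is covered by the surviving slots. A departed colleague's slot should be revoked promptly: until then their passphrase still yields the master key.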
Our company has an interesting contradiction in this regard. On one hand all accounts, files and digital communication belong to the company. Assume you could instantly lose access in a sudden layoff.
On the other hand the annual IT security video course tells you to encrypt like crazy and leave no digital assets in public.
Well I guess talking to people and telling them you're writing an article about "The Secret Life of Passwords" is more novel than giving them a call pretending to be from their bank or telco.
I dearly hope that those people who actually told passwords to the author were either no longer using them or immediately changed them to something better on reflection of just how terrible they were. My mother kept a door from her parents' first house (which they built after emigrating after WW2) for sentimental reasons, that doesn't mean she relied on the old antique lock to secure her current house.
If someone from my loved one's job called me 24 hours after they were killed in a horrific terrorist attack to talk about passwords I don't think I would be able to contain my vitriol.
If someone from my loved one's (and family's sole breadwinner's) job called me 24 hours after they were killed in a horrific terrorist attack to talk about passwords because the company was in a crisis I think I would be relieved that someone was working to make sure I could continue to feed my kids while I figured out what to do next.
And if you see how Cantor Fitzgerald treated its employees and their families in the wake of that crisis, you'd see that helping them was the right thing.
The banking industry may have metastasized from a service industry to a giant vampire squid, but that doesn't mean every company turned into slimy blood-sucking leeches.
(And maybe C-F were heartless leeches before the attack and reformed due to their literal near-death experience -- I really paid little attention to them until that day. But they are famous for how they responded and rebuilt the business).
I'm a little confused how them getting their passwords help feed your kids after the employee is gone. I think what they did afterwards was definitely great, but that doesn't change my opinion that if that happened to me some passwords would be the last thing I would want to talk about.
Money, finance, jobs, passwords, it all seems so pointless when I think of it against that loss.
CF had most of their people based in the WTC. The majority of them were sole earners in the family -- they had kids in school, spouses (typically wives) who didn't work, etc. By all rights the company should have evaporated that day. Instead they rebuilt it. OK great, it's just some company and it survived.
What made the story famous was the fact that the company went out of its way to support the families of its dead staff even when the company itself was in the middle of an existential crisis. And it has continued to be somewhat of a "good guy" (as much as you can say that about someone in that business). I am sure there's a lot of PR spin, of course, but I watched this happen in the news when they appeared to be struggling pretty hard and were not managing their PR at all. They tried cutting off the survivors but got hammered (and probably needed that password help!). Most companies just let their insurance deal with the dead employees' families.
(Hmm, by doing a quick search of "cantor fitzgerald 9/11" I see that they were indeed utter assholes before the event.)
Of course they've had a chance to burnish their image since then.
While that is quite generous of them, I feel I should point out that if they really felt that way about their employees' families, they could have accomplished the same goal without tying it to the continued survival of the company by buying good life insurance for all of their employees. They'd have to have made sure to get a policy without a terrorism exemption, but given that their offices were in a building that had already been attacked once that doesn't seem like a stretch.
It may have turned out well here, but you really don't want to tie together things like "the company survives" and "grieving widows continue to eat". And not just because it may involve things like calling up relatives of the deceased to ply them for passwords while the bodies are still warm.
They gave $180 million to the families of the deceased in the 5 years after the attacks. If they went out of business due to September 11, none of that money would have been there.
They also provided health care to the families for 10 years. Again, if they went out of business, none of that would have been there.
Losing someone who is earning a salary often drives families into a downward spiral. Having to sell your house and move because you suddenly are choosing between mortgage payments and food for your kids is not easy. The survival of the company prevented this from being a sudden financial adjustment for many of these families.
Imagine your entire IT department being wiped out instantly overnight, managers included. How long would it take you to restore access to your infrastructure?
Like their offsite location in the other tower that was also destroyed? I don't mean to say you are wrong, but many times contingency plans rarely consider such devastating circumstances. Once heard a rumor that a large defense contractor had a backup plan that included flying disk drives from one coast to the other to safeguard against nuclear strikes on either coast or both by having a day old backup in the air. Do you have a plan for nuclear strikes on both coasts?
I've considered it, but it really comes down to what the business needs. Does the business need to continue to operate in the face of a nuclear winter? The government sure, but most day-to-day operations of a retail chain would be out the window at that point.
Taking this to another extreme, does a DR plan need to account for the earth no longer being viable? Do you need system/data backups in space?
I'd imagine so, yeah. It's hardly a new trend though. There also was a massive decline when George W Bush decided to head to Iraq. And before that, there was enough mistrust -- indeed hatred -- in US policy to prompt nutjobs to conduct 9/11.
Side comment about the web design- very cool and clear way of integrating audiovisual stories into the article. Lots of people try to find novel ways to share interviews/first-person accounts that they've recorded, with mixed results. This piece strikes me as best in class.