Another Site Breached - Time to Change your Passwords! (If you can that is) - SANS Internet Storm Center

So after yesterday's news that eBay had been compromised, and that the compromise was in play for a good 2-3 months (short in comparison to many), I decided it was time to change my passwords.  Yes - ALL of them.

Don't get me wrong, I do change my passwords - really.  Not as frequently as I should, but it happens.  I decided to use my little "make me a random string" character generator script, and set them all to 32 char gobbledygook.  Except for the ones with 10, 16 or 20 character maximums, that is (really? why was that limit a good idea?)

So I dug through all my applets, "saved password" tabs and saved notepads to find them all, and change them all.  It's amazing how many logins you can accumulate over the years.  It's also amazing how many of these logins have my credit card info (eeps).  eBay, Paypal, Apple, travel sites - it really starts to add up.

What did I find when I got going on this?

  • For starters, since the last time I reset, almost EVERY site has let their marketing and "design" folks at their site layout.  The password change is almost universally hidden 4-10 or more clicks and menus deep in the interface.
  • Many sites now disable the "paste" function.  So if you have a complex password, you can't cut and paste it - you have to type it from the keyboard.  This also breaks many "password keeper" applications.  So what does this encourage?  Simple passwords, that's what.  Just because you can enable a neat feature doesn't mean that it's helpful.
  • Don't even get me started on Facebook.  I'm not even sure how I got to the menu (it took a while), but when I did, password change was under "General" instead of "Security".  Like so many other sites, "security" to Facebook is about Authorization (who can see me) rather than Authentication (credentials).  And the 3rd "A" in "AAA" - Accounting - is not available to the end user, only to the system administrators.  So if someone has attacked and/or compromised your account, the only folks who see that are the ones who review the logs.  Oh - and I guess that's a problem too.
  • Facebook does have a nice "log me out of other devices" option during the password change though.  So if it's an attacker who's compromised your account, they can punt you offline as they change your password.  They phrased it the other way though - I guess it's a race to see who gets to the password change page first.
  • I'm still working on my Apple password.  Apparently they've decided that my favourite book as a child doesn't meet their literary standards, so they've changed it.  More likely, what I typed in is still there and is case sensitive - and knowing me, it's either all lower case, or the one Cap in the phrase is accidental.  Long story short, I can't answer the challenge phrases.  And the "send me an email" trapdoor didn't work - no email yet.

What does this all add up to?  Web designers really have made it increasingly difficult for us to protect our credentials.  Almost every site has emphasised the "friends and sharing" functions, and this has crowded the "protect your credentials" stuff into the background.  Challenge phrases are great, I suppose, but making challenge phrases case sensitive is a really bad idea.  Not a single site in my list had a periodic password change requirement.

The other big conclusion?  It'd be nice if more sites implemented two factor authentication - that way a password breach wouldn't be such an emergency or such big news.

Long story short, when sites say "we've been breached, please change your password", I think that's in the nature of a dare or a challenge - it's not as easy as it sounds.

===============
Rob VandenBrink
Metafore
ISC Handler
> "Not a single site in my list had a periodic password change requirement."

And that is a very good thing since such a requirement only serves to encourage simple passwords.
Anonymous
Take a look at LastPass. Add in Google Authenticator for a second factor and you have a really secure way of storing passwords. LastPass also has a strong random password generator.

For sites that deal with financial information, I do not store my secret question/answer in LastPass. I also do not register any device, which forces me to answer questions each time I log in. I keep my questions/answers in an encrypted file on my Ubuntu laptop. I also do not answer these questions with "proper" responses. For example: Question: "What is your mother's maiden name?" Answer: "1965 Mustang". That way, even if you get to know me or OSINT me, you won't get my answers.

I use my own domain as my email for financial records, so no need to store that password. I know it by heart.

Just my two cents.
Tri0x

17 Posts
100% agree

web designers never seem to be security-conscious users
- maximum strength ... why? if you do things cleanly, you store a salted hash and the rest doesn't matter. same for no-space/no-special-characters restrictions
- copy/paste forbidden. Sometimes you can get past it by disabling javascript, sometimes not
- yeah, changing the password is hard to find. just did it for ebay and it's clearly not a 1-click step
- as for security questions, I usually put password-like answers which are also stored in my password safebox (keepassx) but once, I found it was not recognized: not sure if there was some string encoding which changed or whatever (special characters stripped or not recognized?) but I had a hard time resetting my password through customer service because of that. => that's the time when you think a regular check of the reset process would be appropriate, like too many things which are in best-effort mode.

I also enabled more and more 2FA but strangely, it seems to stay uncommon in North America, at least in the consumer space.
In Canada, there is no 2FA used for bank transfers or online payments, compared to Europe (at least France) where it's used almost all the time.
See http://twofactorauth.org/ but it is still a bit too US-centric and doesn't say what is enforced / default / the most used option. I would suppose it's clearly not the most used for now.
And if a NAS manufacturer like synology can use Google Authenticator, why the hell couldn't banks, retailers and others...
Julien

10 Posts
I really like using my Yubikey, far more secure than Google authenticator app on a phone that could be easily compromised.

lastpass.com and passpack.com support two factor authentication using Yubikeys and it's really easy to support them in your own network too.

I'm not affiliated with Yubico, just a happy user of their product.
Eric B

2 Posts
> "The other big conclusion? It'd be nice if more sites implemented two factor authentication - that way a password breach wouldn't be such an emergency or such big news."

I'm not sure that this ends up being a good idea, since many people reuse passwords for multiple sites.

If a 2FA site gets their password database stolen, the site owners may decide to postpone or even refrain from asking users to change their password. After all, the "other factor" mitigates the risks while admitting a breach is (commercially) embarrassing and may involve a lot of help desk work.
Erik van Straten

122 Posts
Most of the good password managing apps (e.g. LastPass) have an option to ignore the autocomplete/autofill = off attribute, thank goodness. I've noticed that the sites that try to use this the most tend to be the ones that have the most complex password requirements and require passwords to be changed frequently (e.g. authorize.net). Ridiculousness.
Joey

18 Posts
I find that the password field mouse paste function is disabled on Bank of America and MS VSLC. My tentative conclusion is that it is a Silverlight thing, although I have not sufficient motivation to find out for certain. The (sort of) good news is that while cursor/graphical paste is disabled on those sites, <Ctrl><V> works fine... Seriously. As for password storage and generation, I use PasswordSafe on a Defender F200 fingerprint secured USB drive. The cloud is the last place to which I will consign my passwords.
Joey
10 Posts
100% agree. Passwords have been my #1 pet-peeve/complaint with the Internet since I started using AOL dial-up in the 90's. Fast forward 20 years and we are still in the same boat: it's very difficult to manage passwords. Yes, I've tried solutions like LastPass but ended up ditching them since they only integrate nicely with web browsers and not local applications like iTunes, Spreadsheet passwords, etc. So since these various password management services don't have the universal integration with local applications, I just use KeePass since it's effective and free.

To add to the issue, different sites have different password requirements. Some sites require this-and-that while others still don't allow special characters (like Fidelity) since they claim that allowing special characters in passwords makes them more vulnerable to SQL injection. So then you are stuck with not only trying to have different passwords for every site, but dealing with different password requirements as well. It's absolutely ridiculous.

I don't usually like regulation. But I think we are at a point where the government needs to step in and enforce a universal password compliance standard... so we can at least move beyond the different password requirements with every site. Because right now when it comes to passwords, it's truly the wild west out there... anything and everything goes.
da1212

69 Posts
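Two comments above make the same point from opposite sides: Julien's, that a site which stores a salted hash has no reason to cap password length or ban special characters, and da1212's, that Fidelity bans special characters because they supposedly make SQL injection more likely. The following added example, written for this page and not taken from any site or library mentioned in the thread, shows why both restrictions are unnecessary: the password is run through PBKDF2-HMAC-SHA256 with a per-user random salt, so whatever its length or alphabet the stored value is a fixed-size hash; and the only values that reach the database (username and hash record) are bound as query parameters, so they can never alter the SQL statement. The in-memory SQLite table, the iteration count and the sample passwords are constructed for the example.

```python
"""Password storage that makes length and character-set restrictions pointless."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # on the order of the OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    Any length and any Unicode character is accepted: the password is UTF-8 encoded and
    fed to the KDF, and the output is always 32 bytes whatever went in. A fresh 16-byte
    salt is drawn per call unless one is supplied (only for tests).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class UserStore:
    """Constructed in-memory user table. Every statement is parameterized ('?' placeholders),
    so neither the username nor anything derived from the password can change the query.
    The password text itself never reaches SQL at all; only its hash record is stored."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, password_record TEXT NOT NULL)")

    def register(self, username: str, password: str) -> None:
        self.db.execute("INSERT INTO users (username, password_record) VALUES (?, ?)",
                        (username, hash_password(password)))

    def login(self, username: str, password: str) -> bool:
        row = self.db.execute("SELECT password_record FROM users WHERE username = ?",
                              (username,)).fetchone()
        if row is None:
            # Burn one KDF computation anyway so response time does not reveal
            # whether the username exists.
            hash_password(password)
            return False
        return verify_password(password, row[0])

    def count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample: long, with spaces, quotes, SQL punctuation and non-ASCII characters.
    pw = "correct horse battery staple ' OR '1'='1; -- ñ 密码" * 3
    store.register("alice", pw)
    print("alice login:", store.login("alice", pw))
    print("stored record:", store.db.execute("SELECT password_record FROM users").fetchone()[0])
```

With this in place a site's only reason to reject a password is that it is too short or too common; a 128-character passphrase full of quotes costs the same 32 bytes of storage as an 8-character one, and the injection concern is handled where it belongs, in the query binding, not in the password policy.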
I went through this exercise after the Target breach. Like a good security professional, I thought I would also delete any accounts that have not been used in a while. You know, analogous to the "close unused ports and remove unused services" routine. It turns out that deleting an account can be very time consuming and/or difficult. Furthermore, if it looks like you have successfully removed an account and you wait a day and then try to log in to verify -- it may cause the account to get reactivated! Ugghh.
sallyvdv

2 Posts
Since you are not liable for any false credit card charges, why do you care how many sites have it? That's the bank's problem, not yours. Since we are mentioning peeves :) this is one of mine. Effort any person will spend on security is limited, and I hate to see it wasted on things with little to no impact. Password discipline is very important, yes. But since security effort is a limited resource, it should be limited to sites where the impact is highest. Articles like 'look at all these simple passwords from Gawker' leave me uninterested. Who cares if your Gawker password is compromised, there is no risk. Spending any effort to change or secure it is wasted.
jbmartin6

20 Posts
jbmartin6,

Very true. I guess the problem is that some people use the same password on multiple sites. Someone who is not security aware might have the same password for yahoo.com as they do for their bank. I think this 'password duplication' issue is the concern when a lifehacker.com, gawker.com, etc.com is compromised.

The funny thing is that for these "junk" sites that force you to register even though registration yields little to no value, I would bet that the majority of the user registrations/profiles are either bogus or alternate identities. So what's the point of having the users register? So this registration process that many sites require needs to be questioned as well... since these sites are collecting potentially private information for no real reason. For example, a site that requires registration to personalize the experience, attempts to collect your real name, email address, and other information. Why? Personalizing the site doesn't require any of this personal information. Maybe only your zip code, but again, that should not be a mandatory field. So, your options are: give up personal information for no real reason or register with false information. The safer bet is to register with false information... so if and when the site is compromised... you have nothing to worry about.

Sites are collecting personal information on mass-scale for no reason... and this needs to change as well.
da1212

69 Posts
Yes, that is my understanding as well. Although I haven't seen much real data on password reuse between significant impact levels. For instance, how many people re-use a gawker-level password on their bank account? I am sure some people do, but not everyone. I know quite a few "non technical" folks who understand the different risk quite well and use passwords accordingly. On a funny side note, I just got really annoyed that I had to log into ISC again to post this, even though I had already logged in earlier today. That sort of thing is why people don't like security and use simple passwords. What is the impact if my ISC logon is compromised? It has to be near zero. Yet my logon doesn't persist for even half a day.
jbmartin6

20 Posts
Completely agree with you. The overuse of authentication is a huge problem on the Internet today (and always has been). So many sites require registrations that really shouldn't have any type of registration at all. I think they do it so that they can boast about how many "users" they have for $ reasons.

Of course, ISC/SANS is exempt ;-)
da1212

69 Posts