Monday, April 21, 2014

Password security hall of shame

With the recent Heartbleed vulnerability (wait, why am I even making that a link), I figured it was time to upgrade my password security. Like all proper nerds, I have dozens of accounts all over the web. And like most humans, I am unable to remember distinct passwords for all of them. I'll admit, I have sinned, and reused passwords all over the place. Today, I repent.

So far, my strategy has been to have three tiers of passwords:
  • a very strong one for my email and banking
  • a moderately strong one for accounts that I somewhat care about
  • a laughably weak one for throwaway accounts
The reason that these aren't all strong passwords is that I started using increasingly strong passwords over the years, but never bothered to update lesser-used accounts.

After some research and asking around, my new strategy will be random unique passwords, stored in the password manager LastPass. There are several other password managers, but LastPass is the only one that ticks all but one of the boxes that I care about:
  • Easy to use.
  • Passwords are encrypted locally and never leave your computer.
  • It's available as a browser plugin.
  • It's available on Linux, OS X and Windows.
  • It's available on mobile devices.
The one box it doesn't tick is being open source, which makes me a bit sad. Open source alternatives would be KeePass or Password Safe (the latter by security expert Bruce Schneier) but neither seems to have great usability.

So I spent a few hours today changing passwords on over 40 websites, and got a nice overview of how different sites approach password security. Here is my bottom-3 of the worst ones.

#3: Steam

You can log in to your account on the web, view purchases, chat with friends, and do many more of the things that nobody ever uses Steam for... but you cannot change your password on the web. You have to use the client for that. (Also, why haven't they bought yet?)

#2: HSBC

HSBC, the large multinational bank, have a very... interesting approach to login. Some banks use a username/password combination for their online banking. Most will then require two-factor authentication to actually do transactions. Some banks use username/OTP for logging in, where you sometimes need your bank card to generate the OTP.

HSBC does none of these things. Their login flow uses a username, a memorable question, and a 6-digit OTP. The admissible memorable questions are:
  • What is your eldest child's middle name? (I don't have any children.)
  • Who was your first employer? (Easy to find on LinkedIn.)
  • What is your father's middle name? (Somewhat harder to find, probably not impossible.)
  • What is the name of the street you grew up on? (Easy to guess if you know where I went to primary school.)
  • What was the name of your first school? (And the name of that school is probably on the untrimmed version of my CV.)
  • Name a memorable character from a film or book or TV (I wouldn't remember what I'd answered to this one.)
  • What is the make and model of your first car? (I never owned a car. And if I still had it, it'd be parked outside my house for all the world to identify. Maybe even on Street View.)
  • Name a memorable meal (What?!)
  • Name a memorable restaurant (Actually, this one might work for me. But for close friends, my answer would be easy to guess.)
  • What is your memorable answer?
Yes, really. The self-referentiality almost makes the entire banking world disappear in a puff of logic. But of course I chose this option, and just entered a password. I can only imagine how this option came about.
Management: "Passwords are too hard. I forgot the password to my email for the third time this month. IT people, make our site use a secret question instead."
IT person: "But they are less secure. They're easy to guess for outsiders. We're a bank, right? We manage people's money."
Management: "I have to rush off to a meeting. You know what to do."
IT person: "Just one more question – what secret questions should we use?"
Management: "You're the expert. Figure something out."
IT person (trying to suppress a grin): "OK, will do."

#1: Charles Schwab

Schwab is a big investment firm that manages stock portfolios, so you'd expect them to be secure, right? Let's take a look at their password policy:
  • The password must be at least 6 characters. So far, so good.
  • The password must contain at least one digit. OK.
  • The digit must be between the first and last characters. What?
  • The password must be at most 8 characters. What?!
  • The password may not contain any symbols. WHAT?!
  • The password is case insensitive. WHAT?!
Even LastPass had some trouble coming up with a password for that.

Well, at least they have recently added the ability to change your username, so I can stop being THOMAS3722. Or was it THOMAS9560? I forgot.
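The Schwab policy listed above, written out as a checker, a keyspace count and a compliant random generator. This is an added example, not code from the original post; it assumes the digit rule means the first and last characters must be letters with at least one digit between them, and all function names are illustrative.

```python
import math
import secrets
import string
from itertools import product

LETTERS = string.ascii_lowercase  # case-insensitive, so one case only
DIGITS = string.digits

def is_valid(pw, letters=LETTERS, digits=DIGITS, min_len=6, max_len=8):
    """Check a password against the policy as listed in the post.
    Assumed reading: first and last characters are letters, and at
    least one digit sits somewhere between them."""
    pw = pw.lower()
    if not min_len <= len(pw) <= max_len:
        return False
    if any(c not in letters + digits for c in pw):  # no symbols
        return False
    if pw[0] in digits or pw[-1] in digits:
        return False
    return any(c in digits for c in pw[1:-1])

def count_valid(n_letters=26, n_digits=10, min_len=6, max_len=8):
    """Closed form: letter, interior with >= 1 digit, letter."""
    a = n_letters + n_digits
    return sum(n_letters**2 * (a**(n - 2) - n_letters**(n - 2))
               for n in range(min_len, max_len + 1))

def brute_count(letters, digits, min_len, max_len):
    """Enumerate every candidate; only feasible for tiny alphabets."""
    return sum(is_valid("".join(t), letters, digits, min_len, max_len)
               for n in range(min_len, max_len + 1)
               for t in product(letters + digits, repeat=n))

def generate(length=8):
    """Uniform random compliant password via rejection sampling."""
    while True:
        pw = "".join(secrets.choice(LETTERS + DIGITS) for _ in range(length))
        if is_valid(pw):
            return pw

if __name__ == "__main__":
    n = count_valid()
    print(f"compliant passwords: {n:,} (~{math.log2(n):.1f} bits)")
    # Constructed comparison: 12 characters from 94 printable ASCII symbols.
    print(f"12 printable chars:  ~{12 * math.log2(94):.1f} bits")
    print("sample:", generate())
```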


Mark IJbema said...

"The digit must be between the first and last characters. What?"

I think this one actually is sensible. Most people, when confronted with a digit requirement, only add '1' to the start or end of their password ('password1').

One of my banks actually requires me to type blind (as in password field) the answer to what the profession of my granddad was (in addition to my password). Now let's see, was that middle school teacher, French teacher, middle school French teacher? Also, blind. Did I mention that?

Marten said...

So is your Schwab username now a long unmemorable string of 64 random characters?

Thomas ten Cate said...

@Mark: Yes, I can see where it came from. But it shrinks the search space by a factor of (36/26)^2 = 1.9, which is fairly significant if your search space is only O(10^12) to begin with. So I'm not sure it's wise when combined with the other restrictions.

@Marten: Interesting idea :)
