From previous incarnations of this thread on HN (I think the linkedin one...), I have learned to use SuperGenPass.
There are a few similar utilities, basically it hashes your password browser-side with the site domain. This allows you to maintain unique passwords on all different sites by memorizing a single "master password".
You wouldn't use rainbow tables for a scheme like using hash(secret phrase + domain) to generate personal passwords, you'd use a dictionary attack where domains are the words, followed by a brute-force technique (which you'd use if you lacked the secret key). If I know you use such a scheme and I learn your secret phrase, your email provider and bank account websites would be the first on my list. It becomes no more secure than using the same password on every site plus the domain name at the end. The benefit is that you never have to trust all those different websites with your secret phrase.
The parenthetical in my above comment calls back to a comment by some early giant in cryptology (I think). It's best to have all the details about your specific method of hiding data known publicly, with the secret key being the only private piece of information.
I have "don't care" relatively weak passwords, various mnemonics for stronger ones I want to remember, and a bash+python script that takes a hash of a memorized passphrase + site domain as a random number generator seed that spits out 64 "graph" and 64 "alnum" characters (and some helpful trimmings for common, ridiculous, "maximum length" of sent passwords (20, 12..) that get SHA1'd into 40 characters anyway). I typically just remember which combination I used for the site, and since each is unique I just let the browser store it if I don't care too much for the account. Before I started using my script, for some sites that were important but I visited maybe once a year at maximum I grabbed something off of http://www.fourmilab.ch/hotbits/ and forgot it and then used the "forgot password" feature when I needed to log in some other time in the future.
Few things bug me more than sites that have a maxlength property on the registration password forms (that's longer than the form-width shows), but not on the login password form.
I wonder what hash nvidia uses? These days when they don't specify, I just assume sha1. I hope it's not md5.
From their email to users:
"As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere."
I suppose it's a good idea, as a "precautionary" measure. But is this their way of admitting to hashing without salt...?
Since they were hacked it's possible that the logins were intercepted in flight. (Add something to the login code to log all passwords, or email them.)
So the hackers may have captured all the passwords of anyone who logged in while they had control of the site. Because of that it's a good idea to change your password if you've used it elsewhere.
What software are they using for their forums? It seems like you're just begging for this to happen to you if you go with any of the open source options. They all eventually have exploits available for them (some have them all the time). As long as you know what you're doing you should always cook up your own solution for this sort of stuff even if what you come up with lacks features. One day you might be hacked by someone clever who figured out a weakness in your implementation, but at least it won't be a script kiddie with some automated method of attack.
This probably applies to any type of software online that has user accounts. Forums seem to get hit more than most other things because of the concentration of email/password combos.
This is a classic argument against open source, but security through obscurity never works. If you want to keep safe from script kiddies, always keep your software up to date.
Keeping your software up to date is great advise. However I do not entirely agree with the statement that security through obscurity never works.
It can never work alone - true. But in combination with other measures it can be a great help.
And with respect to the point cshimmin makes, there is some merit to it. Yes nearly every piece of software, open or closed source is bound to have vulnerabilities. However, the chance of someone taking the time for finding and exploiting a moderately hard to find bug (not referring to a run-of-the-mill sql injection) in a piece of software I've written myself and I'am the only user of is vastly lower than in case of a popular piece of open source forum software (to some extend depending on who I - the only user - am of course).
unless, of course, you are vulnerable to a certain class of attacks (e.g. the ruby on rails attack this year). the chance that others have already fixed it is way better when more people use the same software.
i'm not subscribing to the "enough eyeballs, all bugs are shallow"-argument, but the opposite is also wrong. deeply wrong.
It's really not intended as an argument against open source. It's an argument against using open source forum software (maybe even open source web app software with user accounts). There are always exploits available and you can't always patch in time. Sometimes there isn't even a patch available before the exploits are in use. I was always taught never to rely on security through obscurity. I understand that it's a best practice to not. But feeding off of what jvdongen said, you are far less likely to be hacked using well-constructed homebrew software than an off-the-shelf open source solution.
Can you make a case for why this is so? Not everyone fails at security. Just because one person is working on the software and because that software is not open source does not mean that you will leave something in your software that can be exploited in a way that gives someone access to your database.
Whether your site gets owned or not is dominated by its popularity rather than its source code license. There's a number of proprietary forums out there too, they tend to suck as much as the open variants. (And if it's for sale, your attacker has a copy.) Being custom-developed protects you from the script kiddies (but you'll have to fight spam yourself--fortunately custom non-OCR-requiring captchas can have higher blocking success rates than even recaptcha), being closed gives you little more than a time advantage if you do become popular. Security through obscurity is a real security layer, it's just incredibly thin.
The better argument for "roll your own", if you have the time, is that it can be a great learning experience. But regardless of what's used, if you ever do get popular enough to become a conscious target it's just negligent to not do security audits from people whose job is security. It's also helpful to design from the perspective of "everything is compromised, what will I regret."
There seems to have been an increase in big-name-related releases recently. Is there a particular reason behind it?
Are there more break-ins happening, or more being reported, or are more companies being more open about this kind of thing? Or is it even that the burglars are being more open?
I'm not involved in the field, but am finding it interesting that a lot more of these break-ins appear on my radar.
30 comments
[ 4.8 ms ] story [ 59.6 ms ] threadI've memorized most of the regulary used ones though.
There are a few similar utilities, basically it hashes your password browser-side with the site domain. This allows you to maintain unique passwords on all different sites by memorizing a single "master password".
Does this mean using the domain as a salt?
The parenthetical in my above comment calls back to a comment by some early giant in cryptology (I think). It's best to have all the details about your specific method of hiding data known publicly, with the secret key being the only private piece of information.
Both are compatible with KeePass (to some extent), that runs on Windows.
Basically you can use it (almost?) anywhere:
http://keepass.info/download.html
You have to download it before using ANYTHING
And if the machine is compromised, they will have your passwords either way
Few things bug me more than sites that have a maxlength property on the registration password forms (that's longer than the form-width shows), but not on the login password form.
I wonder what hash nvidia uses? These days when they don't specify, I just assume sha1. I hope it's not md5.
I suppose it's a good idea, as a "precautionary" measure. But is this their way of admitting to hashing without salt...?
That doesn't mean they're doing it right, but it's a good start point.
So the hackers may have captured all the passwords of anyone who logged in while they had control of the site. Because of that it's a good idea to change your password if you've used it elsewhere.
And with respect to the point cshimmin makes, there is some merit to it. Yes nearly every piece of software, open or closed source is bound to have vulnerabilities. However, the chance of someone taking the time for finding and exploiting a moderately hard to find bug (not referring to a run-of-the-mill sql injection) in a piece of software I've written myself and I'am the only user of is vastly lower than in case of a popular piece of open source forum software (to some extend depending on who I - the only user - am of course).
i'm not subscribing to the "enough eyeballs, all bugs are shallow"-argument, but the opposite is also wrong. deeply wrong.
The better argument for "roll your own", if you have the time, is that it can be a great learning experience. But regardless of what's used, if you ever do get popular enough to become a conscious target it's just negligent to not do security audits from people whose job is security. It's also helpful to design from the perspective of "everything is compromised, what will I regret."
Are there more break-ins happening, or more being reported, or are more companies being more open about this kind of thing? Or is it even that the burglars are being more open?
I'm not involved in the field, but am finding it interesting that a lot more of these break-ins appear on my radar.