30 comments

[ 4.8 ms ] story [ 59.6 ms ] thread
To many high profile names falling in the last few weeks. Must remember to always use different passwords.
I have over 50 overly strong passwords in a little black book, encrypted by simple method so I can decipher at "runtime".

I've memorized most of the regulary used ones though.

From previous incarnations of this thread on HN (I think the linkedin one...), I have learned to use SuperGenPass.

There are a few similar utilities, basically it hashes your password browser-side with the site domain. This allows you to maintain unique passwords on all different sites by memorizing a single "master password".

"hashes your password browser-side with the site domain"

Does this mean using the domain as a salt?

yes. and that's a problem.
It's only a problem if the secret key is compromised. (But that's a problem for pretty much everything, isn't it?)
are you sure? that makes it possible to use rainbow tables (rainbow tables per domain obviously, but still pretty bad). or am i missing something?
You wouldn't use rainbow tables for a scheme like using hash(secret phrase + domain) to generate personal passwords, you'd use a dictionary attack where domains are the words, followed by a brute-force technique (which you'd use if you lacked the secret key). If I know you use such a scheme and I learn your secret phrase, your email provider and bank account websites would be the first on my list. It becomes no more secure than using the same password on every site plus the domain name at the end. The benefit is that you never have to trust all those different websites with your secret phrase.

The parenthetical in my above comment calls back to a comment by some early giant in cryptology (I think). It's best to have all the details about your specific method of hiding data known publicly, with the secret key being the only private piece of information.

There's the cross-platform issue with that one. I need this everywhere.
I'm using KeePassX (Linux, Mac) and KeePassDroid, both open source (you can audit the code if you need to).

Both are compatible with KeePass (to some extent), that runs on Windows.

Basically you can use it (almost?) anywhere:

http://keepass.info/download.html

+1 for the valid suggestion. Though I still prefer have them physically and nowhere else.
The main problem with "password vaults" is (and this is a showstopper for me)

You have to download it before using ANYTHING

And if the machine is compromised, they will have your passwords either way

I have "don't care" relatively weak passwords, various mnemonics for stronger ones I want to remember, and a bash+python script that takes a hash of a memorized passphrase + site domain as a random number generator seed that spits out 64 "graph" and 64 "alnum" characters (and some helpful trimmings for common, ridiculous, "maximum length" of sent passwords (20, 12..) that get SHA1'd into 40 characters anyway). I typically just remember which combination I used for the site, and since each is unique I just let the browser store it if I don't care too much for the account. Before I started using my script, for some sites that were important but I visited maybe once a year at maximum I grabbed something off of http://www.fourmilab.ch/hotbits/ and forgot it and then used the "forgot password" feature when I needed to log in some other time in the future.

Few things bug me more than sites that have a maxlength property on the registration password forms (that's longer than the form-width shows), but not on the login password form.

I wonder what hash nvidia uses? These days when they don't specify, I just assume sha1. I hope it's not md5.

(comment deleted)
From their email to users: "As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere."

I suppose it's a good idea, as a "precautionary" measure. But is this their way of admitting to hashing without salt...?

No, unless they're lying. The submitted page says "hashed passwords with random salt value".

That doesn't mean they're doing it right, but it's a good start point.

Since they were hacked it's possible that the logins were intercepted in flight. (Add something to the login code to log all passwords, or email them.)

So the hackers may have captured all the passwords of anyone who logged in while they had control of the site. Because of that it's a good idea to change your password if you've used it elsewhere.

What software are they using for their forums? It seems like you're just begging for this to happen to you if you go with any of the open source options. They all eventually have exploits available for them (some have them all the time). As long as you know what you're doing you should always cook up your own solution for this sort of stuff even if what you come up with lacks features. One day you might be hacked by someone clever who figured out a weakness in your implementation, but at least it won't be a script kiddie with some automated method of attack.
But can't you say that for every web technology or are forums software especially bad security wise?
This probably applies to any type of software online that has user accounts. Forums seem to get hit more than most other things because of the concentration of email/password combos.
(comment deleted)
This is a classic argument against open source, but security through obscurity never works. If you want to keep safe from script kiddies, always keep your software up to date.
Keeping your software up to date is great advise. However I do not entirely agree with the statement that security through obscurity never works. It can never work alone - true. But in combination with other measures it can be a great help.

And with respect to the point cshimmin makes, there is some merit to it. Yes nearly every piece of software, open or closed source is bound to have vulnerabilities. However, the chance of someone taking the time for finding and exploiting a moderately hard to find bug (not referring to a run-of-the-mill sql injection) in a piece of software I've written myself and I'am the only user of is vastly lower than in case of a popular piece of open source forum software (to some extend depending on who I - the only user - am of course).

unless, of course, you are vulnerable to a certain class of attacks (e.g. the ruby on rails attack this year). the chance that others have already fixed it is way better when more people use the same software.

i'm not subscribing to the "enough eyeballs, all bugs are shallow"-argument, but the opposite is also wrong. deeply wrong.

It's really not intended as an argument against open source. It's an argument against using open source forum software (maybe even open source web app software with user accounts). There are always exploits available and you can't always patch in time. Sometimes there isn't even a patch available before the exploits are in use. I was always taught never to rely on security through obscurity. I understand that it's a best practice to not. But feeding off of what jvdongen said, you are far less likely to be hacked using well-constructed homebrew software than an off-the-shelf open source solution.
All this does is guarantee you do it wrong.
Can you make a case for why this is so? Not everyone fails at security. Just because one person is working on the software and because that software is not open source does not mean that you will leave something in your software that can be exploited in a way that gives someone access to your database.
Whether your site gets owned or not is dominated by its popularity rather than its source code license. There's a number of proprietary forums out there too, they tend to suck as much as the open variants. (And if it's for sale, your attacker has a copy.) Being custom-developed protects you from the script kiddies (but you'll have to fight spam yourself--fortunately custom non-OCR-requiring captchas can have higher blocking success rates than even recaptcha), being closed gives you little more than a time advantage if you do become popular. Security through obscurity is a real security layer, it's just incredibly thin.

The better argument for "roll your own", if you have the time, is that it can be a great learning experience. But regardless of what's used, if you ever do get popular enough to become a conscious target it's just negligent to not do security audits from people whose job is security. It's also helpful to design from the perspective of "everything is compromised, what will I regret."

This is very sound advice. On a long enough timeline everyone gets hacked. You should definitely spend the money to get audited by professionals.
There seems to have been an increase in big-name-related releases recently. Is there a particular reason behind it?

Are there more break-ins happening, or more being reported, or are more companies being more open about this kind of thing? Or is it even that the burglars are being more open?

I'm not involved in the field, but am finding it interesting that a lot more of these break-ins appear on my radar.