But why can't I send people their passwords?
Hi all, this is @omervk, one of the co-founders and maintainer of Plain-Text Offenders [1].
I've just finished creating two FAQs: One for developers who come to the site and don't understand what's wrong with what they're doing [2] and another for the laymen who want to understand what we're all about and how to protect themselves [3]. The idea is that people could also send these links around to educate others.
As HN is one of our main supporting communities, I'd love to hear your thoughts about both of these new pages.
[1] http://plaintextoffenders.com/ [2] http://plaintextoffenders.com/faq/devs [3] http://plaintextoffenders.com/faq/non-devs
178 comments
[ 2.1 ms ] story [ 219 ms ] thread[1] http://plaintextoffenders.com/ [2] http://plaintextoffenders.com/faq/devs [3] http://plaintextoffenders.com/faq/non-devs
This is one I always struggled to understand. If email is compromised, the attacker can request and immediately intercept a password reset anyway.
[edit: Many excellent points below. I think some of these should be in the FAQ.
That would grant continued access to the email, and other sites that took protection a little more seriously like Paypal and Bank Logins (you can't reset a Paypal password with just an email, and if you could, such an action would make Paypal fraud detection software go nuts).
Cool!
No, the people who use a common password gave out the keys.
There is simply no excusing it. The apologism for it has to stop. NEVER use the same password across multiple services. If one service gets compromised, the extent of their culpability is their own service. Anyone whose password exposes other things was the cause of their own demise.
EDIT: I will not back down from this (and you shouldn't feel too ashamed for reusing passwords and falling in the above buckets, desperately hitting down arrow. Just correct your mistakes). It is utter idiocy to constantly defend the habit of shared passwords, when people give it to services of zero trust, and with unknown habits and practices. When some service of no consequence stores your password in plaintext, that is them being dumb. If you then complain because it's the same password used elsewhere, that is you being dumb.
Yes, you absolutely can and should say that. This isn't human nature, but is simply accepted and defended behavior that gets caught out again, and again, and again. I have absolutely no doubt that many visitors to HN are guilty of this, and instead of confronting the reality of their insecurity, pretend it's someone else's fault.
Each time some random, irrelevant message board has a password exploit, everyone who should know better rushes forth to pillorize the operator because of the greater danger, yet the operator may have been sharing those passwords on the black market for time eternal. The operator may have been putting their plaintext backups on a compromised FTP site for years. They may have engaged endless contractors who made their own backups and are busy buying stuff on Amazon for it.
But instead we argue pretend security measures, when the horses have not only bolted, they're several states away.
It is complete idiocy to use passwords across services. Utter insanity. It is the worst possible practice imaginable, and is never, ever excusable.
If you used the same password across sites, you simply must assume that since day one it has been compromised, and it is your own doing.
But here we excuse it. And then, in excusing it and defending it and supporting it, claim that it's "human nature". It isn't human nature at all.
How To Hack 60% of Hacker News: Create a service requiring users to create logins, submitting it as a show HN. Harvest email/passwords from very foolish people and enjoy their access everywhere else.
I disagree entirely with your statement that: "This isn't human nature, but is simply accepted and defended behavior that gets caught out again, and again, and again."
This is patently false - remembering a different password for every single system, device and site you interact with is not a feasible proposition for the vast majority, especially if you require these passwords to be in any way meaningfully secure.
There are ways of sidestepping this problem, such as 1password and the like, but the ones that are most seamless are paid for services and hence the adoption rate among technically illiterate people is pretty small (I'd imagine, no stats here).
The real issue is that passwords are a broken way of authenticating. End of. Passwords that are easy to remember are trivial to crack, and passwords that are difficult to crack are hard to remember. This is the issue here.
People may do dumb things, but it is far easier to change your system than it is them.
The whole discussion revolves around a fundamental principal that is simply broken to begin with, akin to "How to try not to die when you eat rotting meat".
Don't eat rotting meat. Use a fridge. Etc.
In the case of passwords-
-Use a shared authentication platform -or on sign-up implore that your users do not use a shared password. Education -or offer, or force, a generated password
But instead we'll discuss the risk that shared passwords get lost, when they were in the wild the moment you used them on a second site.
The problem needs to be solved at a more fundamental level - people should not have to be forced to perform a function that they are demonstrably bad at. Mitigation strategies like having randomised passwords and storing them in a shared authentication platform are only masking the reality that passwords are a bad way of performing authentication.
Not that I'm clever enough to come up with an alternative mind you, and not to suggest that I don't agree with your premise that using a password in multiple places is a bad idea.
If you have given an untrusted third party site the credentials that you use on other sites, that meat is complete fetid. It is now deadly.
This whole discussion is arguing about what to do once the meat is rotten, rather than daring to maybe discuss not selling rotten meat in the first place.
When a site gets compromised and the passwords may get stolen (because of weak or no cryptography), the site should send out password reset emails en mass, and that should be the end of the whole issue. Instead it's moralizing about how they put everyone at risk because of other sites where the same credentials work. No, the user put themselves 100% at risk. But it is never discussed that way, and instead we continue this ignorance train.
As an aside, I marvel that some defensive imbecile keeps coming deep into this thread to downvote me.
Comments like this are the "rotting meat" of Hacker News. Please just leave them out of your posts.
It's one thing to argue for improving people's password practices, but please don't pretend that there's no reason for their behavior. The vast majority of people who share passwords between sites experience no repercussions from their choice. And choosing not to create a new password for every site saves them time and potential frustration.
That's the human nature part, to assess the risk of behavior and change it only if future experiences show that the costs associated with that behavior are too high. Since most people don't experience the disadvantages and do experience the benefits this behavior continues.
We can encourage more people to avoid this behavior by explaining the potential impacts and providing accurate estimates of the risk they're taking. We can offer alternatives to password reuse, like using a password manager. But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
More accurately, they have no awareness of the reprecussions from their choice. Yet endlessly on HN we hear stories of mysterious iTunes access, Steam takeovers, even Amazon AWS account compromises. It is no big mystery when this happens given this common, grossly insecure behavior.
But ultimately they are still going to weigh their perception of the risk and benefits to make their own decision.
I absolutely agree, absolutely and completely, but think that the risk portion is hugely underestimated. Among people who should know better there is a tendency to under-estimate what is an enormous, worst-possible-exploit problem. No one ever talks about education. No one wastes time trying to help users enjoy better behavior.
Instead we argue about whether some site operated by an unknown number of people of unknown trustworthiness, on a platform that might have been exploited and owned by hacker groups for years, properly hashed our password after we passed the keys to all services through plaintext. It is insanity.
What do I do?
I just don't use the sites.
I've restricted, and continue to pare down, the sites that I use on the internet.
It's the truth.
I do keep my amazon.com account, so I can order paper and cardboard books the local bookstores don't carry, and read them on the sofa at my house, next to my floor lamp.
use throwaway passwords for one off services and just use the password reset feature when you want to use it.
Not everything is critical, if someone gets into my HN account, for example, I'm not too fussed about it. It sucks, but whatever.
If someone gets into my bank account... different story.
It isn't that people re-use passwords that's the issue, it's that they do it for shit that actually matters.
Still, one time use password reset links with explicit instructions and set expectations to reset the password immediately is the way to go if you're emailing anything IMO.
At first glance this might seem a little silly. Amazon has the key. (You don't even get to see the key yourself.) So Amazon can read all your data. And every time you read from the bucket it's automatically decrypted, so the encryption won't protect you from anyone who has somehow achieved permission to read your data.
But that's not the point. The point is to protect against attacks like "I found this pile of dusty drives stacked in the maintenance closet at Amazon," or "I went digging in the local dump near an Amazon data center and unearthed this hard drive, and look what I found backed up on it."
Now, one good idea might be to redundantly back-up Amazon's backups at some other host, using GPG to encrypt those. This ensures against Amazon encryption errors, billing errors, mistyped legal injunctions, Jeff Bezos declaring you his personal enemy, et cetera.
This may be obvious, but rolling my own at-rest encryption is not going to significantly protect my data from an attacker who works inside Amazon, nor from an attacker who roots my instance. If the keys are in the cloud, the keys are in the cloud.
UPDATE: oh, yeah, I forgot the use case where you are writing to s3 from outside Amazon's datacenter over HTTPS. Okay, that is a much stronger case for GPG in advance. It wouldn't matter if we assumed that TLS always worked. But this is TLS. Does your upload client check the certificate chain? So many of them do not. I sure hope Amazon's CLI client does.....
Dear Amazon S3 Customer,
Amazon S3 now supports server side encryption with customer-provided keys (SSE-C), a new encryption option for Amazon S3. When using SSE-C, Amazon S3 encrypts your objects with the custom encryption keys that you provide. Since Amazon S3 performs the encryption for you, you get the benefits of using your encryption keys without the cost of writing or executing your own encryption code.
And do they keep your key?
How long?
Look, it's keys all the way down.
Beneath that, wiretaps.
> Email is not a secure medium. It was never designed to be one. It’s susceptible to Man In The Middle (MITM) attacks and a slew of other issues.
Email by default right not isn't encrypted. Anyone (eg, a 3-letter government agency or a malicous actor on an unencrypted wifi network) who can intercept your traffic can read that password - and you can't even tell. At least with a password reset there's the "notification" of "my password doesn't work anymore". That's mitigated by SSL/TLS, but it's still an important point to consider.
Additionally, even if your reset request is harvested via MITM, if you use a single-use reset token, and an attacker uses it before you can, you know something is up. Even if it's not single-use, your password suddenly no longer working should ring alarm bells.
That said, it can be more secure. Firstly, people reuse passwords, so intercepting a plaintext password gives you access not only to the account on that site, but also several others.
Secondly, if the link expires you can't use old account recovery emails to find out passwords. If you manage to compromise an account (rather than mitm), you can search through for old "here is your password" emails and use those without even having to initiate a new password recovery process, which in this age of mobile devices and push notifications risks the victim seeing the email and getting suspicious.
It's totally irresponsible for a service provider to essentially reveal a secret like that (without asking or really, ever).
If google really does get in-browser crypto working, they might even understand pgp. They won't understand Diffie-Hellman, but they understand if words --> block of gibberish --> words, then there must be some math in between.
I guess what I mean to say is that you need to play both sides of it. As a developer, you should be doing all you can to prevent anything from leaking user info. As a user, you should do anything you can to prevent leaks from one site affecting other parts of your internet identity. Isn't that the entire goal of the FAQ this guy is putting together?
Whenever I encounter them, I paste the output of "dd if=/dev/random bs=1k count=1 |uuencode x" into the field.
Not really the main issue - if you always send the password the Thief controlling the email does not even need to reset the password. he can get in without leaving any trace at any time. It also allows the collection of all the Passwords from all the users in bulk. And if your users are reusing their passwords everything else is open too.
Sending the Password is just a stupid policy. Its up there with restrictive Password requirements and Server-side unhashed Password storage.
Basically you could visit a malicious webpage, and all emails containing the word "password", would be sent to the attacker.
This would close the "I accidentally left my account logged in" hole.
There's a balance to be had, and while admittedly, getting the details right is tedium and minutiae, it can be done, and done right.
Also, after users learn the new process, it opens up a new phishing attack vector for Gmail.
By the way, you can always allow users to connect several OpenIDs to a single account – this way, worried users can provide redundancy themselves, if desired.
Persona is just a protocol though, it's implicitly supported by all browsers. Though in-browser auth (which is the ideal case) is only in Firefox so far...
> JS requirement
Granted. Though theoretically, you don't need javascript.
> reliance on email
Granted again, but this is a completely acceptable tradeoff for 99% of services which will require an email and usually even use it as the user's identification.
Still not sold, but I'll keep your solution in mind. Thanks for alternatives! :)
Teach good password hygiene. Use keepassx. Use decentralized third party authentication with providers that know what they are doing and use 2FA and such!
But password restrictions achieve very little. Let people use their 12345 if they really want, they won't learn by watching the stove but by touching it. Some people are like that and we should educate, not babysit.
There are many sites which contain none of my personal info but I have to setup an account just to view website content. If my account gets hijacked, it might be used for spamming. But still If I could make a throwaway account with a blank password I would because I don't care about that accounts security. So surely some restrictions need to be in place if you're going to require signups.
I sucks for people that generate individual passwords based on a common password and site-specific data.
I had a password for a credit card account which could not be more than 8 characters and couldn't contain 'special' characters or punctuation. This was probably done to either make the password human readable (over-the-phone, horrible idea), or because of some legacy system on their end. At some point the organization got smart and made a minimum of 6 characters, of which two needed to be numbers (but kept the other restrictions). This effectively narrows down pool the possible passwords for an attacker to guess, the opposite of what you want to do.
Originally:
After: Only 62,237,044 possibilities eliminated. Length is the most important factor, so this was probably a good decision if most of their users were using <= 6 char passwords, or not using numbers at all. And frankly, the financial sector should be using HSMs anyway, making weak KDFs irrelevant.Therefore 1000 is a good minimum max length but 3 million is way to long.
In the old days, if you stored the unencrypted password, it had to have a maximum length because somebody decided to make the db column 16 chars....
Same goes for charset limitations (e.g. try storing unicode characters in a database set to US-ASCII charset...) - with a hash your input does not matter - it is just a sequence of bytes that are hashed.
Lastly, the source of disallowing certain characters is the laziness of the implementers that couldn't be bothered to implement proper input encoding in their frontend
Example:
>7. Fine, but I still get to send users their passwords once they created them so they don’t forget them, right?
No, Email is not a secure medium.....
https://docs.djangoproject.com/en/dev/topics/auth/passwords/
A list of password hashers, on successful login the user is upgraded to the top password hasher. Makes it very simple to switch to a new scheme or work factor.
[1] https://pythonhosted.org/passlib/lib/passlib.context.html?hi...
Question 9 should include a sub-section .3 which explains that if you unrestrict the password field, you need to include a basic password cracker or strength requirement, usually along with a client-side "strength" meter. The backend should reject all simple passwords and the frontend should help the user pick a simple yet strong password.
And ideally this page would also link the dev to http://twofactorauth.org/ as an example of how many more places are implementing 2FA. Passwords are dead; long live passwords with 2FA.
Re: Q9. Again, that's a great pattern, but is not a requirement to not be on our list.
This is linked to from the non-dev FAQ, but I'll make sure to add a section about 2FA to the dev section.
Thanks!
[1] https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-s...
"We explain in everything our About page." - doesn't read right, maybe 'we explain everything on our About page"?
"your post was deleted with prejudice" ?? needs rephrasing
2. Rephrased.
I'm not saying we shouldn't take care of our users, but how's our fault that their email is hacked? We can't do anything to protect against this and placing more complex policies would hurt users who have enough common sense to this properly and expecting the same from us.
P.S. I'm in no way saying to to ditch all security procedures we can, but to one point security is about trust, and if you can't trust your users to keep their freaking passwords and email accounts secured, then hell with them. Put it in plain text in your TOS and be done with it.
You could as well just publish your users passwords at your front page, and claim that if a user has a password compromissed because of that, it's his own fault, you should be able to trust them not to use insecure services.
edit:
Maybe something along the lines of:
> Modern cryptography allows websites to save passwords in a form that is un-decryptable even to the site itself. This works because to check the validity of logins, the unencrypted (plain) version of the password is never needed. The fact that a site stores the password in a decryptable format and decrypts it to show it to you means that an attacker could potentially decrypt the password in the exact same way. Or even worse, maybe they never encrypt it in the first place! This potentially compromises the safety of the password you use because it lets an attacker steal your password.
> If the website can pull out your password to show it to you, an attacker can pull out the password to steal it.
As ever, the issue is explaining hashing.
"It is possible to store passwords in a way that the website cannot see your password, but can still verify that a password entered by you checks out." (trust us, after all you're trusting that we know what we're talking about by reading this stuff)
Ordinary people are going to be thinking about a key in a lock. Does the lock on your house store the key inside? Maybe in some kind of information-theoretic sense but in the ordinary meaning of the word, no, it has a representation (that may not even be sufficiently specific to recover your key exactly). And if you lose your key you don't break into the lock to recover it--you call a locksmith to replace the lock, and get new keys.
That right there is an intuitive understanding of both hashing and good security principles that goes surprisingly far.
I don't think people are thinking about keys and locks. Passwords are a thing that existed before computers and that people understand perfectly outside of an IT context. Spies in films use secret phrases to prove they're the contact, kids use passwords to gain access to the clubhouse. But in all these non IT contexts the person checking the authentication knows the shared secret, so it's obvious how they check it.
If my mental model is "I've arranged a secret password with this website that proves I'm really me", then my first question when told the website doesn't know what secret password is "well how does it know that the password is correct?".
The best I've been able to come up with today is a somewhat lengthy metaphone with color mixing.
[Edit] Having said that, I just went and talked to my technical literate non programmer wife and she used the key and door analogy.
Something to arm the devs who work at these places with something when they go to management who's reaction is "yeah I know it's bad.. but... like, we have important shit to do."
My dad is an endodontist with zero software/web experience and even he knows not to keep passwords in plaintext and to use ssl.
I'm only a CS undergrad and I'm learning webdev so I can implement it for him but I still know to hash and salt your passwords. The fact that people implement these critical systems (and get paid for it) without knowing basic practices makes me worry about the future.
Is this offending? Let's also pretend that I have to change this password upon my first login.
http://nakedsecurity.sophos.com/2013/11/20/serious-security-...
EDIT: Just saw @ajanuary's child comment on the top-voted parent. The point exactly.