Top E-commerce Sites Fail To Protect Users From Stupid Passwords

timothy posted about 4 months ago | from the use-uno-dos-tres-instead dept.

Security

Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'" xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.
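The two measures the study scored sites on, a common-password blocklist and a lockout after 10 failed logins, as an added example that is not code from the article or from Dashlane's study. The blocklist contents, the event format and the account names are constructed for the example.

```python
"""Added example: a common-password blocklist and a 10-failure lockout,
the two checks the Dashlane study graded e-commerce sites on."""
from collections import defaultdict

# Constructed blocklist; a real deployment loads a much larger list of
# leaked and common passwords. '123456' and 'password' are the two the
# study names.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}
MAX_FAILURES = 10  # the study's threshold for "blocks entry"


def rejects_common_password(candidate: str) -> bool:
    """True if the candidate is on the blocklist. The comparison is
    case-insensitive so 'Password' is treated like 'password'."""
    return candidate.lower() in COMMON_PASSWORDS


class LoginThrottle:
    """Counts consecutive failed logins per account and refuses every
    further attempt once MAX_FAILURES is reached, until an explicit reset.
    A correct password after lockout is refused too: that is what stops
    an automated guesser from running thousands of passwords."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_locked(self, account: str) -> bool:
        return self.failures[account] >= self.max_failures

    def reset(self, account: str) -> None:
        """Unlock after an out-of-band identity check (e.g. a reset link)."""
        self.failures[account] = 0

    def attempt(self, account: str, success: bool) -> str:
        """Record one attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account):
            return "locked"  # refused before the password is even checked
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        return "failed"


def replay(events):
    """Run (account, password_was_correct) events through a fresh throttle
    and return the outcome of each attempt in order."""
    throttle = LoginThrottle()
    return [throttle.attempt(account, ok) for account, ok in events]


# Constructed sample: eleven wrong guesses against 'alice', then the right
# password; three wrong guesses against 'bob', then the right one.
SAMPLE_EVENTS = ([("alice", False)] * 11 + [("alice", True)]
                 + [("bob", False)] * 3 + [("bob", True)])

if __name__ == "__main__":
    for (account, _), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{account:6} {outcome}")
```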


162 comments

Top gun manufacturers fail to protect users (0)

Anonymous Coward | about 4 months ago | (#46456859)

From pointing the gun at their face.

Re:Top gun manufacturers fail to protect users (4, Insightful)

causality (777677) | about 4 months ago | (#46456883)

From pointing the gun at their face.

Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.

Re:Top gun manufacturers fail to protect users (1)

Anonymous Coward | about 4 months ago | (#46457357)

From pointing the gun at their face.

Indeed. And "rules that require even more complexity in passwords" backfire because the notion of protecting people from themselves is fundamentally flawed. Note the way you practically never see this notion questioned in any headline or summary.

My guess is that they're probably afraid of losing business to customers that would end up being frustrated trying to make up a password they'll remember that contains at least one uppercase letter, one number, one symbol, and is a minimum of a LONG 8 characters (long for the user, short for us IT techie guys).

In the end, to some degree, it probably has to do with (1) not recognizing, accepting, and implementing security and (2) fear of losing business. This especially matters with small businesses because most of them are too cheap / won't recognize, accept, and implement security / straight out don't give a ****.

Re:Top gun manufacturers fail to protect users (2)

ShanghaiBill (739463) | about 4 months ago | (#46457583)

the notion of protecting people from themselves is fundamentally flawed.

Yet traffic deaths are at a sixty-year low [masslive.com] despite a quadrupling of the number of cars and drivers. When common sense safeguards, such as seat belts, were first proposed, the auto industry made the same argument you are using here: "Our customers are stupid, and deserve what they get."

Re:Top gun manufacturers fail to protect users (2)

x0ra (1249540) | about 4 months ago | (#46457729)

How is more death on the road necessarily "bad"? If Joe the Plumber crashes and was not wearing a seat belt, well, too bad for him. Why should the government try to protect people from themselves?

Re:Top gun manufacturers fail to protect users (1)

ShanghaiBill (739463) | about 4 months ago | (#46457933)

Why should the government try to protect people from themselves?

I wasn't saying the government should protect people from themselves. I was saying that the car industry should protect people from themselves. Most car safety improvements have NOT been the result of government regulation. They were the result of liability laws that made manufacturers responsible for the preventable deaths and injuries of people using their products.

Re:Top gun manufacturers fail to protect users (1)

x0ra (1249540) | about 4 months ago | (#46458029)

No. The car industry should provide the means for people to protect themselves, but ultimately, it is up to the people to decide whether or not they want that extra protection (and pay for it). The Government *IS* protecting people from themselves by imposing mandatory seat belt laws and the like.

correct horse battery staple (1)

operagost (62405) | about 4 months ago | (#46456871)

Funny, I got my password from xkcd. UNCRACKABLE

Re:correct horse battery staple (1)

AvitarX (172628) | about 4 months ago | (#46456967)

I read the XKCD linked, and it starts by stating that password entropy is NOT a problem, then goes on to explain why.

I guess what I'm saying is /. editors suck.

Re:correct horse battery staple (3, Interesting)

Holladon (1620389) | about 4 months ago | (#46457173)

Eh. It kinda works. If your goal is to invade Amazon accounts using the method laid out in the strip, it's that much easier to do because by allowing you to use anything for a password, they're more likely to have people using simple repeat passwords that, even if not common for everyone, are common for the user. If those sites had more stringent requirements, you couldn't use your childhood dog's name as a password like you've been doing for various account passwords since high school.

But yeah -- this xkcd [xkcd.com] was probably the more applicable strip.

Re:correct horse battery staple (1, Interesting)

AvitarX (172628) | about 4 months ago | (#46457339)

The only real solution to password re-use (site to site) I can think of is requiring changes and making sure past passwords aren't used again.

Perhaps require the site's name to be part of the password (and not at either end), this won't add much entropy, but maybe enough that along with lock-out after a certain number of guesses it could be sufficient.

Two factor authentication, with a different token per site, but a short one, around 4 digits, is the only way I can think to have memorable passwords AND site-to-site security. But that introduces its own issues. Perhaps that plus a long password in a vault (similar to Google's lost my token password).

Re:correct horse battery staple (1)

pla (258480) | about 4 months ago | (#46457305)

Funny, I got my password from xkcd. UNCRACKABLE

Nonono, you can't just use that one, you need to roll your own using a random number generator [xkcd.com]!

And without giving too much away, I know mine counts as secure, because it starts with a "4"!


/ Actually, I kinda wonder how many real-world accounts out there have "correct horse battery staple" as the password.
// Probably enough to make Randall cry.

Ticketmaster (2)

suso (153703) | about 4 months ago | (#46456881)

Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:

"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"

Re:Ticketmaster (2)

Number42 (3443229) | about 4 months ago | (#46456987)

A 250-character password isn't nearly strong enough. The company's limiting my safety by not allowing the extremely secure 10×10^10 character password I thought of!

Re:Ticketmaster (1)

CanHasDIY (1672858) | about 4 months ago | (#46457143)

Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:

"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"

That's nothing - A company I once worked for allowed passwords such as "Charlie5", but not a 10-character sequence of random alphanumerics (too long - 10 characters is too long a password!!!), or anything with a special character.

Were I a betting man, I'd put money down that not a thing has changed.

Re:Ticketmaster (1)

wiredlogic (135348) | about 4 months ago | (#46458091)

They didn't want you entering anything that wasn't in their set of rainbow tables.

Re:Ticketmaster (0)

Anonymous Coward | about 4 months ago | (#46458163)

I read a story on /. yesterday about "secure" HMACs that thought allowing only a set of 74 password characters was a good idea (upper/lowercase letters, digits and a few punctuation characters). But the system also received passwords to be hashed as URI parameters in plain-old-HTTP requests, so you have to doubt the author's security credentials. http://it.slashdot.org/story/1... [slashdot.org]

I don't understand length limits (0)

Anonymous Coward | about 4 months ago | (#46456913)

My bank, even the company I work for, have arbitrary length limits for passwords. I cannot fathom why unless the password is stored unencrypted :/

I'm not that great with using a different password for every single account I have online, but my bank account password is vastly different from anything else.

Re: I don't understand length limits (1)

digitalPhant0m (1424687) | about 4 months ago | (#46457057)

I hope this is sarcasm.

Length is important because the longer the length the harder it is to brute force.

Re: I don't understand length limits (1)

hsmith (818216) | about 4 months ago | (#46457101)

I've seen Bank of America (no longer know if this is true) specify "password must be between 8-16 characters."

Why would you set a ceiling - unless you are storing them in plain text...

Re: I don't understand length limits (1)

Qzukk (229616) | about 4 months ago | (#46457133)

My electric company recently (last year) changed out its billing system.

The new billing system required me to reset my password to be between 6 and 8 characters, letters and numbers only (but is at least case sensitive).

Re: I don't understand length limits (1)

Jeff Flanagan (2981883) | about 4 months ago | (#46457371)

Is your electric company ComEd? Their payment system does this. An 8 character limit is insane, but I suppose I don't mind if someone breaks in and pays my electric bill.

Re: I don't understand length limits (-1)

Anonymous Coward | about 4 months ago | (#46457235)

Storing them encrypted could also result in variable length. It's storing them as hashes that removes the relationship between length of password and length of hash.

But strictly speaking storing hashes is less secure as it's possible for multiple inputs to compute to the same hash which makes false positives technically possible.

Re: I don't understand length limits (1)

mmell (832646) | about 4 months ago | (#46457121)

Uh, you misinterpreted his post. You're off by 180 degrees. I get the impression that these institutions impose a maximum key length of ten characters, not a minimum.

My apologies if I'm wrong . . .

Re: I don't understand length limits (0)

Anonymous Coward | about 4 months ago | (#46457523)

Not the same AC, but I have definitely encountered financial institutions that had a maximum password length of 10 digits.

Re:I don't understand length limits (1)

Anonymous Coward | about 4 months ago | (#46457079)

My bank, even the company I work for, have arbitrary length limits for passwords. I can not fathom why unless the password is stored unencrypted :/

I like how you say that, like somehow storing the password encrypted would be significantly better. All storing the passwords encrypted does is change the challenge from "steal lots of passwords" to "steal lots+1 passwords".

Re:I don't understand length limits (1)

mmell (832646) | about 4 months ago | (#46457135)

Almost - it's gone to "steal lots of passwords - this (hopefully harder) one first."

Using a service on a user's behalf (2)

tepples (727027) | about 4 months ago | (#46457353)

A salted hash of the user's password is fine for authenticating the user to your own service. But it doesn't help when your service needs to authenticate to another service to perform actions on that user's behalf. Say a server running service A uses service B on behalf of users of service B. In order to do this, service A needs to store a credential for each user of service B. How should service A protect these credentials from an intruder?

not really a huge deal... (4, Informative)

Connie_Lingus (317691) | about 4 months ago | (#46456931)

it's a lot harder to actually steal money online [microsoft.com] then people think.

Re:not really a huge deal... (0, Flamebait)

Anonymous Coward | about 4 months ago | (#46457071)

Yes, "then" people think. You fucking idiot. You AMERICAN idiot.

Do you actually NOT know what the words "then" and "than" mean? You fucking AMERICAN idiot.

I would rather kill myself THEN go ice skating. That's the sort of moronic statement AMERICANS make every day, because they are so stupid and lazy they can't even understand what two simple, four letter words mean.

Re:not really a huge deal... (0)

Anonymous Coward | about 4 months ago | (#46457307)

...calmer than you are

Re:not really a huge deal... (0)

Anonymous Coward | about 4 months ago | (#46457327)

PREACH, BROTHER AC!

Re:not really a huge deal... (4, Interesting)

Anubis IV (1279820) | about 4 months ago | (#46457471)

From what it sounds like, stealing money is harder than people think (myself included until I just read through that rather great link), but it's far from impossible. Moreover, a large part of the paper makes the point that it's not the customer who had their password stolen that will suffer the financial damage, but rather the person who owns the account that's used as a mule to move the funds, meaning that there's still a victim, just not who we thought.

For instance, if they get your password, they can't just cash your account out, since they don't have your ATM card, your PIN, or your government-issued ID. They first need to transfer the money to an account they control. But they don't want that account linking back to them either, which is where those spam e-mails about someone having $10,000 for you come into play. They'll send a person your $10,000 in exchange for that person sending them a $1000 "commission", and that person will then be scammed out of the $1000 they paid as a commission when you repudiate the $10,000 transfer and it's removed from their account. They're partially to blame too, of course, since they've allowed themselves to be taken in by an obvious scam, but it's the people engaging in bad password practices (both users and developers) that are enabling the scammers to scam in the first place.

Re:not really a huge deal... (0)

Anonymous Coward | about 4 months ago | (#46457557)

I'm more concerned about my name, address, phone number and other important information. For example the recent kickstarter hack, they were trying to downplay it by saying that passwords and credit card numbers weren't hacked but it's a lot easier to change a credit card and password than name and address. You can do a lot more damage with the latter than the former.

...and this wont change because (3, Insightful)

mnt (1796310) | about 4 months ago | (#46456939)

users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.

Re:...and this wont change because (2)

tlhIngan (30335) | about 4 months ago | (#46457123)

users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.

Well, the first question I have is... why?

I mean, I run into websites that declared themselves so important that the password HAD to be complex. Which is great, except I only accessed it once every few months, and ended up clicking "Forgot Password" anyways because they wouldn't accept a simple one.

No, all the site had were software downloads.

So really - it's another case of "web site is SOOOOOOOOOOO IMPORTANT!" syndrome where the website believes it's the be-all-end-all of websites and wants everyone to use a strong password. User sees it as just a web site that they don't care much about and wants to use a simple crappy one, because well, who really cares?

This is especially true if it's a one-off purchase. I mean, I run into many places that require you to register so you can buy from them. Except that the product I bought was all I needed and all I was going to need. So now I have to create an account and come up with a strong password that I'll never bother using again?

Re:...and this wont change because (1)

BenSchuarmer (922752) | about 4 months ago | (#46457237)

I don't mind strong passwords at sites that I'll never visit again, because I won't have to remember it (and if I do come back, I just hit the "I forgot my password" button).

It's the sites that I go to infrequently that drive me nuts.

To use your download entitlements (1)

tepples (727027) | about 4 months ago | (#46457377)

I mean, I run into websites that declared themselves so important that the password HAD to be complex [but] all the site had were software downloads.

Might it have been to keep an intruder from pretending to be you and redownloading the software you paid for? Or maybe I guess my mind got clouded by today's story about Steam...

Re:...and this wont change because (1)

swv3752 (187722) | about 4 months ago | (#46457871)

I had this with my gas utility company. I can only see the last couple of digits of my credit card. The worst someone could do is pay my bill before I am ready, or see how much gas I am using. Why do I need to use a 16-character alphanumeric, case-sensitive password that requires multiple special characters? I work in IT and have to maintain strong passwords, even on government HIPAA systems, and the gas company is more stringent.

I have ended up setting up an auto-pay and have not touched the account in two years.

Slashvertisement. (5, Informative)

khasim (1285) | about 4 months ago | (#46456949)

Vendor of X does a study showing that people would be safer using X.

The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online.

My bank enforces stupid passwords (3, Interesting)

allsorts46 (1725046) | about 4 months ago | (#46456957)

I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.

Re:My bank enforces stupid passwords (1)

Drethon (1445051) | about 4 months ago | (#46457023)

My bank tells you if you entered an invalid user name. Not particularly thrilled about that.

Re:My bank enforces stupid passwords (1, Insightful)

tepples (727027) | about 4 months ago | (#46457391)

My bank tells you if you entered an invalid user name.

Attempting to create a new account with that username, attempting to begin the password reset process, or attempting to send money to that user would disclose the same.

Re:My bank enforces stupid passwords (0)

Anonymous Coward | about 4 months ago | (#46457897)

Wow, your bank has shitty security. None of those things would work at my bank. My bank gives you your user name, requires you to answer a phone call/text to a number you provide but that they already have on file to do a password reset (or even if you log in from a computer you've never logged in from before), and requires you to use your account numbers to transfer money.

Re:My bank enforces stupid passwords (1)

Scutter (18425) | about 4 months ago | (#46457109)

My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.
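How small the keyspace of a policy like that actually is, as an added example (not code from any commenter): the fixed "XX" prefix contributes nothing, so only the remaining 4 to 8 alphanumeric characters count, and the result is compared against plain 8-character and 14-character alphanumeric passwords (the caps mentioned elsewhere in this thread). The reading of "letters and numbers" as the 62 characters a-z, A-Z, 0-9 is an assumption.

```python
"""Added example: keyspace, in bits, of the 'XX' bank policy above."""
import math

LETTERS = 52  # a-z plus A-Z (assumed: the policy said "letters")
DIGITS = 10
ALNUM = LETTERS + DIGITS


def mixed_alnum_count(n: int) -> int:
    """Number of n-character alphanumeric strings containing at least one
    letter and at least one digit: every string, minus the all-letter
    strings, minus the all-digit strings (those two sets are disjoint)."""
    return ALNUM ** n - LETTERS ** n - DIGITS ** n


def xx_policy_keyspace(min_len: int = 6, max_len: int = 10,
                       prefix_len: int = 2) -> int:
    """Keyspace of the quoted policy: total length 6-10, a fixed two-character
    prefix that adds nothing, and the rest alphanumeric with at least one
    letter and one digit. Sums over every permitted total length."""
    return sum(mixed_alnum_count(n - prefix_len)
               for n in range(min_len, max_len + 1))


def bits(keyspace: int) -> float:
    """Entropy in bits of a password chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def random_alnum_bits(length: int) -> float:
    """Bits for a uniformly random alphanumeric password of exactly `length`
    characters with no composition rule at all."""
    return bits(ALNUM ** length)


if __name__ == "__main__":
    print(f"XX policy (6-10 chars):      {bits(xx_policy_keyspace()):.1f} bits")
    print(f"8 random alphanumerics:      {random_alnum_bits(8):.1f} bits")
    print(f"14 random alphanumerics:     {random_alnum_bits(14):.1f} bits")
```

The ten-character policy ends up weaker than eight unconstrained alphanumerics, because two of its characters are fixed and the composition rule removes strings rather than adding them.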

Re:My bank enforces stupid passwords (2)

mmell (832646) | about 4 months ago | (#46457175)

So you're actively trying to get yourself arrested?

Re:My bank enforces stupid passwords (1)

CanHasDIY (1672858) | about 4 months ago | (#46457177)

My bank just implemented a new password policy. "Between 6-10 characters, the first two should be 'XX' and the rest must be letters and numbers, with at least one of each type". I just finished sending them an e-mail in which I included a helpful link to some rainbow tables.

I believe you just won the Internet.

Re:My bank enforces stupid passwords (1)

Cro Magnon (467622) | about 4 months ago | (#46457185)

One of my bank sites doesn't allow special characters. Only letters & numbers.

Re:My bank enforces stupid passwords (0)

Anonymous Coward | about 4 months ago | (#46457259)

My bank requires a 6 character password, no more than 4 numbers or letters. And they want me to change it every 3 months. Kinda ridiculous.

Re:My bank enforces stupid passwords (1)

allsorts46 (1725046) | about 4 months ago | (#46457345)

I think we have a winner!

They're probably not hashing them. (3, Informative)

khasim (1285) | about 4 months ago | (#46457277)

I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters.

That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.

If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.

Be worried about that bank's security.
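The point about hash length, as an added example that is not code from the thread: a salted, iterated hash stores the same number of bytes for a one-character password and a 256-character one, so a site that hashes has no storage reason for a short cap. The iteration count and salt size are assumptions; tune the cost to the server.

```python
"""Added example: salted PBKDF2 storage whose record size does not depend
on password length, plus constant-time verification."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows
SALT_BYTES = 16       # assumed salt size
DIGEST_BYTES = 32     # SHA-256 output length


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the UTF-8 password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=DIGEST_BYTES)


def make_record(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || hash. A fresh random salt is drawn per password, so two
    users with the same password get different records; a caller-supplied
    salt is only for deterministic tests."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare without early exit."""
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(_derive(password, salt), stored)


def record_length(password: str) -> int:
    """Bytes stored for a given password; constant whatever its length."""
    return len(make_record(password))


if __name__ == "__main__":
    for pw in ["a", "x" * 256]:
        print(f"{len(pw):4} char password -> {record_length(pw)} bytes stored")
```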

Re:They're probably not hashing them. (1)

allsorts46 (1725046) | about 4 months ago | (#46457381)

The only (non-technical) reason I can think of is that they think that longer passwords are more likely to be forgotten, and they don't want to deal with the support calls.

On the other hand, the people I work with who constantly forget their passwords can't even remember a string of 3 or 4 numbers, so maybe the length doesn't really make a lot of difference there.

Re:My bank enforces stupid passwords (0)

Anonymous Coward | about 4 months ago | (#46457529)

My bank uses personal certificate + password. It's up to you how you protect the certificate.

Tobuscus Got It Right (2)

TheSwift (2714953) | about 4 months ago | (#46456997)

This is getting effing ridiculous.

https://www.youtube.com/watch?v=jQ7DBG3ISRY

1, 2, 3, 4, 5 (2)

SGDarkKnight (253157) | about 4 months ago | (#46457027)

1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]

Oblig. xkcd (1)

barlevg (2111272) | about 4 months ago | (#46457047)

I love how the submitter headed us off.

Re:Oblig. xkcd (0)

Anonymous Coward | about 4 months ago | (#46457223)

Which means:
Obligatory non-XKCD! [weknowmemes.com]

Password LENGTH is most important... (0)

Anonymous Coward | about 4 months ago | (#46457055)

... not complexity. Did nobody read the Slashdot article from a few weeks ago about that?

Quick!!! (0)

Anonymous Coward | about 4 months ago | (#46457075)

Joseph, P. Parrot Smuggler is being an idiot, using simple passwords online....

lets blame someone else for his stupidity!!!!

30 years later. This isn't that hard. (1)

Animats (122034) | about 4 months ago | (#46457081)

Sigh. My obvious password detector [animats.com] , published in 1984:

The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.

Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.

(The code linked is the original version in pre-ANSI C. Yes, kiddies, that's what C code once looked like.)
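The idea described above, rebuilt as an added example in Python (not Animats' linked C code): a password is rejected when its letter triplets look like English. The word list standing in for the UNIX spelling dictionary, the length limits and the 60% threshold are constructed assumptions; a real deployment builds the triplet table from a full dictionary.

```python
"""Added example: an 'obvious password' detector based on letter triplets,
after the 1984 description above. Trigram table, limits and threshold are
constructed for the example."""

# Constructed stand-in for the UNIX spelling dictionary.
WORDS = """password pass word secret welcome monkey dragon letter admin
login master sunshine shadow princess football baseball computer
correct horse battery staple orange purple yellow silver thanks""".split()

MIN_LEN, MAX_LEN = 6, 40   # configurable length limits, as described
ENGLISH_FRACTION = 0.6     # assumed: reject if >= 60% of triplets are English


def trigrams(text: str):
    """All overlapping 3-character windows of the lowercased text."""
    text = text.lower()
    return [text[i:i + 3] for i in range(len(text) - 2)]


def build_table(words):
    """Set of letter triplets occurring anywhere in the word list."""
    table = set()
    for w in words:
        table.update(trigrams(w))
    return table


ENGLISH_TRIGRAMS = build_table(WORDS)


def english_fraction(password: str) -> float:
    """Fraction of the password's triplets that occur in English words.
    A triplet containing a digit or symbol can never be in the table, so a
    digit in the middle of a word breaks up its English-looking runs, while
    a digit in front leaves the whole word's triplets intact."""
    grams = trigrams(password)
    if not grams:
        return 0.0
    hits = sum(1 for g in grams if g in ENGLISH_TRIGRAMS)
    return hits / len(grams)


def check(password: str) -> str:
    """Return 'ok' or the reason the password is rejected."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return "bad length"
    if english_fraction(password) >= ENGLISH_FRACTION:
        return "looks like English"
    return "ok"


if __name__ == "__main__":
    for pw in ["password", "1password", "pass9word", "xq7vkz2p", "abc"]:
        print(f"{pw:12} {english_fraction(pw):.2f} {check(pw)}")
```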

Re:30 years later. This isn't that hard. (1)

dkf (304284) | about 4 months ago | (#46457435)

My obvious password detector [animats.com] , published in 1984

I came across this password strength detector [dropboxusercontent.com] the other day. It really cheered me up, as it uses a scientifically-justifiable approach (information entropy FTW!) and it laughs in the face of a number of tricks that many people recommend despite them being actually weak (replacing "o" with "0" only really adds one bit of security, which is nearly nothing, whereas adding another word adds far more despite being easier to remember).

Three fold problem (1)

gurps_npc (621217) | about 4 months ago | (#46457097)

1) A bunch of sites that insist on using a password when they don't really need one. Prime example: Amazon. They don't really need a password as long as they don't keep your credit card on file - which they certainly should NOT do. My neighborhood grocer does not ask to keep my credit card # on file no matter how 'convenient' (for whom???). If you want to discuss past trades use the last 4 digits of the credit card you used for those trades as an ID.

2) A bunch of sites that have legitimate needs for passwords but do NOT need 'secure' passwords. Slashdot is a great example - we need to confirm who you are but if someone steals your Slashdot password it is not a big deal. So they use your identity to Praise Senator Cruz, and destroy your reputation, no big deal. Let people use 4 character passwords - just like for your ATM card.

3) Websites with a real need for secure passwords - 'primary' email accounts, credit card accounts, etc. They could easily use stream ciphers - little electronic devices that constantly update the password. You have 1 minute to enter the password before it changes. Or if you prefer anonymity for your email account a downloaded program that resides on the PC you use to establish the email account and to log in, you must use that PC (with a 'move my account' program that must be initiated from that PC). Of course that limits your functionality, but at least it gives you anonymity.

Re:Three fold problem (0)

Anonymous Coward | about 4 months ago | (#46457219)

Amazon.com doesn't have my credit card number, only my debit card number. I hate re-entering 16 numbers and my address every time I want to buy something from Amazon.com.

Re:Three fold problem (1)

kodomo (1100141) | about 4 months ago | (#46457241)

Repeat that to /. four-digit UID numbers.

Re:Three fold problem (1)

mmell (832646) | about 4 months ago | (#46457243)

Amazon - sending you stuff in the mail. You claim you didn't order it? You don't have to pay for it. Amazon has to give you your money back if they can't prove their end of the transaction, so the credit card company gives you back your money and dukes it out with Amazon in court.

Those other guys - somebody runs up to 'em with a subpoena and says "Who did what from where when?" It'd sure be nice if I could keep a straight face when I let them into my database - something about staying out of Club Fed . . .

What, you thought they were using your password for your protection?

Re:Three fold problem (1)

SleazyRidr (1563649) | about 4 months ago | (#46457265)

But, if they're not keeping your credit card # they can't do the one-click order thing. I do get kinda annoyed having to type my credit card in every time, but I realise that it's nothing compared to the annoyance of having it stolen.

Since the story already had the obligatory xkcd, here's an oatmeal which also describes it: http://theoatmeal.com/comics/s... [theoatmeal.com] . To paraphrase: if I want a shitty password and don't care if it gets stolen, why shouldn't I?

Re:Three fold problem (1)

BenSchuarmer (922752) | about 4 months ago | (#46457395)

I think Amazon does give you the option of storing your credit card number. Some of their customers think this is a nice convenience, and are likely to take their money elsewhere if Amazon doesn't offer this "service" (or maybe it just makes impulse sales easier).

Comment on this story... (0)

Anonymous Coward | about 4 months ago | (#46457115)

Yes, because I'm going to be so traumatized when I lose my Red Robin login that has my low security password...

My trick to passwords? Song lyrics. Easy to remember and usually long. Now my main problem is explaining how to spell 'Ipanema', and what's so special about the girl there.

Re:Comment on this story... (1)

amiga3D (567632) | about 4 months ago | (#46457183)

I use simple and easy for everything non-monetary related. For things like my bank I use very long and complex passwords that I have to write down in a book. If I ever lose this book I'm fucked.

Why I only shop using Paypal, Amazon, GoogleWallet (1)

scorp1us (235526) | about 4 months ago | (#46457129)

When you use the above merchants to pay, only the money is transferred and no re-usable billing information like credit card info is sent to the recipient of the funds. So when doing ecommerce you don't have to put your CC# everywhere on the internet then wonder why you've got credit card fraud.

In some cases you can set up, or are forced into, automatic authorization from PayPal, but you can revoke that immediately. PayPal really is the safest way to pay. No comment on the rest of PayPal's operations though (disputes and seizures).

Re:Why I only shop using Paypal, Amazon, GoogleWal (0)

Anonymous Coward | about 4 months ago | (#46458225)

PayPal: correct infrastructure, but company run by crooks. Quite unfortunate.

This is your password deal with it. (1)

caitriona81 (1032126) | about 4 months ago | (#46457157)

I think the right strategy for websites which have to do user registration is to just provide the user with a random password of sufficient length as to be near impossible to type correctly, much less remember, and don't even provide the functionality for users to select their own. This almost ensures that the password won't be used elsewhere, it enforces password quality, and it encourages the use of a good password manager.

Re:This is your password deal with it. (1)

Cro Magnon (467622) | about 4 months ago | (#46457213)

The funny thing is, when I forget my password, some sites reset me to a pw like that - then make me change it to something memorable.

Re:This is your password deal with it. (1)

jader3rd (2222716) | about 4 months ago | (#46457289)

encourages the use of a good password manager

Lol!
All that would really encourage is people not using the website. If the Kellogs.com customer loyalty reward website assigned me a ginormous password, using characters I don't think I could even find on my phone's keyboard, it would encourage me pretty quickly to not use Kellogs products and seek out the competitor's product (which would have a more reasonable password policy) when the difference was negligible to me.

Re:This is your password deal with it. (1)

x0ra (1249540) | about 4 months ago | (#46457895)

Good password manager? I consult regular websites from 5 or 6 different machines (including laptop, desktop, tablet, phone, iPod, ...), all running different kinds of OS. There is NO password manager for this, which is typical nowadays.

Problems with conflicting rules (1)

Maxo-Texas (864189) | about 4 months ago | (#46457169)

I'm starting to have problems with differing rules at different sites.

I.e. one REQUIRES a special character. Another disallows special characters.

One has a maximum length of 8 (crazy short) while others have a minimum length of 8 characters.

And all of them won't let you reuse a recent password so if you can't remember the password, then your new password can't follow your own password rule set.

It's reached a point that now I have a sticky pad with coded passwords written down.

Netflix has been a pain because it's non-standard as a result of resets and you need to reenter the password on every device (and I'm up to five now).

So when I have to reset the password, I have to reset the password on all my devices. And on some the password screen only comes up when it checks the password- which isn't apparently every time you use the device. I guess they get a token that's good for a month or more.

Re:Problems with conflicting rules (0)

Anonymous Coward | about 4 months ago | (#46457579)

I use LastPass as a password manager. Apart from tracking my passwords across all devices and being behind two-factor authentication it provides a random password generator that can be parametrized to whatever length and characteristics you want. It makes dealing with those kinds of sites much less of a pain.

Wrong xkcd in header (1)

Anonymous Coward | about 4 months ago | (#46457203)

The blurb has the wrong xkcd article, this is much better: http://xkcd.com/936/

Slashdot needs to get out of the business of... (0)

Anonymous Coward | about 4 months ago | (#46457225)

shilling for companies under the guise of 'news.'

Let's see, the 'article' is a blog post by an author at Dashlane and the last paragraph in the 'article' is...

The easiest way to create and remember strong passwords is with a password manager, like Dashlane , which generates unique passwords for you, saves them to your account, and autofills them online. Your data is protected with world-class security and encryption, and is only accessible to you. Learn more, and get it free at here.

Really!?! Hopefully you're getting paid for this promotional ad ;)

Need timeouts (1)

edxwelch (600979) | about 4 months ago | (#46457239)

Developers should protect the password from brute force cracking by putting a time delay after successive failed login attempts. It doesn't really matter how strong your password is, if the system allows unlimited login attempts then it's possible to crack using something like CloudCracker.
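The delay edxwelch describes, as an added example that is not part of the post: a per-account throttle that escalates the wait after each failure instead of locking the account outright, so a legitimate user is slowed down rather than shut out. The names LoginThrottle, attempt_login and the timing parameters are assumptions made for this illustration.

```python
import time


class LoginThrottle:
    """Escalating delay after repeated failed logins for one account.

    Hypothetical helper for illustration. It never locks the account for
    good: the wait grows exponentially per failure and is capped, and a
    successful login clears the counter. The clock is injectable so the
    behaviour can be tested without sleeping.
    """

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=900.0,
                 clock=time.monotonic):
        self.free_attempts = free_attempts   # failures tolerated with no delay
        self.base_delay = base_delay         # seconds after the first throttled failure
        self.max_delay = max_delay           # cap on the wait (15 minutes here)
        self.clock = clock
        self._failures = {}                  # account -> (count, time of last failure)

    def seconds_until_allowed(self, account):
        count, last = self._failures.get(account, (0, 0.0))
        if count < self.free_attempts:
            return 0.0
        # Exponential backoff: base, 2*base, 4*base, ... up to max_delay.
        wait = min(self.base_delay * 2 ** (count - self.free_attempts), self.max_delay)
        return max(0.0, last + wait - self.clock())

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
        else:
            count, _ = self._failures.get(account, (0, 0.0))
            self._failures[account] = (count + 1, self.clock())


def attempt_login(throttle, account, password_ok):
    """Return (accepted, seconds_to_wait).

    password_ok stands in for the real credential check. While the account
    is inside its wait window the attempt is refused before the password is
    even examined, so a guesser gains nothing from hammering the endpoint.
    """
    wait = throttle.seconds_until_allowed(account)
    if wait > 0:
        return False, wait
    throttle.record(account, password_ok)
    return password_ok, 0.0
```

Keying the throttle by account alone means an attacker can make a victim wait; in practice the key would also include the client address and the site would notify the owner of the failures.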

" 66% make no attempt to block entry after 10 ..." (0)

Anonymous Coward | about 4 months ago | (#46457271)

" 66% make no attempt to block entry after 10 incorrect password entries ... "

And the other 34% have hundreds of customer service calls from people whose accounts have been locked out.

My e-mail address is not a secret. I wouldn't mind being notified about failed logins, but please don't lock me out.

Also, maybe you feel your site is ultra-super-important, but I personally don't give many fucks about 99% of my logins. Before tech, people were identified based on looks, mannerisms, tone of voice, character, everything which identified them as /them/. I don't think that, following millions of years of evolution to make us the complex social animals that we are, humans are about to accept that "knowing a password" should be any sort of necessary or sufficient means of identifying a person.

Silly suggestion (1)

DaveAtFraud (460127) | about 4 months ago | (#46457287)

In addition to just listing their password requirements, sites could provide a link or bubble help to a method of creating a "good" password. I like:

1) Pick a short phrase (e.g., "See Spot run.") but that connects to the site to provide some mnemonic value (so "See Spot hurl." might be for your vet).
2) Do some simple letter to number, symbol or punctuation substitutions (e.g., "S33 Sp0+ hurl.").
3) If you wish, squish out the blanks between words (e.g., S33Sp0+hurl.).

So we now have an easy to remember, eleven character password that includes upper and lower case letters, numbers, a symbol and punctuation.

Cheers,
Dave

Re:Silly suggestion (1)

dskoll (99328) | about 4 months ago | (#46457699)

Any password-generation algorithm that is not based on a cryptographically-secure random number generator reduces the search space and makes it easier to guess passwords.

I do not believe in "easy to remember" passwords. I believe in strong passwords, which of necessity are hard to remember, so they have to be written down and stored safely, or stored in a password keeper protected by strong encryption and as long a passphrase as you can get away with.

Re:Silly suggestion (1)

x0ra (1249540) | about 4 months ago | (#46457859)

All in all, these are all the worst hints ever:
1) prone to typo error, especially as the password is generally hidden
2) number & capitals are a pain on mobile devices
3) ever harder to remember (i.e. where the @!#$ did I put the capital)

Help me act on this advice (1)

tepples (727027) | about 4 months ago | (#46457401)

From the report [dashlane.com] :

66% accept notoriously weak passwords such as "123456" or "password"

How should a web site determine whether a given password is "notoriously weak"?

66% make no attempt to block entry after 10 incorrect password entries

Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.

60% do not provide any advice on how to create a strong password during signup

One site I manage uses the following, with a link to Wikipedia's page about password strength and xkcd's comic about passphrases: "Either 8 or more characters using at least one letter and one digit or a phrase [xkcd.com] of 16 or more characters using at least one letter, and not easy to guess [wikipedia.org] "

and only 14% display a password meter

I don't know how it's possible to "display a password meter" to users of NoScript.
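tepples' two questions above (how to decide a password is "notoriously weak", and the rule his site uses), as an added example that is not part of the post: a blocklist check followed by the "8+ characters with a letter and a digit, or a 16+ character phrase with a letter" rule. The blocklist here is a constructed stand-in for a real breached-password list, and check_password and normalize are hypothetical names.

```python
import re

# Constructed stand-in for a large list of commonly breached passwords.
# "correcthorsebatterystaple" is included because the xkcd phrase itself is
# now one of the first guesses an attacker tries.
NOTORIOUSLY_WEAK = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "111111", "correcthorsebatterystaple",
}


def normalize(pw):
    """Fold the common dressing-up of a weak password back to its base.

    Case-fold, drop internal whitespace, and strip trailing digits and
    punctuation, so "Password1!" and "correct horse battery staple" both
    match their blocklist entries.
    """
    folded = re.sub(r"\s+", "", pw.casefold())
    return re.sub(r"[\d\W_]+$", "", folded)


def check_password(pw, blocklist=NOTORIOUSLY_WEAK):
    """Return (accepted, reason) for a candidate password at signup."""
    if pw in blocklist or normalize(pw) in blocklist:
        return False, "too common"
    # A long run of one or two characters is a phrase only in length.
    if len(set(pw.casefold())) < 4:
        return False, "too repetitive"
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if len(pw) >= 16 and has_letter:
        return True, "passphrase"
    if len(pw) >= 8 and has_letter and has_digit:
        return True, "password"
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) < 16:
        return False, "under 16 characters needs a letter and a digit"
    return False, "needs at least one letter"
```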

Tesco (1)

nogginthenog (582552) | about 4 months ago | (#46457451)

Me: Additional Information: password "Must be between six and ten characters in length"
Why does Tesco have such a silly limit???? Please consider increasing the max length of the password!

I am sorry that you are unhappy with the length of password you can use to register on our website. I have now logged your comments on our Customer Feedback System under reference 13782619. This will ensure that it is fed back to the relevant team in our Head Office.

That was back in 2012

If I was a company (0)

Anonymous Coward | about 4 months ago | (#46457453)

I wouldn't want anything to do with trying to monitor my users' passwords. If I make rules for what makes a good password vs a bad one, and they get hacked, I'm now partially liable ("I followed your rules! this is your fault")

Not a problem... for the sites. (0)

Anonymous Coward | about 4 months ago | (#46457469)

What this really is about is an incessant lobby geared at "banning" passwords in favour of whatever is the latest fad this week, invariably involving something getting sold or some service getting way more access than it should, ie, it's another blatant round of ploy at productizing people yet again.

And the problem they're trying to solve? Can't really be solved that way. Worse, it's not their job to even try. This sort of access management is the users' own responsibility, and one size does not fit all. For example, the first people that get shut out are the ones that are already using different and hard-to-guess passwords everywhere, say managed by a password manager under their control. Thus, to make sure "no user gets left behind", the ones at the front get held back and pushed into models they have no need for. Something that the companies with a password replacement agenda never want to hear. How curious.

Our policy (1)

dskoll (99328) | about 4 months ago | (#46457679)

We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.

There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probability) those credentials will not work on our site.

Yes, it's a little inconvenient for our users. We tell them to write down the password on a piece of paper and keep it in their wallet.

Re:Our policy (1)

x0ra (1249540) | about 4 months ago | (#46457833)

I HATE this kind of company. It will no matter what ALWAYS end up the same: "I forgot my password, send me a new one". Heck.. I'm not even able to remember the password for my utility company, which I consult every 6 months...

Why make users reset after X number of failures? (1)

island_earth (468577) | about 4 months ago | (#46457711)

Apple, among many, many other services, says that after a certain number of failed attempts, your account is locked and you have to reset your password to regain access.

This seems stupid to me because if the password kept someone out after X failed attempts it must be strong enough. So why force a new one?

Experiment: force enough password resets on a user's account until they've run out of strong passwords, then use "password" to get in. Profit!

Re:Why make users reset after X number of failures (1)

gatfirls (1315141) | about 4 months ago | (#46458041)

I don't think you have thought your plan all the way through.

It's not just passwords (0)

Anonymous Coward | about 4 months ago | (#46457715)

Of my 61 documented online accounts, 31 REQUIRE the use of my email address as my account name. When any of the 31 have a data breach, the rest are at far higher risk than they would be otherwise because the bad guys now have a probably active email address to try a list of common passwords against all of the sites that require email addresses for login ids. Online retailers seem to be the worst, followed by on-line game accounts.

if you think there ought to be a law... (1)

x0ra (1249540) | about 4 months ago | (#46457799)

Let's think about this again... if you think there ought to be a law, there probably oughtn't.

Good! (1)

neminem (561346) | about 4 months ago | (#46457805)

More sites should fail to protect me from using a "stupid" 30-letter-or-whatever-long passphrase just because its algorithm thinks that it's "weak" because it doesn't have 2 numbers and two special characters (but only choose from these 3 specific special characters, because we don't know how to protect against sql injection otherwise!) Let me pick my own frelling password.

Ok, so it probably makes sense to specifically bar users from using completely butt-tarded passwords like "123" and "password", but only those specifically.

On the other news... (1)

Lisias (447563) | about 4 months ago | (#46457825)

... job admission forms fail to protect candidates from burning themselves by bad grammar.

(thank god Slashdot fails too, as some of you can easily note by my already traditional bad grammar)

Companies that limit passwords are worse (1)

jonwil (467024) | about 4 months ago | (#46457849)

The bank I used to be with before I recently switched upgraded their security a few months ago. Prior to the upgrade, they actually limited passwords to 10 characters maximum. Thankfully, both this bank after the security upgrade and my current bank don't have any such maximums and I can use a longer password. (and no, the security stuff wasn't why I switched, I switched because I moved to a new area where my old bank didn't have any branches)

Any web site that limits the maximum amount of characters in this way is stupid, as is any web site that makes passwords case-insensitive or doesn't allow numbers or symbols.

news at 11 (1)

Riceballsan (816702) | about 4 months ago | (#46457899)

Actual security that will protect people from themselves costs a lot more than compensating the 2% of that 66% who actually get hacked. Person gets hacked for his own stupidity, company may or may not need to compensate the victim. Let's say this amount comes to $100 per 1,000 users as a high estimate pulled out of my ass. Company B uses real security, that somehow completely eliminates fraud, blocks users out after 3 wrong passwords, and requires really complex passwords. Users keep forgetting their passwords, support is now overwhelmed, company pays $400 per 1,000 customers on support.

In other news (0)

Anonymous Coward | about 4 months ago | (#46457999)

...stupid parents found not to be doing enough to prevent birth of stupid children

Top E-commerce Sites Fail To Protect Users From St (1)

grep -v '.*' * (780312) | about 4 months ago | (#46458089)

Didn't realize it was their job to be a nanny to their users. And here I thought they had to be over 18 and of legal age to "sign" the EULA.

A lot of sites have the same userID and a password like "xyz123". OMG you hacked into my free pandora / whatever site that I don't care about? Yawn, I guess I'll just create another account.

Now ones with my CCs and other more important info? They all have much harder credentials and unique passwords.

(Yes, I can read. "These are Top Sites we're working with. Which ones? Top. Sites.") Still not my problem. Maybe the users actually want their account attacked so they can get free CC account monitoring? Or can plead bankruptcy easier somehow? Hell, maybe it's a detection canary sponsored by your regional government or police officials. Just because it's weak doesn't mean it's bad, maybe the users have memory loss and can only remember a single letter.

That's RIGHT, you're now actively arguing for discriminating against intelligence-impaired people, people who can't touch-type, and people (executives) that are much too important and busy to bother typing a complex password. Government standards will soon mandate a minimum password of 0 characters with a maximum of 9 in order to preserve the impending world-wide bit crisis. The more characters you use now, the less that remain for everyone. Larger font letters that require more digital ink to store will soon increase in price -- soon only the 1% will be able to afford them, so BUY NOW!