Mailing List Archive: NANOG: users

Dear Linkedin,



mike at mtcc

Jun 8, 2012, 12:48 PM

Post #1 of 87 (1170 views)
Dear Linkedin,

Linkedin has a blog post that ends with this sage advice:

* Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.

I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
each one of them and dutifully update them every month or two?

* Do not use the same password for multiple sites or accounts.

So the implication is that I have 100's of passwords all unique and that I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.

* Create a strong password for your account, one that includes letters, numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I change to every
few months on 100's of web sites.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
yours. So what you're telling me and the rest of the world is impossible.

What's most pathetic about this is that somebody actually believes that we all really
deserve this finger wagging.

Mike


lyndon at orthanc

Jun 8, 2012, 12:54 PM

Post #2 of 87 (1128 views)
Re: Dear Linkedin,

On 2012-06-08, at 12:48 PM, Michael Thomas wrote:

> I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.

https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords.

--lyndon


paul at paulgraydon

Jun 8, 2012, 12:56 PM

Post #3 of 87 (1127 views)
Re: Dear Linkedin,

On 06/08/2012 09:48 AM, Michael Thomas wrote:
> Linkedin has a blog post that ends with this sage advice:
>
> * Make sure you update your password on LinkedIn (and any site that
> you visit on the Web) at least once every few months.
>
> I have accounts at probably 100's of sites. Am I to understand that I
> am supposed to remember
> each one of them and dutifully update them every month or two?
>
> * Do not use the same password for multiple sites or accounts.
>
> So the implication is that I have 100's of passwords all unique and
> that I must
> change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.
>
> * Create a strong password for your account, one that includes
> letters, numbers, and other characters.
>
> And that each of those passwords needs to be really hard to guess that
> I change to every
> few months on 100's of web sites.
>
> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.
>
> What's most pathetic about this is that somebody actually believes
> that we all really
> deserve this finger wagging.
Use a password safe. Simple. Most of them even include secure password
generators. That way you only have one password to remember stored in a
location you have control over (and is encrypted), and you get to adopt
secure practices with websites.

The only real inconvenience might be having to log into each of whatever
sites it is you're concerned about and changing the password on them.

Paul


alec.muffett at gmail

Jun 8, 2012, 12:58 PM

Post #4 of 87 (1127 views)
Re: Dear Linkedin,

> I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
> each one of them and dutifully update them every month or two?

Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.

It's pretty commonsensical once the threat is understood.

> So the implication is that I have 100's of passwords all unique and that I must
> change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.

Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into something like 1Password, PasswordSafe or LastPass to help you with that - amongst others.

It goes without saying that your password database should be protected by something really quite long but memorable to you.

> * Create a strong password for your account, one that includes letters, numbers, and other characters.
>
> And that each of those passwords needs to be really hard to guess that I change to every
> few months on 100's of web sites.

Yes. My 1Password configuration for my work system is for 16 character random passwords, sprinkled with punctuation and mixed case. My home one is less thoroughly set up but is being migrated to the same.

They are this way because I have both read and understood the performance statistics for some software called "Hashcat" which I have seen burn through every single 1 thru 8 character lowercase alphanumeric password in 32 minutes, on a single Alienware gamer laptop. Imagine what it can do on AWS.

> I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.

Stop using your brain, use a computer.

> What's most pathetic about this is that somebody actually believes that we all really
> deserve this finger wagging.

Yes, some people evidently do.

-a
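As an added illustration of the point Alec makes above about keyspace size and generated passwords (example code written for this archive page, not code from the thread or from any password manager the posters mention): the script derives the guess rate implied by his figure of every 1 to 8 character lowercase alphanumeric password falling in 32 minutes, applies that same rate to a 16 character mixed-case, digit and punctuation keyspace, and generates passwords of that shape from the operating system's CSPRNG the way a password manager's generator does. The 36-symbol and 94-symbol alphabets, the use of Python's `secrets` module, and the assumption that every length up to 8 is searched are mine; the thread does not specify them.

```python
import math
import secrets
import string

# Alphabets used in the thread's comparison. Their sizes are assumptions
# about what "lowercase alphanumeric" and "mixed case with punctuation" mean.
LOWER_ALNUM = string.ascii_lowercase + string.digits                     # 36 symbols
MIXED_PUNCT = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Count of distinct strings of length 1..max_length over the alphabet,
    i.e. the number of guesses an exhaustive search has to make."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of fixed length."""
    return length * math.log2(alphabet_size)


def implied_guess_rate(alphabet_size: int, max_length: int, seconds: float) -> float:
    """Guesses per second needed to exhaust the keyspace in `seconds`."""
    return keyspace(alphabet_size, max_length) / seconds


def years_to_exhaust(alphabet_size: int, max_length: int, rate: float) -> float:
    """Years an attacker making `rate` guesses/second needs for the whole keyspace."""
    seconds = keyspace(alphabet_size, max_length) / rate
    return seconds / (365.25 * 24 * 3600)


def generate_password(length: int = 16, alphabet: str = MIXED_PUNCT) -> str:
    """Uniformly random password drawn from the OS CSPRNG via `secrets`,
    which is what a password manager's generator does. No character-class
    rule is enforced: the uniform draw is what supplies the entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies() -> dict:
    """Work Alec's figure through: 32 minutes for every 1..8 character lowercase
    alphanumeric password, then the same rate against 16 mixed characters."""
    rate = implied_guess_rate(len(LOWER_ALNUM), 8, 32 * 60)
    return {
        "implied_guesses_per_second": rate,
        "bits_8_lower_alnum": entropy_bits(len(LOWER_ALNUM), 8),
        "bits_16_mixed_punct": entropy_bits(len(MIXED_PUNCT), 16),
        "years_for_16_mixed_punct": years_to_exhaust(len(MIXED_PUNCT), 16, rate),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value:,.3g}")
    print("sample:", generate_password())
```

The implied rate is a bit over a billion guesses per second against a fast unsalted hash; the same rate against the 16 character keyspace is on the order of 10^14 years, which is why the length and alphabet of the generated password matter more than any memorable pattern.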


jmaimon at ttec

Jun 8, 2012, 12:58 PM

Post #5 of 87 (1128 views)
Re: Dear Linkedin,

Michael Thomas wrote:
> Linkedin has a blog post that ends with this sage advice:
>
> * Make sure you update your password on LinkedIn (and any site that you
> visit on the Web) at least once every few months.
>
> I have accounts at probably 100's of sites. Am I to understand that I am
> supposed to remember
> each one of them and dutifully update them every month or two?
>
> * Do not use the same password for multiple sites or accounts.
>
> So the implication is that I have 100's of passwords all unique and that
> I must
> change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.
>
> * Create a strong password for your account, one that includes letters,
> numbers, and other characters.
>
> And that each of those passwords needs to be really hard to guess that I
> change to every
> few months on 100's of web sites.
>
> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.
>
> What's most pathetic about this is that somebody actually believes that
> we all really
> deserve this finger wagging.
>
> Mike
>


Different passwords have different security clearances.

Some stuff, especially all those "security questions" just has to be
stored somewhere retrievable.

Joe


surfer at mauigateway

Jun 8, 2012, 1:02 PM

Post #6 of 87 (1127 views)
Re: Dear Linkedin,

--- lyndon [at] orthanc wrote:
From: Lyndon Nerenberg <lyndon [at] orthanc>
On 2012-06-08, at 12:48 PM, Michael Thomas wrote:

> I'm sorry, my brain doesn't hold that many passwords. Unless you're
> a savant, neither does yours. So what you're telling me and the rest
> of the world is impossible.
:: https://agilebits.com/onepassword (1Password) is one solution to
:: managing web site passwords.
----------------------------------------------------------------



Only if you have an OS you have to pay for: apple or ms.

scot


jna at retina

Jun 8, 2012, 1:03 PM

Post #7 of 87 (1127 views)
Re: Dear Linkedin,

On Fri, Jun 8, 2012 at 12:48 PM, Michael Thomas <mike [at] mtcc> wrote:


> So the implication is that I have 100's of passwords all unique and that I
> must
> change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.
>


> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.
>

No actually, it's not impossible.

I use 1password, you might use LastPass. They both work on Android, iPhone,
Linux, Mac, Windows.

I have over 900 passwords in that system, and I don't know any of them.
They're all 8-14 characters. All random. I know my master password, and no
one on the Internet has a copy of that. On some systems, I have a Yubikey
with a 45 character master password.

Change your habits. Fix the password anti-pattern.

-j


jna at retina

Jun 8, 2012, 1:03 PM

Post #8 of 87 (1128 views)
Re: Dear Linkedin,

On Fri, Jun 8, 2012 at 1:02 PM, Scott Weeks <surfer [at] mauigateway> wrote:

> :: https://agilebits.com/onepassword (1Password) is one solution to
> :: managing web site passwords.
> ----------------------------------------------------------------
>
> Only if you have an OS you have to pay for: apple or ms.
>
>
So use LastPass, then.

-j


simon.perreault at viagenie

Jun 8, 2012, 1:07 PM

Post #9 of 87 (1127 views)
Re: Dear Linkedin,

On 2012-06-08 15:48, Michael Thomas wrote:
> * Make sure you update your password on LinkedIn (and any site that you
> visit on the Web) at least once every few months.
> * Do not use the same password for multiple sites or accounts.
> * Create a strong password for your account, one that includes letters,
> numbers, and other characters.

And how about "Do not store your passwords using unsalted sha1?"

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca


lyndon at orthanc

Jun 8, 2012, 1:08 PM

Post #10 of 87 (1128 views)
Re: Dear Linkedin,

On 2012-06-08, at 1:02 PM, Scott Weeks wrote:

> Only if you have an OS you have to pay for: apple or ms.

I don't pay for them. $WORK pays for them.

If your complaint is about 1Password not running on your particular operating systems, then pick a solution that *does* run on your OS. There are several open source alternatives you can use.


surfer at mauigateway

Jun 8, 2012, 1:08 PM

Post #11 of 87 (1127 views)
Re: Dear Linkedin,

--- jna [at] retina wrote:
From: John Adams <jna [at] retina>

I use 1password, you might use LastPass. They both work on
Android, iPhone, Linux, Mac, Windows.
----------------------------------------


No, according to their site 1password does not work on
*nix, however lastpass says it does all *nix flavors.

scott


paul at paulgraydon

Jun 8, 2012, 1:09 PM

Post #12 of 87 (1131 views)
Re: Dear Linkedin,

On 06/08/2012 10:02 AM, Scott Weeks wrote:
>
> --- lyndon [at] orthanc wrote:
> From: Lyndon Nerenberg<lyndon [at] orthanc>
> On 2012-06-08, at 12:48 PM, Michael Thomas wrote:
>
>> I'm sorry, my brain doesn't hold that many passwords. Unless you're
>> a savant, neither does yours. So what you're telling me and the rest
>> of the world is impossible.
> :: https://agilebits.com/onepassword (1Password) is one solution to
> :: managing web site passwords.
> ----------------------------------------------------------------
>
>
>
> Only if you have an OS you have to pay for: apple or ms.
>
> scot
>
Use lastpass, or maybe Password Gorilla (uses an encrypted local file
but you could stick that on a dropbox space or SpiderOak space).


nanog at lacutt

Jun 8, 2012, 1:20 PM

Post #13 of 87 (1127 views)
Re: Dear Linkedin,

I'm surprised no one mentioned a locally stored (and backed up of
course) gpg encrypted file for securing all of your passwords. Very
simple solution for the technically inclined.

Derrick

On Fri, Jun 08, 2012 at 01:08:34PM -0700, Scott Weeks wrote:
>
>
> --- jna [at] retina wrote:
> From: John Adams <jna [at] retina>
>
> I use 1password, you might use LastPass. They both work on
> Android, iPhone, Linux, Mac, Windows.
> ----------------------------------------
>
>
> No, according to their site 1password does not work on
> *nix, however lastpass says it does all *nix flavors.
>
> scott
>


jra at baylink

Jun 8, 2012, 1:22 PM

Post #14 of 87 (1127 views)
Re: Dear Linkedin,

----- Original Message -----
> From: "Michael Thomas" <mike [at] mtcc>

> I'm sorry, my brain doesn't hold that many passwords. Unless you're a
> savant, neither does
> yours. So what you're telling me and the rest of the world is
> impossible.
>
> What's most pathetic about this is that somebody actually believes
> that we all really deserve this finger wagging.

Whether those rules are *practical* is orthogonal to whether they're
necessary.

Ob:

https://xkcd.com/792/

https://xkcd.com/936/

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra [at] baylink
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274


mike at mtcc

Jun 8, 2012, 1:22 PM

Post #15 of 87 (1126 views)
Re: Dear Linkedin,

On 06/08/2012 12:56 PM, Paul Graydon wrote:
> Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
>
> The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.

Does your password safe know how to change the password on each
website every several months?

Mike


paul at paulgraydon

Jun 8, 2012, 1:24 PM

Post #16 of 87 (1128 views)
Re: Dear Linkedin,

On 06/08/2012 10:22 AM, Michael Thomas wrote:
> On 06/08/2012 12:56 PM, Paul Graydon wrote:
>> Use a password safe. Simple. Most of them even include secure
>> password generators. That way you only have one password to remember
>> stored in a location you have control over (and is encrypted), and
>> you get to adopt secure practices with websites.
>>
>> The only real inconvenience might be having to log into each of
>> whatever sites it is you're concerned about and changing the password
>> on them.
>
> Does your password safe know how to change the password on each
> website every several months?
>
> Mike
Oh come on... now you're just being ridiculous, even bordering on childish.
LinkedIn are offering solid advice, rooted in safe practices. If you
don't want to do it that's your problem. Stop bitching just because
security is hard.


mike at mtcc

Jun 8, 2012, 1:27 PM

Post #17 of 87 (1127 views)
Re: Dear Linkedin,

On 06/08/2012 01:24 PM, Paul Graydon wrote:
> On 06/08/2012 10:22 AM, Michael Thomas wrote:
>> On 06/08/2012 12:56 PM, Paul Graydon wrote:
>>> Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.
>>>
>>> The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.
>>
>> Does your password safe know how to change the password on each
>> website every several months?
>>
>> Mike
> Oh come on... now you're just being ridiculous, even bordering on childish.
> LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.

Uh, I'm not the one saying you should change your passwords every
month, Linkedin is. If you think it's childish, take it up with them.

Mike


alec.muffett at gmail

Jun 8, 2012, 1:29 PM

Post #18 of 87 (1126 views)
Re: Dear Linkedin,

> Does your password safe know how to change the password on each
> website every several months?

Not far off, actually; my 1Password has an auto-login-page feature which you can often wire to be the same as the password-change URL.

So, nyah.

-a


mike at mtcc

Jun 8, 2012, 1:30 PM

Post #19 of 87 (1127 views)
Re: Dear Linkedin,

On 06/08/2012 01:24 PM, Paul Graydon wrote:
> Oh come on... now you're just being ridiculous, even bordering on childish.
> LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.

PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.

Mike


lyndon at orthanc

Jun 8, 2012, 1:35 PM

Post #20 of 87 (1127 views)
Re: Dear Linkedin,

On 2012-06-08, at 1:22 PM, Michael Thomas wrote:

> Does your password safe know how to change the password on each
> website every several months?

Yes.


alec.muffett at gmail

Jun 8, 2012, 1:41 PM

Post #21 of 87 (1127 views)
Re: Dear Linkedin,

> PS: when security is hard, people simply don't do it. Blaming the victim
> of poor engineering that leads people to not be able to perform best
> practices is not the answer.

Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk

We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.

Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.

Have a nice weekend,

-a
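Simon's "Do not store your passwords using unsalted sha1" earlier in the thread and Alec's "keep your hashing algorithms up to date" above are the server-side half of this discussion. As an added example (written for this archive page, not code from anyone in the thread or from LinkedIn), the script below stores the same password for two users first the criticised way, as a bare SHA-1 digest, then as a salted, iterated PBKDF2-HMAC-SHA256 record, and shows a verify routine that upgrades a legacy or under-costed record in place on the user's next successful login, which is the only moment the plaintext is available to re-hash. The choice of PBKDF2, the 200,000 iteration count, the 16-byte salt and the record layout are my assumptions.

```python
import hashlib
import hmac
import secrets

# Current scheme and cost. The iteration count is an assumption chosen for
# this example; raise it as hardware speeds up and re-hash on next login.
CURRENT_SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000


def legacy_sha1_record(password: str) -> dict:
    """The criticised scheme: one unsalted SHA-1 of the password. Every user
    with the same password gets the same digest, and a single precomputed
    table of digests can be checked against every record in the store."""
    return {"scheme": "sha1_unsalted",
            "hash": hashlib.sha1(password.encode("utf-8")).hexdigest()}


def current_record(password: str) -> dict:
    """Salted, iterated PBKDF2-HMAC-SHA256. The per-record salt makes equal
    passwords hash differently and defeats shared precomputation; the
    iteration count slows each guess. Parameters travel with the record so
    they can be raised later without a flag day."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, CURRENT_ITERATIONS)
    return {"scheme": CURRENT_SCHEME, "iterations": CURRENT_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> tuple:
    """Return (ok, record_to_store). When the password is correct and the
    stored record uses the legacy scheme or a lower cost than current, a
    freshly hashed record is returned so the store upgrades itself."""
    if record["scheme"] == "sha1_unsalted":
        ok = hmac.compare_digest(legacy_sha1_record(password)["hash"],
                                 record["hash"])
        return ok, (current_record(password) if ok else record)
    if record["scheme"] == CURRENT_SCHEME:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(record["salt"]),
                                     record["iterations"])
        ok = hmac.compare_digest(digest.hex(), record["hash"])
        if ok and record["iterations"] < CURRENT_ITERATIONS:
            return ok, current_record(password)
        return ok, record
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def needs_upgrade(record: dict) -> bool:
    """Audit helper: flag records a store should still migrate."""
    return (record["scheme"] != CURRENT_SCHEME
            or record["iterations"] < CURRENT_ITERATIONS)


if __name__ == "__main__":
    # Constructed sample store: two users who picked the same password.
    store = {"alice": legacy_sha1_record("linkedin2012"),
             "bob": legacy_sha1_record("linkedin2012")}
    print("legacy digests equal:", store["alice"]["hash"] == store["bob"]["hash"])
    ok, store["alice"] = verify(store["alice"], "linkedin2012")
    print("alice login ok:", ok, "now stored as:", store["alice"]["scheme"])
    ok, store["bob"] = verify(store["bob"], "linkedin2012")
    print("salted digests equal:", store["alice"]["hash"] == store["bob"]["hash"])
    print("records still needing upgrade:",
          [user for user, rec in store.items() if needs_upgrade(rec)])
```

`hmac.compare_digest` is used for both schemes so that a wrong guess takes the same time as a near miss; storing the scheme name and iteration count beside each hash is what lets the cost be raised later without locking anyone out.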


mike at mtcc

Jun 8, 2012, 1:41 PM

Post #22 of 87 (1128 views)
Re: Dear Linkedin,

On 06/08/2012 01:35 PM, Lyndon Nerenberg wrote:
> On 2012-06-08, at 1:22 PM, Michael Thomas wrote:
>
>> Does your password safe know how to change the password on each
>> website every several months?
> Yes.

I run a website. If it can change it on mine, I'd like to understand
how it manages to do that.

Mike


mike at mtcc

Jun 8, 2012, 1:55 PM

Post #23 of 87 (1127 views)
Re: Dear Linkedin,

On 06/08/2012 01:41 PM, Alec Muffett wrote:
>> PS: when security is hard, people simply don't do it. Blaming the victim
>> of poor engineering that leads people to not be able to perform best
>> practices is not the answer.
> Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk
>
> We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.
>
> Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.
>

A lot has changed from 1995, and still we're using technology that
is essentially unchanged from the 1960's. For my part, on my app/website
(Phresheez), the app actually auto-generates passwords for the user
so that they don't have to type one in. I do this mainly because people
hate typing on phones, but it has the nice property that if you have
a password exposure event, you do not have the cascading failure
mode that Linkedin has now unleashed. With apps and browsers that
can remember passwords why are we still insisting that users generate
and remember their own bad passwords? That's one reason that I
find the finger wagging tone of that Linkedin post extremely problematic --
they have obviously never even considered thinking beyond the current
bad practice.

Mike


alec.muffett at gmail

Jun 8, 2012, 2:28 PM

Post #24 of 87 (1103 views)
Re: Dear Linkedin,

On 8 Jun 2012, at 21:55, Michael Thomas wrote:

> With apps and browsers that
> can remember passwords why are we still insisting that users generate
> and remember their own bad passwords? That's one reason that I
> find the finger wagging tone of that Linkedin post extremely problematic --
> they have obviously never even considered thinking beyond the current
> bad practice.

That's a fair point, well made; in practice I try to educate people on how to choose a good password by showing them bad ones and giving them a list of "Don'ts"; giving them a tool would be easier but then you have a race to the bottom for platform neutral tools which are well-written, don't repeat plaintexts and don't serve off a central authority like a website.

In some ways when faced with a challenge like that I would prefer people learned how to pick their own.

One pentester-friend of mine can now determine which department of his customer an employee belongs to, because each department circulated its own rules on "how to choose a secure password" and the templates/technique are distinct from one department to the next. He brute-forces a password (possible because the passwords are 8 characters-ish and reasonably short, thereby making templates irrelevant) and then reprograms his cracking software to mess with the per-department template to crack the rest of the users in a shorter time.

Having people make up their own passwords reduces scope for that sort of behaviour - you crack some of the clueless folk but the overall quantity of breaks may be reduced.

Also: someone earlier mentioned "the password anti-pattern" - just to clear up a misapprehension, password security is not itself the aforementioned "anti-pattern"* but instead the actual "password anti-pattern" is (for example) surrendering your Blog password to a third party like Flickr so that it can post photos to your blog on your behalf.

This sort of problem is solved by OAuth, and it is from that community (unsurprisingly) that the password-anti-pattern term was popularised; Google's "application-specific password" scheme addresses another aspect of the same issue.

More concisely the "password anti-pattern" is "giving your password away or using it untowardly".

-a


johnl at iecc

Jun 8, 2012, 2:59 PM

Post #25 of 87 (1102 views)
Re: Dear Linkedin,

>Yes; of course if most of those accounts are moribund and unused then you don't need
>to change them so often, but the passwords you use frequently should be changed at
>regular intervals.
>
>It's pretty commonsensical once the threat is understood.

Given that most compromised passwords these days are stolen by malware
or phishing, I'm not understanding the threat, unless you're planning
to change passwords more frequently than the interval between malware
stealing your password and the bad guys using it.

I agree that keeping a big file of unsalted hashes is a dumb idea, but
there isn't much that users can do about services so inept as to do
that.

R's,
John
