Password Coalition

Users use the same passwords for multiple services. It’s a fact of life; it’s just so easy that most people end up having 2-3 passwords they use everywhere, including one “hard” one for financial sites, etc. The downside is your password is only as strong as the weakest link of where you’ve used it — when something like the Gawker hack happens there is a huge wave of compromised accounts that follows.

You can ask users not to use the same password, you can even encourage things like 1Password (too expensive for many people I recommend it to), but what if there was a way to enforce that people registering for your site hadn’t used the same password elsewhere?

It actually wouldn’t be too hard: if you’re registering with 123@gmail.com and the password “abc” when you register and the site hasn’t encrypted and stored the password yet it could try to log into your Gmail account with those details, and if it works force you to choose a different password. There’s no reason this has to be limited to email logins; you could put it against the APIs of WordPress.com, Twitter, Facebook, LinkedIn, any number of other services that expose simple authentication APIs and see where it works. Any successful logins, tell the user they need to pick something else.

Of course all that work and they’ll probably just put a 1 at the end of it.

43 thoughts on “Password Coalition”

  1. I use 1Password, definitely useful, though really tricky to utilize when on a mobile phone, when you need to get into a site you haven’t already saved the PW for in the browser itself.

    I’d also say a big important step here is making the standard for passwords to allow for much longer strings, including spaces within. I’ve seen some crappy sites do max characters wayyyy too low, and not even allow certain symbols or spaces. That makes it harder to put together a more secure password for things like 1Password to generate for you, so there’s just a ton of fragmentation of password standards from site to site 🙁

    1. I use LastPass as well. I’m a big fan of the built-in password generator that LastPass has. It has a number of options for combinations of uppercase, lowercase, numbers, special characters, and password length.

      I use it for everything.

  2. I think this is against the TOS of most websites under unauthorized access.

    But I agree with the concept. Perhaps a standardized API could be used for the purpose (doesn’t grant access, but given to trusted partners for the purpose of password checks).

  3. hmmm….
    I thought it’s scary to read this “and the site hasn’t encrypted and stored the password yet it could try to log into your Gmail account with those details”.
    I’d have preferred to ignore that this is possible at all.
    Users trust providers won’t use their login details for their own purpose. It’s assumed that they can have access to them but they won’t go there unless the user needs help retrieving it or something like that.
    I think it’s stepping too far and breaking this trust if the provider would act in such a paternal way to protect your users from making that mistake.

    1. Has nothing to do at all with people using passwords in multiple places that require passwords, except in an imaginary world where every site in the world has a seamless oauth integration. It’s not even on the table for things like email accounts.

      1. Yes, but instead of changing your service so that it checks other sites for similar passwords, you could just use OAuth?

  4. Technically brilliant idea although I imagine there would be legal issues if you logged into someone’s accounts without express permission and, yes, putting a 1 at the end is exactly what they’d end up doing.

    I honestly don’t know how to react to people who feel that something as well-designed, constantly useful and superbly supported as 1Password is too expensive at $49, especially when that license allows you to run it on all your computers, both OS X and Windows, for a few years.

    I feel the same way when someone who would clearly benefit from an easy-to-use, reliable computer baulks at paying a bit extra for a Mac. The difference amounts to so very little when you consider that they’ll be using it for hours every day over at least three years and end up with a higher resale value, but a lot of people just can’t get past those newspaper ads for cut-price laptops, legoed together from bargain bin components.

    I get the calls when things go wrong, whether that be flaky drivers or hacked Facebook accounts, and, although I have more class than to say “I told you so”, I do despair at how incredibly short-sighted people are when making these decisions.

    I have a theory that the hordes of new Mac buyers today are mostly people who ALMOST bought one last time and have spent the past two years regretting their last-minute decision to buy a cheaper Windows machine instead. Likewise, I’ve never met a 1Password user who wasn’t evangelistic about it and didn’t regret not adopting it sooner.

    Automattic should cut an affiliate deal with the best password management applications and mention them during the registration process for WordPress.com, VaultPress etc, it could have a very positive impact.

    1. proud to have never owned a marvelous apple product: http://iamronen.com/2012/01/comfort-apple-in-china-potatoes-in-romania/

      in the spirit of open-source I live with Ubuntu & System76 (computers designed for Ubuntu) … no MAC and no Windows … 1Password is not available for Linux of any kind …

      Security … including identity, it seems to me, should be a core element of computing … the fact that it isn’t inherently solved for everyone (regardless of operating system) is a flaw … compliments of software engineers (open and closed source) all around the planet

  5. Also HIGHLY recommend PassPack.com – amazing tool, been using it for over a year now and absolutely love it. To login you need to use your username/password, then verify that you’re a human by clicking on the right box, and then type your secure word/sentence before you can see the list of your passwords. You can tag them, search etc etc. The best tool I’ve used/found.

  6. I’m with Terry on using a single high-entropy master password paired with Lastpass and a completely random password for each site.

    I thought about implementing a process like this post is suggesting some time ago, but one thing always concerned me: what if you unintentionally chose to test passwords against an untrustworthy source (or worse – a source which had been compromised). Then you are giving away your users’ passwords outright… As a user, I don’t want my password being sent to a handful of different companies for any reason.

    1. That’s a really good point — this would probably have to be something that’s a behind-the-scenes deal between trusted partners, like WordPress.com and Twitter could do it, or you could pretty safely assume that Gmail hasn’t been compromised.

      1. Yea. I suppose I would really prefer a more robust solution. If I were to build something like this, I would want to partner with WordPress.com to send them a hash of the hash of the password.

        These hashes would both need to be salted – the first with the salt used by WordPress.com and the second by a random salt generated by me and shared with WordPress.com. Unfortunately, this would require WordPress.com sharing a given user’s salt with me which probably isn’t going to happen 😛
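
The hash-of-a-hash exchange proposed in the comment above, as an added sketch that is not the commenter's or WordPress.com's code. The `Partner` class, its methods and the use of PBKDF2 and HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the partner's password hash


def stored_hash(password: str, user_salt: bytes) -> bytes:
    """First hash: what the partner already stores for the user (PBKDF2 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), user_salt, ITERATIONS)


def blind(inner_hash: bytes, request_salt: bytes) -> bytes:
    """Second hash: the first hash keyed with the random salt chosen by the new site."""
    return hmac.new(request_salt, inner_hash, hashlib.sha256).digest()


class Partner:
    """Hypothetical partner service holding salted password hashes."""

    def __init__(self):
        self._users = {}  # email -> (user_salt, stored_hash)

    def enroll(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, stored_hash(password, salt))

    def salt_for(self, email: str):
        # The step the comment doubts a partner would allow: handing out a user's salt.
        record = self._users.get(email)
        return record[0] if record else None

    def matches(self, email: str, request_salt: bytes, token: bytes) -> bool:
        record = self._users.get(email)
        if record is None:
            return False
        # Constant-time comparison of the two blinded hashes.
        return hmac.compare_digest(blind(record[1], request_salt), token)


def password_reused(partner: Partner, email: str, candidate: str) -> bool:
    """Run by the new site at registration, before it hashes and stores the password."""
    user_salt = partner.salt_for(email)
    if user_salt is None:
        return False  # no account at the partner, nothing to compare
    request_salt = os.urandom(16)
    token = blind(stored_hash(candidate, user_salt), request_salt)
    return partner.matches(email, request_salt, token)


def demo():
    partner = Partner()
    partner.enroll("user@example.com", "abc")  # constructed sample account
    return [password_reused(partner, "user@example.com", pw) for pw in ("abc", "abc1")]


if __name__ == "__main__":
    print(demo())
```

The partner never receives the candidate password, only a blinded hash tied to one request. The second candidate, the same password with a 1 appended, is not detected as reuse.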

  7. That solution would cause too much frustration… and even anger in people who knew you were logging into another one of their accounts.

    The only solution that would solve this problem for the majority of internet users would be for 1Password-like functionality to be built into Windows, iOS, OS X, and Android. If you build it in and educate users up-front why they should start using it, they’ll have a positive association with this new bit of security instead of a negative one.

    1Password has done a lot of the industry’s R&D work for them already on this. They’ve gone through tons of usability tweaks and other updates which have finally gotten the product to a point where most people can learn how to use it. If a company like Apple took what’s been built so far and baked it right into the OS, it would be even more turnkey.

  8. Completely agree about 1password – it’s changed my life! Different passwords for every site that can easily be accessed. It also makes logging in faster as, with the browser extension, you just click a couple of times and you’re done.

    So it’s secure and will save you a few minutes/hours of your life. Surely that’s worth $40?

  9. Has anyone in this thread used both 1Password and LastPass recently? I currently use 1Password and give it a “B-” grade- it gets the job done, but I’m not the happiest with the licensing. I’m interested to know the LastPass experience relative to 1Password…

  10. A coalition or initiation of any such kind from the actual service/site owners would be great.

    I use LastPass for all my online passwords. While I do have a Master Password, there are dozens of weak passwords in my vault from the past shared across hundreds of sites.

    LastPass posted a set of resolutions in which they enforce their password policies and tips to encourage people to change all their passwords http://blog.lastpass.com/2012/02/resolutions-recap-share-your-feedback.html

    Surprisingly, most people are happy with their easy to remember birthday or pet’s name combined with home address passwords. Even with all the Facebook posts (“Sorry! I didn’t post those messages, I was hacked!”) floating around, people simply focus on the post and the Like button instead of wondering “Hmmmm, should I protect my e-mail password the way I protect my ATM pin?”

    I keep taking the LastPass Strength test every now and then on my quest to have all the weak passwords changed to something stronger. Will be doing it again after I’m done with this comment.

    Thanks for the reminder! 🙂

  11. I’m using Keepass and somewhat about 80% of all my passwords are different and really complex. The other 20% are passwords I haven’t used for years or are simply outdated.

    I even use Keepass on my smartphone, tablet and on Linux. With some third-party addons it integrates nicely with Firefox and/or Chrome, too. Synching is done with Dropbox.

    The only real threat is to forget the password of my Dropbox and don’t have a local copy of the Keepass file anywhere 😀

  12. I use a two part password system. The first part is a pattern based on the site. So WordPress might be Wrdprss, Twitter would be Twttr, and so on. I don’t have to memorize the first part, just the pattern being used.

    The second part is a “strong” sequence containing symbols and numbers. I memorize this part.

    Combine the two parts and you have a unique, strong, password for each site that doesn’t require much memorization.

    More examples can be found here: goo.gl/sMGQO

  13. I feel like I both can’t wait for a site to do this to me, and it’s a total dick move of a site to do this to me.

    Enable this on wp.com next april fools. Sure that would go over well.

  14. Matt,

    I use Roboform.com and not only use strong passwords such as V9eS7p7r8B4X4E9AWTX@awsf4whQ but also strong usernames such as fHK95bAqi6tmZUeXhqPJKSckso2A (This is something that I teach in my course on WP security)

  15. LastPass is a free password manager and form filler. It’s also available for Firefox, Internet Explorer, Google Chrome and Safari. A must-have for any security conscious person. I generate an entirely new random password for every new site. I’ve also used LastPass to backup and securely log-in without an extension on public computers using LastPass.com/mobile. Been using it for nearly 3 years now. It’s the only online safe password generation and storage I know.

    Terence.

  16. I am a long time 1password user. Works great in avoiding generic passwords. There is a mobile version too, but I seldom use it. Most important is to keep a good backup of the 1password file.

    I think your plan to test user credentials against known services is a very bad idea. There are many privacy and legal issues involved in doing so. Isn’t this crossing a privacy line that you don’t want to get crossed?

    And does it solve the real problem? I think not. In the first place users be educated and in the second place be facilitated in a proper way.

    Login in with a centralized robust system can be a good idea. There is LDAP, there is OpenID. But they are not widely used. Google now provides a system, that can be used to login on other services. Facebook does too. Google provides also two factor authentication. That can be a good idea or not? Do you trust Google? Do we trust Facebook?

    Certainly, I would not trust any party that tests the uniqueness of my given credentials against other services.

    Privacy and trust and the integrity of privacy and trust become very quickly a complicated issue.

    So let the users decide for themselves. Educate users in choosing a strong password, with a password strength indicator and give users the opportunity to use OpenID, google login and the like.

    But don’t try to take away the users own responsibility for his own behavior. That leads to dumber users and more problems not less.

  17. getting people to do something is a tall order … sadly it seems to be almost a default when developers outline solutions.

    wouldn’t it be great if my self-hosted WordPress site could become a password server that (1) could provide authentication through OAuth or any other API; (2) could auto-generate / auto-serve / auto verify different passwords for every service registered with it; (3) could provide me with a list of places where I use passwords and the ability to dump them; (4) could keep an eye out for me in case of hacked attempts and automatically handle it … such as handshake a new password with a service that may be suspicious?; (5) do so with every possible API/standard/protocol out there (that can be open-source licensed)

    Then all I would have to do is … have WordPress and forget about passwords … and it would be on my server so that no-one could ever access/utilize that data or metadata about me.

    I could even imagine that is a very popular WordPress.com premium service.

  18. After a virus scare a couple years back (ironically from a WP Thematic child themes site) that not only compromised my main workstation (rooted), but my server too (filezilla passwords were mined) I now use KeePass and the KeePass Chrome plugin and every web account, financial account, forum, site login, blog, ftp, etc. etc. has its own unique username and 20+ character password.

  19. Ok, here is my 2 cents.

    I have tried a lot about password management, and I found a good solution for me 3 years ago. It consists of two parts: files with account information and a password manager (I use KeePass). I put all account information, except passwords, into files. They may be plain text files or Word documents. And a password manager stores only password entries named in this way: Entry 1, Entry 2, Entry 3 and so on.

    Here is a small example. Let’s assume I have a facebook account I want to store the information about. I open the file named “Social Networks.doc” and put the following info into it:

    Facebook
    Email: example@domain.com
    Password: (416)

    And I create an entry in my password manager. The entry is named “Entry 416”.

    And that’s it.

    When I need to get my facebook account information I can go to that .doc file, copy the email address, then copy the password from KeePass and paste it into the web page.

    The solution is cross-platform. I can store text files on any OS 🙂 and KeePass is also cross-platform. Additionally, I can replace KeePass with any other password manager or any application that allows me to store encrypted notes.
    The overall security is also increased: full information about accounts is not stored in one single database.
    And it is flexible. It allows to create any number of files with account information, organized in any way.

  20. I think the problem with forcing users to have different passwords is that users can never remember them. Therefore they end up writing them down somewhere which then defeats the object of having a password.

    Although I do understand fully that the same password for everywhere is risky.

    Perhaps variations on a theme is the way to go!

  21. I use Keepass as it’s the only solution I have found that works on Windows, Linux and via USB. I sync the keepass file via Dropbox.

    I just wish it would work on iPad/iPhone as well

  22. I have a sneaking suspicion that any website stupid enough to implement this would quickly see a drastic drop in sign ups and users. Even if they did it without telling people, gMail keeps track of where your account was logged in from last. Hello class action lawsuit.

    Personally, I’d be among the droves heading for the exit, even though I do use unique passwords for each of my accounts online. It would be like signing up for house insurance and your insurer breaking in in the middle of night supposedly to check how secure the house was.

    Absolute power always, always, ALWAYS corrupts absolutely, and there is nothing in this world that would stop a less than reputable website owner from mining that information and using it to bad ends.

  23. The legal minefield aside, users would probably figure a simple way around it, as you suggested – they will probably stick a 1 at the end of it.

    With that being said, I have often considered comparing existing databases against the publicly available compromise lists when they are released using something similar to https://shouldichangemypassword.com and sending a quick notification off to the user (or maybe flagging their account if it’s the same password).
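
One way the comparison described in the comment above could work against a database of salted hashes, as an added sketch that is not the commenter's code. The record layout, the function names and the PBKDF2 parameters are assumptions, and the users and leaked pairs are constructed sample data.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted hash as the site is assumed to store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(email: str, password: str) -> dict:
    """Build a constructed user record: only the salt and the hash are kept."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


def triage_leak(users: list, leaked_pairs: list) -> dict:
    """Map each affected account to 'flag' (same password here) or 'notify'.

    Salted hashes cannot be compared against a list in bulk, so each leaked
    plaintext is re-hashed with the salt of the account that has the same email.
    """
    by_email = {u["email"]: u for u in users}
    actions = {}
    for email, leaked_password in leaked_pairs:
        user = by_email.get(email.strip().lower())
        if user is None:
            continue  # the leak mentions someone who has no account here
        candidate = hash_password(leaked_password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            actions[user["email"]] = "flag"  # leaked password is in use on this site
        else:
            actions.setdefault(user["email"], "notify")  # email exposed, password differs
    return actions


def demo() -> dict:
    # Constructed sample data, not taken from any real compromise list.
    users = [
        make_user("alice@example.com", "abc"),
        make_user("bob@example.com", "correct horse battery staple"),
        make_user("carol@example.com", "Tr0ub4dor&3"),
    ]
    leaked = [
        ("Alice@example.com", "abc"),      # same password as on this site
        ("bob@example.com", "hunter2"),    # different password
        ("dave@example.com", "letmein"),   # not a user of this site
    ]
    return triage_leak(users, leaked)


if __name__ == "__main__":
    print(demo())
```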

  24. The best hybrid answer is to actually auto-generate 5 passwords of up to 5 random characters each (heck, phone numbers are 7 digits long and people memorize those rote for any one of probably hundreds of people…).

    The trick – make your password on any site a combination of any TWO of those three short password sets:

    A+B, A+C, A+D, A+E, B+C, B+D, B+E, C+D, C+E, D+E

    Then do the whole thing in reverse, then you can do combinations within those. That’s like 25 passwords and all are generated from 5 simpler hashes that ONLY YOU KNOW! Mix them up between sites, and before you know it, you’ve got in excess of 25 passwords that are all generated of 10 completely randomized character, number, and special character sets.

    There is no convention that can be fleshed out based on the site type or anything tied to anything else! It’s not that difficult if you put your mind to it.

    Wanna really rack your brain? The one nugget I will reveal here is that I only use 3 shorter passwords, and one is 6, one is 7, and one is 8 character sets long! Completely blew away the DoD when they asked me to create a password for them that met all these special criteria and I did it on the fly without batting an eye! 🙂

  25. Remembering 100+ passwords seems to be the problem for most people. I personally do like this approach: http://xkcd.com/936/ To make passwords unique, just add the site’s domain or first 5 letters of the domain you are registering with or another obvious variable.

  26. The password problem is absolutely one of these issues where you need to balance ease of use with robust engineering.
    Unfortunately, passwords are extremely user-UNfriendly. Some researchers like my friend Sara are working on a combination of password and bio-markers (in this case, fingerprints): http://fingerid.me/.
    It does make things easier for users, but then the problem of privacy arises: you are giving your fingerprints to a private company…what if they sell it? What if they get compromised and hackers use your fingerprints to commit crime?
    This is an extremely complex problem indeed…
