Simon Willison's Weblog: passwords

How some of the world's most brilliant computer scientists got password policies so wrong

2024-11-21T06:00:04+00:00

How some of the world's most brilliant computer scientists got password policies so wrong

Stuart Schechter blames Robert Morris and Ken Thompson for the dire state of passwords today:

The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance.

As Stuart describes it, their first mistake was inventing password policies (the ones about having at least one special character in a password) without testing that these would genuinely help the average user create a more secure password. Their second mistake was introducing one-way password hashing, which made the terrible password choices of users invisible to administrators of these systems!

As a result of Morris and Thompson’s recommendations, and those who believed their assumptions without evidence, it was not until well into the 21st century that the scientific community learned just how ineffective password policies were. This period of ignorance finally came to an end, in part, because hackers started stealing password databases from large websites and publishing them.

Stuart suggests using public-private key cryptography for passwords instead, which would allow passwords to be securely stored while still allowing researchers holding the private key the ability to analyze the passwords. He notes that this is a tough proposal to pitch today:

Alas, to my knowledge, nobody has ever used this approach, because after Morris and Thompson’s paper storing passwords in any form that can be reversed became taboo.

Via Bruce Schneier

Tags: passwords, security

Quoting John Gruber

2024-10-20T22:17:54+00:00

I really dislike the practice of replacing passwords with email “magic links”. Autofilling a password from my keychain happens instantly; getting a magic link from email can take minutes sometimes, and even in the fastest case, it’s nowhere near instantaneous. Replacing something very fast — password autofill — with something slower is just a terrible idea.

— John Gruber

Tags: passwords, security, john-gruber

Quoting Adam Newbold

2024-08-15T00:25:54+00:00

[Passkeys are] something truly unique, because baked into their design is the requirement that they be unphishable. And the only way you can have something that’s completely resistant to phishing is to make it impossible for a person to provide that data to someone else (via copying and pasting, uploading, etc.). That you can’t export a passkey in a way that another tool or system can import and use it is a feature, not a bug or design flaw. And it’s a critical feature, if we’re going to put an end to security threats associated with phishing and data breaches.

— Adam Newbold

Tags: passwords, security, passkeys, phishing

How researchers cracked an 11-year-old password to a crypto wallet

2024-06-17T17:04:54+00:00

How researchers cracked an 11-year-old password to a crypto wallet

If you used the RoboForm password manager to generate a password prior to their 2015 bug fix that password was generated using a pseudo-random number generator based on your device’s current time—which means an attacker may be able to brute-force the password from a shorter list of options if they can derive the rough date when it was created.

(In this case the password cracking was consensual, to recover a lost wallet, but this still serves as a warning to any RoboForm users with passwords from that era.)

Tags: passwords, security

Quoting Memo: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

2022-01-27T19:18:04+00:00

Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government.

— Memo: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

Tags: government, passwords, security

Weeknotes: datasette-auth-passwords, a Datasette logo and a whole lot more

2020-07-17T03:41:13+00:00

All sorts of project updates this week.

datasette-auth-passwords

Datasette 0.44 added authentication support as a core concept, but left the actual implementation details up to the plugins.

I released datasette-auth-passwords on Monday. It's an implementation of the most obvious form of authentication (as opposed to GitHub SSO or bearer tokens or existing domain cookies): usernames and passwords, typed into a form.

Implementing passwords responsibly is actually pretty tricky, due to the need to effectively hash them. After some research I ended up mostly copying how Django does it (never a bad approach): I'm using 260,000 salted pbkdf2_hmac iterations, taking advantage of the Python standard library. I wrote this up in a TIL.

The plugin currently only supports hard-coded password hashes that are fed to Datasette via an environment variable - enough to set up a password-protected Datasette instance with a couple of users, but not really good for anything more complex than that. I have an open issue for implementing database-backed password accounts, although again the big challenge is figuring out how to responsible store those password hashes.

I've set up a live demo of the password plugin at datasette-auth-passwords-demo.datasette.io - you can sign into it to reveal a private database that's only available to authenticated users.

Datasette website and logo

I'm finally making good progress on a website for Datasette. As part of that I've been learning to use Figma, which I used to create a Datasette logo.

Figma is really neat: it's an entirely web-based vector image editor, aimed at supporting the kind of design work that goes into websites and apps. It has full collaborative editing for teams but it's free for single users. Most importantly it has extremely competent SVG exports.

I've added the logo to the latest version of the Datasette docs, and I have an open pull request to sphinx_rtd_theme to add support for setting a custom link target on the logo so I can link back to the rest of the official site, when it goes live.

TIL search snippet highlighting

My TIL site has a search engine, but it didn't do snippet highlighting. I reused the pattern I described in Fast Autocomplete Search for Your Website - implemented server-side rather than client-side this time - to add that functionality. The implementation is here - here's a demo of it in action.

SRCCON schedule

I'm attending (virtually) the SRCCON 2020 journalism conference this week, and Datasette is part of the Projects, Products, & Research track.

As a demo, I set up a Datasette powered copy of the conference schedule at srccon-2020.datasette.io - it's running the datasette-ics plugin which means it can provide a URL that can be subscribed to in Google or Apple Calendar.

The site runs out of the simonw/srccon-2020-datasette repository, which uses a GitHub Action to download the schedule JSON, modify it a little (mainly to turn the start and end dates into ISO datestamps), save it to a SQLite database with sqlite-utils and publish it to Vercel.

Covid 19 population data

My Covid-19 tracker publishes updated numbers of cases and deaths from the New York Times, the LA Times and Johns Hopkins university on an hourly basis.

One thing that was missing was county population data. US counties are identified in the data by their FIPS codes, which offers a mechanism for joining against population estimates pulled from the US Census.

Thanks to Aaron King I've now incorporated that data into the site, as a new us_census_county_populations_2019 table.

I used that data to define a SQL view - latest_ny_times_counties_with_populations - which shows the latest New York Times county data with new derived cases_per_million and deaths_per_million columns.

Tweaks to this blog

For many years this blog's main content has sat on the left of the page - which looks increasingly strange as screens get wider and wider. As of this commit the main layout is centered, which I think looks much nicer.

I also ran a data migration to fix some old internal links.

Miscellaneous

I gave a (virtual) talk at Django London on Monday about Datasette. I've taken to sharing a Google Doc for this kind of talk, which I prepare before the talk with notes and then update afterwards to reflect additional material from the Q&A. Here's the document from Monday's talk.

San Francisco Public Works maintain a page of tree removal notifications showing trees that are scheduled for removal. I like those trees. They don't provide an archive of notifications from that page, so I've set up a git scraping GitHub repository that scrapes the page daily and maintains a history of its contents in the commit log.

I updated datasette-publish-fly for compatibility with Datasette 0.44 and Python 3.6.

I made a few tweaks to my GitHub profile README, which is now Apache 2 licensed so people know they can adapt it for their own purposes.

I released github-to-sqlite 2.3 with a new option for fetching information for just specific repositories.

The Develomentor podcast published an interview with me about my career, and how it's been mostly defined by side-projects.

TIL this week

Tags: design, passwords, projects, datasette, weeknotes, covid19, git-scraping

datasette-auth-passwords

2020-07-13T23:39:06+00:00

datasette-auth-passwords

My latest plugin: datasette-auth-passwords provides a mechanism for signing into Datasette using a username and password (which is verified in order to set a ds_actor authentication cookie). So far it only supports passwords that are hard-coded into Datasette’s configuration via environment variables, but I plan to add database-backed user accounts in the future.

Tags: authentication, passwords, plugins, projects, datasette

Apple password-manager-resources

2020-06-09T04:21:56+00:00

Apple password-manager-resources

Apple maintain on open source repository full of heuristics for implementing smart password managers. It lists password rules for different sites (e.g. min/max length, special characters required), change password URLs for different services and sites that share credential backends—like icloud.com and apple.com. They accept pull requests!

Via Ricky Mondello

Tags: apple, passwords

Quoting UK National Cyber Security Centre

2018-08-25T19:57:46+00:00

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately. [...] Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

— UK National Cyber Security Centre

Tags: passwords, security

Password Tips From a Pen Tester: Common Patterns Exposed

2018-06-12T15:35:22+00:00

Password Tips From a Pen Tester: Common Patterns Exposed

Pipal is a tool for analyzing common patterns in passwords. It turns out if you make people change their password every three months and force at least one uppercase letter plus a number they pick “Winter2018”.

Via @plaverty9

Tags: passwords, security

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

2018-02-22T19:24:43+00:00

I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Troy Hunt has collected 501,636,842 passwords from a wide collection of major breaches. He suggests using the to build a password strength checker that can say “your password has been used by 53,274 other people”. The full collection is available as a list of SHA1 codes (brute-force reversible but at least slightly obfuscated) in an 8GB file or as an API. Where things get really clever is the API design: you send just the first 5 characters of the SHA1 hash of the user’s password and the API responds with the full list of several hundred hashes that match that prefix. This lets you build a checking feature without sharing full passwords with a remote service, if you don’t want to host the full 8GB of data yourself.

Via r/netsec

Tags: passwords, security, troy-hunt

How could GitHub improve the password security of its users?

2013-11-20T17:50:00+00:00

My answer to How could GitHub improve the password security of its users? on Quora

By doing exactly what they're doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.

Their account security practices are already best-in-industry: they support two-factor authentication and their "Security History" interface at https://github.com/settings/secu... is the best I've seen on any website.

The way they store passwords (correctly, using bcrypt) had nothing to do with this particular security incident.

Tags: github, open-source, passwords, rate-limiting, security, quora

apache.org incident report for 04/09/2010

2010-04-14T09:08:58+00:00

apache.org incident report for 04/09/2010

An issue was posted to the Apache JIRA containing an XSS attack (disguised using TinyURL), which stole the user’s session cookie. Several admin users clicked the link, so JIRA admin credentials were compromised. The attackers then changed the JIRA attachment upload path setting to point to an executable directory, and uploaded JSPs that gave them backdoor access to the file system. They modified JIRA to collect entered passwords, then sent password reset e-mails to team members and captured the new passwords that they set through the online form. One of those passwords happened to be the same as the user’s shell account with sudo access, leading to a full root compromise of the machine.

Tags: apache, incident, jira, passwords, security, tinyurl, urls, xss

Quoting rossriley on Hacker News

2009-08-23T10:10:28+00:00

For those who haven't heard the story the details were pulled from a Christian dating site db.singles.org which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person's profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.

— rossriley on Hacker News

Tags: security, sql-injection, passwords

Facebook Hacked By 4chan, Accounts Compromised

2009-08-23T10:02:04+00:00

Facebook Hacked By 4chan, Accounts Compromised

It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your user’s passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out.

Tags: 4chan, facebook, identitytheft, passwords, security

The Anatomy Of The Twitter Attack

2009-07-20T00:55:35+00:00

The Anatomy Of The Twitter Attack

Long-winded explanation of the recent Twitter break-in, but you can scroll to the bottom for a numbered list summary. The attacker first broke in to a Twitter employee’s personal Gmail account by “recovering” it against an expired Hotmail account (which the attacker could hence register themselves). They gained access to more passwords by searching for e-mails from badly implemented sites that send you your password in the clear.

Tags: gmail, hotmail, passwords, security, twitter

Weak Password Brings "Happiness" to Twitter Hacker

2009-01-07T12:04:56+00:00

Weak Password Brings "Happiness" to Twitter Hacker

The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.

Tags: hacking, passwords, security, twitter

Antipatterns for sale

2009-01-02T10:48:17+00:00

Antipatterns for sale

Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.

Tags: jeremy-keith, oauth, passwordantipattern, passwords, security, sitepoint, twitter

Facebook's new signup process

2008-12-12T11:43:56+00:00

Facebook's new signup process

It looks like they’ve dropped the “enter your password twice” pattern. Is this really a good idea? I suppose if people mis-type it they can always use forgotten password to set a new one.

Tags: facebook, passwords, usability

Quoting Ben Laurie

2008-11-02T13:04:41+00:00

.. yet another ridiculous data breach: this time, people's passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.

— Ben Laurie

Tags: security, ben-laurie, passwords

Quoting Kim Zetter

2008-09-18T22:23:59+00:00

The Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse - the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

— Kim Zetter, Wired

Tags: passwords, security, hacking, sarahpalin

Quoting Blaine Cook

2008-08-14T10:01:37+00:00

OAuth came out of my worry that if the Twitter API became popular, we'd be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users' passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

— Blaine Cook

Tags: security, passwords, phishing, oauth, blaine-cook, twitter, twitterapi

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To

2008-08-09T10:18:28+00:00

Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To

Nice to see TechCrunch highlighting the hypocrisy of Facebook advising their users to never enter their Facebook credentials on another site, then asking them for their webmail provider password so they can scrape their address book.

Tags: facebook, hypocrisy, passwordantipattern, passwords, security, techcrunch

Changeset 8162

2008-07-31T22:54:10+00:00

Changeset 8162

“Implemented a secure password reset form that uses a token and prompts user for new password”—also sneaks base36 encoding and decoding in to Django.

Tags: base36, changeset, django, luke-plant, passwords, python, security

Quoting Fasthosts

2007-10-18T17:27:24+00:00

Historically, Internet companies have rarely encrypted passwords to aid customer service.

— Fasthosts

Tags: fasthosts, security, passwords, wtf

The password anti-pattern

2007-10-12T09:25:25+00:00

The password anti-pattern

What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords?

Tags: gmail, google, jeremy-keith, oauth, passwords, phishing, yahoo