Categories
Aside

2019.1.17

Nothing quite like starting the day by refreshing a password that was apparently compromised, and then trying to determine where/how the operators might have obtained the login credentials in the first place. Still, props to Google’s AI systems for detecting the aberrant login attempt and blocking it, as well as for password managers which make having unique login credentials for every service so easy to manage/replace.

Categories
Writing

Thoughts on 1Password ‘Home’ Edition

People are worried that someone’s going to steal their data or secretly access their personal devices. Border agents are accessing devices with worrying regularity. Travellers are being separated from their devices and electronics when they fly. Devices are stolen with depressing regularity. And then there’s the ongoing concern that jealous spouses, partners, or family members will try to see with whom their partner’s been emailing, Snapchatting, or Whatsapping.

Few people are well positioned to defend against all of these kinds of intrusions. Some might put a password on their device. Others might be provided with updates for their devices (and even install the updates!). But few consumers are well situated to determine which software is better or worse in terms of providing security and user privacy, or to make informed decisions about how much a security product is actually worth.

Consider a longstanding question that plagues regular consumers: which version of Windows is ‘the most secure’? Security experts often advise consumers to encrypt their devices to prevent many of the issues linked to theft. Unfortunately, only the professional or enterprise versions of Windows offer BitLocker, which provides strong full disk encryption.[1] These professional versions are rarely provided by default to consumers when they buy their laptops or desktops — they get the ‘Home’ editions instead — because why would everyday folks want to encrypt their data at rest using the best security available? (See above list for reasons.)

Consumers ask the same security-related questions about different applications they use. Consider:

  • Which messaging software gives you good functionality and protects your chats from snoops?
  • Which cloud services are safe to store my data in?
  • Which VoIP system encrypts my data securely, so no one else can listen in?
  • And so on…

Enter the Password Managers

Password managers all generally offer the same kind of security promises: use the manager, generate unique passwords, and thus reduce the likelihood that one website’s security failure will result in all of a person’s accounts being victimized. ‘Security people’ have been pushing regular consumers to adopt these managers for a long time. It’s generally an uphill fight because trusting a service with all your passwords is scary. It’s also a hill that got a little steeper following an announcement by AgileBits this week.

AgileBits sells a password manager called ‘1Password’. The company has recognized that people are worried about their devices being seized at borders or about border agents compelling people to log into their various services and devices. Such services could include 1Password, which is pitched as a safe place to hold your logins, credit card information, identity information, and very private notes. Recognizing that the company has encouraged people to store super sensitive information in one place, and thus create a goldmine for border agents, AgileBits has released a cool travel mode for 1Password to reduce the likelihood that a border agent will get access to that stash of private and secret data.

1Password Home Edition

But that cool travel mode that’s now integrated into 1Password? It’s only available to people who pay a monthly subscription for the software. So all those people who were already skeptical of password managers, whom it was very hard to convince to use a manager in the first place, but who we finally got to use 1Password or a similar service? Or those people who resist monthly payments for things and would rather just buy their software once and be done with it? Yeah, they’re unlikely to subscribe to AgileBits’ monthly service. And so those users who’ve been taught to store all their stuff in 1Password are effectively building up a prime private information goldmine for border agents, and AgileBits is willing to sell them out to the feds because they’re not paying up.

People who already sunk money into 1Password to buy the software are, now, users of the 1Password Home version. Or to be blunt: they get the segregated kinds of security that Microsoft is well known for. It’s disappointing that in AgileBits’ efforts to ‘convert’ people to ongoing payments the company has decided to penalize some of its existing user base. But I guess it’s great for border agents!

I’m sure AgileBits and 1Password will survive, just as Microsoft does, but it certainly is a sad day when some users get more security than others. And it’s especially sad when a company that is predicated on aggregating sensitive data in one location decides it would rather exploit that vulnerability for its own profit instead of trying to protect all of its users equally.

NOTE: This was first published on Medium on May 24, 2017.


  1. Windows 8 and 10 do offer ‘Device Encryption’ but not all devices support this kind of encryption. Moreover, it relies on signing into Windows with a Microsoft Account and uploads the recovery key to Microsoft’s servers, meaning the user isn’t in full control of their own security. Unauthorized parties can, potentially, access the recovery key and subsequently decrypt computers secured with Device Encryption.
Categories
Links

The Rationale for Retaining Passwords

Alec Muffett has a terrific piece that clearly articulates why, exactly, passwords are beneficial elements of a broader security apparatus. He also notes core ‘risks’ associated with passwords, and how many of these risks can be defrayed (spoiler alert: just use a strong password management system).

Categories
Links, Writing

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings, one of the easiest things that people can do to ‘protect’ themselves online is select passwords that are super hard to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography’. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide the claimed level of protection.

Access the paper (.pdf)


Categories
Quotations

Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources – Facebook must be a favorite – or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user’s absence.

Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.

~Kim Davis, from Internet Evolution

Categories
Links

Passwords: uniqueness, not complexity

Graham argues that there are three tiers of sites and that you should apply variable password policies to each tier. The key lesson is to have unique passwords across the tiers so that a tier 3 site being hacked doesn’t endanger your tier 1 sites. You probably want unique passwords for each tier 1 site.

At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.

At the second tier are important e-commerce sites, like Amazon.com, NewEgg.com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.

At the third tier are the unimportant accounts, like StratFor, where it wouldn’t be catastrophic if your password were lost. Again, you could choose a third, simple password, like “passwd1234” for all these accounts. It’ll probably get stolen within a year, but who really cares?

While I agree, in part, I still think that a highly complex passphrase (not password) and a strong password manager like 1Password is probably the best approach for most people. That way you can enjoy strong, unique passwords and generate new ones for each account you open.
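As an added illustration (not code from Graham’s post or from this blog), the following Python check runs over a constructed sample vault: it computes the blast radius of one breached site and flags the reuse that the three-tier policy forbids, while the `strict` flag applies the all-unique stance argued above. Service names, tiers, and passwords are made up for the example.

```python
from collections import defaultdict

# Constructed sample vault (not real credentials): (service, tier, password).
# Tier 1 = e-mail, tier 2 = major e-commerce, tier 3 = throwaway accounts.
VAULT = [
    ("mail.example", 1, "correct horse battery staple"),
    ("shop-a.example", 2, "Tr0ub4dor&3"),
    ("shop-b.example", 2, "Tr0ub4dor&3"),      # reuse within tier 2 (allowed by Graham)
    ("forum.example", 3, "passwd1234"),
    ("blog.example", 3, "passwd1234"),
    ("bank.example", 2, "passwd1234"),         # tier-2 site reusing the tier-3 password
]


def reuse_groups(vault):
    """Map each password to the (service, tier) pairs that share it."""
    groups = defaultdict(list)
    for service, tier, password in vault:
        groups[password].append((service, tier))
    return groups


def blast_radius(vault, breached_service):
    """Other services an attacker could log into once one site leaks its password."""
    password = next(p for s, _, p in vault if s == breached_service)
    return sorted(s for s, _, p in vault if p == password and s != breached_service)


def policy_violations(vault, strict=False):
    """Reuse the tiered policy forbids: any reuse touching tier 1, or reuse that
    spans two tiers. With strict=True every reuse is reported (all-unique stance).
    Returns a list of (sorted services sharing the password, reason)."""
    violations = []
    for password, members in reuse_groups(vault).items():
        if len(members) < 2:
            continue
        tiers = {t for _, t in members}
        services = sorted(s for s, _ in members)
        if strict:
            violations.append((services, "password reused"))
        elif 1 in tiers:
            violations.append((services, "tier-1 password reused"))
        elif len(tiers) > 1:
            violations.append((services, "password shared across tiers"))
    return violations


if __name__ == "__main__":
    print("breach of forum.example exposes:", blast_radius(VAULT, "forum.example"))
    for services, reason in policy_violations(VAULT):
        print(reason + ":", ", ".join(services))
```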

Categories
Links

ContraRISK: Bad password advice

contrarisk:

In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell – ‘Assessing password guidance and enforcement on leading websites’ – presents some fascinating original research into the password practices of various leading websites – and also paints a somewhat…

Whenever I read about bad passwords, I’m reminded of XKCD’s comic on password strengths.