The recent password thefts

So with everyone talking about it I guess it’s time I add my 2 cents (without saying anything others haven’t so feel free to stop reading ;).

I am a victim myself, having had my password stolen at 3 different sites (League of Legends, last.fm, LinkedIn), and I am actually fairly certain that the password was the same on all three, as was the email address I signed up with. My wife’s LoL account was also hacked, and since her email account had the same password as her LoL account it was used to send spam emails until hotmail closed it.

Obviously I’m not concerned at all about any of the accounts being compromised. Both my LoL account and my Last.fm account were throwaway accounts with no value to me at all, which is why the password was probably one of the very first that was recovered (6 letters). My LinkedIn account either had the same password, or a slightly more complicated one with 8 characters that include letters and numbers. My LinkedIn account had a little bit of personal information but also nothing that I would really be worried about being available for anyone on the internet (given that it isn’t already).

My wife’s accounts were throwaway accounts too, which means a LoL account with near zero value to anyone and an email address that was only used to sign up for throwaway accounts, obviously also without value.

What I’m trying to say here is that, as most people know, it’s impossible for anyone without an eidetic memory to have exactly one secure password (letters/numbers/special characters, or something long enough not to be cracked, such as 4 different words) for every single account you create anywhere. I cannot even count the number of accounts for websites, applications, email accounts, etc. that I own. Therefore, as I have said before, I use the same password for everything that has zero value to me. Years later I still know that password. I also use the same password for things that have near zero value to me (the hassle of getting the account back, etc., but no monetary value to anyone). I use two factor authentication for pretty much anything that has real value to me.

Now that I’ve written a whole post about how stupid I am with passwords I guess I should get to the point I was trying to make.

I have written about how to hash passwords before, and it is not only sad but inexcusable how relatively big companies are handling your passwords. I think that every site that wants you to make an account should educate users on password security rather than having arbitrary rules about what needs to be in the password you pick. I think that you should have complete freedom in what you want your password to be. If you think “1234” is secure enough for the account you’re signing up for, I think you should be able to use it. However, I think it’s pretty ridiculous that some companies are saving passwords in plain text (plentyoffish used to send the password you signed up with in every email they sent you, in plain text), some companies are saving passwords with a single MD5 hash (which these days is almost plain text), and some companies are saving passwords with a single SHA-1 hash.

As this post shows, a single static salt shared by every user is fairly useless (LinkedIn didn’t even do that), since nobody is looking for collisions in SHA-1 anyway: all the LinkedIn passwords were cracked simply by hashing candidate passwords and comparing the results to the hashes that were stolen. A shared salt would not have increased the time or difficulty of finding the passwords at all. However, even just using the username as a per-user salt would increase the difficulty of cracking the passwords so much that it’s probably not worth trying, because you would have to brute force or dictionary attack every single user’s password by itself. Even if it took just a minute per password, they would need over 10 years to crack 6 million of them, and 6 seconds per password still means a year in total. Now if you don’t hash the passwords once but 500 times, you obviously increase the time to crack each password by 500 times as well.

A last point I want to make is that it’s fairly easy to change the method you’re using to store passwords. Assuming you have one table that stores a username and a password hash for every person using your site, you can just add a new column to the table for the new method of storing passwords (this commentary suggests PBKDF2). Then you change your login checking function so that it first checks whether there is already a value in the new column and, if so, verifies the password against that, obviously using the new hashing method; if there isn’t, it verifies the password against the old value, calculates the new hash, and immediately deletes the old hash. Depending on how often your users log in, you’ll have most passwords stored securely within days or maybe weeks. You could then send an email to all of the people who haven’t logged in in a while asking them to log in, or set a flag in the DB that triggers a password verification email the next time they log on, and then just delete all the old hashes.
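The two previous paragraphs together in code (an added example, not from the original post or from any of the sites named): a login routine that verifies against the legacy unsalted SHA-1 column and, on success, writes a PBKDF2 record with a per-user random salt (rather than the username) to the new column and deletes the old hash, so the table migrates itself as users log in. The scheme parameters (PBKDF2-HMAC-SHA256, 16-byte salt, 100,000 iterations), the record format, the two-column table layout and the sample users are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters of the new scheme (not the blog's): PBKDF2-HMAC-SHA256,
# a random 16-byte salt per user, and 100,000 iterations of stretching.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """The old, unsalted scheme the table currently holds."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample user table: one row per user, legacy hash in `old_hash`,
# new PBKDF2 record in `new_hash` (None until the user has logged in once).
USERS = {
    "alice": {"old_hash": legacy_sha1("correct horse"), "new_hash": None},
    "bob":   {"old_hash": legacy_sha1("hunter2"),       "new_hash": None},
}


def pbkdf2_record(password: str, salt: bytes = None) -> str:
    """Build the value for the new column: 'pbkdf2_sha256$iters$salt_hex$dk_hex'."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(record: str, password: str) -> bool:
    """Recompute PBKDF2 with the salt and iteration count stored in the record."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: dict, username: str, password: str) -> bool:
    """Check the login; if the row still only has a legacy hash and the password
    is right, store the new record and drop the old hash in the same step."""
    row = users.get(username)
    if row is None:
        return False
    if row["new_hash"] is not None:
        return pbkdf2_verify(row["new_hash"], password)
    # Legacy path: compare against the old unsalted SHA-1, then upgrade in place.
    if not hmac.compare_digest(legacy_sha1(password), row["old_hash"]):
        return False
    row["new_hash"] = pbkdf2_record(password)
    row["old_hash"] = None
    return True
```

Rows whose owners never log in keep only the legacy hash, which is exactly the set the post says to chase with a "please log in" email before deleting the old column.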

But the main question remains: nothing I have written here goes beyond common knowledge for anyone who’s even remotely security conscious, and yet some fairly big companies just are not listening. They really should know better. We can only hope that the remaining companies that haven’t changed their hashes yet will do so in the very near future. This especially goes for people who make software for other people to use (phpBB?).

What not to do on your website

Or how to make me never come back.

Like billions of other times in the past (and I’m obviously not exaggerating) I just googled a very simple question and clicked on a link that seemed decent. And like many other times in the past I ended up on a website that I likely will not visit again, ever.

I would be willing to bet that many smarter people have already contributed to this topic, and a lot of them are more entertaining than me, but I just had to share something. There are a few very simple things that you can do to make me (and many others) never come back to your website. Quora.com just found one of them.

Experts-exchange is pretty famous for this one, and rightfully so. It seems like a basic Q&A site, but you don’t actually get to see the answers without registering. It also says you get a free trial, which makes me think that it will cost money after the 30 days. But I just never actually went to check it out because I can probably get better answers on a different site.

So now Quora.com pops up, a site I had never heard of before, and it is also asking me to register or sign in with Facebook. And the first thing I look for is literally the back button. I don’t spend another 3 seconds on the site checking out the features or whether or not it would be worth it. Although I do spend an hour writing a rant about it.

So now that we have beaten that specific problem to death, what are some other things that make me run from a website? Giant overlays are clearly at the top of the list. If you give me a full page overlay that doesn’t let me see the website, there’s a good chance I’m gone by the time it finishes loading. If it’s an advertisement it’s probably even worse. Page load time finishes the trifecta. If it’s a full page advertisement that takes seconds to load, I likely won’t see it because I’ll be long gone. Banners and ad blocks would be another, although fairly minor, issue. If I do have to read something fairly long and I can’t focus on the text because something keeps blinking or moving on the side or top, I might just leave. I do have advertising on this site, and I really wish I could tell Google to only display text ads (but I would sell ad space if you have a non-obnoxious ad you want to place!). And with that we have reached the obvious. If I get nauseated looking at your site I’ll probably leave, but colors and fonts aren’t actually that important as long as it’s fairly legible.