
Stupid security things

609 points| troyhunt | 9 years ago |troyhunt.com | reply

159 comments

[+] gumby|9 years ago|reply
> and I know for a fact 90% of the sites I personally sign up to online also follow that same process.

This is a totally legit response. After all if something goes wrong they must have followed "best practices". No reasonable person would expect them to do more.

And it's true (if you only consider the needs of the business). This is a solid strategy for getting lawsuits dismissed. I've seen it in physical security too [+]. It only took one investment bank to put badge-checking turnstiles in place and then they all had to do it. That stuck with banks only for a while until one more conventional business did it...and now I was at Twitch the other day and they have it.

Of course who's missing here is the customer. But the customer's needs aren't paramount: the business's are -- and more specifically the manager who has to spend the money on security. If they have put in just enough that they won't get fired when it fucks up, and if they saved money and effort in the process: WIN!

[+] my favorite physical security story is old, so at the end: when leaving Intel's Santa Clara fab in the 1990s you would have to hand over your briefcase for inspection to make sure you weren't leaving with any Intel documents. They didn't care if you had floppy disks. Why? Because this was a defense against shareholder lawsuits and "what else could the guards do?" This is where I learned the explanation above: once anyone in the industry increased plant security they all would have to, which nobody wanted. So LCD was the name of the game.

[+] oblio|9 years ago|reply
1. Are you for or against badge-checking turnstiles? I can't quite say for sure.

2. LCD = lowest common denominator in this case?

[+] IshKebab|9 years ago|reply
> This is a totally legit response.

Apart from the fact that it is totally untrue?

[+] schwede|9 years ago|reply
But is it that much harder to provide a unique and expiring reset link in the email instead of sending a new password?
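The reset-link flow schwede is asking about, written out as an added illustration (this is not code from the thread or from any of the sites discussed). The 15-minute lifetime, the in-memory `reset_tokens` store standing in for a database table, the user ids and the `/reset?token=` URL layout are all constructed for the example. The important properties are that the link carries a random single-use secret rather than the new password, that only a hash of that secret is stored server-side, and that it stops working after first use or after the deadline.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: links die after 15 minutes

# Constructed in-memory store standing in for a database table:
# sha256(token) -> (user_id, expires_at). Only the hash is kept, so a dump
# of this table does not yield working reset links.
reset_tokens = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Mint a fresh single-use token for user_id and return it for the e-mail.
    Any earlier outstanding token for the same user is revoked first."""
    now = time.time() if now is None else now
    for digest, (uid, _) in list(reset_tokens.items()):
        if uid == user_id:
            del reset_tokens[digest]
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    reset_tokens[_digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(base_url, token):
    # Hypothetical URL layout; the token is the only secret in the link.
    return f"{base_url}/reset?token={token}"


def consume_reset_token(token, now=None):
    """Redeem a token from a reset link. Returns the user_id, or None if the
    token is unknown, already used, or expired. The entry is removed as soon
    as it is looked up, so a link works at most once."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print(build_reset_link("https://example.invalid", t))
    print(consume_reset_token(t))   # alice
    print(consume_reset_token(t))   # None: already used
```

Compared with e-mailing a new password, nothing in the message is reusable once the link has been clicked, and the e-mail account only ever sees a short-lived token rather than a credential that may stay valid for months.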
[+] throwaway6845|9 years ago|reply
This is pretty horrifying.

But almost as bad: websites that insist on over-elaborate security measures for trivial stuff. Take a bow, HM Revenue & Customs:

> You’ve got a new message from HMRC

> Dear Fred

> You have a new message from HMRC about Self Assessment.

> To view it, sign in to your HMRC online account. For security reasons, we have not included a link with this email.

> Why you got this email

> You chose to get paperless notifications instead of letters by post. This means we send you an email to let you know you have a new message in your account.

> From HMRC Self Assessment

And HMRC have mandatory 2FA. So to read the spam they've sent me - and it is pretty much spam, it says "you need to do your self-assessment before next January", I know that already - I need to go through the rigmarole of entering my Government Gateway number, which I don't remember but starts with a 4 or something and hopefully that will be enough for Chrome to autofill it, then authing with my mobile phone. Which I think I left upstairs or something. Wait while I ring it with the landline to find where it is.

Seriously, I might just go back to getting letters by post.

Edit: No. My Government Gateway number which starts with a 4 is my company one. My Self-Assessment login appears to be a different number.

People elsewhere in the world, whenever anyone tells you that the UK Government Digital Service is a beacon of usability and good practice, please don't believe them.

[+] bungie4|9 years ago|reply
Programmer (not me!) manually iterates over the user file (passwords in plain text, natch). If he finds a matching username (format is enforced, so dead easy to guess), he sets the auth cookie. THEN he goes looking for the password. You don't have to enter any password. At that point, just hit the back button a couple of times and refresh and BING! You can impersonate anybody on the system. Including the admin, because guess what the admin's username is.

This guy is notorious for writing crap like this. But according to the powers that be, he's a 'god'.

The funnier bit? This site is RSA protected.
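The login defect bungie4 describes, reproduced beside a corrected version. This is an added illustration, not code from the thread or from the system being described; the `PLAINTEXT_USERS` table, the `session` dict standing in for the auth cookie and the PBKDF2 parameters are constructed for the example. The vulnerable function keeps exactly the ordering in the comment (session set as soon as the username matches, password checked afterwards), so a wrong password still leaves the session set. The hardened version stores only salted hashes, compares in constant time against a dummy record for unknown usernames, and touches the session only after the whole check has passed.

```python
import hashlib
import hmac
import os

# Constructed user table. The vulnerable version below uses plaintext only
# because that is what the comment describes.
PLAINTEXT_USERS = {"admin": "hunter2", "alice": "correct horse"}


def vulnerable_login(session, username, password):
    """Mirrors the described logic: the auth cookie is set on username match
    and only then is the password examined. Returns True on success, but the
    session is already populated even when it returns False."""
    for stored_user, stored_pw in PLAINTEXT_USERS.items():
        if stored_user == username:
            session["user"] = username          # cookie set BEFORE the password check
            if stored_pw == password:
                return True
            return False                        # error page shown, session left in place
    return False


def _hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumed value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


# What a sane user store holds: per-user salt and hash, never the password.
HASHED_USERS = {name: _hash_password(pw) for name, pw in PLAINTEXT_USERS.items()}

# Dummy record so an unknown username costs the same time as a known one
# (no username enumeration via response timing).
_DUMMY = _hash_password("dummy-password-never-valid")


def hardened_login(session, username, password):
    """Set the session only after both username and password have verified."""
    salt, expected = HASHED_USERS.get(username, _DUMMY)
    _, actual = _hash_password(password, salt)
    ok = hmac.compare_digest(actual, expected) and username in HASHED_USERS
    if ok:
        session.clear()                         # drop any pre-login session state
        session["user"] = username
    return ok


if __name__ == "__main__":
    s = {}
    print(vulnerable_login(s, "admin", "wrong"), s)   # False {'user': 'admin'}
    s = {}
    print(hardened_login(s, "admin", "wrong"), s)     # False {}
```

Sami_Lehtinen's reply below describes the same code passing its tests because the failure path calls logout; the vulnerable function here shows why a test that only checks the return value would pass while the session is still set.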

[+] BinaryIdiot|9 years ago|reply
I used to work at a life insurance company that had a sessions page for the developers that wasn't locked down at all. If you could get someone's id you could go directly to this page and set your user id to that. Done.

They also had a contest for their agents and the database they used to store all of the entries and information was an access database that happened to be sitting in the public directory for the website to simply serve to anyone who knew to request the database.

Seeing so much "security" makes me realize that a large majority of sites out there are a complete shit show, especially if the companies I worked for / with couldn't get it right and they actually had some money to their name.

[+] Sami_Lehtinen|9 years ago|reply
Been there, done that. The only thing you didn't mention was that if you do give a wrong password, it calls the logout function. So all tests do work. You can't log in with a wrong password.
[+] jjnoakes|9 years ago|reply
Blow the whistle anonymously. Let people know which site it is.
[+] gruez|9 years ago|reply
>The funnier bit? This site is RSA protected

What does that even mean?

[+] gambiting|9 years ago|reply
Huh, a couple of years ago Santander in the UK changed their web layout. No big deal, except that my password wouldn't work anymore - I rang them up, and they said "did you have any special characters in your password? If yes, then they have been removed because the new system does not support special characters. Please use the same password as before, but without special characters".

1) This is one of the largest banks in the UK and they don't accept special characters?

2) If you store my password encrypted (as you should be!), how could you remove any characters from it?

I sent them an official complaint, they replied saying their security is fantastic and there is nothing to worry about, I closed my account a week later.

[+] empath75|9 years ago|reply
My (former) bank used social security numbers as user accounts, and let you reset your password over the phone with nothing more than address and birth date.
[+] OJFord|9 years ago|reply
They (as seems to be standard) ask you to enter 3 characters in positions of their choosing, so they need plaintext to be able to do that.

It's clearly not as secure as it could be, and it's annoying to work out too - I wish they'd just do normal 2FA. Those plastic keyfobs HSBC use are even worse.

[+] ilamont|9 years ago|reply
Chase doesn't accept certain characters, including "&".
[+] djtriptych|9 years ago|reply
That "What is the name of your grandmother's dog?" security question made me lol @ work.

This really makes me want to write a "Stupid security questions generator" website.

[+] jfoutz|9 years ago|reply
I don't know if it's a good practice or not, but I usually just pick a word to use for all security questions that's totally unrelated to the question.

e.g. In what town did you first meet your best friend? "potato".

[+] mandeepj|9 years ago|reply
Are you guys all serious? Just give it a word which you can remember. They are not going to cross check it.
[+] OJFord|9 years ago|reply
Why is that funny or bad?

If your grandmother is living and has a single dog, as 'security questions' go that would strike me as being pretty good.

[+] yeukhon|9 years ago|reply
I feel like we need laws in place on software and hardware security. Laws to punish crimes is good, but we also need some regulation, simple ones, to govern how companies have the obligation to manage software and hardware security.

I think:

* companies running a website and collects customer data must have an incident response plan laid out.

If we punish bad service providers reported by consumers, why can't we do the same? We are talking about companies ignoring and downplaying even the most low-hanging fruit vulnerability, and companies that don't understand web security because the workers there have no clue what they are dealing with. If we can't raise our cyber security awareness and education domestically, then we fail at being a top technology leader in this world. I don't expect every company hires a security engineer, perhaps under some managed services.

[+] cookiecaper|9 years ago|reply
This is a very dicey subject. I think it's best to keep it loose as long as possible. Introducing a regulatory body into any field is perilous, but something as fast moving as software and security would be frightening. What happens when the regulation is that you have to use the algorithm that was cracked last month? Eek.

Voluntary, socially-enforced customs are better. Things like the MPAA rating system have successfully staved off government intervention. Such standards are much more flexible.

We already have this de-facto via TLS and the browser's angry messages if you don't comply with their expectations, but it'd be interesting if browsers started running a more thorough security verification program and giving preferential treatment to sites that implemented it.

That is also scary because it centralizes more control in browser manufacturers (which, today, means Google almost as much as it meant Microsoft in the oughts). But still better than the government I guess, and blocking a site in software is much more motivating than the risk of a fine for non-compliance.

[+] peterwwillis|9 years ago|reply
I remember when cookies were where every site kept their cached credentials in plaintext. It was so popular you didn't need a password manager, just a cookie and form manager.

In case most of you didn't know/forgot: a large amount of the modern security practices on the web are due to browsers making it easy for sites to attack users, and making MITM trivial. The most common attack vector is literally the browser and protocol design, not a bug in the browser.

Also, to replace passwords, all you need is TOTP. You can combine TOTP with a 2nd factor for a little boost, but TOTP is much better than passwords, and more convenient when automated. Combine this with password reset and one-time use codes and the majority of users would not need to remember more than one or two passwords (the password for their e-mail or OAuth provider). You can also password-protect the shared secret to protect data at rest (some VPNs do this as an alternative to physical tokens).

A protocol extension could define a handshake to negotiate TOTP tokens. The browser would generate a token with a plugin and send it securely after prompting the user to authorize it, and optionally try to verify the identity of the site. It could be extended to rotate the shared secret after an expiration period.

Also, it's about time we defined a better secure mail standard so we can rely on password resets to be valid and eliminate phishing.

[+] deathanatos|9 years ago|reply
If you contacted Rackspace's chat support while logged in, the representative sometimes asked the security question. To which (remember, you're logged in) you could click "Account Settings", "Security Question" copy paste.

A former employer of mine had internal security questions. Five of them. They were all inane questions, the "favorite movie?" type, so I came up with a somewhat random answer and used the same answer to all of them. The one time I had to use it, the representative asked all five questions, and I gave him the same ridiculous answer each time. He did it all with a straight face somehow, and looking back, I don't know why I didn't stop him at the fourth question to ask "if I knew the first three, you really think I don't know the last two?"

[+] _jal|9 years ago|reply
Thank dog someone is making a cable that reduces virus noises. I just don't know what I've done all this time without one.
[+] jwilk|9 years ago|reply
Do you mean your grandmother's dog?
[+] Neliquat|9 years ago|reply
The number of webmasters who wanted me to set up ssl to 'secure' their site, while the backend emailed cc info in the clear to the orders dept is larger than I have digits, even the extra adolescent joke ones.
[+] nojvek|9 years ago|reply
To be honest credit cards are a terrible system in terms of security. Everything to make a charge is on the card and people freely give it out to different websites.
[+] r1ch|9 years ago|reply
Reminds me of Cloudflare's "Flexible SSL", where backend connections aren't encrypted at all.
[+] krupan|9 years ago|reply
Why do we still use passwords? When I connect to Amazon.com I don't ask them for a username and password to verify they really are Amazon. I verify their certificate. Why can't I authenticate with a certificate too?
[+] drspacemonkey|9 years ago|reply
Back in the dark, dark days before LetsEncrypt, I had some StartSSL free certs. At one point, I was logging into their site using a certificate. I assume it was quite secure, but it was a complete PITA to set up. Especially when I wanted to log in on a different machine.
[+] tomjen3|9 years ago|reply
You can. Client side SSL is a thing, and it totally prevents phishing - pretty much any browser has supported it for ten years.

It is also a UX nightmare. The browser you are reading this with almost certainly supports it, but try to see if you can find the menu option to install one.

[+] joncp|9 years ago|reply
Imagine your grandmother managing her certs. Ain't gonna happen.
[+] cookiecaper|9 years ago|reply
This has been implemented before. I briefly maintained a legacy project that supported it via IE. In practice, it's a nightmare. Users constantly lose their certs and require manual re-auth. There was a complex install process to get the new cert in place. Usernames and passwords were still a thing; the cert was just to verify that you're coming from an authenticated computer.

Something like your proposal may work if it involves a one-way hash of biometric data (fingerprint scan) so that people can't "lose their cert", but that comes with its own problems too.

[+] klez|9 years ago|reply
Because users are more likely to lose a certificate or have it stolen than a website. What happens then?
[+] trevor-e|9 years ago|reply
I'm guessing that it would not be feasible to manage a CA of that size.
[+] saltyshake|9 years ago|reply
WeMoney.ru has been offering precisely that since 2007 at least.
[+] sphinx65|9 years ago|reply
Wow, that might be the worst I've ever seen.

Does anyone here buy from auction sites often? Those are a nightmare, they let the sellers do pretty much anything and very few accept paypal (they're THAT stingy) - sellers on liveauction.com routinely ask buyers to provide credit card info over email. It looks like a lot of sellers are flocking to these because ebay is too strict, wait, I mean "sane".

[+] pmtarantino|9 years ago|reply
Recently I won an auction at Galabid.com. They use Stripe and after putting in my credit card, it was denied (I think because it was a large payment and I have no limits). Unfortunately, the Stripe JS popup didn't let me change the card. I don't know why - I tried incognito, diff browsers, but it was helpless. I had to send another card number and all its data through email or the items were going to be auctioned again if I didn't pay in 24 hours.
[+] CM30|9 years ago|reply
Another example of possible poor security (which seems to be depressingly common with UK banks) is to ask for certain characters from your password. Like say, the 1st, 3rd and 5th characters in the word.

However, if the password was encrypted, they shouldn't really have this information, should they? So by asking for it, they're basically admitting everything's stored in either plain text (very bad) or a reversible form of encryption (also quite bad).

There are other complaints about this too (like accidentally encouraging people to write the passwords down so they can figure out which character is the 3rd one or what not):

https://security.stackexchange.com/questions/64589/is-it-bad...

And it also doesn't seem much like a good deterrent against keyloggers. But yeah, quite a few banking sites do this, which is a tad worrying.

[+] draw_down|9 years ago|reply
I can't believe people still inform and try to counsel these tone-deaf corporations. The upside is so small and the downside is potentially quite large. Catch some moron CEO in a bad mood and they've got plenty of resources to make your life hell even if they don't have a legal case.
[+] yeukhon|9 years ago|reply
So what is your suggestion here?
[+] zanny|9 years ago|reply
> And before we all lose our minds going "the password must die", nobody has yet figured out how to make that happen!

If I were designing a new product today, I would never consider having usernames and passwords. While it is a shame Mozilla killed Persona before it could even have a chance, it is still way, way more reasonable to use third party signin buttons than to try to do it on your own. Again. Brokenly. For the thousandth time per person.

It is a shame that one button alone does not work, but just OpenID Connect includes Google, MS, and Amazon (so one login backend and three click buttons and you are covering probably 99% of people, who will have one of those three accounts).

[+] unethical_ban|9 years ago|reply
I would not funnel users into one of several privacy-sucking walled gardens to use my site.

If there were a true, privacy-oriented product whose sole job was identity, perhaps.

Usernames and passwords are not hard. It's just that a lot of people are stupid.

[+] pavel_lishin|9 years ago|reply
I hate most OpenID implementations, because I can never remember which particular provider I used to authenticate with them.
[+] CM30|9 years ago|reply
Some of this stuff is absolutely terrifying. I mean, using the last four digits of a mobile number as a password? Damn, it's a site where a leaked username list is literally a major data breach.

LOL at 'reducing virus noises' too.

[+] makecheck|9 years ago|reply
If there’s one thing that needs to go away ASAP, it’s “security” questions. They are so time-consuming, they increase the amount of information shared with 3rd parties, and the quotes I used are intentional because the questions provide no security whatsoever. Quite the opposite: these questions simply force people to share more information than they should be required to share, and (for most people who don’t think to lie) it increases the chance that sensitive secrets will be revealed and used to impersonate people.

It’s even worse when these “security” questions are coupled with the “Monday-Friday, 9-5 ET” phone numbers. I once had a mobile login “lock out my account” on a Friday night and I was informed that I could not unlock it without calling one of those numbers and answering my “security” questions. So instead of having access as a customer, I had over two full days of nothing, followed by the obligation to find time to call these people, followed by the awkward process of wondering if I would even remember the damned questions or answers. Every last bit of that process is broken, wrong, unnecessary, adds no security, and disrespects customers.

And in case you think account-lockouts are any better, consider that it is TRIVIAL to use this as an attack. Someone you don’t like? Odds are you can find their E-mail log-in. “Guess” their password 3 times, and they can’t access their account at all for some extremely-inconvenient length of time. Ever-increasing delays between log-in attempts work just fine as an alternative to lockouts.
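The alternative makecheck suggests, ever-increasing delays instead of a hard lockout, as an added example (not code from the thread or from any of the services discussed): a per-account throttle whose required wait doubles after each failure up to a cap, plus a helper that works out how many guesses that allows over a given period. The three free attempts, the 1-second base and the 15-minute cap are assumed values, and the in-memory `_state` dict stands in for whatever store holds per-account counters.

```python
FREE_ATTEMPTS = 3      # failures tolerated before any delay (assumed)
BASE_DELAY = 1.0       # seconds of wait after the first counted failure (assumed)
MAX_DELAY = 15 * 60    # cap: the account is slowed, never permanently locked (assumed)


def delay_for(failures):
    """Wait imposed after the n-th consecutive failure: 0 for the free
    attempts, then doubling from BASE_DELAY up to MAX_DELAY."""
    if failures <= FREE_ATTEMPTS - 1:
        return 0.0
    return float(min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY))


def attempts_within(seconds):
    """How many password guesses an attacker can make against one account in
    `seconds`, assuming every guess fails and each wait is honoured."""
    elapsed = 0.0
    attempts = 0
    while elapsed <= seconds:
        attempts += 1
        elapsed += delay_for(attempts)
    return attempts


class LoginThrottle:
    """Per-account throttle. Unlike a lockout, a legitimate user who knows
    the password is only ever delayed by at most MAX_DELAY, so a stranger
    guessing three wrong passwords cannot shut them out for the weekend."""

    def __init__(self):
        self._state = {}    # account -> (consecutive_failures, not_before)

    def check(self, account, now):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - now)

    def record_failure(self, account, now):
        """Count a failed attempt and return the wait it imposes."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        wait = delay_for(failures)
        self._state[account] = (failures, now + wait)
        return wait

    def record_success(self, account):
        """A correct password clears the counter."""
        self._state.pop(account, None)


if __name__ == "__main__":
    for n in range(1, 8):
        print(f"after failure {n}: wait {delay_for(n):.0f}s")
    print("guesses possible in 24h:", attempts_within(24 * 3600))
```

With these numbers an attacker gets on the order of a hundred guesses per account per day, which is useless against any password that is not on a very short list, while the worst a hostile third party can do to the real owner is make them wait out one capped delay rather than phone a 9-to-5 helpdesk.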

[+] saulrh|9 years ago|reply
I've seen the "Express <Form with Personal Data>" vuln before, but with people's SSNs, DOBs, and bank account numbers, plus sequential numeric user IDs instead of emails. It's fixed now, thankfully, but, uh, yeah.
[+] schwede|9 years ago|reply
That was a very entertaining, but very sad read...