https://login.swissid.ch does this too: disallow password managers from filling out the login. Upon asking them to fix: "Autofill completion is not allowed by us for security reasons. First, if that's the case, if someone gets to your PC, we can stop a hacking attempt and that's one of many reasons. For other questions, we are at your disposal."
They also only enforce SMS as two-factor authentication.
The idea of this SwissID is to become a nation-wide identity service, yet they manage to do everything wrong. Yeah, this annoys me to no end :(
Hah, that page actually allows you to test whether or not a certain email address is signed up for the service, which seems like an even worse idea given what they're to become.
I too have a bad feeling about SwissID. Only SMS as two-factor authentication, turned off by default. No other methods planned, according to the support.
The fact that the Swiss Post requires it as login method makes me uneasy.
Whenever I see messages of this kind, there is some doubt light that turns on in my head. Wondering if it’s possible I missed something, but I always have to conclude that, no, there isn’t anything wrong with my thought process.
Troy and Krebs should team up to create a security hall of shame and only remove companies when issues are fixed.
We have security vendors who have SSLv2 enabled and they can't understand why that's an issue.
We have huge Fortune 250 companies that we exchange full credit card data with that have TLS 1.0 enabled with Symantec certs and only two weak ciphers. I sent them an SSL Labs report and they accused me of breach of contract for hacking the site.
This list of security and finance related vendors that are double facepalm worthy is just astonishing.
I'm doing this in the community where I live and I have discovered that it is super effective. I send an email to each company explaining a security problem with their site (currently focusing on simple lack of HTTPS for form data, and not mentioning the public disclosure because I want to see who fixes things because they care vs. those just avoiding negative publicity) and if they haven't resolved it or replied within a week, I list them publicly on https://www.insecure.org.je.
The site isn't winning me any design awards and needs expanding of the advice articles, but dozens of local companies are immediately spurred to action when they appear in the "Sites requiring extra caution" section. Thousands of local users have directly benefited by the added security, even though they are completely unaware of why it was upgraded.
The reaction from some businesses has been very predictable, with a mix of hostility, threats, confusion and outright lies, but enough respond politely and want to fix things, and I go out of my way to help those who want to learn.
"FedEx will renew the security certificate with Symantec for the following FedEx Web Services servers at 11 pm CDT on September 15, 2018. Please note that these certificates are valid for two years and will expire on October 4, 2020."
> You see, they knew this process sucked - any reasonable person with half an idea about security did - but the internal security team alone telling management this was not cool wasn't enough to drive change. Negative media coverage, however, is something management actually listens to.
I have compassion for these people who made these ludicrous comments -- they clearly aren't cryptographers or digital security experts. Let's separate the people making these comments from the corporations they represent.
Public shaming of a person is never the right response, in my opinion -- live and let live.
Public shaming of a corporation, on the other hand, may be the only way to get the attention of the decision-makers.
As noted in the article, they're a public face of the company. If they don't know the actual answers to questions being posed, they should reach out to someone in their organization who does, not make stuff up.
My compassion dies when their humility does. You cannot affect attitude towards disclosures by accepting the existing attitude. Compassion is bidirectional. A "we will investigate and get back shortly", or a "our internal team has investigated and here is their answer: '...'" is much more appropriate. Several companies' social media responders are courteous. Excusing corporate condescension mouthpieces just encourages the practice.
To be clear:
do you count shaming an official corporate account as shaming a corporation or as shaming the person that actually writes the tweets?
Because of course corporations will always put a person in front of it, so that you feel bad for speaking the truth.
That's why official corporation tweets often carry a signature with a person's first name - it reminds me of Pennac's Malaussène, who by trade is a professional scapegoat.
There's a subtlety that people seem to be missing.
Okay: "that is a dumb policy." "Big Corp's security wicket is hilariously wrong."
Not okay: "You are a moron." "This customer service rep should go find a fast food job."
In the examples he posted, Troy seems to be staying strictly on the side of shaming the companies. Yes, he's doing it by interacting with a customer service rep, but that's their job: to represent the company. He's not attacking the CS reps directly, and I couldn't quickly find any examples from his Twitter account to the contrary.
I think the author agrees with this. And they see the employee behind the customer service account as acting as a mouth of the company. Responding to what they say in that role is shaming the company, not the individual. Bringing the employee's personal life or questioning their individual abilities would be unkind, however.
You clearly did not read the article. This isn't youtube comments; these comments are supposed to be for informed discussion. Please read the article before commenting next time so we can all have a solid place to discuss these issues.
This is addressed in the article, but your comment does not seem responsive to the article. (To summarize: shame works; social media reps function as the face of the organization.)
This is about shaming companies, not individuals. Most of the time you don't even know the individual behind the generic customer support channel anyway.
and remember that corporations are by definition a collection of individuals... is public shaming really the only way to get through to the decision makers? I hate the thought of regulations... but maybe there is a $$ solution here?
I really dislike websites that prevent the use of password managers by disabling the ability to paste. Recently[0], I discovered that you can stop websites from doing this in Firefox by setting dom.event.clipboardevents.enabled = false. This has already improved my quality of life slightly.
I can think of one exception to Troy's claim: companies that hold data of people who aren't their customers. No amount of shaming Equifax would have fixed their practices, because we can't choose to not have our data collected by them.
The worst offenders are max password length limits, especially tiny ones like 8 characters. It's a guarantee that the service does not properly hash and store passwords.
Just as bad - the ones that enforce an uppercase, lowercase, number and special character. Except that they don't tell you that when they mean "special character", they don't mean all of them, and don't tell you which ones are invalid.
I can't tell you how many times my 1Password generated password was disallowed because of a special character that I ultimately had to delete by trial and error.
That usually happens on banking sites because their system is backed by an old mainframe that can only handle 8 characters. The second thing you said is right though -- they probably have terrible security on that mainframe.
It's quite scary to think that a bank only fixes obvious security issues after public shaming. There are a lot of internal services in a bank that are not exposed to the scrutiny of security researchers and will therefore never get patched.
Meanwhile 90% of the banks in France use a 6-digit password that you can't paste because you have to enter it by clicking on a super-secure-random grid... https://imgur.com/a/q91JDXi
Maybe Troy Hunt can publicly shame them into more secure practices but I'm not hopeful.
A question: I know of some companies and banks with such issues. I am no Troy Hunt - what would you do about this? Public shaming doesn't really work when you aren't a public person. Also this is in a non-English environment, so there are no such public figures...
"Now, keeping in mind that the username is your email address and that many among us like cake and presents and other birthday celebratory patterns, it's reasonable to say that this was a ludicrous statement."
It would be interesting to ascertain how many times users on social media flag a security problem to a company's social media team that isn't actually a security problem. In other words, how many false negatives get caught too?
Troy Hunt's post is really told from the victor's perspective (likely a bias rather than intentional or arrogance), but to form a well-rounded view, understanding how many false negatives would likely help...
If the flagging is respectful and the user is mistaken, either they will apologize for the mistake or it's up to the community to lower that user's influence. Troy Hunt is retweeted and upvoted and made famous because he has built a good reputation.
I wrote about non secure contact pages of various banks in Australia back in 2014 [1] and sent them all private messages. Didn't hear back from a single one saying they were working on it. Haven't checked lately to see how or if they changed.
I had a bit of a rant in a job interview about how storing plain text passwords was something only idiots do. I got the job and lo and behold the main feature being worked on when I started 3 weeks later was "encrypt passwords field". So even inadvertent direct private shaming can effect change!
Didn't browsers take a stand a few years ago by ignoring "autocomplete=off" on password fields?
I think it’s about time browsers start ignoring any onpaste events on password fields. I’m curious what Chromium folks think - have there been tickets about this? It would be a great way to end this dumb practice.
Firefox has the dom.event.clipboardevents.enabled pref which can be used to prevent a lot of web naughtiness; however, it does break a couple of legitimate use cases.
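The browser-side workarounds above (the Firefox pref, extensions) fix the symptom for one user; a site owner who wants to stop shipping the anti-patterns this thread complains about needs a check on their own forms. As an added example (not from the thread, and not any browser's or extension's code), the following Node script statically audits login markup for three of them: autocomplete="off" on password fields, inline paste/copy-blocking handlers, and tiny maxlength caps. The regex-based tag scan, the constructed sample forms, the 64-character threshold (from NIST SP 800-63B's minimum recommendation) and all function names are this example's own choices.

```javascript
// Added example (not from the thread): a static audit for password-field
// anti-patterns. It scans <input> tags with a regex so it runs in Node
// without a DOM; in a browser the same checks would be made against the
// live DOM, which also catches handlers attached with addEventListener.

const PASTE_BLOCKERS = ["onpaste", "oncopy", "oncut", "ondrop"];
const MIN_ACCEPTABLE_MAXLENGTH = 64; // NIST SP 800-63B: accept at least 64 characters

// Parse the attributes of a single <input ...> tag into a lowercase-keyed map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([a-zA-Z_:-][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Returns one finding per anti-pattern found on each password field.
function auditPasswordFields(html) {
  const findings = [];
  const tagRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || "").toLowerCase() !== "password") continue;
    const field = attrs.name || attrs.id || "(unnamed)";
    if ((attrs.autocomplete || "").toLowerCase() === "off") {
      findings.push({ field, issue: "autocomplete=off blocks password managers" });
    }
    for (const handler of PASTE_BLOCKERS) {
      if (handler in attrs) {
        findings.push({ field, issue: `${handler} handler interferes with pasting` });
      }
    }
    if ("maxlength" in attrs) {
      const n = parseInt(attrs.maxlength, 10);
      if (!Number.isNaN(n) && n < MIN_ACCEPTABLE_MAXLENGTH) {
        findings.push({ field, issue: `maxlength=${n} caps passwords below ${MIN_ACCEPTABLE_MAXLENGTH}` });
      }
    }
  }
  return findings;
}

// Constructed sample: the anti-pattern form beside one that works with
// password managers (autocomplete tokens "username" / "current-password").
const BAD_FORM = `
<form action="/login" method="post">
  <input type="email" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="off" maxlength="8"
         onpaste="return false;" oncopy="return false;">
</form>`;

const GOOD_FORM = `
<form action="/login" method="post">
  <input type="email" name="user" autocomplete="username">
  <input type="password" name="pw" autocomplete="current-password" maxlength="256">
</form>`;

console.log("bad form:", auditPasswordFields(BAD_FORM));
console.log("good form:", auditPasswordFields(GOOD_FORM));
```

The first form yields four findings (autocomplete=off, onpaste, oncopy, maxlength=8) and the second none. Because a static scan cannot see handlers registered from script, the same checks belong in the site's own end-to-end tests against the rendered page as well.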
It's sad that what Troy is arguing for sounds like the best we can expect right now and he is probably right.
Ideally, there would be mandated processes for any commercial company, like: any serious security vulnerability must be fixable within x hours/days (if a fix is available), i.e. the excuse can't be "we don't have the means or money to fix that right now"; and there are certain things that seem to be accepted knowledge in the security community (like password managers) that somehow are allowed to be circumvented by random companies because they decided so.
The real question is why isn't there a mandated list of global best practice for web app security that can direct any acceptance test of any web site? Can't people like ISACA and ISC2 agree something and make it the gold standard?
> But the hesitation quickly passed as he proceeded to thank me for the coverage. You see, they knew this process sucked - any reasonable person with half an idea about security did - but the internal security team alone telling management this was not cool wasn't enough to drive change. Negative media coverage, however, is something management actually listens to.
Sounds like justification for bad-security whistle blowing too. The downside of encouraging it is that you are easily deanonymized if you had attempted to bring it up internally before. We need a, possibly crowd funded, corporate bad-security whistle blowing foundation that contacts your own company on your behalf and then publicly shames them if they don't fix the issue.
The Swedish Bank ID also disallows copy/paste of passwords. When I contacted the company that builds the solution I got more or less the same response, "it is safer for normal users" which I didn't really understand. Highly annoying.
I have heard the argument that regular users often believe that copying and pasting passwords makes them immune to keylogging, so allowing that will cause some of them to keep a copy of their password on a plaintext file on their desktop where otherwise they would just type from memory.
This is a deterrent for storing a plain text password in a file on your desktop. Frankly, if you are already keylogged your plain text passwords are already stolen.
nickray | 7 years ago
timvdalen | 7 years ago
cstuder | 7 years ago
dcbadacd | 7 years ago
Also, would a fix be a password manager that just ignores the forbidding or is it done with JS somehow?
Aeolun | 7 years ago
They really are just that clueless...
auslander | 7 years ago
That prevents the page's JavaScript code from reading autofills before user action.
Regarding can you trust Troy, check this out https://news.ycombinator.com/item?id=17398821
sschueller | 7 years ago
Personally I like Mobile ID which makes logging into PostFinance or Swisscom easy but not all phone providers are able to offer it.
Sucks that for Post and SBB I need yet another system, SwissID....
abarringer | 7 years ago
tombrossman | 7 years ago
Source is public and if you want to try this locally, I highly recommend it: https://gitlab.com/tombrossman/insecure.org.je
itsameta4 | 7 years ago
http://plaintextoffenders.com/
dschep | 7 years ago
Though, imo, they should be sorted with the worst offenders on top.
tempuser24 | 7 years ago
thaumaturgy | 7 years ago
Heh.
user5994461 | 7 years ago
nathantotten | 7 years ago
I could not agree more with this statement.
coleifer | 7 years ago
Let's be kind and compassionate to individuals.
chasing | 7 years ago
kodablah | 7 years ago
lultimouomo | 7 years ago
thaumaturgy | 7 years ago
rthomas6 | 7 years ago
blauditore | 7 years ago
wbronitsky | 7 years ago
loeg | 7 years ago
manigandham | 7 years ago
the_clarence | 7 years ago
[deleted]
taf2 | 7 years ago
QasimK | 7 years ago
[0]: https://gist.github.com/0XDE57/fbd302cef7693e62c769
AdmiralAsshat | 7 years ago
https://chrome.google.com/webstore/detail/dont-fuck-with-pas...
https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi...
murph-almighty | 7 years ago
manigandham | 7 years ago
slantyyz | 7 years ago
jedberg | 7 years ago
zimbatm | 7 years ago
cocoflunchy | 7 years ago
marek995 | 7 years ago
pentae | 7 years ago
This is when I lost it. Bloody good read.
amarant | 7 years ago
this leads to a situation where I have a 100 digit hashed password I have to type in by hand.
usually I just create a new account, preferably somewhere else.
adrian_mrd | 7 years ago
gowld | 7 years ago
oxplot | 7 years ago
[1]: https://blog.oxplot.com/non-secure-contact-page/
richrichardsson | 7 years ago
srinivasan | 7 years ago
kevincox | 7 years ago
lbriner | 7 years ago
kodablah | 7 years ago
Steer | 7 years ago
zorked | 7 years ago
Not sure if that's what banks are thinking about.
_pdp_ | 7 years ago
Kalium | 7 years ago