As Peter touched on when relating his story about the Gawker password database compromise (in addition to numerous other mentions on this blog), maintaining secure passwords for all of your various online identities is not something to take lightly.  In addition to secure passwords, you should also use passwords unique to each site you are visiting.  You may not care if someone compromises the account you use to comment on Gizmodo, but if you also use that password for e-mail, banking, Facebook, or other sites you may value, you leave yourself open to a painful security breach. In a perfect world, websites would just use OpenID or other roaming credential, so that everyone would only have one secure password to[…]

I received the following email on Monday morning: You don’t know me.  I’m nobody.  My name is Steve.  I came across a database dump from earlier this evening.  It’s making its rounds around the internet.  Besides just the code dump from among other sites, it also contains email addresses and passwords for over 1.3 million accounts.  I’m sending this email to the 200,000 or so people who’s passwords were included, in plain text, in this archive.  I have your password.  However, I have 0 interest in it.  Obviously i’m anonymous so how can you trust me – you can’t.  But trust me, if I had interest in your password, I wouldn’t be emailing you saying I have it. That’s just[…]

Facebook recently introduced some interesting functionality that’s being touted as an “opt-in security feature.” When I first heard that they were incorporating one-time passwords (OTP), I figured it was probably a pretty good idea. In theory, OTP seems straightforward to implement, and can offer some substantial benefits when done correctly. However, after learning how Facebook expects people to request the one-time passwords (via mobile SMS), a potentially negative side-effect becomes apparent. Passwords are often the first line of defense encountered by an attacker. But in this case, OTPs actually undermine the benefit of the original password by creating a temporary token that can be used instead. This creates a security tradeoff, whereby the benefit of a secret password is sacrificed[…]

OAuth is a protocol that lets applications request data or privileges you have on a remote service without you having to provide your credentials for that service. A classic use case for this “valet key” system is contact import – you can let a site load your address book from Gmail without giving that site your actual Gmail password. Twitter recently required that any third-party applications using their API must authenticate using OAuth. Twitter’s implementation is based on OAuth 1.0, which was finalized in April but has been in development for several years and is already widely supported. But work on a new version is now under way, and Facebook has already implemented one variety of the draft specification for[…]

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variation of characters use to construct them. The results were pretty bad. Here are the highlights: -30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords. -Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it has a small character set distribution. On the surface, these[…]