I initially posted this as a comment on a duplicate submission, not realising it was a duplicate. So I've moved it here to the original. For some reason someone down-voted it there - no idea why - so I hereby give them the chance to down-vote it again, but ask for a reason.
Usually submitting XKCD is frowned on, but I'm pleased to see this one submitted. This attack vector is so seldom recognised as a real potential problem. It neatly explains the problem of password re-use.
As an aside, it's known that One-Time-Pad is provably secure. What's less well known is that during WW2 OTP systems were occasionally broken, because in the real world they ended up being Two-Time-Pads. People re-used a pad because they didn't get a new pad in time, etc. This was going to be one of my greybeard stories, but I'm still getting closer to the information source.
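The "Two-Time-Pad" failure mentioned above is easy to show concretely. The following is an added example, not part of the comment or the thread: it encrypts two constructed sample messages under one pad, shows that the XOR of the two ciphertexts equals the XOR of the two plaintexts (the pad cancels out, so knowing one message gives away the other), and contrasts that with a small pad allocator that refuses to hand out the same bytes twice. The class and function names are the example's own.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time-pad encryption (decryption is the same operation).
    Refuses a pad shorter than the message: every byte needs fresh key material."""
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad)


def observer_view(ct1: bytes, ct2: bytes) -> bytes:
    """What anyone holding two ciphertexts can compute with no key at all: their XOR.
    If both were made with the same pad, the pad cancels and this is m1 XOR m2."""
    return xor_bytes(ct1, ct2)


def other_message_if_pad_reused(ct1: bytes, ct2: bytes, known_m1: bytes) -> bytes:
    """Under a reused pad, knowing one plaintext hands over the other: (m1^m2)^m1 = m2."""
    return xor_bytes(observer_view(ct1, ct2), known_m1)


class PadStore:
    """Defensive side: hand out each pad byte exactly once. When the pad runs out,
    fail loudly instead of quietly reusing bytes (the 'didn't get a new pad in time' case)."""

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise RuntimeError("pad exhausted; refusing to reuse key material")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk


def demo(pad=None) -> dict:
    # Constructed sample messages; the pad is random unless one is supplied for repeatability.
    m1 = b"ATTACK AT DAWN"
    m2 = b"RETREAT TONIGHT"
    pad = pad or os.urandom(len(m1) + len(m2))

    # Wrong: the same pad bytes protect both messages.
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)
    leaked = observer_view(c1, c2)

    # Right: a store that never returns the same bytes twice.
    store = PadStore(pad)
    d1 = otp_encrypt(m1, store.take(len(m1)))
    d2 = otp_encrypt(m2, store.take(len(m2)))

    return {
        "reuse_leaks_m1_xor_m2": leaked == xor_bytes(m1, m2),
        "reuse_reveals_m2_given_m1": other_message_if_pad_reused(c1, c2, m1) == m2[:len(m1)],
        "fresh_pad_hides_relation": observer_view(d1, d2) != xor_bytes(m1, m2),
        "pad_bytes_left": store.remaining,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `PadStore` is that the safe behaviour is an error, not a fallback: a system that silently keeps encrypting after the pad is spent has the same weakness as a user who keeps typing the same password into every site.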
This reminds me of the good old days of searching Limewire for "password .txt .rtf .doc". It's incredible what folders and documents people would foolishly share.
But the most important thing I learned is this: email account passwords are worth their weight in gold! As soon as you have an email address and password, you have access to a searchable list of logins and password confirmations.
This is even more worrying than the example the comic utilises. You still have to (manually or automatically) go to these sites and guess the username (is it bob101 or is it 101bob this time?) and try the various passwords. As soon as you're into an email account you have quite the dangerous list. All of which are confirmed and ready to go.
-- This is entirely a work of fiction, and in no way describes my teenage years.
And the e-mail password is recoverable by guessing the answer to a weak security question, so in a sense a weak security question answer is the master password.
Instead of collecting the passwords, have the submission button show a page about sane password practices. (Something similar to http://ismycreditcardstolen.com/)
Actually, a company-wide Starcraft 2 tournament is more likely. Oh wait, we just finished one of those last week. And then had HDStarcraft come and cast the finals.
The fun part is that password complexity makes this problem worse, not better.
People use the same user/pass combo for every site they visit, except when one of them forces them to use a complicated password that they can't remember. So they send themselves an email with the site name, username and password so that they can find it next time they need to log into their bank.
So once your registry cleaning website has their email password, you also have a nice list of all their strong passwords too.
Adding to the irony, most people know that they need a different password for their bank, so if you just let them pick one without forcing complexity, they'll choose something they can remember, and their bank account will be safe.
But letting them pick a password without forced complexity makes it significantly easier to crack their password using one of the various, comprehensive, easy to find and download wordlists or dictionaries.
In the real world though, passwords aren't cracked nearly as often as they're read off a post-it note stuck to somebody's monitor.
Loosen complexity and you can eliminate that post-it. That's a huge overall win.
Complexity in itself isn't actually that bad. It's arbitrary complexity that spawns all those post-its. You can come up with a strong password that you and only you can remember, but it's useless if your bank rejects it due to its own silly complexity policy. There are sites out there that I regularly fail to log in with using my standard "strong" passwords, and it's not until I make it all the way through the Reset Password process to where it tells me its complexity requirement that I'm reminded which password I must have used last time I went through the process.
The only real solution is to let people use the word "password" if they really want. It's still orders of magnitude safer than having them keep a file/email/post-it full of plain text passwords sitting around in plain view.
Fully agree with the first post-it point, but I disagree with:
> The only real solution is to let people use the word "password" if they really want. It's still orders of magnitude safer than having them keep a file/email/post-it full of plain text passwords sitting around in plain view.
If I have "password" as password for my work webmail/remote login, it can be broken by any yokel on the internet with five minutes free time. If I have "ge.9u30!ey0" written on a post-it note on my desk, it can only be "cracked" by people with physical access to my office.
Also note that people who have physical access to my office already have security privileges similar to my own, mitigating the actual risk - they can't do much more damage with my password than they could without. And if they wanted my private stuff, they could just as well nab my harddisk.
Not that I'm justifying passwords on post-its in any means whatsoever, by the way. :-)
If you have a good bank, they should be limiting it to y wrong tries every x minutes, and have good fraud detection mechanisms in place. So the viability of brute forcing bank passwords should be rather low. So the risk looks rather minimal compared to the large scale exploitation that is possible with the other method.
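The "y wrong tries every x minutes" control above is a sliding-window failed-login counter. The following is an added example, not code from the comment or the thread: a throttle keyed on both the account and the source address, wired into a login check against a constructed sample user record (PBKDF2-hashed, compared in constant time). Names such as `LoginThrottle`, `attempt_login` and the user "alice" are the example's own inventions, and `ManualClock` exists only so the window can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Allow at most max_failures wrong attempts per key inside a sliding window.
    Keys are arbitrary strings, so the same object can throttle accounts and sources."""

    def __init__(self, max_failures=5, window_seconds=600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = float(window_seconds)
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        """Drop failures older than the window and return the live queue plus 'now'."""
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q, now

    def is_blocked(self, key) -> bool:
        q, _ = self._recent(key)
        return len(q) >= self.max_failures

    def retry_after(self, key) -> float:
        """Seconds until the oldest counted failure ages out; 0.0 when not blocked."""
        q, now = self._recent(key)
        if len(q) < self.max_failures:
            return 0.0
        return self.window - (now - q[0])

    def record_failure(self, key) -> None:
        q, now = self._recent(key)
        q.append(now)

    def record_success(self, key) -> None:
        self._failures.pop(key, None)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (not real credentials): username -> (salt, pbkdf2 hash)
_SALT = os.urandom(16)
_DUMMY_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery staple", _SALT))}


def attempt_login(throttle: LoginThrottle, username: str, password: str, source_ip: str) -> str:
    """Returns 'ok', 'bad_credentials' or 'locked'. Checks the throttle before touching
    the password so a locked account is not brute-forceable at all during the window."""
    acct_key = "acct:" + username
    src_key = "src:" + source_ip
    if throttle.is_blocked(acct_key) or throttle.is_blocked(src_key):
        return "locked"
    record = USERS.get(username)
    if record is None:
        # Unknown user: still spend the hash so timing doesn't reveal which usernames exist,
        # and still count the failure so lockout behaviour doesn't reveal it either.
        hash_password(password, _DUMMY_SALT)
        ok = False
    else:
        salt, stored = record
        ok = hmac.compare_digest(hash_password(password, salt), stored)
    if ok:
        # Clear the account counter only; a source that failed many times then
        # succeeded is still worth watching, so its counter is left to expire.
        throttle.record_success(acct_key)
        return "ok"
    throttle.record_failure(acct_key)
    throttle.record_failure(src_key)
    return "bad_credentials"


class ManualClock:
    """Test clock so the sliding window can be advanced without sleeping."""

    def __init__(self, start=0.0):
        self.t = float(start)

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clk = ManualClock()
    th = LoginThrottle(max_failures=3, window_seconds=600, clock=clk)
    for _ in range(3):
        print(attempt_login(th, "alice", "wrong", "10.0.0.1"))
    print(attempt_login(th, "alice", "correct horse battery staple", "10.0.0.1"))  # locked
    clk.t = 600.0
    print(attempt_login(th, "alice", "correct horse battery staple", "10.0.0.1"))  # ok
```

Two design choices matter here: the limit is enforced per account and per source separately, so neither a single attacker spraying many accounts nor many sources hitting one account slips under the count; and a correct password during the lockout still returns "locked", which is what makes the window a real limit on guesses rather than a cosmetic delay.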
I thought of this 9 years ago, and got stuck at the same step as the hat guy. Once you have the login details, then what? The only thing you can really do with the information is be a giant douchebag, and that's not cool.
I often wonder why this hasn't already happened on a massive scale.
I figure a bunch of Russian and Chinese hackers are skimming off cents at a time or something because they don't want to kill their golden goose by being too overt.
Well, exactly that is the reason why we should adopt something like OpenID. Of course, if someone catches the password of your OpenID provider, you are also fucked. But all OpenID consumers (i.e. any random site) will not get it that way. Also, you can easily globally change your password for just everything if you know that your old one has become insecure.
Why do people remember passwords? We've had browsers that can remember them for you, password1, etc. for years now. I make up a new password for every single site I have to log into and let the browser remember it.
Mainly because most people log into these sites from more than one computer.
It's imperative for me to recall all of my passwords as I need them both at work and at home. Currently I am rotating between three different passwords but this is an area I am becoming increasingly paranoid over.
Use a password keyring! Mozilla provides one if you enable master password and sync your profiles between home and work. KWallet, GNOME Keyring and KeePass are other alternatives. I was working on backporting a Gaim master password patch to Pidgin but haven't had the time to finish it.
If you write down some passwords on paper and put them in your wallet, RC4-encrypt them with a master password and write down the base64 equivalent. There should be plenty of free JavaScript decoders for base64 and RC4 so you can decode them wherever you can find a browser. (Yes this is paranoid, but if people know you keep passwords in your wallet it's trivial to get your pocket picked.)
If you have relatively few passwords, use Bruce Schneier's advice and write them on a piece of paper that you keep in your wallet - safe and available.
I personally use KeePass, which isn't cloud-based, but I drop the database file into my Dropbox. I also have a copy of KeePass portable and my database on a disk-on-key which I keep on my keychain. This isn't usually up-to-date, but it does have the most important stuff in there.
LastPass is fantastic (http://lastpass.com/) for website passwords, but isn't too great for non-websites. It's very similar to 1Password, but cross-platform. It can be used to manage non-web passwords, but it's kind of a manual process using their secure notes.
I use Bruce Schneier's advice and keep them on a piece of paper in my wallet. Always safe and available. Of course, I only have a few dozen, not the hundreds some people claim they have to manage.
I store the data file on dropbox, so it is replicated across different machines I use. Each machine has the PasswordSafe program (binary) installed on it.
http://news.ycombinator.com/item?id=1333934
http://news.ycombinator.com/item?id=996250
http://news.ycombinator.com/item?id=994358
http://news.ycombinator.com/item?id=1001262
I really have to find time to go back and organise them properly.