I take password security very seriously. I’ve already written about how people can improve their password habits to keep themselves safe. This piece, however, is for those of you who build websites that provide password-related functionality. It is a list of password crimes that some websites commit. I describe each crime, then point out some of the criminals (a.k.a. websites) that commit it.
(This list is not guaranteed to stay up to date. The post is a snapshot in time, accurate as of early June 2014, when its first draft was written.)
I’ve been paying quite a bit of attention to the story of Edward Snowden, the former NSA contractor who leaked classified information to the American public about how the government is spying on us through acronym-laden programs such as “PRISM” and “MUSCULAR”. Allow me to be your tour guide as we uncover just a few of the ways in which the NSA has broken the law and spied on American citizens.
Foreign Intelligence Surveillance Act (1978)
It all started in 1978 with the passage of FISA:
My friend Michelle recently explained to me that “password” is a perfectly valid password to use. Her reason? “People always say not to use it. So now that nobody uses it anymore, it’s totally secure again!”
How I’d Hack Your Weak Passwords
In this case, Michelle made a fatal assumption: that human beings would be manually typing in guessed passwords. What she failed to understand is that any off-the-shelf computer can chew through possible passwords at an incredible pace, and that an attacker who has stolen a site’s password hashes can make those guesses offline, with nothing to slow them down.
I recently wrote about the work I did to change every single password I had into one that is unique for each site, and far harder to brute-force because it is long and random. As part of this exercise, I was essentially trying to change 250 passwords on 250 websites as quickly as possible. When you do this, you end up seeing trends and patterns across unrelated sites that you might not have noticed otherwise.
Observations
Here are some of the patterns I observed about how websites manage passwords:
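An added example, not code from the post, of what “long and random” buys you: a unique per-site password drawn from a CSPRNG, and the keyspace an attacker would have to search compared with an eight-letter lowercase password. The site names and the 10 billion guesses-per-second cracking rate are assumed figures for illustration.

```python
import math
import secrets
import string

# Added example, not code from the original post.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ASSUMED_GUESS_RATE = 10 ** 10  # guesses/s: an assumed figure for a GPU cracking rig


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters from a CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second=ASSUMED_GUESS_RATE):
    """Expected time to hit a uniformly random password: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def build_vault(sites, length=20):
    """One independent password per site, so a breach at one site
    yields nothing that can be replayed at the others."""
    return {site: generate_password(length) for site in sites}


def compare(weak_length=8, weak_alphabet_size=26, strong_length=20):
    """Return (weak_bits, weak_seconds, strong_bits, strong_seconds)."""
    weak_bits = entropy_bits(weak_length, weak_alphabet_size)
    strong_bits = entropy_bits(strong_length, len(ALPHABET))
    return (weak_bits, expected_crack_seconds(weak_bits),
            strong_bits, expected_crack_seconds(strong_bits))


if __name__ == "__main__":
    # Constructed site names, not real accounts.
    vault = build_vault(["example.com", "bank.example", "shop.example"])
    for site, pw in vault.items():
        print(f"{site:14s} {pw}")
    wb, ws, sb, ss = compare()
    print(f"8 lowercase letters: {wb:.1f} bits, about {ws:.0f} s to crack")
    print(f"20 chars from 94:    {sb:.1f} bits, about {ss / 3.154e7:.2e} years to crack")
```

At the assumed rate the eight-letter lowercase password falls in seconds, while the 20-character random one sits at roughly 131 bits and is out of reach of any brute-force search; the uniqueness per site is what stops a single breach from being replayed elsewhere.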
I learned at a relatively young age what makes a good password versus a bad password, and I’ve tried to always use these qualities in the passwords I choose.
The Problem
Unfortunately, even with the best intentions, you inevitably end up re-using one or a few passwords across every single website you log into. Some people do things as dumb as using the name of their significant other. Or their pet. Or a birthdate. Or something else equally guessable by one of the many supercomputers that exist (where by “supercomputer” I mean pretty much any computer built in the past 5–7 years).
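As an added example (not code from this post or the earlier one about Michelle), here is what “chewing through possible passwords” looks like against exactly these choices: a dictionary attack with cracking-tool-style mangling rules, and a structured brute force over every birthdate, run offline against unsalted SHA-256 hashes. The hashes, account labels and six-word wordlist are constructed for the demonstration; a real run would use tens of millions of leaked passwords and a GPU rather than pure Python.

```python
import hashlib
import time

# Added example, not code from the original post. It models an attacker who has
# obtained a site's unsalted SHA-256 password hashes and guesses offline.


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample "breach": hash -> account label. The plaintexts are the
# kinds of choices the post warns about (a default, a pet name, a birthdate).
TARGETS = {
    sha256_hex("password"): "michelle",
    sha256_hex("Fluffy1"): "pet-owner",
    sha256_hex("19870312"): "birthday-user",
    sha256_hex("letmein!"): "suffix-user",
}

# Constructed wordlist; real cracking runs use tens of millions of leaked passwords.
WORDLIST = ["password", "fluffy", "letmein", "michelle", "qwerty", "dragon"]


def mangle(word):
    """Cheap variants of a base word, imitating cracking-tool rules."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2014"):
            yield base + suffix


def dictionary_attack(targets, wordlist):
    """Return {account: recovered password} for hashes hit by wordlist + rules."""
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            label = targets.get(sha256_hex(candidate))
            if label is not None:
                recovered.setdefault(label, candidate)
    return recovered


def birthdate_attack(targets, first_year=1940, last_year=2010):
    """Exhaust every YYYYMMDD string in the year range (about 26k guesses)."""
    recovered = {}
    for year in range(first_year, last_year + 1):
        for month in range(1, 13):
            for day in range(1, 32):
                candidate = f"{year:04d}{month:02d}{day:02d}"
                label = targets.get(sha256_hex(candidate))
                if label is not None:
                    recovered[label] = candidate
    return recovered


def guesses_per_second(sample=200_000):
    """Measure how fast this machine hashes candidates in plain Python.
    Dedicated GPU crackers are several orders of magnitude faster."""
    start = time.perf_counter()
    for n in range(sample):
        sha256_hex(str(n))
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(TARGETS, WORDLIST))
    print("birthdates:", birthdate_attack(TARGETS))
    print(f"{guesses_per_second():,.0f} guesses/s in pure Python")
```

Three of the four accounts fall to a six-word list plus a handful of rules, and the fourth to a few tens of thousands of date guesses; no human typing is involved at any point, which is the assumption Michelle got wrong. The same attack against a site that used a salted, slow hash (bcrypt, scrypt, Argon2) would still recover “password”, but only after paying the full cost per guess instead of millions of guesses per second.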
There is a Windows/Internet Explorer/Windows Media security hole that lets a malicious script, via the Windows Media ActiveX plug-in, open every CD-ROM drive on your machine. This hole has officially been patched; just visit the Windows Update site to download the patch.