posted by chromas on Saturday October 06 2018, @08:20AM
from the this-password-contains-patterns-known-to-the-State-of-California-to-cause-cracking-and-data-breaches dept.

Submitted via IRC for Bytram

Weak passwords to be banned in California

Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.

The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.

It demands that each gadget be given a unique password when it is made.

Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.

The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.

This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.

The bill also allows customers who suffer harm when a company ignores the law to sue for damages.


  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @10:10AM

    by Anonymous Coward on Saturday October 06 2018, @10:10AM (#744991)

    Default passwords are stupid, changed mine from "Password" to "12345". 10 times better than the code on my luggage.

  • (Score: 4, Insightful) by BsAtHome on Saturday October 06 2018, @10:12AM (13 children)

    by BsAtHome (889) on Saturday October 06 2018, @10:12AM (#744992)

    The default will be fixed, that is fine. Now the user can finally set his/her favorite password "password" and "123456" and be done with it.

    It is a good thing that some default and basic security must be configured. The problem is that many users have no clue whatsoever how security in the computerized world works. The complexity of security is not something one can take lightly. It requires much more than a forced change of defaults. Most users will never understand the intricate relations and interactions of computers and the potential problems that creates for security.

    In the end we will have indemnified producers and still no security. Not a good prospect.

    • (Score: 2, Touché) by Anonymous Coward on Saturday October 06 2018, @10:50AM (3 children)

      by Anonymous Coward on Saturday October 06 2018, @10:50AM (#744995)

      This action doesn't solve all problems in the world. Should it not have been done? (Y/N)

      • (Score: 2, Interesting) by Anonymous Coward on Saturday October 06 2018, @11:04AM (2 children)

        by Anonymous Coward on Saturday October 06 2018, @11:04AM (#745000)

        California: is there anything you won't legislate?

        • (Score: 2, Funny) by Anonymous Coward on Saturday October 06 2018, @11:13AM (1 child)

          by Anonymous Coward on Saturday October 06 2018, @11:13AM (#745003)

          California: is there anything you won't legislate?

          Hmm ... let's find out. Hold my gavel.

          • (Score: -1, Spam) by Anonymous Coward on Saturday October 06 2018, @12:42PM

            by Anonymous Coward on Saturday October 06 2018, @12:42PM (#745019)

            There was a technique called 'redirection.' This was where one would redirect their anger towards a person to an object, so as to avoid unnecessary conflict. The man, who had bipolar disorder, and whose therapist had told him about this technique, favored this approach. Especially now, after someone had just bumped into him, causing his fury to reach unsustainable levels.

            He recalled his therapist's advice, and searched for an object. From there, it didn't take long for the man to find a suitable object; he began pummeling it with all his might until his wrath dispersed. Satisfied, the man continued walking to his destination without a care in the world. Or, at least, until someone bumped into him again.

            "Ugh!" screeched the man. An object. He needed an object! When he found one, he immediately began to redirect all of the hatred and violence in his heart towards said object. Since his anger had reached extreme levels, it took quite a long time before his anger dissipated. By that point, the object had already been completely annihilated.

            "There," said the man, deeming this level of destruction to be enough. Then, he continued on his way... until another mishap occurred. Then, another one. And another one. Yes, one after another, mishap after mishap occurred, forcing the man to constantly redirect.

            Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect. Redirect!

            Finally, it was over, and the man returned to a state of serenity. He looked back at the results of his redirection and smiled. Today, there had been twenty-five of them. Eighteen women and seven children had bore the brunt of the man's fury and lust, their battered and violated bodies randomly strewn around the area. He would have to thank his therapist again for teaching him about this wondrous technique.

            Yes, for without redirection, for without this technique, a person may have been hurt...

    • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @11:10AM (5 children)

      by Anonymous Coward on Saturday October 06 2018, @11:10AM (#745002)

      Well, let's see here ... who do we want shouldering the majority of the security responsibility, the manufacturer or the end user? Both should share some of the responsibility but the manufacturer is more qualified than the end user - usually by orders of magnitude.

      If the end user makes poor security choices it is not the responsibility of the manufacturer, though some minimum password complexity/quality should be enforced.

      Seatbelts make driving safer. They don't save all lives, and there have been some instances where they have cost lives. But in the vast majority of cases seatbelts make driving safer. Still, the car manufacturers cannot force the driver or passengers to wear seatbelts. The end user is still responsible for their actions/choices.

      • (Score: 2) by BsAtHome on Saturday October 06 2018, @11:22AM (4 children)

        by BsAtHome (889) on Saturday October 06 2018, @11:22AM (#745008)

        The number of failure modes for a seatbelt are, for a trained individual, limited.
        The number of failure modes for software are, for a trained individual, not well defined.

        Changing the password is one thing. Updating the software is another story. You do not update your seatbelt every few weeks to get the bugs out, do you?

        Therefore, concentrating on default passwords and "reasonable security" features are a step in the right direction, but have marginal impact in the long run. There is no silver bullet for security and no law can make your software secure. Especially when you consider the complexity of software in general and security in particular.

        • (Score: 2, Informative) by Anonymous Coward on Saturday October 06 2018, @11:45AM (1 child)

          by Anonymous Coward on Saturday October 06 2018, @11:45AM (#745010)

          Car analogies are fun. Selling a device with the password "password" is like selling a car with seatbelts made of paper and expecting the consumer to retrofit real seatbelts.

          • (Score: 1, Insightful) by Anonymous Coward on Saturday October 06 2018, @05:12PM

            by Anonymous Coward on Saturday October 06 2018, @05:12PM (#745096)

            I'd say it's more like selling a car with a generic key and expecting the consumer to shape the key and resize the pins themselves.

        • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @04:28PM

          by Anonymous Coward on Saturday October 06 2018, @04:28PM (#745075)

          The number of failure modes for software are, for a trained individual, not well defined.

          Yet for an untrained individual they are innumerable.

          Changing the password is one thing. Updating the software is another story. You do not update your seatbelt every few weeks to get the bugs out, do you?

          If software updates are necessary they should be automatic ... but that will cause havoc in the minds of the "it's mine! I paid for it!" crowd that doesn't want automatic updates. So a very conspicuous "Do you want this device to automatically apply software updates?" question immediately after the required changing of the password.

          There are no perfect solutions to this, but a great deal can be improved with just a few small measures. Let's not ignore the 80% - 90% of prevention we can take with these initial small steps.

        • (Score: 2) by chromas on Saturday October 06 2018, @08:26PM

          by chromas (34) Subscriber Badge on Saturday October 06 2018, @08:26PM (#745149) Journal

          You do not update your seatbelt every few weeks to get the bugs out, do you?

          Not yet.

    • (Score: 2) by fyngyrz on Saturday October 06 2018, @04:18PM (1 child)

      by fyngyrz (6567) on Saturday October 06 2018, @04:18PM (#745068) Journal

      The default will be fixed, that is fine. Now the user can finally set his/her favorite password "password" and "123456" and be done with it.

      It's very easy to require that a password contain minimum N-length, out-of-alpha-order, out-of-qwerty-order, out-of-numeric-order, out-of-order mix of caps, punctuation, and numeric. Out-of-order can be enforced across alternating classes of characters. If there's enough space in the device, or you're building a desktop application, it's also easy to require that it not contain common English words. Dual-entry to confirm without copy/paste capability is also advisable.

      Implementation and testing takes just a few hours. I'm speaking from experience here.

      So there's no need to risk those kinds of problems. And then there's the generation of an initial default for the user of the device and throwing a sticker in the packaging.

      I will grant you that for the low-level users, some frustration is encountered as their minds are taxed by the requirements, but clear error results during entry — not just after — mitigate that at least somewhat, and an automatic generator is the obvious band-aid for them.

      It's long past time that users learned to track passwords (and no, I don't think a "password manager vault" is a good idea. That's just a means to "lose one password, lose them all" or "have one password compromised, all are compromised.")

      • (Score: 2) by pipedwho on Saturday October 06 2018, @08:29PM

        by pipedwho (2032) on Saturday October 06 2018, @08:29PM (#745151)

        The problem with requiring ultra complicated hard to remember passwords is that they invariably end up saved in a password manager or written down.

        These highly entropic undecipherable passwords would ideally have little to no ambiguity when written down and read back (ie. Oo0, Il, Ss5, jJ, 71l, 9g, etc.). The concept of the 4 words as per XKCD fame is a good one for users writing things down. The super complicated self/autogenerated ones are fine if the user has a decent password manager. To avoid users entering insecure passwords only requires decent minimum entropy and a few simple entropy checks for excessive repetition and/or monotonic increment 'eg password-password-password, 1234567891011121314151617181920, or password1-password2-password3, etc'. The entropy calculation should not include any substrings with the username/ID or the site/company name. A user might have a longer password with mostly low entropy characters (eg. english words), or have a short password with lots of entropy in the characters (eg. random base64 strings). It also helps if there is a description of how to make a secure password with a selection of seemingly random but relatively easy to remember words. You could even run the password against a dictionary attack with some common dictionaries to avoid obviously broken passwords.

        I'm not that concerned with the general case of users either writing down passwords or relying on password managers. Yes, both options have downsides, but they are heavily outweighed by the advantages.

        Written down passwords may be lost or stolen and the user is out of luck with potentially hundreds of passwords. However, attacking this list requires offline access, and if the list is kept relatively securely (ie. locked drawer, wallet, briefcase, etc) then it isn't likely to fall victim to a walk-by 'post-it note on the monitor' exposure. Also, a user can keep multiple lists at varying degrees of security. eg. important passwords in the locked briefcase or wallet, and stupid website passwords in a locked drawer of their desk. Photocopies can be used for backups if the lists are at risk of loss.

        Assuming a password manager has decent backup/replication capability and is designed properly (ie. secure), then a user should only have one password to remember (or a few if they want multiple vaults) - a password that could be written down and kept securely elsewhere if the user thinks they'll forget it. Password managers generally have a consistent interface that is known to the user. And the master password request happens due to actions taken by the user out of band (and not in the browser window) of the remote password being either auto-entered or copy/pasted. So it is far less likely to be compromised than, for example, a spoofed misspelled domain asking for a corporate/banking/shopping/social media/email/etc password. Password managers are great because mis-typed domain names won't be auto-entered giving the user an extra level of protection. Good password managers can have multiple vaults if a user wants to avoid the 'one password to rule them all' allowing some additional passwords to be kept even more securely and segmented by site/security level/importance/age/etc. And can be accessed from a separate device to the one being used for password entry (eg. a smart-phone is used to bring up and manually type the admin password for a server attached to a KVM switch in the server room).

        For the particularly paranoid, you can use your password manager or written list to keep a secure base password for each site. And then further transform that password with some additional secret out-of-band data (either static or generated based on the site name/password/date of generation/etc). This adds a certain amount of protection against stolen lists or hacked password manager master passwords. Some people do this without a password manager against a master password, but that is dangerous as the password from one (or more) sites may lead to sufficient clues to attack the 'algorithm' and therefore effectively leak the entire password list.

        Yes there are downsides to password managers, but there is no way the vast majority of users are going to remember hundreds of secure passwords.
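The checks fyngyrz and pipedwho describe above (minimum length, a mix of character classes, no common words, no runs in alphabetical, numeric or keyboard order, no repeated chunks, no username or site name inside the password, and a crude entropy floor), as an added worked example that is not code from either commenter or from any product. The thresholds, the keyboard rows, the tiny deny-list standing in for a dictionary, and the failure-code names are all assumptions made for this illustration:

```python
"""Password-quality checks of the kind described in the thread. All thresholds
are assumptions chosen for illustration, not values from the comments."""
import math
import re
import string

MIN_LENGTH = 12         # assumed; the thread only says "minimum N-length"
MIN_CLASSES = 3         # of lowercase, uppercase, digit, punctuation (assumed)
MAX_ORDERED_RUN = 3     # 'abc' / '321' tolerated, 'abcd' / '4321' rejected (assumed)
MIN_ENTROPY_BITS = 50   # floor on len * log2(pool size) (assumed)

ALPHA = string.ascii_lowercase
DIGITS = string.digits
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
# Constructed stand-in for a real common-password dictionary.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "dragon"}


def longest_ordered_run(text, sequence):
    """Longest substring of `text` that walks `sequence` one position at a time
    in a single direction, e.g. 'abcd', '4321' or 'asdf'."""
    text = text.lower()
    best = run = 1
    prev_step = None
    for prev, cur in zip(text, text[1:]):
        step = None
        if prev in sequence and cur in sequence:
            step = sequence.index(cur) - sequence.index(prev)
        if step in (1, -1):
            run = run + 1 if step == prev_step else 2
        else:
            run = 1
        prev_step = step
        best = max(best, run)
    return best


def has_excessive_repetition(pw):
    """Three identical consecutive characters, or a chunk of three or more
    characters that immediately repeats ('password-password...')."""
    return (re.search(r"(.)\1\1", pw) is not None
            or re.search(r"(.{3,}?)\1", pw) is not None)


def character_classes(pw):
    """Set of character classes present: 'lower', 'upper', 'digit', 'other'."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def estimate_entropy_bits(pw):
    """Crude estimate: length * log2 of the pool implied by the classes used.
    It overestimates dictionary words, which is why the other checks exist."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "other": len(string.punctuation)}
    pool = sum(sizes[cls] for cls in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, username="", site=""):
    """Return the list of failed checks (an empty list means acceptable)."""
    failures = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        failures.append("too_short")
    if len(character_classes(pw)) < MIN_CLASSES:
        failures.append("too_few_classes")
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("common_word")
    sequences = (ALPHA, DIGITS) + QWERTY_ROWS
    if max(longest_ordered_run(pw, s) for s in sequences) > MAX_ORDERED_RUN:
        failures.append("ordered_run")
    if has_excessive_repetition(pw):
        failures.append("repetition")
    # Substrings of the account name or site name add no real secrecy.
    if any(len(t) >= 3 and t.lower() in lowered for t in (username, site)):
        failures.append("contains_identity")
    if estimate_entropy_bits(pw) < MIN_ENTROPY_BITS:
        failures.append("low_entropy")
    return failures


if __name__ == "__main__":
    for candidate in ("password1", "qwertyuiop123!", "Correct!Horse7battery"):
        print(candidate, "->", check_password(candidate, username="alice") or "ok")
```

Returning a list of failed checks rather than a single boolean is what makes the "clear error results during entry" fyngyrz mentions possible: the UI can show every unmet rule at once instead of rejecting the password one rule at a time.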

    • (Score: 3, Insightful) by Runaway1956 on Saturday October 06 2018, @09:00PM

      by Runaway1956 (2926) Subscriber Badge on Saturday October 06 2018, @09:00PM (#745169) Journal

      Uhhhhmmmmm - if each device has its own unique password by default - then user action will be required to change that default to 123456. If the user takes that action, then the user is entirely responsible for the consequences. Is this not an improvement over the default "admin" "password"? Most users won't bother to reconfigure a device, just as they have never bothered to do so in the past. If they have an 8 character randomly generated password, their security has been improved by several orders of magnitude. Even better is if they get 12 character randomly generated passwords, using upper/lower case, numbers, as well as special characters. At this point, we can actually begin to consider the devices as kinda secure.

  • (Score: 2, Funny) by Anonymous Coward on Saturday October 06 2018, @11:09AM (2 children)

    by Anonymous Coward on Saturday October 06 2018, @11:09AM (#745001)

    00000000

    Good enough for me

    • (Score: 2) by Thexalon on Saturday October 06 2018, @04:41PM (1 child)

      by Thexalon (636) on Saturday October 06 2018, @04:41PM (#745080)

      Thing is, that's not as stupid as it sounds. Let's say you're a bad guy who now has maybe 3 guesses to correctly say the code in the president's pocket.

      Is "00000000" going to be something you're likely to try? Or are you going to think that there's no possible way they would have picked anything that stupid?

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @12:17PM

    by Anonymous Coward on Saturday October 06 2018, @12:17PM (#745014)

    Haven't had a lot of recent experience, but it used to be that a router (etc) could be reset to defaults using a "secret" service password. Obviously this sort of security-by-obscurity isn't going to work these days, but it would still be nice to have some way to start over if a device is wedged somehow.

    What if California mandated a recessed button (oh noes, hardware!) somewhere on every bit of electronics that would restore it to original state, then let the user work through setup and put in a proper password.

  • (Score: 2) by Bot on Saturday October 06 2018, @12:17PM

    by Bot (3902) on Saturday October 06 2018, @12:17PM (#745015) Journal

    If someone sells usb sticks with linux preinstalled, better put a root password reset step in the configuration program.
    Of all things happening in cali recently, this one might be inconsequential, but at least it makes sense.

    --
    Account abandoned.
  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @01:34PM

    by Anonymous Coward on Saturday October 06 2018, @01:34PM (#745027)

    The thing is engineers DO say things to their bosses about things like this. Usually they are treated like assholes for "making trouble". Then after a million devices get pwned, the boss goes to the guy who brought it up and wants him to write software to commit a million counts of computer trespass after the fact to fix the problem.

    I'll leave it to your imagination as to whether that problem gets fixed. But there are a lot of engineers out there with "get out of jail free" cards in their personal safes. The problem became so common back in the thou's that they created a whole new term for it: "automatic update".

  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @03:40PM

    by Anonymous Coward on Saturday October 06 2018, @03:40PM (#745049)

    What about alpine?

  • (Score: 5, Interesting) by KritonK on Saturday October 06 2018, @03:53PM (4 children)

    by KritonK (465) on Saturday October 06 2018, @03:53PM (#745053)

    It demands that each gadget be given a unique password when it is made.

    DSL routers in Greece already have this feature. Each router has its own admin and WiFi password which are both, of course, printed on a sticker at the back of the device for anyone to copy.
    Silly as it may sound, this is more secure than having a default password, either fixed or algorithmically generated (e.g. a hash of the MAC address), as it renders applications, such as GWPA finder [google.com], that try to guess the default password of nearby routers, useless.

    • (Score: 4, Insightful) by deimtee on Saturday October 06 2018, @07:10PM (2 children)

      by deimtee (3272) on Saturday October 06 2018, @07:10PM (#745115) Journal

      It's not silly at all. For the vast majority of home users a post-it note with a complex password on it stuck to the monitor is far superior to remembering a simple password.
      Yeah, physical access and you're screwed, but for most people that isn't the problem, and remote exploits have trouble reading bits of paper. Anyway, if the bad guys have physical access you are screwed with or without the post-it note.

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.
      • (Score: 2) by Runaway1956 on Sunday October 07 2018, @04:20AM

        by Runaway1956 (2926) Subscriber Badge on Sunday October 07 2018, @04:20AM (#745367) Journal

        remote exploits have trouble reading bits of paper.

        The deep learning people are working on that one. All the exploit has to do is hijack the camera, focus on the glasses worn by any user, and decipher the reflection of the post-it. It doesn't work reliably yet, but those smart deep learners are starting to figure it out. One problem is that they key on pink and yellow post-its, but ignore Realtree™ versions. /sarcasm

      • (Score: 2) by Hyperturtle on Sunday October 07 2018, @03:38PM

        by Hyperturtle (2824) on Sunday October 07 2018, @03:38PM (#745519)

        There's nothing wrong with keeping a paper notepad or notebook with complex passwords and lists of accounts and so on.

        It worked for me and others for years and years when calling BBS's. It made it very easy to have a different password for every board -- some SysOps were not above logging in a users to use their file points elsewhere and download stuff, or just be jerks. Today's issues are different, but there are still a lot of jerks that would cause harm with your passwords if they were easily obtained or the same or both.

        People that complain that it's not safe to write your passwords down usually are either not recognizing that most people have better things to do than memorize an extensive list of passwords, or the person complaining is hawking some password gatekeeper program that either costs money, shares info, is insecure itself, or has one password to open it up that can be hacked just the same as anything else, and cloud. There are a lot of elitist know-it-alls in IT (hey no comments).

        If my computer crashes--my pad of paper won't. Microsoft also won't wipe the contents of my local notepad during an upgrade, too. And if I really was worried, I can type the stuff in and save it onto a diskette or USB stick--diskettes tend to last longer since they don't need power now and then to prevent 'bit rot'; disks can last longer than the computer that wrote to them by many generations of computers... but really, paper only has problems when wet or left in bright lighting for a long time. I have lists of things that aren't valid anymore, but like to look at now and then to jog memories of sites or boards where there are no screenshots or internet archive to review. If I actually memorized all of those passwords, I'd have likely mentally erased a lot of that to clear up space for new problems in my head.

        Back to paper... If you have little kids or snooping people around that want to see your stuff, then that's another issue, but ultimately it is a matter of how much inconvenience people are willing to put up with for security. Sometimes a lockable desk drawer or a privacy lock on the notepad (like a teenage girl's diary--they sell adult versions, too) are all that it takes to keep honest people honest. You also don't have to put all of the keys to the kingdom in one place, especially the important yet infrequently used ones.

        If someone busts into your house and takes your stuff, you have worse problems than what the account and password is for some forum you post to now and then might be.

    • (Score: 2) by el_oscuro on Sunday October 07 2018, @12:36AM

      by el_oscuro (1711) on Sunday October 07 2018, @12:36AM (#745276)

      Simply setting the password to the device serial number is vastly superior to any default password. California is right: default passwords *should* be outlawed. Even if a serial number is easily predictable, an attacker would still have to guess it for each device they want to pwn. With any default password, *all* devices they can get to are pwned immediately.

      --
      SoylentNews is Bacon! [nueskes.com]
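The per-device unique initial password that KritonK and el_oscuro discuss above (and the sticker legibility problem pipedwho raises), as an added example that is not code from the thread or from any router vendor. It draws the password from the OS CSPRNG rather than deriving it from the serial number or MAC address, drops look-alike glyphs from the alphabet, and stores only a salted hash on the device. The alphabet, the 12-character length, the 4-character grouping, the PBKDF2 parameters and the provisioning-record fields are all assumptions:

```python
"""Factory-side generation of a unique initial credential per device.
Lengths, alphabet, grouping and record layout are assumptions for illustration."""
import hashlib
import math
import secrets

# Glyphs the thread lists as easily confused when written down and read back.
AMBIGUOUS = set("Oo0Il1Ss5jJ79g")
ALPHABET = "".join(
    c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    if c not in AMBIGUOUS
)
PASSWORD_LENGTH = 12   # assumed: 12 symbols from a 48-symbol alphabet, ~67 bits
GROUP = 4              # printed as xxxx-xxxx-xxxx for easier transcription
PBKDF2_ROUNDS = 100_000


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_device_password(length=PASSWORD_LENGTH):
    """Uniformly random password over ALPHABET from the OS CSPRNG; nothing
    about it can be predicted from the serial number, MAC or build date."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def format_for_sticker(pw):
    """Insert a hyphen every GROUP characters: 'abcdefghijkl' -> 'abcd-efgh-ijkl'."""
    return "-".join(pw[i:i + GROUP] for i in range(0, len(pw), GROUP))


def normalize_typed(text):
    """Drop the separators and whitespace a user may or may not type back in."""
    return "".join(c for c in text if c not in "- \t")


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def provision(serial):
    """Return what goes on the sticker and what the device firmware stores.
    The factory prints `sticker` and keeps only the salted hash."""
    pw = generate_device_password()
    salt = secrets.token_bytes(16)
    return {
        "serial": serial,
        "sticker": format_for_sticker(pw),
        "salt": salt,
        "hash": _hash(pw, salt),
        "force_change_on_first_login": True,   # assumed device policy
    }


def verify(record, typed):
    """Constant-time check of what the user typed against the stored hash."""
    candidate = _hash(normalize_typed(typed), record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = provision("SN-EXAMPLE-0001")   # constructed serial number
    print("sticker:", rec["sticker"])
    print("accepted:", verify(rec, rec["sticker"]))
    print("bits (8 vs 12 chars):", entropy_bits(8, len(ALPHABET)), entropy_bits(12, len(ALPHABET)))
```

With this 48-symbol alphabet `entropy_bits(8, 48)` is about 45 bits and `entropy_bits(12, 48)` about 67, which puts a number on the "orders of magnitude" Runaway1956 mentions; either way, unlike a default or a value derived from the MAC, an attacker gains nothing reusable from compromising one device.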
  • (Score: 0) by Anonymous Coward on Saturday October 06 2018, @05:02PM

    by Anonymous Coward on Saturday October 06 2018, @05:02PM (#745091)

    "It demands that each gadget be given a unique password when it is made."

    0, 1, 2, 3, ...

  • (Score: 1, Funny) by Anonymous Coward on Saturday October 06 2018, @09:32PM

    by Anonymous Coward on Saturday October 06 2018, @09:32PM (#745183)

    I'm going to appeal your stupid law to the Supreme Court and Justice Kavanaugh is going to kick your butt.

  • (Score: 3, Interesting) by RedBear on Sunday October 07 2018, @04:17AM

    by RedBear (1734) on Sunday October 07 2018, @04:17AM (#745364)

    This is just about the last forum where I expected people to be whining about manufacturers being legally barred from setting the default credentials of hundreds of millions of internet connected devices to something stupid like admin/admin or root/password. We're talking about devices that are not just used by consumers, they're used by giant corporations, government offices, hospitals, and even sometimes the military. How could it possibly turn out to be a bad thing for manufacturers to be held accountable for what is essentially leaving a publicly known backdoor in their devices?

    Even if 50% of the owners of the devices choose to reset the unique password to "1234", which is of course ridiculously easy to prevent, that would still mean that you just cut the number of automatically-insecure devices on the market IN HALF.

    The logic of being opposed to this utterly fails me. So what if every single owner of one of these devices puts their password on a post-it note on the front of the device? We're talking about devices that get attacked across the internet, not computers at the office. If I get physically close enough to read the password off the post-it, the device and the network is already compromised. As long as the password isn't allowed to be on the list of passwords commonly used by stupid people, we're already talking about potentially the most measurable improvement in overall security in the history of the internet.

    I know security is a very difficult thing to do exactly right, but I'm forced to wonder what kind of steps could be taken that would actually keep some of you from complaining about moving in the right direction.

    --
    ¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
    ... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ