posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine



  • (Score: 2, Informative) by Anonymous Coward on Sunday May 12 2019, @02:06PM

    by Anonymous Coward on Sunday May 12 2019, @02:06PM (#842664)

    Since 2011, the firm has published the list based on data examined from millions of passwords leaked in data breaches, mostly in North America and Western Europe, over each year. In the 2016 edition, the 25 most common passwords made up more than 10% of the surveyed passwords, with the most common password of 2016, "123456", making up 4%.

    https://en.wikipedia.org/wiki/List_of_the_most_common_passwords#SplashData [wikipedia.org]

  • (Score: 2) by Hyperturtle on Sunday May 12 2019, @02:11PM (2 children)

    by Hyperturtle (2824) on Sunday May 12 2019, @02:11PM (#842669)

    I wonder when the day is coming when those biometric readers, like the fingerprint readers built into power buttons and touch screens, plus the cameras that enable facial recognition... are mandatory. But they will call it convenience and security when it happens, I am sure. I expect it'll get driven by free services like social media or 'professional' ones like Office 365 and various internet-only applications that want to make it easy for someone to be tracked/log in from anywhere.

    It is not like biometric data is kept private and secured. Facebook even was suing a few states in the US crying that biometric privacy laws were onerous regulations that denied them profits because they had to adhere to actual restrictions on biometric data use. I can't imagine Microsoft easily removing Windows Hello and all the data that security feature has managed to gather. Many modern devices now have fingerprint readers built into the power buttons and/or touch screens. It is not even possible in some cases to turn a device on without giving up biometric data to do so.

    Ah, privacy and security are so easy and often expected that we hand them away for free in exchange for a service, and yet they are often so unattainably expensive to buy back. Often the services involved don't even have the option.

    But more importantly, use a good password while you still can. If the government is complaining that passwords are hard, then it likely won't be long before an alternative is used. That would make it a lot easier to share data between various organizations, because really, sharing passwords is insecure, but losing control of your biometric data is described as safe.

    • (Score: 2, Insightful) by Anonymous Coward on Sunday May 12 2019, @02:36PM (1 child)

      by Anonymous Coward on Sunday May 12 2019, @02:36PM (#842675)

      Biometrics is not security. Biometrics only gives you "what you have" type of security, not what you know. Also, unlike OTP, you can't change your biometrics. This means that passwords will ALWAYS be the de facto authentication method. If you use anything else, you are in major trouble as someone can just steal your "credentials".

      Biometrics are useful to authenticate user with some document, like passport. But they are useless for almost everything else.

      If you have a phone, and you unlock with a fingerprint, then you are doing it wrong. If you unlock it with a password or pattern, then that's OK. If then you use a fingerprint to authorize some transaction or login to Google, that's OK (convenience), as the phone has already authenticated you with the password and the fingerprint becomes authorization verification. But if you only use a fingerprint, then maybe your finger becomes valuable?

      • (Score: 1) by RandomFactor on Sunday May 12 2019, @03:04PM

        by RandomFactor (3682) Subscriber Badge on Sunday May 12 2019, @03:04PM (#842688) Journal

        But if you only use fingerprint, then maybe your finger becomes valuable?

        I've never enabled fingerprint or 'face' unlocking on my devices and I can't imagine I ever will. I understand that in principle police can't currently compel an unlock [pcmag.com] using biometric data (at least until challenged/overturned) but with unlock being based on something I know instead, it becomes my decision to stand up to the wrench [xkcd.com] or not. (And none of that 'no, he left it unlocked, we didn't force his tragically broken finger onto the fingerprint reader, honest!')

        --
        There is no news in Pravda, and no truth in Izvestia
  • (Score: 5, Informative) by FatPhil on Sunday May 12 2019, @02:36PM (9 children)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday May 12 2019, @02:36PM (#842676) Homepage
    TOTP, being HOTP-based, requires shared knowledge of a secret key. Remote storage of your secret key verbatim, rather than salted and hashed versions thereof, has never been a security issue, ever, no, no, no.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by JoeMerchant on Sunday May 12 2019, @03:58PM (8 children)

      by JoeMerchant (3937) on Sunday May 12 2019, @03:58PM (#842695)

      TOTP is a crock.

      Checking passwords against spray attacks' one million most common passwords and denying _those_ passwords would be much more effective.

      TOTP with a requirement of 8, no two consecutive, characters, and 3 of: upper case, lower case, numeric, special can quickly lead to "degenerate" passwords such as: Q1q1q1q1 just due to the fatigue of having to come up with a new, compliant, not used before, password every month, or whatever your chosen TOTP interval is.

      Longer change intervals, less stupid requirements, and longer length requirements (12 characters?) can get stronger passwords in use like: correcthorsebatterystaple

      --
      🌻🌻🌻 [google.com]
      • (Score: 1, Informative) by Anonymous Coward on Sunday May 12 2019, @07:05PM (4 children)

        by Anonymous Coward on Sunday May 12 2019, @07:05PM (#842736)

        Your comment makes clear that you don't know what TOTP is and mistook it for password expiration.

        TOTP stands for Time-based One-Time Password. The output of the algorithm is equal to the HMAC-based One-Time Password of a secret key, but with the current Unix time as the counter and the window length. HOTP parameters are a hash algorithm, secret key, and a counter. First you take the shared secret key, put that into the HMAC algorithm using the agreed-upon hash and current time as a counter. You then take that result and truncate it by taking the four least significant bits to get an offset, which you then use to select 31 bits from your result using a different algorithm. That number is turned into a positive signed number. Then using the length of your TOTP password (d), you then take the number modulo 10^d to get your final returned value. That password is accepted for three password windows (past, current, future) to allow for skew in the clocks and password entry.

        The important notes are that current TOTP passwords cannot be used to figure out past or future TOTP passwords. Also, it only counts as something you have, because anyone that knows all the parameters can generate arbitrary TOTP values.
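
The algorithm the comment above walks through, as an added example that is not code from the thread or from any authenticator app: HOTP per RFC 4226 and TOTP per RFC 6238, plus the server-side acceptance window (past, current, future step) the comment mentions. The key is the published RFC 6238 Appendix B test secret, not a real credential; note that the verifier needs the raw shared secret, which is the storage point FatPhil raises elsewhere in the thread.

```python
import hashlib
import hmac
import struct
import time

# Added example: RFC 4226 HOTP and RFC 6238 TOTP. The key below is the
# RFC 6238 Appendix B test secret, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, C as an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation (RFC 4226 section 5.3): the low 4 bits of the last
    # byte select an offset; the 4 bytes from there, top bit cleared, form a
    # 31-bit non-negative integer.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter T = floor((unix_time - T0) / step)."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, t0: int = 0, digits: int = 6,
                digestmod=hashlib.sha1) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side of it to tolerate clock skew and slow entry (window=1 is the
    past/current/future acceptance described in the comment)."""
    base = (unix_time - t0) // step
    accepted = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, base + drift, digits, digestmod)
        # Constant-time comparison; keep iterating so the loop length does
        # not leak which step matched.
        if hmac.compare_digest(expected, candidate):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code, now))
    # A code generated two steps (60 s) ago falls outside a one-step window.
    stale = totp(RFC_TEST_SECRET, now - 60)
    print("stale code accepted:", verify_totp(RFC_TEST_SECRET, stale, now))
```

A real verifier also records the last accepted step per user and refuses anything at or before it, so a code captured in transit cannot be replayed inside the window; that bookkeeping is omitted here.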

        • (Score: 2) by FatPhil on Sunday May 12 2019, @10:41PM (3 children)

          by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday May 12 2019, @10:41PM (#842782) Homepage
          > it only counts as something you have, because anyone that knows all the parameters can generate arbitrary TOTP values.

          Therefore it's something you *know*, not *have*, but I presume you mis-typed, as you seem to be mostly on top of things.

          > shared secret key

          However, not on top of things enough to be willing to address this issue from my gpp.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 1, Informative) by Anonymous Coward on Monday May 13 2019, @12:58AM (2 children)

            by Anonymous Coward on Monday May 13 2019, @12:58AM (#842808)

            No, it is a "have" because most people save the compiled list of parameters+key to an authentication app, (e.g. Google Authenticator, FreeOTP, or Authy), rather than keep it memorized and calculate it manually each time. This app, by definition, is a "soft token" and tokens are "something you have."

            And I wasn't trying to address your issue, I was addressing my parent's misunderstanding of what TOTP is. By its nature, you can't have a "salted and hashed" version of the secret key, because both sides have to have the same key, or the algorithm won't work. The second you salt it or hash it or whatever, the result just becomes another parameter to the algorithm or the new secret key, because both sides have to have the same information to calculate the same TOTP. That is a well-know and obvious pitfall of TOTP, but the algorithm was mean to cover a completely different threat model than passwords, not replace them.

            • (Score: 2) by FatPhil on Monday May 13 2019, @11:00AM (1 child)

              by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday May 13 2019, @11:00AM (#842947) Homepage
              Thanks for the clarification. Not being an "app" user, it wasn't obvious to me that the "app" would store the shared secret. It's a bit too copyable for my liking, which I consider should be hard for a security token (something you have), contrasting against something you know, which is duplicated every time it's used.

              I write my password down on a post-it note, and am so lazy I enter it using OCR via the webcam - is that something I know, or something I have?
              --
              Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
              • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @02:43AM

                by Anonymous Coward on Tuesday May 14 2019, @02:43AM (#843237)

                A written-down password is something you know; changing the medium doesn't change the original threat model reason for that authentication mode. If you are having a hard time with this, think of the TOTP token like an SSH key. The fact that you could theoretically remember all the parameters and a pseudorandom number hundreds, if not thousands, of bits long doesn't change the fact that it is supposed to be something you carry around in the proper form for authentication, as opposed to being locked in your memory.

      • (Score: 2) by crafoo on Sunday May 12 2019, @10:06PM (2 children)

        by crafoo (6639) on Sunday May 12 2019, @10:06PM (#842768)

        I'm not familiar with TOTP. Password requirements as you stated will ensure 100% of them are written down and close to hand on a convenient sticky note pad.

        • (Score: 3, Interesting) by JoeMerchant on Monday May 13 2019, @02:02AM (1 child)

          by JoeMerchant (3937) on Monday May 13 2019, @02:02AM (#842821)

          Yeah, AC is probably right - I took the "Timed" "One Time" to mean what our forced expiration policy does at work: you choose your password following their BOZO constraints, then you can only keep that password for a certain amount of time, at which point you must choose a new one - not a repeat of any password you have ever used before.

          The priceless joke of corporate passwords is that they're in the Active Directory system, so you are forced to use this same password flipping everywhere, including when you've got your laptop hooked up to conference room displays - about once a year I see somebody entering their password for like the 20th time of the day on a big shared screen and the cursor focus isn't where they thought it was, so the whole room gets to see their password - for EVERYTHING, and of course the meeting is more important than running and changing it immediately, so ALL of their so-called secure accounts are vulnerable to anyone who saw it for at least an hour, in many cases I think they don't even bother to change it until the next mandatory expiration anyway. For extra fun, you can also get a sense of what they use to make their passwords memorable, combinations of their children's names and birthdays seem to be a popular choice.

          --
          🌻🌻🌻 [google.com]
          • (Score: 2) by pipedwho on Monday May 13 2019, @04:08AM

            by pipedwho (2032) on Monday May 13 2019, @04:08AM (#842836)

            And don't forget the two digits at the end that usually equal the multiple of timed expirations that have occurred since they started working at the company.

            Years ago I was working with a big company that had their password database (plaintext, naturally) compromised. Everyone was forced to reset their password (for the Nth time, since they had a 3 month password expiration policy) - and naturally they'd been conditioned to use their usual tricks for modulating their passwords. In a penetration test, our guys ran the old password system against the newly reset passwords and 90+% of the passwords were a simple modulation of a base password (mostly just adding 1 to a counter, or a date).

            We recommended they get rid of their timed password expiration policy and only force password resets for good reasons. Told them to get rid of the upper/lower/number mix and just increase the minimum password length to 12 characters. Users were given methods to avoid using 'bad' words for their passwords (like usernames, dates, counters, etc). Passwords were no longer kept in plain text (but that doesn't help protect against easy to guess passwords when compromised hash tables can be attacked). And the users were explicitly told they had to change their password due to a compromise, and would no longer be asked to periodically change their passwords, so should come up with something secure.

            After the next password reset, our pen testers could only get into about 0.5% of the accounts with a week-long effort of dictionary attacks, modulations on the cracked password database, and targeted attacks on information gleaned from user social media profiles. Half a percent is pretty good for this sort of thing. Most companies come in orders of magnitude worse when they create stupid password policies.

            On a positive note, NIST has changed their best practice password strategy to explicitly recommend not using timed password expiration, and also not to require a mix of uppercase/lowercase/digits.
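
The acceptance policy pipedwho describes above, and the blocklist check JoeMerchant suggests earlier in the thread, as an added example (not code from either commenter or from any product): minimum length 12, no composition rules, a rejection list, a username check, and a change-time check for the counter-or-date modulation the pen testers found. The blocklist is a tiny constructed stand-in for a real leaked-password list, and the usernames are made up.

```python
import re
import unicodedata
from typing import List, Optional

# Added example, not code from the thread. A deployment would load a large
# list of leaked/common passwords here; this constructed set only illustrates.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome1", "summer2019",
    "correcthorsebatterystaple",  # the xkcd example itself appears on wordlists
}

MIN_LENGTH = 12   # pipedwho's recommendation; NIST SP 800-63B requires at least 8
MAX_LENGTH = 128

# Split a password into a "stem" and a short trailing run of digits/symbols,
# which is where a counter or date modulation usually lives.
_SPLIT = re.compile(r"^(?P<stem>.*?)(?P<suffix>[0-9!@#$%^&*._-]{0,10})$", re.S)


def _normalize(pw: str) -> str:
    # NFKC so visually identical Unicode forms compare equal (per 800-63B).
    return unicodedata.normalize("NFKC", pw)


def _stem(pw: str) -> str:
    return _SPLIT.match(pw).group("stem").casefold()


def is_modulation(new: str, old: str) -> bool:
    """True when `new` is the old password with only its trailing counter or
    date changed, or when one password contains the other."""
    new_n, old_n = _normalize(new).casefold(), _normalize(old).casefold()
    if new_n in old_n or old_n in new_n:
        return True
    s_new, s_old = _stem(new_n), _stem(old_n)
    return bool(s_new) and s_new == s_old


def check_password(candidate: str, username: str,
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accept.
    `previous` is the old password the user supplies at change time."""
    pw = _normalize(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if pw.casefold() in COMMON_PASSWORDS:
        reasons.append("common_password")
    if username and username.casefold() in pw.casefold():
        reasons.append("contains_username")
    if previous is not None and is_modulation(pw, previous):
        reasons.append("modulation_of_previous")
    return reasons


if __name__ == "__main__":
    for pw, old in [("Q1q1q1q1", None),
                    ("Welcome-April-19", "Welcome-April-18"),
                    ("purple ladder quietly stapled 7", "Welcome-April-18")]:
        print(repr(pw), "->", check_password(pw, "jsmith", old) or "accepted")
```

The modulation check only works at change time, when the user has just typed the old password; it never requires storing plaintext. Rejecting "Q1q1q1q1" on length alone is the point of dropping composition rules in favour of a longer minimum: the rule is simple to explain and leaves no incentive to game it.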

  • (Score: 1, Interesting) by Anonymous Coward on Sunday May 12 2019, @02:44PM (2 children)

    by Anonymous Coward on Sunday May 12 2019, @02:44PM (#842680)

    When will they learn?

    • (Score: 5, Insightful) by Anonymous Coward on Sunday May 12 2019, @07:07PM (1 child)

      by Anonymous Coward on Sunday May 12 2019, @07:07PM (#842737)

      Never. The point of SMS authentication is to track you by getting your cell phone number. Most people only have one of those.

      • (Score: 0) by Anonymous Coward on Monday May 13 2019, @01:40PM

        by Anonymous Coward on Monday May 13 2019, @01:40PM (#842997)

        Yeah, tie that to the biometric and they know for sure it's really you. Unless someone cut off parts and your body was just a tool to unlock the phone, of course. Cops try to unlock phones found on corpses and were angered Apple's Face ID can detect the glassy-eyed stare of the dead and not unlock the phone. People were upset that law unenforcement needed a warrant instead of how they got used to doing it: use the body to unlock the phone, copy everything, and not say anything about it.

  • (Score: 2, Insightful) by RandomFactor on Sunday May 12 2019, @02:47PM

    by RandomFactor (3682) Subscriber Badge on Sunday May 12 2019, @02:47PM (#842682) Journal

    This is a common tactic to get a foothold.

    They aren't trying to beat someone that uses a serious password, or get straight into an admin account or restricted system, they are just looking for any way in. Once they have that, then they can scan and escalate and move laterally.

    So the bad guy starts with a list of usernames (email addresses work often enough, and they may be trivial to acquire).

    Then, rather than attempting to break one user account with decillions of combinations (which would typically be detected and stopped automatically after half a dozen attempts), just try the statistically most likely password ONE TIME against each account. This gives thousands or tens of thousands of attempts that ONLY COUNT AS ONE FAILURE to older detection algorithms that watch individual accounts. Then wait a couple of days and try another one. The user of the account will generally log in and clear the count long before it is locked out.

    Sooner or later this nets a lazy account (or more likely a number of them) and it is off to the races.
    In the corporate world they do things to protect at the edge like:

    - Multi Factor Authentication (MFA), a base requirement on any internet facing entry point
    - Front end user logins with solutions that monitor for this type of unusual login activity (Cloud Access Security Broker/CASB)

    In a home environment it is less common for those sorts of controls to be available, but there are other common options (the more the better, and not an exhaustive list):

    - get Keepass or other password manager. Start using randomized passwords. It's still a bit annoying, but you get used to it.
        (SERIOUSLY. Password reuse by joe sixpack is why all those password breach notifications every.single.day matter.)
    - standard NAT Router between you and the internet (mostly if you have a home network, you have this already)
    - Disable scripts and ads in your browser
    - Do risky, or even normal browsing from a VM, reset it periodically
    - Run antivirus (plenty of free ones that automatically update)
    - Switch to Linux (e.g. Mint). It works fine for everyday stuff for anyone that is even a little computer savvy.
    - Back up your important stuff, pictures, passwords, financials, Turbotax files, that sort of thing (to an external drive you unplug afterwards; modern ransomware will look around your network and encrypt everything on accessible NAS drives also)

    Feel free to add on ;-)

    --
    There is no news in Pravda, and no truth in Izvestia
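
The pattern RandomFactor describes, one guess per account across many accounts so that no single account trips its lockout, is exactly what per-account failure counters miss and what a per-source view catches. The following is an added detection example, not the commenter's code or any CASB product's logic: it parses constructed authentication log lines (a made-up format; addresses from the RFC 5737 documentation ranges), and per source address distinguishes a spray (many distinct accounts, each below lockout) from brute force against one account, also noting whether a success followed the failures, which is the "lazy account" the comment warns about.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example, not code from the thread. The log lines are constructed for
# this example; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-05-12T14:00:01 src=203.0.113.7 user=alice result=FAIL
2019-05-12T14:00:04 src=203.0.113.7 user=bob result=FAIL
2019-05-12T14:00:07 src=203.0.113.7 user=carol result=FAIL
2019-05-12T14:00:11 src=203.0.113.7 user=dave result=FAIL
2019-05-12T14:00:15 src=203.0.113.7 user=erin result=FAIL
2019-05-12T14:00:19 src=203.0.113.7 user=frank result=OK
2019-05-12T14:05:00 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:05:10 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:05:20 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:05:30 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:05:40 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:05:50 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:06:00 src=198.51.100.9 user=alice result=FAIL
2019-05-12T14:10:00 src=192.0.2.5 user=alice result=FAIL
2019-05-12T14:10:20 src=192.0.2.5 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Parse lines of the constructed format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def classify_sources(events, window=timedelta(hours=1),
                     min_accounts=5, lockout_threshold=5) -> dict:
    """Per source address, slide a window over its failures and label the
    pattern: a spray is many distinct accounts each failing only a few times
    (below lockout); brute force is one account failing past lockout."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        most_accounts, worst_per_account = 0, 0
        j = 0
        for i in range(len(fails)):
            # Advance j to the first failure outside the window starting at i.
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            per_user = Counter(e["user"] for e in fails[i:j])
            most_accounts = max(most_accounts, len(per_user))
            worst_per_account = max(worst_per_account, max(per_user.values()))
        first_fail = fails[0]["ts"] if fails else None
        success_after_failures = any(
            e["result"] == "OK" and first_fail is not None and e["ts"] > first_fail
            for e in evs
        )
        if worst_per_account >= lockout_threshold:
            kind = "brute_force"
        elif most_accounts >= min_accounts:
            kind = "spray"
        else:
            kind = "benign"
        report[src] = {
            "kind": kind,
            "distinct_failed_accounts": most_accounts,
            "max_fails_per_account": worst_per_account,
            "success_after_failures": success_after_failures,
        }
    return report


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

Keying on the source address is the simplest version; sprays from a botnet or a rotating proxy pool spread the same guesses over many addresses, so a production detector also counts distinct failing accounts across the whole tenant per window and alerts on a jump over the baseline, regardless of source. A single success after a short failure run, as from 192.0.2.5 above, is ordinary fat-fingering and only matters in combination with the spray label.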
  • (Score: 0) by Anonymous Coward on Sunday May 12 2019, @02:56PM (2 children)

    by Anonymous Coward on Sunday May 12 2019, @02:56PM (#842687)

    It is very hard to get people to change habits and this tool 'makes sense' to most people as it makes logins easier AND secure.
    Just get ONE really good password and then this tool manages your passwords on EVERY website.

    https://www.pcmag.com/roundup/300318/the-best-password-managers [pcmag.com]

    • (Score: 3, Insightful) by Entropy on Sunday May 12 2019, @04:44PM

      by Entropy (4228) on Sunday May 12 2019, @04:44PM (#842702)

      Then some genius would make them change their "one secure password" every month.

    • (Score: 2) by maxwell demon on Sunday May 12 2019, @05:08PM

      by maxwell demon (1608) on Sunday May 12 2019, @05:08PM (#842707) Journal

      And how exactly do you use a password manager for your login password?

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 4, Insightful) by Rosco P. Coltrane on Sunday May 12 2019, @03:14PM (1 child)

    by Rosco P. Coltrane (4757) on Sunday May 12 2019, @03:14PM (#842691)

    That's rich...

    • (Score: 2) by crafoo on Sunday May 12 2019, @10:09PM

      by crafoo (6639) on Sunday May 12 2019, @10:09PM (#842770)

      Well, failure is the best teacher I suppose...

  • (Score: 1) by sfm on Sunday May 12 2019, @06:34PM (2 children)

    by sfm (675) on Sunday May 12 2019, @06:34PM (#842730)

    "correcthorsebaterystaple" - several common words, hard to guess or brute force, easy to remember

    • (Score: 3, Funny) by sfm on Sunday May 12 2019, @06:38PM (1 child)

      by sfm (675) on Sunday May 12 2019, @06:38PM (#842731)

      Even better if you misspell one of them.......

      • (Score: 2, Funny) by Anonymous Coward on Sunday May 12 2019, @09:25PM

        by Anonymous Coward on Sunday May 12 2019, @09:25PM (#842754)

        Even better if you misspell one of them twice when setting it, then wonder why you can't log in.

  • (Score: 3, Touché) by el_oscuro on Monday May 13 2019, @12:34AM

    by el_oscuro (1711) on Monday May 13 2019, @12:34AM (#842806)

    # zcat /usr/share/wordlists/rockyou.txt | john --stdin hashes.txt

    --
    SoylentNews is Bacon! [nueskes.com]
  • (Score: 1, Insightful) by Anonymous Coward on Monday May 13 2019, @05:20AM (2 children)

    by Anonymous Coward on Monday May 13 2019, @05:20AM (#842862)

    I don't understand why a bot is allowed to try gazillion passwords anyhow? Put the password engine behind a hardware firewall that throttles attempts, especially failed ones.

    • (Score: 2) by rob_on_earth on Monday May 13 2019, @12:44PM

      by rob_on_earth (5485) on Monday May 13 2019, @12:44PM (#842980) Homepage

      That is what I came to say.

      Back in 1999 all the websites I was involved with (developing) had password hammering (brute force) protection as well as SQL injection mitigation (stored procedures).

      These sites were for eCommerce not banking and security.

      Why have things

    • (Score: 2) by Pino P on Tuesday May 14 2019, @02:02AM

      by Pino P (4721) on Tuesday May 14 2019, @02:02AM (#843231) Journal

      Probably to reduce how many phone staff a service provider needs to keep standing by 24/7 for password resets should a legitimate user fat-finger his password too many times.
