Flaw in mail list compromises password file

There are a number of things that make passwords increasingly unusable. One of the biggest problems with passwords is that you're supposed to use different ones for different systems. It's a no-no to use the same password in multiple places because if one gets compromised, then the other systems are compromised.


In the recent compromise of the Full Disclosure mailing list, attackers got passwords and usernames, in this case e-mail addresses. If that is a corporate e-mail address, what is the likelihood (even on a security mailing list) that the same password would get you into the corporate VPN? Pretty high, I would think.


This points out the frailty of passwords. They increasingly look like a house of cards in the Internet age. Here's my solution (since not everyone is using WiKID's two-factor authentication solution): I have a set of passwords that I use. All are complex, meaning, for me, 8-12 random alphanumeric characters. I have one for personal non-secure sites (list servs, forums, developer programs, etc.), one for e-mail accounts (Yahoo, Gmail, Hotmail, etc.), one for personal financial sites (online banking, credit cards), one for non-root corporate PCs and one for root on my corporate PCs. Of course, we use WiKID for remote access to servers, etc. within WiKID.


This system works pretty well, but I often run into problems. Some sites want passwords that are more complex than mine. I also have multiple user names. Some sites won't let me use nowen or nickowen. At Gmail, I'm owen.nick. Some places want an e-mail address, so I give them one of my non-corporate addresses to keep the offers to a minimum. The worst are the sites that choose a password for you, then e-mail it to you. What is the point of that? There are plenty of less obnoxious ways to validate an e-mail address. At the AT&T Wireless developers site, they assigned my user name to me as wowen and then e-mailed me a password. I don't think I have been back.


Many people think that federated identity is an answer, but I don't think that's going to happen quickly, and when it does happen it will be where there is an economic incentive for the companies to share your information, which may not be in your best economic interest as a consumer.


One of the key benefits of WiKID is our ability to handle multiple "domain relationships", each individual and unaware of the others. You could use the same PIN across multiple sites, as each site is unaware of the others. In the unlikely event that your encrypted PIN is compromised on the hardened WiKID server, an attacker will still need to get your private key off your WiKID client. If they get your private key, they will still need to get your PIN and try it against the WiKID server. A brute force attack would quickly be noticed and the account deactivated.
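The two properties claimed above for the server side, that a PIN verifier stolen from one domain is useless at another and that guessing PINs against the server trips a lockout, can be simulated with nothing but the standard library. The following is an added illustration written for this page; it is not WiKID's code or protocol. The domain names, the user name, the sample PIN, the three-failure lockout threshold and the PBKDF2 iteration count are all assumptions chosen for the demonstration, and the client private key step is left out because it cannot be modelled faithfully without an asymmetric library.

```python
"""Hypothetical per-domain PIN verifiers with brute-force lockout.
Added illustration for this page; NOT WiKID's code or protocol."""
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3      # assumed lockout threshold
PBKDF2_ITERATIONS = 50_000   # assumed work factor


class DomainRelationship:
    """One site's view of its users. Each domain has its own random salt,
    so the same PIN enrolled at two domains yields two unrelated verifiers."""

    def __init__(self, name):
        self.name = name
        self.salt = os.urandom(16)
        self.verifiers = {}   # user -> stored PIN verifier
        self.failures = {}    # user -> consecutive failed attempts
        self.disabled = set() # users deactivated after too many failures

    def _derive(self, pin):
        # Domain name and per-domain salt both feed the KDF, so a verifier
        # lifted from one domain's server cannot be replayed at another.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(),
                                   self.salt + self.name.encode(),
                                   PBKDF2_ITERATIONS)

    def enroll(self, user, pin):
        self.verifiers[user] = self._derive(pin)
        self.failures[user] = 0

    def verify(self, user, pin):
        """True only for a correct PIN on an active account. Every failure
        counts toward lockout; a disabled account rejects even the right PIN
        until an administrator re-enables it."""
        if user in self.disabled or user not in self.verifiers:
            return False
        if hmac.compare_digest(self.verifiers[user], self._derive(pin)):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.disabled.add(user)
        return False


def brute_force(domain, user, candidates):
    """Attacker who holds the user's client but not the PIN: guess PINs in
    order and report how many guesses were tried before lockout."""
    tried = 0
    for guess in candidates:
        tried += 1
        if domain.verify(user, guess):
            return {"cracked": True, "attempts": tried}
        if user in domain.disabled:
            return {"cracked": False, "attempts": tried}
    return {"cracked": False, "attempts": tried}


def demo():
    """Enroll one user with one PIN at two domains, then attack one of them."""
    vpn = DomainRelationship("corp-vpn")   # hypothetical domain
    bank = DomainRelationship("bank")      # hypothetical domain
    pin = "4821"                           # constructed sample PIN
    vpn.enroll("nowen", pin)
    bank.enroll("nowen", pin)
    results = {
        "legit_login": vpn.verify("nowen", pin),
        "verifiers_differ": vpn.verifiers["nowen"] != bank.verifiers["nowen"],
        # a verifier stolen from the VPN server proves nothing to the bank
        "stolen_verifier_cross_domain": hmac.compare_digest(
            vpn.verifiers["nowen"], bank._derive(pin)),
    }
    attack = brute_force(vpn, "nowen", (f"{i:04d}" for i in range(10000)))
    results["brute_force_cracked"] = attack["cracked"]
    results["attempts_before_lockout"] = attack["attempts"]
    # once deactivated, even the real PIN is refused
    results["locked_out_rejects_correct_pin"] = not vpn.verify("nowen", pin)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the per-domain salt is that reusing one PIN does not create the cross-site exposure that reusing one password does: the verifier at each site is derived independently, so a dump of one site's table gives an attacker no shortcut at another. The lockout counter is what makes a short PIN survivable at all; without it, a four-digit PIN falls to at most ten thousand guesses.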


http://news.com.com/Flaw+in+mail-list+software+leaks+passwords/2100-1002_3-5571576.html
