Lots of articles popping up on the #stratfor leaks all over the web. Some good, some not that good. Just a few comments from me, until I eventually get the time to do a bigger blog post on the subject.
1. Written policies
Lots of websites have a written password policy. Many of them are just *stupid*, others are better. Very few are what I would call good policies, in terms of both usability and security. An example from the stupid side of password policies: "do not use any word from any wordlist. ever!".
2. Technical implementation
If they have a written policy, there is a rather high probability they haven't implemented it. Some "requirements" simply cannot be implemented; try implementing the example above. For English you would have to block words like Pneumonoultramicroscopicsilicovolcanoconiosis from being used as the whole or part of a password. More ideas on what to block? Look at Wikipedia for long passwords.
3. Choice of password hash algorithm
Many sites still store passwords in plaintext. In many cases this is easy to discover (your password is sent to you by plaintext e-mail), but site owners way too often don't care at all. IF they do implement some sort of hash algorithm to protect your password, it will probably be something "default", like MD5 without salting. This happens because the techies installing your shiny new website don't think and just use the default configuration. Nobody told them to do otherwise; they are on a strict budget with strict deadlines. The damage potential of leaked passwords being reused by their customers at other sites probably never crossed their minds at all.
4. Change of password hash algorithm
We have seen leaks where password hashes have been found in different formats. This suggests a change of algorithm occurred at some point in time, but little or no action was taken to move all users' passwords from the old (weak?) to the new (strong?) algorithm.
5. Password change frequency
Directly connected to the change of password hash algorithm, but there are many other aspects to this as well. I'll get back to this in a planned blog post later on.
Summarized:
Read the article "Don't blame users for bad passwords" by Robert Lemos for Infoworld, featuring Troy Hunt, myself and Cormac Herley of Microsoft Research. If the hackers can't crack your password, so what? They've got everything they need after a complete compromise such as #stratfor. I do not believe that #stratfor will be able to keep the hackers out again. Customers are bound to reuse their passwords, or eventually just do a +1 update to them, and so the hackers will gain access to multiple accounts again, at the very least.
The observation about written policy being inconsistent with technical implementation is a good one. It makes you wonder how much of a disconnect there is (was) between what is probably two discrete groups (IT and Legal).
It also goes to show how ultimately, legal statements like privacy policies are a thin veneer of assurance at best. Here's Stratfor's via the Internet Archive: http://troy.hn/rrDVWT
"we will not share your personally identifiable information outside of Stratfor"
That's not working out so well for them...
... and that inconsistency is a pretty common finding while doing audits, believe me. The privacy policy is something that is just "legal talk", I'd say it is pretty disconnected from reality in many cases.