It is not odd; they are still working to get the system up, so that users CAN ACTUALLY change their password.
http://ubuntuforums.org/ says it is still down.
Ubuntu Forums account information breached
Posted Jul 22, 2013 14:15 UTC (Mon) by farnz (guest, #17727)
Breach notification isn't just about changing my password on the breached site - it's also the point at which you tell me that if I've been foolish enough to use the same password in two places (which most people do), I need to change it in the other place, too. For example, if I used the same password for ubuntuforums.org and for my bank ("because Ubuntu is secure, so I don't need to worry"), I need to change my banking password ASAP.
Posted Jul 22, 2013 15:34 UTC (Mon) by drag (subscriber, #31333)
Having to memorize hundreds of passwords, one for each new website you join, is an impossible task. Having been told over and over again 'not to write down passwords' by so-called 'security experts' who really are completely and utterly ignorant of security... most people just resort to getting a password they think is really secure and then using it over and over again.
Given the fact that saying "Don't write down passwords", "Use secure passwords", "Use unique passwords" is just setting users up for failure, it's natural that they fail.
It's really the fault of the 'security culture' of misinformation and bad practices that is commonplace in computer-land.
You can't blame the 'average person' for listening to people who are purported as experts, but are not, but follow memes that are so widely repeated that most people just accept them as fact.
Posted Jul 22, 2013 15:57 UTC (Mon) by raven667 (subscriber, #5198)
Unfortunately I agree, most security practices are cargo-cult repetition of best security practices which were codified 20 years ago. Ideally security practices would be based on performing a thorough risk assessment process and then that would drive priorities on taking reasonable and appropriate measures to mitigate the risk to whatever level is acceptable to your organization. Without defining what is acceptable risk, what the risks are and how your mitigation strategies affect the total risk you aren't doing real security, you are just doing cargo-cult security.
Posted Jul 22, 2013 16:21 UTC (Mon) by lopgok (guest, #43164)
I have done some minor password cracking over the years. Now with GPU acceleration, very little is safe. I ended up changing all of my passwords to be unique and randomly generated. I use KeePass and a random password generator I wrote myself. For example, my lwn password is 20 characters long, and impossible for me to remember.
It is quite interesting the restrictions different sites place on passwords. Some have length limits that they don't publicize. Some have character restrictions they don't publicize. The most common limitation I have found is that no spaces are allowed. Some make it hard to find out where to go to change the password.
The random generation defeats all dictionary lists.
Not reusing passwords limits the exposure if a site does get compromised.
My passwords do resemble line noise, but that is a small price to pay for security.
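As an added illustration of the approach described in the comment above (this is not lopgok's own generator), the following Python generates a uniformly random password with the OS CSPRNG, honours the kind of unpublicized per-site limits mentioned (a length cap, no spaces, or letters and digits only), and reports the resulting entropy so one can see what a 20-character random password buys against dictionary and brute-force lists. The site names and limits are constructed for the example.

```python
import math
import secrets
import string

# Full printable alphabet: 95 characters including the space.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
# Letters and digits only, for sites that reject punctuation: 62 characters.
ALNUM_ALPHABET = string.ascii_letters + string.digits

# Constructed example of per-site rules (assumption: the sites and their
# limits are made up for illustration; real limits must be found per site).
SITE_RULES = {
    "example-forum": {"max_len": 20, "allow_space": False, "alphabet": DEFAULT_ALPHABET},
    "example-bank":  {"max_len": 16, "allow_space": False, "alphabet": ALNUM_ALPHABET},
}

def generate_password(max_len=20, allow_space=True, alphabet=DEFAULT_ALPHABET):
    """Return (password, entropy_bits).

    Each character is drawn independently and uniformly with secrets.choice,
    so the entropy is exactly max_len * log2(len(alphabet)); there is no
    structure for a dictionary or pattern-based attack to exploit.
    """
    if not allow_space:
        alphabet = alphabet.replace(" ", "")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not contain duplicate characters")
    password = "".join(secrets.choice(alphabet) for _ in range(max_len))
    return password, max_len * math.log2(len(alphabet))

def password_for(site):
    """Generate a password that fits the recorded restrictions of `site`."""
    rules = SITE_RULES[site]
    return generate_password(rules["max_len"], rules["allow_space"], rules["alphabet"])

if __name__ == "__main__":
    for site in SITE_RULES:
        pw, bits = password_for(site)
        print(f"{site}: {pw!r} ({bits:.1f} bits)")
```

Each generated password is stored in the password manager rather than memorized, which is the point of the comment: uniqueness per site is what limits the damage of a breach like this one.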
Posted Jul 22, 2013 22:37 UTC (Mon) by mathstuf (subscriber, #69389)
Posted Jul 23, 2013 9:56 UTC (Tue) by tialaramex (subscriber, #21167)
I say "just", this is clearly a ridiculously over-complicated system, but that's the price we pay for marginally better (email resets mean it can never be more than marginal) security in the face of interfaces designed for the appearance of convenience. Real authentication systems are too difficult for the zero friction experience that is desired by advertisers, and thus by the services they fund.
Posted Jul 23, 2013 15:21 UTC (Tue) by mathstuf (subscriber, #69389)
Well, this is what 2-factor authentication on email is for :) . Or SSL client certs if you run your own email.
As for using your phone, yeah, I'm aware the phone can fill the gap, but that doesn't mean it's the only solution. Plus, given the sync solutions available, services which encrypt the data would be nice (personally, I'm anxious for git-annex to be supported on Android).
Posted Jul 23, 2013 16:34 UTC (Tue) by raven667 (subscriber, #5198)
With the deployment of mobile computers and wireless data, needing to log in from some unknown computer is a fading use case.
Posted Jul 23, 2013 23:47 UTC (Tue) by lopgok (guest, #43164)
The best solution is a smartphone with keepass or something compatible with it. I do have a few memorized passwords.
However, I have a total of about 350 unique passwords, and there is no way to memorize all of them, with reasonable password complexity.
If I am logging in somewhere, I almost always have my notebook available, and I have keepass for it. If I don't have a notebook or smartphone, I am severely limited in what I can access. I think that is a reasonable tradeoff for my security. Beats getting my apple/ubuntu/sony account hacked.
Posted Jul 25, 2013 10:03 UTC (Thu) by pabs (subscriber, #43278)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.