Avoiding password reuse defeated by accidents


scarecrovv
It's pronounced 'double u'
Posts: 674
Joined: Wed Jul 30, 2008 4:09 pm UTC
Location: California

Avoiding password reuse defeated by accidents

Postby scarecrovv » Sat Jul 13, 2013 4:23 pm UTC

It is often pointed out that reusing passwords is a bad idea. The theory is that different computers and services should have different passwords, so that if one is compromised the rest remain secure. I follow this advice, and I have a different password for each system where security matters. Because I use all these systems regularly, and type the passwords daily, the passwords are stored in muscle memory, and I can type them all without thinking. Unfortunately, because I can type them without thinking, I often do exactly that, and type the password for system A into system B by accident.

While I have no particular reason to suspect that system B is compromised, if it was compromised hypothetically, then the attacker could make a list of all the things I accidentally type into the password field, and thereby find the password for system A. This defeats the purpose of having different passwords. Does anybody else have this problem, and do you have any suggestions for increasing my attentiveness at the password prompt?

Snark
Posts: 425
Joined: Mon Feb 27, 2012 3:22 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby Snark » Sat Jul 13, 2013 4:39 pm UTC

Make the first two characters of each password the first two characters of the site name. Should hopefully prevent typing GO******** anywhere except Google.
Dashboard Confessional wrote:I want to give you whatever you need. What is it you need? Is it within me?


Avatar by Matt

SlyReaper
inflatable
Posts: 8015
Joined: Mon Dec 31, 2007 11:09 pm UTC
Location: Bristol, Old Blighty

Re: Avoiding password reuse defeated by accidents

Postby SlyReaper » Sat Jul 13, 2013 5:30 pm UTC

Snark wrote:Make the first two characters of each password the first two characters of the site name. Should hopefully prevent typing GO******** anywhere except Google.

Note to self: the first two letters of snark's forum account are "x" and "k".
What would Baron Harkonnen do?

Snark
Posts: 425
Joined: Mon Feb 27, 2012 3:22 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby Snark » Sat Jul 13, 2013 5:31 pm UTC

I don't actually use that system. :P
Dashboard Confessional wrote:I want to give you whatever you need. What is it you need? Is it within me?


Avatar by Matt

elasto
Posts: 3568
Joined: Mon May 10, 2010 1:53 am UTC

Re: Avoiding password reuse defeated by accidents

Postby elasto » Sat Jul 13, 2013 5:38 pm UTC

Using a password manager is always an option.

skeptical scientist
closed-minded spiritualist
Posts: 6142
Joined: Tue Nov 28, 2006 6:09 am UTC
Location: San Francisco

Re: Avoiding password reuse defeated by accidents

Postby skeptical scientist » Sat Jul 13, 2013 6:18 pm UTC

Accidentally typing the wrong password is nowhere near as risky as using the same password.

Sure, if the xkcd forums turn out to be an elaborate datamining operation for identity theft, accidentally typing your bank password when you want to log in once is just as bad as using your bank password as your xkcd forum password. But my guess is that the people who run the forums do not have any ill-intent. The main danger with using the same password as your bank password is that the xkcd forums are also probably not as security conscious as your bank, and someone might decide to hack the xkcd forums, steal their password database, and use those passwords to break into online accounts. (Hopefully the xkcd forums only stores a cryptographically secure salted hash of your password rather than your actual password, but you can't assume that will be the case for every website you use that requires a login.)

So if your password for the xkcd forums is your bank password, and someone knows your bank login info (or can guess it), if they hack the forums you're effed. But if you accidentally type in your password once, you're fine (assuming the xkcd forums don't store mistyped passwords, and they haven't been hacked yet and had an incorrect-password-logger installed).

However, it is still risky. That's why you should change a really sensitive password if you accidentally type it into the wrong website even once.
I'm looking forward to the day when the SNES emulator on my computer works by emulating the elementary particles in an actual, physical box with Nintendo stamped on the side.

"With math, all things are possible." —Rebecca Watson

Derek
Posts: 2179
Joined: Wed Aug 18, 2010 4:15 am UTC

Re: Avoiding password reuse defeated by accidents

Postby Derek » Sun Jul 14, 2013 6:25 am UTC

Incidentally, my work computers will detect if I type my work password into any non-internal site, and trigger a mandatory password reset.

Secure, yes, but also quite obnoxious. Especially when an internal link takes you to an external contracted-out page and you type your work password in without realizing it.

Xanthir
My HERO!!!
Posts: 5330
Joined: Tue Feb 20, 2007 12:49 am UTC
Location: The Googleplex

Re: Avoiding password reuse defeated by accidents

Postby Xanthir » Sun Jul 14, 2013 1:34 pm UTC

Mine too, but given the very real data security attacks we face regularly (at Google), I think it's reasonable for the cost.

My muscle-memory issues are helped by the fact that I only memorize three passwords - my work password, my email/personal-computer-login password, and the master password I use to generate everything else. This means I only have a handful of things that I ever type a password into manually; everything else gets a copypaste.
(defun fibs (n &optional (a 1) (b 1)) (take n (unfold '+ a b)))

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby WarDaft » Mon Jul 15, 2013 12:13 am UTC

One would think that a system which can detect when you've entered the wrong password in the wrong place and force you to change it... could also stop you from submitting it in the first place.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

Derek
Posts: 2179
Joined: Wed Aug 18, 2010 4:15 am UTC

Re: Avoiding password reuse defeated by accidents

Postby Derek » Tue Jul 16, 2013 1:04 am UTC

WarDaft wrote:One would think that a system which can detect when you've entered the wrong password in the wrong place and force you to change it... could also stop you from submitting it in the first place.

That's an interesting point. I don't know how the system is implemented, so I don't know if that would be viable.

skeptical scientist
closed-minded spiritualist
Posts: 6142
Joined: Tue Nov 28, 2006 6:09 am UTC
Location: San Francisco

Re: Avoiding password reuse defeated by accidents

Postby skeptical scientist » Tue Jul 16, 2013 1:59 am UTC

Derek wrote:
WarDaft wrote:One would think that a system which can detect when you've entered the wrong password in the wrong place and force you to change it... could also stop you from submitting it in the first place.

That's an interesting point. I don't know how the system is implemented, so I don't know if that would be viable.

It could stop you from submitting it, but not from typing it. Your password is potentially compromised the moment you type it into a webform on an untrusted website, even if you don't actually submit it, so that wouldn't really help.

I suppose the work computers could try to detect when you were starting to type your password into a non-trusted site and then warn you before you finished. However for security reasons a system that did this would need to increase the minimum password length to ensure whatever remained of the password after the warning was triggered still provides sufficient security. So such a system would probably have more cons than one which simply detects when the work password has been entered on an untrusted site to force an immediate password reset.
I'm looking forward to the day when the SNES emulator on my computer works by emulating the elementary particles in an actual, physical box with Nintendo stamped on the side.

"With math, all things are possible." —Rebecca Watson

WarDaft
Posts: 1583
Joined: Thu Jul 30, 2009 3:16 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby WarDaft » Wed Jul 17, 2013 4:13 pm UTC

Or just not submit any prefix of your password until it knows you're not typing it in full.
All Shadow priest spells that deal Fire damage now appear green.
Big freaky cereal boxes of death.

skeptical scientist
closed-minded spiritualist
Posts: 6142
Joined: Tue Nov 28, 2006 6:09 am UTC
Location: San Francisco

Re: Avoiding password reuse defeated by accidents

Postby skeptical scientist » Thu Jul 18, 2013 2:10 am UTC

WarDaft wrote:Or just not submit any prefix of your password until it knows you're not typing it in full.

If your computer can decide whether an arbitrary string is a prefix of your password, it knows your password. This is a potential security issue, since if someone steals your computer they will get your password. Most computer security systems (for sensitive systems, anyways) are designed so that your password is never stored anywhere (even trusted computers) except in short-term memory; only a secure hash is stored so that it's possible to verify that a given password is correct.

Passwords should only be stored when the convenience-vs-security tradeoff is understood and accepted. Here we are specifically talking about systems where security is a high priority.
I'm looking forward to the day when the SNES emulator on my computer works by emulating the elementary particles in an actual, physical box with Nintendo stamped on the side.

"With math, all things are possible." —Rebecca Watson

mr-mitch
Posts: 477
Joined: Sun Jul 05, 2009 6:56 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby mr-mitch » Fri Jul 19, 2013 8:01 am UTC

skeptical scientist wrote:
WarDaft wrote:Or just not submit any prefix of your password until it knows you're not typing it in full.

If your computer can decide whether an arbitrary string is a prefix of your password, it knows your password. This is a potential security issue, since if someone steals your computer they will get your password.


I'm not too sure that is the case, but it can significantly weaken security. For example you can hash every prefix of the string, and you can determine if a string is a prefix by checking it against the hash corresponding to the same length; which doesn't require the original password. That said, if you know all of the hashes, it reduces the work to find out the password 26n instead of 26^n (assuming 26 is the size of the alphabet and n is the length of the password); so you're probably not going to want to do that. Being able to test if it is a prefix with length k, divides the space of passwords "in half".

As long as your password is massive, and the prefix is small enough (and only one given length), it should be ... okay.

scarecrovv
It's pronounced 'double u'
Posts: 674
Joined: Wed Jul 30, 2008 4:09 pm UTC
Location: California

Re: Avoiding password reuse defeated by accidents

Postby scarecrovv » Fri Jul 19, 2013 11:26 am UTC

Indeed, if you know that the password is 100 characters long, but you have a hash for the first character, the first two characters, the first three characters, etc, then you can break it really easily by trying out every possible first character until you get it, then every possible second character once you're certain of the first character, etc.

I like the idea of prefixing the password with the hostname or another identifying string (but not reducing the length of the secret part of the password). I may try that in the future.

skeptical scientist
closed-minded spiritualist
Posts: 6142
Joined: Tue Nov 28, 2006 6:09 am UTC
Location: San Francisco

Re: Avoiding password reuse defeated by accidents

Postby skeptical scientist » Fri Jul 19, 2013 9:48 pm UTC

mr-mitch wrote:I'm not too sure that is the case, but it can significantly weaken security. For example you can hash every prefix of the string, and you can determine if a string is a prefix by checking it against the hash corresponding to the same length; which doesn't require the original password. That said, if you know all of the hashes, it reduces the work to find out the password 26n instead of 26^n (assuming 26 is the size of the alphabet and n is the length of the password); so you're probably not going to want to do that.

That is exactly what I meant by "knows your password". If the computer can check whether an arbitrary string is a prefix of your password, it can quickly compute it. The algorithm you describe is fast enough to carry out by hand. I obviously didn't mean the literal string had to be stored in memory.
I'm looking forward to the day when the SNES emulator on my computer works by emulating the elementary particles in an actual, physical box with Nintendo stamped on the side.

"With math, all things are possible." —Rebecca Watson

jareds
Posts: 436
Joined: Wed Jan 03, 2007 3:56 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby jareds » Sat Jul 20, 2013 2:11 am UTC

Finding a password character-by-character calls for the classic Tenex password story.

jaap
Posts: 2085
Joined: Fri Jul 06, 2007 7:06 am UTC

Re: Avoiding password reuse defeated by accidents

Postby jaap » Sun Jul 21, 2013 4:06 pm UTC

Not quite character by character, but I cracked the password hashing system of the Psion Organiser (series II, LZ models) due to a similar flaw. It used an 8 character/byte password which was turned into an 8 byte hash. However, two of the bytes of the hash depended only on 4 bytes of the password. Therefore you could easily brute-force 4 characters first (only 53^4 possibilities since passwords were upper case only!), and only if they gave the correct two bytes of the hash, brute-force the other 4 characters. Even back in the late 1980s / early 1990s, this would not have taken long.
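A worked illustration of the point made by mr-mitch, scarecrovv and jaap above, added here and not part of any post: once a verifier can check parts of a secret independently (one hash per prefix, or hash bytes that depend on only half the characters), brute force drops from alphabet^n to a sum of much smaller searches. The hash function, the per-chunk modelling of the Psion flaw, and the sample passwords are all constructed for this example.

```python
"""Toy: independently verifiable parts of a secret collapse the search space."""
import hashlib
import itertools
import string

ALPHABET = string.ascii_uppercase  # 26 symbols, matching the thread's 26^n estimate


def h(s: str) -> str:
    # Any hash works here: the weakness is in *what* is hashed, not in the function.
    return hashlib.sha256(s.encode()).hexdigest()


def prefix_hashes(password: str) -> list[str]:
    """The scheme debated above: one hash per prefix, so a device can tell whether
    a typed string is a prefix of the password without holding the password."""
    return [h(password[:k]) for k in range(1, len(password) + 1)]


def recover_from_prefix_hashes(hashes: list[str]) -> tuple[str, int]:
    """Extend one character at a time; each position costs at most len(ALPHABET) guesses."""
    found, guesses = "", 0
    for target in hashes:
        for c in ALPHABET:
            guesses += 1
            if h(found + c) == target:
                found += c
                break
        else:
            raise ValueError("no character matched; alphabet assumption is wrong")
    return found, guesses


def chunk_hashes(password: str, chunks: list[tuple[int, ...]]) -> list[str]:
    """Psion-style flaw, modelled as a separate hash over each chunk of positions
    (constructed toy; the real device leaked two hash bytes that depended on only
    four of the eight characters)."""
    return [h("".join(password[i] for i in idx)) for idx in chunks]


def recover_from_chunk_hashes(hashes, chunks, length: int) -> tuple[str, int]:
    """Search each chunk on its own: cost is the sum, not the product, of chunk spaces."""
    found, guesses = [None] * length, 0
    for idx, target in zip(chunks, hashes):
        for cand in itertools.product(ALPHABET, repeat=len(idx)):
            guesses += 1
            if h("".join(cand)) == target:
                for i, c in zip(idx, cand):
                    found[i] = c
                break
    return "".join(found), guesses


def worst_case_guesses(chunk_sizes: list[int]) -> int:
    """A single hash over everything is one chunk of size n: 26^n guesses."""
    return sum(len(ALPHABET) ** s for s in chunk_sizes)
```

Compare `worst_case_guesses([8])` with `worst_case_guesses([4, 4])` for jaap's 8-character case, or `worst_case_guesses([1] * n)` for the prefix-hash scheme, to see the 26^n versus 26n gap mr-mitch describes.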

3rdtry
Posts: 152
Joined: Sat Feb 16, 2013 1:46 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby 3rdtry » Sat Aug 17, 2013 10:46 am UTC

jaap wrote:Not quite character by character, but I cracked the password hashing system of the Psion Organiser (series II, LZ models) due to a similar flaw. It used an 8 character/byte password which was turned into an 8 byte hash. However, two of the bytes of the hash depended only on 4 bytes of the password. Therefore you could easily brute-force 4 characters first (only 53^4 possibilities since passwords were upper case only!), and only if they gave the correct two bytes of the hash, brute-force the other 4 characters. Even back in the late 1980s / early 1990s, this would not have taken long.


Sounds a lot like what they did with WPS.

And by the way, I use Hashapass for passwords on important sites. It uses standard cryptographic hashes so if the site goes down you can still get your passwords. For extra security save the page locally so that nobody can tamper with the JavaScript.

Moose Anus
Posts: 397
Joined: Fri Oct 14, 2011 10:12 pm UTC

Re: Avoiding password reuse defeated by accidents

Postby Moose Anus » Mon Aug 19, 2013 11:13 pm UTC

I think I have to change the combination on my luggage.
Lemonade? ...Aww, ok.
