Passwords, Backups and a false sense of security (julieng.me)
31 points by eliaskg on Aug 4, 2012 | hide | past | favorite | 31 comments



Generating hard passwords is actually kind of pointless.

Yes, a hard password means it's difficult to brute force the authentication or crack a password hash you've stolen. But if you just use unique passwords for each service you use, it multiplies the work required to crack all the accounts.

The biggest risk to your accounts and your data is simply having everything in one basket. The other biggest risk is saving passwords, but nobody wants to memorize a bunch of difficult passwords. So it's actually easier to have a whole bunch of kinda similar easy-to-remember passwords, so you don't have to save them.

See, if you use Windows, chances are you've had some malware before. And if you've had malware, everything you type, everything you've seen or stored, including live browsing sessions, is controlled by somebody else. So it doesn't really matter what your password is or how many you have if somebody's on your PC extracting your password database.

But nobody wants to think about that. So they craft themselves a false sense of security, using password generators and copying files to the ends of the earth. Truth is, if someone wanted to, they could probably ruin your day. The only safe backup is an offline backup, and the only safe password is one that's never saved anywhere.


Once you've chosen to use unique passwords everywhere (and you're insane not to these days), you're effectively committing to some form of password storage, so whether or not "hard passwords" are pointless, they're just easier. I just use 1Password to generate strong 16char passwords because it's easier/quicker than "thinking up something random enough and recording it somewhere suitable".

Sure, there's the "all eggs in one basket" problem with my 1Password database, but it's got a strong (~25char) pass phrase, and even then there's a class of passwords I store only in my head: my 3 banking passwords, my pgp key pass phrase, my root passwords, and my DNS registrar passwords.

One thing I think people often overlook is that your DNS registrar access credentials trump your email's two factor auth - if I can change your MX records, nothing you've done to secure your email account matters - I'll just get everyone to send your password reset requests to a mail server under my control…


The whole point of a password manager is that it is convenient. Sure, the database may be exposed to malware, but that applies to any password that gets used, so the additional risk is pretty small.


No, the additional risk is enormous. If they get your password database they get all of your passwords. If you don't use a password database, they only get the passwords you use, which (unless you sign into everything every day) should not be all of your passwords.


I would expect the malware to sit there quietly until it collected at least a few interesting passwords. So it sort of depends on what the attacker is trying to do and how many interesting accounts the attacked has.


Yeah, I figure you've got a good month before they do something with the collected accounts, or more depending on who they sold it to.

At the very least, never save a password to a critical account, such as a financial account or a root/administrator password. I could care less if someone takes over my Twitter and Facebook (if I had them) but am highly paranoid about accounts which will actually affect my life.


Just to chime in: The only safe back-up is actually more than one physical back-up, in more than one location.


"more than one physical back-up, in more than one location"

And to take that even one step further, one of the onsite versions that we do is to a fireproof drive. (Other versions are physically offsite as you mentioned).

Anyway, on the onsite version the fireproof drive is physically disconnected (USB) from the computer after the backup is complete. (It could be powered off, but that would spin it up and spin it down; it seems less detrimental not to do that.)

But it gets even better. There is also a hidden safe that contains hard drives only (which are encrypted). The safe is left unlocked (it's not physically attached and could be hauled away). In the unlocked safe, in addition to the hard drives, is some money (cash). The theory being that if someone breaks in and easily opens the safe (if they find it) they will take the money and leave the drives alone.

(This dates back to the same practice with cash registers: you leave a little money so the thief doesn't trash your place. I know this will raise questions as far as having a tempting cash stash, but it is known by only a select group of people, and there are pros and cons to any approach obviously.)


(It could be powered off, but that would spin it up and spin it down; it seems less detrimental not to do that.)

Uh, actually, you want to do that. First of all, spinning down does not do anything bad - it actually saves the life of the drive. Secondly, the whole point of backup tape robots is to constantly re-check tapes to see if they're readable, and report bad tapes to be replaced. You should really be turning off the drive, turning it back on, and doing a full disk block check to see if there's any corruption. Welcome to the nightmare that is backing up petabytes of enterprise data.

An unlocked safe? The whole point of a dummy safe is to make it seem like the real safe, so you keep it locked. And there's no reason they wouldn't take the extra two seconds to pick up some valuable intellectual property with their cash. What kind of crack are you people smoking, and what is your business so I can avoid it in the future?
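The comment above argues that a backup is only a backup once you have checked that it still reads back correctly. The following is an added example, not code from anyone in this thread: it records a SHA-256 manifest of a backup set and later verifies the set against it, reporting files that were corrupted in place and files that have gone missing. The directory layout and file contents are constructed for the demonstration; in real use the manifest would be stored separately from the drive it describes.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every regular file under `root` (relative path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Re-read every file named in `manifest` and return (corrupted, missing).

    Reading each file end to end is the point: a drive that mounts and lists
    its directory can still return wrong bytes for a file."""
    corrupted: List[str] = []
    missing: List[str] = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != expected:
            corrupted.append(rel)
    return sorted(corrupted), sorted(missing)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: write a small backup set, record its manifest,
    then corrupt one file in place and delete another, as bit rot or a bad
    copy would. Returns what verify_backup reports."""
    sample = {
        "docs/notes.txt": b"meeting notes\n",
        "keys/pubring.gpg": b"\x99\x01\x0d\x04",
        "photos/a.jpg": b"\xff\xd8\xff\xe0\x00\x10",
    }
    with tempfile.TemporaryDirectory() as backup:
        for rel, data in sample.items():
            full = os.path.join(backup, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(backup)
        # A single flipped byte is enough to fail the check.
        with open(os.path.join(backup, "photos/a.jpg"), "r+b") as fh:
            fh.seek(2)
            fh.write(b"\x00")
        os.remove(os.path.join(backup, "keys/pubring.gpg"))
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    corrupted, missing = demo()
    print("corrupted:", corrupted)
    print("missing:  ", missing)
```

Run it after each backup to record the manifest, and again on the schedule you would otherwise use to power up the offline drive; a non-empty result is the signal to re-copy from another replica while one still exists.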


"First of all, spinning down does not do anything bad - it actually saves the life of the drive."

That's your opinion; I disagree. And it's not the spin down anyway. It's the spin up. You've also got the cycle on the on/off switch, for that matter, as well as the power surge. Trivial, but it's there. All in all the solution is to cut the cord. You also don't know if we are doing this procedure 1 time per month or 7 times per hour. Do you? So you make an assumption on what you think we are doing.

"Secondly, the whole point of backup tape robots is to constantly re-check tapes to see if they're readable, and report bad tapes to be replaced."

What in the world are you talking about? We don't have "backup tape robots"; we have hard drives that we back up our data to. You have no idea how much data we are talking about, nor do you know what the purpose of the backup is. Thanks for your concern and assumptions.

"nightmare that is backing up petabytes of enterprise data"

You are solving a different problem than we are working on. We don't have petabytes of data.

"And there's no reason they wouldn't take the extra two seconds to pick up some valuable intellectual property with their cash."

Once again you are making assumptions as far as the thief we are protecting against. You don't know where we are located and you don't know anything about, once again, what we are protecting.

"What kind of crack are you people smoking, and what is your business so I can avoid it in the future?"

Seriously, who writes stuff like that?

Your comment illustrates what happens when people try to learn something from what they read online (as PG says, "don't believe what you read in online forums"). I've illustrated what we do, which fits a particular purpose. You do something else. Neither of us provides (in terms of either time or space) enough detail for anyone to decide for themselves; it only gives information so they can think further about this.


My definition of 'Safe' is: "Protected from or not exposed to danger or risk; not likely to be harmed or lost".

It's not likely both your live copy and offline, off-site, backup will be wasted at the same time. One is 'safe'. Two is redundant.


Instead of the program suggested in the OP, on the command line you can also do this to generate random passwords:

perl -le'print map { (a..z,a..z,0..9,"\$","!","-")[rand 65] } 1..pop' 7

Note this particular one only generates 7 digits with no UC. You can alter it to your taste or needs.

You can also wrap it in a shell script to generate a bunch in a row (in this case 10), like this:

for i in {1..10}
do
    perl -le'print map { (a..z,a..z,0..9,"\$","!","-")[rand 65] } 1..pop' 20
done

As an aside I don't like any web based site that generates passwords (nor do you need that as just shown) since there is no way to know if the passwords generated are being logged along with some identifying information.


# apt-get install pwgen
$ pwgen -1
enieQu3C
$ pwgen -1y
fa]m\e8O
$ pwgen -1sy 12
D[=,*j=65%

pwgen by default outputs a screenful of possible passwords. This is useful if two people are looking at the screen. The -1 flag limits the output to a single password.


For a secure password, you might want to use something with a better random seed: http://cpansearch.perl.org/src/GARY/Math-TrulyRandom-1.0/exa...


rand() is not cryptographically secure. You should not rely on it in security-sensitive situations.

http://perldoc.perl.org/functions/rand.html


Agree but as I said it also "only generates 7 digits with no UC" which is even worse. My point is simply that you can do this by the command line. And depending on what the purpose of the password is (and how difficult you want it to be) in many cases it fits the purpose.

If I were generating initial passwords for someone's email account, for example, I probably would also leave out digits and letters that are easily confused, like 0 and O and l and 1 and some other things, which isn't a best practice either but might be appropriate for other reasons.


Can you give a practical example of how this can become a problem if I use rand() to generate a password to be used on a website?


Many PRNGs only have 32 bits of state. If someone knows your settings (alphabet chosen and length) the max number of passwords to check is 4 billion.
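The perl one-liner earlier in the thread and the two replies about rand() are two halves of one point: the character set and length set an upper bound on password entropy, but a PRNG seeded from 32 bits of state caps it at 32 bits no matter how long the password is. The following is an added example written for this thread, not code posted by any of the commenters. It computes both bounds for the one-liner's alphabet (a-z listed twice, so letters are weighted double), shows that a seeded generator repeats its output, and generates the same style of password from the operating system's CSPRNG through Python's secrets module. UNIFORM_ALPHABET is a constructed alternative, not something the thread proposes.

```python
import math
import random
import secrets
from typing import Optional

# Alphabet of the perl one-liner in the thread: a-z listed twice, the digits
# and three symbols. That is 65 list entries but only 39 distinct characters,
# so a letter is twice as likely to be picked as a digit or a symbol.
PERL_ALPHABET = "abcdefghijklmnopqrstuvwxyz" * 2 + "0123456789" + "$!-"

# Constructed alternative for this example: every character listed once and
# upper case included, so each of the 65 characters is equally likely.
UNIFORM_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                    "0123456789" "$!-")


def alphabet_entropy_bits(alphabet: str) -> float:
    """Shannon entropy (bits) of one character drawn uniformly from the list
    entries of `alphabet`; duplicated entries add weight, not new choices."""
    counts = {}
    for ch in alphabet:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(alphabet)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def password_entropy_bits(alphabet: str, length: int,
                          prng_state_bits: Optional[int] = None) -> float:
    """Entropy of a `length`-character password drawn from `alphabet`.

    When the generator is a PRNG whose whole state comes from a seed of
    `prng_state_bits` bits, the output cannot carry more entropy than that
    seed, whatever the length. For a 32-bit seed that is the "4 billion
    candidates" bound mentioned in the thread."""
    raw = length * alphabet_entropy_bits(alphabet)
    if prng_state_bits is None:
        return raw
    return min(raw, prng_state_bits)


def seeded_password(seed: int, alphabet: str, length: int) -> str:
    """Password from a seeded, non-cryptographic PRNG (random.Random stands
    in for perl's rand()). The same seed yields the same password, which is
    why a small seed space makes the output enumerable."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


def secure_password(alphabet: str, length: int) -> str:
    """Password from the operating system's CSPRNG via the secrets module.
    There is no seed to recover; each character is an independent draw."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("perl alphabet, 8 chars, unbounded generator: %.1f bits"
          % password_entropy_bits(PERL_ALPHABET, 8))
    print("same, from a 32-bit-seeded PRNG:             %.1f bits"
          % password_entropy_bits(PERL_ALPHABET, 8, prng_state_bits=32))
    print("secure 16-char password:", secure_password(UNIFORM_ALPHABET, 16))
```

The numbers make the reply above concrete: eight characters from the one-liner's alphabet are worth about 41.8 bits on paper, but through a 32-bit-seeded rand() they are worth 32, and lengthening the password does not change that second figure. Only switching the source of randomness does.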


Or use apg: http://www.adel.nursat.kz/apg/ (installable via apt/yum/brew)


What about the password manager of Firefox? It seems to be better at remembering passwords from signup, so the only missing ingredient seems to be generating a random password upon signup.


Last time I checked, Firefox saved passwords in plain text. Has that changed?


Firefox is perfectly capable of encrypting the passwords you save -- you simply have to set a master password for your keyring.


Not if you use a master password.


You might also want to try "Super Duper" which allows you to clone an entire Mac disk very easily. You can then test the backup by booting from the disk. It's also helpful when installing a new OS. Clone your existing disk, install the new OS on the clone (or on the original knowing you have an exact clone if anything goes wrong).


I'm a little disappointed how this article and many of the comments here ignore the specifics of what actually happened.

Yes "use different passwords" and "use a password manager" are good general advice. But this blog post expressly uses a specific case - the Honan hack - as a case study, without highlighting the one major lesson from that case.

The actual problem most strongly highlighted by the Honan case is that your Gmail account is only as strong as the "backup email address" it is tied to. Honan's problem has nothing to do with using the same password -- he /had/ different passwords, as you know if you read his post carefully. Problem is, his iCloud email was his Gmail backup email, and Gmail apparently allows arbitrary persons to instantly take over an account as long as they control the backup email. No waiting period, no warning email to the Gmail account, no SMS notification. Yes, this can be fixed with two-factor auth (apparently), but by default that is off, and by default Google badgers you about setting up a backup email address until you do so. By default Google does not badger you about two-factor auth.

The other big issue highlighted by the Honan case is that it is way too easy for bad guys to wipe your Apple devices. In retrospect, it really seems like there should be more between having your laptop, phone, and tablet wiped than a single password. At the very least, a security question, but ideally something like a credit card number (compared against a stored hash), confirmation SMS to a pre-registered backup phone (spouse's phone, friend's phone, relative's phone, etc) or a confirmation robo-call to a work phone number.

If you think about it, it's a little insane that you can protect your Gmail with two-factor auth but you can't protect your laptop the same way.

Maybe a password manager would have encouraged Honan to use a stronger iCloud password, and maybe a stronger iCloud password would have prevented this attack, but that's not established because we don't know how the attack was pulled off. It was a seven char alphanumeric password and the attacker specifically told Honan it was not a brute force attack.
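The comment above and the earlier remark about DNS registrar credentials make the same structural point: an account is only as strong as whatever can reset it, and the weak link is often several hops away. The following is an added example, not code from the thread or from any vendor: a small constructed model of recovery dependencies (iCloud address as Gmail backup, Twitter resetting through Gmail, a registrar login that lets mail be redirected) and two functions that walk it, one to list everything that falls with a single credential and one to rank credentials by that blast radius. The account names and edges are placeholders for the scenario described, not a description of any real provider's flow.

```python
from typing import Dict, List, Set, Tuple

# Constructed model: each key maps to the set of things whose holder can
# take it over. Names are placeholders built from the thread's examples.
RECOVERY: Dict[str, Set[str]] = {
    "icloud-password":    set(),                 # a root credential
    "icloud":             {"icloud-password"},   # one password: login and remote wipe
    "icloud-mail":        {"icloud"},
    "gmail":              {"icloud-mail"},       # iCloud address set as the backup email
    "twitter":            {"gmail"},             # reset links land in Gmail
    "registrar-password": set(),
    "registrar":          {"registrar-password"},
    "work-mail":          {"registrar"},         # an MX change captures reset mail, 2FA or not
}


def compromised_by(recovery: Dict[str, Set[str]], start: str) -> Set[str]:
    """Everything an attacker holding `start` can take over, transitively."""
    owned: Set[str] = set()
    frontier = [start]
    while frontier:
        node = frontier.pop()
        if node in owned:
            continue
        owned.add(node)
        for account, resets in recovery.items():
            if node in resets and account not in owned:
                frontier.append(account)
    owned.discard(start)
    return owned


def blast_radius(recovery: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Rank each node by how many others fall with it. The top entries are
    the credentials that deserve a memorised password and a second factor,
    whatever the accounts further down the chain are protected with."""
    ranked = [(node, len(compromised_by(recovery, node))) for node in recovery]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def decouple(recovery: Dict[str, Set[str]], account: str,
             new_root: str) -> Dict[str, Set[str]]:
    """Copy of the graph where `account` recovers only through `new_root`,
    e.g. a backup address that shares nothing with the rest of the chain."""
    updated = {k: set(v) for k, v in recovery.items()}
    updated[account] = {new_root}
    updated.setdefault(new_root, set())
    return updated


if __name__ == "__main__":
    for node, count in blast_radius(RECOVERY):
        print(f"{node:20s} takes down {count} other account(s)")
    print("after decoupling gmail:",
          sorted(compromised_by(decouple(RECOVERY, "gmail", "separate-address"),
                                "icloud-password")))
```

In the constructed graph the iCloud password has the largest blast radius even though it is never typed into Gmail or Twitter; moving Gmail's backup address onto something independent cuts the chain at that point, which is the fix the comment is asking for.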


"The other big issue highlighted by the Honan case is that it is way too easy for bad guys to wipe your Apple devices. In retrospect, it really seems like there should be more between having your laptop, phone, and tablet wiped than a single password. At the very least, a security question, but ideally something like a credit card number (compared against a stored hash), confirmation SMS to a pre-registered backup phone (spouse's phone, friend's phone, relative's phone, etc) or a confirmation robo-call to a work phone number."

That depends a lot on what kind of threats you're trying to protect yourself against. I suspect there are a lot of people for whom the correct response to a misplaced phone/laptop is "remote wipe immediately - if it turns up in the back seat of my car I'll just restore from backup - if it was left in a plane/taxi/competitor's-office/deacon I want everything on it wiped _right now_!"

I bet if pg lost a laptop with emails/documents about current and prospective YC deals or exits, he'd rather not have to wait till an office-hours robo-call gave him a remote-wipe PIN.

It didn't work out for @mat, but I think "good backups and easy remote wipe" is a better default than "making remote wipe harder just in case your backups don't exist."


I don't think generating more complex passwords will completely solve the problem.

The problem is using only one cloud service for your data.

Basically, don't put all your eggs in one basket. I always recommend replicating all your data and files to another cloud service which has different security characteristics. For example, if you use Google Docs and Evernote, replicate everything to a separate Dropbox or Google Drive account (using cloudHQ or some other system). Doing offline backups manually is also a solution, but it is easier just to replicate everything to a separate Dropbox account and Dropbox will put everything on your PC; you can map that Dropbox account to an external drive.


A second on Super Duper - I do this at least once a month to have a completely cloned system on an external USB Drive. Equally important - take the USB drive off site! I plan to buy a 1TB drive every six months so that I can take a complete clone to my cabin, just in case of a disastrous fire at my house. That's in addition to Time Machine, Dropbox, etc.


[dead]


Alright, so ignoring your (poorly executed) trolling, this actually is an important issue. Whether or not you approve, a lot of people use products that leave them vulnerable to situations like the one described in the other post. What's your objection to posts describing safer operating procedures?


That they are being delivered in the context of one person's utter incompetence.


Does the catalyst really matter?



