Stronger Passwords, or Stronger Administrators?

We all know that the user cannot be trusted, because oftentimes the user is not concerned with security. Websites have been pushing users to choose stronger passwords for years, but silly passwords like “password” or “12345” are still common. The question for website administrators remains, “how can we ensure the security of the user?”

A study from Microsoft shows that the demands of website administrators are often ignored by the user. The push to get users to choose more complex passwords often fails. The study suggests that administrators should do more on their end to protect the user.

The authors suggest that a password that’s targeted in an online attack needs to be able to withstand no more than about 1,000,000 guesses.

Online attacks are the most common form of attack: users’ passwords are subjected to dictionary attacks against the live login page. However, security measures such as a limited number of password guess attempts cap the attacker’s success, and diligent administrator response to abnormally large amounts of login traffic limits it further. Therefore, the authors conclude that a password only needs to survive about a million guesses, as long as administrators have the proper security measures in place.
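As an added illustration (not part of the original post or the Microsoft study), the following Python sketch shows the administrator-side measures the paragraph describes: a per-account lockout that bounds how many online guesses an attacker can spend on one account per year, compared against the paper’s 1,000,000 figure, plus a simple check for a single source failing against many accounts. The 5-failures-per-15-minutes policy, the 10-account threshold and the login records are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed login records: (seconds since start, account, source, success).
# One source guesses repeatedly at "alice", then tries twelve other accounts;
# a second source is an ordinary user who mistypes once.
SAMPLE_ATTEMPTS = (
    [(t, "alice", "198.51.100.7", False) for t in range(8)]
    + [(8, "alice", "198.51.100.7", True)]   # correct guess, but the account is locked
    + [(20 + i, f"user{i}", "198.51.100.7", False) for i in range(12)]
    + [(30, "bob", "192.0.2.10", False), (31, "bob", "192.0.2.10", True)]
)

class LoginThrottle:
    """Per-account lockout: max_failures failed guesses inside `window`
    seconds lock the account for `lockout` seconds (assumed policy)."""
    def __init__(self, max_failures=5, window=900, lockout=900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> when the lock expires

    def attempt(self, ts, account, success):
        if self.locked_until.get(account, -1) > ts:
            return "locked"                  # not checked at all: no guess is spent
        recent = self.failures[account]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if success:
            recent.clear()
            return "ok"
        recent.append(ts)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = ts + self.lockout
            return "locked"
        return "failed"

    def guesses_per_year(self):
        """Upper bound on online guesses one attacker can spend on one account."""
        return self.max_failures * (365 * 86400 // self.lockout)

def flag_sources(attempts, max_accounts=10):
    """Detection side: sources whose failures spread over many distinct accounts."""
    accounts = defaultdict(set)
    for _, account, source, success in attempts:
        if not success:
            accounts[source].add(account)
    return {s for s, seen in accounts.items() if len(seen) > max_accounts}

def run(attempts):
    throttle = LoginThrottle()
    outcomes = [throttle.attempt(ts, acct, ok) for ts, acct, _, ok in attempts]
    return outcomes, throttle.guesses_per_year(), flag_sources(attempts)
```

With the assumed policy the bound is 175,200 guesses per account per year, well under the million-guess budget the paper uses, which is the point of putting the control on the administrator’s side.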

So how strong does a password need to be to stand a chance against a determined offline attack? According to the paper’s authors, it’s about 100 trillion guesses…

Offline attacks are harder to protect against once an attacker gets hold of a system’s back end. However, this is entirely the responsibility of the administrators. Once an administrator detects that the system has been breached, a reset of all users’ passwords should occur to ensure the safety of their accounts (so long as they haven’t already been compromised). But again, the responsibility for protecting the user is to be put in the hands of the administrators.

Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.

There is an apparent inconsistency in the quality of website administrators. With new breaches being announced almost weekly, there is more than enough proof to back this claim. Some websites remain well defended while others fall victim to attacks. Many administrators seemingly have given up on their end of defending the user, and have placed all of the responsibility in the hands of the user, who is not often a security professional (or even a person with a strong computer background). In a world of constant online attacks, website administrators should be stepping up their efforts to secure the systems they are supposed to protect, alongside their campaign for users to choose stronger passwords.

Source: http://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/

You May Soon Regret Sending that Snapchat

Snapchat has been quite popular among smartphone users in the past two years. It has given users the ability to send possibly embarrassing photos of themselves to others without the fear of anyone else seeing them ever again. For a while, Snapchat blocked the ability to screenshot the photos, and during that time, websites like SnapSaved have allowed users to secretly save every Snapchat that they receive.

That was great for users, until now. SnapSaved.com has announced that

[We] would like to inform the public that snapsaved.com was hacked… We had a misconfiguration in our Apache server. SnapChat has not been hacked, and these images do not originate from their database.

This can spell trouble for many people. With Snapchat being used by people of all ages and many of these people using SnapSaved.com, this is a huge privacy leak. Nearly two hundred thousand Snapchats were leaked.

A blogger named Kenny Withers has been keeping updated posts from 4chan about the leak, and claims that there is a 13 GB torrent of all the photos and videos. It is believed that a large number of these photos are of an intimate nature. This leak comes as a harsh reminder to users that even though it seems like the photo “disappears,” it really doesn’t go away.

You can read the original article here: http://nakedsecurity.sophos.com/2014/10/13/the-snappening-snapchat-images-flood-the-internet-after-snapsaved-com-hack/