[tech] Password, password, what have you heard? - Lakeshore — LiveJournal
An author of no particular popularity

Jay Lake
Date: 2013-06-28 07:33
Subject: [tech] Password, password, what have you heard?
Security: Public
Tags: tech
As you might imagine, I've been doing an enormous amount of work lately on various Web sites. Banking, financial services, health insurance, disability insurance, Social Security, and so forth.

One thing which has surprised me considerably (though it's hardly news) is the number of Web sites dealing with healthcare and financial information that have weirdly simple password rules. Some have eight- or twelve-character limits. Many will not allow any non-alphanumeric characters, so the user cannot include characters such as *, &, _, !, and so forth, which in turn means the passwords are much more easily hacked. Some are not case sensitive.

It's a very weird mishmash of standards which will make any coder, or anyone with even a passing understanding of security, cringe.

I really don't get this.

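To make the complaint concrete, here is an added example (not from the post) that models the two kinds of rule in code: a RESTRICTIVE policy with the limits described above (short maximum length, alphanumerics only, case folded) and a PERMISSIVE one of the kind a defender would actually want. Both policy dictionaries, the function names and the sample passwords are constructed for this illustration. The entropy figure is an upper bound on what a uniformly random password could carry at the policy's maximum length, which is what a site's rules cap regardless of how careful its users are.

```python
import math
import string

# Two password policies, constructed for this example.  RESTRICTIVE mirrors the
# rules the post complains about; PERMISSIVE is the sane alternative: a long
# maximum, any printable character, case preserved.
RESTRICTIVE = {"min_len": 6, "max_len": 8, "alphanumeric_only": True, "case_sensitive": False}
PERMISSIVE = {"min_len": 12, "max_len": 128, "alphanumeric_only": False, "case_sensitive": True}


def normalize(password, policy):
    """A case-insensitive site effectively stores and compares the folded form,
    so that folded form is what it really protects."""
    return password if policy["case_sensitive"] else password.lower()


def validate(password, policy):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    if policy["alphanumeric_only"] and not password.isalnum():
        problems.append("contains non-alphanumeric characters")
    return problems


def alphabet_size(policy):
    """Number of distinct characters the policy actually lets a user choose from."""
    chars = string.digits + string.ascii_lowercase          # 36
    if policy["case_sensitive"]:
        chars += string.ascii_uppercase                     # +26
    if not policy["alphanumeric_only"]:
        chars += string.punctuation                         # +32
    return len(chars)


def max_entropy_bits(policy):
    """Upper bound, in bits, on the entropy of a uniformly random password at the
    policy's maximum length: max_len * log2(alphabet)."""
    return policy["max_len"] * math.log2(alphabet_size(policy))


if __name__ == "__main__":
    sample = "Tr0ub4dor&3"   # constructed sample password
    for name, policy in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE)):
        print(f"{name}: alphabet={alphabet_size(policy)} "
              f"max_bits={max_entropy_bits(policy):.1f} "
              f"sample -> {validate(sample, policy) or 'accepted'}")
```

Run as a script it prints the alphabet size, the entropy ceiling and the verdict on the sample password for each policy; the restrictive policy tops out around 41 bits for an eight-character password, which is the regime where offline guessing against a leaked hash is cheap.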
a_cubed
User: a_cubed
Date: 2013-06-28 14:58 (UTC)
Subject: (no subject)
If you (or other regular readers) really want, I can point you to numerous papers about the weaknesses of these systems, why we still use passwords, all sorts of alternatives (and analyses of why they haven't been adopted), and also about some of the counterintuitive elements of the "strong" password requirements and how in many cases they leave many users with weaker passwords despite their rules.
Security and privacy are hard, usability is hard. Usable security and privacy are not just double-hard but hard-squared.

a-cubed, chair of USEC 13, the 2013 Workshop on Usable Security.



Dan/Дмитрий: The Sign at the End of the Universe
User: icedrake
Date: 2013-06-29 01:56 (UTC)
Subject: (no subject)
The only ones I'm aware of are passphrases (admittedly because I've never made the concerted effort to look into the subject).



User: joycemocha
Date: 2013-06-28 15:22 (UTC)
Subject: (no subject)
It's surprising, especially given HIPAA confidentiality snake dances. I always cringe when my paperwork process involves HIPAA issues, because that triples the amount of time I have to spend on that one case--and it's all around that HIPAA confidentiality stuff.



Debbie N.
User: wild_irises
Date: 2013-06-28 16:09 (UTC)
Subject: (no subject)
*nods*

My work insists that passwords be 9 or 10 characters long and contain no double letters. My security-minded friends say this is a very bad policy.



Julie, JulieInTheGreen, "Squire!": Tina Tech Writer
User: brickhousewench
Date: 2013-06-28 16:09 (UTC)
Subject: (no subject)
As someone who has worked in the software industry for a decade, I can tell you that the two industries that MOST need to guard their data (medical and financial) are the two industries that are slowest to upgrade their systems. I don't know if it's fear of change, their desire to hold off on upgrading until they've thoroughly tested a new system, or just plain foolish penny pinching to keep costs down, but I've seen it over and over again. I keep asking at my current job why we still support Internet Explorer 6 for our product, and it's because one of our customers (a financial company) is still using a browser so buggy that even Microsoft themselves tells you not to use it.



Jay Lake
User: jaylake
Date: 2013-06-28 16:16 (UTC)
Subject: (no subject)
I also work a lot with both the financial and medical industries in my Day Jobbe. My experience is that the conservatism comes in part from liability fears. A system which at any point was approved is essentially grandfathered for liability purposes, even if now seriously outdated. Making any change, even one undeniably to the better, strips away that safe harbor and opens the door to major liability issues.

Secondly, both those industries are heavily regulated, and regulation tends to be very conservative (in the linguistic sense, not the political sense). Look at the ongoing role of faxes in many medical records transactions. That's been an obsolete method of complex data transmittal since at least the EDI days of 1990s, let alone decent, secure Web services data exchange. But a lot of compliance issues around Medicare/Medicaid regs, and state-based medical regulation, require the fax in lieu of a paper original. An electronic transmission simply doesn't comply. I cannot even get my clinic to electronically transmit a prescription to my pharmacy -- the systems at both ends are fully software-based, but the prescription has to be faxed to provide that paper trail.

So yeah, crazy stuff.



Msconduct
User: msconduct
Date: 2013-06-28 23:50 (UTC)
Subject: (no subject)
This doesn't surprise me in the least. I co-own a database consultancy, and at the multiple sites we have gone onto, security is invariably appalling. Common example: everybody including casual users using the same administrator-level ID and password, so that there's little security and no traceability. If we point security flaws out, the news is met with utter indifference - even *after* they've had terrifying security failures. And we work with corporates, not small companies who are beginners in this kind of thing. Granted, IT is pretty bodgy in New Zealand due to the paucity of people who know what they're doing - it's the wild frontier. Perhaps things are better in the US. I certainly hope so.



Msconduct
User: msconduct
Date: 2013-06-28 23:52 (UTC)
Subject: (no subject)
PS: my business partner urges me to add that when I say "terrifying security failure" I mean "theft of $120 million". And they still did nothing!



russ: lyles constant
User: goulo
Date: 2013-06-29 07:37 (UTC)
Subject: (no subject)
Yes, it is crazy idiotic and frustrating how so many websites, especially financial institutions, force you to use weak passwords, typically by enforcing pointlessly low maximum lengths (e.g. only 8 or 12 characters) and arbitrarily not permitting various non-alphanumeric (yet ordinary ASCII) "special" characters. And often they don't even clearly define what their password rules are, or their information is incomplete or incorrect or even inconsistent on different pages, so one must experiment by trial and error to make as strong a password as possible.

To say nothing of how many sites don't STORE the passwords securely, i.e. instead of storing strong slow-to-compute one-way hashes, they simply store quick MD5 hashes, or decryptable encryptions of the passwords, or even simply store them in plain text.
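The storage point in the comment above, as an added example that is not part of the thread: a deliberately slow, salted PBKDF2-HMAC-SHA256 record beside the unsalted MD5 record the comment warns about, plus the upgrade-on-login step a site needs when it already holds the weak kind. Everything here uses only the Python standard library; the record format (`scheme$iterations$salt$digest`), the function names and the iteration count are this example's own choices, not a description of any particular site.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256.  A slow hash makes every guess cost the
# attacker roughly what it costs the site; MD5 makes guesses nearly free.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme, work factor, per-user salt, digest.
    The salt makes identical passwords produce different records and defeats
    precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def legacy_md5_record(password):
    """The kind of record the comment complains about: unsalted and fast.
    Present here only so the upgrade path below has something to migrate."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify(password, record):
    """Check a password against either record format, using a constant-time compare."""
    scheme, _, rest = record.partition("$")
    if scheme == "pbkdf2_sha256":
        iterations, salt_hex, digest_hex = rest.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate.hex(), digest_hex)
    if scheme == "md5":
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, rest)
    raise ValueError(f"unknown record scheme: {scheme!r}")


def verify_and_upgrade(password, record):
    """Check the password; when it is correct and the stored record is weak
    (MD5) or under-parameterised (too few iterations), return a fresh record
    the caller should write back.  Login is the only moment the plaintext is
    available, so it is the only moment a migration can happen.
    Returns (ok, new_record_or_None)."""
    if not verify(password, record):
        return False, None
    scheme, _, rest = record.partition("$")
    needs_upgrade = scheme != "pbkdf2_sha256" or int(rest.split("$")[0]) < ITERATIONS
    return True, (hash_password(password) if needs_upgrade else None)


if __name__ == "__main__":
    old = legacy_md5_record("hunter2")            # constructed legacy row
    ok, replacement = verify_and_upgrade("hunter2", old)
    print("login ok:", ok)
    print("migrated to:", replacement[:40] + "...")
```

The split between `verify` and `verify_and_upgrade` is deliberate: the write-back is a side effect the caller owns, so a read-only code path (an audit tool, a test) can still check credentials without mutating the user table.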



russ: lyles constant
User: goulo
Date: 2013-07-01 09:32 (UTC)
Subject: (no subject)
PS: I just saw this:
http://www.troyhunt.com/2013/07/how-to-build-and-how-not-to-build.html

about a common anti-pattern: websites which foolishly store your password in plaintext in a browser cookie on your machine as a way for you to stay logged in. (Amusingly, one of them seemed to think using Base64 coding would make it sufficiently secure...)

Troy Hunt's blog often has interesting/amusing/scary anecdotes about security incompetence which he runs across and dissects.
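The anti-pattern in the comment above, shown beside the alternative, as an added example that is neither from this thread nor from Troy Hunt's article. The first part demonstrates that Base64 is an encoding, not encryption: a constructed cookie holding `user:password` is read straight back. The second part is the usual remedy for a "stay logged in" feature: the cookie carries an opaque random token, and the server keeps only a hash of that token with an expiry, so neither a stolen cookie nor a leaked table yields the password. The class name, the token size and the lifetime are this example's own choices.

```python
import base64
import hashlib
import secrets
import time

# --- The anti-pattern: a remember-me cookie that is the password in Base64 ---
# Constructed cookie value; base64 of "alice:hunter2".
BAD_COOKIE = base64.b64encode(b"alice:hunter2").decode("ascii")


def read_bad_cookie(cookie):
    """Anything that can read the cookie (the user's own browser, a proxy, a
    backup) gets the credentials back unchanged."""
    user, _, password = base64.b64decode(cookie).decode("utf-8").partition(":")
    return user, password


# --- The alternative: an opaque token, stored server-side only as a hash ---
TOKEN_BYTES = 32                   # 256 bits of randomness per token
TOKEN_LIFETIME = 30 * 24 * 3600    # seconds; example value


class RememberMeStore:
    """Maps sha256(token) -> (user, expiry).  The cookie holds the token; the
    table holds only its hash, so a dumped table cannot be turned into cookies.
    `now` is injectable so expiry can be tested without waiting."""

    def __init__(self, now=time.time):
        self._rows = {}
        self._now = now

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user):
        """Create a token for `user` and return it; this goes in the cookie."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._rows[self._key(token)] = (user, self._now() + TOKEN_LIFETIME)
        return token

    def lookup(self, token):
        """Return the user for a valid, unexpired token, else None.  Expired
        rows are dropped on sight so they cannot accumulate."""
        row = self._rows.get(self._key(token))
        if row is None:
            return None
        user, expiry = row
        if self._now() > expiry:
            self.revoke(token)
            return None
        return user

    def revoke(self, token):
        """Logout / password change: forget the token server-side."""
        self._rows.pop(self._key(token), None)


if __name__ == "__main__":
    print("bad cookie decodes to:", read_bad_cookie(BAD_COOKIE))
    store = RememberMeStore()
    cookie = store.issue("alice")
    print("good cookie carries:", cookie)
    print("server resolves it to:", store.lookup(cookie))
```

Because the token is high-entropy and the table is keyed by its hash, an ordinary dictionary lookup suffices here; the constant-time comparison that password checks need is only required when the secret being compared is low-entropy or attacker-chosen.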



Larry Sanderson
User: lsanderson
Date: 2013-06-29 11:13 (UTC)
Subject: Passwords
I'd rather all healthcare sites allow for complex or simple passwords. I get mad as hell when a pharmacy chain demands a complex password to let me reorder a prescription. (I'd really rather they let me set my own level of security and paranoia.)



Nat S Ford
User: natf
Date: 2013-07-02 19:41 (UTC)
Subject: (no subject)
As someone may have already commented, the most secure password is four unrelated and randomly thought up words strung together and of 16+ characters. You do not need uppercase, lowercase or punctuation. I will try to dig out the reference when I can.