How Do You Know If A Web Site Is Secure?

FoolKiller

New member
Feb 8, 2008
2,409
0
0
Umm... most of you are talking jibberjabber to me.

What I will contribute to the whole matter is that I think the security questions are flawed. I like it when I get to create the question. I already use other stuff to answer them, but it would be better if I got to create the question too.

Square Enix is terrible in this regard. I've had to keep resetting my FFXIV: ARR password because I played at a different household. Same system, different household. Every damn time. I can't keep up with what I've made it at this point.
 

Username Redacted

New member
Dec 29, 2010
709
0
0
Just had to change my password for a site I don't use especially often and I had forgotten that the site broke pretty much every recommendation except that its character range was 8-20 rather than 8-12. It's good to know that the government is at the forefront of internet security. -_-
 

Zombie_Fish

Opiner of Mottos
Mar 20, 2009
4,584
0
0
Another thing I dislike about length limits on passwords is that just because the limit is enforced on one of the password forms doesn't mean that it is enforced on all of them.

I once reset my password on a website, and it turned out that the password entry had a character limit on it and as a result cut off part of my password. Yet the password entry on the login screen didn't have a limit, and thus submitted my full password.

I only figured this out when my account was locked out for too many incorrect logins and I said that I forgot my password. After that, they emailed me my password in plain text (-_-') and I noticed what was up then.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Lightknight said:
The difference in "crackability" of a 14 character password and a 15 character password is in years of processing time and that's only if they don't use the traditional algorithms and brute force measures.

This is because passwords that are 14 characters or smaller are all stored in a hash and broken up into two 7-character parts (easy to crack a 7 character password) but if it's 15 characters or larger then windows does not store the LanMan hash correctly so both segments will be incorrect or null passwords to any decryption utilities trying to crack the LM. That basically ruins brute force attacks.
Umm, ignoring the out-of-date-ness of the advice/article, I'd also want to point out that if any website is using Windows of all things to secure the passwords... well, how should I put it - that must be another entry in Shamus' list.

In addition any advice for "oh, here is how to go around an insecure hashing algorithm" is wrong. Saying "use 15 characters" instead of "FUCKING STAY AWAY FROM IT!" can be called "misleading", if we have to be short, and "actively harmful and counter-productive" for practical purposes.

P-89 Scorpion said:
Don't encourage sites to be even more of a pain just to be able to post on a damn forum!
Encourage how exactly? If anything, Shamus advocates making it easier by removing the nonsensical "security" restrictions. Even then, that's not a new take on it, anyway - anybody dealing with security who is at least half-decent has been advocating the same points for years now. Shamus is bringing these points to the wider public - a good thing if we are to abolish these "security" practices.

Which exact point makes it harder to use websites?

Subbies said:
But aren't passwords written in real words like your second example easily crackable by using rainbow tables?
No, rainbow tables only help with straight hashing - pretty much everybody uses salted hashes. To say these are extremely hard to defeat with a rainbow table is an understatement. An attacker needs both the hashing algorithm AND the hash to generate the table. And since every user has their own hash, then they can't feasibly do it. Even if they were to somehow gain the hashes, they would still need to generate one table per hashed password. Thus, they would need to attack each user separately, which is way more resource intensive than an attacker usually wants to deal with.

Sure, if the attacker targets you specifically (or any other single person) then you (or they) might be at risk. Still, if that's the case, chances are the attacker would most likely go for other attack vectors rather than blow so much CPU power (as well as all the other time and effort needed) to just attack a single password.

ForumSafari said:
The problem is that these factors don't actually determine how secure a website is, they determine how secure the website thinks it is. The most important vulnerability in account driven websites is how the data at rest is stored and secured. Admittedly this isn't stuff you can/should test yourself but it's far more important than how secure your password is.

For example; your password being fully CORRECT HORSE BATTERY STAPLE'd up is of absolutely no use to you if they don't properly encrypt the passwords at rest since an attacker that gets hold of the database can just read them out. In addition if the hashing algorithm is found or derived then it's child's play to reverse the hashing, strip the salt and get the password that way.

That's before we even get into badly validated input or cross-site trickery. None of that encryption means jack if an attacker can overwrite the email field for a record, request a reset and just reset it themselves.
At my university, we had some overly draconian password policies - they had to be really long and not contain anything that would "aid" in brute forcing it - in addition to capitalisations, special characters and length, you couldn't have sequences (123password or abcpassword), nor any word, for that matter. And whoever developed the fucking password validator decided to include all sorts of dictionaries - English, French, Italian, Welsh, Polish, just to name a few. I don't even know how many there were, as when trying to create a password, you just get "entered text contains a word in " - these are just the ones I've hit. And for many of them, I never found out what the word was - it seemed that any time I tried anything with a vowel in it, I'd hit a word in some language or other, so, in the end, the password had to be a long line of gibberish which is really hard to remember. And since you just wasted, like, 15-20 minutes entering various passwords, a few moments later the gibberish would have evaporated from your head.

Setting aside that making the users unable to remember the passwords does not help with security, and that the restrictions actually made the attacks easier (reduced search space), we found another issue with it. Email only used 8 characters. Ever. Even if your password was 20 characters long, if you were logging into your university email box it truncated the input to 8 and everything 9+ was ignored. And you were logged in, if those first 8 characters were correct.

On a separate note, related to websites and security - the user security is one part of security. There are various other attacks that don't rely on the users' actions (e.g., password selection). I'll just use uni again for an example. Or rather, just my time in uni - one relatively well known pizza place came to the town. And they offer ordering over the internet. In the same week, compsci students realised that the website was a joke from a security standpoint - all the data for the order was stored client-side. ALL OF IT. Including the price. So anybody could easily order any amount of pizza for a pound. Or whatever price they wanted, really. It got patched eventually but it still took a couple of weeks.

Even though it's not to do with compromising other accounts, it's just a real-world example of how an attacker doesn't necessarily need to attack other accounts. Exploiting SQL Injection vulnerabilities can bypass even the strongest password, while various bugs can remove the need to login as a specific user at all.
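To put the salted-hash point in the post above into running code: this is an added example, not code from the thread or from any site mentioned in it. It builds a small precomputed table over a constructed wordlist, recovers an unsalted SHA-256 hash with a plain dictionary lookup, and then shows that the same table is useless against per-user random salts, where the attacker has to rehash the wordlist once per user. The wordlist, the user names, the leaked hashes and the PBKDF2 round count are all constructed (the round count is kept low so the example runs quickly).

```python
"""
Precomputed lookup table versus per-user salted hashes.

Added illustration, not code from the thread. Every input here is
constructed: the attacker's wordlist, the leaked hashes, the users.
"""
import hashlib
import hmac
import os

# Constructed attacker wordlist; a real one holds millions of entries.
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "correct horse battery staple"]
PBKDF2_ROUNDS = 10_000   # deliberately low so the example runs fast; use far more in production


def unsalted_hash(password: str) -> str:
    """What a site that 'just hashes' stores: same input, same output, on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Computed once, offline, before any breach; reusable against every unsalted site."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(leaked: dict, table: dict) -> dict:
    """Pure dictionary lookups: zero hashing work per victim.
    leaked maps user -> stored hash; result maps user -> recovered password or None."""
    return {user: table.get(h) for user, h in leaked.items()}


def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_salted_record(password: str) -> dict:
    """Per-user random salt stored beside the hash; the salt is not a secret."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the digest."""
    return hmac.compare_digest(salted_hash(attempt, record["salt"]), record["hash"])


def crack_salted(records: dict, words) -> tuple:
    """No precomputed table applies: the attacker rehashes the wordlist for every user.
    Returns (user -> recovered password or None, number of hash computations spent)."""
    found, work = {}, 0
    for user, rec in records.items():
        found[user] = None
        for w in words:
            work += 1
            if hmac.compare_digest(salted_hash(w, rec["salt"]), rec["hash"]):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Two users with the same password: unsalted, their stored hashes are identical,
    # so the table cracks both with one lookup each (and the match is visible before cracking).
    leaked = {"alice": unsalted_hash("hunter2"), "bob": unsalted_hash("hunter2")}
    print("unsalted:", crack_unsalted(leaked, table))
    users = {"alice": make_salted_record("hunter2"), "bob": make_salted_record("hunter2")}
    print("same password, different stored hashes:", users["alice"]["hash"] != users["bob"]["hash"])
    print("salted:", crack_salted(users, WORDLIST))   # found, but only by paying per-user work
```

The `work` counter is the point: against the salted store the attacker still recovers a weak password that is in the wordlist, but the cost scales with users times wordlist entries and cannot be paid in advance, which is what a precomputed table is for.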
 
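Both truncation stories in this thread (Zombie_Fish's reset form that cut the password short while the login form hashed the full string, and the university mail login above that compared only the first 8 characters) come from the same defect: each entry point applies its own transformation to the password before hashing. The following is an added example, not code from the thread or from any of the sites it mentions. The limits of 12 and 8, the lockout threshold of 5 and the PBKDF2 round count are constructed for the illustration; the hardened version shows the fix, one shared normalisation routine that rejects over-long input instead of silently truncating it.

```python
"""
Inconsistent length handling across forms and services.

Added illustration, not code from the thread. The limits (12 on the reset
form, 8 in the mail system) and the lockout threshold are constructed.
"""
import hashlib
import hmac
import os
import unicodedata

FORM_MAXLENGTH = 12   # reset form's maxlength: extra characters silently dropped
MAIL_MAXLENGTH = 8    # mail login compares only the first 8 characters
LOCKOUT_AFTER = 5
MAX_LEN = 128         # hardened version: a generous limit, enforced by rejecting, never truncating
ROUNDS = 10_000       # deliberately low so the example runs fast


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


class Account:
    def __init__(self):
        self.salt = os.urandom(16)
        self.web_digest = None
        self.mail_digest = None
        self.failures = 0
        self.locked = False


# --- the broken site: each entry point transforms the password differently ---

def web_reset(acct: Account, submitted: str) -> None:
    """Reset page has maxlength=12, so the browser never sends the rest."""
    acct.web_digest = _digest(submitted[:FORM_MAXLENGTH], acct.salt)


def web_login(acct: Account, submitted: str) -> bool:
    """Login page has no limit and hashes the full string the user typed."""
    if acct.locked:
        return False
    ok = hmac.compare_digest(_digest(submitted, acct.salt), acct.web_digest)
    acct.failures = 0 if ok else acct.failures + 1
    if acct.failures >= LOCKOUT_AFTER:
        acct.locked = True
    return ok


def mail_set(acct: Account, submitted: str) -> None:
    """Mail system stores a digest of only the first 8 characters..."""
    acct.mail_digest = _digest(submitted[:MAIL_MAXLENGTH], acct.salt)


def mail_login(acct: Account, submitted: str) -> bool:
    """...and compares only the first 8 at login, so any string sharing that
    prefix with the real password is accepted."""
    return hmac.compare_digest(_digest(submitted[:MAIL_MAXLENGTH], acct.salt), acct.mail_digest)


# --- the fix: one normalisation routine shared by every set and verify path ---

def normalize(submitted: str) -> str:
    if len(submitted) > MAX_LEN:
        raise ValueError("password too long")   # reject loudly; never truncate silently
    return unicodedata.normalize("NFC", submitted)


def set_password(acct: Account, submitted: str) -> None:
    acct.web_digest = _digest(normalize(submitted), acct.salt)


def verify(acct: Account, submitted: str) -> bool:
    return hmac.compare_digest(_digest(normalize(submitted), acct.salt), acct.web_digest)


def scenarios() -> dict:
    """Runs each story on a fresh constructed account and reports what happened."""
    pw = "correct horse battery staple"   # 28 characters, longer than both limits
    a = Account()
    web_reset(a, pw)
    web_attempts = [web_login(a, pw) for _ in range(LOCKOUT_AFTER)]   # the real password fails
    b = Account()
    web_reset(b, pw)
    c = Account()
    mail_set(c, pw)
    d = Account()
    set_password(d, pw)
    return {
        "full_password_rejected_then_locked": (not any(web_attempts), a.locked),
        "truncated_password_accepted": web_login(b, pw[:FORM_MAXLENGTH]),
        "mail_accepts_any_same_prefix": mail_login(c, "correct nonsense"),   # first 8 chars match
        "fixed_accepts_full": verify(d, pw),
        "fixed_rejects_prefix": verify(d, pw[:FORM_MAXLENGTH]) or verify(d, "correct nonsense"),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The practitioner's check is simple: every path that sets a password and every path that checks one must call the same normalisation function, and any maximum length must be enforced by refusing the input, not by slicing it.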

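The pizza site above, as an added example that is not the site's actual code: the vulnerable handler charges whatever total the browser sends, the hardened one accepts only item identifiers and quantities and recomputes every price from a server-side menu. The menu, prices, quantity cap and the tampered request body are constructed for the illustration.

```python
"""
Server-authoritative pricing: trusting the browser's copy of the order
versus recomputing it from a server-side menu.

Added illustration, not the pizza site's actual code. The menu, prices and
the tampered request body are all constructed.
"""
import json
from decimal import Decimal

# Constructed server-side menu; only the server knows the real prices.
MENU = {"margherita": Decimal("8.00"), "pepperoni": Decimal("9.50")}
MAX_QTY = 50


def vulnerable_checkout(body: str) -> Decimal:
    """Charges whatever total the client claims; the line prices are client data too."""
    order = json.loads(body)
    return Decimal(str(order["total"]))


def hardened_checkout(body: str) -> Decimal:
    """Accepts only (item, qty) pairs and recomputes every price on the server.
    Any 'price' or 'total' fields the client sends are ignored entirely."""
    order = json.loads(body)
    items = order.get("items")
    if not isinstance(items, list) or not items:
        raise ValueError("order has no items")
    total = Decimal("0.00")
    for line in items:
        item = line.get("item")
        qty = line.get("qty")
        if item not in MENU:
            raise ValueError(f"unknown item {item!r}")
        # type(qty) is int rather than isinstance: bool is a subclass of int, so
        # a JSON 'true' would otherwise slip through as a quantity of 1
        if type(qty) is not int or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"bad quantity {qty!r}")
        total += MENU[item] * qty
    return total


# Constructed request: the browser's JavaScript has been edited to claim
# that ten pizzas cost a pound.
TAMPERED = json.dumps({
    "items": [{"item": "pepperoni", "qty": 10, "price": "0.10"}],
    "total": "1.00",
})

if __name__ == "__main__":
    print("vulnerable charges:", vulnerable_checkout(TAMPERED))   # 1.00
    print("hardened charges:  ", hardened_checkout(TAMPERED))     # 95.00
```

The rule the hardened version follows is that the client may express intent (which items, how many) but never facts the server already owns (price, total, discount); anything in the latter category is recomputed and the client's copy is discarded.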
ClanCrusher

Constructive Critic
Mar 11, 2010
116
0
0
I think the only program that ever encouraged me to make a password without those stupid upper/lower/symbol/number rules was Guild Wars 2 where they explained the benefits of just using four words you could remember in a sequence. Funnily enough, I still remember that password to this day despite the fact that I haven't written it down anywhere or even played Guild Wars 2 in several months.
 

ForumSafari

New member
Sep 25, 2012
572
0
0
DoPo said:
On a separate note, related to websites and security - the user security is one part of security. There are various other attacks that don't rely on the users' actions (e.g., password selection). I'll just use uni again for an example. Or rather, just my time in uni - one relatively well known pizza place came to the town. And they offer ordering over the internet. In the same week, compsci students realised that the website was a joke from a security standpoint - all the data for the order was stored client-side. ALL OF IT. Including the price. So anybody could easily order any amount of pizza for a pound. Or whatever price they wanted, really. It got patched eventually but it still took a couple of weeks.

Even though it's not to do with compromising other accounts, it's just a real-world example of how an attacker doesn't necessarily need to attack other accounts. Exploiting SQL Injection vulnerabilities can bypass even the strongest password, while various bugs can remove the need to login as a specific user at all.
That's just fantastic. I've seen some pretty majestic fuck ups, like the one you mentioned where a user account is logged in via a client side token and a simple URL edit can take you anywhere because you're logged in, but I've never seen financial data client side.

This is my profession too, I took computing at university and work as a sysadmin, so it's a little galling when people think complex passwords = security. Realistically as long as your password is good enough to prevent:

1. Some random shitlord guessing it whilst you're afk
2. you being in the first ~25% of cracked passwords

then a better password is doing jack all. Most vulnerabilities are security cock ups from the storing of data, proper account encapsulation or service deployment. Things like not properly assigning account rights to the database (our old friend 'GRANT ALL ON *' strikes again), providing cookies that can be easily rewritten or that contain easily read data, not validating input (that still happens in 2015), not encrypting files and, surprisingly common, not preventing users from backtracking up the server's filesystem to files they shouldn't have access to because the admin doesn't understand how to properly secure their web service.

Heck, as you rightly say a complex password is only going to make it harder to remember and the best password in the world is defeated when the user feels the need to write it down on the device.

EDIT: The other biggies are not patching servers in a timely manner, not changing default passwords and not preventing things like root login.

I'd also want to point out that if any website is using Windows of all things to secure the passwords... well, how should I put it - that must be another entry in Shamus' list.
I'm not sure I agree with this though, in my experience Windows services don't seem to have a significantly different attack surface to Linux/BSD services. Heck, IIS seems to be good against, and susceptible to, the same monkey business that Apache is. Windows is easy to get running compared to Linux for newbs so you see a lot of badly configured Windows stuff but I think in the hands of a professional it's probably about as secure to malicious attacks.
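The "backtracking up the server's filesystem" item in the post above is directory traversal, and the fix is a check on the resolved path rather than on the request string. This is an added example, not code from the thread or from any particular web server: the naive handler joins the request onto the web root, the hardened one decodes the request, strips leading slashes, resolves `..` and symlinks, and refuses anything that does not land inside the root. The web root, its files and the request strings are all constructed in a temporary directory.

```python
"""
Path traversal in a file-serving handler: naive join versus a resolved-path
check against the web root.

Added illustration, not from the thread. The web root and files are
constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def unsafe_path(web_root: str, requested: str) -> str:
    """os.path.join does nothing about '..' components and silently discards
    web_root altogether when 'requested' starts with a slash."""
    return os.path.join(web_root, unquote(requested))


def safe_path(web_root: str, requested: str) -> Path:
    """Decode, strip leading slashes, resolve symlinks and '..', then insist the
    result is still inside the root. resolve() follows symlinks, so a link inside
    the root that points outside it is rejected as well."""
    root = Path(web_root).resolve()
    target = (root / unquote(requested).lstrip("/")).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"{requested!r} escapes the web root")
    return target


def serve(web_root: str, requested: str) -> bytes:
    """What a minimal static-file handler would do after the check."""
    return safe_path(web_root, requested).read_bytes()


def demo() -> dict:
    """Builds a constructed tree and records what each handler does with several requests."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "index.html").write_bytes(b"<h1>hello</h1>")
        (Path(tmp) / "secret.txt").write_bytes(b"db password")   # outside the web root
        results = {}
        # The naive join happily walks out of htdocs, URL-encoded or not.
        results["unsafe_reads_secret"] = Path(unsafe_path(str(root), "../secret.txt")).read_bytes()
        results["unsafe_encoded"] = Path(unsafe_path(str(root), "%2e%2e/secret.txt")).read_bytes()
        # The checked handler serves normal files...
        results["safe_index"] = serve(str(root), "index.html")
        # ...and classifies the rest. An absolute request is clamped under the root
        # (where it simply may not exist) instead of replacing the root.
        for req in ("../secret.txt", "%2e%2e%2fsecret.txt", "sub/../../secret.txt", "/etc/hostname"):
            try:
                safe_path(str(root), req)
                results[req] = "inside root"
            except PermissionError:
                results[req] = "blocked"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the check happens on the resolved filesystem path, not on the request text: filtering `..` out of the string misses encoded forms and symlinks, whereas comparing `target.parents` against the resolved root covers both.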
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
ForumSafari said:
I'd also want to point out that if any website is using Windows of all things to secure the passwords... well, how should I put it - that must be another entry in Shamus' list.
I'm not sure I agree with this though, in my experience Windows services don't seem to have a significantly different attack surface to Linux/BSD services. Heck, IIS seems to be good against, and susceptible to, the same monkey business that Apache is. Windows is easy to get running compared to Linux for newbs so you see a lot of badly configured Windows stuff but I think in the hands of a professional it's probably about as secure to malicious attacks.
I didn't mean Windows as in a Windows based application, but Windows as in the OS itself.