Random Passwords in the Wild

Interesting analysis:

the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords-a rare opportunity to study this approach to password security.

Posted on October 20, 2011 at 6:25 AM • 26 Comments

Comments

DanielOctober 20, 2011 7:04 AM

This highlights something I've suspected for a while now. Complex passwords don't really have much benefit for online systems, there are to many other things that can (and do) go wrong and there are other controls which are fairly effective at any sort of password guessing attacks.

Per ThorsheimOctober 20, 2011 7:12 AM

My initial guess would be that this will lower the chances of an successful online attack, but user friendliness is severely lowered, especially if end users are not allowed to change their initial random password.

In most corporate environments users are by default equipped with simple and "standard" passwords, seriously increasing the risk of successful compromise of several accounts, even through limited online attacks.

MarkTOctober 20, 2011 7:12 AM

Given such a high percentage of random passwords, I suspect this was one of those sites that assigns you a password when you register, and most visitors simply don't frequent the site enough or don't have the technical knowledge to go into their account and change it. But at least that means their leaked info won't compromise their accounts elsewhere...

Mike BOctober 20, 2011 7:14 AM

I'll best most of those with random password log in by clicking the "forgot password" button and then having a new random password mailed to them. I guess you can call that a form of single sign-on xD

WillOctober 20, 2011 7:14 AM

@Daniel
Complex passwords on their own are not a defence against unauthorised account access.

But complexity PLUS using random unique passwords for every account is a useful tactic.

Steve JonesOctober 20, 2011 7:16 AM

From the LBT article: "Unfortunately, myBART still emails passwords in the clear if they are forgotten, requiring them to store passwords un-hashed in their database."

Oh dear :-(

SethOctober 20, 2011 7:17 AM

This worries me.

There isn't really any evidence that people 'accept' the randomly generated password. I just expect that the number of users that don't visit the site again after signing up is considerable, or the password entry isn't actually required (e.g. by the 'keep-me-logged-in' cookie approach seen everywhere, or by letting the browser routinely remember the passwords for you). The sum of these groups accounts for the number of unchanged initial passwords...

Even more ironically, even if mass adoption of generated passwords were visible here, it is actually not a sign of a secure site (passwords are being mailed **and stored** in plaintext... also it shows that people will accept a password that they _know_ someone else has had access to (i.e. has generated and sent) - that's the opposite of privacy-awareness if you ask me.

PaeniteoOctober 20, 2011 7:35 AM

@Seth: "it shows that people will accept a password that they _know_ someone else has had access to"

Where's the problem with that?
Obviously, the website operator has access to all passwords that you transmit to the website.

It might even be advantageous to only use their generated passwords, so as to keep them ignorant about your personal password generation strategy...

AlanSOctober 20, 2011 7:59 AM

@Will
"But complexity PLUS using random unique passwords for every account is a useful tactic."

Agreed but then the end-user needs a method to manage all those passwords. These occasional password releases are interesting but I think it would be more interesting to see data on how users manage (or fail to manage) their passwords. Storing and using hundreds of unique, high entropy passwords is a manageable problem with database programs like Password Safe, KeePass, LastPass, etc. but what percentage of people use those type of tools or some other secure, systematic approach?

LeeOctober 20, 2011 8:34 AM

This might be a newbie question (okay, fine, it is, I am) but when we say "randomly generated" does it actually mean that an algorithm was written to produce random combinations of letters and numbers, or does "random" really indicate the users perspective?
Please excuse my very limited understanding of this process, but it seems that if the initial algorithm (or formula) can be conceived, is it possible that a pattern could still be detected, and a clone algorithm reverse engineered?
(Please take it easy on me. ;-)

PaeniteoOctober 20, 2011 8:51 AM

@Lee: "an algorithm was written to produce random combinations of letters and numbers"

This is what 'randomly generated' commonly means.

As to reverse-engineering the algorithm, there's commonly no need for it as they are open source.
And if the algorithm is worth its salt (pun intended ;-), knowing even a few million passwords generated from it does not give you a clue about the password that will be generated next.

steve kOctober 20, 2011 9:45 AM

Different sites have different privacy demands from the user's point of view. I don't care if a site like a transit schedule site has my password and stores/sends in cleartext because they store nothing personal about me except, possibly, my origin station of preference. The fact that the passwords are generated by them protects me from the common-password problem.

Other sites with more important info such as frequent flyer (medium) or banking (high) are where good practices are essential.

By the way, I have a unique, complex password for every site, managed by lastpass. Steve Gibson has a great [archived] podcast on that product and how it works.

AppSecOctober 20, 2011 10:15 AM

@Steve K

the problem is, if it is allows users to change it then there's a great chance users are using the same password elsewhere.

Yes, I know the recommendation is to use different passwords everywhere, but please, do you really think that *if* the majority of people are using different passwords that they are that significantly different?

Yes, there are a lot of tools out there for end users to use, but how many do you realistically believe use them?

The group that reads this blog is small (I use KeePass, used to use PasswordSafe, but I couldn't get it approved at my last job because the guys in the info sec group were keen on KeePass, go figure) in comparison to the majority.

So.. any site that stores passwords in a clear is a problem site.

-bOctober 20, 2011 1:58 PM

Two things:

1. Password Haystacks
2. Latin Squares (as in Off The Grid passwords)

3 (Our three primary weapons are): TNO (Trust No One)

gascheOctober 20, 2011 2:00 PM

Paeniteo:
> Obviously, the website operator has access to all passwords that you transmit to the website.

That's not the case if the authentification scheme involves client-side key generation from a master password. The website operator still has access to the identification token, but not the "password"; which is good if you want to use a password already used somewhere else.

Of course, such client-side key generation schemes are difficult to implement, because they require client-side technology, and for that reason, not necessarily more secure in practice, e.g. if they allow a silent fallthrough to a server-side hashing mode. You could consider, however, that client-side "key stores" are a per-user implementation of this system..

Pat St-ArnaudOctober 20, 2011 8:06 PM

Daniel, I would agree with you. The usefulness of a complex password is greatly reduced as well if you use it everywhere, as was seen with Lulzsec datadumps earlier this year.

If all you need is a single leak somewhere to make you vulnerable everywhere, if feels far worse than a potentially weak password being cracked on one site, but the rest remaining secure.

I like the prefix-root-suffix method best myself; easy to generate, easy to retrieve even when forgotten, and as long as you do not share the details, as safe as anything random.

Dirk PraetOctober 21, 2011 11:15 AM

Actually, it's not that rare an opportunity. Subscribing to the Twitter feed of @pastebinleaks generates a daily stream of user/password databases to toy about with.

Although many of the portals, blogs, CMS's and the like indeed use randomly generated passwords for newly registered users, it is outright amazing that so many are still stored in clear text and when hashed without a salt.

And for all practical purposes, the site owners and administrators don't even seem to care that much about the security and privacy of their users and data. A while ago, I came accross a password database from @pastebinleaks that I managed to trace back to the website of a religious organisation here in Belgium. I actually sent them an email explaining they had been hacked and compromised. Much to my surprise, they didn't even bother to reply and for all I know they're still a sitting duck.

dobOctober 21, 2011 12:16 PM

Consider the user population here before extrapolating to the rest of the world. BART serves the San Francisco Bay Area, so the population is already skewing somewhat geeky. MyBART serves the frequent rider population with constant email access, skewing the membership much further into the geeky end of the distribution. I would venture to guess that many of these users are very tech savvy and are using 1Password or some other secure password storage to generate random passwords for each site.

bobbyOctober 21, 2011 2:07 PM

@mike B i think that would be a one time password and not sso. Problem is that it doesn't expire till your next visit so can be hijacked

RogerOctober 21, 2011 6:40 PM

The stuff posted by "Anonymous" is pretty lame: some email addresses, and some passwords, most of which are not usable anywhere else and probably were never used at all.

myBART may have had weak security, but it didn't really need strong security. Apart from the password list itself, everything on the site is totally open.

And in a rare but commendable concession to common sense, myBART has decided to upgrade security by no longer requiring logins at all. Now there will be nothing at all on the site to steal.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..