Password Security at Linode

Here's something good:

We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers.

And this:

Some of you may have noticed a few changes to the Linode Manager over the past few weeks, most notably that accessing your "My Profile" and the "Account -> Users & Permissions" subtab now require password re-authentication.

The re-authentication is meant to protect your contact settings, password changes, and other preferences. The re-auth lasts for about 10 minutes, after which you'll be asked to provide your password again on those sections of the Linode Manager.

It's nice to see some companies implementing these sorts of security measures.

Posted on April 18, 2012 at 1:30 PM • 27 Comments
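The announcement names three mechanisms without saying how they fit together. The following Python sketch is an added example, not Linode's code (their implementation is not shown on this page): it keys everything on the remote address, applies a doubling delay after each failure, holds a lock per address so only one attempt from that address is ever in flight, and tarpits an address that keeps failing. The parameter values (1 s base delay, 30 s cap, tarpit after 10 failures, one-hour tarpit) are illustrative assumptions, as is the constructed sample traffic.

```python
"""Added sketch of login brute-force protection: failure delays, one attempt
in flight per remote address, and a tarpit for persistent attackers."""
import threading
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple


class LoginGuard:
    """Throttle login attempts keyed on the remote address.

    - Each failed attempt from an address doubles the delay applied to the
      next one (capped at max_delay).
    - A lock per address means only one attempt from that address is in
      progress at a time: parallel connections queue up behind each other.
    - After tarpit_after failures the address is tarpitted for tarpit_ttl
      seconds: every request is held for max_delay and rejected without
      the password being checked at all.
    All parameter defaults are illustrative assumptions, not Linode's values.
    """

    def __init__(self, verify: Callable[[str, str], bool],
                 base_delay: float = 1.0, max_delay: float = 30.0,
                 tarpit_after: int = 10, tarpit_ttl: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self.verify = verify          # checks (username, password) against the store
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.tarpit_after = tarpit_after
        self.tarpit_ttl = tarpit_ttl
        self.clock = clock            # injectable so the behaviour can be simulated
        self.sleep = sleep
        self.failures: Dict[str, int] = defaultdict(int)
        self.tarpit_until: Dict[str, float] = {}
        self.locks: Dict[str, threading.Lock] = defaultdict(threading.Lock)
        self._locks_guard = threading.Lock()  # protects the locks dictionary itself

    def _lock_for(self, addr: str) -> threading.Lock:
        with self._locks_guard:
            return self.locks[addr]

    def delay_for(self, addr: str) -> float:
        """Seconds the next attempt from addr will be held before being checked."""
        n = self.failures[addr]
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def is_tarpitted(self, addr: str) -> bool:
        until = self.tarpit_until.get(addr)
        if until is None:
            return False
        if self.clock() >= until:          # tarpit expired: start afresh
            del self.tarpit_until[addr]
            self.failures[addr] = 0
            return False
        return True

    def attempt(self, addr: str, username: str, password: str) -> bool:
        with self._lock_for(addr):         # forced single threading per address
            if self.is_tarpitted(addr):
                self.sleep(self.max_delay)  # hold the connection, then refuse
                return False
            delay = self.delay_for(addr)
            if delay:
                self.sleep(delay)
            ok = self.verify(username, password)
            if ok:
                self.failures[addr] = 0
            else:
                self.failures[addr] += 1
                if self.failures[addr] >= self.tarpit_after:
                    self.tarpit_until[addr] = self.clock() + self.tarpit_ttl
            return ok


def simulate_guessing(n_guesses: int, addr: str = "198.51.100.7") -> Tuple[float, bool]:
    """Run n wrong guesses from one constructed address against a fake clock and
    return (total seconds the guesser was held, whether the address is tarpitted)."""
    slept = []
    now = [0.0]

    def fake_sleep(seconds: float) -> None:
        slept.append(seconds)
        now[0] += seconds

    guard = LoginGuard(verify=lambda u, p: p == "correct horse",
                       clock=lambda: now[0], sleep=fake_sleep)
    for i in range(n_guesses):
        guard.attempt(addr, "alice", f"guess{i}")
    return sum(slept), guard.is_tarpitted(addr)


def max_concurrent_attempts(n_threads: int, same_address: bool = True) -> int:
    """Launch n parallel attempts and report the peak number of verify() calls
    running at the same time. From one address the per-address lock keeps it at 1."""
    active, peak = [0], [0]
    counter_lock = threading.Lock()

    def verify(username: str, password: str) -> bool:
        with counter_lock:
            active[0] += 1
            peak[0] = max(peak[0], active[0])
        time.sleep(0.02)                   # stands in for real password hashing work
        with counter_lock:
            active[0] -= 1
        return False

    guard = LoginGuard(verify, base_delay=0.0, sleep=lambda s: None)
    threads = []
    for i in range(n_threads):
        addr = "203.0.113.5" if same_address else f"203.0.113.{i}"
        t = threading.Thread(target=guard.attempt, args=(addr, "alice", "x"))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()
    return peak[0]


if __name__ == "__main__":
    print("10 guesses cost the guesser", simulate_guessing(10), "(seconds held, tarpitted)")
    print("peak parallel checks from one address:", max_concurrent_attempts(8))
```

Keying on the remote address alone is the simplest reading of the announcement, but it means everyone behind a shared NAT address is delayed together; a deployment would usually combine the address with the target account, and the verification step itself should be a slow salted hash rather than a plain comparison.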

Comments

Carl 'SAI' Mitchell • April 18, 2012 1:46 PM

It depends on how they are doing the time delay. If it's in their software, then a dump of the database of hashed, salted passwords is still rather easy to brute force. If they have used key strengthening measures (hash it a million times or so, for example) then it's much harder to brute force.

David • April 18, 2012 1:54 PM

@Carl:

No, it doesn't depend - it's good practice. Hopefully they are using key-strengthening measures *as well*.

Jeff • April 18, 2012 2:11 PM

Carl: If you hash passwords a million times, every login attempt must take about half a second of CPU time, which introduces an easy way for an attacker to DoS the site with very little bandwidth.

Why is it a website's responsibility to compensate for poor passwords anyway? If you just add three random characters to your password, that gives the same ~1 million times increase to the cost of brute forcing, with almost no added computational cost for logging in.

If there is really a need to protect people from themselves, then maybe websites should just stop letting users pick their own passwords, and instead force them to use passwords generated by the server.
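Carl's point about key strengthening and Jeff's cost comparison can both be checked with a small added Python example (not code from the post, from Linode, or from either commenter). It stores passwords as salted PBKDF2-HMAC-SHA256 (a standard iterated construction chosen here as the "hash it many times" measure; the `pbkdf2_sha256$...` storage string is my own format), verifies them in constant time, and expresses an iteration count as the number of extra random printable-ASCII characters (95-symbol alphabet, an assumption) that would cost an offline attacker the same amount of work.

```python
"""Added example: salted, iterated password hashing with a work-factor
calculator for the stretching-versus-longer-password trade-off."""
import hashlib
import hmac
import math
import os
import time
from typing import Optional

PRINTABLE_ASCII = 95  # assumed alphabet size for "random characters"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means a leaked table cannot be attacked with
    precomputed hashes, and the iteration count is stored so it can be raised
    later without invalidating existing entries."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def stretching_bits(iterations: int) -> float:
    """Work added by iteration, expressed as equivalent password-entropy bits."""
    return math.log2(iterations)


def extra_chars_bits(n_chars: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy added by appending n uniformly random characters to a password."""
    return n_chars * math.log2(alphabet_size)


def equivalent_extra_chars(iterations: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """How many random characters buy the same attacker work as this iteration count."""
    return stretching_bits(iterations) / math.log2(alphabet_size)


def login_cpu_seconds(iterations: int) -> float:
    """Measure what a single verification costs the server at this iteration
    count: the price the site pays on every login, which is Jeff's concern."""
    stored = hash_password("correct horse battery staple", iterations)
    t0 = time.perf_counter()
    verify_password("correct horse battery staple", stored)
    return time.perf_counter() - t0


if __name__ == "__main__":
    record = hash_password("hunter2", 1_000_000)
    print(record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print(f"1e6 iterations ~ {stretching_bits(1_000_000):.1f} bits "
          f"~ {equivalent_extra_chars(1_000_000):.2f} random printable characters")
    print(f"one login at 1e6 iterations: {login_cpu_seconds(1_000_000):.3f} s CPU")
```

The numbers bear out Jeff's arithmetic: a million iterations add about 19.9 bits of attacker work, and three random printable characters add about 19.7, but only the iterations are paid for by the server on every login, which is why real deployments pick the largest count the login path can afford rather than the largest imaginable one.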

Joshua • April 18, 2012 2:39 PM

@Jeff: And when the website gives a gibberish password that can't be remembered, it gets written on a sticky note and stuck on a monitor.

NobodySpecial • April 18, 2012 2:48 PM

@Joshua - that's not necessarily a bad thing.

Threat model for a website = some distant hackers get a dump of the passwd DB and start brute forcing it. They are unlikely to find a post it note on my monitor.

Threat model for my phone = need to have my phone, so a short pin held in my head is fine.

Thunderbird • April 18, 2012 3:34 PM

> @Joshua - that's not necessarily a bad thing.
>
> Threat model for a website = some distant hackers get a dump of the passwd DB and start brute forcing it. They are unlikely to find a post it note on my monitor.

Actually another threat is "website gives me gibberish password I can't remember--I'll just use a competitor's website."

John David Galt • April 18, 2012 3:58 PM

I don't know what service Linode offers, but it seems to me that such precautions should always be left up to the individual account owner. Otherwise you get counterproductive results such as forcing people who don't own a computer (and thus always login from public sites) to write down their password and "security question" answers and carry them around with them.

Similarly, I do not appreciate sites which disable the "remember password" feature in my web browser at home. Even if a burglar stole my computer, it's full-disk encrypted with TrueCrypt; all he could do with it is to install a new operating system from scratch.

If site owners are finding it necessary to be this difficult just to avoid losing lawsuits brought by idiot customers, it's because we've gotten so infested with lawyers it's time to call the Orkin man.

Jim: "automatic tarpitting" means once an attacker's site is IDed and added to a blacklist, all future login attempts from that site (presumably defined by its IP address) will fail with a message like "password wrong," even if they happen to supply a correct ID and password.

Curby • April 18, 2012 4:14 PM

Keep in mind that none of these new features requires non-memorable passwords. Server-generated passwords were something that Jeff suggested in his comment; not something being done by Linode.

No one is forcing Linode to implement better security, and you can argue about responsibility all day long, but I'm with Bruce: I'm glad that companies are doing such things. It seems like some commenters here are protesting against such progress. You really can find everything on the Web.

Thunderbird • April 18, 2012 5:30 PM

ok so what is "automatic tarpitting"?

Briefly, slowing request handling down progressively based on how suspicious it appears: Wikipedia entry.

As for my earlier post, I too applaud web sites doing smart things. I was just commenting on the idea of forcing users to have auto-generated passwords.

David • April 18, 2012 6:39 PM

@Jeff re protecting users from themselves.

A server that I use for mail etc., deals with protecting its users from themselves by regularly attempting dictionary and bruteforce attacks upon its own password file. Any passwords that get broken get expired (forcing a change next login) and the user gets a (mostly polite) email explaining why their password was expired and how to avoid it happening again.

Mike Rose • April 18, 2012 6:43 PM

I've been a customer of Linode for years now; their approach to security is what became the deciding factor in me going to them in the first place. I would recommend anyone needing VPS or hosting to at least give them a looksee, I have nothing but praise for them.

It's sad day when we're giving special mention of a site that's just simply adhering to security best practice, but coming from a customer, it's much appreciated!

HybridAU • April 18, 2012 7:49 PM

@John David Galt; I suspect that disabling the remember password for your browser is to prevent the much more likely* threat of malware somehow making it onto your computer and sending all your saved passwords back to some C&C server. Full disk encryption does nothing to prevent that. As you say TrueCrypt full disk I'm going to assume Windows so your OS has a lot of malware floating around. It is trivial to recover all the passwords saved in the 4 major browsers with their default settings.

Personally I don't like and disable the save password feature on any browser I use. I think that if users want to save their password they should use a tool like KeePass.

*Perhaps not in your case but certainly for most of their customers malware is more likely than burglary.

Glenn Maynard • April 18, 2012 8:35 PM

Rather than sophisticated, this just sounds naive.

Often, huge numbers of people are behind a single IP. Some ISPs and most mobile carriers use NAT, putting large numbers of customers behind a single IP. This means delaying login attempts based on IP will cause problems, and allow one customer to make it hard for any other customers on that address to log in.

Delaying it based on user account, rather than IP, means an attacker can DoS a user's account by attempting passwords on it repeatedly.

Delaying it based on user account and IP tuples doesn't work, either--if you have access to a lot of IPs (e.g. through a botnet), then it's trivial to defeat this outright.

Delays don't work. The only approach I've seen which can work is captchas, as Google uses after a couple failed login attempts; that way, the worst typical scenario is users being shown a captcha, rather than not being able to log in.

> Some of you may have noticed a few changes to the Linode Manager over the past few weeks, most notably that accessing your "My Profile" and the "Account -> Users & Permissions" subtab now require password re-authentication.

Amazon has done this for a long time, requiring reauthentication to access things like your order history.

(It's 2012. I don't suppose we can get a bigger comment box by default?)

Don • April 18, 2012 9:01 PM

Neat but too late as Linode's crap security allowed hackers to steal $200k+ of bitcoins a few months ago. See story on slashdot.

Perseids • April 19, 2012 1:15 AM

@HybridAU
What's wrong with the browser integrated password managers? As far as I can see they have basically the same attack vectors. Though Firefox's password derivation function is a bit too fast for my taste.

Adam • April 19, 2012 3:07 AM

@Don, Linode played its part in this but the real issue is that until fairly recently the standard Bitcoin client didn't even bother to encrypt its wallet. So whichever way thieves got the wallet.dat once they have it the money is as good as gone. The code throughout the client was pretty bad the last time I looked through it though I assume password protection is part of some broader effort to secure it.

don • April 19, 2012 7:30 AM

@adam the real issue is that linode was insecure. Even if the wallet.dat was encrypted they could still have decrypted it since the software running on the server necessarily had the password to it to interact with it.

If the server had contained CC numbers, then this would have been the same problem. linode is at fault here.

Jimmy • April 19, 2012 7:34 AM

Is this an unusual marketing way of saying SRC IP Filtering, so only pre-defined src addresses can authenticate?

"forced single threading of log in attempts from a given remote address"

Les • April 19, 2012 7:44 AM

Delaying logon attempts just makes sense.

Humans won't notice if it takes one second more to log on, but password cracking software becomes so slow as to be ineffective. Any reasonably secure password should take hundreds of years to crack by brute force at one attempt per second.

There are ways around this, of course, but delaying attempts is literally the least you can do.

Actually, salting/hashing passwords is the least you can do, but time delays are next on the list.

Nick P • April 19, 2012 8:36 AM

Now they need to focus on the availability aspect of their site design. I just spent 30 seconds each trying to load both the "home" and "why linode" links. I gave up after 30s.

Mark Currie • April 19, 2012 12:01 PM

Webservers had to employ hardware accelerators to speed up the digital signatures for HTTPS connections. Why can't they employ GPU's to allow them to do multiple hashes on passwords?

@Jeff - reducing the user's password by 3 random symbols is a lot for most people and multiple hashing also makes building rainbow tables impractical.

Mark R • April 19, 2012 1:57 PM

@Jimmy:

An automated cracker might open several connections to the web server in order to make multiple attempts simultaneously.

I took "single threading" to mean that only one authentication attempt per user name will be processed at a time; this would significantly slow down the automated tools.

James Sutherland • April 21, 2012 5:05 PM

I've been very impressed with Linode's security facilities. I can *optionally* set it so any access from a new IP address requires me to retrieve a nonce from email before logging in - so in my case, with very few endpoints, it helps; another user with different needs can turn that off.

I've had that server since 2004, same IP, same price - 8 times as much RAM and disk as I started with, rebooting roughly once a year as needed for major changes (usually extra RAM/disk, I tend to update the kernel at the same time). Problems? A massive DDoS took out a 10G pipe somewhere near them, so I had packet loss for a while ... a reboot due to a big power outage ... in several years. Much, much better than I've had with Amazon EC2, certainly.
