The question for us, as technologists, is what are we doing about this?
2FA is nice, but not the end all, be all. OAuth has largely failed to gain any reasonable traction. Using Facebook login means Facebook gets to track me as I move around the web.
Our users reuse passwords, primarily due to the proliferation of dozens or often hundreds of online accounts that a single individual has. We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure). Forcing people to use crazy passwords just results in weaker passwords.
I was hopeful that something like persona from Mozilla would catch on, but that has failed. Where are we with replacing the password? It is flawed technology.
On top of this we have the compounding factor that our systems are more complicated than ever and it appears that they're simply impossible to secure. Too many layers exist with too much code. Many sites just don't bother with even hashing passwords, meaning those of us that care are just kind of throwing our hands up and saying "well it wasn't my site that was compromised, so it isn't my fault". All the while, bad guys walk in the front door because we've decided to ignore the reality of the situation.
I know I'm not providing a constructive alternative here, but I'm a bit ashamed that we've even let it get this far. We're failing those that rely on our systems. I don't have the answer, but would love to hear some ideas about what can be done.
However I think you have captured something essential in the idea that Mozilla Persona "failed to catch on", and it wasn't, as far as I can tell, for technical reasons.
The real problem is that any change from the username/password system has a cost (in programmer hours, and support retraining, etc.) and so long as "nothing is broken" it is hard to justify diverting funds from features that are customer-visible to providing a defense against an attack that is arguably the user's fault anyway (password re-use).
To me this issue is sort of a monument to the strange insincere lipservice we pay to technology and technologists. Of course technology is business-critical and of course we work to hire the best and brightest, etc. But somehow organizations keep storing passwords in plain text in spite of the fact that engineers who work there know better.
This idea SERIOUSLY needs more attention, Steve is basically presenting a complete blueprint for how to do web login security right on everything from smartphones to desktops. A startup could run this implementation-wise and if the hype was right it could be a massive hit.
It is our job to explain to the business what the value is. It is our job to convince them of the value.
I know this can be hard/impossible in some situations. I've lost those battles for things that are much more trivial than replacing large parts of the authentication system. However, if you keep beating that drum and take any opportunity to push that goal, you can sometimes create the time to work on something like this.
Are your customers requesting some kind of compliance (SSAE or something of the like)? Use that as leverage. See the recent news (or not so recent higher profile Sony hack news)? We should really address some of our shortcomings.
The problem then becomes, what is the market pushing towards so that you can help push that forward. Right now there isn't a clear answer, solutions keep dying on the vine.
I've bought 1Password for everyone in my family, and nagged them into using it. I console people online to do the same, or use keepassx, or last pass.
It's not effortless security, that's for sure. In a perfect world we would have a better system than passwords. But we live in a world of compromises, and I feel it's presently the wisest course of action.
It would be a great start if sites that don't actually require an account to get the job done would stop asking you to create one. For instance, most e-commerce transactions where you buy a single item still require you to register with the store. That's like having a loyalty card forced upon you because you tank gas somewhere.
Usually I just want to buy the item, not become 'a member'.
> I was hopeful that something like persona from Mozilla would catch on, but that has failed.
I talked with two people from Mozilla at a conference in February and was disappointed (though not altogether surprised) to discover they couldn't articulate the compelling reason why someone would move to using Persona. For something to mainstream, the marketing, positioning and ease-of-use is crucial. They had no answers other than 'privacy' and 'ease of use' -- which while valid, aren't going to convince my aunt & uncle to adopt something new. Until they've been hacked, scammed and otherwise suffered pain.
Just throwing this out there but when signing up for sites while using Safari, Apple gives me the option of using a (Apple generated) random password that is stored to my keychain and synced to my iCloud account. This means both of my MacBooks, my iPhone, and my iPad all have access to these sites with no effort on my part (I never could remember my passwords) while also being random and secure(-ish?).
All that is needed is a service (Microsoft, Google, Apple, Facebook) that you trust as your password manager and is integrated either with the sites you browse or the browser you use.
Having read Apple's iOS security document (http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.p...) I have just the right combination of convenience, ease of use, and feeling secure with their services to use keychain for most of my password needs.
Awkward time to bring up iCloud as a potential SPOF for users' security. Apart from technical flaws in the service (and any cloud service is likely to have one eventually), cryptographer Matt Green (on his twitter feed) has pointed out that Apple chose some poor defaults, particularly the use of people's phone password as default for cloud storage. Quoth Matt, "Of course people pick terrible iCloud passwords. You can't enter a good password 50x per week on a mobile device. You'll go carpal." (In subsequent tweets, he acknowledges that password caching would help with this, but says he had to turn it off after his kids ran up a $200 bill.)
Of course, it's not clear that password brute-forcing was what led to the recent leaks of celebrity nude selfies, and not even completely clear that they came from iCloud (though a lot of clues point that way). But regardless, they do illustrate the risks of relying on cloud storage generally, regardless of who provides it.
Sorry, but there's no way I'd allow any cloud service to hold my password vault, and recommending it to end users seems like a colossally bad idea.
I'd want at least two layers of different encryption types (generated by distinct software) protecting any such file if it were to be stored in the cloud. That way if one software package or one encryption algorithm were compromised, there would at least be a chance the other layer would protect it.
So at the moment I put my vault on my laptop and copy it directly to my phone, but I don't copy it into the cloud, ever.
I might consider using something like SpiderOak [1] in conjunction with a Keepass encrypted container, for instance. But I haven't even done that.
What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password. Then in response, most sites would set a cookie. To change the password, you could have a second header that has the new password, along with the original. No usernames needed. The browsers would have a global password for cases of shared computers. Log out buttons on sites just remove the cookie. Or without cookies, just have the browser send the auth header each time until a native log out button is pressed.
>> We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure).
> What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password.
You essentially describe a password manager with deterministic password generation. It has all the upsides and downsides of a regular one, except migrating passwords is harder (you need to change them instead of storing them).
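The scheme proposed two comments up, and the reply's objection that such a manager cannot "migrate" a password without changing it, are easy to make concrete. The following is an added example written for this page, not any browser's or project's implementation: a hypothetical per-domain derivation with a rotation counter, so that a site which forces a password change is handled by bumping the counter rather than by storing anything. The salt, the iteration count, the alphabet and the crude host normalisation are all assumptions of the example (a real implementation would normalise hosts with the Public Suffix List).

```python
import hashlib
import hmac
import unicodedata
from urllib.parse import urlsplit

# Hypothetical character set; chosen so the output fits most sites' rules.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
# Assumed constants for this example, not from any real product.
SALT = b"example-deterministic-pm-v1"
ITERATIONS = 200_000


def registrable_domain(url: str) -> str:
    """Crude host normalisation for the example: lowercase, strip a leading
    'www.'. Without normalisation, example.com and www.example.com would get
    different passwords, which is a usability bug in this kind of scheme."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def derive_password(master_secret: str, domain: str, counter: int = 0,
                    length: int = 20) -> str:
    """Derive a site password from the master secret.

    The master secret is stretched once with PBKDF2; the per-site step is a
    cheap HMAC chain so a leaked site password gives an attacker nothing to
    reverse towards the master key. `counter` is what makes rotation possible:
    a forced change on one site means storing (domain, counter+1), nothing more.
    """
    normalised = unicodedata.normalize("NFKC", master_secret).encode("utf-8")
    stretched = hashlib.pbkdf2_hmac("sha256", normalised, SALT, ITERATIONS, dklen=32)
    info = f"{domain}\x00{counter}".encode("utf-8")
    # Rejection sampling: a byte is only used when it is below this limit, so
    # `byte % len(ALPHABET)` is uniform instead of biased towards low symbols.
    limit = 256 - (256 % len(ALPHABET))
    chars, block, i = [], b"", 1
    while len(chars) < length:
        block = hmac.new(stretched, block + info + bytes([i]), hashlib.sha256).digest()
        i += 1
        for byte in block:
            if byte < limit:
                chars.append(ALPHABET[byte % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


def site_password(master_secret: str, url: str, counter: int = 0) -> str:
    """What the browser would send in the hypothetical auth header."""
    return derive_password(master_secret, registrable_domain(url), counter)
```

The counter is the part that has to be persisted somewhere, which is the point of the reply above: the moment one site needs a different password than the derivation gives, the "stateless" manager has state again, and syncing that state across devices is the same problem an ordinary vault has.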
All the security measures usually presented (including here) are completely unrealistic - no one can use different, complex passwords on every site we log into, and then change them every month!
The only way to do this would be to use a password manager in an Saas mode... and if it gets cracked then you're completely doomed and lose all access to all services.
People probably assume that the time saved by not caring about security is greater than the time they will lose if (when) they're attacked, and they may be right.
keepassX seems to be a local application: how do you use it on mobile, or when you're not at home?
Also: if the database gets corrupted, you lose access to all services; if you have backups then it's a little less safe; if the main password for the database is strong you may forget it (or need to write it down somewhere outside the system); if it's not strong it's not safe.
There are mobile clients for KeePass databases. So you just need to keep a copy of your database on your phone. That's extremely easy to do with syncing data apps like SpiderOak.
You still have to do it manually I think. Having a standardized API to change passwords (a "Rotate all my passwords" buttons) would be nice, but potentially a huge step forward in automating password attacks.
Whatever the solution is, it needs to allow remote permits. e.g., I need to be able to grant an employee access to my NameCheap account for client work purposes.
I don't think there's anything wrong with user-names and passwords in concept. It's familiar to users and easy to implement. Users need to create better passwords and we need to help them do it.
Don't impose any restrictions on what the password should be, e.g. "Must not contain any special chars. Must contain a number..."
Use the word "pass phrase" instead of "password". Encourage people to use memorable phrases and quotes as their pass phrase. The English language has approx. 250,000 words. If a pass phrase contains 4 words, that's 1.62764322e+20 permutations. That's a naive view since "habit osteopath circumference telephone" isn't a particularly memorable password. With this in mind, you could use statistics to reduce the number of permutations, but that's no small feat.
OT, but why is that providers like Namecheap implement 2FA but not organizational team support?
If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.
I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.
Without a clean separation, you turn employees into single points of failure. Shared account credentials is a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.
Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.
You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.
Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?
I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?
Also, is there a plan to upgrade the internal tools that don't match the newer public design? It's pretty jarring.
At least with gandi, you can keep the barcode of the 2FA seed around (or the text seed) and set up new devices with it. We use Gandi and everyone with access uses Google Authenticator with the same 2FA seed.
I use Gandi as well and I've noticed that you can have 4 separate accounts with access to yours, the different domain contacts each can be separate accounts.
My phone often has no service, which would make 2FA with you a roadblock. Please consider using Google Authenticator for generating the code, instead of sending a text or voice call.
I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).
For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.
This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.
I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.
We're rolling out Google Authenticator support sometime in the fall. I know SMS can be a pain sometimes but we definitely recommend having it enabled, regardless.
If you simply sent the SMS as soon as someone enters their login credentials instead of requiring another button to be pressed, it would make your system a bit less annoying.
Unfortunately, your 2FA is unusable for me. I have pretty bad cell phone reception in my home and cannot receive the SMS messages.
Also, it's unusable for anyone that travels outside their home country and cannot receive SMS messages.
We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere and when my Namecheap domains come up for renewal I'm just transferring out.
I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?
Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?
Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!
Hi, did you turn on (or can you) selective forensic logging from the IP addresses you believe are attacking, logging username/password pairs? AFAIK the list in question isn't public, it would be nice to see if there was a pattern (to uids and/or uid:password pairs) -- that might be turned into an IDS rule? (failed login for user: alfa, followed by user beta, followed by... -> block/flag originating IP etc)
Two-factor authentication via SMS is the biggest waste of time. It's not true two-factor authentication as you need to depend on the network and protocol between Namecheap and my phone. Not to mention the code is probably not originating from a Namecheap server but from a third-party service.
TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.
I don't think you understood my comment. SMS is not something "you have". You have your phone, the SMS is sent (presumably from namecheap, or from a third party service) through the network and arrives at your phone.
This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.
If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.
Therefore, SMS "two factor" is not only costly and annoying, but ineffective.
As to why it may be on-topic here: the activity reported by NameCheap in the OP lines up pretty well with the reports of a large collection of compromised accounts in the hands of a criminal group.
Teddy, I'm a Namecheap user (over 30 domains and a bunch of SSLs) and what really concerns me is that I find out about this security issue via hacker news, instead of being sent an email. This is not how you communicate with customers when these types of security issues arise.
Agreed -- it would be a great service to customers without 2FA enabled to inform them all directly that this is in-progress, not just the ones whose accounts have already been successfully accessed.
I know you wouldn't want to provoke panicked overreactions, or risk customers thinking that this indicates a flaw in NameCheap's security, but direct contact is essential for this kind of ongoing attack.
> continue to update our customers through our blog and social media
I'm not sure what percentage of your customers this will actually reach, but surely not a majority (certainly not me, anyway).
We take these issues very seriously and always try to get the word out about as quickly as possible. We emailed everyone that was affected this morning and continue to update our customers through our blog and social media.
Which is not something people should expect an email about.
At last count, I have several hundred logins with various online services. I do not want a note every time one of them is subject to a dictionary attack, no matter the scale.
As someone who runs an online game we find that a huge percentage of our users arrive pre-compromised.
Vast quantities of people wander around from site to site using the same email/password combo that has been compromised a long time ago.
We do a GeoIP check now and send an email with an unlock code any time someone logs in from a different city than last time. This reduced the account compromise problem significantly. Most of these pre-compromised people have a different password on their email at least.
As someone who plays online games, I get really, really annoyed when I'm forced to create a password to log in.
ALL non-secure online sites that need to identify users should allow for Google or Facebook authentication, or I will never try to access the game from my phone or tablet.
I refuse to use the same password everywhere, but that means I have a password vault on my computer. If I need to create a password and I'm on my phone, I simply click "close" (and uninstall if necessary). I sympathize with those "precompromised accounts," given that it's such a user interface failure (not to mention arrogant) to require a new password for every single little service/game/whatever.
OTOH, if I can "login with Google" and/or Facebook, both of those are already authenticated on my phone, and through the magic of OAUTH I can securely connect to your game without needing to generate a password. Certainly having the OPTION to create a password is fine; there will be people who hate Google/Facebook/whatever and who won't use them. But not having the option is an instant fail for me.
Not saying you're doing it wrong, since I don't know what game you're talking about, but I've certainly encountered many games that have no OAUTH options.
Some of us use password managers like 1Password and get really, really annoyed when we're forced to use Google or Facebook to log in.
There are two sides to this - some prefer convenience and are happy to give up some control. Others do not want to depend on a third party and want to have control themselves.
I already mentioned that I use a password manager. The problem comes if I have to create a password on my phone, where I have a read-only copy of the password vault.
OAUTH is a far better solution in general. If there were a standard privacy-respecting third-party to replace the Google and Facebook options, I'd be all over it. But I'll happily let Google know that I'm playing a game in exchange for not having to manage yet-another-password.
Find a better vault solution. Keepassx is available for every platform out there, and when combined with a file sync solution like dropbox, box, etc can be trivially used on iOS or android.
I do use Keepass, but I don't want to need to trust Dropbox etc.
I know the Keepass file is nominally password protected, but once I upload a Keepass file with all my important passwords to a site like Dropbox, there's no way to ever recall it reliably.
So if there's a Dropbox security hole, someone can potentially grab a copy. And then if there's a Keepass security hole (or if they otherwise acquire my password), then all my important passwords are compromised.
To me it's a form of "two factor" authentication for my passwords: One factor is the passphrase, the other is the physical file itself. And one of those is defeated if I upload the file to some cloud service.
My assumption is that a skilled attacker targeting me in particular will be able to compromise my access to services. Easiest vector is probably compromising email and doing password resets.
IMO the security controls that I have in place for my vault files are strong enough to make it too expensive for a general attack on files in Dropbox to be cost effective.
I (and probably the vast majority of the world) have a single separate password for sites I couldn't care less about being compromised or really serve no purpose for anyone to compromise.
So, having large corporations (google, facebook, etc) know everything you're doing all the time at every site and in every app is better than...having to keep track of various passwords? I don't get it.
I find 3rd party authentication without the slightest appeal. Maybe it's a teensy bit easier.
Everything? Hardly. Certainly everything important lives in the password vault.
But playing games? Why do I care if Facebook or Google knows I play a particular game? On Android Google is going to know what games I have anyway.
"MAYBE" it's easier? On a PHONE?! Let's see, I can click "Google" to log in, and I'm done, or I can...open my key vault, enter my 16-character-random-password into my key manager using a touch keyboard, and then do the copy/paste of the user name and the password.
What? I don't have a password for this site yet? Then I have to get my computer and generate the password there, because I don't trust "the cloud" with my critical password vault, encrypted or not.
It's so much easier to use OAUTH it's not even a close comparison.
Funnily enough there was a HN post yesterday that looked like a phishing attempt on namecheap accounts:
> Gift HN: Unused domain 'appstores.io' with ~11 months registration left
> Post your namecheap username and I'll pick someone at random in 24 hours and push it to the winner.
> The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account.
So basically PhantomJS? Or is it more sophisticated than that?
Also, this might actually let me see if I'm in the list, since I will get an unsolicited 2FA text if they try my account.
I've seen a huge uptick in spam email the last few days, and although I have no indication that I've been hacked, I feel as though I should probably fear for the worst and aggressively change all my passwords from their current kindergarten security levels. Is there a widely accessible, secure, multi-platform, free/libre password manager that is recommendable as easy to use? I reuse passwords because it's easy to remember, and I'm hoping there is something out there that is light years better than those I found the last time I tried (2007).
This is a good reminder that we all need to encourage our friends, family, and colleagues to not use the same password everywhere. Almost all of them currently do.
The best solution I've found thus far is getting them to use 1Password or the like. They still only have to remember 1 password, and the browser extensions make it trivial to log in different places. If necessary, buy them the software.
If you disagree, please reply with why. Save the downvotes for spam, trolls, jokes, memes and genuinely off-topic comments.
The concept of securely checking the hash of a chosen password against a database of known compromised credentials hosted by a trusted 3rd party seems like a reasonable additional layer of security to me. I'd love to hear counter-arguments.
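The "securely" in the comment above is the interesting part: the site should not have to send the user's password, or even its full hash, to the third party. The usual answer is a k-anonymity range query, the design the Have I Been Pwned "Pwned Passwords" API later adopted: the client sends only the first five hex characters of the SHA-1 hash, gets back every known suffix in that bucket, and finishes the comparison locally. Below is an added example for this page, not that service's code: both halves of the exchange over a constructed, hypothetical list of "compromised" passwords. SHA-1 is used here only because this is a lookup of already-published hashes; it says nothing about how the site should store its own passwords, which still needs a slow hash.

```python
import hashlib

# Constructed stand-in for the third party's breach corpus (hypothetical data,
# duplicated on purpose so the count per password is visible).
COMPROMISED_SAMPLE = ["password", "123456", "letmein", "qwerty", "Password1", "password"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: map 5-hex-char prefix -> {35-hex-char suffix: times seen}."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index, prefix: str):
    """Server side. The only thing the server learns is the 5-char prefix, which
    it shares with every password hashing into the same bucket, so it cannot tell
    which of them the client is asking about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def times_compromised(password: str, index) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)


def acceptable_new_password(password: str, index, min_length: int = 12) -> bool:
    """Policy a signup form could apply instead of composition rules."""
    return len(password) >= min_length and times_compromised(password, index) == 0
```

A real corpus has a few hundred hashes per five-character prefix, so a bucket response is small, and the check is one request at signup or password change rather than anything that touches the login path.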
Thanks. Getting a mix of results here - server issues (should be fine), and 404s - but the page wasn't deleted. Not sure what it is but we'll keep an eye on it. Thanks!
For sensitive sites like this, users should not be given the option to use the same username/password as other websites: The username should be issued by the site in the form Sally379687 or Fred965912
What Namecheap do is better - two-factor authentication. Usernames are not meant to be secret, and forcing users to look up a username as well as a password is going to be annoying.
Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and have been impressed. Things like two-factor auth and being aware of and publicising this attack are all signs of a good corporate citizen doing things right.
It would only be better if namecheap mandated two factor authentication.
Giving the user the option to use poor security is like a bank that lets its customers decide what bank vault to install, then blames its customers when they are robbed.
Define "sensitive site". Any email provider, if it's your main email account would qualify as very sensitive. However, people also have myriad junk accounts. As soon as you start to enforce this sort of thing you limit who's going to sign up.
I've got accounts with two brokers. One has good tools which I can use with simulated ledgers but won't manage SIPPs. It has a crap password which I can remember and bang in whenever I want to check performance. The other's password is in KeePass and requires a small but significant effort to access. You could argue that the former doesn't want my "business" but if they started handling SIPPs or if I start doing some speculation I'd convert instantly. Is my low level leeching worth an instant convert?
The way I have organised things is to have 5 varying levels. This limits the volume of passwords I have to recall whilst maintaining variety. While there is still opportunity for cross-use if one is hacked, it does create breakage points from areas more likely to be hacked and avoids a single point of failure. It's structured something like this:
1) Random sign-ups.
2) Slightly personal information e.g. Hackernews
3) Personal or slightly financial: e.g. mail accounts
4) Financial: e.g. Banking/Share trading
5) Work accounts
I've been wondering if I should expand this to have the same as above but bring in a component of the URL into the password to create variance for all but keeping it easy to remember. Does that seem a good method or do people have better systems?
Isn't there greater risk in using these than my method?
My logic: If one of these solutions e.g. LastPass is compromised then I am compromised across all sites. They may even bypass 2 factor authentication that goes via my email/messaging. Whereas using my method if one website gets hacked then I only give access to a segment. If it is worst case and a financial site is compromised they still don't have the password for accounts where they could see any 2-factor authentication messages. Does that make sense or am I missing something?
You are missing something, LastPass and other password services don't actually store your information in any way they can read them. What they do is store the password information as an encrypted blob and the public key derived from your password. When you "log in" you actually are running the key derivation function on your password locally then signing a message with your private key and sending that to LastPass. When they receive the signed message they check it against your public key and if it passes they send you your password information. Which you then decrypt client-side. So anyone who compromises LastPass gets nothing except a bunch of encrypted blobs and public keys. The only way to get at your LastPass information is to retrieve the unencrypted copy off your computer's memory, but if a hacker can do that they can just steal your passwords as you type them in anyway.
KeePass is just an encrypted database stored on your machine. If it's compromised, your machine is compromised, so you're screwed either way. Meanwhile, if any of many online services you use are compromised (and some inevitably will be), you have minimised the cost of that.
A hacker group has accumulated thousands (millions?) of email+password pairs. Anyone who uses the same password on all sites could be compromised, even if their password is 16 characters and random (i.e., immune to dictionary attacks).
There have been stories for a while of massive malware infections sniffing usernames and passwords of infected users. Simply because there's little to give away that such an activity is going on (i.e., if you were spamming or mining bitcoin there would be a real-world impact shown immediately) it's extremely hard to confirm or deny if this is happening and at what scale. In my mind it doesn't seem unlikely that would be happening though. Combined with large websites like LinkedIn being compromised, you're looking at a very, very big problem.
> WTF is this "urgent"? How might this affect "all internet users"?
Suppose you have a domain registered with Namecheap (or really anyone). You've reused your password and the attackers get into your account at the registrar. What does that get them?
First they change the MX record for your domain. Immediately they're receiving all your email. Now that they control your email they can get a domain-validated certificate for your domain. Then they can change all your other DNS records to point at their servers and operate them with valid TLS certificates and MITM all the connections to your real servers. Then they can collect all the credentials of users using your website including the administrative credentials that allow them to compromise your real servers. Now they have all your data and your users' data and your password database and your website is hosting malware.
There are very few things more compromising to large numbers of people than attackers quietly getting control of multiple legitimate active domains.
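Every step of the takeover chain described above starts with a change to the domain's DNS, so the cheapest detection a domain owner can run is a periodic diff of the live records against a known-good snapshot, alerting loudest on NS, MX and CAA. The following is an added example written for this page, not a tool Namecheap or anyone else ships: it parses `dig +noall +answer` style output (the two snapshots are constructed, hypothetical data for `example.com`), diffs the record sets, and ranks the alerts. Run it from a host whose clock and resolver you trust, and keep the baseline somewhere the registrar account cannot reach.

```python
from collections import defaultdict

# Constructed snapshots in `dig +noall +answer` format (hypothetical data).
BASELINE_TXT = """
example.com.  3600  IN  NS   ns1.registrar-dns.net.
example.com.  3600  IN  NS   ns2.registrar-dns.net.
example.com.   300  IN  MX   10 mail.example.com.
example.com.   300  IN  A    203.0.113.10
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
"""

# Same domain after the kind of takeover described above: MX redirected,
# A record pointed at a MITM host, CAA restriction removed. NS untouched.
OBSERVED_TXT = """
example.com.  3600  IN  NS   ns1.registrar-dns.net.
example.com.  3600  IN  NS   ns2.registrar-dns.net.
example.com.   300  IN  MX   10 mx.attacker.example.
example.com.   300  IN  A    198.51.100.7
"""

WATCHED_TYPES = {"NS", "MX", "A", "AAAA", "CAA", "TXT"}


def parse_answers(text: str):
    """Parse lines of the form `name ttl class type rdata...` into
    {(name, type): set(rdata)}. TTL and class are ignored for diffing."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        name, _ttl, _cls, rtype, rdata = parts
        records[(name.lower(), rtype.upper())].add(" ".join(rdata.split()))
    return dict(records)


def diff_records(baseline, observed):
    """One alert per (name, type) whose record set changed."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        if rtype not in WATCHED_TYPES:
            continue
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before != after:
            alerts.append({
                "name": name, "type": rtype,
                "added": sorted(after - before),
                "removed": sorted(before - after),
            })
    return alerts


def severity(alert) -> str:
    """NS or MX changes hand over the domain or its mail; a removed CAA record
    opens certificate issuance to any CA. Anything else is still worth a page."""
    if alert["type"] in ("NS", "MX"):
        return "critical"
    if alert["type"] == "CAA" and alert["removed"]:
        return "critical"
    return "high"


def report(baseline_txt: str, observed_txt: str):
    alerts = diff_records(parse_answers(baseline_txt), parse_answers(observed_txt))
    return [(severity(a), a["name"], a["type"], a["added"], a["removed"]) for a in alerts]
```

Querying the authoritative servers directly (`dig @ns1... example.com MX +noall +answer`) rather than a caching resolver avoids a stale TTL hiding the change; the registrar-side controls that complement this are a registrar lock and a CAA record, neither of which stops an attacker who already holds the registrar login, which is why the thread keeps coming back to 2FA.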