A reason why every site should move past passwords: Kiwi Farms hack.

submitted by x0x7 from self.technology

Posted in another Saidit discussion is this screen shot.

In it Kiwi farms admits they were attacks and successfully breached. That's fine on it's own. It happens especially when you are a major target. But under the user impact statement the admin tells users they should assume their password was stolen.

But this admits they were storing the passwords in plain text or an ineffective form of hashing at best.

You cannot trust a website to store passwords correctly no matter how much they understand that they would be a target or no matter how big a company they are and ought to have the resources to be responsible. Look at how many corporate credit card leaks there have been. Each of them a demonstration of how armature data storage can be even when "professionals" are hired.

The answer is that we should not encourage a security model that requires users to give us something that might be valuable if taken from us if we can help it. Identifying who someone is in a verified way is not a new concept to people in tech. There is a right way to do it (if not several) and passwords are not it. We only continue to use them because the shock of moving to an alternative would be jarring to the average internet user. All sites are marketed and so no site wants to implement anything that would be jarring to a user even if that means putting their security interests last.

The correct solution is cryptographic signatures. It doesn't require 0-auth which has its own problems especially for privacy. And it means you are giving exactly zero data out that could allow someone to spoof you.

But wouldn't that require a second piece of software that users don't want to use? Well, if you are doing passwords correctly you are using a password manager and so you are already using a second piece of software. To the degree that a password manager can be added to a browser to simplify it's use so too can a key manager. Second there would be no store of a large list of unique passwords to keep synchronized across multiple computers often requiring your password manager to act as a middle man (scary). Instead one key would be all that would need to be mirrored across all devices and would cover all sites so no continuous synchronization is needed. If you want identities across sites to be unique a single key can be used to generate an unlimited number of other keys using the website as a muse for how to derive the daughter key, so you still need no continuous synchronization or third party facilitators.

But no site wants to be the first to scare users by asking them to participate in their own security, nor do they want to give up the alternative "solution" of 0-auth that helps them compromise user privacy and participate in data mining. The other reason why 0-auth / two factor authentication is a non-solution is it helps facilitate the ability to cut people off of services at will. If they can cut your phone or cut your email you lose everything, and you lose it much faster than if they did that to you now.

Why tell this to people who mostly don't build websites and mostly use them? Because when you see a company doing the right thing and getting rid of passwords (if they are swapping them for signatures) it helps if consumers understand that they are the good guys for it and to not get angry. That fear of consumer anger is what prevents things from actually being secure.

Also, demand that website owners store passwords better. @magora. We're not cleartext here are we?

all 13 comments
sorted by:
top
newinsightfulfun

[–][deleted] 3 insightful - 3 fun3 insightful - 2 fun4 insightful - 3 fun -  (4 children)

Maybe use an old school dongle as a second factor. Some providers allow using more than one phone number as a second factor.

When I can, I only use passwords with 24 characters length. I watched a terrifying lecture on quantum computing last year and according to it, this kind of risks are only to mitigate by increasing password length. (We'll never really know what kind of computing power is at somebodies command in some secret lab, sadly.)

Otherwise, from a user's perspective, I try to spread my risk by using different E Mail from different providers.

[–]x0x7[S] 6 insightful - 3 fun6 insightful - 2 fun7 insightful - 3 fun -  (3 children)

I'd prefer to not give out a phone number of any kind to almost any site, let alone minor sites like kiwifarms of saidit.

[–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (2 children)

I'd prefer not to, too.

But in EU this is mandatory for online-banking e.g.

[–]iamonlyoneman 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

Online banking is stupid.

[–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

I know. But since i got to manage accounts that are kept in Lithuana, i'm sometimes out of options regarding this.

[–]iamonlyoneman 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (0 children)

"we should move beyond passwords on one site" is another way to say "we should use passwords on a different site" usually with "oh and fucking record your biometrics so those can be hacked when othersite is hacked too LOL"

Passwords are not the problem. Poor website security is the problem. A corollary problem is retards using realnames and personally important and ID-traceable email accounts to register online.

[–]LarrySwinger2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

/u/magnora7 <-- this is how to summon him.

Users can address this issue by using unique passwords. I'm guessing the average person will have trouble remembering one password for each site, but that's what password managers are for, and they can generate passwords for you as well.

[–]GB43 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

The solution is not to get rid of passwords. It is for people who run websites to pay attention to security. For example, I run a small social media site. On my site, users' passwords are stored 256-bit encrypted with a long salt. So, even I can't decrypt them. If they are stolen, it isn't really a big deal, because all the thief has is gibberish. I also do not ask users for ANY private information, so there is nothing else on my server that a thief might want. Josh Moon seems to me to be too smart to store passwords unencrypted on his site, so I hope you just misinterpreted what he was saying.

By the way, I have been following the drama surrounding Kiwi Farms, and it is a fascinating illustration of the current state of free speech on the Internet.

[–]JasonCarswell 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (1 child)

The correct solution is cryptographic signatures. It doesn't require 0-auth which has its own problems especially for privacy.

What's the matter with OAuth?
https://en.wikipedia.org/wiki/OAuth

But no site wants to be the first to scare users by asking them to participate in their own security,

I'm not an I.T. guy, nor admin, nor a coder - but I'd be happy to help facilitate whatever is needed to make more ethically-managed (FOTPACH fair, open, transparent, peaceful, accountable, consistent, honest), self-regulated, decentralized instances to be as flexible, resilient, robust, secure, and sustainable as possible.

I have several guys and communities eager to fund the set up with several local communities keen to relocate to Movim, YaCy, etc. Maybe SaidIt folks might like a couple Lemmys too, maybe not.

Why tell this to people who mostly don't build websites and mostly use them? Because when you see a company doing the right thing and getting rid of passwords (if they are swapping them for signatures) it helps if consumers understand that they are the good guys for it and to not get angry. That fear of consumer anger is what prevents things from actually being secure.

Truth-seekers, free-thinkers, and freedom/resistance folks understand what is at stake. Those are the only folks I/we need to worry about when starting up.

[–][deleted] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

What's the matter with OAuth?

When you give an app OAuth credentials you effectively give it carte blanche to access data associated from your other accounts using those credentials.

Personally I think passwords are less of problem than OP. If you want to do key signing, the problem is that you are still relying on a central key authority, randomly generating non-unique keys, or using some secret phrase hash that is essentially a password anyway. The password is at least under your control. Although things like ensuring the password isn't stored in cleartext in the database is not

[–]package 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

... op the post literally breaks down exactly what happened and it has nothing to do with passwords. It isn't saying that they store your password as plaintext or even that anything to do with passwords or anything else was accessed. It is saying that regardless of the severity of any hack on any site, it is always a good idea to assume the worst and update all security info.

[–]fizzparentlanguid 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

Administrators of online platforms should take precautions to prevent unauthorized access to their platforms. For instance, I manage a little social networking site. Passwords on my site are 256-bit AES encrypted and salted for further security. This means that even I am unable to read them in their encrypted form. It's not a big deal if they get stolen because the thief will only driving directions be left with meaningless nonsense. Moreover, I do not solicit any kind of personal data from my visitors, thus there is nothing of value on my server that a criminal might steal. I think Josh Moon is too savvy to save passwords in plaintext on his site, therefore I'm crossing my fingers that you misunderstood him.

[–]x0x7[S] 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (0 children)

That is not how to handle passwords. If they are encrypted then they have to be decrypted to compare against a user's password. That means an automated system exists on the site to expose passwords.

The right solution is hashing. It should be a one way path, e.i; not encryption. You salt and hash it 100,000 times. To do that without blocking your site you do it in a separate thread.

This is the problem. People are inventing ways to store passwords when there should just be one right way. Every programming language that mainly targets web should have a tutorial visible on their front page (how to store passwords in our language). It should practically be taught as a hello world. It's crazy to me that people get multiple years into a language and never run into such a link and have to invent password storage on their own. The how to store a password tutorial for a language should be equal in order as "how to read the file system" or "how to connect to a database."