Passwords and Websites 2
I’m like many of you. I use a few websites for convenience. About 3 yrs ago, I had 10 reused passwords, based on the importance of the service. Social sites got shorter passwords, more important sites like banks got longer, more complex, unique passwords. At that time, it made sense, and I had all these documented inside a plain text file that I kept ZIPed with a password.
Then I started using KeePassX, my password manager of choice. 20 or 60 character passwords didn’t matter. I was never going to enter them anyway. Complexity was handled by the built-in random generator and having a different password for every login became easy to do. That’s how I do it now.
I’m lazy. I didn’t go back and change every one of the old passwords to be more secure. Seriously, how important is a LinkedIn password?
Website Trust
This XKCD.com comic explains what you are trusting on other websites when you use the same password.
Doesn’t seem very smart now.
LinkedIn Email
This morning, I received an email from LinkedIn that claimed my password was in the list of those leaked. That seems strange, since I’ve never loaded an app for Android or iPhone for LinkedIn and I’ve never logged into the website except from home using a single browser that I trust. Still, the email sits in my inbox, waiting to be handled. Time to change the password, I guess.
Fortunately, I don’t use the other 2 massively linked websites at all, so those do not affect me at all. eHarm…. or something.fm. I wonder how many people do AND use the same password everywhere. Probably more than we think should.
Looking at the old password, it is a non-trivial 16 characters. No words of any kind and appears to be random. It is not a password that I would have come up with. I can’t think of why this password would only be 16 characters, unless LinkedIn limited the number of input characters. When I started using KeePassX, using passwords over 30 characters became normal. Some are 30, 45, 55, 64 … whatever the limit was from the last website. I wasn’t worried, since 30 was enough. Of course, a flaw in the implementation or flaw in the algorithm could completely negate the length and complexity.
I understand that.
I visit linkedin.com in the normal way. During login, I’m told to check my email. Huh? This seems dumb. I just logged in, so they know it is me or do they? Anyone could type in anyone else’s email address to get an email with a link to change the password. The link is emailed to the email address, not just anywhere, so if you control the email, that is good enough. I typed in a completely bogus password and still got the email. Wanna have some fun? Pick a buddy and type in completely different passwords on that page – they’d get 2 emails for each attempt. I wonder if it resets the password for anyone even if they’ve already reset their password too? All sorts of mischif here.
Email Headers
Even the link in the email appears to be phishing … it says www.linkedin.com/settings, but the actual link under the Simple-HTML is to an IMAP server for my internal network. Not good, but this could be a bug in a new version of Thunderbird – Time will tell.
Ok, so I just checked my email again and there were 2 new LinkedIn emails. Now I’m curious. I need to look at the email headers. The email subjects are:
- Important update regarding your LinkedIn password
- Reset Your LinkedIn Password
- Reset Your LinkedIn Password
The first email headers appear valid.
- From e.linkedin.com
- With DomainKey-signature
- The path the email took from there to here makes sense
- It is addressed to the email address I use for LinkedIn
- Both the FROM and TO fields, easily spoofed, make sense. They aren’t to some other domain like gmail, yahoo, hotmail, etc.
- There is no REPLY-TO at all.
The second email header arrived a few minutes after I attempted to login to LinkedIn this morning.
- From linkedin.com
- With DomainKey-signature
- The path the email took from there to here makes sense, but …
- the TO field is not to an email address used for LinkedIn. I’m suspicious. I try to keep different email addresses, aliases actually, for different purposes. Time to check the real TO from the server-side. Ok, the correct alias was used according to the server. Fine.
Looking at the content of the email, it has lots of links that are automatically generated and LONG. I know never to click on a link in any email, so I’m confused. Should I or shouldn’t I click? We need to look at the next email first …
The third email looks like the same as the 2nd one, but they were emailed 1 second apart. The TO field is back to the alias that LinkedIn knows. The 3rd has lines wrapped, which is strange since I’m looking at 7-bit ASCII text. The HTTPS link included is identical to that included in the 2nd email. It is a change password link, good for 24 hours and points to a www.linkedin.com website. So far, so good. Seems reasonable. They’ve assumed that I have control over the email address, which is just about as much security as they have access.
Ok, so all 3 emails seem reasonable.
So, my initial thought that emailing instructions to reset the password may have been foolish. LinkedIn doesn’t know much about the users except an email address and a password. They already know they can’t trust the password.
Problem Fixed?
Nowhere that I’ve seen, not on the web or in the emails, does LinkedIn say they fixed the issues. NOWHERE. Why should I and millions of others change our passwords at all? Did they fix anything? Did they even try? Will we be back next week after another breach?
Ok, so do I click on the link to reset the password or not? I’m stuck. What should I do? Click or not? Did you already click?
Centralized Authentication – OAuth or OpenID Better?
On the surface, these seem like better answers, until you consider that XKCD comic. Now you have 1 authentication point of failure that gives access to a few other sites, if not 50. Just look at Facebook and twitter – both are pushing us to use their authentication even when we rather against. There are 3rd party sites using them too, as openid providers. Why?
As a facebook-connect user, you gain access to facebook information, likes, interests, AND friends. That’s a bunch of information. I can see why lots of smaller websites would like this access to increase profits.
Further, every time you login with the FB credentials to other websites, FB gains access to that knowledge too. I bet they have a tiny bug on every webpage on that other site, so you are tracked everywhere. Have you seen those Like icons everywhere? You are being tracked.
As a facebook user, you already have given up lots of privacy without considering the consequences. Being able to reuse that login for hundreds of other websites is really convenient for you. Instead of 50 passwords, you just need 1.
That’s much easier for everyone. Users think it is great and websites get access to deeper knowledge about their users. Win-Win, right?
Even with using KeepassX, I still find using my facebook, twitter, or google account for authentication useful. I can revoke the authorization at any time, and while I might be tracked, I use a free service, they have to monetize themselves some way.
Another reason is that a lot of the recent password breaches have been due to lax security. I see the (sometimes overbearing) scrutiny that Facebook and Google especially are under, and know that if they had such fatal flaws, they would be exposed very quickly and probably shouted from the mountain tops, I mean everybody loves to hate them, right?
More like lose-lose! No privacy or acct traceability that way.
I didn’t get any email from Linkedin about password being compromised.
I saw some news about it, and links to checker sites, but I dont feel comfortable entering my password on a random site. Fortunately I’m using KeePass and have a random pwd that is LinkedIn specific. Have not been compelled to try to change it yet.
So far I have refused to use a Facebook login for any sites that offer it. I prefer to have a unique login and password per site, usually with an email I can trace to that acct. I don’t like the idea of losing control of my identity.