naomikritzer: (Default)
[personal profile] naomikritzer
Back in January, in response to a post from someone (probably Synecdochic but possibly over on Twitter), I changed my Dreamwidth password. I used the "how would you like me to generate a password for you, don't worry, you won't have to remember it" autogeneration dealio from my browser. I use Firefox these days for browsing on my laptop, but Chrome on my phone.

My phone doesn't seem to know the new password. No problem, I figured, surely I can dig up the password on my computer and painstakingly type it in and then my phone will also know it? Well, neither Firefox nor Google want to admit to knowing the new password; they're showing the old one. The Dreamwidth site autofills it for me but won't tell me what it is, unless I'm missing something. I am probably going to have to change my password AGAIN.

I am in favor of autogenerated passwords in theory (more secure) and strongly in favor of browsers or Google or whatever remembering them for me (because if I have to type it in, I'm not going to choose a secure one) and god almighty it would be nice if all this tech actually resulted in me being able to get into my accounts, lolsob.

Date: 2023-03-06 03:21 am (UTC)
julian: Picture of the sign for Julian Street. (Default)
From: [personal profile] julian
Hey, me too. If you get a good workaround OTHER than changing your password, post about it here?

Date: 2023-03-06 12:13 pm (UTC)
sabotabby: (doom doom doom)
From: [personal profile] sabotabby
Relatable. This kind of shit happens to me constantly and the result is less security, not more.

Date: 2023-03-06 12:42 pm (UTC)
cnoocy: green a-e ligature (Default)
From: [personal profile] cnoocy
Have you considered using a separate password manager?

Date: 2023-03-06 04:31 pm (UTC)
sraun: portrait (Default)
From: [personal profile] sraun
My Firefox has two saved passwords for dreamwidth - one for dreamwidth.org, one for sraun.dreamwidth.org. Could that be your problem?

Date: 2023-03-07 05:07 am (UTC)
dreamshark: (Default)
From: [personal profile] dreamshark
Maybe I'm missing something, but I truly do not understand how this system is supposed to give you more security. If someone steals your phone or laptop, they can automatically log in to every one of those protected accounts and reset the passwords. And it seems like the probability of someone finding or stealing your phone or computer is higher than someone caring enough to spend time trying to hack into your Dreamwidth account by guessing your weak password.

The fact that so far the system has just protected YOU from learning your own password adds to the ridiculousness of course. But I'm not convinced that the original premise makes sense.

Date: 2023-03-08 02:14 am (UTC)
synecdochic: torso of a man wearing jeans, hands bound with belt (Default)
From: [personal profile] synecdochic
The issue is twofold: it genuinely does only take seconds to break most weak passwords, and people reuse passwords across sites. The former is an issue because someone trying to break into a batch of 100 accounts will have about a 40% success rate just by trying the 100 most-used passwords and also because if an intruder manages to get a site's password database, they can run the password breaking software on it offline even if the passwords are encrypted and not stored in plaintext. (Sites will put in rate limits to slow down someone who's trying a bunch of passwords against a single account, but offline password breaking software doesn't need to check with the site until it has what it thinks is a likely decryption of the password. Most password breaking software is good enough these days that if someone manages to get a file of encrypted passwords, 2 days of a computer working on it will be able to break about 90% of the file.)

The combination of the two problems is why we -- DW, that is -- keep telling anyone who had a LJ account to change their DW passwords if they ever used the password on LJ or aren't sure if they did or not: someone got LJ's password database, and released a file of about 26 million accounts' information. (LJ still denies it happened, but I've seen the file and it's extremely complete and accurate. Every single one of my 8000 old LJ accounts was in it, including ones I'd made as test accounts when I was still working there and never used.) As soon as that file hit the underground market, we saw thousands of DW accounts being broken into and used for spam, because those people had reused their logins. The final tally of how many accounts were vulnerable because their login information was in that file was something like 30% of personal accounts. It was a shitshow, and we're still seeing fallout from it even though the file hit the underground market like 5 years ago.

These people don't care about your account individually: they want any account that's older, established, and has enough content that links posted to it get a good boost from Google's algorithm. They don't care about whether any user of the site itself sees their spam: they're trying to boost the Google page rank of the sites they're spamvertising. That kind of "account breakin to turn it into a zombie spambot" hijacking is incredibly valuable for search engine boosting, and the difference between appearing on page 1 vs page 2 of Google results can be a difference of millions of dollars in revenue. Fresh dumpfiles from any social media network are incredibly valuable because of that; a relatively new dumpfile that hasn't been picked over already can be worth a lot of money. (An established DW account with good Google rank sells for about $20 on the underground market. An established Twitter or FB account with a reasonable number of organic followers and no rate limiting/shadowbanning/etc will go for about $100. The LJ dumpfile first sold for around $1m.)

Using 2FA is best, but even just using any kind of automatically-generated password that's different for every site is a huge leap in security, because "you lost your phone/computer" is way, way less frequent than "you used the same password, or a really similar password, on another site and that site just had a breakin". Human brains are bad at coming up with true randomness, and people tend to use the same or similar passwords across multiple sites in a way that the automated password breakers are really tuned for, so it's better to let the computer generate and remember it for you because that's the only way that you get something truly random enough to defeat the password breakers.

Naomi: seconding the suggestion to use a dedicated password manager; most of them will sync across devices without any issue at all. I use 1Password and am very happy with it. Bitwarden and Keepass are two others that my friends use. Don't use LastPass, they have kind of shat the bed recently.
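Added example, not code from this thread or from Dreamwidth: a short Python illustration of the two attacks described above, the top-N dictionary pass and offline brute force against a stolen hash file, and why a CSPRNG-generated per-site password sidesteps both. The common-password list and the guesses-per-second rate are constructed assumptions, not real figures.

```python
import math
import secrets
import string

# Constructed stand-in for the "100 most-used passwords" list mentioned above.
# A real check would load a full breached-password list; the shape is the same.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "111111", "letmein",
    "dragon", "abc123", "iloveyou", "monkey", "welcome",
}

# Printable ASCII minus space: 94 symbols, roughly what browser generators draw from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Browser-style autogenerated password: uniform draws from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_common(password: str) -> bool:
    """The top-N dictionary attack in reverse: reject anything on the list."""
    return password.lower() in COMMON_PASSWORDS


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string. Only meaningful for generated
    passwords; a human-chosen one's real keyspace is the cracker's wordlist."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline brute-force time: half the keyspace at the given rate.
    Offline means no site rate limit applies; only hardware bounds the rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    # Assumed offline rate for a fast, unsalted hash; a slow KDF cuts it by orders of magnitude.
    RATE = 1e10
    for candidate in ("password", generate_password()):
        if is_common(candidate):
            print(f"{candidate!r}: on the common list, falls to the first dictionary pass")
        else:
            bits = entropy_bits(len(candidate))
            years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
            print(f"{candidate!r}: {bits:.0f} bits, about {years:.3g} years offline at {RATE:.0e} guesses/s")
```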

This is very, very late, but...

Date: 2023-05-28 10:29 pm (UTC)
dtm: (Default)
From: [personal profile] dtm
If you have a place that autofills a password and would like to know what it's putting in there, on Chrome what you can do is right-click (ctrl-click on the Mac) on the filled-in password field, choose "inspect" and then in the console window that pops up type $0.value and press enter. That should tell you what it autofilled.

I believe that the process on Firefox is nearly identical except that the menu is called "inspect element" instead of "inspect".

Powered by Dreamwidth Studios