Over the lats couple of years, I've been increasingly providing governments with better access to their departments' data exposed in breaches by giving them free and unfettered API access to their domains. As I've been travelling around the world this year, I've been carving out time to spend with governments to better understand the infosec challenges they're facing and the role HIBP can play in helping them tackle those challenges. During my time in Norway, that included spending time with their National Cyber Security Centre in Oslo. Today, I'm very happy to welcome Norway as the 6th national government onto Have I Been Pwned!
Yes, I'm in my car. I'm completely disorganised, rushing to the next event and really didn't plan this very well. But hey, what an awesome little soundproof booth it is! That said, I did keep this week deliberately concise... until I went to edit it and then Adobe Premiere (or the NVIDIA drivers on my laptop) decided to turn a 16 minute video clip into a multi-hour shit-fight. That's before the multi-hour upload process too because "Australia" 🙃
It's a late, early in the day, hazy, bush-firey Aussie weekly update with a whole bunch of various bits and pieces of interest from throughout the week. The references below will give you a sense of how much I've jammed into this week so I won't repeat it all here in the intro, but I reckon it's a really interesting mix of different things across the industry. Enjoy 😎
Let me break down what's happening here: I'm in (yet another) hotel and on complete autopilot, I start typing "xer" into the address bar which Chrome then dutifully auto-completes for me:
Because it's hotel wifi I expect it to be slow, so I flick over to another tab to do other useful things before switching back to the Xero tab ready to log myself in. Now, imagine for a moment that I'd been confronted with this page:
I've doctored this image to represent what could easily have been a rogue Xero homepage, but would I have hit the login button if I'd seen it? Would I then have entered my credentials on the resulting page, even if still served insecurely? Possibly, although a saving grace would have been Chrome's red indicator once I started typing the password (although in my case, I would have tried to autofill from 1Password and I'd have 2FA to protect me if someone else grabbed it, but you get the point). No really, I pay a lot of attention to this stuff and I'll admit that I could easily have missed the absent padlock. And why is there no HSTS which would have avoided this situation altogether? So I decide to check out the response headers on the login page and behold, there's HSTS:
That's one year's worth of seconds and I visit the site regularly, so what's the problem? Well the obvious one is a combination of the domain being different to the one I originally went to and the HSTS setting not specifying that it should include subdomains. With no such header being returned on the apex domain coupled with my mental autopilot then Chrome autocompleting to xero.com and defaulting to the insecure scheme (as all browsers presently do), meant no HTTPS and the local network effectively MitM'ing the request.
The irony with all this is that Xero obviously recognises the value of HSTS or they wouldn't have used it anywhere, yet by failing to use it on the landing page they leave customers vulnerable to precisely the sort of risk they added HSTS on the login page to prevent. So the moral of the blog post is that HSTS must exist across the entire route of navigation and ideally, also include subdomains and be preloaded. And hey, it's free, easy and one of the best defences going for precisely this threat.
It's been a pretty full week this one with a couple of talks in Sydney followed by another in Melbourne. Then, to top it all off, getting sick hasn't helped and oh boy did this one hurt. Good news is that even just a few hours after recording this video I'm feeling much better, but I desperately need to take a longer period of rest if I don't want a repeat of this any time soon. That'll come, but not for a while yet.
Oh - I forgot to mention it in the vid but I'm also now publishing this podcast via Spotify. Check out the link below if that's your preferred means of consuming podcasts.
Ah, impending summer on the Gold Coast! It's that time of year when you can just start to sense those warm beach days and it's absolutely my favourite time of year here. Which means... it's time to head off to other events again. Fortunately it's all domestic this time as I head south to Sydney and Melbourne and maintaining my "no fly unless I absolutely have to" stance, it's long, open road drives, copious podcasts and lots of thinking time.
On the infosec side of things, there's a a bunch of HTTPS related content this week plus a couple of (really) sensitive data breaches. I do give a warning at the beginning of this week's update that one of them in particular is pretty, uh, "edgy" and may not be something you want to listen to, but it consumed a bunch of cycles this week and IMHO is worthy of discussion. It's a weird, weird world out there on the web...
It's my first conference back in Australia since probably about May and I'm experiencing a rare luxury - not flying! I'm sticking to driving some big distances just to get a break from the tyranny that is check-in, security and airport lounges. Seriously, it was beginning to do my head in so now it's cruise control and podcasts for me in the foreseeable future.
This week's travel has brought me to Sydney where the new iPhone got a good workout:
Night Mode on the iPhone 11 Pro is rather amazing. This shot last night was just point and shoot well after dark - no filters or touch up! pic.twitter.com/zcklC3VxML
Beyond that, I'm going through some of the highlights (lowlights?) of this week's tweets as that seemed to resonate the last time I did it. Next week will be Gold Coast sunshine and if I time it right, some kangaroos as well 🦘
Australia! Geez it's nice to sit amongst the gum trees and listen to the birds, even if it's right in the middle of some fairly miserable weather. I'll continue to be here for the foreseeable future too, at least in one state or another. But being back here hasn't stopped me talking about European laws being handled by a local American website nor commentating on the (now well and truly over) debate about the usefulness of visual identity indicators in browsers. But hey, at least the discussion keeps in providing entertaining material!
Well, this will be the last weekly update done overseas for some time as I count down the return to beaches, sunshine and fantastic coffee (yes, I'm confident saying that even whilst in Italy!) It's been a non-stop trip with an attempt of a bit of downtime at the end of it, albeit with limited success. Regardless, this week I'm covering off the last few days travels, reflecting on 10 years of blogging and looking at a really cool use of HIBP related to net neutrality comments lodged at the FCC. Next week... who knows, but at least I'll be home.
It's been a bit of intense country-hopping since the last update so this one is a consolidated "this week in tweets" version. I actually found it kind of interesting going back through the noteworthy incidents of the week in lieu of having original content of my own, see what you think. Given the coming schedule (and a deep, deep desire for a few days of downtime), the next one might be more of the same so I hope it resonates!
Because this week is predominantly about noteworthy tweets, I'm going to do the references a little differently. Firstly, with a sponsor shout-out:
This is fascinating: an amazing story of technology having a profound effect on someone’s wellbeing. Equally, a technology that’s only possible due to constant monitoring and tracking. https://t.co/3pI0OdfYBz
There are periodic flareups of anti-HTTPS sentiment thanks to a grumpy technologist who doesn't want to upgrade his sites. Read this by @troyhunt for why even static sites need a security and privacy standard that's been around since 1994. https://t.co/zdxeqP1aBa
Hungary! And that's about as much intro as I'm going to do on that because this is going out super later and I'm writing this at the end of a very long day. Only other thing I'll mention is the audio - the Instamic failed to record again so it's now going firmly into the e-waste bin.
Anyway, on a more positive note, enjoy the beautiful sights of the Hungarian parliament before you jump into this week's update:
Allow me to be controversial for a moment: arbitrary password restrictions on banks such as short max lengths and disallowed characters don't matter. Also, allow me to argue with myself for a moment: banks shouldn't have these restrictions in place anyway.
I want to put forward cases for both arguments here because seeing both sides is important. I want to help shed some light on why this practice happens and argue pragmatically both for and against. But firstly, let's just establish what's happening:
People are Upset About Arbitrary Restrictions
This is actually one of those long-in-draft blog posts I finally decided to finish after seeing this tweet earlier on in the week:
My bank tells me that their exactly-5-digit password policy is secure since it has 1.5bn permutations and the account gets blocked after 3 attempts. This just feels wrong but I can’t come up with a strong argument against it. Any thoughts? @troyhunt@SmashinSecurity ?
It feels wrong because 5 digits presents an extremely limited set of different possible combinations the password can be. (There's something a little off with the maths here though - 5 digits would only provide 100k permutations whereas 5 characters would provide more in the order of 1.5B.)
That said, Westpac down in Australia certainly appears to be 6 characters:
Finally thought @Westpac had upped their password game, moving from the long pointless on-screen keyboard (OSK) with a character count limit, to 'normal' password entry. But nope... 6 characters... MAX... for my *online banking*. @troyhuntpic.twitter.com/9FMSdvVRiL
@TSB Please remove the 15 character maximum password length restriction and allow any characters without having to include any specific ones. This is also the advice of the @NCSChttps://t.co/WTmWEldLBO
So on the surface of it, the whole thing looks like a bit of a mess. But it's not necessarily that bad, and here's why:
Password Limits on Banks Don't Matter
That very first tweet touched on the first reason why it doesn't matter: banks aggressively lock out accounts being brute forced. They have to because there's money at stake and once you have a financial motivator, the value of an account takeover goes up and consequently, so does the incentive to have a red hot go at it. Yes, a 5-digit PIN only gives you 100k attempts, but you're only allowed two mistakes. Arguably you could whittle that 100k "possibilities" down to a much smaller number of "likely" passwords either by recognising common patterns or finding previously used passwords by the intended victim, but as an attacker you're going to get very few bites at that cherry:
Good morning, Keep in mind with ING a 4 digit access code is the maximum we offer. However, after 3 attempts of entering an Access Code your account will be blocked. ^Alissa
Next up is the need to know the target's username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That's not to say there aren't ways of discovering someone's banking username, but it's a significantly higher barrier to entry than the typical "spray and pray" account takeover attempts.
Then there's the authentication process itself and it reminds me of a discussion I had with a bank's CISO during a recent workshop. I'd just spent two days with his dev team hacking themselves first and I raised the bollocking they were getting on social media due to a new password policy along the lines of those in the tweets you see above. He turned to me and said, "Do you really think the only thing the bank does to log people on is to check the username and password?" Banks are way more sophisticated than this and it goes well beyond merely string-matching credentials; there's all sorts of other environment, behavioural and heuristic patterns used to establish legitimacy. You won't ever see a bank telling you how they do it, but those "hidden security features" make a significant contribution to the bank's security posture:
Hi. I understand your concerns. Our Online Card Services login is our first line of security, but we do have many other hidden security features in place that help us to protect your account and details. ^LauraP
Then there's the increasing propensity for banks to implement additional verification processes at key stages of managing your money. For example, one of the banks I regularly use sends me a challenge via SMS whenever setting up a new payee. Obviously, SMS has its own challenges, but what we're talking about now is not just needing to successfully authenticate to the bank, but also to prove control of a phone number at a key stage and that will always be more secure than authentication alone.
And if all of this fails? Banks like ING will give you your money back:
Hi Owen, your online banking is safe and secure with ING. We take security seriously, and use industry-leading technology to protect your accounts. Plus, we have an Online Security Guarantee in place. In the unlikely event that an unauthorised...
How much sophistication do you think is behind those username and password fields in that vBulletin forum? Exactly, it's basic string-matching and this is really the point: judging banks by the same measures we judge basic authentication schemes is an apples and oranges comparison.
However, I disagree with banks taking this approach so let me now go and argue from the other side of the fence.
Banks Shouldn't Impose Password Limits
There are very few independent means by which we can assess a website's security posture in a non-invasive fashion. We can look for the padlock and the presence of HTTPS (which is increasingly ubiquitous anyway) and we look at the way in which they allow you to create and use passwords. There are few remaining measures of substance we can observe without starting to poke away at things.
So what opinion do you think people will form when they see arbitrary complexity rules or short limits? Not a very positive one and there are the inevitable conclusions drawn:
Hey [bank], does that 16 character limit mean you've got a varchar(16) column somewhere and you're storing passwords as plain text?
As much as I don't believe that's the case in any modern bank of significance, it's definitely not a good look. Inevitably the root cause in situations like this is "legacy" - there's some great hulking back-end banking solution the modern front-end needs to play nice with and the decisions of yesteryear are bubbling up to the surface. It's a reason, granted, but it's not a very good one for any organisation willing to make an investment to evolve things.
But beyond just the image problem, there's also a functional problem with arbitrarily low password limits:
I've been through this myself in the past and I vividly recall creating a new PayPal password with 1Password only to find the one in my password manager had been truncated on the PayPal side and I was now locked out of my account. This is just unnecessary friction.
So wrapping it all up in reverse order, arbitrary low limits on length and character composition are bad. They look bad, they lead to negative speculation about security posture and they break tools like password managers.
But would I stop using a bank (as I've seen suggested in the past) solely due to their password policy? No, because authentication in this sector (and the other security controls that often accompany it) go far beyond just string-matching credentials.
Let's keep pushing banks to do better, but not lose our minds about it in the process.
Turns out it's actually a sunny day in Oslo today, although it's the last one I'll see here for quite some time before heading off to Denmark then other European things for the remainder of this trip. I'm talking a little about those events (all listed on my events page), this week's changes to EV, more data breaches and a somewhat semantic argument about the definition of "theft".
From the emerging spring to the impending autumn, I'm back in Oslo at the beginning of another series of European events that'll take me across Norway, Denmark, Hungary and Switzerland. This week's update comes from under the glow of a warm outdoor heater at ridiculous o'clock as my sleep cycle keeps me making early starts. But it's all transient and by this time next month I'll be back to a very warm, very familiar Aussie landscape. For now, here's what's new on my side:
Back on business as usual, there's the SIM hijacking issue with Jack Dorsey's Twitter account, more data breaches and joyously, the HIBP API being back in full swing with the 500 subscription limit issue on Azure's APIM now being overcome. Next week's update will be from Oslo so a rather different scene, followed by some other cool places across Europe in the ensuing weeks.
Australia! Sunshine, good coffee and back in the water on the tail end of "winter". I'm pretty late doing this week's video as the time has disappeared rather quickly and I'm making the most of it before the next round of events. Be that as it may, there's a bunch of new stuff this week not least of which is the unexpected limit I hit with the Azure API Management consumption tier. I explain the problem in this video along with a bunch of other infosec related bits. I'll do another one from Aus later this week (if I can stick to schedule) and will try and find another nice little spot. Until then, enjoy:
I made it out of Vegas! That was a rather intense 8 days and if I'm honest, returning to the relative tranquillity of Oslo has been lovely (not to mention the massive uptick in coffee quality). But just as the US to Europe jet lag passes, it's time to head back to Aus for a bit and go through the whole cycle again. And just on that, I've found that diet makes a hell of a difference in coping with this sort of thing:
The number one most effective way I’ve found for coping with jet lag, stress, crazy work loads and general health is to focus on diet. It’s hard to control a lot of other environmental factors, but food is definitely one I can easily take charge on. pic.twitter.com/sUdXDbzbbw
This week it's almost all about commercial CAs and their increasingly bizarre behaviour. It's disappointing to see disinformation and privacy violations from any organisations, but when it's from the ones literally controlling trust on the web it's especially concerning. Maybe once they're no longer able to promote EV in the way they have been that will change, but I have a feeling we've got a bunch more crap to endure yet. See what you think about all that in this week's update: