If one were the administrator/developer of a service that requires users to supply credentials, can you picture the amount of data one will receive if you:
- Use an email as the username.
- Provide tight restrictions on the password creation (Decent minimum length, requirements of alpha+digits)
- Log unsuccessful logins and password changes
I’m sure you can see where I’m going with this, but if the service is popular the users will always first try their other common passwords until they list their entire mental list of every password they generally use (which most likely do not match the ones they came up with to register with the site), thus collecting credentials of other services the users are members of. (A few Google searches of their emails, or just the user-name part of the email, will reveal most services they are members of.)
I am going on the basis of the idea that most people (or the ones I’ve spoken to) believe that some data like failed authentication attempts, passwords that were changed, and accounts that were removed are erased from existence after the event, but in today’s world of virtually limitless storage and facile logging mechanisms, why wouldn’t administrators log everything that goes through their systems?
I have never heard of such a harvest vector and was thinking of ways to protect from this. Using a password manager like PassSafe can reduce failed attempts and randomly generate a fresh password, but careful attention has to be paid to keep that database secure. Whichever method you use, the goal is to not supply data to a third (or second) party without them needing-to-know.
Less than a year ago I still thought it was neat to use the same handle (pet name?) for all of the services I use/subscribe to/put content into, to build some name credit at some point. I thought, hey, all those people out there, if you use the same name, people can pick you out. Then one day I used the_name to sign up for one of those services that is unique to a geographic area, so everyone else who signs up can be aware of people within the same common location and it hit me. I found I should change that kind of leave-your-signature-everywhere style or else I would have lots of the theoretical bots Yan’s talking about, out there building up my record, not really caring about how cool it is that I am trying to build a name cred.
Then again, it has become newly popular a few months(?) ago to use your real name everywhere (we’re doing that right now!). It makes harvesting your activity [though not so much your password] easier.
But a comment about storing password attempts: how many people actually use the same passwords over and over again, and how many stick to random logins?
As for another way, what about using passphrase abstraction: you remember your list of easy words but a front end hashes it to the real password before using it in the form. (I believe Ling presented on this last year, but I know the browser implementation she talked about was really impractical.)
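The passphrase abstraction idea above, as an added example (not code from either commenter): one memorised passphrase, one password derived per site with PBKDF2 keyed on the site name, so whatever a service captures in its failed-login log is useless at any other service. The iteration count, alphabet and output length are this example's own choices, and the passphrase and site names are constructed samples.

```python
import hashlib
import string

# Added example, PwdHash-style "passphrase abstraction": the site name is
# the KDF salt, so one memorised passphrase yields unrelated passwords for
# different sites. A password typed into (and logged by) one service then
# reveals nothing usable elsewhere. Parameters below are this example's own.

ALPHABET = string.ascii_letters + string.digits   # alpha + digits only
ITERATIONS = 200_000                              # PBKDF2 work factor


def _normalise_site(site: str) -> str:
    """Lower-case and strip so 'Example.com ' and 'example.com' agree."""
    return site.strip().lower()


def _has_letter_and_digit(pw: str) -> bool:
    return any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Deterministically derive a site-specific password.

    If the mapped output lacks a letter or a digit (roughly 6% of the time
    for 16 characters), a counter is appended to the salt and the
    derivation repeated, so the result is still fully deterministic.
    """
    base_salt = _normalise_site(site).encode("utf-8")
    for attempt in range(16):
        salt = base_salt + b"#" + str(attempt).encode("ascii")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                  ITERATIONS, dklen=length)
        # Byte mod 62 is slightly biased; acceptable for a password,
        # not for cryptographic key material.
        pw = "".join(ALPHABET[b % len(ALPHABET)] for b in raw)
        if _has_letter_and_digit(pw):
            return pw
    raise RuntimeError("could not derive a conforming password")


def leaks_across_sites(master: str, logged_site: str, other_site: str) -> bool:
    """Would a password captured in logged_site's logs work at other_site?"""
    return (derive_site_password(master, logged_site)
            == derive_site_password(master, other_site))


if __name__ == "__main__":
    MASTER = "correct horse battery staple"   # constructed sample passphrase
    for site in ("mail.example", "shop.example", "bank.example"):
        print(site, derive_site_password(MASTER, site))
```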