So the Edinburgh Fringe Festival ended last week and, as usual, they announced the winners of the under twenty seconds joke category. The winner, it seems, was Nick Helm’s contribution of “I needed a website password containing eight characters, so I used SnowWhiteAndTheSevenDwarves”. Oh dear. And second was Tim Vine with “Crime in multi-storey car parks – that’s wrong on so many levels”. Yet it made me realize just how much of a waste of time my recent web administration tasks probably were.
Several years ago we set up a website for our village resident’s action group. It’s a lively site that displays news, weather, events, photos, and other generally useful local information. We set it up with membership capabilities so people can register to keep in touch, and to read committee reports and meeting minutes. It was adapted from a very old version of the ASP.NET Club Starter Site, much modified to our requirements.
However, it also used the default personalization and security settings, storing passwords and answers to security questions as plaintext in the database. We never really considered this to be a major risk because, even if you got hold of somebody else’s login details, you’d only get to see the list of members and the committee meeting minutes. And you can do that just by registering anyway.
But I’ve always been a bit nervous about this, and with the increasing number of attacks and stolen credentials we seem to be hearing about these days, I needed to do something about it. Especially as I suspect many people, despite the large warnings we show on the Register and Login pages, use the same password for every website they visit – including their online bank.
Of course, changing the password storage mode is easy; you just switch the attributes in the web.config file to turn off “retrieve password”, turn on “reset password”, and specify “hashed” or “encrypted”. Except that it only affects new accounts. I experimented with both existing and new accounts, and discovered that even resetting the password doesn’t change the mode for an account. So I played with creating a script to update them, but never managed to get it to generate a hash that was the same as the membership system would create for the same user.
In the end, the only solution seemed to be to delete and recreate all of the accounts. The existing accounts need to be deleted first so that the new ones can use the same username and email address, so I can’t just get people to re-register whenever they like. Thankfully there aren’t that many accounts, so in the end I decided to manually re-register them all myself. Users won’t see any difference, and I can do them one by one in any periods of spare time I can find to devote to the task.
Of course, to do this I needed to read the existing details of the user, including the security question, answer, and password. I’m not sure of the legal position here, but there seemed no other workable option and I would only be copying them from a database table into a text box so it seemed safe enough. At my senility-approaching stage of existence, I’d never be able to remember any of them anyway – even under torture (such as being locked in a cold room with no access to chocolate).
And it’s here that the “wrong on so many levels” bit hit home. I only saw one password that was even remotely complex; every other was a simple dictionary word, occasionally with a number or two on the end (but I suppose I should be pleased that nobody used “password” for their password). As for the security questions and answers, most were typical pet, child, or mother’s maiden names. Though a few were somewhat less secure – “Colour of my front door” (when they also put their address on public view in the membership pages) being a typical example.
And what really amazed me was one where the question was “What is 1 plus 2?” OK, if the security answer had been “79” I would have applauded them for originality, but sadly their answer was “3”. I know that the mechanism emails the password reset code only to the registered email address, but this seems to be someone intentionally flaunting our attempts to help them stay secure. Or, perhaps more likely, not actually understanding what they are doing.
Still, now everyone has a hashed password and security answer in our database, and I feel a lot more comfortable. I even updated the Privacy page to add the recommended disclaimers and explanation of what we do with their personal information. And I also added the stuff that the People’s Republic of Europe now demands about storing cookies on user’s browsers.
In case you hadn’t heard, the faceless bureaucrats of the State Of Europeland now demand websites obtain consent from visitors to store cookies in their browser. Supposedly it doesn’t include cookies “necessary to enable websites to work correctly”, though how that is defined nobody seems sure. I’m guessing that they realize what will happen if they ban use of the ASPNET session cookie. And it’s not like banning something will have any effect on the visitor-tracking and other malicious practices already in use on the web. Let’s face it, most users don’t actually care that much about privacy anyway…
But what’s really worrying is if the kind of behavior I’ve seen in the last few weeks with regard to passwords and general security awareness is typical. If so, we really do need to do something to help people protect themselves from themselves. Thankfully most sites that do contain sensitive information now demand complex passwords, but I still know of at least two people who – despite my nagging – insist that a single dictionary-word password is enough for all their accounts.
Meanwhile, the third prize (in the joke competition – keep up at the back) was “People say ‘I’m taking it one day at time’. You know what? So is everybody. That’s how time works.” In fact, I reckon that one should have won…
Footnote: British readers (who know what B&Q is) will perhaps not be surprised to hear that our favorite comedian and magician Paul Daniels came last with “I said to a fella ‘Is there a B&Q in Henley’, and he said ‘No, there’s an H and a E and an N and…'”
FootFootnote: The title of this week’s rambling is from the radio show that inspired not only Edinburgh Fringe Festival, but also most other comedy revue shows since then.