
Our Password Security Changes

I know some of you guys have been complaining about the new message you get when updating your journal saying your password is insecure. Please believe me when I say that we do not have other options for protecting account security at this point. Running some statistics, we saw that many users share the same password as others, which creates havoc for our abuse team in terms of account break-ins; no fun for anyone. We will be talking more about this in our News post on Monday, but I wanted to link to a reply I just left on a comment that explains a bit more of our password policy.

http://www.livejournal.com/community/changelog/2405086.html?thread=1126622

Basically our requirements are the following:
Cannot include your username
Cannot include your email
Cannot include your display name
Is not found in the English dictionary used by CrackLib
Must contain one digit or piece of punctuation (new)
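The rules above, written out as a checker that can be run against a candidate password. This is an added example, not LiveJournal's code: CrackLib is replaced by a small constructed word list, the dictionary test strips case and non-letters and also tries the reversed word (an assumption about how such checkers behave), and identifiers shorter than three characters are ignored so a one-letter display name does not reject everything (also an assumption).

```python
"""Password policy checker modelled on the five rules listed in the post.

Added example; not the site's own code. DICTIONARY is a constructed stand-in
for the CrackLib word list, which is far larger.
"""
import re
import string

# Constructed stand-in for the CrackLib dictionary.
DICTIONARY = {"password", "letmein", "welcome", "sunshine", "dragon", "monkey"}


def check_password(password, username="", email="", display_name="", dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    pw = password.lower()

    # Rules 1-3: the password must not contain the account's identifying strings.
    # Comparison is case-insensitive. The local part of the e-mail is checked on
    # its own as well (assumption; the post only says "cannot include your email").
    identifiers = {"username": username, "email": email, "display name": display_name}
    if "@" in email:
        identifiers["email local part"] = email.split("@", 1)[0]
    for label, value in identifiers.items():
        value = value.strip().lower()
        # Assumption: very short identifiers are skipped to avoid spurious matches.
        if len(value) >= 3 and value in pw:
            problems.append(f"contains your {label}")

    # Rule 4: not a dictionary word once case, digits and punctuation are stripped;
    # the reversed form is tried too (assumed checker behaviour).
    core = re.sub(r"[^a-z]", "", pw)
    if core and (core in dictionary or core[::-1] in dictionary):
        problems.append("is a dictionary word")

    # Rule 5: at least one digit or punctuation character.
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("must contain a digit or punctuation")

    return problems
```

Note that "password1" still fails: the trailing digit satisfies rule 5 but the dictionary test strips it and finds "password", which is the kind of common password the 415 added words are meant to catch.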

We've also updated our CrackLib dictionaries to include 415 new words that we have found to be quite common passwords. While we don't think this will solve all of the problems, we plan to look at this again in about a month to see what sort of progress has been made. We will also be forcing users whose password CrackLib does not approve of to change it. The messaging around this explains the reasoning further, and I hope our News post will also do a good job of addressing it; we all know it will piss off a good number of users. In the end, though, these changes are not just to reduce our abuse case load but to protect you and your account's security. I would like to hear if you run into specific issues with any of this where you feel the system is not acting correctly. While I know I cannot appease everyone with this, I at least ask you all to give us the benefit of the doubt that we aren't just trying to screw you or make your life more difficult.

Comments

( 7 comments — Leave a comment )
dark_iris_eyes
Oct. 28th, 2005 05:54 am (UTC)
Makes sense to me :p
midendian
Oct. 28th, 2005 05:57 am (UTC)
Running some statistics we saw that many users share the same password as others, thus creating havoc for our abuse team in terms of account break-ins

I don't get the correlation there... People accidentally logging into the wrong account because the passwords happened to be the same? That's rather lucky of them.
daveman692
Oct. 28th, 2005 05:59 am (UTC)
No, many more people trying to hijack accounts by guessing what these common passwords are and brute forcing logins until they find one that works.
jamesd
Nov. 2nd, 2005 05:40 am (UTC)
Which of the following does LJ use to inhibit brute force and dictionary attacks?

1. Time delay between login attempts for each account, so you can't try 1,000 times per second.

2. Blocking logins after multiple failures unless the attempt is from a previously successfully used IP address range.

3. Requiring a captcha after n failed attempts to inhibit automated attacks.

daveman692
Nov. 2nd, 2005 06:45 am (UTC)
We do the first one, as failed attempts increase we add rate limiting that increases wait time as they continue to fail.

Two is part of one, although we don't store IP information from previous logins. We never want to store more information than we really ever need to in regards to IP addresses. The less we have, the less we can be court ordered to give.

I'm not sure if we do this or not, although it seems reasonable. Then again, apparently our captchas can be broken by programs fairly easily so improving them would first be required.
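The escalating-wait scheme described in the reply above (rate limiting per account whose delay grows with each further failure, with no per-IP history kept), as an added example that is not LiveJournal's code. The doubling schedule, the one-second base and the five-minute cap are assumptions chosen for illustration; a FakeClock is included so the escalation can be exercised without sleeping.

```python
"""Per-account login throttle: every failed attempt lengthens the wait before the
next attempt is even checked. Added example, not the site's implementation.
The delay schedule (doubling from BASE_DELAY, capped at MAX_DELAY) is assumed."""
import time

BASE_DELAY = 1.0    # seconds after the first failure (assumed)
MAX_DELAY = 300.0   # cap so the delay cannot grow without bound (assumed)


class FakeClock:
    """Manually advanced clock so tests and demos need no real sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Keyed by account name only; no source-IP history is kept."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}  # account -> (failure_count, not_before_timestamp)

    def wait_time(self, account):
        """Seconds still to wait before an attempt on this account is accepted (0 if none)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, account):
        """Escalate: delay = BASE_DELAY * 2**(failures-1), capped at MAX_DELAY."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(MAX_DELAY, BASE_DELAY * 2 ** (failures - 1))
        self._state[account] = (failures, self._clock() + delay)
        return delay

    def record_success(self, account):
        """A successful login clears the account's failure history."""
        self._state.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Consult the throttle first, then the credential check.

    Returns 'throttled', 'ok' or 'bad'. A throttled attempt is rejected before the
    password is examined and does not change the account's state."""
    if throttle.wait_time(account) > 0:
        return "throttled"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


def demo():
    """Run a constructed sequence of attempts against one account and return
    (outcome, remaining wait) after each step."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    verify = lambda account, pw: pw == "s3cret!"  # constructed credential store
    steps = [(0, "guess1"), (0, "s3cret!"), (1.0, "guess2"),
             (2.0, "guess3"), (1.0, "s3cret!"), (3.0, "s3cret!")]
    outcomes = []
    for advance, password in steps:
        clock.advance(advance)
        result = attempt_login(throttle, "alice", password, verify)
        outcomes.append((result, throttle.wait_time("alice")))
    return outcomes


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Because the state is keyed by account rather than by client address, the throttle also slows down a distributed guessing campaign against one account, at the cost that a third party can lock a victim out for the length of the delay; the cap on MAX_DELAY bounds how long that lasts. In a real deployment the state would live in shared storage rather than a process-local dictionary.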
folk
Oct. 28th, 2005 11:00 am (UTC)
Wow. I am really surprised, but there has been almost no kvetching on my flist. Which is unusual, because kvetching is sort of the mothership for my flist.

(And, hey, who knew that my ten-digit, sentence-formed letter/number/symbol password was insecure?)
arie
Oct. 28th, 2005 11:48 am (UTC)
There are a couple of pws that were like that. It was fun a couple of weeks ago when some clever fellow *cough* decided to try some of the more common ones against users' accounts.

Since you're former AT, you'll get this:

I beat the record of most AP in a single day.