In Pursuit of Powerful, Puzzling, and Private Passwords

(Pardon the excessive alliteration in the title, I got a little carried away. 🙂 )

Last night, I got a message from my instant-messaging program, indicating that it had been logged out of one of my IM accounts because I’d “logged in from another location.” I’m pretty sure that it was an error in the program (rather than someone else actually logging into my account), but it got me thinking, and I realized that my e-mail and IM passwords were pretty weak — I’d created most of them long before I came up with a way to remember difficult passwords, or started using a program to create and store them, and hadn’t thought about them since. In other words, most of those accounts used the same easily memorable but very weak password.

(This isn’t as much of a problem as it sounds though. All of my important e-mail is GPG-encrypted. But it still isn’t a good idea.)

So I spent a couple hours this morning changing the passwords for all of my IM and e-mail accounts. The Skype one was already secure (because I’d opened it after I improved my password system), and one e-mail account was as well (because the company that runs it insists that I create a new password every few months). I was able to find and change my Yahoo and GMail/Google Talk passwords on the ‘net with minimal effort, and my primary e-mail account is on a server that I control, so that was simple enough as well. But then I ran into trouble.

After digging through the online help system, I discovered that ICQ only allows password changes through their client program, which (of course) is Windows-only. Heaving a put-upon sigh, I fired up my VMware Windows XP system and downloaded and installed it. After that, it was pretty easy, but I shouldn’t have had to do that, in my opinion.

I also discovered that ICQ limits you to eight characters at most in a password. That’s probably secure (my bank uses the same limit, and they can cut off Internet access to the account if someone starts pounding it with a dictionary attack to guess the password), but it’s irritating that I couldn’t use my preferred password length.

Next up: my MSN account. You would expect that you could go to the MSN homepage, log in, and somewhere in all the crap on it find a link to change your password. You’d be wrong, of course… Microsoft could never make things that easy. Nor would they provide any link to a FAQ or help page on how to do it, so after trying and failing to find any information on their site, I did a web search and discovered the way: you have to go to https://accountservices.passport.net/ instead. Of course, it should have been obvious! And they limit password length to sixteen characters, so I couldn’t use my preferred length there either. Grr!

After all that, changing my ISP e-mail password (the last one on my list) was fairly anticlimactic.

Anyway, they’re all changed to secure ones, so if anyone was able to log into my IM account last night, they should be locked out now. 🙂

3 Comments

  1. Research has shown that 8 characters was, a few years ago, the bare minimum to avoid cracking via dictionary attacks. There’s really no excuse for having a limit that small anymore, especially in this distributed botnet password-cracking era. 8 characters is a common limit, unfortunately. Unix originally had that limit; if you use the standard encryption algorithm on your password file, you also end up with only the first 8 characters as significant.

    Of course, most modern Unix variants offer an alternative, but Solaris 10 was stupid enough, IIRC, to default to the old algorithm; I assume in the name of compatibility with ancient /etc/passwd files. Hopefully they’ve changed that in OpenSolaris. Solaris is a nice system, but its main Achilles heel is cruft – it’s an old OS, with a lot of baggage; albeit not Windows-baggage, at least the baggage is mostly well-designed Unix stuff. 🙂

  2. As I said, for web services, an eight-character limit isn’t necessarily a problem. The service can notice if someone (or a number of someones) is pounding on a particular account name with different passwords and block the entire account until the actual owner can be contacted. Most OSes don’t support that kind of thing; I don’t know if Solaris does or not.

  3. There are third-party tools that can do things like block ssh access to IPs that try to pound on them. Now, for login(1), I don’t know if one has been written. If login(1) logs (good alliteration, nu?) then it might be possible via a script.
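The two defensive behaviours discussed in the post and in comments 2 and 3 (a service that notices one account name being pounded with different passwords and locks the account, and a tool that blocks IPs that hammer ssh) can both be driven from the login log. The following Python monitor is an added example, not code from the original post or its comments: it parses constructed sshd-style "Failed password" / "Accepted password" lines, keeps a sliding window of failures per account and per source IP, and emits a lock or block decision when either count crosses a threshold. The log lines, hostnames, addresses, usernames and thresholds are all made up for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic OpenSSH syslog lines for password authentication results.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_line(line):
    """Return (timestamp, failed, user, ip) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is fine
    # for computing differences within one log.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["ip"]


class BruteForceMonitor:
    """Sliding-window failure counter with per-account lockout and per-IP block."""

    def __init__(self, account_limit=5, ip_limit=10, window_seconds=300):
        self.account_limit = account_limit
        self.ip_limit = ip_limit
        self.window = window_seconds
        self.by_account = defaultdict(deque)   # user -> recent failure times
        self.by_ip = defaultdict(deque)        # ip   -> recent failure times
        self.locked_accounts = set()
        self.blocked_ips = set()

    def _count(self, dq, ts):
        """Record a failure at ts, drop failures older than the window, return count."""
        dq.append(ts)
        while dq and (ts - dq[0]).total_seconds() > self.window:
            dq.popleft()
        return len(dq)

    def observe(self, line):
        """Feed one log line; return a list of (action, subject) decisions."""
        parsed = parse_line(line)
        if parsed is None:
            return []
        ts, failed, user, ip = parsed
        actions = []
        if ip in self.blocked_ips:
            # Traffic from a blocked source is not counted against anyone.
            actions.append(("drop", ip))
            return actions
        if not failed:
            # A successful login resets that account's failure history.
            self.by_account[user].clear()
            return actions
        if (self._count(self.by_account[user], ts) >= self.account_limit
                and user not in self.locked_accounts):
            self.locked_accounts.add(user)          # comment 2: lock the account
            actions.append(("lock_account", user))
        if (self._count(self.by_ip[ip], ts) >= self.ip_limit
                and ip not in self.blocked_ips):
            self.blocked_ips.add(ip)                # comment 3: block the source IP
            actions.append(("block_ip", ip))
        return actions


def analyze(log_text, **limits):
    """Run the monitor over a whole log; return (monitor, ordered decisions)."""
    mon = BruteForceMonitor(**limits)
    events = []
    for line in log_text.splitlines():
        events.extend(mon.observe(line))
    return mon, events


# Constructed sample log (hypothetical hosts, users and addresses):
# alice is attacked from three addresses (distributed guessing), one address
# sweeps many usernames, and bob simply mistypes once before logging in.
SAMPLE_LOG = """\
Jan 12 03:14:01 mail sshd[4021]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jan 12 03:14:05 mail sshd[4022]: Failed password for alice from 192.0.2.11 port 51023 ssh2
Jan 12 03:14:09 mail sshd[4023]: Failed password for alice from 192.0.2.12 port 51024 ssh2
Jan 12 03:14:13 mail sshd[4024]: Failed password for alice from 192.0.2.10 port 51025 ssh2
Jan 12 03:20:00 mail sshd[4030]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 12 03:20:02 mail sshd[4031]: Failed password for invalid user root from 198.51.100.7 port 40002 ssh2
Jan 12 03:20:04 mail sshd[4032]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jan 12 03:20:06 mail sshd[4033]: Failed password for invalid user guest from 198.51.100.7 port 40004 ssh2
Jan 12 03:20:08 mail sshd[4034]: Failed password for invalid user oracle from 198.51.100.7 port 40005 ssh2
Jan 12 03:20:10 mail sshd[4035]: Failed password for bob from 198.51.100.7 port 40006 ssh2
Jan 12 03:20:12 mail sshd[4036]: Failed password for bob from 198.51.100.7 port 40007 ssh2
Jan 12 03:40:00 mail sshd[4040]: Failed password for bob from 203.0.113.5 port 50000 ssh2
Jan 12 03:40:30 mail sshd[4041]: Accepted password for bob from 203.0.113.5 port 50001 ssh2
"""

if __name__ == "__main__":
    monitor, decisions = analyze(SAMPLE_LOG, account_limit=4, ip_limit=6, window_seconds=300)
    for action, subject in decisions:
        print(f"{action:13s} {subject}")
    print("locked accounts:", sorted(monitor.locked_accounts))
    print("blocked IPs:    ", sorted(monitor.blocked_ips))
```

Note the distinction the two counters draw: alice is locked even though no single source sent more than two guesses, which a per-IP blocker alone would miss, while the username sweep from 198.51.100.7 trips the IP block without locking any of the accounts it touched. Bob's lone mistake twenty minutes later has fallen out of the window, so his successful login goes through. An operator would wire the "lock_account" decision to the authentication backend and "block_ip" to a firewall rule, and would want an expiry and a way for the real owner to recover, which this sketch leaves out.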
