John Doe’s Credentials

by Axelle Apvrille
November 16, 2009 at 10:53 am

Since my last post on Jane Doe and Bredolab, John has been slightly jealous of her fame. He told me that he too, as manager of the returned-materials service, was dealing with plenty of parcels and that he could have been the perfect target. As I was curious to see what a genuine shipment-company e-mail looked like (to compare it with Bredolab's), I asked him if I could have a quick look at his mailbox.

I had hardly started reading his e-mails when I ran into one that made me jump.

[Screenshot: the e-mail asking for credentials, with the important parts highlighted]

For those of you who do not speak French, I have highlighted the most important parts: a sales rep from a legitimate company (censored :) is asking John Doe for his login and password on their website, for some administrative reason! This e-mail is genuine (I mean it is neither spam nor a joke). I can't believe it. This looks straight out of the book "Things One Should Never Do In Security". The main reasons not to do that are:

1- Counter-educative. If legitimate companies start asking for user logins and passwords, how will users tell them apart from phishing e-mails? Asking for credentials really is bad practice, and every security policy should forbid it.

2- Passwords are personal. Giving one's password away is always a bad idea because, for mnemonic reasons, we often use similar patterns in all our passwords. If I use 'darthvador' on one website, there is a strong chance I will also use it on another website, or something similar such as 'lukeskywalker' or 'r2d2'. By the way, those passwords are weak because they are straight out of the English dictionary (or nearly so), which makes them trivial to guess offline.

3- Separating roles. Administrative tasks should be performed by a dedicated account or, if necessary, a super-user account, never by borrowing the user's own credentials. Otherwise it is impossible to tell from the logs which actions were the administrator's and which were the authenticated user's.

As a side note, all decent authentication systems are designed so that the administrator cannot know, and does not need to know, user passwords. For example, on any Unix system the system administrator can only reset a user's password, not read it. The /etc/passwd and /etc/shadow files do not store the plaintext password but a password digest, and a digest cannot be reversed. (It can still be attacked by guessing, which is why the digest is salted and why weak dictionary passwords remain a problem even when stored correctly.)
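To make points 3 and the side note concrete, here is an added example (my own illustration, not code from the post or from any real system) of a minimal credential store that works the way Unix does: it keeps a random salt and a PBKDF2-HMAC-SHA256 digest, never the password; an administrator can only issue a new temporary password under their own identity; and every action is written to an audit trail so the admin's reset is distinguishable from the user's logins. The in-memory store, the iteration count and the sample usernames are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters: PBKDF2-HMAC-SHA256, tune the iteration count to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed stand-in for /etc/shadow: username -> (salt, digest). No plaintext anywhere.
_store: dict[str, tuple[bytes, bytes]] = {}

# Constructed audit trail: (actor, action, target). Point 3 of the post: the actor
# is always the account that really performed the action.
_audit: list[tuple[str, str, str]] = []


def _digest(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way function: the only thing the store ever holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str, actor: str) -> None:
    """Store a fresh random salt and the derived digest; the password itself is discarded."""
    salt = os.urandom(SALT_BYTES)
    _store[username] = (salt, _digest(password, salt))
    _audit.append((actor, "set_password", username))


def verify(username: str, password: str) -> bool:
    """Recompute the digest from the candidate password and compare in constant time."""
    entry = _store.get(username)
    if entry is None:
        # Burn the same work for unknown users so timing does not reveal who exists.
        _digest(password, b"\x00" * SALT_BYTES)
        _audit.append((username, "login_failed", username))
        return False
    salt, stored = entry
    ok = hmac.compare_digest(_digest(password, salt), stored)
    _audit.append((username, "login_ok" if ok else "login_failed", username))
    return ok


def admin_reset(admin: str, username: str) -> str:
    """All an administrator can do: issue a new temporary password under their own name.
    The old password is unrecoverable from the store, so there is nothing to 'ask for'."""
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, actor=admin)
    _audit.append((admin, "reset", username))
    return temp


def stored_record(username: str) -> tuple[bytes, bytes]:
    """What an attacker who dumps the store would see: salt and digest only."""
    return _store[username]


def actions_by(actor: str) -> list[tuple[str, str, str]]:
    """Audit entries performed by one principal, which is what separating roles buys you."""
    return [e for e in _audit if e[0] == actor]


if __name__ == "__main__":
    set_password("john", "darthvador", actor="john")
    print("john logs in:", verify("john", "darthvador"))
    salt, digest = stored_record("john")
    print("plaintext in store?", b"darthvador" in salt + digest)
    temp = admin_reset("alice_admin", "john")
    print("old password still works?", verify("john", "darthvador"))
    print("admin's actions:", actions_by("alice_admin"))
```

The sales rep in the e-mail needed none of this: whatever the administrative task was, the right tool is an `admin_reset` performed under the administrator's own account and logged as such, not John's password.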

John, for this e-mail, you absolutely deserve a blog post, and even better, glory for not having answered the sales rep. Congratulations.

And if you, readers, one day receive a similar e-mail, please remember this one should go straight to your trash.

– The Crypto Girl.

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.