Each month, we publish a review that covers essential activities of the last 30 days. This month, we talk about passwords, a new Webbkoll feature, Turris OS 5, and more.
Always stay in the loop!
Subscribe to our RSS/Atom feeds.
News of the month
In June 2020, we read the following reports:
In 2017, the National Institute of Standards and Technology published their updated “Authentication and Lifecycle Management” guideline (SP 800-63B). The guideline states, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.” In Appendix A of the same document, the NIST explains that humans “often choose passwords that can be easily guessed,” and analysis suggests that most password rules don’t increase the strength of the passwords while severely impacting the “usability and memorability.”
In other terms, software shouldn’t force users to change their passwords from time to time. However, the reason for this isn’t that changing passwords technically results in weak passwords, but users try to cope with enforced rules by creatively bypassing them.
A recent paper shows that forcing users to change their passwords after a data breach isn’t better: Only 33% of affected users changed their passwords after a data breach; 13% did so within three months after the breach became publicly known. Moreover, most passwords were weaker or of equal strength. Thus, both ways likely result in weak passwords due to the human factor. Besides, you have to consider that the vast majority of data breaches are detected after a long period.
Webbkoll now detects reporting directives
In October 2019, we requested that Webbkoll detects reporting directives in HTTP response headers. In June 2020, the developer of Webbkoll added the feature.
Several HTTP response headers allow server operators to set either “report-to” or “report-uri” directives. As soon as web clients (e.g., your web browser) run into an issue with the website, they may produce an error report and send it to a reporting API. However, the reporting API can be provided by a third party. In this case, your web browser sends the error report, including personal data (like your IP address), to the third party. You can only detect this by inspecting your network traffic.
Some HTTP response headers that support these directives are the Content Security Policy, X-XSS-Protection, NEL (Network Error Logging), and Expect-CT.
Webbkoll detects reporting directives in several HTTP response headers and shows directives pointing to third-party APIs.
Turris OS 5.0 released
In June, the team behind the Czech Turris routers released Turris OS 5.0. Their latest open-source operating system is based on OpenWrt 19.07. Turris OS 5 allows you to use WPA3 (see our guide).
Turris OS 4 was automatically upgraded to 5, while automatic migration from Turris OS 3 is planned. At present, you can manually upgrade Turris OS 3 to 5. However, manually upgrading is only recommended for advanced users.
Data breaches and leaks
Moreover, there were some breaches and leaks. Have I Been Pwned added information about the following breaches and leaks:
- Lead Hunter (breached in March 2020)
- Zoomcar (breached in July 2018)
- Mathway (breached in January 2020)
- Foodora (breached in April 2016)
- Quidd (breached in 2019)
2020 spring cleaning (part 2)
At present, we think that we will add a “News” section to our blog that contains the content of our Fediverse feed. This section shouldn’t be a simple mirror, but provide additional links, information, and comments. Update (August 2020): We added a “News” section.
This approach ensures that the content remains available if our Mastodon server disappears (happened twice before). There is no character limit for posts, and we can update the post later. In total, this approach addresses 3 out of 4 issues that we presented last month. This approach also ensures that our account in the Fediverse stays active.
If you have any suggestions, feel free to send us a message.
Ask Me Anything
Beginning tomorrow (July 13, 2020), we host our first “Ask Me Anything” (AMA) event. The rules are simple: Ask us anything; don’t be afraid to ask. Jakub and Benjamin will answer your questions.
The event at a glance:
- Start: Monday, July 13
- End: Thursday, July 23
- What can I ask? “Anything.” However, a focus on information security is appreciated.
- Where can I ask?: E-mail us or ask in the Fediverse.
- Who answers my questions?: Jakub and Benjamin.
Follow us on Mastodon:
Our activities of the month
In June, we started updating our Home network security series that shows ways to secure your network at home. A friendly reminder: We documented the upcoming changes of our Web server security series on codeberg.org. Feel free to comment on this.
- (How) Do People Change Their Passwords After a Breach?external link (PDF file)
- Webbkoll – [Feature Request] Detect use of report-uri and report-to directivesexternal link
- Turris OS 5.0external link