login

Internet retailers miss opportunities by not using Facebook login, Sociable Labs says

interface, Marketing, Your Brand 215 Responses »

Sep 132012

Only 30 of the top 500 Internet retailers offer Facebook login as a registration option for their sites, according to research by social commerce software company Sociable Labs.

That’s only 6 percent of the top online retailers making use of a feature the social network launched in 2008. Sociable Labs says it’s not because Facebook login isn’t useful. The option simplifies account creation, eliminates the need for another password, allows companies to better personalize their sites and collect richer CRM data, in addition to increasing referral traffic from the social network. Sociable Labs says the problem comes down to technical barriers, perceived security concerns and, in general, lack of priority among online retailers that have another registration system in place.

MORE: Internet retailers miss opportunities by not using Facebook login, Sociable Labs says.

Why passwords have never been weaker—and crackers have never been stronger

Internet News, Tech News 281 Responses »

Aug 212012

In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren’t typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites’ servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December weren’t fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

“The danger of weak password habits is becoming increasingly well-recognized,” said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, “show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks.”

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

A new world

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

Newer hardware and modern techniques have also helped to contribute to the rise in password cracking. Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago on similarly priced PCs that used traditional CPUs alone. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second, depending on the algorithm used to scramble them. Only a decade ago, such speeds were possible only when using pricey supercomputers.

MORE: Why passwords have never been weaker—and crackers have never been stronger | Ars Technica.

Developer Quits OAuth 2.0 Spec, Calls It ‘a Bad Protocol’

interface, Tech News 304 Responses »

Aug 032012

OAuth 2.0 is a rewrite of the original OAuth spec, which offers a secure way to sidestep the dilemma of having to hand over passwords to third party sites and apps to access user data. Google, Facebook, Twitter, and Yahoo are among the high-profile sites that have embraced OAuth in some fashion.

Unfortunately, according to Hammer those same big names are at least partly responsible for making OAuth 2.0 the fiendishly complex and convoluted spec that it has become. Hammer is not the first to question the usefulness of OAuth 2.0. In fact, we’ve previously argued that OAuth 2.0′s complexity is hurting the spirit of API experimentation on the web.

Hammer isn’t just questioning OAuth 2.0, he’s abandoned it entirely and completely erased himself from the project, calling it “a bad protocol… bad enough that I no longer want to be associated with it.”

In Hammer’s view OAuth 2.0 is “more complex, less interoperable, less useful, more incomplete, and most importantly, less secure” than its 1.0 cousin.

MORE: Developer Quits OAuth 2.0 Spec, Calls It ‘a Bad Protocol’ | Webmonkey | Wired.com.