[dkopi]

Mistakes were made, and there are definitely lessons to be learned, but if we want to improve the state of security, we really need to change the way we react to these types of bugs.

If a service has an outage and a company posts a postmortem, we all think: "wow! that was an interesting bug, lets learn from this". We shouldn't be treating security issues differently.

People who make security mistakes aren't idiots. They aren't negligent. They're engineers just like us, who have tight deadlines, blindspots and mistakes. Shaming people and companies for security bugs will only cause less transparency and less sharing of information - making us all less secure.

This is a really cool bug. Kudos to the researcher for finding it, responsibly reporting it, and to paypal for fixing it in a timely fashion. Hopefully - this type of bug changes some internal processes and the way the company thinks about 2FA.

As for security questions - these are obviously insecure, and should really never be relied on. If you can opt out of security questions - do so. If you can't - just generate a random password as the answer. "I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog / high school. Just don't forget to use a password manager to store these.

[ploxiln]

I disagree. Your "lets be super nice to everybody" strategy has come to an absurd conclusion. Is there no-one who can be held accountable for competency which they claim, when it comes to computer stuff?

PayPal doesn't write on its websites "We're some enthusiasts with no software or security experience. Let's see how well this works, together!" No, like everyone in this industry, PayPal claims its security experts have your money and financial information super secure. It's one of the first in this space, and has almost two decades of experience.

This wasn't a tricky subtle bug, this was obvious. This should have been caught in code review and tests. PayPal should be afraid of rolling out slick easy-to-use features without code review and tests. It is many years too late for PayPal to be learning the basics.

[hoorayimhelping]

>I disagree. Your "lets be super nice to everybody" strategy has come to an absurd conclusion.

You and I must have read a different response, cause I saw nothing in there about "being super nice to everyone." What I saw was a reasonable request not to commit the Fundamental Attribution Error. Which is paraphrased as: when I screw up, there were extenuating circumstances. When you screw up it's cause you're a moron.

https://en.wikipedia.org/wiki/Fundamental_attribution_error

[Karunamon]

A company comprised of otherwise reasonable people can behaving shockingly dumb. The only way to make companies learn is to impact their bottom line, and that means not-nice words need to be said.

[Karunamon]

-4 but not a single response? Folks, I wasn't aware it was in question that companies can behave in irrational ways.

[TeMPOraL]

> If you can't - just generate a random password as the answer. "I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog / high school. Just don't forget to use a password manager to store these.

Be wary of social engineering attacks though.

- <support on the phone> I'd also need you to provide me an answer to your security question. What was your first dog's name?

- <me> Oh, you know, it's a long string of random characters I generated, I'd have to give them to you one by one...

- <support> (looks at the answer) uh, right. I see. Let's continue then.

[dexterdog]

I always fill all social engineering-vulnerable questions with nonsense, especially when it is a banking site. I like when they let you set the question yourself so you can put something like "Why would a secure financial institution allow such a horrible security hole in it's system?" To which the answer is Tyrolese4Tokyo_Beulah!Papuan.

[zifnab06]

I fill them with nonsense words unrelated to the question. Mother's maiden name? Fire truck. First car? Air conditioner.

If I have to call a company they always ask me why. The explanation is anyone who has me as a Facebook friend can figure out who my first girlfriend was, my maternal grandmother's first name, my mother's maiden name, where I was born, my first car, etc. And if every company has the same data, a data breach at one makes the entire system fall apart.

[beagle3]

Same here. But recently, United airlines changed their system to only allow selecting from a list (your favorite dog breed ? Choose 1 of 8. Your favorite movie genre? Choose one of 12). I picked a random set and wrote it in my password stash.

Seriously bad security practices.

[vacri]

And the answer is "because, by and large, it works just fine". Yes, people fall afoul of these kinds of questions, but the general public cannot handle proper security hygeine - and educating them takes so much effort on both sides, that your customers will just go elsewhere. Proper security procedures would also lock a great many more people out of their own accounts than would be lost to fraud. Can't satisfy security questions? Well, take the morning off work on Monday morning and bring in several forms of identification...

It's why ATM PIN codes are so short - it's easier for the bank to just reimburse losses in case of fraud than to properly/strictly control security access.

Any time I see someone talk about how dumb general banking security procedures are, it tells me that they've spent no time in tech support for the general public :)

[M_Grey]

Exactly, it's just another opportunity to password protect things.

[dkopi]

Great point. "correct horse battery staple" wouldn't be vulnerable to such an attack.

[i336_]

But it must be said that GPU evolution, and that password cracking software developers are naturally going to go where the passwords are, that this type of simple password design does NOT work anymore.

[jstanley]

How so? The point of a random-four-words password isn't that it won't be hit by existing brute force software, it's that it's easy to remember but impractical to brute force with any software - with a 60,000 word dictionary there are more than 2^63 possible passwords.

[Sophira]

That's true, but the whole point of the strip was that you use words that evoke an easily-memorable scene in your head.

That will probably mean you can confine your list to words that most people know, which reduces the search space significantly. "correct", "horse", 'battery" and "staple" are all very common words.

[anchpop]

The strip used a 2048 word dictionary. 2^44 is still far too many to brute force

[dexterdog]

Is it really an easily-memorable scene or has the strip just been referenced in every HN and reddit discussion about password security? There is no way I'm remembering some random story for an account I login to once a month. The point is to have a password that is easy to see in a password manager and then type on a different device. Seeing D8hsegfw_#7Ax42 and then trying to type it into a hidden password field is painful esp. on a phone. Seeing Dynamo-Stench3Player and typing it in is very doable.

[Ensorceled]

They are suggesting it for a security answer, especially one you give over the phone to tech support, NOT a password.

[kevhito]

Irrelevant. It works fine for passwords too. The security of "correct horse battery staple" method is (nearly) optimally resistant to GPU (or any other) brute force attack.

[i336_]

Oh, of course, right. Misinterpreted that bit.

[raverbashing]

Yes, having something readable (and "believable") is more useful and secure than having to rely on saying a random string

Just put "Plymouth Creek High"

(Not to mention the possibility that some "security genius" will ban special characters on those answers)

[CamelCaseName]

Generally what I do is put something tangentially related to the question.

For example, "What's the name of your high school?" would be answered with something like "Khan Academy" (the name of a site that helped me) or "Mr. Jefferson" (A teacher, or best friend)

[dhimes]

Mine was Rainy Purple Road. Then I get to educate the person on the phone to, in her personal life, never give the correct answer to anything googleable for a security answer. That usually involves a discussion of Sarah Palin...

[Drdrdrq]

That's why mine answers are "DO NOT ACCEPT THIS ANSWER!!! <long string of random chars>". Hopefully the support person will get the hint. :-/

[Sophira]

Unfortunately, if they don't or are forced by policy, then you've just told the Internet your security answers.

If I were you I'd edit that and reword it without specifics.

[Drdrdrq]

Thanks for your care, but there is a part that is random, and the wording is probably a bit different. I don't disclose passwords on the internet. :)

[SoreGums]

at least with one of my banks customer support centres this wouldn't happen, if you stumble for a split second they shut down the call and tell you to go into a branch to verify your identity, this is pretty annoying...

[TeMPOraL]

Good, they should be commended for the practice! I wish I could trust that all companies would do that, though.

(Anyway, I like the idea of using answers to security questions as hard passwords.)

[jeff_tyrrill]

That's terrible, because it makes using password managers impossible (while on your phone for example, or you simply don't have it open that instant because you didn't know when/if they would ask).

[tptacek]

While I strongly agree with the thrust of your comment, I'd like to chime in and say that this is not a cool bug. On the scale of web security bugs, this is the kind of thing you expect an intern to find.

I actually think the post was written in recognition of that fact, and was amused by the thudding, abrupt conclusion it had; it was like the author was sharing a joke. "Yup, it was that easy".

People who do this kind of security work (check out the rest of the author's posts) tend to be running their browsers piped through a local interception proxy. Once you develop the habit of mind to look for stuff like security parameters, it's hard not to notice these kinds of things. I think more developers should tool up the same way and learn the same habits.

[dylanz]

What are some tools you'd recommend running? I'd love to have more awareness as I passively browse.

[tptacek]

The open source tooling here is getting better but the gold standard, used by virtually every professional application security worker in the industry, is Burp Suite. Lots of people have tried to make modernized, open source versions of Burp, but at this point cloning it is like cloning Microsoft Word.

If I was your director of security, one of the first things I'd do is build a plan to get all your developers trained up on Burp. It's useful for more than just security testing.

[raesene9]

In addition to burp that's already had a mention, I'd recommend looking at OWASP ZAP. It's fully open source, which is nice and has had a lot of new features over the last couple of years.

It can also be integrated into CI pipelines for automated security testing.

[fritzw]

All great points and true! The problem is PayPal hasn't been a great company to so many people their practices are abysmal. I've had my company account frozen more then once and it was a terrible experience and it's happened to lots of people. This is a company that makes a lot of mistakes and has bad judgement. They don't deserve my understanding. They haven't earned it. Other companies have.

But otherwise you are right. Less scrutiny more understanding so companies will be open and honest when they screw up.

[SoreGums]

Indeed - I've long since given up on security answers/questions as being secure. Kind of defeats the purpose of unique passwords if all the answers are common knowledge... Had to laugh at one instance where I actually had to read out the 30 character secret answer on one support phone call :P

[mtgx]

The problem is in PayPal's case, 2FA has been terrible for years. I've even been locked out of the account for a whole week because of their shitty SMS sending service. This prompted me to disable 2FA on Paypal, because weirdly enough that makes me feel "safer" (as in safer from losing my money due to Paypal's stupidity by being locked out of the account).

So in this case I'm certainly not one to say "hey, mistakes were made - let's give them another chance." They've been getting reports about their 2FA system for years. So there's no excuse at this point.

[jamez1]

> They aren't negligent

What would actually qualify as negligence in your view of the world!? This is as bad as it gets, this isn't an ordinary mistake.