Rant Time: Password Bombing
What is password bombing? It is a malicious activity by Internet trolls done simply to inflict chaos and annoy legitimate account holders. Just as DDoS attacks affect Internet providers, password bombing affects individual Internet users. It works like this. You have an account somewhere, let’s say Apple. Apple institutes a policy that after 3 failed password attempts your account is locked. You must then jump through a bunch of hoops to unlock the account… typically answering ‘security questions’ in addition to entering your password. Sometimes these hoops are much more problematic, like bank logins. You might even be required to call in and have someone there verify your identity and unlock your account. You might also be required to reset your password. Some companies, depending on the lockout procedure, might even require that you re-register a brand new account. The hoops you are required to jump through can be minimal to numerous… all in the name of security. A password bomber takes advantage of these security practices and bombs your account to force this account-lock inconvenience on you. Let’s explore.
Security and Logins
Yes, we all want our login IDs to remain safe, but not at the expense of being locked out of our accounts by some random schmoe on the Internet. After all, when they enter your account’s password incorrectly, nothing affects the malicious troll except a few failed attempts… at which point they can move on and try yet another account. All of the burden and inconvenience is placed firmly on the account holder to resolve the lockout. The malicious user gets to lock you out; you, as the account holder, have to jump through the hoops to get the account reinstated. Depending on the organization’s security practices, you might be back online in a few minutes; sometimes it can take days for the lockout to expire.
Overreaching Security Methodologies vs User Preferences
As more and more breaches occur, ever more organizations are reacting with knee-jerk security decisions, in most cases silently instituting tougher and more problematic security measures for user accounts. After all, it’s my account and, in many cases, I’m paying to have that account (in one way or another).
This is one of those times where organizations think they know better than you. They think they can simply institute security procedures and everyone will just go along with them all happy like. It doesn’t work that way. If you’re an organization instituting security practices that will affect your user accounts, you need to not only inform your user base, you also need to offer ways to set preferences that control these security practices. If you’re planning on instituting a lockout policy, then you should offer ways to prevent lockouts (multi-factor authentication) or ways to remain informed of lockout attempts. For example, if you’re planning to lock an account due to bad login data, send an email explaining WHY your system locked the account and the IP address that caused the lockout.
Locking out accounts may sound like a great preventive security practice, but it’s what happens after a lockout that makes this security measure useful or a fail. Making your users jump through a bunch of sometimes impossible hoops to reactivate their account is not cool. Simply because some random schmoe on the Internet decided to type in my account name with a bad password three or more times shouldn’t require me to spend 30 minutes or longer resolving the issue. It’s your system that allowed that schmoe to keep entering passwords multiple times. That had nothing to do with me.
Why not just block that IP address from your site after multiple bad attempts and then inform the actual account holder that someone attempted to gain access from that specific IP? Let the account holder determine how to handle this issue. That’s the better way to handle this. Let us know that people are attempting to access our accounts and tell us where they are from and what device they are using. Let us make the decision. Don’t just lock us out without a word, then assume we’re okay with spending 30 minutes jumping through your silly hoops to gain access again. Do you really want us to use your services?
Password Bombers
As we are forever required to have and own more and more accounts on the Internet, it’s becoming much more common for our usernames to clash with other people. This is especially true when we’re required to use our email addresses as our login IDs. I preferred the time when we could choose our user IDs so they could be unique. Instead, we are now forced to use our email addresses which can be easily confused with other users, particularly when using an email domain like @gmail.com, @yahoo.com, @outlook.com or similar common email services used by perhaps millions of other users.
Worse, though, is when malicious trolls decide to be contrary and simply go to Yahoo or Apple or Google and plug random data into the login screen purely to lock user accounts. Even though this vulnerability has been around for a long time, it’s now becoming more and more common. As we move forward, it will become even more common in retaliation for stupid things like Internet comments.
These password lockout practices need to be refined so they don’t inconvenience legitimate account holders. Instead, they should inconvenience the password bomber. Yes, inconvenience them. Make them pay for their stupidity of entering incorrect data multiple times. Instead of locking out our accounts, block that IP from your site for 24 hours after it enters incorrect login data. Prevent them from locking any further accounts through their contrary actions. Make them contact your team to get the IP unblocked. Leave the accounts alone unless it’s absolutely necessary, like under a real breach. If your organization loses password data, then yes, lock our accounts until we change passwords. If some random troll decides to password bomb as an activity, make them pay for it by blocking their IP from your login screen.
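To make the contrast concrete, here is an added example (not code from the Randocity blog or from any vendor mentioned above) that models the two policies side by side: the per-account lockout the rant complains about, and the alternative it proposes, where failures are counted per source address, the offending address is blocked from the login screen for 24 hours, and the real account holder gets a message naming the IP and client that caused it. The threshold of 3 attempts, the 24-hour block, the user store, the IP addresses and the `demo` scenario are all assumptions constructed for this example.

```python
"""Per-account lockout (weak) versus per-source throttling plus holder
notification (hardened). Everything here is an illustrative assumption:
thresholds, addresses and the toy credential store are constructed."""
import time
from collections import defaultdict

MAX_FAILURES = 3            # assumed threshold ("3 failed attempts" in the post)
BLOCK_SECONDS = 24 * 3600   # assumed: block the offending source for 24 hours

# Constructed credential store. A real system compares against a password
# hash; plaintext is used only to keep the example self-contained.
USERS = {"alice@example.com": "correct-horse"}


class AccountLockoutPolicy:
    """Weak policy: N failures against a login ID lock that account, no matter
    who caused them. Anyone who knows the ID can lock the owner out."""

    def __init__(self):
        self.failures = defaultdict(int)   # user -> failed attempts
        self.locked = set()

    def attempt(self, user, password, source_ip, user_agent=""):
        if user in self.locked:
            return "account_locked"
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "account_locked"
        return "bad_password"


class SourceThrottlePolicy:
    """Hardened policy from the post: count failures per source address, block
    that address from the login endpoint, and tell the account holder which
    IP and client caused it. The account itself is never locked."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock for testing
        self.failures = defaultdict(int)   # source_ip -> failed attempts
        self.blocked_until = {}            # source_ip -> unix time the block ends
        self.notifications = []            # (user, message) pairs to email out

    def attempt(self, user, password, source_ip, user_agent=""):
        if self.blocked_until.get(source_ip, 0) > self.now():
            return "source_blocked"
        if USERS.get(user) == password:
            self.failures[source_ip] = 0
            return "ok"
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= MAX_FAILURES:
            self.blocked_until[source_ip] = self.now() + BLOCK_SECONDS
            # Notify only real account holders, but return the same response
            # either way so the caller cannot learn whether the ID exists.
            if user in USERS:
                self.notifications.append((user,
                    f"{MAX_FAILURES} failed logins from {source_ip} "
                    f"({user_agent or 'unknown client'}); that address is "
                    f"blocked for 24h. Your account was not locked."))
            return "source_blocked"
        return "bad_password"


def demo():
    """Constructed scenario: a troll at 203.0.113.9 bombs alice's login three
    times, then alice signs in with the right password from 198.51.100.7."""
    troll, alice = "203.0.113.9", "198.51.100.7"
    results = {}
    for name, policy in (("lockout", AccountLockoutPolicy()),
                         ("throttle", SourceThrottlePolicy())):
        for _ in range(MAX_FAILURES):
            policy.attempt("alice@example.com", "guess", troll, "curl/8.0")
        results[name] = policy.attempt("alice@example.com", "correct-horse", alice)
    return results   # {'lockout': 'account_locked', 'throttle': 'ok'}


if __name__ == "__main__":
    print(demo())
```

Under the weak policy the troll's three guesses lock alice out even though she never typed a wrong password; under the hardened one the troll's address is blocked, alice logs in normally, and she receives a notification carrying the IP and client string. A per-source counter alone is not the whole answer: one address can front many users behind NAT, so in practice it is paired with a per-account counter that triggers step-up verification (the multi-factor authentication the post also asks for) rather than a hard lock.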
If you have been password bombed by someone on the Internet, please leave a comment below with your story. If you like what you read here, please subscribe to the Randocity blog so you don’t miss my newest posts.
Rant Time: Xbox One and PS4 automatic downloads
So, I have reasonably fast internet service. It’s not the top speed I can get, but it’s fast enough for most general purposes. I’ve clocked it on wireless at about 18-20 Mbps down and 6 Mbps up. If I connect a device wired, it will be somewhat faster. With wireless, it’s not the fastest, but it’s definitely sufficient. The wireless is obviously for convenience, but it works well the majority of the time. However, when the PS4 or Xbox One get going with their automatic downloads, it absolutely kills my network connectivity. And so starts my somewhat shorter than usual rant. Let’s explore.
Automatic Downloads
I always turn off automatic downloads whenever possible, no exception. When there is no ability to shut off automatic updates, then I unplug the device. There’s no need to have devices automatically downloading at the most inopportune times. In fact, several months back I explicitly disabled automatic update downloads on my Xbox One. Yet, just yesterday I find my Xbox One automatically downloading again. I’ve finally had enough of rogue network devices and out of sheer frustration, I’ve finally just unplugged it. I also unplugged my PS4 for the same reason. No more rogue network devices. If these systems cannot respect my wishes when I explicitly turn off automatic downloading, then they’re going to remain unplugged until I decide to use them. Worse, these devices would also decide to randomly begin downloading updates at random times (usually in the middle of the night, but it could be any time).
The primary problem is that neither the Xbox One nor the PS4 limits its download speed. In fact, both try to download as much as possible, as fast as possible. If both of them get going at the same time, it’s a disaster on my network. Even just one of them downloading is enough to cause problems. If I try to ask Siri or Alexa a question, I get no response or I get the Echo’s dreaded Red Ring (no connectivity).
Rant
At least Apple respects disabling automatic downloads on its devices. These devices dutifully wait until you click update before beginning any downloads. Unfortunately, Microsoft does not honor its no auto updates setting. Instead, it just overrides that setting and dutifully starts downloading whatever it wants whenever it wants. I just can’t have rogue devices like that on my network. Rogue devices need to go away and Microsoft needs to understand that making rogue devices needs to stop. If your software can’t respect the owner’s wish not to download automatic updates, then you really don’t deserve a place in the home.
I haven’t yet determined if the PS4 overrides my no-download wishes, but I recall that, at times, the PS4 will also do this for system updates. Updates which, again, should not install automatically unless I explicitly ask for them.
Just say no to rogue network devices like the Xbox One. For now, the Xbox One and the PS4 will remain unplugged until I decide I need to use them. Though, in the last few months, there really has been a substantial lack of game titles on both platforms. I’m really finding the spring and summer to be a dead season for new game titles. Instead of overloading us with too many fall titles which we can’t play that fast, why not spread them out throughout the year and let us have adequate time to play each? This, however, is a whole separate rant topic in itself.