At the end of last week, online accounting service Xero emailed customers around the world telling them that they should change their passwords after a “small number of customers” had their accounts compromised.
It turns out that that was a mistake. Yes, some accounts were compromised – but Xero meant to send the alert only to active users in Australia, rather than around the world.
The company confirmed the boo-boo in a blog post , although it chose to paint the goof as a “useful and timely reminder to change your passwords frequently.”
Nice spin for what was clearly an error that would have given some users the jitters (especially when the version of the Xero website local to their territory shared no further information and their Twitter account was silent), but I’m not sure it’s entirely sensible.
In my opinion, frequently changing your passwords is not a good idea. Indeed, I think that the reasons why you should change your passwords are fairly easy to describe:
1. If you believe your password has been compromised – perhaps because you shared it with someone else.
2. If you believe that your password is weak, or you are using the same password anywhere else.
Because if you have chosen a strong, complex, hard-to-crack, unique password – why bother changing it “frequently” as Xero suggests?
Indeed, when users are told to change their passwords frequently (I’m thinking in particular of some corporate environments where staff are forced to change their passwords every X weeks) that they often will choose poor passwords.
It’s all too easy to imagine users, who find it tricky to remember passwords, choosing dumb passwords like “XeroJanuary”, “XeroFebruary”, “XeroMarch” or some similar sequence which is all too predictable.
Maybe some will consider me nit-picking on this point, and that’s probably a fair assessment.
To balance things out, I’m pleased to see that Xero is increasing account security for users with a couple of new features.
Firstly, the site will now allow you to check both when you last logged in and the apparent location (based upon IP address) of where those logins originated. This clearly could help someone notice that their account might have been accessed by an unauthorised user.
Furthermore, Xero reports that it is hoping to introduce a form of two-step authentication soon:
We are currently testing additional Two-Step Authentication (2SA) and will release that as soon as we can. This will provide a further layer of protection. Under 2SA you will need to enter a Time-based One-time Password (TOTP), which will be generated by an authenticator app you’ve installed on your phone or other smart device, and you would need both your password and the TOTP to gain access to Xero.
This seems like a positive step, because anyone who managed to steal a Xero user’s username and password (whether it be via phishing or keylogging spyware) will not be able to access their online accounts without also having access to the one-time password.
It goes without saying that none of this obviates the need for close attention to the websites you visit (especially when you might be asked to enter your password) and strong, up-to-date anti-virus protection on computers.
Many small companies use Xero to manage their finances, so it’s good to see the service strengthening its security.
Read more on the Xero blog.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
11 comments on “Xero says it will increase security following password scare”
'(I'm thinking in particular of some corporate environments where staff are forced to change their passwords every X weeks)'
Just so you're aware: it's called password ageing (in Linux the command is 'chage' – pretty sure it is a carry over from others like SunOS, the BSDs, and so on – but it's been a long time since I was able to work on most of the others).
No remark on the rest other than yes it is typically a bad idea because it inconveniences users which only lessens security because users will find workarounds.
Just to confirm: I was indeed remembering right. 'chage' is a carryover. But it is still a bad idea.
One could argue that every time a pasword is entered there is a risk of a password being compromised (shoulder-surfing, network hacks, key-logging etc); but if sensible precautions are taken then the risk should be low. Similarly for the risk of a password being stored somewhere and being compromised (and heck, what was it doing being stored in clear anyway? if stored properly this just isn't a risk).
Another case is shared passwords – multiple users using same account – where other people may compromise the password (say disaffected people leaving a company or children being careless with a family account password). The solution here – never share passwords or accounts across people. In a business context sharing means you have no accountability for anything that happens – you can never prove who it was that took a particular action.
In short – I concur with Mr. Cluley's logic!
'(and heck, what was it doing being stored in clear anyway? if stored properly this just isn't a risk).'
It's unfortunately not that simple. Dictionary attacks for one example of others. Ciphertext (like Salted+hashed) is a lot better than plaintext, though, yes. But unfortunately there still are risks.
"hashed" is really the wrong term. They should be using a password based key derivation function like PBKDF2, bcrypt, or scrypt.
It's good to see sense on the password issue. Many sites require passwords for their own convenience rather than the protection of the user.
We have too many. And all that stuff about not writing down somewhere? How am I supposed to remember otherwise (other than having the same password everywhere? I would rather trust my hidden notebook at home than one of those password sites. Discovering that would take a break-in and then a search among many rooms for what looks like a standard notebook (so thieves would have to read it first). I suppose I could encode its contents next time around!
Do you distrust password management software?
And to extend Graham's point, you don't have to use a website to manage your passwords. You can use software (including free open source software – so you could audit it if you wanted) on your computer. Because indeed relying on a third party isn't a good idea when it comes to password safety.
"In my opinion, frequently changing your passwords is not a good idea." — in fact, your opinion is exactly what researchers have shown to be the case. See:
"The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis" by Yinqian Zhang, Fabian Monrose, and Michael K. Reiter (UNC at Chapel Hill), 2010 ACM.
ABSTRACT: This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.
A lot of companies, including large banks, have stopped the unjustified policy of password expiry, but sadly, Xero is still living with a stone age security mindset.
SaaS financial software companies, especially those servicing the SMB market have an obligation to protect their customers, who are many times, small, clueless "mom and pop" owners. 2 Factor authentication (if deployed properly) is a strong compensating control against the compromise of a users credential.
Xero's own user community has been clamoring for 2-factor authentication since April 2013!
And Xero keeps saying "yeah yeah, we'll do it when we're ready."
Are they ready?