Jul 17 2009

Steekr’s low password entropy

Only letters & numbers? Why not punctuation & special characters?

Twitter suffered yet another security PR nightmare when a hacker gained access to their most vital internal functions, including even the ability to sell the domain name “twitter.com” itself. The problem began when a trusted Twitter employee posted ultra-sensitive documents on Google Docs … all guarded by a weak password.

F-Secure's Steekr online file storage service only accepts letters and numbers. Why doesn't it also accept punctuation and special characters?


This wouldn’t exactly be a perfect time to announce a free 1GB online file storage service. But hey, you can’t let someone else’s PR nightmare interfere with your own well-laid plans. Antivirus firm F-Secure recently announced their purchase of “Steekr” and they invited the world to take advantage of secure free online document storage.

A mature antivirus firm would certainly understand the need for strong password entropy. Yet Steekr’s security is weak — they only accept letters and numbers in passwords.

Now to be perfectly fair, Steekr’s entropy value might not improve all that much if/when they upgrade users’ passwords to allow ampersands & asterisks & parens & semicolons. Still, when a user devises a truly strong password, you shouldn’t tell that user to downgrade it.
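An added example, not from the post or from F-Secure, that puts numbers on both halves of that point: how little entropy per character the extra symbols buy, and how much a user loses by stripping the rejected characters out of a password the site refuses. The alphabets are the standard 62 alphanumeric and 94 printable-ASCII symbols; the sample password is constructed.

```python
import math
import string

# Alphabets a password policy might allow (standard printable-ASCII sets).
ALNUM = string.ascii_letters + string.digits   # 62 symbols: letters and numbers only
FULL = ALNUM + string.punctuation              # 94 symbols: adds punctuation and specials


def bits_per_symbol(alphabet: str) -> float:
    """Entropy contributed by one character drawn uniformly from `alphabet`."""
    return math.log2(len(alphabet))


def random_password_bits(length: int, alphabet: str) -> float:
    """Best-case entropy of a `length`-character password generated uniformly
    over `alphabet` (a human-chosen password has less, never more)."""
    return length * bits_per_symbol(alphabet)


def length_needed(target_bits: float, alphabet: str) -> int:
    """Shortest uniformly random password over `alphabet` that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_symbol(alphabet))


def downgrade(password: str, allowed: str) -> str:
    """Model the usual reaction to a 'letters and numbers only' error:
    delete the rejected characters and resubmit."""
    return "".join(c for c in password if c in allowed)


def downgrade_cost_bits(password: str, allowed: str) -> float:
    """Best-case entropy lost when a password drawn from FULL is cut down to `allowed`."""
    before = random_password_bits(len(password), FULL)
    after = random_password_bits(len(downgrade(password, allowed)), allowed)
    return before - after


if __name__ == "__main__":
    # Per-character gain from allowing special characters is modest (about 10%)...
    print(f"alnum: {bits_per_symbol(ALNUM):.2f} bits/char, full: {bits_per_symbol(FULL):.2f} bits/char")
    print(f"chars for 80 bits: alnum {length_needed(80, ALNUM)}, full {length_needed(80, FULL)}")
    # ...but forcing a strong password down to the smaller alphabet costs real bits.
    sample = "Tr0ub4dor&3!"  # constructed sample password, not a real credential
    print(f"{sample!r} -> {downgrade(sample, ALNUM)!r}: "
          f"loses {downgrade_cost_bits(sample, ALNUM):.1f} bits")
```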

This explains why I just don’t feel confident using F-Secure’s online file storage for the spreadsheets I can’t show to the IRS and the computer virus source code I write for Al Qaeda and the email love letters I get from each of my concubines…