Hacked - many songs from library removed


Today I was listening to some music when suddenly it was paused. I thought it was a bug and touched the play button, and it paused again. Then a pop-up appeared asking whether I wanted to continue listening on a different device. I do not know that device (a phone). Now I have come back home and all of my playlists were removed, along with a lot of my added songs. I disconnected all sessions, removed app accesses, and changed the passwords of Spotify and my mail account. I never shared my password with anyone or anything, so how the heck can this happen? Fortunately I was able to restore all of my playlists, but unfortunately not all of my songs were added to a playlist, so I am not able to find all of them again. Also they are not in my history, because it is spammed with the songs which were listened to by this a**hole. Is there a way to restore my account or at least restore the songs? It took me a lot of time finding these songs. Can someone or Spotify support help me, please? Thanks in advance.


Accepted Solutions
Marked as solution

Email Spotify's support. They have the ability to roll your account back a couple of days. I've had a couple of issues with my Spotify account being attacked, and it's just Spotify. At first I doubted my own devices but, as a security professional, I feel that I know how to rule them out, and I did so, but it still happened. Online research has shown I am not alone.

Regrettably, after I inquired about stronger authentication measures (two-factor auth) I was directed to vote on the feature in a community feature forum. I did, but I still find it concerning that we have to vote for what should be a basic feature. It makes me wonder if they're taking our data security seriously...


5 Replies

Thank you very much for your advice and sharing your experience.

Hi @trufyre,

 

Nice explanation of the security issues surrounding the whole internet day after day, but there is a small issue: people use really simple passwords!

Come on! How many times do they change it? Or do they ever change it after they create a profile in a service on the internet?

I always use super strong, long passwords and never had an issue with that.

Another problem arises: how am I going to remember those long passwords?

Use a password manager? No, you just have to create long passwords that are meaningful to you. You don't have to use a meaningless password with tens of stupid nonsense characters. Creating this kind of password is easier than anyone might think.

Nevertheless, nothing is safe these days, so we must be careful. I totally agree with what you said, though; don't take it as an attack on your reply, not at all.

I am simply implying that people should be more careful about what their passwords are and not leave the security of their private stuff in the hands of some algorithms out there.

It happened to Twitter no longer than 2 weeks ago, where all the passwords were made available to their employees in plain text!

I hope you get the point of what I meant to say. It hasn't happened to me yet, luckily, but it might happen. My secret is that I use really strong passwords for the emails with which I create every single profile on any site out there, and I use different passwords on those sites, because when I forget them, my email will always be there.

 

Here is the contact to Spotify for the topic here:

https://support.spotify.com/us/contact-spotify-support/

 

All the best,

Loren.

Loren, in a way, you are validating my concern. Research has shown that complexity in passwords has not been shown to be effective as a defense against an attack on the password itself. From the NIST Special Publication on Digital Identity Guidelines, here is the summary of what they found regarding the matter.

 

"Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed."

 

You can find this document here.

 

If, for some reason, the link is removed, just search for NIST Special Publication 800-63b.

 

While this is, indeed, part of an argument for passwords to be longer (and not more complex), it is also an argument for multi-factor authentication. Passwords are just one factor, being "something you know". Multifactor defends against an attacker's efforts by expanding the scope of what they need to accomplish. So something like biometrics (something you are) or a cryptographic challenge token (something you have) can be used to greatly improve your defense against an identity attack, because now an attacker has to know something you know and have something you have... very hard to do. This is why the industry has moved in this direction.

 

The document I linked talks to this as well but in jargon that is difficult to follow.  Check out wikipedia instead.

 

With well documented and open implementations of this technique readily available, I have to question the priorities of the good folks that run Spotify.  Passwords are irrelevant and, by themselves, not secure.  It's easy to add two-factor authentication.  Why don't they?
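As an added illustration, not code from this thread or from Spotify, here is a Python sketch of what the NIST excerpt and the multi-factor paragraph above describe on the service side: a length floor plus a breached-password blocklist instead of composition rules, salted memory-hard storage (scrypt), per-account rate limiting, and a TOTP second factor (RFC 6238) as the "something you have". The blocklist entries, the account name and the timestamps are constructed samples; the limiter thresholds are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict

# --- 1. Password acceptance: a length floor and a blocklist, no composition rules ---
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets
# Constructed stand-in for a breached-password blocklist (assumption: a real
# deployment would check against a large breach corpus, not five strings).
BREACHED = {"password", "123456", "qwerty", "letmein", "spotify2018"}


def check_password(pw):
    """Return (accepted, reason). Only length and the blocklist are checked."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if pw.lower() in BREACHED:
        return False, "appears in breached-password list"
    return True, "ok"


# --- 2. Salted, memory-hard hashing (stdlib scrypt; ~16 MiB per hash) ---
def hash_password(pw, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(pw, salt, digest):
    candidate = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- 3. Rate limiting: lock an account after repeated failures in a window ---
class RateLimiter:
    def __init__(self, max_failures=5, lockout_seconds=300):  # assumed thresholds
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.failures = defaultdict(list)  # account -> timestamps of failures

    def allowed(self, account, now):
        recent = [t for t in self.failures[account] if now - t < self.lockout]
        self.failures[account] = recent
        return len(recent) < self.max_failures

    def record_failure(self, account, now):
        self.failures[account].append(now)

    def reset(self, account):
        self.failures[account] = []


# --- 4. Second factor: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) ---
def totp(key, now, step=30, digits=6):
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# --- 5. Enrolment and login combining the pieces ---
def create_account(store, user, pw):
    ok, reason = check_password(pw)
    if not ok:
        raise ValueError(reason)
    salt, digest = hash_password(pw)
    store[user] = {"salt": salt, "hash": digest, "totp_key": secrets.token_bytes(20)}
    return store[user]["totp_key"]  # provisioned into the user's authenticator app


def login(store, limiter, user, pw, code, now):
    if not limiter.allowed(user, now):
        return "locked"
    rec = store.get(user)
    if rec is None or not verify_password(pw, rec["salt"], rec["hash"]):
        limiter.record_failure(user, now)
        return "bad password"
    if not hmac.compare_digest(code, totp(rec["totp_key"], now)):
        limiter.record_failure(user, now)
        return "bad code"
    limiter.reset(user)
    return "ok"


if __name__ == "__main__":
    store, limiter = {}, RateLimiter()
    key = create_account(store, "alice", "correct horse battery staple")  # constructed
    t = 1_500_000_000  # constructed timestamp
    print(login(store, limiter, "alice", "correct horse battery staple", totp(key, t), t))
```

The point the NIST text makes is visible in the structure: the password rules are two short checks, while most of the defensive weight sits in the hashing cost, the limiter and the second factor, none of which depends on the user choosing an exotic password.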

Hi @trufyre,

 

Of course I am! I told you, that you are right but that's not the only solution. I implied that users shouldn't leave their security in the hands of an algorithm and other security forms.

About the passwords, yes, the long ones have proven to be the best protection against brute force. How long do you think it would take someone to crack one? Don't even bother counting the centuries.

It might not be the best way, but I told you my trick. Just use a few emails and use strong, long passwords only on them. Also enable 2FA on the emails you own, since they do have such an option.

I know passwords aren't the best thing there and, as I said, nothing is safe these days. Nor are the ones you mentioned the best way. If someone is determined to hack you, they will. The best thing to do is to be alert at all times and check everything.

Thanks for the article, I should read it.

 

Cheers!
