Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
Passwords May Be Weakest Link
And in other news, "The Earth May Not Be Flat".
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
damnit
--
pants ahoy
Passwords, you are the weakest link... Goodbye!
If you know the methods of forced passwords you can write a program around them. All of a sudden not only do you have a ton of passwords that are unacceptable, you can predict patterns of tricks people will use to fool the forced password picker into letting them choose an easy-to-remember password.
...people will write them down.
Preferably on post-it notes and stuck to the keyboard or the screen.
I have seen it all.
Based on the number of hits I'm getting from the current rampage of SQLsnake, this is a very astute observation.
Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.
I can't say that I don't give a fuck. I've just run out of fuck to give.
...the potentially costly consequences of weak or non-existent passwords.
There is a reason that passwords exist. It's for security and yes, privacy. The same privacy that most people complain about being invaded.
Think about your privacy when coming up with your next password.
I am the evil aardvark!
Sounds like they put a password cracking utility against the NT sam file. The thing is that if your security is done right, you should at least need the Administrator password to access that file, no?
...secure passwords are usually difficult to remember. Thus users tend to use the month (05 for may, etc) for the mandatory digits, and sometimes cusswords to vent their frustration at the secure password policy. Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?
Sources: interviews and sticky notes on monitors
--
martin
Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users aren't going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.
...every 39 days, and it remembers an ungodly number of old ones, so you can't recycle. I don't have enough kids to come up with that many passwords.
I am not your blowing wind, I am the lightning.
My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.
The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.
However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.
It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.
But they need to use intelligent password change policies... I hate having to change my password every thirty days... I even wrote a program that would automatically change my password 30 times and then change it back to what it was originally just to get around this.
No one is going to break my password with a cracker and if someone uses a sniffer and picks it up then the company is in trouble anyway so a password change policy is just an annoyance... in fact it is probably a security flaw as people will begin to just write their password on post-it notes.
it's just another article that proves that many people have shit for brains and should not be allowed anywhere near a computer.
Users are the weakest link. Always has been. The user chose the password.
-- Who is the bigger fool? The fool or the fool who follows him? --
In my opinion, I think that a good, secure password is a good approach, but forcing someone to change it every 15, 30, or even 60 days sort of defeats the purpose. Too many people can't remember 10 digit passwords with a minimum of 2 numbers and/or special characters. After a while, they start picking something somewhat secure and tacking on numbers or random garbage in the middle or end. For those sites that require X characters change, they just use the same X+1 number of passwords, to get around the system.
I would rather see a good policy on creating a password (including automated password cracking) and let them keep it for an extended time. In sites where password snooping is important (not as many as needing a secure password), then it should be rotated, but someone snooping the password isn't going to wait 15 days before using it, they are going to use it in about... say... 10 minutes, or that night.
Give a good password (10-15 characters with all those extras that people seem to think is important) and let them keep it. Let them use the same password on multiple machines, but don't expire it as often as possible. It just makes more insecure passwords because they don't want to remember as many damn passwords that keep changing every 5 hours and require everything to be different.
Yes, I have a lot of passwords. More than I need, but that is a different issue.
--- My novel, The Mummy's Girl is now for sa
Our company requires strong passwords, changed every 45 days. I suspect that there are a lot of cubicles scattered around where you could find passwords jotted on a scrap of paper placed under keyboards, in desk drawers, etc.
What would be cool, since we all have to wear (stinking) badges anyway, would be to have a card reader at each workstation and use the badge. Probably cost-prohibitive but it would make life a lot simpler.
MG
Randomly distributing Karma whenever possible.
After dealing with multiple incidents of hacking at my former work, we formed a security policy that included enforced, complex passwords. Luckily we did the same analysis on existing passwords to justify the change because it caused quite an uproar.
Our heuristic was simple (to me): include one character from each of the following subsets of characters: UPPERCASE, lowercase and Numbers, minimum of 8 digits.
I must have spent at least 10 minutes with most people helping them choose passwords that fit the criteria. The worst ones of course were the executives, one made me sit with them for over a half an hour while they figured it out.
Luckily it was a small company of 40 people or so, I might have gone crazy.
Also we instituted a policy where, if we see a password on a post-it note on your monitor, you get your password changed and a warning. Second offense, we walk over, unplug your system, and take it away.
Did I mention that we will still require you to do your job?
Xaotik Designs
probably 60-75% were cracked within 8 hours.
People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.
To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definitive source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.
Why shouldn't they do the same with a password?
Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it
Mine did. Every 3 months our payroll server refused to let us in if we didn't send in a new Password, then and there. Same thing with the filesharing/print server. The cool thing is, they were staggered so that you'd have to change one of your passwords every six weeks or so. Kept it regular, kept it part of routine.
Triv
"You are the weakest link! Good-BYE!"
In my experience, in a large corporation, there are hundreds of independently managed password domains, at least a dozen of which any one person will usually have to deal with on an ongoing basis. Differences in password change frequency, minimum lengths, differentials from prior passwords (sometimes from ANY password used by ANYONE on that system in the last year), and digit inclusion rules vary in a tower of Babel that make it difficult to even maintain passwords, let alone ensure they are all maintained securely.
What do you mean they cut the power? How can they cut the power, man? They're animals!
I can tell you that IBM makes us change our passwords on a regular basis and they have to be all kinds of random. Even my standard passwords that I consider pretty random don't stand up to their scrutiny sometimes.
When I started at this company I had a 20 character password with all kinds of 3l1te stuff. But they make you change your password every 30 days, and start reminding you about it after 15 days. I changed it once, twice, but then got bored making up new passwords and remembering them and just switched to month stuff. Don't care any more.
In what way does changing a well-chosen password increase security on a non-compromised system?
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
All hail Attack of the Clones!
Attack of the Clones Rules!
This is so tech-elitist... "The users are the problem!"
Give a look at any paper by Sasse, Brostoff and Adams, such as this one, and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force-all-my-users-to-32-char-monthly-passwords bullshit attitude.
The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.
Can we have some evidence as to how harmful weak passwords really are? I know people that would be a lot more trouble if they were forced to remember good passwords (They'd probably end up writing it on a piece of paper). I think it's a lot better to make sure that the compromise of the account could not do much damage by restricting privileges.
no wonder so many people are using this Anonymous Coward account. I forgot to put a damn good password on it!
Get the database of passwords that "John the Ripper" and other popular crack utilities try. If an employee tries to enter a password found in these programs (tested against the database): "Your password is too easy, try again."
God spoke to me
I wouldn't be too quick to judge the admins with this one. I know the last time I tried to implement a more secure password format, the users whined their way up to my boss and demanded that it be changed back. Despite my insistence on a more secure environment, they made me change it back. It was too much for them to remember more than 6 characters with non-alphanumerics every 90 days. And these are academic types.
THIS is what you get when you hire people with lots of experience and not fresh graduates. The more modern security measures that are taught in University in NetSecurity 101 such as using shadowed password files instead of using /etc/passwd for everything simply get "lost in the woodwork".
Therefore by hiring only EXPERIENCED people these old security threats remain until these EXPERIENCED people retire.
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
SQLSnake story that just got posted? Passwords suck because people are lazy, with all the stuff they (end users) already have to remember... pin numbers, telephone numbers, ssn, I think their (end users) small brains are full and can't remember one more pwd.
I know of plenty of my customers that have really, really easy passwords.
I did the same thing on our NT SAM database a while back. 75% of all passwords fell in about five seconds. ;-)
Anything less than six characters, no matter what they are, goes so fast it's not even funny. Well, it is funny, but not in a good way.
We now have a password policy of 8 chars, letters and numbers, and we run cracks against them every so often to make sure folks are complying.
-EvilMagnus
The company I work for (large, national insurance company with over 50,000 users) has a "strong" password policy that is enforced by the system. A password for our domain must be a minimum of 8 characters with a mix of upper and lower case letters plus numbers. Password changes are forced every 2 months, and a previously used password is not able to be reused for the next dozen password changes. That being said, just yesterday I was working with a user whose password was their first name with a number one tacked onto the end of it. I imagine that she started with Firstname1 and then just incremented it on subsequent changes.
The problem isn't just forcing "strong passwords" onto the end users, but making sure that end users understand the reasoning behind it. Making someone use complex password formulas is useless when a large number of the users are going to use something that can still be easily guessed that conforms to the formula.
where I used to work used to provide easier access than even guessing passwords (which was quite easy). They used to place the remote desktop software on the fileserver in the root directory for them to use from other work PCs (and any-bloody-body else of course) for everyone to access and then forget to set a password on the server software installed to the main servers.
This means anyone could install the software and be able to do whatever they liked to the servers.... I used to sit there and just observe while waiting for my reply back to my offer of a slow painful death from being "cheese grated" on the back of an old Compaq server network card.
.... then there was the belief that they didn't need to apply NT 4.0 security patches on a regular basis..... if the link to the outside world from this server wasn't so shit the servers would have been trashed a long time ago.
Also generally have no passwords. An install technician told me that they don't like to put passwords on them because it makes it harder for tech support to remotely troubleshoot. When I told them that that wasn't acceptable, they used "12345", explaining that it would be easy to remember and that the technician "always used that one when the customer wanted a password". Maybe a combination of a strong password policy and a beating with a clue-by-four would be a good start for people like this.
Those people are a liberal myth, dude.
crack this with JTR:
no, of course that is not my private key. But it proves a point. Don't rely on false randomness to enforce security. Do it the right way.
While you're at it, read Schneier's book(s) and subscribe to Crypto-Gram. I force-feed it to my network users every time it comes out...
Remember that what's inside of you doesn't matter because nobody can see it.
At our institution we have implemented password patterns that must be used. These rules have greatly enhanced security and we have yet to have one of the passwords cracked (we are running a cracker ourselves).
The ruleset is easy:
#1 Passwords must not contain a dictionary word
#2 All passwords must contain at least 1 number and 1 special character (ie #$%^&....)
#3 The at least 1 number and 1 special character can not be the first or last character of the password.
As for password rotation. I actually believe that harms password integrity. If you are using passwords good enough to stand up to crack attacks then changing them only encourages people to write them down someplace and thereby losing all the benefits of a better password.
Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
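The three-rule set above, plus the "test it against the cracker's dictionary" idea and the predictable habits other posters describe (month names, username plus a counter, keyboard walks, "qqqq"), as one policy checker. This is an added example, not code from any poster's site; the wordlist is a tiny constructed stand-in for a cracker's dictionary, and the 8-character minimum is borrowed from other posts in the thread rather than from the three rules.

```python
"""Password-policy checker assembled from the rules discussed in this thread."""
import re
from difflib import SequenceMatcher

# Constructed stand-in for a cracker wordlist (assumption); a real audit
# would load the dictionary shipped with the cracking tool.
WORDLIST = {"password", "welcome", "secret", "flower", "summer",
            "anthony", "default", "letmein", "dragon"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 8  # assumption, taken from other posts in the thread
# Common symbol-for-letter substitutions are undone before dictionary
# matching, so "p@$$w0rd" is examined as "password".
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(pw: str) -> str:
    """Lowercase and undo leetspeak so pattern checks see the underlying word."""
    return pw.lower().translate(LEET)


def contains_word(pw: str, words=WORDLIST, min_len: int = 4) -> bool:
    """Rule #1: reject if any dictionary word of min_len+ letters is a substring."""
    norm = normalize(pw)
    return any(len(w) >= min_len and w in norm for w in words)


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """Detect runs like 'qwer' or 'rewq' read off a keyboard row (L147/L165 habit)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(s[i:i + run] in r for i in range(len(s) - run + 1)):
                return True
    return False


def has_month(pw: str) -> bool:
    """Detect the 'password == month name' habit: any alphabetic token is a month."""
    tokens = re.findall(r"[a-z]+", normalize(pw))
    return any(t in MONTHS for t in tokens)


def has_repeats(pw: str, run: int = 4) -> bool:
    """Detect 'qqqq'-style runs of the same character."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def too_similar(pw: str, previous: str, ratio: float = 0.8) -> bool:
    """Catch Firstname1 -> Firstname2: same stem once trailing digits go, or near-identical."""
    if not previous:
        return False
    stem = lambda s: normalize(re.sub(r"\d+$", "", s))
    if stem(pw) == stem(previous):
        return True
    return SequenceMatcher(None, normalize(pw), normalize(previous)).ratio() >= ratio


def evaluate(pw: str, username: str = "", previous: str = "") -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    inner = pw[1:-1]  # rule #3: the required digit/special may not be first or last
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if contains_word(pw):
        problems.append("contains a dictionary word")
    if not any(c.isdigit() for c in inner):
        problems.append("no digit in an interior position")
    if not any(c in SPECIALS for c in inner):
        problems.append("no special character in an interior position")
    if username and normalize(username) in normalize(pw):
        problems.append("built from the username")
    if has_month(pw):
        problems.append("built from a month name")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk")
    if has_repeats(pw):
        problems.append("run of repeated characters")
    if too_similar(pw, previous):
        problems.append("increments the previous password")
    return problems


if __name__ == "__main__":
    # Constructed candidates echoing the habits described in the thread.
    for pw, user, prev in [("p@$$w0rd", "joe", ""), ("Firstname2", "firstname", "Firstname1"),
                           ("May2002!", "ann", ""), ("Qwerty78", "bob", ""), ("Tib3m#oE", "bob", "")]:
        print(f"{pw:12} -> {evaluate(pw, user, prev) or 'accepted'}")
```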
> Sounds like enforced password formats and
> mandatory changing of passwords would help
These measures only force users to choose an easily guessable algorithm instead of an easily guessable password. Make your passwords expire every 30 days, and your users will switch from password == userid to password == month name.
My last office job, we had a defined amount of time between which we had to change passwords. No minimum lengths, which would have been good, too, but it was something, right?
Every time passwords got changed, people would take down their old post-it and write up a new one. And you were also required to keep your password on file with your supervisor. Most people just kept incrementing the default password, which was a very short word--so you probably could have gotten 75% of the company just by using default1, default2, etc. ('Default' wasn't the word itself.)
Now, I'm headed off to college in the fall. I've just gotten my university email account, and been informed that you cannot, in fact, have a password longer than eight characters. You just aren't allowed. (Thankfully, they also don't allow less than 6.) We were then recommended to keep it all lower-case and something we could easily remember.
For non-geeks, I've concluded, ease of use trumps security every time. Nothing's ever going to change that, and nothing easy is ever going to be truly secure. Such is life.
Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.
EnkiduEOT
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
My password would never get cracked this way, I use caps, numbers, and characters
B#d!ACc-0 I mean look at it..
Of course I need to keep it written on the monitor to remember it, and since it is hard to type every time I need my password until recently I had to have a file on my desktop (labeled password of course) that had the text to copy and paste, but now I have a programmable button on my keyboard with the code in it to save time. This is all still secure right?
In my experience password expiration just forces you to pick memorable passwords. I have several passwords that haven't changed in years, but they are secure by most definitions, 8 chars, upper lowercase and numbers. They would be impossible to remember except that I have been using them for years. The only thing password expiration protects against is limiting the damage of a password which has already been compromised.
Spencer Ogden
In an environment where passwords are forbidden to be recorded for any reason, constant password changing can lead to the selection of weak passwords. I for one can easily manage a small number of random passwords, but if I have to be constantly changing them I have to resort to less secure but easier to recall passwords.
Ever try and make a non-technical user create a good password? They can never remember it. I either end up having them create a new password or I find their password written on a post-it note near their monitor.
UNIX/Linux Consulting
People should use passwords that are easy to remember but still long and tough to crack, such as the style of "block+audible" that my old AOL account used years ago, or using the first letter of each word in a phrase like "TitbmoE" for "Taco is the biggest moron on Earth"
Funny, fingerprint scanners should be offered as a solution when we all know how insecure those are:
http://slashdot.org/article.pl?sid=02/05/15/2233214&mode=thread&tid=172
"The direction controls are the same in Nethack as they are in vi." "Yeah, I hardly ever die in vi anymore."
- A great deal of passwords are simply PASSWORD. Try it, you'll be amazed
- If you know the names of the target's immediate family (and possibly pets), you've just gained 1-5 more possible passwords.
- Many people simply make their passwords 'qqqq' or some chain of identical letters. This is because they don't want to have to bother with remembering a password.
- On a similar note, try QWERTY, ASDFGH, ZXCVBN, etc. Look for strings of letters on the keyboard that fit the minimum password length (typically either 4 or 6).
- If you have access to the target's desk, you've hit pay dirt. The password is likely written down somewhere. It would be nice if most software didn't say write down your password, etc.
Good password creation tips...Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to bruteforce, and can be remembered fairly easily with a bit of practice.
Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...
I've rigged up a
But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.
-Evan
news, and in other news, Computer systems are 100% safe except for the users. Anyone who has been in any sort of IT environment can tell you this, and probably for a whole lot less money than the consulting firm charged. Unless your policy is enforced and dictionary used on passwords, (L)Users will compromise security for ease of use almost ALL the time.
errr....umm...*whooosh* *whoosh* Is this thing on ?
Maybe that will solve your problem.
At my company, I initiated a policy requiring strong passwords (8+ chars, at least 1 uppercase, 1 lowercase, 1 digit, one punctuation, no dictionary words beyond two characters in length allowed). The policy also requires monthly password audits (using programs like John the Ripper).
I got the policy signed off on by the board, then I wrote a memo that explained the policy and showed how it is easy to come up with and remember good passwords (through the phrase --> password method, for example).
So far, it's worked out well. There was some grumbling at first, but once people came up with their first passwords, they realized how easy it was and it didn't bother them any more.
-Joe
I work at a small ISP (400 customers), I ran this on our password list once just out of curiosity on how stupid the customer passwords were.. sad part was, somehow 10% of the passwords were the same as the usernames...... No more letting users change their own passwords.
Can all fish swim?
The best solution to the password problem are authentication tokens like Cryptocard or SecurID.
jon.sable@sympatico.ca
For years I've been creating my passwords not based on words, but on easy to remember hand motions. To give a very simple example: Qwerty78, a simple rolling left to right motion, plus a few numbers. Very easy to remember, tough to crack if you try a brute force attempt.
.....
Good Bye!
.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Tokenized fobs, or one-time passwords are the best answer, I think. Too bad an ACE server costs so much. :-(
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
IT revelations in this month's edition of Duh!
put the what in the where?
Here at work, the DBAs are setting up strong-password checks on all of the Oracle databases. Passwords are restricted to more than seven characters, and must contain an upper-case alpha, lower-case alpha, a numeric, cannot be one of your last 10 passwords, and cannot have similar substring matches with your last password.
However, with Oracle versions 8.1+, there is a bug with the supplied verify function that rejects nearly ALL passwords supplied, even passwords that are completely random strings (such as g8kLK58sS). Anything used in the "ALTER USER [NAME] IDENTIFIED BY [PASS]" will fail, and we users are getting a bit angry that we've lost the ability to change our own passwords.
What this has resulted in is an abundance of ORA-28003: password verification for the specified password failed messages. This is the default error message when your password is not complex enough. Note that by default, Oracle passwords are NOT case sensitive.
"There is still some speculation about that last announcement," said Norman P. Obvious, ZDNet spokesman and 1997 StarSearch Spokesmodel winner. "We're planning on doing some more testing over the next few weekends."
You need to have a password policy that encourages better passwords without requiring a specific password makeup.
If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.
Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLY wanted.
The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.
Furthermore Opie is a neat project to avoid keyboard snooping.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
I just started working for the federal reserve a few weeks ago and was astonished at the password awareness. Every month they try to crack our passwords, and then model that and try to put new policies in to reduce the percentage cracked. (started with 8%, now down to 3%, makes your money feel secure, doesn't it?)
Our passwords change every 30 days and we can't use the same passwords to access our email as the network. Standard stuff really. The amazing thing is during orientation everyone gets an hour lecture about passwords, what is good vs. bad. Then every week we get flyers and emails updating all employees.
The current policies are things like no words, you must use numbers and special characters, lower case and uppercase, etc, etc, etc...
So, the company pulled a Randal Schwartz, but in this case nobody goes to jail?
my password, "p@$$w0rd" will never be guessed, it is too strong.
Phrases can have lots of entropy, and still be easier to remember than the equivalent entropy in 8 chars.
Enforcing policies that make people choose random passwords just leads to people writing them down on post-its stuck to their monitor. Just make sure it has a couple of spaces in it and has a decent length, like more than 10 chars. If your system is still enforcing an 8 char limit, trash it, it sucks.
When I was sysadmin (for a Windows network), I would just run l0pht. If A) the dictionary could hack it, or B) if they didn't have a number or special character, then I forced them to change their password on the next round. (Here is a detailed explanation of the Microsoft vulnerability.) If they didn't change it to something better, I'd give them a quick phone call and politely explain the security policy I was implementing. (Most people are very cooperative if you tell them politely and don't shove your security policy down their throat.)
There are other free programs out there (I forget the names) that generate nice reports based on l0pht findings. You can, for example, say that 80% of the users have passwords the same as their user names, 50% have passwords with one special character in it, etc.
Perhaps CxOs should visit sites like Astalavista.com. They'd then see how easy it is for a cracker to compromise your network!
Believe me. I worked in a 200 person department at a major university for several years as LAN admin. We tried to enforce strict password rules. Within a few weeks we were the most hated IT department on earth. Eventually b/c of upper management pressure (b/c of all the bitching) we had to let them set their passwords to whatever they wanted.
We ran a password cracker against the new passwords just to see how bad it was, and it had 187/200 passwords in about 10 minutes. The only ones it couldn't get were the IT staff.
The crazy thing is, if there ever was a security breach, guess who takes the heat? The IT guys. It doesn't matter how many times you tell management that easy-to-remember passwords are dangerous. It doesn't sink in until somebody proves they are dangerous by stealing them and using them for something bad.
I think the solution has to be biometric. This way the sheep don't have to remember anything. they can just swipe their eyeball past a sensor and get logged on.
One thing this article doesn't really talk about is the difference between online and offline password cracking. Online password cracking means you are asking another computer (a server) if your password guess is correct - only the server can tell you if the password is correct. In offline cracking you don't need the cooperation of the server - you can try every possible combination and determine if a guess is correct without the help of the server.
Obviously there's a big difference. Online password cracking can be easily defeated - just lock the account out after a certain number of tries. The attack they performed in this article was an offline password crack.
The article says it would take 13 years for the fastest pentium 4 to run through all 8 character possible passwords. But how long would it take an easily affordable cluster of them? A cracker could use trojaned machines out there to search a portion of the keyspace. Or just recruit workstations at your job or school to help. Or easier yet, just rent a bunch of fast servers for a month or two from one of those managed colo places like rackspace.
Bottom line is, the average human cannot be expected to remember a password that is insusceptible to offline cracking. That's what real crypto keys are for, and is why passwords should not be trusted as crypto keys or in any situation where an offline attack could be performed on them.
All Microsoft would need to have done is buy out Verisign before the anti-trust actions and before Verisign became a monster.
Seastead this.
Let's face it: one of the weakest features of username/password authentication is the fact that you must declare your ID and then your password. No matter how well you hide your password, the fact that you declare your ID to the system is probably just as bad as an easily guessed password.
Think about the difficulty of hacking an authentication system if all usernames were completely unknown or never declared. I could tell you there are 4 users on "login.supervaluable.com", all of whose passwords are "easy12remember". Unfortunately, if you never figure out what the names of those 4 accounts are, the passwords are worthless. However, if you have a list of the 4 account names but don't know the passwords, you at least have a place to start your intrusion.
So just as much as easy-to-guess passwords are a problem, I stipulate that easy-to-guess usernames are too. Does this mean the username/password scheme needs to be rethought? Anyone have alternative authentication schemes that require minimal "declaring" of any information?
-
The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.
That's enough to defeat the usual attacks. And it's one page of code, plus a few pages of table. Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.
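An added example, not the poster's code, of a password filter built in the spirit of the "triplet statistics" idea above: it collects the letter trigrams of a word list and rejects a candidate whose trigrams mostly occur in that list, since such a candidate looks like a dictionary word. The word list, the length limits and the 0.6 rejection threshold are assumptions for this example; a real deployment would load the system dictionary instead of the constructed sample.

```python
"""
Trigram-statistics password filter (added example, not the original poster's
code). A candidate is rejected when too many of its letter triplets also occur
in a reference word list, i.e. when it "looks English".
"""

# Constructed sample word list, a stand-in for the UNIX spelling dictionary.
SAMPLE_WORDS = """
password secret letter number random computer network security system
welcome monkey dragon master shadow sunshine football baseball princess
""".split()

MIN_LEN, MAX_LEN = 8, 64      # configurable length limits (assumed values)
THRESHOLD = 0.6               # reject above this fraction of dictionary trigrams (assumed)


def trigrams(text):
    """All overlapping 3-character windows of the lower-cased text.
    Digits and symbols are kept, so 'pass7word' yields 'ss7', 's7w', '7wo'..."""
    t = text.lower()
    return [t[i:i + 3] for i in range(len(t) - 2)]


def build_trigram_set(words):
    """The set of trigrams seen anywhere in the word list."""
    table = set()
    for w in words:
        table.update(trigrams(w))
    return table


DICT_TRIGRAMS = build_trigram_set(SAMPLE_WORDS)


def english_fraction(password, table=DICT_TRIGRAMS):
    """Fraction of the candidate's trigrams that occur in the word list."""
    t = trigrams(password)
    if not t:
        return 0.0
    return sum(1 for x in t if x in table) / len(t)


def check_password(password, table=DICT_TRIGRAMS, threshold=THRESHOLD):
    """Return (accepted, reason)."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False, "length outside configured limits"
    frac = english_fraction(password, table)
    if frac > threshold:
        return False, "triplet statistics look like a dictionary word (%.2f)" % frac
    return True, "ok"


if __name__ == "__main__":
    for cand in ["1password", "pass7word", "mlbiewaa8", "short"]:
        print(cand, check_password(cand))
```

With the constructed list, "1password" is rejected (six of its seven trigrams come from "password"), "pass7word" squeaks through because the digit breaks three trigrams, and an acronym-style string such as "mlbiewaa8" passes with no dictionary trigrams at all, which matches the behaviour the poster describes for digit-prefixed versus digit-in-the-middle words.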
When we did try to add a strong password policy, the CEO and several executives of our company stated that it was simply too inconvenient for them.
Single sign-on is a joke. There is no standard for this. There is no single solution to authentication that spans across all platforms. Take, for instance, a vendor of a turnkey product, say a web-based materials management system. They would probably roll their own authentication system because they need authentication but can't rely on their customers to have a particular system in place to interface to for authentication purposes. So in addition to the ten other passwords I need to remember for all of the other systems with custom authentication, I will need to add one more to my list. The solution is the development of an authentication standard that can be applied to future systems and retrofitted into legacy systems. Kerberos? Seemed good at the time, but why hasn't it caught on more? Tall order? You bet! But how else are you going to solve the problem of having to remember multiple passwords? Most people just go back to remembering one or two and use them for all the systems they log in to. Not a good idea, but let's face the truth, almost everyone is doing this and this won't change until a real single sign-on solution is delivered.
-- Knuckle Blood : Official Lube of Team Rusty Nuts.
But this is definitely one of the few areas where NT/2K still scores over (most) Unices (as far as I know, please cluestick me if I'm wrong...), namely it's trivially easy to enforce finely grained password policies. On NT, it's a case of find the dialog, check the options you want to apply, enter some numbers (length of time to remember old passwords and reject them, how often to force changes, minimum length, whether to force uppercase / digits / alphanumerics, etc.). I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies. (Well, OK, I'd use Google, the LDP, how-tos etc., but you see my point.)
That said, I just installed Mandrake 8.3 out of curiosity to see what a Windows-friendly distro looks like, and I'm VERY impressed. Bob Young is wrong - IMHO - I think Linux
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Oh wait, forget about the last sentence, I'm still having problems translating Sun Tzu's advice to today's world.
Did you know you can fertilize your lawn with used motor oil?
I worked for a hospital once where people's usernames AND passwords were their first initial and last name (user: jdoe, password: jdoe). Most of them used this scheme for user accounts, email, and pretty much everything else. And if that wasn't bad enough, some of them had to write it on their monitors so they wouldn't forget (no joke). The lusers couldn't even remember their own names.
The story is rather obvious, everyone knows the human factor is always the weakest link, and that includes passwords people pick.
On a side note, password policies can sometimes do more harm than good. Our company enforces password changing and password strength rules for NT logins. We change passwords once a month, and the requirements read "At least 6 characters, must contain capitals, numerals, or punctuation, cannot be any of your previous five passwords, cannot be based on username"...
Well, someone goofed in the logic of the password ruleset. As it turns out, it requires the use of both capitals *and* numerals. They've actually managed to limit the number of possible passwords... as the majority of the passwords at this company now start with a capital letter and end with a numeral (most often "1"). Since they have to change passwords once a month, most employees either write them down or pick very easy ones.
11*43+456^2
Over the years I have moved from systems administrator positions to being an IT director at varying companies ranging from health care to heavy manufacturing. While the health care company (a major metro area hospital) I worked at had some policies (change every 60 days, minimum length, etc.), people would still choose passwords such as "password1" and then increment the number every 60 days or whatever. The manufacturing firms I have worked for had abysmal policies for passwords (setting the default password to the same as the username and never forcing a change after that).
What is key in this discussion, in all places I have worked, is that the executives who have access to the most sensitive info and demand data security are the ones who never want to remember a password or have it change. If they don't want to participate, why burn out your network admins enforcing password policies, as well as all of the support headaches they bring from locked accounts, forgotten passwords, screwed-up password changes, etc.?
Really, my opinion from 7 years of 'real world' experience running 1000 - 5000 node networks plus large multi-user systems (Unix terminal environment to AS400 to mainframe) is that passwords really only secure you (somewhat) from internal employees accessing information they are not supposed to. It is probably impossible to really say with any certainty (would you bet your salary on it?) that a system that has 1000+ logins and is accessible from the outside world is ever really "safe."
So, I must concur with some of the other posters and give a big "No Duh" on this one. IMHO it would be a waste of money and time to chase password policy enforcement for 10,000 users versus providing a total lockdown from outside access to your important systems and controlling that access with long passwords, 128+ bit encryption, etc. Of course there are exceptions for your financial institutions and other highly sensitive government areas, but I have a feeling that they too are more lax on password policies than we would expect.
Jesse Wolfe Sr. Manager Systems Integration
These techniques are reviewed, for example, in Cryptography and Network Security: Principles and Practice by William Stallings
When anybody ignores the fact that 30% to 50% of passwords entered by random users are easily guessable, they get what they get. It's a known result. You don't need to run a password cracker on every password file; just make sure there is no check at the password input form and you know the outcome.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
Pick one or the other. Either have employees memorize a really tough password once (maybe once a year) or make them memorize easy passwords once a month.
See, the problem with enforcing rules like frequent password changes and mandatory "good" passwords (not from a dictionary word, upper case and lower case, non-alphanumeric characters, etc) is that users will, when forced to remember passwords like this, write them down.
Sometimes, the more spectacularly idiotic users will write down the password on a post-it note and stick it to their monitor so they never have to remember it at all.
Just making those passwords mandatory is trivial programmatically (though things like 'P@ssw0rd' are still perfectly legal under those rules). Hell, most Linux installs I've used are set default with a passwd that checks to make sure you're not using a dictionary word. The hard part is trying to fix stupid users.
--AC
This reminds me of a website I was designing a few years back. I required root access to configure the databases and apache. I almost had a cow, correct that, I did have a cow, when I was given the password. "Hostname".
The only thing stopping a barrage of hackers was:
user: root
pass: hostname
And that was the actual hostname of the site, not 'hostname'. I changed it to a random set of digits and sent a notice to everyone working on the site. 7 hours later the owner emails me:
No, you must change password back. I never remember this. Change back to hostname now or you fired.
After arguing with her for 2 days on the risk (she was going to store credit card numbers) I quit. I wanted nothing to do with managing hackers. Due to a good M$ like contract I still got paid but that's another story.
Luckily the site hit a brick wall and never had any customers let alone any CC#'s. Ugh, some people.
BTW if wondering it was going to be a porn site portal, collecting the credit card info, billing them, and redirecting them to the hosted porn sites.
I just really worry about what website she is going to try next.
-togtog
Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?
We enforce this quite easily with W2K and ADS. Active Directory supports a group policy which allows you to set things like minimum password length, number of remembered passwords, how often you have to change it, and even minimum requirements (i.e. numbers, capitals, etc.) MS even released the sourcecode for the passflt.dll so you can write your own custom password requirements for everyone to comply with.
------
"And may your days be long upon the earth."
In my view, the real problem lies in the number of web sites which require (free) log in. Say you use 20 services and that they all require logins. Are the punters supposed to remember 20 different name/password combinations? No, they'll often reuse. And what is to stop billg/msft1234 who has logged in at both slashdot and the New York Times being compromised by CmdrTaco to read the NYT for even freer? I personally re-use passwords for sites where there is no risk involved, elsewhere I often create throw-away passwords which I'm happy to have in a cookie but forget before I'm ever asked to use them again (and thus create a new account).
I believe your AotC "spoilers" list has an inaccurate assumption in item "3) Jango dies".
It is true that we see Jango Fett's helmet get knocked from his body (actually, the body of his armour) and roll across the ground. This does not necessarily lead to Jango Fett dying.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Ever seen a Securid card with the username and password on a post it stuck to it?
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
The only way this truely becomes a vulnerability is if you acknowledge the security problem as real. Have we all not yet learned anything about security from Microsoft? Ignorance is bliss!
Wouldn't access to the password file be the weakest link? Who doesn't run a shadowed password file anymore? ..
:-) Oh, wait, every system has root! Well, show me a system that lets you log in as root and I'll show you a sysadmin who should be shot.
Without that you're looking at brute force. So, start guessing at usernames, and start guessing at passwords for those users. And since the Unix login slows down the more you attempt to get in, well, it's pretty damn hard.
Windows - on the other hand - is no issue, they lock accounts after a couple failed logon attempts. Microsoft knows how to implement tight security controls.
My IT folks love to talk about the mandatory password change. I change my password once every 15 days. It has to include three of four character classes: numeric, uppercase, lowercase and symbols. And finally, it can't be any of your last five changes.
And yet, we've been hacked a few times. How's that possible, you ask? Well, the same IT folks have set up a network that uses plaintext passwords for everything, unless you know how to properly tunnel things.
The draconian password policy has created other difficulties. A few employees have a set list of five passwords that they rotate; one has his written on the calendar. Many of us have password lists under our keyboards, which in an open floor is about as secure as...well, it isn't secure. Finally, the majority of the passwords follow a simple theme: capitalize the first letter, add a numeral to the end. A dictionary attack for that would take what, five minutes?
Rapidly changing passwords are a hassle for everyone but the paranoid, and that makes them insecure based solely on inconvenience. Want a nice, secure password? Change it once every six months (with a reset any time you suspect network funny business) and generate it yourself. Anybody can memorize any password given enough time -- and forcing the change only results in easier to crack passwords.
Hey freaks: now you're ju
The major problem I have with passwords is that we are required to have too many username/password/PIN # combinations. If you want to enforce a strong password requirement, then complement that program with a single-signon system. That way I can throw away this piece of paper sitting on my desk ;->.
I once worked at a research institute where they had a very nice policy regarding passwords.
They constantly ran the best available password cracking program, and when a user's password was cracked, he got either a warning or an account lockout right away, depending on how long it took to crack. No other restrictions were applied.
Microsoft knows how to implement tight security controls.
That <grin> didn't show up very well!!! Should have previewed my message. Hah.
to know each others' passwords, or even share OS logins (we use separate authentication at the application level because we know they're doing this). It's even fairly common to use the login as its own password...
Just wait for the HIPAA security regs to kick in.
[Posting as AC because I'm not a corporate spokesmodel. But if you really want to figure out who I am, you'll know. I just won't admit to it.]
Most co-workers that are non-savvy will often change their password every six months; it's up to the network admin to force or change it.
A good method I know of to create a strong password is called a "passphrase".
;-)
;-)))
You think of a phrase (a statement) with 4-6 words and take the first (or last, as you wish) character off each word.
For example:
phrase: my linux box is equipped with an athlon 850
Using the first character of each word, you get:
mlbiewaa8
which is a "strong" password but easy to remember.
My 2 cents.
I can just see the pop-up now..
Your fingerprint has expired. Please enter a new finger print:
[scan]
Fingerprint too similar to previous entry. Please enter a new finger print:...
Also there has been some hacking of finger print scanners published lately, see this article.
You never know...
There are at least three great alternatives from a variety of vendors:
1) Dumb Cards
Key +ve: Really Cheap, both cards and readers.
Key -ve: Doesn't know you are really you.
2) Smart Cards
Key +ve: Can be made nigh-on-impossible to crack depending on your needs.
Key -ve: A tad on the pricey side; integration harder.
3) "Alternative Ident" (like eye recognition, voice print, assorted sci-fi stuff)
Key +ve: People who come to your office think that you're cooler than James Bond!
Key -ve: Super expensive as of press date.
I've installed dumb cards at a couple of sites (I don't work for a dumb card manufacturer and will not give free advertising, contact me personally if you want more) with high user satisfaction resulting. People walk past a guard to get into the building (who verifies their ident from a screen if s/he doesn't know them personally) and then the card "unlocks" their PC with a reader that costs about $15 per station to install. To "lock" their PC for a toilet stop (for example) they simply re-swipe. Secondary benefit (on one site that could get away with it (read no unions!)) they collected productivity data from the computer unlock time, which of course meant people immediately compromised security and left their machines "unlocked" when they went to the can, to lunch, etc.!
Passwords are so 1992 - and you can save a nice wad of cash in medium to large corps by not having to employ those couple extra help desk employees simply to change people's passwords when they (always) forget them.
Get with the program, people.
Handing out your password file isn't a good idea in the first place, for just this reason.
7) Natalie is way hotter in AOTC than in Phantom Menace.
The net impact of requiring monthly password changes is the majority of the user-base will work the month/year into their password. This means that your typical password will be bobmay02, or at best bob8mylf5, where 5 is the month. Making people change the password frequently causes them to split the password into the root, and either a time identifier or a monotonically increasing integer. Thus, your 8-char passwords are now really 3-7 char passwords.
Has anyone written a cracking program to take advantage of this? Instead of having to decode the entire password, you merely look for transformations that result in the beginning or end of the password translating to a string resulting in a mnemonic for the current month/year.
Remain calm! All is well!
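The question above ("has anyone written a cracking program to take advantage of this?") and the earlier points about offline cracking and the "Capital letter, digit on the end" pattern can be illustrated with one small script. This is an added example, not code from any poster or from John the Ripper: it reads a constructed file of salted SHA-256 hashes (the `user:salt$hex` layout is an assumption for this example, not a real shadow format) and tries each base word with the transformations a complexity-plus-rotation policy induces (capitalise, append a digit, append a month number or month/year mnemonic). Because the hashes are in hand, no server is consulted and nothing rate-limits the guesses, which is exactly the offline case. It also includes a `brute_force_seconds` helper for the keyspace arithmetic discussed above.

```python
"""
Rule-based offline password cracker (added example, not from the original
thread). Exploits the patterns users adopt under "must contain a capital and a
digit, change monthly" policies.
"""
import hashlib
import itertools


def hash_pw(password, salt):
    """Salted SHA-256, hex encoded. Stand-in for whatever the target stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample "password file" for the example: user:salt$hash.
SAMPLE_FILE = "\n".join(
    "%s:%s$%s" % (u, s, hash_pw(p, s))
    for u, s, p in [
        ("bob",   "x1", "bobmay02"),      # root + month/year mnemonic
        ("alice", "q9", "Welcome1"),      # capitalised word + "1"
        ("carol", "z4", "Dragon05"),      # capitalised word + month number
        ("dave",  "m7", "Ht7!vq#Lp2"),    # genuinely random; should survive
    ]
)

BASE_WORDS = ["bob", "welcome", "dragon", "monkey", "summer"]
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
YEARS = ["01", "02", "03"]


def candidates(word):
    """Yield the word plus the cheap mangling rules a rotation policy induces."""
    cases = sorted({word, word.capitalize()})
    suffixes = [""]
    suffixes += [str(d) for d in range(10)]                 # trailing digit
    suffixes += ["%02d" % m for m in range(1, 13)]          # month number
    suffixes += [m + y for m in MONTHS for y in YEARS]      # may02 style
    for base, suf in itertools.product(cases, suffixes):
        yield base + suf


def parse(text):
    """Turn the constructed file format into (user, salt, digest) tuples."""
    entries = []
    for line in text.splitlines():
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries.append((user, salt, digest))
    return entries


def crack(text, words=BASE_WORDS):
    """Return {user: recovered_password} for every entry the rules reach."""
    found = {}
    for user, salt, digest in parse(text):
        for word in words:
            hit = next((g for g in candidates(word)
                        if hash_pw(g, salt) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def brute_force_seconds(alphabet_size, length, guesses_per_second):
    """Worst-case time to exhaust a keyspace at a given offline guess rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print(crack(SAMPLE_FILE))
    # 8 printable-ASCII characters at a (assumed) rate of 10 million guesses/s:
    print(brute_force_seconds(95, 8, 10_000_000) / 86400, "days")
```

Three of the four constructed accounts fall to a few hundred guesses per account; only the random one survives. That is the asymmetry the thread keeps circling: the mangling rules cost the attacker almost nothing, while the user believes "Dragon05" satisfied the policy.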
At the last MS Tech Ed (in New Orleans about a month ago), the badges had the user ID and password used to register for Tech Ed printed on the back of the badge. That's right, not encoded into the magnetic strip, printed on the back. In plain text.
Denver Isuzu Suzuki
I used to work for a small company (12 people) and was one of their two programmers. I also did all the system administration in my 'copious' amount of time. A month after I began working for this company, their server was hacked for the third time. Their domain was on at least a few hacking lists. So, I went to battle stations, set up a firewall, rebuilt the server, assigned everyone new and ugly passwords, hid all those horrible services that used to be open to the world (like Samba), and lo and behold, no problems at all for the 2 years I worked there.
Everyone in the company hated the fact that I gave them purely random and truly ugly-looking passwords. But I just told them to write it down somewhere and keep it on their desk. I don't think that company is a target for industrial espionage, and if it is, no physical security measures that they were willing to pay for would stop such a thing. Their idea of physical security measures is a door lock, and maybe the deadbolt being thrown on a regular house door. So, if they have passwords hanging off their monitors, it's not that big of a deal.
So the only real defense was the firewall and the couple of services I allowed through (ssh, http, smtp, dns). Notice, no plaintext protocols that use passwords. :) And I was annoyed at having to allow DNS through. It has too much of a history of being hacked.
Moral of the story: if you can live with users putting their passwords on sticky notes on the monitors, they won't complain too much about the assigned passwords.
RedShodan --------- Never underestimate the bandwidth of a station wagon full of tapes.
Look. Passwords make nice window dressing and make the auditors feel all gooey and warm, but let's face it. You're getting ripped off by insiders who obey your policies whatever they are, and outsiders who already have your password files to examine are already in too far. You might as well sell your own children into slavery and let your neighbors have sex with them.
PROTECT THE DAMN DATA, THEN WORRY ABOUT THE ACCESS. COMPARTMENTALIZE AND DISAGGREGATE EVERYTHING.
In "Security Engineering" by Ross Anderson (Addison/Wesley), he gives an interesting statistic on password memorability vs. crackability. In the studies he referenced it was found that:
1) Computer-generated passwords were the hardest to guess/crack (had the most entropy), but also the hardest to remember.
2) User-selected passwords were the easiest to crack (had the least entropy), but were easy to remember and,
3) User-selected passwords created by having the user pick a phrase or song lyric and use the first letter of each word had nearly the same entropy as computer-generated pseudorandom passwords and were nearly as easy to remember as regular user-selected passwords.
This has been true since passwords were first used. I've run password cracking programs against all of my systems and projects as part of a standard assessment. I would say that finding 30% of passwords in less than a day would be a fairly typical result.
The truth is that passwords are not a good security tool for all the reasons you would expect. The basic one is that memorable passwords are generally easily cracked passwords.
I use tricks like passphrases where I take the third letter of each word, mix case, and numbers for certain letters, etc. Even with those tricks, the password is still fairly easily attacked (the frequency of letters in the english language is hardly random).
IMHO the best solution is to combine authentication methods. Use a token system like SecurID combined with a password. Better yet, use password, token, and biometrics.
If you have to use passwords and only passwords, run the attacks yourself and lock accounts you can crack. If you don't run them, someone else will.
[ryu@linus
Starting nmap V. 2.11 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on adsl-78-196-1.sdf.bellsouth.net (216.78.196.1):
Port State Protocol Service
23 open tcp telnet
Interesting ports on adsl-78-196-2.sdf.bellsouth.net (216.78.196.2):
Port State Protocol Service
23 open tcp telnet
.
.
.
Shit! My ISP just called and shut me down!
Stupid lameness filter....junk characters? The funny thing is, a large amount of Cable/DSL/ISDN providers do this.
You can always telnet into a ISDN router, change the phone numbers of the ISP to, say '911' or your favorite FBI office, and then disconnect, and then the ISDN device will be dialing up numbers!
1) write a program that generates an almost-random password based on a triple consisting of one string plus two numbers (all passed on the command line), making sure it will always generate the same password for the same input trio.
2) the string is the server's name, the two numbers are month and year
3) put the running copy of the program (all the others are offline backups) on that old P133 notebook and keep it UNPLUGGED, hidden in the rack between some switches and routers
I actually used it to change the root/admin password monthly for dozens of servers. Each one has its own unique password.
If you can read this, thank an english teacher.
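The scheme in the post above (a deterministic password from server name plus month and year) only holds up if the function cannot be rerun by anyone who learns its inputs, which is why the poster keeps the machine unplugged. The added example below, not the poster's program, makes that explicit by using a keyed derivation: an HMAC over `server|year-month` under a master secret, mapped onto a password alphabet without modulo bias. Knowing one server's password then reveals nothing about another's, and the only thing to protect is the master secret. The alphabet, the 16-character length and the `MASTER_SECRET` value are assumptions for the example.

```python
"""
Deterministic per-server, per-month password derivation (added example, not
the poster's code). Swaps the poster's unspecified "almost-random" generator
for HMAC-SHA512 under a master secret.
"""
import hashlib
import hmac

# Ambiguous glyphs (0/O, 1/l/I) removed so the password can be read off a
# screen and typed at a console. Assumed alphabet for this example.
ALPHABET = ("ABCDEFGHJKLMNPQRSTUVWXYZ"
            "abcdefghijkmnopqrstuvwxyz"
            "23456789"
            "!#%&*+-=?@")

# Example-only secret. In practice: generated with os.urandom(32) and kept on
# the offline machine, never in the script.
MASTER_SECRET = b"example-master-secret-replace-me"


def derive_password(master_secret, server, month, year, length=16,
                    alphabet=ALPHABET):
    """Same (server, month, year) under the same secret always gives the same
    password; any change to the inputs gives an unrelated one."""
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    label = ("%s|%04d-%02d" % (server, year, month)).encode()
    # Rejection sampling: drop bytes that would bias the modulo reduction.
    limit = 256 - (256 % len(alphabet))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(master_secret,
                         label + b"|" + str(counter).encode(),
                         hashlib.sha512).digest()
        for b in block:
            if b < limit:
                out.append(alphabet[b % len(alphabet)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def rotate(master_secret, servers, month, year):
    """Passwords for a whole rack for one month, as {server: password}."""
    return {s: derive_password(master_secret, s, month, year) for s in servers}


if __name__ == "__main__":
    for srv, pw in rotate(MASTER_SECRET, ["db1", "web1", "fw0"], 5, 2002).items():
        print(srv, pw)
```

Because every output character is drawn from a 67-symbol alphabet by rejection sampling, a 16-character result carries roughly 97 bits, far beyond offline search, and the month/year input is just a label; it contributes no secrecy and does not need to.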
Are not the sole solution, if they are a solution at all. It's one thing to say "Users should be able to pick strong passwords, made of varying characters, and remember them without writing them down." As most of us who have actually been involved in implementing this know, it doesn't quite work. This is just like saying "Humanity should be comprised of responsible, mature, and free-thinking people" - nice in concept, but a little difficult to enforce. With certificates, secure tokens, biometrics, and image-based passwords (as opposed to text) this problem will finally be solved. I think it's sad that the security community has been willing to rail against the stupidity of users for 30 years instead of coming to accept the fact that people like simplicity, not security, and finding ways to make passwords secure AND simple. We can bitch and moan about passwords all we want, but for a 30-year-old system that has had no major revisions except for how they are stored, passwords are woefully outdated and inadequate as an authentication method.
I admit I don't choose the best passwords, but I have a few quite secure ones for special cases.
But at work I didn't get to choose my password at all and it doesn't expire. It is the default password they use when setting new users up. I'd like to change it but there is no IT on hand over here and it isn't worth the trouble ticket to have them take care of it. Many times admins assign weak passwords and the user doesn't or can't change them.
Not to mention when you force a user to use a "good" password they probably won't get it or understand why. Not to mention forget it after they choose it.
Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.
If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.
Making people choose strong passwords is a computer-based version of a traditional risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that cost. Unfortunately I haven't gotten the feeling that either this article or many of the people here take into account the relative nature of computer security.
One of the key questions that needs to be asked before a password policy is defined and implemented is: what are we securing and how valuable is it? How devastating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.
Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.
Memorizing multiple truly secure passwords on a rotating basis is a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business-based reason why, and will easily be able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own systems passwords.
You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.
Nothing disturbs an end user more than when you email them their old password
(you have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd to enforce difficult passwords.
The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars..)
Once I had Management buy in it was smooth sailing. Just hold their hand for a while.
I've already heard of several companies mass-implementing the EBP Lites. I'm getting one next month to keep some of my S/Keys around with me all of the time.
The solution is a combination of measures. Good security should be based on something you know, something you have and something you are.
Something you know is easy, passwords fulfill this purpose but on their own they are not enough. You need to also have something you have, for example a key, or more probably a smart card. This has the advantage that people are generally good at managing the security of physical objects. For example users think nothing of putting their password on their desk, but wouldn't dream of making a copy of their door key and leaving it in the lock.
Together these options are good, and probably enough for most situations, but if more security is needed then biometrics can be used fulfilling "something you are". As reported, biometrics are not perfect, but in combination with these other methods, biometrics adds significant security to the system. All without reducing the ease of use.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
The extremely large multinational financial firm I work for forces us to change passwords once a month with a minimum of 6 characters. Also, after 3 unsuccessful password entries the profile is locked and only a sysadmin can unlock it. Also you can never use the same password twice. So in theory it seems like we have a halfway decent security situation. In practice, however, changing a password so often makes life hard for an employee. We are not supposed to write down the passwords, and after working here for 2 years or so you rapidly run out of easy-to-remember, hard-to-guess passwords. So people use stupid, easily hacked ones such as spouses, hometowns, pets' names, etc. When I first started I used good passwords with number combos and different case combos, but after seeing the sysadmin's face after locking up my profile for the 24th time I have since gone to the stupid easy stuff.
So it just goes to show that even somewhat high level well thought out security can be easily foiled by the non-technical.
-- No Comment
I strictly enforce "difficult" passwords on all of my clients - but I don't make them rotate them. Why? Because difficult passwords are by definition hard to remember - and I don't want them to write their new-passwords-of-the-month on post-it notes.
In this day and age, it's usually easy to add SSH/IPSec gateways to everything, and filtering all unknown IP addresses helps as well - I use these to augment any system that is brain-dead enough to transmit passwords in the clear.
Quite often, password rotation causes passwords to be transmitted in the clear - over help-desk phonelines, in un-secured palm devices and on sticky notes.
Food for thought - and yes, I do know it's against your MCSE training.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
The network where my father works (Netware at a hospital) forces a password change every 2 months. That worked for the first few months, but after 10 or so passwords, people started forgetting them.
To fix this, the users resorted to an even more dangerous solution. Now, most, if not all of the consoles have at least 1 valid username/password combo written on a Post-It(tm) Note on the side of the monitor. There are plenty of terminals in dark, back areas, where a determined cracker could sit, setting up a backdoor.
If we make passwords harder to guess, they will be easier to forget, and users will, in all cases, write them down. A password easily found is worse than no password at all.
-twb
'Well,' said Bob, 'I like to use the same password for everything so I just used the SQLServer default... how was I supposed to know?'
Why not implement a password change policy based on the strength of the password? The stronger the password, the longer the period between forced changes. This way the system can encourage good passwords.
Example
S.E.S.S.D.E.N.E.E.NW from west end of hall of mists
Everyone knows the first part of this. If a password is easy to remember, it is easy to crack. If a password is changed frequently, it is almost impossible to remember. Why are we still using passwords? Passwords rarely catch on in any of the other places we try to use them (car locks, electronic padlocks, electronic house locks, etc.). The few places they have caught on are typically a joke. I recently went to the side door of my sister-in-law's high security apartment. There were four keys on the entry pad with the numbers worn off. I didn't even bother to call up to her until I had the sequence figured out. Thirty years of trying to lock down systems seems to have taught us nothing. Why aren't we demanding something better, such as USB keys, fingerprint scanners, etc.? Whenever I discuss this, there are quite a few who say it is the user's fault, that they must be trained to use passwords that are secure, and then everything would be fine. Sure, and if everyone loved each other, there would be no more war. But let's deal with people as they really are, not in some theoretical alternate universe. I'll say it again - thirty years of experience has taught us that passwords do not work. At some point we need to stop trying to start that car and get a new one.
This implementation of S/KEY includes a scheme for making machine-generated passwords that are supposed to be memorable by humans. Does anyone have any experience with such a system, as used in real life?
Just because there's a tradeoff between ease of use and security, that doesn't mean that you can't sometimes improve both; most real-life systems are probably not optimal in either way.
To give an example of a really retarded password system that's completely nonoptimal, I teach at a school where the faculty turn in their grades on a computer. Security is obviously an issue. The password policy is that your password must consist only of digits, at least six of them. Now this certainly will stop people from choosing "password" or "rover" or "aaa" as their password, but they'll probably end up using their birthdays, or writing their passwords on a post-it, because they can't remember a string of digits. And of course the idea of restricting it to a character set of only 10 digits is pathetic -- it just reduces entropy. (The people who wrote the software are so clueless, they even set up the default configuration so that you have to type in your password twice in order to log in -- I guess that was meant to increase security! It took a few months for the school's admins to change that.)
Find free books.
I've often felt the idea of putting the responsibility on the users to pick obscure passwords is a bad idea. As others have pointed out, this leads to all kinds of problems, (especially when the users have to change their passwords every month or two on many different systems).
If the problems occur because of software which cracks passwords, why not make the systems more secure against the methods used by such software? One obvious method is not allowing multiple log in attempts in quick succession. Many systems only allow 3 attempts at a log in before you have to wait 5 minutes to try again. To me this would make software that takes the shotgun approach to cracking passwords fairly useless. (And it would still allow users to pick obvious passwords like "shoe").
Am I missing something here? (I am not trying to be facetious, I am seriously interested in why this approach isn't used more often).
Our company's business is shipping medical software on laptops for drug studies. We had to start complying with 21CFR Part 11 for all studies done in the US (has to do with electronic signatures and record-keeping). Fully half of the sites that we have visited for training or orientation on a study have post-it notes with user IDs and passwords either on their screens or on the underside of the laptops...and this is when they KNOW we're coming to train them on this and they KNOW we're gonna holler at them for the violation, because the FDA will do more than holler at them when they show up for an audit and the FDA doesn't have to announce their visit before they show up.
I would be less surprised at this if we forced strong passwords, but we don't. 21CFR Part 11 doesn't specify how strong passwords have to be, so we use fairly weak rules--four to ten characters, not case sensitive, symbols allowed, expire after a year. (And the only reason we went with four characters was because the user ID is three characters and we didn't want the password to match the user ID). Then we had one of our trainers going around suggesting to users that they use their year of birth as their password...nobody knows anyone else's year of birth, right? We actually had a user at one site write THAT one down on a post-it note, too...
We actually had to fight administration here on development of our next software package because the PHBs wanted passwords to be a minimum of one character. I finally convinced them by having the vice-president change his screen-saver password to a one character password and manually hacked it while he was sitting there, but then he just wanted to change it to two characters! We finally got them up to five characters, but it took some doing...and forget about trying to get them to approve case-sensitive or forcing numeric entries too...
Denver Isuzu Suzuki
Funny that they scored 30% of the accounts in an hour.
Back around '93 or '94 I did the same sort of password analysis at one of the big-3 auto companies. An hour of cracking yielded roughly the same percentage of accounts.
If I recall correctly, I used an HP-750 and Crack.
Of course good password policies are very tricky. If you regularly require your users to change their passwords to new and difficult to remember strings, they will simply write them down.
With the coming of USB-size hard drives, passwords will not survive the next generation of communication systems. A public/private key system will take their place, with those small USB hard drives containing the keys to access the system. No need to change passwords either; it can be completely automated, and the keys will be long enough to be safely uncrackable.
Also, a USB hard disk will become what a metal key is now: a fundamental piece of our daily job.
The other side of the coin is that those keys can be given away easily, or even stolen. True, but how many times did you hear your users tell their passwords to each other (can you check my e-mail while I'm away? thanks) for whatever obviously stupid reason?
And also - you can force users to use long, difficult passwords. But how long can you screw with your CEO's patience?
Cheers
-- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)
So you suspect that your passwords are crackable? Here's an obvious idea: Every week run a 4 hour crack attempt on your password database. Users who come up with bad passwords must change them upon the next login. If a user can't pick a decent password 3 times in a row, then a random password is assigned to them (or you pick one for them).
Shzaam@! No more bad passwords!
IMNSHO, the best policy is to allow the user to have a password that does not expire, and force it to be a good password. That way the user will have a virtually uncrackable password that they can also remember. Of course if compromise of the password, or a system the password is contained or used on is suspected, THEN you force the password change.
Of course, all bets are off if you are using insecure protocols and hire web programmers who cannot figure out how to handle/store session data securely.
I have my own policy when it comes to passwords and how difficult they are. It's all a matter of degree.
Our NT network uses a fairly weak password system to be honest (8 characters minimum, no uppercase or numbers required), which I find completely silly. I can use most dictionary words to log into my workstation in the morning, but I don't. Because I have admin access to my own machine, and access to a lot of other resources, I make sure my password is somewhat obscure by throwing in mixed-case and numbers where they wouldn't be expected.
Now, if you're talking about a silly login to the NYT website, and other assorted types of sites, I have a standard easy to remember password I use for it, completely separate and apart from any of my other passwords. If anyone gets ahold of it or guesses it or whatever, the worst they can do is browse the NYT site on my login id. woo.
Then there's the big ones. Root access passwords to critical machines. Those are always completely obscure, meaningless, hard-to-remember strings (at least for anyone else... for me, they're associated with something I'm personally familiar with).
Moral indignation is jealousy with a halo - H. G. Wells
I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file.
:-)
Golly, yes, the users will be impressed by that: here, enter a password into our computer here and we'll tell you what you just typed
Matthew @ Bytemark Hosting
I had strongly considered posting a response similar to this one in the worm thread appended to Slashdot earlier today.
Nearly every member of the Slashdot community is an advocate of "secure programming," but the possibility exists that we may be overlooking some of the most trivial preventative measures that could be utilized to protect our applications from intrusion.
Don't assume that the individual installing your program is competent, proficient, or intelligent. Had MS SQL been programmed in this manner, it would have never accepted logins to usernames without (strong) passwords applied. SQLsnake would most likely not have propagated as easily beyond its author's machine.
Both programmers and administrators must act responsibly for an application to be configured securely. I'm certainly not suggesting that administrators should be permitted to shirk becoming educated and competent. I'm merely recommending that programmers attempt to prevent incompetence from compromising an otherwise secure application by dedicating a small amount more time and effort.
Approximately fifteen minutes of the Microsoft programmer's time and ten lines of code may have prevented the loss of hundreds of man-hours and perhaps gigabytes of bandwidth.
Do you like German cars?
As many others have pointed out, it's between a rock and a hard place. Allow weak passwords and you'll get them. Force strong ones and they'll be written down where anyone can find them (I used to work at a company whose Unix admin wrote down all the root passwords on the bottom of his keyboard wrist rest. Yes, he sucked.)
The forced password changes really piss me off though, especially when combined with long memories of "previous passwords". I use secure, uncrackable passwords for most things, and particularly for work. But when I'm forced to change them every 30 days you can bet I'll run out of things that I can easily remember, especially since I have passwords for work, for home, for email, for websites, my ATM card(s), the company's alarm system, and so forth. Eventually I end up relying on wonderful passwords like "abcdef1" which may as well be an invitation to use my UID.
It really is a catch-22 situation. I suppose SecurID and the like are the "best" solution, but they're nearly as unwieldy for the user as strong passwords. But at least they can't just be written down -- just lost or stolen.
Could someone please explain how this qualifies as news? Slashdot is so fucking worthless now.
The article is, needless to say, stating the obvious, but it is nevertheless drawing attention to an increasing problem: as more people use computers, more people use simple passwords.
I think this is particularly the case with novice users. Speaking from experience, my first use of a password was the school computer system. Firstly, in the first term we were not allowed to change our password from "password"! Then we were told to think up something a bit random that you wouldn't forget. Well, how was I meant to do that? Something random _is_ hard to remember. So I used my middle name. This remained unchanged for a long, long, long time, until my hacking boyfriend decided to hack into my school network and easily worked it out. It was only then that I decided to change to the serial number on my mouse.
So really, novice computer users simply do not see the need to choose good passwords- who's going to go hacking into the system anyway? Paranoid about credit card usage perhaps, but average users like myself generally don't think too much about anything else. It is here that the problem lies.
Some years ago a Danish hacker managed to hack his way into the Pentagon. This was done by using the first letters in the title of the persons whose account he was trying to break.
Your way might prevent you from a dictionary attack, but not from any dedicated hacker who knows what he's doing, if the sentence is in any way related to you.
You should choose your passwords from /dev/random (to pick from the set of all allowed characters) and memorize them. Then you might have a chance.
I don't mind having to have a good, secure password. My gripe is having to change it every 30 days, when I'm logged into 3 different NT domains, and I have to figure out how to get my accounts' passwords all synchronized when trust relationships are broken. NT and domain trust relationships fucking suck. MS created Active Directory to kill Novell, and IT bought it hook, line and sinker, and nobody is even fucking using directory services.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Login: Bob
Password: password
You are the weakest link! Good bye.
Logout
Outdoor digital photography, mostly in New Engl
The problem users are bonehead sysadmins who use their authority to bypass the password policy or just don't set secure passwords.
I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".
The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
Conformity is the jailer of freedom and enemy of growth. -JFK
SSN = social security number, also called "your sosh" for short, because it is used for so many more things than USA retirement benefits. Like as a password. Many organizations actually use people's SSNs for authentication, which is insecure and opens people up to fraud.
Why not just drop passwords entirely and go with smart cards? All the new Sun workstations I've seen come with smart card readers, and they're an option with most new business Dell boxes.
The problem with users choosing their own passwords was solved for us. We choose for them. Labor intensive? Yes it is; however, a few hours' work for us (150 users) each password change period is worth it.
Now if I could only get some of them to quit posting their #$@$%@#$ passwords on their cube walls!
I don't find this terribly difficult. Here's what I normally do...
I find a book. I take a word or string out of its title, then convert some 'easy' characters into similar numbers (i becomes 1, 3 becomes e, etc.), and bingo.
For example. You may have the Perl Cookbook on your desk for a month; password: p4rl-c00b0ok. All employees/students need to remember are words, then have a mapping of letters to numbers. Alternatively, just choose a random pattern on the numpad which is at least eight characters long.
I work in healthcare information security. Do you know how hard it is to convince doctors (and even nurses) that they need a secure password? And how can you expect them to remember a password when they're remembering that you have idiopathic thrombocytopenic purpura, an allergy to penicillin, 120/50 BP, a foley, a GI bleed, fractures to your lower occipital floor, blood gasses, blood type, meds and your age, weight, race, name, room number, etc. - along with several other patients. They want computers to be easy and work all the time, not 'secure' - their concern is for saving lives. If the network dies/gets hacked, people don't start dying! We need CHEAP biometrics, not complex passwords! These guys balance chemical equations in their head in order to SAVE YOUR LIFE! It's infeasible to require that they have a password like LWs34%k - and one like that on the 5-6 different systems they use. We've tried PKI, but when you're running such a massive variety of software, they just don't want to play nice. Trust me, if there was a cost-effective way to ensure good passwords that DOCTORS and NURSES could use easily, we would have done it by now...
There are systems that can scan your retina for a digital fingerprint, and other systems available today including strong passwords, but the best defense is to have layered security and combine them together. Linux is an example: a lot of little programs, when combined, make a powerful, robust operating system. How much trouble would it be to have your employee look at the terminal while it scans their retina to identify them? The employee would have a hard time saying they forgot their eye today and cannot access the system. This combined with other security options in a layered approach is your best defense. This technology is already being used in the financial services sector; why not deploy it in your company?
OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.
.. .. ok I have oversimplified things a bit but you get the point right?
I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.
I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.
Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolute sense, whereas replacing digital equipment actually introduced a danger of failure.
Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.
If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9, then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!
A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc. (or better yet issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).
Once users have a robust password, allow them to use it indefinitely!
Live today. Tomorrow will cost a lot more!
To increase the protection against brute force attacks, you need to increase the number of possibilities that the attacker must examine. One method is via passwords that include numbers, mixed case, etc. Unfortunately, those are difficult for many users to remember. Another approach, however, is to use more than one word--and most users have less difficulty remembering a phrase than an obfuscated list of symbols.
In short, use passphrases instead of passwords.
In practice, when people have to change their password every few weeks or months, they typically either have a standard modification of a base password, incrementing a number on the end or the like, to make it easy to remember the new password, or, because they have to think of 'secure' passwords again and again, they have to record them somewhere to remember them.
The first action renders the new password only barely better than the last, and the second opens a physical attack, by finding the file or piece of paper where the passwords are recorded (ever see Wargames?)
If someone's conducting a brute-force attack on a password, it doesn't matter whether you change it often, as the chance of hitting it in any given time interval stays the same whether it's changed or not.
Expiring passwords only help to lock out people who already have access to your system because they guessed your current password. In most cases once someone has breached your system it's irrelevant to lock out the password they used, as they've either changed the password themselves, created a new account, installed another backdoor, or done the damage/thieving they set out to do.
To sum up: Making passwords expire incents users to make passwords that are easier to guess, or makes them write the passwords down to remember them. Both of these are bad.
Kevin Fox
"Memorizing multiple truly secure passwords on a rotating basis are a pain in the ass"
Not only that, it's risky, because either you write them down (risky) or you sometimes forget them. You are perfectly right about weighing the costs and benefits, but remember to take into account what the cost is if you lose your password. Is there anyone reading this who hasn't at one time or another lost a password? For a random user, it's no big deal, because you can probably, with a little effort, prove your identity to some admin and regain access. If you're the admin, the price is a lot higher.
I am not a computer scientist, but I don't see why we are still using 8-char passwords. Is it some obscure UNIX compatibility issue? The least we could ask was that those 8 chars be the product of a hashed password (which could be longer).
xkcd is not in the sudoers file. This incident will be reported.
Just wondering if there are any tools that 'test' how good a password might be. I have plenty of different passwords that I think are 'strong', but are they really?
DieCowboyNealDie
Ad luna, Alicia! Ad luna!
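The strength-based expiry proposal above, the book-title-with-digits trick, the passphrase argument and the question about tools that "test" a password all come down to the same estimate: how much work a dictionary-plus-mangling cracker needs. The following is an added example, not code from the thread or from any product named in it. It scores a candidate password the way such a cracker would see it (dictionary words, leet substitutions, years and trailing counters are cheap; only unpatterned characters get full credit) and maps the score to an expiry period. The WORDLIST, the assumed attacker-dictionary size and the expiry thresholds are constructed assumptions, not anyone's real policy.

```javascript
// Added example (not from the thread): estimate how much work a dictionary-plus-
// mangling cracker needs for a password, then map that to an expiry period.
// WORDLIST, DICT_BITS and the expiry thresholds are constructed assumptions.
const WORDLIST = new Set([ // constructed stand-in for a cracker's wordlist
  'password', 'rover', 'shoe', 'perl', 'cookbook', 'john', 'luke', 'mark',
  'peter', 'rocket', 'oracle', 'correct', 'horse', 'battery', 'staple',
]);
const DICT_BITS = Math.log2(100000); // assumed size of a real attacker wordlist
const YEAR_BITS = Math.log2(131);    // a year in 1900..2030 is one of only 131 values
const LEET = { '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't', '@': 'a', '$': 's', '!': 'i' };

// Undo "i becomes 1, e becomes 3" style substitutions; cracker rule sets do the same.
function unleet(s) {
  return s.toLowerCase().replace(/[013457@$!]/g, c => LEET[c]);
}

function isYear(digits) {
  return digits.length === 4 && Number(digits) >= 1900 && Number(digits) <= 2030;
}

// The naive view: bits per character if every combination of the classes present were tried.
function charsetBits(password) {
  let n = 0;
  if (/[a-z]/.test(password)) n += 26;
  if (/[A-Z]/.test(password)) n += 26;
  if (/[0-9]/.test(password)) n += 10;
  if (/[^A-Za-z0-9]/.test(password)) n += 33;
  return Math.log2(n);
}

function naiveBits(password) {
  return Math.round(password.length * charsetBits(password));
}

// The cracker's view: dictionary words, leet substitutions, years and trailing
// counters are cheap; only characters with no recognisable pattern get full credit.
function estimateBits(password) {
  const perChar = charsetBits(password);
  const notes = [];
  let bits = 0;
  // Tokens are runs of letters, digits and common leet symbols; anything else separates them.
  for (const m of password.matchAll(/[A-Za-z0-9@$!]+|[^A-Za-z0-9@$!]+/g)) {
    const tok = m[0];
    if (!/[A-Za-z0-9@$!]/.test(tok)) { // separator run: attackers try the common ones first
      bits += tok.length;
      continue;
    }
    if (/^\d+$/.test(tok)) {
      bits += isYear(tok) ? YEAR_BITS : tok.length * Math.log2(10);
      if (isYear(tok)) notes.push(`"${tok}" looks like a year`);
      continue;
    }
    // A word core plus an optional numeric suffix (the "increment the number on the end" habit).
    const [, core, suffix] = tok.match(/^(.*?[A-Za-z@$!])(\d*)$/);
    const word = unleet(core);
    if (WORDLIST.has(word)) {
      const subs = [...core].filter((c, i) => c !== word[i]).length; // leet/case substitutions
      bits += DICT_BITS + subs; // each substitution is roughly one extra bit, not a new charset
      if (suffix) bits += isYear(suffix) ? YEAR_BITS : suffix.length * Math.log2(10);
      notes.push(`"${core}" is the dictionary word "${word}" with ${subs} substitution(s)`);
    } else {
      bits += tok.length * perChar; // no pattern found: charge the full charset
    }
  }
  return { bits: Math.round(bits), notes };
}

// Constructed policy in the spirit of the proposal above: the stronger the
// password, the later it expires. 0 means reject; Infinity means never expire.
function expiryDays(bits) {
  if (bits < 28) return 0;
  if (bits < 40) return 30;
  if (bits < 56) return 180;
  return Infinity;
}

function checkPassword(password) {
  const { bits, notes } = estimateBits(password);
  return { bits, naive: naiveBits(password), expiryDays: expiryDays(bits), notes };
}
```

Under this model "p3rl-c00kb00k" looks like 79 bits to a charset counter but only about 39 to a cracker that undoes the substitutions, while a four-word phrase of dictionary words scores higher than the seven-character "LWs34%k" quoted elsewhere in the thread, because each whole word costs the attacker a full dictionary pass rather than one character's worth of guesses.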
Lots of good points here, but anybody ever work on or manage a help desk? Suppose you institute a new policy and set the global account preferences for a 30 day password expiration? What do you think you will be dealing with on the morning of day 31? I had to implement a similar policy at a major oil company with 7500+ employees. Unfortunately the rocket scientists who came up with the password rules didn't bother to notice that NT, Novell and OS/400 treat such things as leading numerals, special characters and capitalization quite differently. Whoops! There went single-sign-in for 7500 people!
Why not consider a few things?
Secure physical access to servers and critical devices. (get me a NT SAM on a properly configured and secured server without first having admin access...possible but easier said than done)
Properly apply security patches and policies.
Properly assign user rights and privileges. (seriously, how much damage will be done if somebody gets the password of a low level user, and who is going to target such an account instead of spending time on common admin and system accounts?)
Teach users about email attachments. One could easily find the password no matter the complexity of the format by sending an attachment containing a keystroke logging trojan or application and then just sit back and wait for the harvest. There are several which do not trigger virus warnings. Imagine:
> From: enforcement@sec.gov
> To: CEO@bigcompany.com
> Dear Sir, This email is to notify you that the SEC is seeking information to determine whether further action is required concerning a filed complaint. Please see the attached document for the full text of the original complaint: >>
Now, even if the CEO doesn't personally read this, his assistant will, or a company attorney will. Do you think the CEO will be happy to find out his 30-day password of %^HL23@qqEw was cracked and that every time he changes it, it's sent off to some hacker?
Then just use unshadow to combine the passwd and shadow files and run john on it. I just did it and one of the passwords on my system was cracked within 10 seconds.
Bah! It's time to tell the system to expire my gf's password... wonder if she'll be pissed :)
Oh yeah, on debian, you can have john run as a cron job which mails users with weak passwords to change them.
*I have a feeling gf will be complaining to me soon how she's getting spam from someone named john. heh.*
Liberty.
Sure - some legacy systems may only accept username/password as credentials - but most newer systems will accept digital certificates, biometric authentication, token, kerberos tickets etc etc.
One other method is to use single sign on technology integrated with strong authentication - take a look at Novell Security solutions
These combine single sign on technology with strong authentication against a cross platform directory service.
Evil ZEN Scientist
Well, back when I had a real job as a sysadmin, not as a QA monkey, our CEO (and CFO) demanded their passwords never changed and were passwords they picked. Stuff like: "rocket" .. what am I gonna do? They signed the checks...
.cig
Treating it all as the same problem is stupid. Microsoft isn't the only one doing it. Most companies out there are treating it as one problem. A lot of companies, in their excitement at riches, didn't implement multiple levels of security in their networks. Things like having two layers of security in front of your database and only allowing outside connections to your app and database server from trusted IPs.
Your average Windows system shouldn't need hardcore protection, but your Excel spreadsheet with your SS#, account numbers and other sensitive data should. Why in the world should Windows have high security if I want to let someone check a website real quick? I'll be damned if every freaking time someone else uses my system I have to log out and let them log in. Windows XP does allow multiple logins, which is a good start, but far from a complete solution.
The problem is the people who set them. Most of them think that their accounts are nothing more than a place that people can read email sent to them. They do not realize that a malicious person has no interest in accessing their personal correspondence, but rather in assuming an identity that is not their own.
The simple truth is, and it becomes evident when you think of it this way, the people with the greatest vested interest in password security are not the people who the passwords belong to, but the people providing the service that password gives access to. In real life terms, the company wants John Doe's password to be secure a lot more than John Doe does.
I'm working at the IT Helpdesk for my school, and I've found that a brief addendum to our 'introductory' speech that we give new employees and students can often clarify a lot of misunderstanding. That addendum consists of a simple explanation that password security isn't done as much to protect their own personal emails, but to prevent people from pretending to be them. This little bit of "insight" seems to change a lot of people's perception of password security, and they tend to be a lot more understanding of password uniqueness, length, and character variety requirements.
Of course, this still doesn't prevent them from leaving their logins and passwords on a sticky note on their monitor.
Moo
here.
[o]_O
All it takes is one mistake in WHERE you type that password, and suddenly there can be a plain text record of it. Look over your logins and there is a good chance that someone has typed their password there. Same with email and logins: people will enter the password that jumps to mind, even for the incorrect service.
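The failure mode described in the post above (a password typed into the username field and recorded in the auth log) is detectable after the fact. The following is an added example, not the poster's code: it scans constructed log lines in an sshd-like layout for "invalid user" failures that either contain characters no account name has or are followed within a minute by a successful login from the same source, flags them for rotation, and scrubs the stored lines. The line format, hostnames, addresses and the USERNAME_RE shape of a legitimate account name are all assumptions; a real deployment would adapt LINE_RE to its own log format.

```javascript
// Added example (not from the thread): find passwords that landed in the
// username field of an auth log. SAMPLE_LOG is constructed; the layout loosely
// resembles sshd messages but is not a real capture.
const SAMPLE_LOG = [
  '2002-05-22T08:01:02Z sshd[411]: Failed password for invalid user Tr0ub4dor&3 from 10.0.0.7',
  '2002-05-22T08:01:09Z sshd[411]: Accepted password for alice from 10.0.0.7',
  '2002-05-22T08:15:30Z sshd[412]: Failed password for invalid user bob from 10.0.0.9',
  '2002-05-22T08:20:00Z sshd[413]: Failed password for invalid user hunter2! from 10.0.0.12',
  '2002-05-22T09:00:00Z sshd[414]: Accepted password for carol from 10.0.0.9',
  '2002-05-22T09:30:00Z sshd[415]: Failed password for alice from 10.0.0.7',
];

const LINE_RE = /^(\S+) \S+ (Failed|Accepted) password for (invalid user )?(\S+) from (\S+)$/;
const USERNAME_RE = /^[a-z0-9._-]+$/i; // assumed shape of a legitimate account name

function parseLine(line) {
  const m = line.match(LINE_RE);
  if (!m) return null;
  return { time: Date.parse(m[1]), ok: m[2] === 'Accepted', invalidUser: Boolean(m[3]), user: m[4], source: m[5] };
}

// Two signals that an "invalid user" is really a password:
//  (a) it contains characters no account name has;
//  (b) the same source logs in successfully within `windowSec`: the user retyped
//      the fields in the right order, so the first attempt was the secret.
function findExposures(lines, windowSec = 60) {
  const events = lines.map(parseLine);
  const found = [];
  events.forEach((ev, i) => {
    if (!ev || ev.ok || !ev.invalidUser) return;
    const reasons = [];
    if (!USERNAME_RE.test(ev.user)) reasons.push('contains characters no username has');
    const next = events.slice(i + 1).find(e => e && e.ok && e.source === ev.source && e.time - ev.time <= windowSec * 1000);
    if (next) reasons.push(`followed by a successful login of ${next.user} from the same source`);
    if (reasons.length) found.push({ lineIndex: i, value: ev.user, source: ev.source, account: next ? next.user : null, reasons });
  });
  return found;
}

// Once flagged, the secret has to be rotated and the stored log scrubbed,
// otherwise everyone who can read the log can read the password.
function redactExposures(lines, exposures) {
  const out = lines.slice();
  for (const ex of exposures) {
    out[ex.lineIndex] = out[ex.lineIndex].replace(`invalid user ${ex.value}`, 'invalid user [REDACTED]');
  }
  return out;
}
```

On the sample, "bob" is left alone: it looks like a username and no one from that address logs in soon afterwards, so it is most likely a typo rather than a leaked secret.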
Do you mean to tell me that the technology that kept so many police out of speakeasys has finally been toppled? I'm shocked!
From now on, I'm going to run my systems on authentication via signed permission slips.
And I just figured out the terminology for why: they're not a capability. And I'm not a raving capabilities geek like the erights folks, it's just that passwords are so "exposed" by virtue of the fact that they're entered, often in plain sight, and typically for other mechanisms, have to be stored in config files that now have to be kept nonreadable, because they contain database passwords. Every other security mechanism I'm comfortable with isn't really subject to the guessing attacks, to being written down, to being exposed. Everyone can look at an ACL or a PAM config file, know who has the access, but it's all quite pat, one has the access already by virtue of having some existing credentials, or they don't. Nothing that can be taken and duplicated, no piece of information that can get stale and has to be changed.
I guess that's just how it works, you have to initiate the chain of authentication/authorization somewhere, and lacking a physical token, you choose something that's easily replicated to whatever needs the security. A secret stored as a string fits that bill nicely.
About the only thing that feels "squishier" than passwords is the timeout aspect of Kerberos auth... the whole notion of a timeout as a security feature just feels like a race condition to me.
I've finally had it: until slashdot gets article moderation, I am not coming back.
The solution to this is simple - two-factor authentication. Most Americans are already using it every week (and don't even know it) in the form of an ATM card and PIN. You can give away your PIN, and as long as your ATM card is not stolen by the person who knows your PIN, you are fine. The reverse is also true.
Once this comes to network security, users will even be able to set their PIN to "4444" and be reasonably secure (provided that they report when they lose their card so that the security folks can lock out the card, and that the security people lock out the user after 3 incorrect PIN entries).
Also note that I'm talking about a simple magnetic stripe card, not a smart card. It can be easily put on the back of your employee badge, so if a user loses it, the sysadmins will know because your front desk won't let them in the building.
Enjoy,
-Mark Radulovich, CISSP
That deserves much praise. I've seen 70% broken in 20 minutes at an unnamed company I used to work for. That was 12000 accounts (NT domain). And that was a few years ago on slower hardware.
Seriously - 30% isn't all that bad if the cracking software is configured well.
Evan - needs to hit preview before submitting
I'm not convinced that mandatory changing of passwords helps. It would seem that having to change a password every 30 days or so would encourage weak, easy to remember passwords. Or, the infamous sticky note on the monitor with the pw on it. Does anyone know of any actual research into the value of forced password changes and/or the optimum cycle time? Or, is this just something security admins cooked up to look like they were doing something?
Geeky modern art T-shirts
Can somebody explain to me how I could possibly come up with a password that would take decades to crack? Or even years? I just don't see it.
-joshjs
One concern I personally have regarding passwords is the need to either use the same password at numerous different locations or to remember numerous different passwords and where each was used. With the number of different internet sites requiring passwords today, the second option often isn't feasible. Yet, on the other hand I hate reusing passwords because I am never sure of the security of the password database on the other end. If one database is compromised, that password is compromised for all the sites I have used it at.
What I wonder is if the traditional password system can be replaced using a model based upon the public/private key encryption model. (This idea is somewhat beyond my technical knowledge/capabilities, so please excuse any mistakes.) I know that using my private encryption key, I can digitally sign something such that it can be identified as coming from me using my public key. Could there be a similar setup in which I have both a private and public half to my password? The public half would reside on the other end's database, but if it were compromised, it would not compromise my password at all other web sites.
(Stripping it down to a simple enough form that I can handle it...) My password for site www.abcd.com is www.abcd.com, and this schema is followed for all websites. Each website is given a copy of my public encryption key. However, if somebody tries to log in using my password, (www.abcd.com), the website rejects them because it only accepts the password if it is digitally signed using my private encryption key. My private encryption key is never given by me to any website! Therefore, if any cracker gains access to a website's password list, the information is useless for attacking any other websites, because there is no secure information in it. He can have my public encryption key if he wants, and I expect he already knows the name of the website he cracked. He does not, however, have my private encryption key, which is essential for logging in on any website as me. Because each website has a different URL that must be encrypted using my private key, he also cannot simply log the encrypted password as sent to him at the cracked website and send it to another website to log in as me.
Can anybody tell me what weaknesses or technical problems there are with my idea? One that I can see is that anybody gaining my private key can gain access to all websites, but that could be remedied by having several different private keys, but still fewer private keys than you would need secure passwords for otherwise. Another problem would be that the private key would need to be transported around by the individual, because it would be much longer than the typical individual would care to remember. (1024 or 2048 bit would seem appropriate, if I remember how public/private bit strength compares to symmetric)
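The scheme proposed in the comment above, written out as an added example (this is not code from the original post): each site stores only the user's public key, the client signs the site's name together with a nonce the server hands out for that one login, and the server checks the signature against the stored public key. The signature primitive is textbook RSA with no padding, spelled out so the mechanics are visible; that is a deliberate simplification for illustration and not how a production system should sign, where a vetted library and a standard scheme such as RSA-PSS or Ed25519 belong. The per-login nonce is an addition to the post's idea: signing the site name alone stops a captured signature being used at another site, but not being replayed to the same one. Key size, site names and usernames are assumptions.

```python
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, adequate for a demonstration key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(p):
            return p


def generate_keypair(bits: int = 512):
    """Textbook RSA keypair: returns ((n, e), (n, d)). Illustration only;
    unpadded RSA is not a secure signature scheme for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _challenge_digest(site: str, nonce: str) -> int:
    """What gets signed: the site name binds the signature to one site,
    the server-chosen nonce binds it to one login attempt."""
    h = hashlib.sha256(f"{site}|{nonce}".encode()).digest()
    return int.from_bytes(h, "big")


def client_sign(private_key, site: str, nonce: str) -> int:
    """Runs on the user's machine; the private key never leaves it."""
    n, d = private_key
    return pow(_challenge_digest(site, nonce), d, n)


def server_verify(public_key, site: str, nonce: str, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _challenge_digest(site, nonce)


class Site:
    """One relying party (assumed). Its 'password database' holds only
    public keys, so a copy of it gives an attacker nothing to log in with."""

    def __init__(self, name: str):
        self.name = name
        self.users = {}     # username -> public key
        self.pending = {}   # username -> nonce issued for the current attempt

    def enroll(self, user: str, public_key) -> None:
        self.users[user] = public_key

    def challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, signature: int) -> bool:
        nonce = self.pending.pop(user, None)   # single use: no replay
        if nonce is None or user not in self.users:
            return False
        return server_verify(self.users[user], self.name, nonce, signature)
```

The two properties the post is after both fall out of what is signed: a signature lifted from www.abcd.com's logs verifies only against that name, and a leaked user table contains nothing that can be turned into a signature for any site.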
My place of work attempted to get some kind of compromise. How well these would stand up I don't quite know.
The system gave you three choices of password pseudo-randomly generated. This was the user's entire creative input, choosing 1, 2, or 3.
They were all 9 characters long.
They were all lower case letters
They were three groups of consonant - vowel - consonant
e.g. yeglitpuk
(This has not been my password, nor will it ever be)
Is the problem really with weak passwords here?
In 10 years computer power will be increased. With quantum computers passwords will be very easy to crack. I mean, will we ever be able to enforce a 3000 character password?
In most cases protecting your password file, and preventing password crackers/guessers from working, is the key.
Your login page/dialog is your first line of defense. Set up lockout functionality, only allow a certain number of attempts. Track logon attempts and throw alerts to system admins. We need to catch the people attempting to break in.
If someone gets your password file, or access to your database, you're screwed, period; it doesn't matter how strong your password is.
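One way to build the lockout and alerting just described, as an added example that is not code from this comment or the earlier two-factor one (it also covers that post's "lock out the user after 3 incorrect PIN entries"): a small login guard that stores salted PBKDF2 hashes, counts failures per account, refuses every attempt during the lockout window even when the credential is right, and records an alert the moment the threshold trips. The thresholds, the injected clock and the in-memory account store are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an example setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts failures per account and locks the account for a window.

    While locked, even the correct credential is refused, so an online
    guesser gets at most max_failures tries per window, and every trip
    of the threshold lands in the alert list for the admins."""

    def __init__(self, max_failures=3, lockout_seconds=1800, clock=None):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock if clock is not None else (lambda: 0.0)  # injected for testing
        self.accounts = {}   # username -> Account (assumed in-memory store)
        self.audit = []      # (time, username, event): what the admins review
        self.alerts = []     # messages that would be sent to the on-call admin

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user, password) -> bool:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Burn the same hashing cost for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            self.audit.append((now, user, "unknown_user"))
            return False
        if now < acct.locked_until:
            self.audit.append((now, user, "rejected_locked"))
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            self.audit.append((now, user, "success"))
            return True
        acct.failures += 1
        self.audit.append((now, user, "failure"))
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
            self.alerts.append(
                f"{user}: locked for {self.lockout_seconds}s after "
                f"{self.max_failures} failures at t={now}")
        return False

    def failed_attempts_since(self, since: float):
        """What an admin pulls from the audit trail when an alert fires."""
        return [(t, u) for t, u, ev in self.audit if ev == "failure" and t >= since]
```

The guard only limits online guessing; if the attacker has the hash file itself, as the comment says, none of this applies, and only the hash's own cost (the PBKDF2 work factor here) slows them down.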
What does a fingerprint or retinal scanner cost? Biometric passwords are definitely easy to remember and would take pretty serious effort to crack (though I've heard it's possible).
I know this wouldn't work in every situation. It seems that a lot of places where I use passwords would be amenable, though. Certainly if I'm physically located at the terminal, this is an easy solution (and there are many devices already on the market). If I'm not at the terminal, like accessing a website, why couldn't my biometric password be used as my public key for SSL et al.?
Rather than having the same arguments again and again about easy vs. secure text passwords, why don't we start using something better?
Passwords are too hard to remember in an age when you have five billion numbers you have to remember just to tie your own shoe. SSN, locker combination, voicemail number password, home password, work password, 12 other work passwords on poorly designed networks, slashdot password, passwords to all your favorite protected websites.....
...or something you can associate with yourself that people can't easily guess. For example, if your name is CmdrTaco and your password contains the word "Taco", it's not a good idea. Maybe two small words will work just as well.
People don't think creatively about their passwords, and most people can't memorize that much information. A computer can't think creatively, so if a person thinks creatively and uses only information they know, they can beat password crackers. Here is the best way I feel to handle passwords.
1) Pick one password for all your secure personal and work information.
2) Pick one password for your nonsecure information (business sites with no personal information on you, gay-pedo-sheep porn sites, news sites)
3) If you can't avoid it, pick a password for your place of work different than the first two.
4) Rotate these passwords every 6 to 12 months. Remember to go back and update as many sites as you can, but keep in the back of your mind those old passwords in case you miss a site or two.
5a) When thinking about the password, pick a word you can think of, not necessarily a dictionary word, something that's easy to remember
5b) Then think of a number that's easy to remember, something significant that an internet cracker might not know about. 69 and 42 are bad choices, but your old high school sports number might work, especially if you are 40+ years old and no one knows where you went to high school and they aren't singling you out.
5c) Mosh the word(s) and number together in an easy to remember format.
For example, say your high school football number was 88. Say your best sweetheart's nickname is "goober." Maybe you could come up with a password called 88Ngoober, or GooberN88. You could even do 88Goober88. You've come up with an easy to remember password by creating a good mental schema and the password satisfies most password format and length standards (that is if you only have an 8 character standard).
People too often are given passwords like SFTJYADEBAVSDFGHSRTDBDFC and expected to remember them without writing them down. That's ludicrous.
"All great wisdom is contained in .signature files"
RDB164771829MILLER
To make it even easier on myself I always use the same username OICU812.
Noone is ever getting into my accounts!
Worth a read. Talks about graphical passwords and a little on biometrics.
Link
Never confuse feeling with thinking.
IBM's policy is
1.) password must be >= 8 char
2.) must contain at least one letter (A-Z)
3.) must contain at least one numeral or sym (1-$)
4.) cannot contain any parts of any past passwords
i.e. "stop4me0" == "this1stop" and is not allowed
5.) cannot "recycle" passwords (system remembers all old passwords and cannot reuse any of them)
6.) user must change passwords every 6 months
about the only thing they have not done is force users to have different passwords on every system they are on.
The thing that pisses me off the most about these rules is not the rules but more the lack of an update system. Every 6 months I spend approx. 2 days just trying to find all the different systems I have accounts on. I wish there was a tool that just listed all the systems with your userid on them and had a link to where/how to change them....
A few years ago, I had an account at a local ISP that offered shell access. Amazingly, they were not using shadow passwords even though that option was available at the time. I grabbed the file, and using my trusty 486, I cracked 4000 out of 6000 accounts in 2 weeks. I didn't do anything with the passwords I found, but someone more evil than me obviously could have.
John the Ripper is an excellent tool, and will also work on Windows passwords with an add-on.
Need Free Juniper/NetScreen Support? JuniperForum
The security implications are horrifying.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Weak passwords should be acceptable because a well-designed system should never let the crypt strings become available for inspection.
John the Ripper is useless if it doesn't have an input to spin against.
A weak password to a website is unlikely to be cracked if the developer takes even minimal care to prevent someone from replaying code to repetitively test it.
Almost any approach of hashing passwords is, or is going to be, amenable to cracking and brute force attacks.
Keeping the hashes out of the hands of the criminals is as doable, or more so, than trying to handle the very real social problem of forcing users to adopt strong passwords.
Indeed, strong passwords are a joke if the user turns around and uses the same password on their "home to local isp" pop3 account because they can't use their work e-mail for ebay.
The focus of system administrators should not be wasted on trying to force folks into using strong passwords. The focus of system administrators should be on ensuring the crypt strings under their control aren't exposed and on educating the users on the security needs of the passwords they do use.
For example, on our site (University) we use the concept of an Enterprise and LAN password. The Enterprise password is used on only one interface (kerberos-based system). Users know that this password can register and deregister them from the University, change W2 Withholding, and change their various LAN passwords. The LAN passwords are what they use for moving files around the Dept., reading e-mail, maybe a different one for another Depts. Unix machine, etc.
Users know that the Enterprise password is to be kept very secret and shouldn't be used on any other system. The tenets surrounding the use of the Enterprise password ensure that a compromise will have to come by shoulder-surfing, keyboard catchers, writing it down, etc. The password won't be compromised because of network sniffing or "back-ending" on passthrough authentication.
The LAN passwords, well, telnet survives, Apple Network Assistant is useful, and Dreamweaver still doesn't have sftp. Administrators need to make it straightforward for users to handle a variety of "bad" passwords. After a telnet session, the next time the user logs in, they are warned that their password might be compromised and they should change it. Two things happen here, the user decides to avoid telnet and they learn to change their password if they do.
In all of the places I've worked, the biggest barrier to implementing password policies is the users. People want simple passwords because they are lazy, and they don't want to be forced to remember a new one every month. Management has an interest in not pissing off users as it makes them look bad, and if there was a breach of security, it would make the people under them look bad, not them.
I've found that the best way to convince management to allow password policies is to whack up some sort of brute force password cracker, and run it with them sitting right there. Scare them into it. Make lots of mention about all of the bad PR you'd receive if you were hacked and what your clients would think. This will usually sway them in the right direction. A much better system would be Secure Computing's Safeword product, one-time use passwords that are event based, not time based like RSA's product. This way users don't ever have to change their password, and if it gets sniffed over a silly telnet connection, the attacker can't use it for anything.
Need Free Juniper/NetScreen Support? JuniperForum
Stated that water is wet, and that the sky is still blue.
"Shake yur bon bon"
This is a problem where I work, and I work at a police station!
It is not possible for me to implement strong passwords around here, because my users are dirt-dumb, and I would spend 100% of my time resetting forgotten passwords. The majority of passwords around here are:
badge numbers
children's names
spouses names
and birthdays.
and of those, half of them still get written down on little slips of paper and 'hidden' under mousepads.
::sigh::
http://entries.the5k.org/609/passpal.htm
Something like this could be useful if you have a lot of passwords that you can't remember... on the down side, it's a pain in the ass to fire up a secondary program and then load in the data, just for a password, cuz you're probably not going to remember the md5 return string you get back from the program.
It was a good idea though...
Hmm... reading through the comments, one thing that bothered me was the claim that users are the problem. I really don't agree with that. The biggest problem is that nobody has put all that much thought into really making anything secure. It seems reasonable to me that somebody could develop a security system that has some common sense to it.
Here is an example: Let's say that I am working on my highly secure workstation that only responds to my thumb print. This should trigger a set of rules that the computer should respond to. "The user is sitting here at the workstation, so whoever is trying to access data from this terminal from the Vancouver office cannot possibly be him."
I know that there are some security systems that use similar rules to verify access, but what I'm describing is a computer that uses more intelligent deductive abilities to grant or deny access. If a computer were to be aware of what hours somebody works, and what key was used to open the door to the office, and was even smart enough to call the guy's cell phone and see if it can hear it ring, then it would be more discriminate about what is legit and what is a hack. *realizes that is one huge run-on sentence and apologizes*
The point I'm making is that security is more than just passwords, it is about common sense. I believe this is possible. If a webserver, for example, knows that the word 'haxx0red' probably wouldn't show up on one of the pages, it could heal after somebody breaks in. Heck, the website could even be smart enough to know 'Hmm, it is 3 am, and the computer accessing me is 400 miles away from me. I seriously doubt this is somebody with legitimate access.'
Put more time into giving your systems common sense security, and they'll be harder to break into.
"Derp de derp."
www.winguides.com/security/password.php?guide=security
I'm using only one or two passwords, that I use everywhere I have to log in.
Now the good part is that both include lower/uppercase letters and numbers. Pure random. So those are almost impossible to crack. Every admin should be glad.
But the problem is that if one of those sites has an evil admin (ain't they all?), he can then easily use that password on other sites I log in to. Especially if I use the same login name. There is NO WAY I could remember different difficult-to-crack passwords for every site where I have to log in, without writing them down. Sorry admins, I just don't have a photographic memory!
Sometimes I have to learn a new difficult password, when I change company, school or something like that. No problem, if I use the password every day, I'll quickly remember it by heart. But if I need it a few times a week, maybe only a few times a month... There just isn't a way to remember things like that without writing them down.
And using the same l/p everywhere is also a risk.
What you say is certainly true, but I want to put a big caveat on it:
It's very difficult to answer the question " what are we securing and how valuable is it?" for a number of reasons. To do that, you need to define what it is you're afraid of losing and how much of it you might lose from a particular attack. Both are very difficult questions, and are often gotten wrong.
Looking at the first, people often underestimate the risk from a security compromise because they're only thinking about the confidentiality (secrecy) of their data. At least as important to consider are integrity and availability, that is whether the system and data remain correct and usable. There are lots of things that don't really need to be confidential, but do need to be right. Picture building design specs, for example. They're not secret at all - most of them will become matters of public record - so it doesn't really matter if they get stolen. God help you, though, if they get altered and you don't find out until halfway through construction.
Supposing you can somehow estimate the total VAR (Value At Risk) of your information systems, it's still nigh impossible to figure out what portion of that would be endangered by any particular attack. An apparently minor attack can easily be a stepping stone to a much more serious one. Parlaying limited access - whether acquired legitimately or otherwise - into greater power is generally called privilege escalation, and it's a common component of attacks. The "root kit" is a classic example of this. A root kit won't get you onto a system, but if you can get unprivileged access some other way, the kit will then get you root. You can't assume that the security of a given account is unimportant just because that person hasn't been granted access to anything sensitive. There's always the possibility that a user has, or could get, access to things way beyond what was intended. Consider your marketing schmoe whose password security you claim is relatively unimportant. It's entirely possible (even likely) that the network which "does not allow remote access" does indeed have a gap somewhere. And if it does, someone could telnet in, log in as Mr. (or Ms.) Schmoe, and escalate to root on their one server. At this point, the attacker can probably compromise the username and password of any other user on that server, one of whom may have access to something that does really matter. This is just a hypothetical story, but it illustrates a very important point about computer security: A series of weaknesses, any one of which would be unimportant as long as everything else worked as intended, can often be strung together into a successful attack.
As you said, security policies should be based on a rational economic evaluation of what's at risk and how much it would cost to mitigate that risk. The problem is that it can be difficult indeed to assess how much risk hinges on a given decision, so it's usually wise to be more conservative than you think you need to be.
Now, how about trying another way of authentication...
The idea is to combine the previous two. A smartcard must be inserted and to logon, your fingerprint must be used. This way, you make it really hard for someone to crack it, and still, it's easy to use/remember.
Is it 100% foolproof? Nope, but in this day and age, what is? Best security is to do everything in your head and even that can be compromised, but hey, it's better than nothing.
Why am I writing this comment? Well, I administer the network at work (at least 3 passwords), I log on at work (1 password), I have computers at clients (2-3 passwords) and I run my own servers and workstations (2-3 passwords). To sum it up, I must know at least 10 passwords where 7 of them must be really hard to crack. It's getting on my nerves damn it ;-) ... That's why!
Well, there you have it... My two cents...
Why is it an accepted and often encouraged practice to force users to change their password after a certain number of days? Obviously most of the vulnerability is caused by users selecting simple and easy to remember passwords. However, changing passwords frequently causes the very behavior we are trying to avoid. In my experience, users who previously had very secure passwords switched to easy to remember passwords such as "lastname01, lastname02, lastname03..." when forced to change every 60 days.
The more obfuscated a password is, the more difficult a time people have remembering it, thus the more likely it is that they will write it down and store it on a piece of paper near their workplace.
Try a combo of a reasonable but not insanely restrictive pass phrase plus a digital token (smart card, assuming you trust smart cards) to be safe. that way just writing the pass phrase down doesn't hurt and the pass phrase doesn't have to be so difficult to remember that it needs writing down.
Mandatory periodic changing of otherwise good passwords is the most annoying thing about password policies. One time, such a policy inspired me to switch to a password that the login programs couldn't accept, so I couldn't login again. This was a SunOS cluster over 10 years ago. It ended in:
;^L^K (where the ^L and ^K were control characters).
Nowadays, it seems that Microsoft systems don't even allow control characters in passwords. That sucks. Control characters would provide another avenue for recycling otherwise good passwords that get expired.
Users are lazy.
If you have a small company with, say, fifty people, and you educate and assist all fifty of those people, a significant fraction will still say "there's no way my account would be cracked" and set their password to "PASSWORD" or somesuch.
The fact is, you do need to force users to enter cryptic passwords, or there will always be lazy, irresponsible types who just don't do it.
of course we all know this! it was posted on slashdot before! duh!
Your mother implements multi-vendor protocols without synergy
But I have never heard of a system being compromised because of weak passwords (except for wargames :)
I know that default passwords have been problems, even slashdot was broken into because of this. But is this password stuff just hype, or has anyone on slashdot actually heard of problems deriving from weak passwords.
HOT GRITS!
Recently I went about cracking the admin logon to my sister's laptop so I could use it when she wasn't home. I dumped the passes while she was logged in as admin then loaded them into LC3 (the latest l0phtcrack). Her password is quite possibly the best one I have ever seen an average person have. It is 8 characters long, contains numbers, lower and uppercase letters, and non-alphanumerics. Sure, techie friends of mine have 22 character passwords, but for a person who's barely computer literate, her password is pretty good, and would meet almost any policy I've seen. ... Because of the qualities of her password, it was not susceptible to any dictionary or hybrid attacks, so next comes brute force. I have an Athlon 850, hardly a speed demon by today's standards. I started the audit when I went to bed, and it was done when I returned home from school the next day, approx. 16 hours total. If it takes less than a day to crack a real good password, are people ever gonna have secure passwords that they can remember without having to write them down?
Anyway, my point
NOTE: In Windows, the LM password hash is more vulnerable because it is case insensitive, so while this reduced the time, it's the way it is on most Windows boxes anyway
Moderation Totals: Flamebait=2, Troll=1, Redundant=1, Insightful=6, Overrated=1, Underrated=1, Total=12. (not mine)
I'm not sure if this is accurate, but if it is, it sounds like anyone relying on an 8 character password and giving free access to their password file might as well be using a sailor's knot to keep people out of their machine.
If a P4 can crack an average password in 13 years, a midsized network of them could generate all possible hash pairs in less than a year, sort them and store it all on a big drive. Then the problem of cracking any password is just a table lookup.
I'm not sure if current hardware could handle storing this many passwords, but we've got to be getting close.
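An added example, not code from the original comment, of the precomputation described above and of what defeats it: against an unsalted hash the attacker hashes the whole keyspace once, keeps a hash-to-password table, and every stolen hash afterwards costs one lookup; a per-user salt means the table has to exist per salt value and is useless against every other. The keyspace here (three characters from a-z0-9) and the hash (MD5) are scaled down so the table builds in well under a second; the counting helpers give full-size figures. It also carries the LM point from the laptop post a few comments up: LM upper-cases the password and hashes each 7-character half on its own, so the effective search is 69^7 per half rather than 95^14. The 4,096 salt count used at the end is the 12-bit salt of classic DES crypt(3).

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase + string.digits   # scaled-down keyspace (36 symbols)
LENGTH = 3


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def lm_effective_keyspace(printable: int = 95) -> int:
    """LM uppercases the password and hashes its two 7-character halves
    independently, so each half costs at most (printable minus the 26
    lowercase letters)^7 to exhaust, however long the password was."""
    return (printable - 26) ** 7


def unsalted_hash(password: str) -> bytes:
    # MD5 stands in for any fast unsalted hash; the flaw shown here is the
    # missing salt, not the choice of algorithm.
    return hashlib.md5(password.encode()).digest()


def salted_hash(password: str, salt: str) -> bytes:
    return hashlib.md5((salt + password).encode()).digest()


def build_table(alphabet: str = ALPHABET, length: int = LENGTH) -> dict:
    """The one-time precomputation: hash every candidate, keep hash -> password."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[unsalted_hash(pw)] = pw
    return table


def crack_by_lookup(table: dict, stored_hash: bytes):
    """With the table built, each stolen hash costs one dictionary lookup."""
    return table.get(stored_hash)


def precomputation_with_salt(table_size: int, distinct_salts: int) -> int:
    """A per-user salt of s bits means 2**s distinct tables, each useless
    against every other salt value: the work multiplies accordingly."""
    return table_size * distinct_salts


if __name__ == "__main__":
    table = build_table()
    print("table entries:", len(table))                                  # 46656
    print("unsalted:", crack_by_lookup(table, unsalted_hash("q7z")))     # q7z
    print("salted:", crack_by_lookup(table, salted_hash("q7z", "Ab")))   # None
    print("8 printable chars:", keyspace(95, 8))
    print("LM, per 7-char half:", lm_effective_keyspace())
    print("table work against a 12-bit crypt(3) salt:",
          precomputation_with_salt(len(table), 2 ** 12))
```

The salted lookup misses not because MD5 got stronger but because the table was built for the wrong input; scaling the same idea up is exactly the "big drive" the comment imagines, and salting is what keeps that drive from being built once for everybody.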
A long time ago a friend of mine was running an ISP. This was back in the days when ISPs usually had a user shell machine for people to log into. He ended up with a "non-authorised user" infestation. He had me run Crack against the user machine password file. I was shocked at how fast the first few passwords popped up... literally before my finger had left the "return" key. Of course, these were the ones where the password matched the username. :-( After about a week of running, fully one-third of the user passwords had been cracked. By that time Crack was getting into the "weirder" rules, and I stopped it.
I gave the list of usernames to the support folks so that they could force the users to change their passwords. I don't think I'll ever forget the shock of seeing those passwords pop up the instant I hit "return"!
Milalwi
...and so what, this is not uncommon at all for any company I've done similar work at.
To put it in other words: Man bites dog, the sun shines, now move on.
Must have been a slow newsday.
It depresses me to see how many of the comments on this article are complaints about how stupid the users are.
I think this really misses the point. If one or two people have trouble with strong passwords, ok, maybe. But if strong passwords are almost uniformly either not used, or written on post-its, then the solution is busted. It's not the job of tool-makers to demand that people change to fit the tools. We need to give users tools that they can use. If passwords suck, get something else.
And thank you. A password like that was given to me by the network administrator. F*cking hard to remember and f*ck1ng hard to crack. Well brute force will do, but combined with the "three wide and you're out for 30 minutes" makes sure it will take some time ;)
:)
Passwords like 'b@rbed-*-w1re' will do nicely too I think
Privacy is terrorism.
I have the greatest password ever ... shadowfax!
I work for a large confectionery manufacturer who has one of the best password policies I've come across in the 7 years of my IT career.
8x90. It's simple. Eight characters with forced policies on every system to change them every 90 days. Splash screens at startup give advice on choosing stronger passwords. We advise choosing a six letter word, breaking it in half and inserting a two digit number.
e.g. let01ter
Simple and effective.
Of course, without running a cracker over the password lists I guess we'll never know if the policy actually works!
My bank's online service enforces WEAK passwords -- no punctuation or symbols allowed, only letters and digits. 8 characters max.
What are they thinking? This is a very large multi-national bank. Genius, right?
I'm not sure I ever understood why changing a password every month increased security.
If you lost the keys to your house at a burglars' convention, and your address was written on the keyring, how long would you wait to change the locks?
Your (/etc/shadow|SAM file|whatever) is like that keyring, except it's possible for someone to get a copy of it without you noticing. And when they do, they have until the passwords expire to run cracking programs on it and reenter your system.
And of course there are, metaphorically speaking, many, many burglars' conventions happening at any given time on the net.
Best damn dongle there is.
If you have 15 different systems you have to log in to and you are forced to change them frequently, two things result:
1. You (at least try) to use the same password on all of them.
2. When you are forced to change your password you will do so only in the most trivial of ways, typically by incrementing a digit by 1. For example, flim7flam will become flim8flam, then flim9flam, etc.
The reason you end up doing this is as otherwise it is impossible to keep track of them all. Security would be improved by *stopping* the insidious practice of forced password changing. Continue to enforce password selection rules, such as having both letters and digits or symbols as well as educate people on how to pick good passwords, but please stop making me change my 15 f-ing passwords!
--- What?
"... 1,2,3,4,5. That's amazing, I've got the same combination on my luggage."
Under capitalism man exploits man. Under communism it's the other way around.
If you like getting a nice secure password, try a password generator.
Here in school we get our passwords changed whenever the admin feels like it; once every few years. They're all simple six-letter dictionary jobs because, hell, you can't trust kids to remember P2q4Ee4t or something :)
Anyway, this morning I came in to find some guy (maybe he's reading this - hi Greg :) had found a file on the server, available for viewing by anyone, which contained a list of everyone's passwords.
I kid you not, this was a genuine list which had obviously been left there by some idiot who deserves to be eaten by crocodiles. Needless to say, I now have a different password and the file has vanished :)
Still, shows you just how useless passwords are against my mortal enemy (stupidity).
Forget those silly short letter/number combos...
CoffeeAndJam
I want to see all those stupid MAX #of character limits GONE! Too many systems have a limit of what can be used in a password.
Which is more secure?
MyName01
OR
MyNameAndILikeFrenchBreadPizzasForBreakfastWith
Ok, so that's a little overdone...but the fact remains most easy passwords are that way because they are just words, single words that can be found in a dictionary. Allow longer (non-sense) phrases for passwords and even something like "1989MustangGTwithbluetrim" can be a LOT more secure than "89mustang" not to mention WAY easier for the user to remember.
Having a set of rules for user passwords and separate ones for admin passwords is another good thing too. You want to cycle the admin passwords fairly often (turnover), but leave the user passwords alone for the most part. (Only remove/change when the user leaves or changes jobs...)
We used to store our root passwords on printouts that the sysadmins kept in their top drawer - obviously not secure.
The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.
This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot login through telnet (you need to login using a second account to get a prompt to su), there is a bios password and lilo password and the box is physically secure in the server room.
In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).
It's working well for us and has been live for about three months now.
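The group-gated lookup described in the post above, as an added Python sketch. This is not the poster's C program and it does not reproduce their server; it only models the same shape: the requester names a machine/account pair through a masked prompt, the entry is released only if the requester is in the group that owns that machine, and the secret is shown briefly and then cleared. The vault layout, the `MACHINE_GROUP` table (standing in for the file permissions the real system used) and every sample entry are constructed for the example.

```python
"""
Group-gated password vault, modelled on a custom login shell that shows
one stored credential to an authorised user for a few seconds.
Constructed example; the ACL table and sample entries are made up.
"""
import getpass
import os
import sys
import time
from pathlib import Path

# Constructed ACL: which UNIX group may read each machine's entries.
# The system in the post expressed this with file permissions instead.
MACHINE_GROUP = {
    "db01": "dba",
    "web01": "webops",
    "fw01": "netadmin",
}


class Denied(Exception):
    pass


def lookup(vault: Path, requester_groups, machine: str, account: str) -> str:
    """Return the stored secret for machine/account, or raise Denied.

    Deny by default: an unknown machine, a group mismatch and a missing
    entry all produce the same error, so a caller cannot enumerate which
    machines exist (a design choice of this example, not of the original).
    """
    required = MACHINE_GROUP.get(machine)
    if required is None or required not in requester_groups:
        raise Denied("no such entry or not permitted")
    entry = vault / machine / account
    try:
        return entry.read_text().strip()
    except FileNotFoundError:
        raise Denied("no such entry or not permitted")


def make_vault(root: Path, entries):
    """Populate a vault directory from (machine, account, secret) tuples."""
    for machine, account, secret in entries:
        d = root / machine
        d.mkdir(parents=True, exist_ok=True)
        p = d / account
        p.write_text(secret + "\n")
        os.chmod(p, 0o640)          # owner rw, group r, nothing for others
    return root


def demo_vault():
    """Throwaway vault with constructed entries, for trying the module out."""
    import tempfile
    return make_vault(Path(tempfile.mkdtemp()),
                      [("db01", "root", "s3cret-db"),
                       ("web01", "root", "s3cret-web")])


def show_briefly(secret: str, seconds: int = 5):
    """Display the secret, wait, then overwrite the screen."""
    print(secret, flush=True)
    time.sleep(seconds)
    os.system("cls" if os.name == "nt" else "clear")


def main(vault: Path, requester_groups):
    # Masked prompt so a shoulder-surfer does not learn which machine is looked up.
    target = getpass.getpass("machine/account: ")
    try:
        machine, account = target.split("/", 1)
        secret = lookup(vault, requester_groups, machine, account)
    except (ValueError, Denied):
        print("denied")
        sys.exit(1)
    show_briefly(secret)


if __name__ == "__main__":
    # Real group membership of the logged-in user (POSIX only); the vault
    # path is an assumption.
    import grp
    groups = {grp.getgrgid(g).gr_name for g in os.getgroups()}
    main(Path(os.environ.get("PWVAULT", "/var/pwvault")), groups)
```

Installed as a user's login shell, the program never gives the requester a general prompt, so the only thing they can do on the box is ask for entries their groups are allowed to see; `demo_vault()` builds a temporary vault so `lookup` can be exercised without touching the real path.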
Every company/ISP/system should enforce password changes/passwd restrictions; I'm all in favour of it. However, it IS possible to go the other way, and provide less security. My company is a multi-national and we have a huge network. Forced password changes were implemented around a year ago, because of a hacker wandering around. That's fine to do that, but then we have around 5-9 accounts (depending on what you're doing), and that's INDIVIDUAL accounts. That's INDIVIDUAL passwords. It's made slightly easier by not having passwd restrictions. I can tell you that the passwords that are going to be used by users will be something along the lines of 'abcdefgh', then 'bcdefghi'. The forced passwd changes are a monthly grief for everyone. Everyone HATES it. And so they should.
-- main(s){printf(s="main(s){printf(s=%c%s%c,34,s,34
"Your password is the weakest link. Goodbye."
Citibank has a web service called Direct Access. All you need is the account number and his/her four-digit PIN. You know how easy it would be to crack four digits? At most 10,000 tries, averaging 5,000 tries for the best-chosen PINs.
The National Highway Safety Institute released a report today that strongly suggests motorists are the cause of most traffic accidents. I know, hard to believe, but there you have it.
Edith Keeler Must Die
Why not write a shell script, with say the most common 1,000 or 10,000 (or even greater) passwords and just have it look at the password when the user changes it, and spit out a printf("that is a common password, for security reasons, please change it something that is harder to crack") or whatever and prompt them again.
At my last firm I was amazed to see everyone using the SAME password on hundreds of machines. I'm a bit nosey so I used to look over the shoulders of my colleagues as they typed and almost without exception all of the passwords were a string of asterisks!!!! I changed mine to a string of asterisks too, because I like to fit in.
Code, Hardware, stuff like that.
A hacker who can get the password list...bypassing all the high-tech security erected to keep him out.
This makes me furious! When will the media STOP equating hackers with security breakers. This is what gives open source coders and hackers a bad name.
Sorry </rantmode>, feel free to mod down as a troll.
Hargun
Think nothing is impossible? Try slamming a revolving door.
Why is disabling the account after 3 incorrect guesses (thus requiring a call to some support line with the corresponding 15 minute wait on hold) not the answer?
Would that be Sarah and Gomez from Birmingham, perchance?
Took the NT4 domain controller of a small, but still 20,000-workplace, university when the 2000 domain controllers arrived, and downloaded some Linux bootdisk to hack them (no cracking tool, no NTFSDOS, nothing), which simply did some l0pht.
Within seconds the 900 accounts without pwd or account=pwd rolled out. Before the dictionary attack even. The pwds were valid. I confronted some people in my own department, and luckily they took it well. My boss didn't take it that well, and ordered me red-hot to immediately wipe everything. No real repercussions when he cooled down, luckily.
All it took was getting the machine to boot (was a Compaq desktop model) from floppy and to press enter a few times.
I actually was more surprised why _nobody_ uses encrypted filesystems (the 2000 controllers also don't have any).
I know they are scared that some dominant sysadmin could lock them out of their own system, but clauses in contracts seem a better way to prevent that. Not even for critical systems like domain controllers.
This widens the wrongdoer category from the few domain admins (3-5 in our company) to a larger community of hired people, trainees, trusted student-helps (me) that had regular unescorted access to the server room (at least 20 people).
And maybe even suppliers (I can e.g. remember engineers from the KVM vendor being unattended in the server room for _days_), and other occasional, but often more than once, small (or longer) unattended moments.
The company I work for does employ a set of password rules... (I work on a helpdesk) and although many staff complain at the need to change passwords, reading this report would probably be pretty sobering news, especially as a number of the execs here would like using the same password over and over, but cannot, as our system memorises the last 14+ passwords used, for example...
makes hacking accounts tricky, basically people would have to try social engineering to get results..
One of the key techniques is velocity checking (only able to enter 3 bad PINs), but this really works best with centralized systems (alternative if only local velocity checking is used, find 2500 ATM's and try two trial PINS at each ATM). That is one of the main differences between this system and a UNIX like password (where you can get a password file and perform offline attacks).
There are additional safety measures. For example, a key principle of PIN input/verification is that you should not be able to create PIN trials purely electronically. The cryptographic weakness of 5000 trials (average to attack a randomly chosen 4-digit number) is not too bad so long as the attacker has to punch each trial into a keypad. Obviously 5000 is a very weak number from a cryptographic standpoint. For this reason the PIN verification products don't usually accept clear PINs, they only accept PINs that have been encrypted (with something like a key used for the ATM or POS terminal that generated it). One of the classic design issues for a PIN validation system is to make sure PIN trials are O(2^56) (single DES) instead of O(10000).
Throw in physical security like cameras at ATMs and the like, and you get a system that is basically acceptable. Of course there are a whole number of issues in the industry today. The move from single-DES to 3DES is pretty complicated (there are a lot of ways to implement 3DES systems that only have single-DES strength). You also need to worry about internet and phone banking, where the systems that generate PINs (or their equivalent) are not trusted hardware devices like an ATM. I've seen naïve internet PIN systems that turn out to be great PIN crackers (i.e. they provide a method of doing O(10000) trials to an adversary).
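The velocity-checking argument above (and the "disable after 3 incorrect guesses" question earlier in the thread), as an added simulation that is not taken from any real bank's authoriser. An attacker who knows an account number tries PINs from 0000 upward across many terminals. With a counter kept per terminal the guesses are spread thin and the counter never trips; with a counter kept per account at the central authoriser the account locks after three bad PINs no matter where they were entered. The figures of 2500 ATMs, two trial PINs each and a limit of three come from the post; the account number, the true PIN and the attack order are assumptions of the example.

```python
"""
Per-terminal versus per-account velocity checking against a distributed
PIN-guessing attack. Constructed example; no real authoriser works
exactly like this.
"""

PIN_SPACE = 10_000          # four decimal digits
LIMIT = 3                   # bad PINs allowed before lockout


class LocalVelocity:
    """Each terminal counts failures on its own; nothing is shared."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.failures = {}          # (terminal, account) -> bad attempts

    def allow(self, terminal, account):
        return self.failures.get((terminal, account), 0) < self.limit

    def record_fail(self, terminal, account):
        key = (terminal, account)
        self.failures[key] = self.failures.get(key, 0) + 1


class CentralVelocity:
    """The authoriser counts failures per account, regardless of terminal."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.failures = {}          # account -> bad attempts

    def allow(self, terminal, account):
        return self.failures.get(account, 0) < self.limit

    def record_fail(self, terminal, account):
        self.failures[account] = self.failures.get(account, 0) + 1


def attack(checker, account, true_pin, terminals, tries_per_terminal):
    """Guess PINs in order, a few per terminal.

    Returns (found, attempts_made). The attack stops as soon as the checker
    refuses a trial, which is what lockout looks like to the attacker.
    """
    next_pin = 0
    attempts = 0
    for terminal in range(terminals):
        for _ in range(tries_per_terminal):
            if next_pin >= PIN_SPACE:
                return False, attempts
            if not checker.allow(terminal, account):
                return False, attempts          # locked out
            attempts += 1
            if next_pin == true_pin:
                return True, attempts
            checker.record_fail(terminal, account)
            next_pin += 1
    return False, attempts


if __name__ == "__main__":
    # Constructed account number and PIN; 2500 terminals x 2 trials each
    # covers exactly half the PIN space when nothing stops the attacker.
    for name, checker in (("local", LocalVelocity()),
                          ("central", CentralVelocity())):
        found, n = attack(checker, account="12345678", true_pin=4242,
                          terminals=2500, tries_per_terminal=2)
        print(f"{name:8s} found={found} attempts={n}")
```

With the local counter the attacker gets 5000 trials and finds any PIN below 5000 (here after 4243 attempts); with the central counter the run ends after the third bad PIN. The simulation ignores the encrypted-PIN-block requirement from the post, which is what keeps an attacker from mounting these trials electronically at all.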
Dear Mr Egg "egg troll" Troll,
Please inform me - are you Scottish?
Kind regards,
Jack McIntosh
why not use a simple passphrase with substitutions for good passwords..
e.g. take the phrase
"i dont suffer from insanity. I enjoy it!"
take the first character of each word to get
"idsfi.iei!"
replace i by 1, and s by 5 to get "1d5f1.1e1!"
now ain't that a good password?
and wasn't it easy? or am I a genius??
and btw you only need to derive it the first few times...then..YOU REMEMBER It.
Once these policies are enforced, the weakest link will be the PDAs and paper pads where people write down all the damned passwords they have to keep up with. I don't know what else we can do but this password stuff is getting out of hand.
Wansu, th' chinese sailor
There are many methods of improving security. Requiring users to change passwords is not one.
Choosing a good password is difficult. You need it to be easy for a user to remember, but hard for anyone else to guess. If it is difficult for the user to remember, it will end up on a PostIt on his monitor. If it is easy to guess, then many methods will work to compromise the account.
Requiring a user to change his password on a regular basis means that the user must come up with more passwords. The average quality of that password will almost always be less than that of a single good password. They are less likely to even try and come up with a good password if they have to change it frequently. So the quality will almost always be less.
The amount of time to crack a password using straight brute force methods is almost always much greater than the expiration period. So expiration does little to foil such an attack. If a password space would take 10 years to check, having a user's password expire every 10 years is not really useful.
If a user's password is going to be broken, it will almost always happen through means other than brute force. Either through the PostIt method, social engineering, dictionary attacks, using personal information. These attacks take much less time than you could reasonably expire a password. Let's say you require changes every month. The above attacks would take anywhere from a couple minutes to a few hours. The compromise would happen on average with 15 days left before the password would expire. Once compromised, there is little (but not no) value in closing the barn door. Detecting and rectifying these situations is better handled through other means, especially since changing the password never lets anyone know that a compromise ever occurred, even though it stops it (though most likely, the person will still have access through other means once they got in).
Expiring passwords not only doesn't improve overall security, it lessens it. The few minor advantages are far outweighed by the downsides of such a policy.
I once worked in a place where it was official policy to print out a pretty black-on-clear adhesive label with username and password and put it on the monitor when you changed your password. That way, if you were out, or someone else needed to use your computer, they could just log in on your account. Although, physical security was pretty tight. I had to enter and leave work through a Mardix booth (two doors, I think the outer one locked when the inner one unlocked) and needed both my ID card and my PIN to unlock the door. There was a nuclear weapons guidance system in the next room, so physical security was pretty tough. (IIRC, guidance is one of the main places where China still lags behind the US.) However, computer security was pretty lax. I don't know why so many places have such a narrow view of security.
It's not that hard to enforce strong password rules at the time of password change .. and consequently our customers require always-new passwords, enforce dictionary checks, and can even apply regular expression rules.
(psynch.com if you're really curious).
Hi
:)
I've always thought that mandatory password ageing is a surefire way to get insecure passwords !
By making your users change their passwords often they are more likely to make it easy to remember (ie the name of a pet etc) or else they'll write it down !
Enforce good password security by checking passwords as they are entered and running cracking scans over existing passwords. That way your users are more likely to find a good password and commit it to memory !
Just my $0.02
Your password is the weakest link.
Goodbye.
-----
Score 3? For what? Being wrong, at length? - smirkleton
With a Public Key Infrastructure, there is no longer a need for passwords to authenticate to servers.
This makes any password cracking programs irrelevant, because if you try to attack the server, you are up against strong crypto. The 30% of passwords cracked would drop to 0% of strong keys cracked.
Of course, locally, each user most likely will still have a password that will protect their certificate. This is still vulnerable to password-cracking if the certificate is stored in a software device on a hard disk. Still, each user's machine would have to be hacked into, and then each certificate database individually.
However if it is stored in a smartcard, the smartcard would have to be physically stolen and then the password cracked in order for it to be used. But by that time the physical theft would likely have been noticed and therefore the certificate would be marked revoked in a certificate validation system, and services would not accept it anymore, making the theft useless.
-- Julien Pierre http://www.madbrain.com/blog
Take a look at SafeWord:
http://www.securecomputing.com/index.cfm?skey=643
In a nutshell, you install the SafeWord server somewhere, then all your applications/servers/NASes/etc can authenticate against it via Radius, Tacacs, etc.
The one-time passwords are generated via small credit-card-sized tokens; you have to give one token to each user.
If the program can crack the passwords in less than 24 hours then users would have to change passwords multiple times a day to help mitigate the risk of them being guessed with such a program!
Was that a Taco quote or part of the post? It's hard to tell because the whole damn thing is in italics.
Choosing a random sentence from the individual's life fits the bill here very well. A dedicated hacker would never be able to figure out my passwords. Unless the person has local access to my machine of course.
Using the first letters of your title is NOT a good idea.
But if you think about someplace that you went to and make up a sentence from that using the first letters with a couple numbers thrown in, no one will be able to crack it.
We're not talking about obvious examples like 'i went to NYC and had a good time' but maybe 'I went to Central park and saw 5 Pigeons die.'
IwtCpas5Pd or Itolkdw5se
Easy to remember and safe.
--Completely random passwords are just begging to be written down.
These cracking programs...how many languages do they tend to have dictionaries for? How many foreign pop cultural references might one find?
I have a tendency to use non-english words for passwords (my current fave is a combination, forming a nonsense word, so it ought to be safe)...how safe is this practice?
Whenever I come across a place that has a keypad for entry with 9 digits I usually try:
..an X ..
7913. Which is a Z.
7931 A box.
7319
Unless there is a single key with the number rubbed off.. Then that's a pretty easy guess.
Human nature being what it is those usually work.
Freedom is merely privilege extended unless enjoyed by one and all.
1) Write a PERL script/Shellscript/whatever that banishes whomever runs them.
2) Create a bunch of users with invalid names and easy password. Assign them the script created in step 1 as default shell. Make sure ONLY the invalid users can run the script!
3) Sit back and watch the fun.
Anything you don't agree with mod it down - /. used to be a nice place now it's just a lockstep groupthink prison.
It should be coupled with a physical key of some kind like a smartcard or iButton. In some cases the physical key may be enough; it's not easy for a hacker to simulate, at least not remotely. And in cases which warrant extra security a key combined with a password would be even better. That way you're not depending entirely on the password for security. This is the method used at ATMs - you bring your card and remember your PIN.
And for the ultimate security you would need 3 things - 1.) bring something (the key) 2.) remember something (the password) 3.) prove something about who you are (biometrics)
Cheap USB or serial iButton readers could be a quick and easy fix for many corporate environments. I heard there is an implementation for Windows to permit logon only by this method.
I wish I had a penny for every admin that assumed the users knew less than he did, I'd literally melt them all down into a club and bash their skull in.
How will you manage to lift it?
Ask me if I've been required to disclose any crypto keys.
A bunch of people have replied with suggestions for replacing letters in their passwords with "leetspeak" (e.g. p@55w0rd). John the Ripper uses rules that can modify dictionary words by appending numbers, reversing, reflecting, and pretty much anything else you can think of, including translating alphabetic characters to "31337" characters. You have a better chance at evading John by using the last letters of an 8-word passphrase, although those too can fail pretty fast if a username is subjected to dedicated brute-forcing with character frequency rules.
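An added Python example tying together several suggestions in this thread: the common-password check run at password-change time, the "first letter of each word plus substitutions" method ("idsfi.iei!" and "IwtCpas5Pd" above), the long-phrase-beats-short-word point ("89mustang" vs "1989MustangGTwithbluetrim"), and the warning in the post above that leetspeak is no defence against a rule-based cracker. It is not John the Ripper's code and its rule set is a toy imitation of John's; `COMMON_WORDS`, the substitution table, the length minimum and every password tested are constructed for the example.

```python
"""
Rule-based password rejection in the style of a wordlist cracker.
Constructed example: the wordlist and the rule set are toy stand-ins for
John the Ripper's real ones, not a reimplementation of them.
"""
import string

# Constructed mini wordlist standing in for a dictionary / common-password list.
COMMON_WORDS = ["password", "secret", "mustang", "letmein", "welcome"]

# Letter -> "31337" substitutions, applied in one pass as a cracker rule would.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})


def acronym(sentence, keep_case=False, keep_punct=True):
    """First letter of each word, optionally keeping case and trailing punctuation.

    With the defaults this reproduces the "idsfi.iei!" construction; with
    keep_case=True, keep_punct=False it gives "IwtCpas5Pd"-style results.
    """
    parts = []
    for tok in sentence.split():
        core = tok.rstrip(string.punctuation)
        if not core:
            continue
        first = core[0] if keep_case else core[0].lower()
        parts.append(first + (tok[len(core):] if keep_punct else ""))
    return "".join(parts)


def substitute(pw, mapping):
    """Apply a user's own letter-for-symbol mapping, e.g. {"i": "1", "s": "5"}."""
    return pw.translate(str.maketrans(mapping))


def mangle(word):
    """Yield the variants a John-style rule set would try for one base word."""
    for base in {word, word.lower(), word.capitalize(), word.upper()}:
        yield base
        yield base[::-1]                     # reversed
        yield base.translate(LEET)           # leetspeak
        for n in range(100):                 # one or two digits appended/prepended
            for digits in (str(n), f"{n:02d}"):
                yield base + digits
                yield digits + base
                yield base.translate(LEET) + digits


def build_candidates(words):
    return {c for w in words for c in mangle(w)}


CANDIDATES = build_candidates(COMMON_WORDS)


def is_weak(pw, candidates=CANDIDATES, min_len=8):
    """True if the password is too short or a mangled wordlist entry reproduces it."""
    return len(pw) < min_len or pw in candidates


if __name__ == "__main__":
    phrase = acronym("i dont suffer from insanity. I enjoy it!")
    print(phrase, "->", substitute(phrase, {"i": "1", "s": "5"}))
    for pw in ("p@55w0rd", "89mustang", "Password1", "drowssap",
               "1989MustangGTwithbluetrim", "1d5f1.1e1!", "IwtCpas5Pd"):
        print(f"{pw:28s} weak={is_weak(pw)}")
```

Every leetspeak, digit-suffix or reversed variant of a wordlist entry is rejected, while the sentence-derived strings and the long phrase survive because no dictionary word generates them; a real deployment would use a full wordlist and John's own rules rather than this toy set, and the post above is right that dedicated per-user brute forcing is a separate problem this check does not address.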