Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.
I can't say that I don't give a fuck. I've just run out of fuck to give.
Agreed! What good does the latest, greatest super-whizbang password hashing scheme do when users pick easily guessed usernames? I used to work for a dialup ISP who had approximately 10,000 entries in /etc/passwd. Just for the heck of it not long after I started working there, I ran Crack against it, and in a matter of about 30 minutes I had myself a nice little list of about 1,500 passwords.
-J
Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users aren't going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.
My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.
The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.
However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.
It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.
After dealing with multiple incidents of hacking at my former work, we formed a security policy that included enforced, complex passwords. Luckily we did the same analysis on existing passwords to justify the change because it caused quite an uproar.
Our heuristic was simple (to me): include one character from each of the following subsets of characters: UPPERCASE, lowercase and Numbers, minimum of 8 digits.
I must have spent at least 10 minutes with most people helping them choose passwords that fit the criteria. The worst ones of course were the executives, one made me sit with them for over a half an hour while they figured it out.
Luckily it was a small company of 40 people or so, I might have gone crazy.
probably 60-75% were cracked within 8 hours.
People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.
To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definitive source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.
Why shouldn't they do the same with a password?
You need to have a password policy that encourages better passwords without requiring a specific password makeup.
If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.
Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.
The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.
Furthermore Opie is a neat project to avoid keyboard snooping.
How does the Slashdot Effect happen given that no slashdotters ever RTFA?
I just started working for the Federal Reserve a few weeks ago and was astonished at the password awareness. Every month they try to crack our passwords, and then model that and try to put new policies in to reduce the percentage cracked. (started with 8%, now down to 3%, makes your money feel secure, doesn't it?)
Our passwords change every 30 days and we can't use the same passwords to access our email as the network. Standard stuff really. The amazing thing is during orientation everyone gets an hour lecture about passwords, what is good vs. bad. Then every week we get flyers and emails updating all employees.
The current policies are things like no words, you must use numbers and special characters, lower case and uppercase, etc, etc, etc...
In my view, the real problem lies in the number of web sites which require (free) log in. Say you use 20 services and that they all require logins. Are the punters supposed to remember 20 different name/password combinations? No, they'll often reuse. And what is to stop billg/msft1234 who has logged in at both slashdot and the New York Times being compromised by CmdrTaco to read the NYT for even freer? I personally re-use passwords for sites where there is no risk involved, elsewhere I often create throw-away passwords which I'm happy to have in a cookie but forget before I'm ever asked to use them again (and thus create a new account).
I once worked at a research institute where they had a very nice policy regarding passwords.
They constantly ran the best available password cracking program, and when a user's password was cracked, he got either a warning or an account lockout right away, depending on how long it took to crack. No other restrictions were applied.
A good method I know to create a strong password is named "passphrase".
;-)
;-)))
People think of a phrase (a statement) with 4-6 words and take the first (or latter, as you wish) chars of the words.
For example:
phrase: my linux box is equipped with an athlon 850
Using the first 1 char, you get:
mlbiewaa8
which is a "strong" password but easy to remember.
My 2 cents.
In "Security Engineering" by Ross Anderson (Addison/Wesley), he gives an interesting statistic on password memorability vs. crackability. In the studies he referenced it was found that:
1) Computer-generated passwords were the hardest to guess/crack (had the most entropy), but also the hardest to remember.
2) User-selected passwords were the easiest to crack (had the least entropy), but were easy to remember and,
3) User-selected passwords created by having the user pick a phrase or song lyric and using the first letter of each word had nearly the same entropy as computer-generated pseudorandom passwords and were nearly as easy to remember as regular user-selected passwords.
Our company's business is shipping medical software on laptops for drug studies. We had to start complying with 21CFR Part 11 for all studies done in the US (has to do with electronic signatures and record-keeping). Fully half of the sites that we have visited for training or orientation on a study have post-it notes with user IDs and passwords either on their screens or on the underside of the laptops...and this is when they KNOW we're coming to train them on this and they KNOW we're gonna holler at them for the violation, because the FDA will do more than holler at them when they show up for an audit and the FDA doesn't have to announce their visit before they show up.
I would be less surprised at this if we forced strong passwords, but we don't. 21CFR Part 11 doesn't specify how strong passwords have to be, so we use fairly weak rules--four to ten characters, not case sensitive, symbols allowed, expire after a year. (And the only reason we went with four characters was because the user ID is three characters and we didn't want the password to match the user ID). Then we had one of our trainers going around suggesting to users that they use their year of birth as their password...nobody knows anyone else's year of birth, right? We actually had a user at one site write THAT one down on a post-it note, too...
We actually had to fight administration here on development of our next software package because the PHBs wanted passwords to be a minimum of one character. I finally convinced them by having the vice-president change his screen-saver password to a one character password and manually hacked it while he was sitting there, but then he just wanted to change it to two characters! We finally got them up to five characters, but it took some doing...and forget about trying to get them to approve case-sensitive or forcing numeric entries too...
I use a dissected CueCat for password entry. It allows me to use any bar code found on snack food, coupons, product ID's, etc. as a random sequence of alphanumeric characters of significant length. All I need to do is remember where I kept, stored, tucked, stuck, shoved the item with the code on it, scan it, and I'm logged onto the company network.
People may find a myriad of scannable codes on or near my desk at any given time. The trick is to know which one it is unless I carry it with me. Five attempts at a wrong password locks out the account. Due to the significant amount of digits, the IT department STILL has yet to crack my password using their cracking tools.
We're required (forced) to change our passwords at regular intervals. Since I've been scanning things, I have not found that an inconvenience.
But... how much is too much? My company uses ckpw. Here's a sample session:
$ ckpw ar
Please enter old password:
Enter proposed password:
Insecure Password!
Whole or part of password is found in a dictionary
Enter Selection: new/display/help/quit > d
"ne2511s" was the proposed password that was checked.
The following operations were applied to your password
to detect security:
--> Substitute '2' with 'a'.
--> Substitute '1' with 'i'.
--> Reverse spelling of word.
--> Check for "word + word" combinations.
"sii5aen" was the result after applying the above operation(s) to your
password. The pair of words "sii" and "aen" was found in your
password. Since your password can be guessed by applying the inverse
operation(s) to "sii5aen", your password is considered insecure.
In what dictionary can you find the words "sii" and "aen"? Merriam-Webster Unabridged has neither sii nor aen defined!
I can't even get a nonsense password to be acceptable!
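An added sketch (not ckpw's code, and not part of the comment above) of the kind of check that session describes: undo the digit substitutions, reverse the string, then look for word pairs. The word list, the `min_len` parameter and the rule that one separator character may sit between the two words are assumptions; the point is that the rejection depends on accepting three-letter dictionary entries.

```python
# Illustration of a ckpw-style check. Not ckpw's actual code.

# Substitutions reported in the session: digit -> letter it may stand for.
LEET = {"2": "a", "1": "i"}

# Constructed word list (assumption). A checker that loads very short
# entries such as "sii" and "aen" will reject almost any string.
WORDS = {"flower", "pass", "word", "sii", "aen"}

def variants(pw):
    """Yield (string, operations) for each transformation of pw."""
    lowered = pw.lower()
    subbed = "".join(LEET.get(c, c) for c in lowered)
    seen = set()
    for base, ops in ((lowered, []), (subbed, ["substitute"])):
        for s, extra in ((base, []), (base[::-1], ["reverse"])):
            if s not in seen:
                seen.add(s)
                yield s, ops + extra

def word_pair(s, words, min_len):
    """Return (w1, w2) if s is w1 + optional one-char separator + w2."""
    for i in range(min_len, len(s) - min_len + 1):
        for j in (i, i + 1):  # j == i + 1 skips a single separator
            left, right = s[:i], s[j:]
            if len(right) >= min_len and left in words and right in words:
                return left, right
    return None

def check(pw, words=WORDS, min_len=3):
    """Return a dict describing why pw is rejected, or None if accepted."""
    usable = {w for w in words if len(w) >= min_len}
    for s, ops in variants(pw):
        if s in usable:
            return {"form": s, "ops": ops, "match": (s,)}
        pair = word_pair(s, usable, min_len)
        if pair:
            return {"form": s, "ops": ops, "match": pair}
    return None

if __name__ == "__main__":
    for pw in ("ne2511s", "Pass1word", "flower"):
        print(pw, "->", check(pw), "| min_len=4:", check(pw, min_len=4))
```

With `min_len=3` the sample password from the session is rejected through "sii5aen"; raising the minimum word length to 4 accepts it while still rejecting "Pass1word" and "flower".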