Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

Password change policies

[Alioth]

The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.

The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.

Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't. The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.

Biometrics are hated by real security geeks.

[perry]

I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.

Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.

Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.

In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.

Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.

Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.

Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.

Re:USB keys

[Carmody]

Most of the users in my environment simply write all their passwords on a piece of paper and stick them to their computer.

Problem solved!

You laugh, but in certain contexts, that is the easiest way to go, and not that bad, security-wise.

For example, I post on slashdot. I need a password, so pranky kids don't post under my name, saying rude things. Fine. Now let's say I wrote the password on a piece of paper, taped to my monitor.

Who sees my monitor? The custodian. I know Bernadette - she is a nice lady and isn't going to hack my slashdot account. My colleagues? They haven't the slightest interest in doing such a thing, nor do they have the time.

There are also low-stakes passwords. If my net-flix password got out, you all could ADD AND DELETE MOVIES FROM MY QUEUE! Oh the horror! If someone wanted my net-flix password, they could break into my office and find it in a .txt file on my computer desktop. But once I noticed my queue had been changed, I would alter the password.

Obviously, I am careful with my bank password, etc. But otherwise, I don't see why it's so bad to have low-security when high-security is unwarrented.