Real Security?
An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"
Come on, who uses passwords like '%33#Gt(;' nowadays, especially with multiple logins?
Are we increasing security too much, so that the users circumvent it?
Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work; the bad ones never get put into a final patch.
There is no replacement for displacement.
to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.
Social engineering can get you a lot further than being a l33t h4x0r.
I've always tried to balance system security against how much of a pain in the ass it will be to the end user. If the PIA threshold is too high, the more likely the end user will try to navigate around it.
password: ********
(hint: it begins with a p and ends with a d)
So simple even the most consummate hacker could absotively posilutely never guess it!
You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things, and utterly destroy the existing security.
Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc. If you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.
Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"
As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
My personal solution to this problem has been to create a database with each site a record listing the user name and password chosen. I have a shorthand for my usual password, but all others I'm forced to create are "in the clear," typed in right there for anyone with access to my machine to see.
D'oh!
I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
That sounds a bit contradictory, but I will soon prove my point. Before getting into the proof, however, I would like to explain that it is not solely the security people's fault. They have all attended one D'ohLT University or another, where their professors have carefully groomed them for their current state of profound D'ohLTism. That's the problem with being D'ohLTed; you are very likely to turn around and D'ohLT someone else.
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!
So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.
Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.
Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and passwords clinging to the monitors on yellow stickies (e.g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.
D'oh!
Only a D'ohLT would come up with a security scheme that is so overly complex that it's guaranteed people will write down their passwords. And yet, this kind of D'ohLTishness is par for the course with these guys. They are the most clueless profession I know, and they are showing no signs of getting any better.
Of course, there's always room for more retardation of productivity, and, if it can be found, these guys will do it. After the first six weeks, my wife had received only two of the four sets of usernames/passwords, and she'd had to speak to no fewer than seven people to get them. Two weeks of further extreme effort finally produced the last two sets.
What was she doing in the meantime? Instead of spending full-time repairing people, which is nominally her job, she wasted hours camping out in another doc's offices, using his computer (and passwords--they were right there on the sticky note) to do her work.
Meanwhile, the other doc, bumped from his office, would go and get an extra cup of coffee. The security D'ohLTs had thus not only opened up your medical records to anyone schooled in the use of sticky notes, they were pouring money down the drain in the form of lost productivity and company-supplied coffee.
D'oh!
Fortunately, of course, this problem is self-limiting. Yes, she only worked at full throttle for the final two weeks of her ten-week stint, but when she returns in December to work for another three weeks, her user names and passwords will all be waiting for her.
Except unused user names and passwords expire after 90 days.
D'oh!
Even constant users have to make up (and post on their computer monitors) new passwords every 90 days, even if they keep their user names. Expiring stuff is the only way these guys can prevent the unthinkable: memorization. Once people memorize the little devils, they don't need their cheatsheets anymore, and then, suddenly, there's real security. They can't let that happen!
Hospitals all over the country now are
I haven't changed my password here on Slashdot since I joined^H^H^H^H^H^H^NO CARRIER
Too much security isn't the issue here at all. It's improperly implemented security. Yes, more passwords can be more secure. But only if the passwords themselves are secure. Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that. But simply assigning strange passwords to people is not the answer. And not having the secure passwords at all is definitely not the answer.
Too bad many sites are disallowing special characters for fear of SQL injection attacks. As for too much security? That depends on how important what you are securing is. Is your credit card information worth a little bother to protect? How about the information that the credit card companies use to issue you (or supposedly you) a credit card? Social Security number, mother's maiden name, date of birth. You can get all that from a DMV database. A system is only so secure until it's been compromised; then it wasn't secure enough. Security should be built in, from day one, against a verifiable standards-based framework. Thems my two cents, please keep the change.
I've never seen a solution to the conflicting attributes of a good password. It should be hard to guess, involving a mix of upper and lower case letters and numbers, and involving no personal data. It should be different for each site or system. You should change it often. You shouldn't write it down or put it in a text file. Does anyone really follow these rules? How do you remember all your passwords if you do?
In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution for this, externally on my laptop, for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.
So a simple ssh tunnel into a work machine, and a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.
So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.
Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.
If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.
The goal of all security measures is to make it inconvenient enough to enemies that it's not worth their time and effort to try and break in, while making it *not* inconvenient enough to users that it's not worth their time and effort to actually use the system.
For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.
So I guess, the software equivalent of that would be to not leave expensive data that could interest people on networked box, and make as much as your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.
I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Don't use capslock. Its like yelling
The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.
:)
I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and a & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would literally have to be able to read my mind in order to guess it. But most systems won't accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.
I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo id at school to have our password retrieved for us, but it happens so often, that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?
Sorry for the long rant, but I felt the need to get all this off my chest
----
Squirrel
HE WAS YELLING!
By "increased security", do you mean increased security measures, or the increased security of the resulting system?
If the resulting system is secure because of good security measures, then not every idiot can wander in.
On the other hand, if you mean just increased security measures, which, apparently aren't resulting in a more secure system, then the "security people" are idiots for using weak security mechanisms over and over again, in a hope of increasing the overall security of the system.
Improved security measures may not be large in number, but result in a secure system. You're better off using 1 strong encryption scheme rather than 4 weak ones.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
There was a time when I was upset by the fact that Linux accepts very strange characters in the passwords (the arrow keys for instance) that couldn't be typed into most GUI password fields. Now I realize that that's not a bug, it's an accidental feature. Effectively, root can't log in on a GUI (including gksu), on a machine so configured, which adds to the security of the system. Fake login screens are foiled by that trick.
(UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?
-3Suns
~~~~
The Revolution will be Slashdotted
I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)
So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?
So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.
So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!
But nobody can reliably remember SIX things to log in to one account, as well has having to remember all the other usernames/passwords, etc. they might have.
So, I've closed my account with them. Because I think they're too damn insecure.
"And the meaning of words; when they cease to function; when will it start worrying you?"
6 years ago I memorized a 16 character string of random characters. I use it for everything, the first 8 for less important things, just in case. People can choose passwords as necessary as they see fit. Requiring passwords to be so odd isn't really protecting anything, as users will voluntarily do so if it is anything they care about. All that setting these standards does is make people use "master password" apps (which I for one don't trust for a minute) and cause the "coat-hanger" e-mails to tech support. ;)
Security plans should be beta-tested with non-geek testers over several weeks. After my favorite users forgot their PGP passphrases once or twice, I learned to accept that highly intelligent folks could not remember passwords that they didn't use every day. So, I compromised: I encouraged users who wanted a reminder to put mnemonics in their wallets... and to give me revocation privileges!
Does enforcement matter? I'd be lying if I said it didn't. However, the means in which it is dispensed is the issue. No one enforces a security policy? Don't be surprised when a stranger walks in the door. People enforce security like a police state? Don't be surprised when people in power abuse their abilities and allow their friends to skate around issues. Then, of course, there is the typical knee-jerk reaction when an event happens and everything is locked down to only be forgotten about two months later.
Use common sense, as it isn't common to most people. Tailor the security to the individual company; a meat processor protects their beef, Lockheed Martin protects missile technology--each is deadly in different ways.
--Chag
there you have it, my passwd (not to /. though)
1. The article focusses mainly on passwords, which is only a small part of security.
2. It gets almost philosophical when you argue about rules for passwords. As soon as you define a system or a set of criteria for passwords, you limit the search space for a hacker.
3. Changing passwords every now and then is a good idea, and so is educating people on the creation of passwords. Guessing the password of people you know is usually trivial.
Dude, just buy some scissors.
I've had this sig for three days.
*waiting for permission to speak*
"joshua".
And, yes, I WOULD like to play a game.
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
There's little point in having a security-review once per year and then assuming that you're then ok for the next year. If you don't have an ongoing approach to security, you don't have a secure system.
:-)
Every day I get reports from logwatch and tripwire on all the systems I look after. I look them over and query anything that catches my eye as unusual, or that doesn't correlate with the system-updates downloaded overnight. It takes about 10 minutes, and I do it over the first coffee in the office. It's just part of the routine. I insist on good passwords, and the machines are firewalled as much as possible. Got to leave that damn port 80 open though
I don't have the most-secure servers in the world, but I'll notice pretty quickly if there's something wrong with one of them, and I get an SMS if the chkrootkit program discovers anything...
I have a client who had an annual security-review process, and was hacked into, about 3 months after the review. The attraction was the bandwidth they have, I guess, and the first thing they knew about it was when that 200mbit pipe went crazy spamming people left right and centre... Their attitude changed when they suddenly got charged a lot of money for doing something they didn't even know about!
Simon.
Physicists get Hadrons!
As best I can tell, there's a direct trade-off between security and ease-of-use. So set the level of security you need, no more and no less.
And if your stuff needs high security, hire people that will understand that and not write down their passwords. Sorry; there aren't any magic-bullet solutions that will allow an end run around that requirement. If you need stuff that requires special handling (computer security or otherwise), and you don't think it's worth paying experts to handle it, you need to rethink your business model.
Sheesh, evil *and* a jerk. -- Jade
The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.
And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".
sPh
And the answer is:
:)
No, we shouldn't.
Any other questions I can help you out with
Exercise: Make a drawing on paper of what your system looks like from the point of view of people on the outside. Draw it in a similar fashion to how one might draw a house, or a favorite car.
A) If your picture looks like or includes any of the following objects, proceed to step C:
. A block of swiss cheese
. A large question mark
. A fat mall-cop with powdered sugar around his mouth
. A small child in a corner, crying, holding a security blanket
. A Diebold voting terminal
B) If your picture looks like or includes any of the following objects, proceed to step C:
. Fort Knox
. A medieval castle under siege with the invaders having boiling tar poured on them.
. A resettable Viet-Cong boobytrap with dozens of pigs already skewered on it
. The business end of a
. An illuminated Jesus standing atop a Sun E10K
. A solid, faceless slab of hyperdense radioactive metal extracted from the heart of a neutron star
C) You need to increase your system's security.
Bowie J. Poag
(and at least $3 billion of the 12 billion in losses wound up in India).
The first key to decent security is building a community in which people have at least a degree of trust and respect for their leadership. If you have that, good security practices can go a long way. If management is playing a negative sum game with their staff and the larger community, sooner or later someone more devious and less honest is going to show up and take over that game. Those that live by the sword die by the arrow.
His take is that we are required to remember a lot of hard-to-remember passwords. Which we can't really do well. So the best compromise is, instead of just picking easy passwords, to write the passwords down, and protect the paper fanatically.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
"NO CARRIER" still getting a funny?
... overlords
Interesting... that has to be one of the longest lived funny mod triggers.
Current funny triggers: SCO jokes, Golum speak.
Declining funny triggers: I, for one, welcome our new
Recently deceased funny triggers: Yoda speak
Deceased, but still occasionally funny: All your base..., In Soviet Russia...
Back when people were using Unix systems without shadow password files (or using NIS, which does the same thing), people could get access to the encrypted passwords and do an offline dictionary attack. Simple passwords were bad.
Now with most systems, you can't get at the encrypted passwords unless you've already compromised the system. Hence, any brute-force attack should be detected by the number of failed login attempts, and a full-fledged dictionary attack can be defeated by simply adding a second or two to the response from the authentication server.
So all you should need is a password that won't be guessed on the first few tries.
Set up Tripwire to send 10k volts down the appropriate network port in case something goes wonky!
Hate me!
The obvious answer: It depends on the value of what you are protecting and what it would cost to replace it. The problem is, after spending years of learning and loads of money on books, what security analyst is going to say "well, if the web server goes down, it would only take 15 minutes to restore from backup and cannot affect other systems, so there is no need for a $5000 firewall and the administration that goes with it." It is like asking a car dealer if we should replace our reliable sedan.
That said, the only effective way to maintain security when it is required is to keep it usable for lUsers. We all have our keychains for PGP, but how do you make an easy to use yet secure keychain for the end user? An encrypted program on a USB key? A login on a secured central server? We still protect our own dwellings, the places we keep our most valuable items, with a 50 cent shaped piece of metal. How much more valuable is that forwarded joke sitting on your hard drive at work?
And I have to spend nearly zero brainpower remembering a password. Here's what I do...
Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.
So an example phrase might be: "i love to post on slashdot"
which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:
"iltp05"
That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.
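The phrase-to-password scheme described in the comment above, as an added example that is not the commenter's code. It applies the two steps (first letter of each word, then the o/s digit substitutions) and then compares what a length-and-charset strength meter would report with the far smaller space an attacker who knows the scheme actually searches: one guess per candidate phrase, times the optional substitution variants. The substitution table and the size of the phrase list are constructed assumptions.

```python
"""Mnemonic password scheme plus two ways of sizing the result."""
import math
import string

# Letter-to-digit substitutions from the comment (o -> 0, s -> 5); assumed table.
DEFAULT_SUBS = {"o": "0", "s": "5"}


def mnemonic_password(phrase: str, subs: dict = DEFAULT_SUBS) -> str:
    """First letter of each word, then apply the digit substitutions."""
    initials = "".join(word[0] for word in phrase.lower().split())
    return "".join(subs.get(ch, ch) for ch in initials)


def charset_entropy_bits(password: str) -> float:
    """What a naive length-times-charset strength meter would report."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size)


def scheme_guess_space_bits(phrase: str, phrase_count: int,
                            subs: dict = DEFAULT_SUBS) -> float:
    """Bits faced by an attacker who knows the scheme.

    They guess the source phrase (phrase_count candidates) and, because each
    substitution is optional, every substitutable letter doubles the variants.
    """
    initials = "".join(word[0] for word in phrase.lower().split())
    optional_positions = sum(1 for ch in initials if ch in subs)
    return math.log2(phrase_count * 2 ** optional_positions)


if __name__ == "__main__":
    phrase = "i love to post on slashdot"          # the comment's example phrase
    pw = mnemonic_password(phrase)
    print(pw)                                        # iltp05
    print(f"meter estimate: {charset_entropy_bits(pw):.1f} bits")
    # Assume the attacker's phrase list has 1000 entries (constructed figure).
    print(f"scheme-aware:   {scheme_guess_space_bits(phrase, 1000):.1f} bits")
```

The gap between the two figures is the point: the password looks like six random alphanumerics, but its real strength is bounded by how guessable the phrase is.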
As you layer on more and more security, the organization will start working around the security measures in order to get their jobs done in a timely manner. Any organization that is crippling itself with overly cumbersome security measures becomes very vulnerable to social engineering.
As an example, take forced password rotation. If you make your users change passwords once a month, I guarantee you about a third of them will include the current month in their password, and another third will have a yellow sticky with the password written down either in their wallet or in their desk.
Remain calm! All is well!
These losers know nothing about sex, only masturbation. You'll have better luck asking the goatse.cx guy. At least he knows something about accessing openings.
Beyond that, no matter how good the solution, there are always those people who will try to end run it. Worse still, there are those who encourage others to also end run the system. At the top of the worse still pile is the manager who somehow or another thinks this person would be a good security pro...
Also, blaming the Universities is trite and unsophisticated. Please, folks don't go to University to learn about the real world; they go to learn theory, and play intellectual games, etc. etc. Where is the problem? Is it the people turned out by the Universities, or is it the people who hire University grads to do work which demands real-world utility? So, there weren't a dozen or so graduates of technical schools, whose training would be centered in the real world, not the theory, available to do the same job, right, at a lower cost?
I find it somewhat in poor taste to hang an entire industry for what more likely is the fault of their managers... I find it more unseemly to attack Universities for what they have always done, and what we expect them to do, although in all fairness, they do turn out the MBAs whose intellectual chauvinism probably has more to do with hiring the wrong qualifications for the job.
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.
Mea navis aericumbens anguillis abundat
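The two ideas from the comments above (detect a brute-force run by counting failed logins and slow each failed response down, and lock the account outright after three failures the way the ATM keeps the card) as an added example; it is not code from either commenter. The password store, the escalating delay schedule and the sample accounts are constructed for the example, and the clock is injectable so the lockout logic can be tested without actually sleeping.

```python
"""Server-side failed-login throttle with a hard lockout after N failures."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 3          # ATM-style: third wrong guess locks the account
BASE_DELAY_SECONDS = 1.0  # "a second or two" added to every failed response


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow hash so an offline attack is still expensive if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class Authenticator:
    def __init__(self, sleep=time.sleep):
        self._accounts: dict[str, Account] = {}
        self._sleep = sleep          # injectable for tests; time.sleep in use
        self.events: list[str] = []  # audit lines a logwatch-style review reads

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[name] = Account(salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> bool:
        acct = self._accounts.get(name)
        if acct is None:
            # Same delay as a wrong password so timing does not reveal
            # which user names exist.
            self._sleep(BASE_DELAY_SECONDS)
            self.events.append(f"FAIL user={name} reason=unknown")
            return False
        if acct.locked:
            # Do not even check the password once locked; an operator unlocks.
            self.events.append(f"FAIL user={name} reason=locked")
            return False
        if hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            acct.failures = 0
            self.events.append(f"OK user={name}")
            return True
        acct.failures += 1
        # Escalating delay: 1s, 2s, 3s ... per consecutive failure (assumed schedule).
        self._sleep(BASE_DELAY_SECONDS * acct.failures)
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.events.append(f"LOCK user={name} failures={acct.failures}")
        else:
            self.events.append(f"FAIL user={name} failures={acct.failures}")
        return False

    def unlock(self, name: str) -> None:
        """Operator action after the user has been identified out of band."""
        acct = self._accounts[name]
        acct.failures = 0
        acct.locked = False


def dictionary_attack_hours(wordlist_size: int,
                            delay_seconds: float = BASE_DELAY_SECONDS) -> float:
    """Wall-clock cost of an online dictionary run against one account
    if only the per-attempt delay applied and there were no lockout."""
    return wordlist_size * delay_seconds / 3600


if __name__ == "__main__":
    auth = Authenticator(sleep=lambda s: None)   # no real sleeping in the demo
    auth.add_user("alice", "correct horse battery staple")
    for guess in ("password", "letmein", "alice123", "correct horse battery staple"):
        print(guess, "->", auth.login("alice", guess))
    print("\n".join(auth.events))
    print(f"100k-word online run, 1s delay, no lockout: "
          f"{dictionary_attack_hours(100_000):.1f} hours")
```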
Sometimes security trumps usability. Tog is a usability guy; he wants things to be easy. Security is not supposed to be easy, that's the point. It's reality, and I hope any information system I trust piles on as much as they can.
The real fancy user names and passwords are "remoteuser1 remoteuser1"...ooooh! Bet that keeps them nasty hacker fiends out! Never thought we'd put a 1 at the end, did ya????
Meanwhile, FTP and telnet are used where SSH could drop right in...without any more hassle.
This has to be nominated for the longestarticlethatcouldhavebeensummedupintwosentences award.
Anywho, I purchased a program called Roboform. It comes in a free and a 'pro' version for $30. It autofills forms and such. The feature I like is that it includes a random password generator. This has gotten me into the habit of using random passwords for each and every site I log into. Previously I used the same password for many things, and if one system got hacked that would compromise all my passwords. This program stores all your passwords and encrypts them. You can also put them on a USB flash device if you want portability. Mind you, this is a Windows product. But it works for me.
Sometimes there is too much security and it is not proportionate with the risk of the data being protected. I find ING Direct to be annoying. Not only do they require the standard account # and strong password, but each time you visit you are presented with a random question such as first 3 digits of SSN, or last 4, or birthdate, etc. It's a savings account for crying out loud; if someone wants to hack in and deposit money, feel free.
Some other overly secure sites require you to re-enter passwords multiple times in one session. For example, amazon.com. You can be logged in and go to your 'account status' and have to re-enter a password despite the fact you just logged in a few moments earlier.
Lastly, if there is no physical security it doesn't really matter does it? If I can reboot the system using a linux/solaris/windows boot cd-rom/disk...
I'm not sure the health care example is a great example. Those security measures are related to health privacy (part of HIPAA). Security is taken a bit further because just because you can log on to a system doesn't mean you have a need-to-know on that patient.
My personal opinion is that we should be using some type of smartcard which when inserted enables our access in combination with a global PIN #.
Maybe it is time for a new authentication idea. Using a whole sentence instead of a single word/blob makes sense.
How about having users answer 10-X personal questions, like favorite color, maiden name, pet's name, etc., and require answers to 3 or 4 of them to log on to secure environments. Obviously some creative questions would make all the difference. Comments?
Plain "Security" is a matter of rm -rf /home/rsmith/
When Mr. Smith stops storing sensitive information on his home directory, things get so much easier to secure.
Remember, it's at least a triangle: security, availability, and redundancy. The goal is to strike a balance between the three. If you only want security, smash the machine, the drives, and the backups. Very secure as NOBODY can get to it.
On the other hand, real security has to balance with availability and redundancy.
He forgot one point in his Final Thoughts:
If you are a User: don't be so fucking stupid.
Not really appropriate to blame security researchers for other people's idleness. After all, all the new security stuff in the latest BMW may make getting into the car a bit more complicated, but does its owner leave it unlocked in the road? Or tape the keys to the door handle?
The point remains the same as ever; the tightest system in the world is only as secure as the habits of its users. If they can't learn to do it properly, they don't go near the system. Simple as that.
I do this with my spam-trap accounts ... but I don't trust my H.S. techs enough to duplicate that password anywhere. Nor do I (entirely) trust all the members of the LUG I belong to, so I use a unique password there ... so those 2 acc'ts, and others, have unique passwords even though they're non-critical.
I did some work for an internationally renowned company. Their IT department was (with good reason) obsessive about security.
To get your login, a representative of the IT department gave you a sealed envelope in person. Your manager was not allowed to receive it on your behalf under any circumstances.
To reset your password to the current day of the week, however, all you had to do was ring the helpdesk and say "I've forgotten my password, and my name is..."
There's resistance to changing this approach 'cos the complex password requirement and the enforced 30 day password expiration result in multiple daily requests for this.
Nicely illustrates the point, I think.
--- These are not words: wierd, genious, rediculous
As a security feature at work, we've started switching our more important boxes to key-only login. I've done the same to my boxes at home, for good measure. Now, I have 2 keys. One that lives on my box at home, and one at work. They don't exist anywhere else (other than a USB pen drive for backup), and will never be copied off of these drives. I use a relatively long passphrase (19 chars), but since I use ssh agents (and agent forwarding when it's safe enough to do so), I only ever have to type the passphrase once per day (the machine is set to forget the passphrase when I leave work).
Now if only all of those ecommerce type places would work with my public keys...
Do you really need reason for beer? Wingman Brewers
I hate it when stupid systems try to force me to use "better" passwords. many of my internet passwords (not slashdot) are just variations on 'password'. this is for things like forums where I couldn't care less if they got hacked, and would consider it a bigger security risk to give them a "real" password as it would give them an insight into my thinking.
when setting root/user password on SuSE 8.2 I noticed that if you set all lowercase passwords during installation it's fine, but if you try to change it to another all lowercase password later it bitches about it and won't let you.
I hate requirements on passwords. displaying advice about passwords is okay, but when you have bullshit like "must contain at least one capital and number" all you do is potentially force the user into using an unfamiliar password and hence writing it down or making it trivial or something.
I recently read a document proposing an alternative approach to an aspect of password management. I have since adopted this approach.
The paper said that one of the biggest threats to password security was the frequency that changes were required.
It seems that a fairly accepted norm is coming into being in the form of organisations requiring their users to roll their passwords once per month, and requiring that these passwords are unique. The problem with this requirement is that people are asked to remember so many passwords that they are tempted to either use weak passwords, or to write them down and stick them to something. Hence the previously secure password is now compromised.
The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter). As a result in any year they have to get to know only 4 passwords (instead of 12), and as such can handle better quality passwords more easily.
My users are far more happy with this approach, and now see it as a reasonable compromise. As such they now buy in to the concept and we find far fewer people breaching the password policy.
So, whenever I am faced with the now dreaded "Please type a new password" prompt, I transpose two letters in my current password, then after entering the site, go back and change my password back.
A pain in the ass, and just gets me annoyed with my bank, I don't feel anymore secure with a new password than the old. So why change it? And for that matter, if they are forcing me to change my password, why let me change it back immediately?
If you are one in a million, then there are six thousand people who are just like you.
I believe in letting the user select their own password, but to a point. Meaning I don't let them do smith1 or johnsmith1. Something *they* can remember. To me, if the user can remember it, it means it's not printed anywhere on the workstation or desk.
This is a test. This is a test of the emergency sig system. This has been only a test.
At least you weren't using 12345...
20 January 2017: the End of an Error.
Don't use capslock. It's like yelling.
--Flatulance is the number one cause of a poor karma.
If you are a designer who must work with a D'ohLT, don't despair. Treat him or her as mildly retarded, in need of help, not criticism, and you will get along fine.
I'm sorry, but the evil is welling up within me. Do you clap and go, "Hooray for the special manager!" when someone actually grasps these concepts? Or do you speak to them in terms like "Pak Chooie Unf" or "Timmah"?
Ugh... the evil is now going away...
--Chag
The simplest way to lock down your system is to give the users one-time password tokens like SecurID or Cryptocard.
You've got separate passwords for any forums, any games, any webmail, your ISP email, any school/corporate/home/other logins, any websites, any other services that need a password, right?
Oh, and you don't have any of them recorded anywhere too, right?
Oh, you also change them regularly to something completely different but equally secure, and don't record the new password, right?
I call bullshit. Using secure passwords is all well and good, but being expected to have to keep a separate PW and login for every single account you have is completely insane. While I hate to say this, what we need is a _trusted_ service to authenticate who you are and then allow access to all your varied accounts.
Either that, or we need a massive push to allow using public/private keys to authenticate identity. Of course, that'd have to be linked to a concrete device to carry a key of any meaningful length. But what's the problem with this I ask, after all, people carry credit cards all the time.
If you use a smartcard to carry the key and perform biometric identification of the user, which then transmits to the {blank} that user X with key Y is logged into computer Z, at which point the {blank} considers "Is the key Y the right key for user X? and is user X authorized to do {blank}?"
All that's needed to allow this to work is a trusted authority that can issue smartcards and keys to people. As for how the authority checks identity, governments issue passports/driver licences/security clearances all the time, so obviously a mechanism exists to verify that a person is who they say they are.
And don't say that 'for sites that require extra security, they can just use a password for added security'. This is wrong: we need to move from a security system which verifies on the service end based on information provided by the client to a system which verifies at the client end based on information provided by the service.
The whole discussion is bizarre and seems to be based on frustration that some bozo is unable to use the same password for every context that requires authentication. Hard to believe anyone could be this idiotic: such a practice allows an admin from one context to guess your credentials for access to another. For example, any idiot who uses the same password for some-random-ecommerce-site.com and paypal.com deserves to get his paypal account drained by someone who breaks into (or works at) some-random-ecommerce-site.
Maybe a discussion of the impact of general security measures is warranted, but it's totally inappropriate as a response to a dumb question about password policy, a topic which, by the way, has been discussed to death in security circles. But given that Mr. Tognazzini appears to actively advocate sharing passwords among multiple domains, why are we even bothering to talk about anything he has to say on this issue?
The correct answer is, yes, have a database, yes, encrypt it, yes, use a different password for every domain. For convenience, use a browser that has a decent password manager.
The thing that burns me in this domain is services that require the last four digits of your SSN as a PIN. This is truly brilliant because it allows someone to brute force guess your SSN serial number in only 9999 tries.
actually, you told everyone your password
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
YOU'RE WINNER !
Another lame blog
Here's a simple trick to curing the password problem. Think of a sentence that describes the purpose of using the password. I might use a sentence like "I want to see how much money I have in the bank." to help me remember my banking password; the password then becomes either the first or last letters of the sentence, complete with punctuation. I mentally say the sentence to myself until the password itself is memorized (and even then, I find myself thinking the sentence) and type the appropriate letters. My banking password then becomes "IwtshmmIhitb." I find that it is much easier to remember a sentence than it is to remember some obscure password, and that a strange enough sentence (Wow man! Did you see the size of those CHICKENS? Wm!DystsotC? ) makes for some unusual but easily remembered passwords.
I want a 'USB Key' which contains
1 - Method of selecting a number between 1 & 16
2 - 16*64bytes programmable flash memory
3 - 1 button
Now, I program in all my 64 character passwords (16 of 'em), and when I sit down at any computer, I just select the password I want on the DIP Switches or whatever, press the button, and it's sent in through USB as if typed on a keyboard.
If you integrate this with a 'proper' USB Key, too, it gives you a pretty tight security solution. Assuming your computers don't have software keyloggers, and you don't get mugged...
Looking for a decent password?
"apt-get install pwgen" for a program that can produce (among other things) pronounceable passwords.
Or grab some dice and go to: Diceware.
Pretend your job has three computer systems: one holds personal information, one holds company proprietary information, and one holds government information (it could even be classified). What everyone seems to be forgetting is the fact that the system admin of any of these systems can, ultimately, find your password- one of the inherent dangers of the "root" concept. This means that if you use your one password and username for all of these systems, the sysadmin who runs the network with company proprietary information can access not only your personal information on the other network, but also the government network (which, if it's classified, could end up being a crime).
Or to put it simply, do you want the paypal admin to log into your amazon account?
This was a technique to steal accounts back in BBS days- you'd set up your *own* BBS, and wait for the users. Some of them you would recognize, and some of those would use the same password as elsewhere. Statistically effective.
This is almost never a reason to not reuse a password (I have about seven passwords I use, but even there is a whole lot of repetition, and I have some themes I base it on- otherwise, I'd only run about one or two), but it is the reason behind *part* of the mess.
I can't really defend having to change a strong password, and if they want it changed sometimes all they would need to do is just force a change once every year or two- everyone I know at work just has theirpassword1, theirpassword2... and when the system complains about that, you just find a way around it. So the net effect is that a hypothetical cracker takes maybe 10 times as long to check 0..9 postpended, assuming they don't do that already.
"iltp05"? Hey! I have exactly the same password! But my sentence was "i like to pray on sunday".
The point being that your passwords use letters with a biased distribution, and there is a fairly strong correlation between consecutive letters. So the entropy is very low, and a markov-chain attack could crack these quite easily, even with some lame numeric substitutions.
(Posting as AC to prevent someone from guessing my real algorithm.)
I'd like to suggest a method for creating passwords for sites; I'm sure it's not unique to me, but it's effective, more secure than sticky notes, and not very time-consuming.
The technique is to use a simple algorithm to create the password, seeding it with a unique identifier from the location where the password is to be used. This way, you can remember the algorithm (even write most of it down if you like) and yet the password for each site is unique, and if stolen doesn't give the intruder access to any other site. (If your algorithm is good, it would make it hard for someone given 2 or 3 of your passwords to figure it out.)
For example with a site named "acmewidgets.com" my algorithm (modified) is:
My actual algorithm makes it a little harder to see english words in the final, but like the above produces a 8-character password (often one of the boundaries for password limits, e.g. 2-8 characters or 8-15 characters) with both mixed case and digits. It is almost always valid for password security checkers, and (in my opinion) is reasonably secure. And yet I never have to remember my password for various sites, I just recreate it on the fly.
And almost always, if a site is used often, even the complex-looking password it creates is not hard to memorize through the use of mnemonics. (The human mind is a wonderful thing.)
The above algorithm doesn't allow variations for more/less secure sites, or backups when passwords expire. (I hate expiring passwords. If the account is compromised, it's compromised...expiring the account every 6 weeks doesn't undo the damage.)
P4ssw0rd!
You will note that it has all of the elements of a good password such as both upper and lower case letters, numerals as well as characters and punctuation. It's also easy to remember.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Mwahaha the infidels attempt to imitate the mighty Kelz, but fail miserably due to the extra --!
Anyone remember this? "My voice is my passport. Verify me."
Security is like Oxygen.
Some is better than none.
Too much and things tend to go up in flames.
Enough security that users do their best to ignore/circumvent it is counter productive
Most people forget CryptoGnomes "Golden Rules of Security":
One day, your security will be compromised.
More than likely, sooner than you think.
Almost certainly in some way you did not (perhaps even could not, reasonably) have expected.
What will you do then?
I'm sure you've all heard it said before security is a process, not a goal. The best you can ever hope to do, is make it harder for someone to breach your security than they think it's worth, and to have a plan for when someone comes along who thinks no effort is too much.
Either that or drop all your computers and networks into a large vat of suitably potent acid, and take up a new career; like basket-weaving.
Visit CryptoGnome in his home.
1. Standard passwords themselves are worthless. SecurID and SmartCards remove the simple password problem. If you're scared about simple passwords (you should be), then use one of these systems. They aren't cheap but then again, the internet doesn't run on Netscape 2 (it evolved) and so should your security policy.
2. Any Internet attached system is a critical system. If you don't or can't patch it, you shouldn't own it. You're a risk to everyone else.
3. Security is about taking in the big picture. Note the big picture doesn't include requiring users to be unaware of security policies. If users can't follow policies then those persons have failed as well as the security staff.
4. A secure environment only provides those things someone . Not some stupid disney calendar package, some stupid shareware package, or electronic card games.
5. Wireless networks have very little use in a secure network unless designed.
6. I think the biggest mistake is that most users treat their computer like a VCR even though it is nothing like a VCR. It can be used for good and bad. Good - actual work. Bad - collecting child pornography. Users should get recurring training to assure they understand the existing systems that they interface with.
7. Security persons should not architect bass ackwards designs that hamstring efficient routing/filtering with unintuitive designs. Poor designs lead to long outages and easier ways to mask behavior.
The upshot of all this is that it allows you to generate good, strong passwords like series of letters, numbers, and special characters that have a high amount of entropy but are too difficult to remember. So long as you have a very strong login password (this was not possible in MacOS X 10.2.x and earlier), they will be protected by the keychain.
This is similar to Bruce Schneier's Password Safe and is more convenient in many respects than his solution of keeping his passwords written down on a piece of paper in his wallet. He argues that we all have a lot of real-world experience at keeping our wallets safe, but I have a lot of passwords. How many do you have? Does anyone else dig around in your wallet, like your wife? What if she found out you had a password to someplace you shouldn't, like... uh... Slashdot?
I like my keychain. I'm surprised Tog never mentioned it. Wasn't he an Apple guru at some time?
Can't you see that everyone is buying station wagons?
Did it ever occur to you that maybe the "human factors" are a "hard problem?"
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
After perusing the article, I didn't see any solution brought forth by the author. If the issue of security was so easily solvable then it would have been done. Why bother reading such trollish drivel?
If this isn't another ultimate security article.
So here is again the ultimate security answer: "Turn that damn ding off!"
A recent article at Ask Tog raised the common argument about how much security is good.
how much security is good??? are we devolving?
is a little bit of security pretty good, a little more gooder, and some more on top of that goodest? or can there be less good security if you add too much?
how much security is enough.
how much security is sufficient.
how much security is right.
how much security is the proper amount.
how much security is too much.
i swear to god, if anyone who is in my employ ever writes "how much security is good", i will print out that sentence, attach it to a pink slip, and employ a number 2 pencil to affix the both of them to that person's eyeball.
In light of this recent article, we request that all slashdot readers surrender their passwords in replies to this post, so that we may confirm these findings ourselves and set out some recommendations for increased security.
Thank you,
Slashdot administrators
Security is nothing special in itself, it's just another aspect of a problem: all problems have many aspects and as you suggest, usability is another aspect of a problem. Turn the technical aspects of the security lever the wrong way (e.g. too frequent password changes), and you lose on usability, and this potentially has a negative impact on the social aspects of the security level (e.g. the passwords are written on a post it note).
Really, it is about economics and engineering: using the measured amount of resources to solve the problem holistically, technically and socially; understand where all the impacts and flexible points are. This is no easy task though. Peter Neumann and RISKS have been teaching us these lessons for many years, so there's nothing new here, but it is important to continually reevaluate.
I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.
The password db is blowfish encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) backup the Password Safe db to multiple places.
The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).
In addition to me remembering a strong, self-chosen password for the bank, the bank uses a challenge-response system. After entering my password, the system says something like "Enter code #14 on your code-card". That code is found on a card I keep in my wallet, and each code is used only once. When there's just ten codes left, the bank sends a new card. This way, even a person with access to my keystrokes and my screen won't be able to access my account.
There seem to be a few strategies for remembering passwords:
I actually keep a lot of post-it notes and scraps of paper next to my computer, but those are full of level codes, cheat codes and glyphs for games. Almost a hundred of them. Would be funny to see some poor information thief trying all those "passwords".
I am going to take classes on information security next year. The combination of personal password and physical artefact seems to be the best method for high security in industry today. (I.e either password+codecard or password+smartcard.)
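The code-card exchange described in the post above, as an added example that is not part of the original post and not any bank's actual implementation. It models the server side only: the bank mints a card of one-time codes, asks for a random unused index after the password step ("Enter code #14"), refuses a code that has already been consumed (which is why a keylogger that saw the keystrokes and screen gets nothing), locks the account after repeated wrong answers, and flags the account for a new card when ten codes remain. The card size, code length and lockout threshold are assumptions.

```python
import hmac
import secrets

CODE_LEN = 6
REISSUE_WHEN_LEFT = 10  # from the post: a new card is sent when ten codes remain


def issue_card(n_codes=50, code_len=CODE_LEN):
    """Bank side: mint n one-time numeric codes from the OS CSPRNG.

    The same list, numbered 1..n, is what gets printed on the customer's card.
    Card size and code length are assumptions for this example.
    """
    digits = "0123456789"
    return ["".join(secrets.choice(digits) for _ in range(code_len))
            for _ in range(n_codes)]


class CodeCardAccount:
    """Server-side state for one customer's card (constructed example)."""

    MAX_FAILURES = 3  # assumption: lock after three consecutive wrong codes

    def __init__(self, codes):
        self.codes = list(codes)
        self.used = [False] * len(codes)
        self.failures = 0
        self.locked = False

    def remaining(self):
        return self.used.count(False)

    def needs_reissue(self):
        """True once the stock is down to the reissue threshold."""
        return self.remaining() <= REISSUE_WHEN_LEFT

    def challenge(self):
        """After the password check: pick a random unused index (1-based, as printed)."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("card exhausted; customer must wait for the new card")
        return secrets.choice(unused) + 1

    def verify(self, challenge_no, submitted):
        """Check the customer's answer for the index we asked for.

        A code is consumed on success, so replaying a captured code fails even
        if the attacker also captured the password.
        """
        if self.locked:
            return False
        i = challenge_no - 1
        if not 0 <= i < len(self.codes) or self.used[i]:
            return False  # unknown index, or a code already spent (replay)
        if hmac.compare_digest(self.codes[i], submitted):
            self.used[i] = True
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    card = issue_card(12)
    acct = CodeCardAccount(card)
    n = acct.challenge()
    print("challenge #%d ok:" % n, acct.verify(n, card[n - 1]))
    print("replay ok:", acct.verify(n, card[n - 1]))
    print("remaining:", acct.remaining(), "reissue:", acct.needs_reissue())
```

The index is chosen at random rather than sequentially so that a partial photograph of the card does not let someone predict which code will be asked for next; the only state the server needs per customer is the list of spent indices.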
My password is easy to remember, it's just eight asterisks:
'********'
Sometimes I forget exactly how many, but I usually get it right the second time.
Most brute-force and dictionary approaches aren't performed on the live system.
Typically the password file is stolen, or the algorithm discovered, or some other means is applied to get a local copy of the system to work on at the cracker's leisure.
Therefore, it doesn't matter if the system stops you from having more than 3 tries or not - it won't actually slow down a cracker, but it will piss off users who have to remember 10 passwords anyway, and might need 5 tries to pick the right one.
All of this talk about real security in the example hospital setting, and how users resorting to sticky notes are less secure than no password at all?
The point is not to be secure from unauthorized access. The point is to be secure from liability!
If users resort to stickies then they are the ones violating policy, not the hospital administration. Go ahead and use your associate's login while you wait forever for IT to give you access.... as described in the article. But do so and you take responsibility for having violated the rules. Wait until you get your own login (as the company policy probably says you should) and you will not incur such liability.
As long as technologists ignore the real world, we will not have functional IT. It may be painful to wait for the system to solve its real world problems (just imagine the doctor simply not doing any work until she got her login account several weeks into the job), but unless we let the whole system find and fix its mistakes, we will keep chasing our tails. It is certainly not about whether or not certain passwords are more secure than others.
Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.
;-)
I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name -- because I type it so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter.
As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; Seems to me, mine are just as easy to remember.
Just hope I don't someday encounter a Dvorak!
that's funny, that's the same combination I've got on my luggage
Hail Scroob!
They will never stop until somebody makes the
Now we just need to find your machine.
-g.
I saw a movie about some guy named Nash who did sort of the same thing with newspaper and magazine clippings.
However, at the moment, passwords can't reasonably be made any more complex without sacrificing the ability for the user to remember them without using some other device, and at that point, what's the point of a password in the first place, all someone needs to do is get their hands on the device and they've got access to all the other person's passwords.
Keys are a good analogy to a system that would work, you don't have to remember the exact contours of a key, just that this is key (a physical object that we can carry around with us) is for this lock. What if it was possible to do the same for account access?
I have the exact same three tiered system (and I actually think a lot of other people do as well) with passwords that are more widespread as the risk of damage from a compromise matters less.
However, I hate expiry. If I already have a good password like xjxuj494o4ol4 that I can really remember and type, I use that. Even if I use a password like that for a few years who is really going to crack it? I have had the same simple password on a number of sites for over ten years now, with no problems - even letting a number of friends and co-workers know what the password is a number of times!
At work they make me change my password once a month. I have given up on anything really secure and write whatever simple password I select (usually something like "gipgip") in pencil on my monitor. I feel a little bad for my company hosing the security like that, but they have made it inconvenient for me to use a real password so I just keep it simple.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Your avg key has about 8 bumps on it. A 128 bit key would have 128. That's a much longer key. You'd need much better machining tolerances and metals so that it wouldn't bend, and be made unusable, and I'd hate to fall on my keys with that in my pocket.
Yay me!
Should we be allowing simple passwords?
How many Windows virii would have been thwarted by better passwords?
When most people think of security, they're not thinking of someone logging on. They're thinking about malevolent code.
Tog has a point. If smart people bang on a problem for years and years without eliminating it, maybe it's time to look at a different approach.
Consider what might happen if a national ISP laid on draconian and restrictive measures but promised "No Spam! No Viruses! No Worms! No Problems!" and actually delivered it for, say, $75.00 a month.
-- Slashdot: When Public Access TV Says "No"
You change the password.
So this guy makes a database of all his passwords. That's not such a stupid idea - so long as the database itself is encrypted and you have one really good long high-entropy passphrase to unlock the database. Gringotts does something along these lines, so does the password manager in mozilla.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
Only about 20% of the attempts are actually people attempting to use exploits, bugs, or brute-force a password. There are measures against this 20%, but the other 80% has to have educated employees or a policy that is followed.
I have seen some people still have access months if not years after leaving or being let go, which is just bad sys management.
Human error is 90% of the security threat...
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
I hear people worry about security on a daily basis and what many of them fail to realise is that is essentially a problem of identity.
Security is the process by which you determine if somebody is allowed to see the information concerned - this hinges on who they are and what they are trying to access.
How do you prove you are who you say you are?
This is actually a very difficult question.
That aside (for now), all security/identity is built around 3 things:
1) Something you know (usernames, passwords, etc)
2) Something you have (secureid cards, tokens, passes, etc)
3) Something you are (biometrics, fingerprints, retina scans, genetics, etc)
The first two are easily overcome with some creative thinking - read Kevin Mitnick's "The Art of Deception".
The third has the same problems the other two have - how do you establish identity to begin with?
Anyone can claim an identity, all you need is the documentation to "prove" it and these can be forged or obtained with little effort. So how can you ever really know who you are dealing with?
I don't make predictions, and I never will.
This scheme used to work really well for me, until your post. I had to &^$#% change my slashdot password...
The problem is: There is no good keyring for us to store passwords in.
If you have 15 keys and you must carry them all in your hands at all times (no keyring, no pockets, no putting them down) then you get the same kind of problem as walking around remembering 15 different passwords at once (especially when all 15 must be changed every 60 days)
This doesn't understand. The hospital security engineer's job is not making the hospital's systems secure. His job is making them compliant with Federal regulations.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Well, then I guess it's quite simple. The computer eats the user after entering an invalid password three times.
That'd be sweet.
One approach I've been considering is to have an MD5 script locally. Type in a "master password" and some unambiguous string identifying the password, and hash.
i.e.
MD5 ("MasterPassword_slashdot.org") = 059d489d8abe157ebfbbf793c3532f07
Simple enough to recreate more-or-less anywhere, and easy to remember.
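Added example, not the poster's script: the derivation above in Python, beside a slower, salted variant of the same idea. Both take a master password plus a site identifier and produce a site-specific password, so one leaked password does not open any other site. The caveat with the plain MD5 form is that every site receives the derived string in the clear, and a single fast hash lets whoever holds one derived password test master-password guesses offline at MD5 speed; the second function uses PBKDF2-HMAC-SHA256 with the site name as the salt so each guess costs the full iteration count instead. The master password, site names, output length and iteration count are placeholders.

```python
import base64
import hashlib


def md5_site_password(master: str, site: str) -> str:
    """The scheme as posted: one unsalted, fast MD5 over master + '_' + site.

    Deterministic, so it can be recreated anywhere, but the speed of MD5 is
    exactly what makes offline guessing of the master cheap if one derived
    password is ever captured.
    """
    return hashlib.md5(f"{master}_{site}".encode("utf-8")).hexdigest()


def kdf_site_password(master: str, site: str, length: int = 16,
                      iterations: int = 600_000) -> str:
    """Same inputs, slow derivation: PBKDF2-HMAC-SHA256, site name as salt.

    The iteration count (an assumption here) is the knob that multiplies the
    cost of every offline guess; raise it until derivation takes a noticeable
    fraction of a second on your own machine. The base64 encoding keeps the
    output printable and usually mixed-case with digits, which most site
    policies accept; trim `length` to fit a site's maximum.
    """
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site.encode("utf-8"), iterations, dklen=32)
    return base64.b64encode(raw).decode("ascii")[:length]


def derive_for_sites(master: str, sites, slow: bool = True) -> dict:
    """Derive one password per site; used to show that outputs never collide."""
    fn = kdf_site_password if slow else md5_site_password
    return {s: fn(master, s) for s in sites}


if __name__ == "__main__":
    # Placeholder master password and site names, constructed for the demo.
    print(md5_site_password("MasterPassword", "slashdot.org"))
    for site, pw in derive_for_sites("MasterPassword",
                                     ["slashdot.org", "example.org"]).items():
        print(site, pw)
```

Because the site name is the salt, renaming a site (or a site changing its domain) changes the derived password, which is the same "no variations for expiry or per-site strength" limitation noted earlier in this thread; a version counter appended to the site string is the usual workaround.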
Hexayurt - open source refugee shelter,
Security on a box, network, intranet, all thin down to a fine line when it comes to this.
For example, a workstation in a restricted room or office would have less security for the end users. In this case you simply don't need to secure the box against its owner. If the security is too heavy, productivity would be sacrificed.
In contrast, a workstation in an easily accessible office or room would have more security. Here, anyone could access the computer, and if the security is too light, the end users would be able to edit, transport, or destroy sensitive corporate files or data.
Same thing for a network or intranet. I wouldn't install the same level of security in a home network as I would in a school or office network. At home, my family needs to access the Internet NOW and not after they've been interrogated by security policies.
At a school or office, users should be restricted to a higher level of security because you can't trust everyone the same way as your family, nor do you know the abilities of each fellow employee. ( I can't trust my sister at home, but a password is all I need to detour her efforts elsewhere - simple security for a simple mind ).
You are confusing me with someone who cares.
Every damned time there's any story about security, some asshat has to make this stupid ass joke. Stop modding it funny, it's old and retarded.
Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?
If you've 'increased security' then you are not allowing simple passwords! If your users have convinced you that strong passwords are that hard for them, then you have been duped by the legions of laziness, my friend. Any security-minded admin knows that their users are their biggest potential liability. Hasn't 20 or 30 years of witnessing the effects of trivial passwords and social engineering taught us this?
Coddling users to the point that you allow them to become a liability and a target is the equivalent of leaving a key under the door mat. If you and your company can't/won't create a policy that demands individual responsibility, you might as well quit kidding yourself that you truly desire security. And get out, because you're just setting yourself up to be the fall guy when the company wants answers why there was a compromise. They're not gonna say "oh, yes, because we forced you to water down security", they're gonna blame you and hire someone else to be their strawman.
- I am made of meat.
Get yourself a Radius server and use RSA and/or Vasco tokens with it. You can authenticate to the Radius server for VPN connections or for secure web access, et cetera (PHP and Perl can do this, the code is out there).
Your users only have to remember one pin-- the one for their personal token they carry. They punch in their pin, get their one-time-password, passwords expire after 60 seconds or so.
This works well as a compromise-- users seem more willing to carry a token when faced with the asinine alternatives (6+ passwords?).
Or, if you're stuck on the user end, do what Bruce Schneier sez: "You can't memorize good enough passwords any more, so don't bother. Create long random passwords, and write them down. Store them in your wallet... Guard them as you would your cash."
When did the future switch from being a promise to a threat? -C. Palahniuk
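The token flow described in the post above (PIN plus a code that expires after about 60 seconds, checked by a central server), as an added worked example that is not part of the original post and not the RSA or Vasco algorithm: it assumes an HMAC-SHA1 over a 60-second time counter with HOTP-style truncation, a constructed seed, and a constructed user table, and it shows the two checks a practitioner wants on the server side, a small clock-skew window and replay rejection of a code that has already been accepted.

```python
"""Time-windowed one-time password with a PIN prefix, verified RADIUS-style.

Added illustration, not the RSA/Vasco algorithm: the derivation is an assumed
HMAC-SHA1 over a 60-second counter with HOTP-style truncation.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60  # the "expire after 60 seconds or so" window from the post


def otp_for_window(seed: bytes, window: int, digits: int = 6) -> str:
    """Derive the code the token would display during one 60-second window."""
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_display(seed: bytes, pin: str, now: float) -> str:
    """What the user types: PIN followed by the current six-digit code."""
    return pin + otp_for_window(seed, int(now // STEP_SECONDS))


class TokenVerifier:
    """Server side: holds (seed, PIN) per user and rejects replayed codes."""

    def __init__(self, users):
        self.users = users      # username -> (seed, pin); constructed table
        self.seen = set()       # (username, window) already accepted

    def verify(self, username: str, passcode: str, now: float, skew: int = 1) -> bool:
        record = self.users.get(username)
        if record is None or not passcode.isascii():
            return False
        seed, pin = record
        pin_part, code_part = passcode[:len(pin)], passcode[len(pin):]
        pin_ok = hmac.compare_digest(pin_part, pin)   # constant-time comparison
        current = int(now // STEP_SECONDS)
        matched = None
        # Accept the current window plus `skew` windows either side for clock drift.
        for window in range(current - skew, current + skew + 1):
            if hmac.compare_digest(code_part, otp_for_window(seed, window)):
                matched = window
        if not pin_ok or matched is None or (username, matched) in self.seen:
            return False
        self.seen.add((username, matched))            # one use per window
        return True


if __name__ == "__main__":
    seed = b"constructed-token-seed"
    server = TokenVerifier({"alice": (seed, "1234")})
    code = token_display(seed, "1234", time.time())
    print("first use accepted:", server.verify("alice", code, time.time()))
    print("replay accepted:   ", server.verify("alice", code, time.time()))
```

The replay set grows without bound here; a real server would only keep entries for windows still inside the skew range. The PIN and code are compared separately so that a wrong PIN and a wrong code take the same time to reject.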
Step 1 through step n-2) {blank}
Step n-1) ???
Step n) PROFIT!
While this is not allowed by many websites or by UNIX crypt passwords, Diceware makes for very good passwords that are easy to type and remember.
Basically, you take a list of words indexed by all possible rolls of 5 dice, 11111 through 66666. You roll 5 dice and pick a word, and repeat to the desired password length, e.g.
cleft cam synod lacy yr
Sure, your password is longer this way, but you can memorize it easily and type it quite fast as it is a series of English words.
For my secure passwords, like PGP keys or banking, I use Diceware, 7 words. This is some 85-90 bits of entropy and pretty much unbreakable for the foreseeable future. For account passwords I use 3-4 words, which is enough that a database thief will break someone else's login first. For crypt shell accounts, I use mixed-case alphanumerics (similarly, about 48 bits of entropy). This adds up to under 10 good passwords to remember, and I don't change them often (no good changing a PGP password anyway, and I only change shell passwords occasionally).
For most websites (/.), I use a family of very weak passwords (a couple random words and symbols, but varies little from account to account), as I don't care much if you hack here and post in my name.
All these are in a heavily backed-up text file in case I forget them, encrypted with my PGP key.
I hereby place the above post in the public domain.
Dude, that's great. Thanks.
I'm a pen tester. I see about 5,000 to 10,000 systems a month.
My top three passwords to test:
""
"password"
"p@ssw0rd"
Welcome to the real world.
That made me grin :) Just listen to all the busy little keyboards as rokzy is tried as a username by 27,000 people at /., buy.com, CompUSA, Newegg, Amazon, and B&N. Someone is getting some free hardware tonight..
Security no longer means security. Security is just another cog in the corporate wheel with budget numbers to satisfy thousands of shareholders who wouldn't know security from a coaster tray. With that in mind then there is no surprise that security has become a useless industry of productivity-killing gadgets directed by people whose certifications on their resume make up for their mediocrity on the job.
Most security departments try to fix security problems by implementing safety nets (netwatchers, redundant firewalls, active real-time scanners) rather than implementing prevention. Prevention means educating people about safe computer practices--like safe sex. The safest sex is abstinence--keep your clothes on, all zippers closed, and don't kiss people who've been around the block. The safest computer use is to view only the documents that you need and don't open documents from people who are frivolous with their computer use. Sex is acceptable (at your own risk) once married. Unsafe computer practices are acceptable (at your own risk) once you're on your home computer.
To illustrate how safe computer use is effective: I run my Debian, LFS, and Win98 all without any firewalls or active virus scanners (I scan once every few months when I get bored). My only remote security measure is a 4-port router connected to the cable modem. Three years since my last complete rebuild I still have no viruses and have not been rooted or compromised even once.
+++ATHZ 99:5:80
All the responses about how/why to select passwords miss the point that if the user doesn't have an incentive to remember them without the use of sticky notes, the password complexity is useless. Same if the rest of the system allows the passwords to be sniffed on the network, sent in clear somehow (by return e-mail for example) or any other weak link in the chain.
The example in the article of the hospital (and note that all in the US are under the same gun) points up the fact to me that either the IT person didn't understand the problem or was trying to cover their butt because they lacked the authority to put in place the policies that would make the users actually follow the policies and I'm betting that it was the latter!
If I'm in charge of security (not just the IT portion of it) and management won't let me put in place a policy that spells out what will happen to employees that subvert the security implementation and back me up when I have to apply the policy's warning and penalty portions, then I'm out of there!
1 - Anyone caught writing their password down on anything will suffer punishment
2 - Anyone allowing anybody else to use their account/password will suffer punishment
3 - Anyone leaving their workstation logged in and not protected with the approved screensaver/password will suffer punishment
etc.
Punishment to be:
first offence - note in personnel file and severe dressing down including things to the effect that if they can't remember the passwords then they obviously don't have the necessary skills for the job
second offence - time off without pay or outright firing
if allowed to get to a third offence, it is either them or me - and I'm betting it is them, and damn the unions and labour relations - they're unfit for the job.
And the response to the post about it being a matter of managing the liability - if the employee is still an employee and the above policies are not in place and followed through on, then the liability is on the company/HMO or whatever. The penalties are enough to bankrupt an HMO and nobody will take "it was the employee's fault" as an excuse no matter how onerous the security techniques look on the surface. It is the follow through that proves that the policies are what they need to be - enforced.
I'm just glad that (so far - but Jan 1 is coming) Canada doesn't have the laws that the US has currently.
Been there, done that, paid for the T-shirt
and didn't get it
People typically have a lot of different accounts that need passwords, and this is a problem for several reasons:
- the different sites/accounts have different policies for what a "strong password" is and how often you are forced to change it
- some accounts are more trustworthy than others (your bank will never reveal your PIN... but some random website--slashdot for example--might be hacked and your password might be vulnerable)
- different levels of security are used to protect the different passwords.
So I use the following simple rules:
(1) build all my passwords out of two or three 'building blocks' of random alphanumeric characters.
(2) When changing a password, I change at least one block and leave at least one block the same as it was before.
(3) I mentally assign each account to one of three categories: 'important' (bank PINs and other uses where security is crucial), 'somewhat important' (various work-related passwords, etc) and 'unimportant' (internet e-mail, web sites where I don't use a credit card, etc).
(4) NEVER use a password in more than one category.
(5) EVERY 'important' account must have a UNIQUE password that I don't use for anything else. Some 'important' accounts will allow very long passwords; I have a few that are >20 characters long.
(6) NEVER write down an 'important' password anywhere, unless the loss of the password would be unrecoverable.
(7) Change 'important' passwords every month or two, and 'somewhat important' passwords every 3 or 4 months or so.
(8) 'somewhat important' accounts may use the same password as other 'somewhat important' accounts with a similar purpose (all work accounts, for example). 'unimportant' passwords can all be the same, unless I particularly don't trust the security of the site in which case I usually vary one of the blocks.
I have had good success with this strategy (remembering the 'blocks' is similar to remembering telephone numbers... so remembering a password is like remembering telephone numbers. N.B: *don't actually use* telephone numbers =P)
From my experience working for data security companies this is absolutely true. You can always get more bucks from a client by pointing out possible disasters ... this is of course with people like banks for whom such disasters must never happen.
Personally, although I long ago used to joke that in data security "paranoia is a virtue" I must admit I've come to believe it myself.
In fact .. yeah I'll do this as an AC and then go hide behind my firewall.
At least that's what this unregistered guy thought. Ha! Free /. access. Wait? It's already free? Damnit?
I get like that also. To the point I have problems giving the password to the trusted, like my wife or boss, over the phone, in cases where I just have to. I can't remember the passwords well without a keyboard in front of me.
The danger for me seems to be a sudden disconnect with the passwords that doesn't happen with absolute memorization of the password's characters. The passwords I know by "finger/muscle memory" seem susceptible to blanking out of my head if I don't use them for a while, whereas the memorized passwords are pretty ingrained. Your mileage may vary...
Asshole!
Fortune 500 sysadmin here. I got kidnapped and gagged by criminals working for a competing firm. I was instructed to write down our master password. I couldn't, and I couldn't explain why because of the gag. They started to hit me with a phone book, went on to electric shocks, and went on and on from worse to horrible.
They were amazed I was so resistant to torture. Normally they "get what they want after the electroshocks", they said. I passed out and woke up in a sleeping bag in the countryside.
So the company password stayed safe, but I still have problems peeing. Maybe that's not what you want.
Funny as hell!
Security is a function of increasing the cost of attack (for the attacker, both internal and external) at the expense of convenience.
As stated in "Secrets and Lies", computers were much more convenient before the use of passwords at all.
Passwords are the least-cost authentication method, and at the same time the most highly attacked method. In general, if the budget can afford it, a stronger form of authentication is used. Most every security person understands that passwords simply do not scale.
Perhaps random phrase-based passwords would be easier for your users to remember (like most OTP tools generate).
Or even better go to a key/x.509 based system, so users only have to remember one strong password.
There is a much lower cost to this than a hardware solution.
Prosaic demands of use ARE usually considered in a good security design. However, depending on the security demands of the information protected, it may be low on the list. This is why security is a service function and not a drop-in black box.
Inconvenience is a cost, and it must be addressed.
> The goal of security is not to build a system that is theoretically securable, but to actually make it secure!
Besides being somewhat inflammatory, in general what is theoretical today is often used tomorrow.
Examples:
Buffer overflows
Format string bugs
Dictionary password attacks
Man in the middle attacks
You give somebody a specific job title and they then try to make it the center of the universe, to the detriment of everyone else in the universe.
This is standard human nature. Every human is at primate war with every other human. No one - and I mean NO ONE - not your parents, your "friends" (what's that, "friends"?), your spouse, your kids, NO ONE - must be allowed to get ahead of you in any way. The only way to survive - to get the limited amount of life delegated to mere mortals by "the gods" - is to be above and beyond all other humans.
Therefore YOU and YOUR job title MUST be the center of the universe. All other humans and their job titles MUST bow before you and yours.
YOU must make the rules for everyone - or somebody else might make the rules for you.
And Tog says the same thing when he says any security procedure "must be comprehensive" - in other words, MY security procedure MUST rule YOUR life - TOTALLY!
And so it goes.
Which is why the product packaging people seal all sorts of food in such protective packaging that no consumer can get the package open without a jackhammer.
And the product packaging people are proud of this achievement - and they get bonuses for their achievement. And they get written up in product packaging magazines for it. And their methods get used by everyone else.
And everybody starves because you can't get the damn package open.
For the last thirty years, the US Army has not fought a guerrilla war. All the troops in Iraq are trained in SASO - Stabilization And Security Operations - which entails driving around in tanks between two warring factions in order to keep the peace. Except that's not what's going on in Iraq. What's going on in Iraq is guerrilla warfare - and not a single US commander in Iraq has a clue how to deal with it. But all those commanders MADE commander because they got great marks in implementing SASO operations in Kosovo or wherever.
So you want to know what's going on in Iraq? The Peter Principle, that's what. All the US commanders in Iraq have reached their level of incompetence based on their training and the actual situation on the ground.
But they'll KILL you before they admit that their performance of their job title is irrelevant.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
you insensitive clod!
See my journal for some /. references. :)
--RJ
This fits perfectly with the old security adage of the 3 types. There are only 3 kinds of identification checks you can make on a user - something they have, something they know, and something they are. Using any one by itself is easily thwarted, but combining any two is foolproof enough 99% of the time.
Your system uses the "something you have" (iButton) and the "something you know" (password), which is also the same scheme you use at an ATM machine (card + PIN).
The "something you are" is where biometrics come in.. something like a fingerprint scanner combined with a password, for instance.
That you might be shamelessly pimping iButtons to the young, impressionable gentle people here on /.?
This is great, except wait: Was this the site that disallows non-alphanumeric characters, or was it the one that requires all lowercase, or the one with a minimum password length of 10 characters?
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
The ideas for security in terms of passwords are laughable. If you make someone use an alphanumeric password generated randomly, most will need to write it down somewhere. If you give them an account with low privileges and one with higher privileges, they will log on with the higher one just because it annoys them not having some functionality. If you make the user type in a password when trying to use specific features or documents, the user will most likely create all future documents or features with a lower level of security. And you can't have someone increasing security on each little document or design decision. Leave the users with a simple password they can remember. Don't have them change it too often, as this will lead to them being nervous about it. Make sure that users know what to do if they lose their password. If you don't have this functionality in place they will use redundancy to protect their password (notepad document on the desktop, piece of scrap paper on their desk, etc.) that is a security risk. In the worst case, they might not change their password or contact tech support if they detect suspicious activity or get locked out. Make sure that password loss isn't something they should be embarrassed or unduly inconvenienced by.
Oh, and change the combination on my luggage!
In some way, to some degree, all hardware sucks, all software sucks.
So, to stretch the Darwinism metaphor past any reasonable application: in the world of security, that means that the security practice that survives isn't necessarily the one that produces the most real security. It's the one that produces the greatest sense of security in the people who make the decisions. I.e. managers, often without much understanding of the topic, and infosec types, who often forget that the reason they are willing to make an effort to protect infosec is that it's their job - and if their job were payroll accounting then that's where they would make the effort, and infosec would be a nuisance.
Consider ID checks at airports and the like - they're not going to catch intended suicide bombers. If an attacker plans to die in the attack, he's not going to care if you can identify him to arrest him later. But they make passengers feel safer, because someone in a blue polyester uniform is looking at everyone's ID, which is a security sort of thing to do. And his badge even says "security".
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Now I can finally log in as this mysterious "Anonymous Coward".
I'd suggest you don't use Slashdot as your only news source, or you will suffer permanent brain damage.
Back in 1997, Lucent put up a public proxy (http://www.bell-labs.com/project/lpwa/) which would autogenerate passwords for you. You'd type \p into a form field, and it would hash the URL with your master LPWA password to create a strong, site-specific password. They also anticipated sneakemail.com and dea.spamcon.org by similarly autogenerating forwarding email addresses.
You've probably spotted the major problem, SSL connections. Now, if someone were to put similar functionality into the browser (HINT HINT) it would really be useful.
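The LPWA scheme described above (a master password combined with the site's address to produce a site-specific password, with a "\p" escape in the form field standing for it), as an added worked example that is not the original Lucent code: it assumes PBKDF2-HMAC-SHA256 as the hash rather than whatever LPWA used, binds the password to the hostname only (so every page on a site yields the same password), and truncates a base64 encoding to 16 characters. The slow KDF is there because a single derived password leaked from a compromised site is otherwise an offline guessing oracle for the master password.

```python
"""Site-specific passwords derived from one master password, LPWA-style.

Added illustration; assumes PBKDF2-HMAC-SHA256, not LPWA's original construction.
"""
import base64
import hashlib
from urllib.parse import urlsplit

ITERATIONS = 200_000   # slow on purpose: a leaked site password must not make the master cheap to guess


def site_key(url: str) -> str:
    """Reduce a URL to its hostname so /login and /account get the same password."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname
    if not host:
        raise ValueError("URL has no hostname: %r" % url)
    return host.lower()


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Deterministic per-site password: PBKDF2(master, salt=hostname)."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_key(url).encode("utf-8"), ITERATIONS)
    return base64.b64encode(key).decode("ascii")[:length]


def fill_form(fields: dict, master: str, url: str) -> dict:
    """Replace every field whose value is the \\p escape with the site password."""
    return {name: (derive_site_password(master, url) if value == "\\p" else value)
            for name, value in fields.items()}


if __name__ == "__main__":
    master = "correct horse battery staple"      # constructed master password
    form = {"username": "bob", "password": "\\p"}   # constructed form submission
    print(fill_form(form, master, "https://www.example.com/login"))
```

Two caveats the proxy approach shares with this code: a site that changes its hostname invalidates the password, and a site with its own composition rules (no symbols, 10 characters maximum) may reject the base64 output, which is why the later post about the same scheme asks which restriction the site had.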
Let me be contrarian for a moment, too. How much are your passwords worth? If they control assets worth less than a few hundred dollars, why *not* write them down and put them in your wallet? You find your wallet sufficiently secure for your credit cards and your Christmas shopping money.
If you still have money from the boom and have banking passwords worth thousands of dollars, why not write them down and store them like jewelry?
If losing your passwords could cause non-monetary damage, why not write them down and lock up the paper like you would lock up guns, which can also result in non-monetary damage if stolen?
Oh, and does everyone remember the Dilbert cartoon where he worries out loud to Dogbert about what would happen if he forgot all his passwords and PINs?
>no better system than passwords has yet been devised
Well, I'm partial to having the employee badge be a smart card which also works in the readers that authenticate you to the company computers. Among other virtues, it simplifies doing everything right when someone leaves the company. Kill the smartcard, and you've disabled ex-worker's computer access without having to change some unknown number of passwords.
But your main point was that the utility and solidity of a security system are a function of what top management wants, and you're absolutely right.
Passwords are nice and all -- hell, mine come from pwgen -s -- but you need to be thinking HIGHER. Access control, executable space protection, OS fingerprint protection, and functional security to make programs generally behave. Look at GRSecurity. That in itself speaks volumes. I will illustrate this thread, and then go on through grsec:
Passwords:
- Passwords and password rule circumvention
This is where we seem to be stuck. What about the following:
PaX:
- Total of 1-2% performance overhead
- Enforce non-executable pages to block security exploits in programs
- Enforce non-writable executable pages to block security exploits
- Address Space Layout Randomization to increase difficulty of actually activating security exploits
- Privileged IO blocking to avoid altering the kernel
- Blocking of direct writes to ram and kernel memory to avoid altering the running kernel and getting around security systems or inserting malicious code
- Hiding of memory mappings to avoid information leaking which would negate the ASLR advantages
Grsecurity:
- Includes PaX
- Blocks many operations from happening inside a chroot() jail, thus increasing security by disallowing programs to try to gain access to devices, processes, and filesystem data that they aren't supposed to access
- Imposes an Access Control List system to extend control of file and device access
- Hinders OS fingerprinting with several network protections that randomize various ID numbers in various types of packets
- Allows user auditing and signal logging to detect attacks
How much crap did I list besides password issues? Quite a bit. There's more to consider than "Is root's password 'secure1'?" How about "Can I cause SSH to overflow before I log in, clearing root's password out so I can log in as root and take over the system?"
Support my political activism on Patreon.
Thank you for pointing out the IButton. I infrequently advise companies about security measures such as you have designed, and was unaware of this product.
[I am actually working on a similar project now. We will probably use Palms so some mobile data entry can be done. If they are carrying an individually-identifiable Palm for other uses, we should be able to use it for security. The links on ibutton.com to products that use Java for computer security suggest that a Palm could do everything that an IButton can do. The IButtons could be used for employees that do not need the data entry capabilities.]
I ask for enough information to be able to judge when this would be a good solution, and approximately how much it would cost based on number of users. I (or my clients) would do our own research if this was seen as a valid solution. I realize you have not implemented your system yet, but you must have a detailed cost analysis if you are presenting to corporate.
One of the receivers is $15, but the IButtons range in price from $2 to $53. Which model will you use?
- Would your system work with systems running non-MS OSes?
- Was the decision to use 4-digit PINs arbitrary, or can other passwords be used? Can the users pick password without telling the administrators?
- How secure is the datastore that verifies the passwords? Does it use one-way encryption for verification? Can the password encryption be bypassed? Or must you trust your administrators?
[I deal with a system that uses one-way encryption before storing passwords. It adds a character to the beginning of every password after it is encrypted. If the encryption routine sees that character, it assumes the password was already encrypted. These encrypted passwords are visible to the administrators. If an administrator sends the entire encrypted password (and the username) to the system, it passes because the "password" will not be mangled by reencryption and will match the encrypted password.]
Was the software you are using prepackaged or did you or your company write it custom? Is there an OSS version? If not, has your company considered releasing it?
[That is the purpose of OSS. You have something cool that others could use. You release it. Others use it. Everybody improves it and you benefit.
- Unless your company is in the software business. Then you package it and license it to others and make much money every year.]
[The web site lists many different proprietary applications. Did you try them? Any advice from your decision-making process?
- The security applications list only mentions Windows, but I am hoping you discovered a product that works with other OSes. The APIs suggest they work with C, C++, and Java as well as VB, so other OSes should be easy.]
What is your security server? Is it hardware intensive? Can it be a Pentium 100 or do we need dual-Xeons? [Not asking about minis or mainframes since it must work with MSWindows.]
- Does it integrate with ActiveDirectory? Could it integrate with LDAP?
- Are you using the standard Windows logins? Does the system protect the computer? Or does it protect access to the network?
Thank you for your time.
I spend my life entertaining my brain.
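The verification flaw described in the bracketed note above (a marker character prepended to stored hashes, and a verifier that skips hashing when it sees the marker, so an administrator who can read the stored value can submit it as the password) as an added worked example, not code from the poster's system: the marker, the hash function and the data are constructed, and the flawed verifier is shown next to a corrected one that always hashes what the client submits and compares with a salted, slow hash in constant time.

```python
"""Marker-prefixed password hashing: the flawed verifier and a hardened one.

Added illustration of the bug described in the post; the "$" marker, SHA-256
and all sample data are constructed, not taken from the real system.
"""
import hashlib
import hmac
import os

MARKER = "$"          # stands in for the real system's "already encrypted" prefix


def legacy_encrypt(password: str) -> str:
    """The flawed routine: anything carrying the marker is assumed to be a hash already."""
    if password.startswith(MARKER):
        return password
    return MARKER + hashlib.sha256(password.encode("utf-8")).hexdigest()


def legacy_verify(stored: str, submitted: str) -> bool:
    """Passes when `submitted` is the password... and also when it is `stored` itself."""
    return legacy_encrypt(submitted) == stored


def hardened_hash(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2; the stored form is self-describing but never trusted as input."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return "pbkdf2$%s$%s" % (salt.hex(), key.hex())


def hardened_verify(stored: str, submitted: str) -> bool:
    """Always derives from the submitted text; a stored record presented as a password fails."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    key = hashlib.pbkdf2_hmac("sha256", submitted.encode("utf-8"), salt, 200_000)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    record = legacy_encrypt("hunter2")                 # constructed password
    print("legacy, real password:", legacy_verify(record, "hunter2"))
    print("legacy, pasted record:", legacy_verify(record, record))   # the flaw
    record = hardened_hash("hunter2")
    print("hardened, pasted record:", hardened_verify(record, record))
```

The "already hashed" shortcut is the same mistake as accepting a pass-the-hash credential: the stored value becomes a password equivalent, so everyone who can read the table can log in as anyone. The salt also means two users with the same password no longer share a stored value.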
The top-of-the-line password generation dictionaries these days include phrasal material, like the entire dialog of the Star Wars movies. I wouldn't trust something like L,Iayf or Tantdylf to hold up to a dictionary attack. Single substitutions may not help, either. Password audit programs have handled that for years.
Safety in this approach requires picking some family catchphrase, something from a really obscure work, or something completely original.
are you people taking security advice from a "designer"?
>Security isn't taken seriously where I am.
But what are the risks? If someone got access to a system under your control, would you be court martialed or tried for espionage? Would you or your company be exposed to fines, civil or criminal prosecution? Would your customers or agents be exposed to financial losses? The sort of losses that would lead to serious consequences for you or your company? Would people be killed, or would careers in business or politics be destroyed by the information you control?
If so, you need to be more serious about security, because the natural consequences will catch up to you eventually if you do not change your ways.
If not, why bother with access control at all?
>Its far easier to blame the user than to admit your idea was a bust.
That's insightful, too bad you're only +4 as I write this.
"User error" is a phrase that makes safety engineers cringe. The more detailed an accident investigation, the less likely it is to blame the equipment operator. What usually turns up is that the system doesn't supply the right information (Three Mile Island didn't have an instrument to display coolant level in the core) or the system has trained its users to do the wrong thing (like, oh, double-clicking email attachments).
Believe me, there are security people who understand that an overly awkward security measure is worse than useless.
http://www.diceware.com
Roll a set of 5 dice, like you can buy at the drugstore. Read the result as a base-6 number and pick from a list of 6**5 words. Repeat as desired.
I've memorized a 10-word passphrase, 129 bits of entropy, just to be contrary after Schneier wrote that no normal person can memorize enough entropy to match the security of a 128-bit key. Six-word phrases protect my PGP keyring, my Hushmail accounts, and my root accounts.
You might want to make up your own wordlist, one with more verbs and more emotionally loaded words so that passphrases become more like stories and accordingly easier to memorize.
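The Diceware procedure described in the two posts above (five dice read as a base-6 number indexing a 6**5 = 7776-word list, repeated per word) and the entropy figures both posters quote (about 90 bits for 7 words, 129 bits for 10, about 48 bits for 8 mixed-case alphanumerics), as an added worked example that is not the Diceware author's code: the word list is a constructed placeholder of the right size, since the real list lives at diceware.com, and the dice are simulated with the `secrets` module, which is an assumption standing in for the physical dice the method calls for.

```python
"""Diceware indexing, passphrase generation and entropy accounting.

Added illustration; the word list below is a constructed placeholder of the
correct size, not the real list from diceware.com, and `secrets` stands in for
physical dice.
"""
import math
import secrets

FACES, DICE = 6, 5
LIST_SIZE = FACES ** DICE          # 7776 words, one per possible roll


def roll_to_index(roll: str) -> int:
    """'11111' -> 0, '66666' -> 7775: read the five digits as a base-6 number."""
    if len(roll) != DICE or any(c not in "123456" for c in roll):
        raise ValueError("a roll is exactly five digits from 1 to 6: %r" % roll)
    index = 0
    for digit in roll:
        index = index * FACES + (int(digit) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index, useful for printing your own word list."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range: %d" % index)
    digits = []
    for _ in range(DICE):
        index, remainder = divmod(index, FACES)
        digits.append(str(remainder + 1))
    return "".join(reversed(digits))


def roll_dice() -> str:
    """Simulated roll of five dice from a CSPRNG (assumption: real Diceware uses dice)."""
    return "".join(str(secrets.randbelow(FACES) + 1) for _ in range(DICE))


def passphrase(wordlist, n_words: int, roll=roll_dice) -> str:
    """n_words words chosen by independent rolls; never reroll a word you dislike."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly %d entries" % LIST_SIZE)
    return " ".join(wordlist[roll_to_index(roll())] for _ in range(n_words))


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n symbols drawn uniformly from an alphabet; works for words or characters."""
    return n_symbols * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given rate; halve it for the expected time."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


PLACEHOLDER_WORDS = ["w%04d" % i for i in range(LIST_SIZE)]   # constructed stand-in list

if __name__ == "__main__":
    print(passphrase(PLACEHOLDER_WORDS, 7))
    for words in (3, 4, 6, 7, 10):
        print("%2d words: %5.1f bits" % (words, entropy_bits(words, LIST_SIZE)))
    print("8 mixed-case alphanumerics: %.1f bits" % entropy_bits(8, 62))
```

The entropy figure only holds if the words are chosen by the dice; picking "nicer" words or rerolling until a phrase reads well reduces it, and a passphrase that is a famous quotation has essentially none of it, which is the point made further down the thread about phrase dictionaries.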
OS X Keychain uses your system login password by default, but you can use a different passphrase. Just open the Keychain Access app, and choose Edit > [name] Settings. You'll see a button "Change Passphrase" there, so fetch those Dr. Seuss books and get crazy with the gibberish...
One place I worked all the root/admin passwords were foul language. supposedly to prevent one from saying them out loud.
Also, once passphrases become the norm you can put the dictionary away and replace it with a much smaller file full of famous quotes and phrases.
There's nothing wrong with an old fashioned 8 character password, as long as it's changed regularly. Making it longer hurts brute force, but brute force is the exception, not the rule. Common passwords are tried first, or in this case common phrases.
The best of both worlds is non-dictionary passwords. The longer you force it the more "to be or not to be" you'll get. Crackers are just waiting for the passphrase revolution.
Also, be nice. Don't set that password filter too aggressive. I usually don't allow the user's first name or last name as a pwd, nor their department or the name of the company. It also checks for a few other common stupid passwords (1234, password, etc.), but otherwise it's fair game.
I would rather have them using their cat's name than have that damn post-it!
Manipulate the moderator system! Mod someone as "overrated" today.
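The password filter the post above describes (reject the user's own names, department and company, a short list of common passwords, and otherwise leave people alone), extended with the point made earlier in the thread about phrase-derived dictionaries ("L,Iayf", "Tantdylf") and single-character substitutions, as an added worked example that is not the poster's filter: the common-password list, the phrase list, the leet substitution table and the sample user record are all constructed, and the substitution normalization is an assumption about how an audit tool would fold "p@ssw0rd" onto "password".

```python
"""A deliberately modest password filter, plus phrase-acronym and leet checks.

Added illustration; the word lists, substitution table and user record are
constructed, not taken from any real filter or site.
"""

MIN_LENGTH = 8
# Fold common single-character substitutions back to letters before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

COMMON_PASSWORDS = {"", "password", "p@ssw0rd", "1234", "12345", "123456",
                    "qwerty", "letmein", "secret"}                  # constructed
PHRASES = ["Luke, I am your father",                                 # constructed
           "These are not the droids you're looking for",
           "To be or not to be"]


def normalize(text: str) -> str:
    return text.lower().translate(LEET)


def acronyms(phrase: str) -> set:
    """First letters of each word, with and without the punctuation that follows a word."""
    words = phrase.split()
    letters_only = "".join(w[0] for w in words)
    with_punct = "".join(w[0] + "".join(c for c in w[1:] if not c.isalnum()) for w in words)
    return {letters_only, with_punct}


def build_dictionary() -> set:
    """Common passwords plus each phrase spelled out and as an acronym, all normalized."""
    entries = set(COMMON_PASSWORDS)
    for phrase in PHRASES:
        entries.add(phrase.replace(" ", ""))
        entries.update(acronyms(phrase))
    return {normalize(e) for e in entries}


DICTIONARY = build_dictionary()


def check_password(candidate: str, user: dict) -> list:
    """Return the reasons for rejection; an empty list means the password is accepted."""
    reasons = []
    norm = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if norm in DICTIONARY:
        reasons.append("matches a dictionary or phrase entry")
    for field in ("first", "last", "department", "company"):
        term = normalize(user.get(field, ""))
        if len(term) >= 3 and term in norm:           # ignore very short names
            reasons.append("contains the user's %s" % field)
    return reasons


if __name__ == "__main__":
    user = {"first": "Alice", "last": "Smith",
            "department": "Accounting", "company": "Initech"}       # constructed record
    for candidate in ["p@ssw0rd", "L,Iayf", "Tantdylf", "Al1ce2003", "fluffycat"]:
        print("%-12s %s" % (candidate, check_password(candidate, user) or "accepted"))
```

The filter deliberately stops there: the cat's name gets through, which the post prefers to a Post-it note, while the acronym and substitution checks catch the cases the thread says audit tools have handled for years.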
Five years ago I paid eighty dollars per machine and five dollars per card for a proximity system which would automatically lock and blank the screen on a workstation when the logged in user (actually, their proxcard) moved more than ten feet away. Unlocking when the user returned could be automatic, or require a password.
To keep people from leaving their card at their desk while they step away to get coffee or use the washroom, just make sure that the office is designed such that to get back in from the lunchroom and other facilities involves keycard operated doors, using that same keycard...
I do not deploy Linux. Ever.
That's probably a good idea - I think we may actually have quarterly password expiration, so I might use Q1, Q2 and so on. But your basic idea for defeating evil password systems that don't like cycles is a good one, and makes a nice addition to the standard layered password approach I like.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If people can't discuss bugs and security problems online, the only places it will be done is privately, i.e. in Symantec's and NAI's labs... this is one way to kill your competition--get the government to outlaw it.
this sig limit is too small to put anything good h
I use long phrases for my passwords (20 chars or more) where I can. With spaces, punctuation and everything.
I have no problem remembering all these!!1
(oops, now I must change one...)
The easiest way to increase password security is to set the minimum length to 20 chars. I think it's a shame that many systems (and websites) instead LIMIT the password to 10 chars or less.
Whenever I have to sign up for something on the web the first password I always try is "Man, registration sucks reallyyy". But usually I have to revert to the much less robust "fuckyou2".
What a shame..
Security consists of:
(i)Effective policies
(ii) Tools/Techniques to enforce the policies
Both have to be easy to follow and use. You can combine effective policies with the simplest tools like passwords and get better results than combining poor policies with a DNA scan!!
Bleh. Are his articles all like this? He has some anecdotes about bad security, with a "D'oh!" in between practically every paragraph---though that slows down after he gets tired of it, a page or two in. Then there's a story about a program called "Tresor" and some guy who had a weird problem with bundles acting like folders instead of application files. The assertion is made point-blank that this is an Apple bug, not a Tresor bug.
:-)
OK. Has this been reported or observed anywhere else? I've never heard of it, or seen it myself, though I've only been using OSX for a little under a year. If anyone can point me to a reference, I'd appreciate it. The article doesn't give any refs. I don't understand how he's so sure it's an Apple bug, unless it's so well-known that, gosh, everyone knows it's an Apple bug without even needing a link to, like, a Knowledge Base article or anything... but if it were that well-known, I hope I would know about it. So I have my doubts about this. If anyone knows one way or the other, I'd like to hear about it.
But really that's not the main point of the article, right? It's just one security flaw in a fairly specific situation. So the article, as far as I can tell, is a few anecdotes and a bunch of "D'oh!"s. Oh yeah, plus some insults and derision for all the programmers and the university professors who taught them. Thanks a lot, Tog.
His thesis---that security needs to be designed to actually make things secure, not theoretically securable---is, well, it's OK I guess. For one thing, he doesn't really argue for it---just provides anecdotes. That's not a coherent logical argument. Worse, it barely even ties in with the anecdotes anyway. So the hospital requires TOO MANY passwords. That does **not** make it theoretically securable, OK? (I can require 200 passwords, but it's not theoretically securable if the computer and fax machine are in the hallway.) He's right that security systems have to aim for real security, but he's wrong in saying that the problem is that people aim for "theoretical securability". Am I wrong here? Is there ANY theory of anything under which these systems are considered theoretically securable?
The only common thread I can think of, apart from inadequate security in general, is that the people who designed the security had an incomplete approach to security; they secured one part of the system (e.g., getting in with a password) way too much, and other parts (e.g., physical security of the fax machine) not enough. Or, they were unnecessarily protective, at the cost of user convenience (as in the VW radio example).
If I'm criticizing the article, maybe I should try to be constructive about it, right? I guess the anecdotes really point towards the two different themes in the previous paragraph: security model should be "complete", and there should be some kind of a balance between security and usability.
I may be wrong about my interpretation of his article. If there's a better way to read this article as it's written, please tell me. I suspect not, but hey. Or just call me a monkey, that's cool too.
Well, to wrap it up, he has a good point, basically, but no argument for it. Just a few isolated anecdotes, not all of which I believe. This is not high-quality writing. Sorry, Tog. I've read of few of your user-interface-design columns, and I liked them a little better. This one just didn't do it for me, I guess.
zach
(UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?
But how do I do (select select start)? Also, you are a clever, clever man.
Carthago delenda est!
I swear, more security measures are overridden by propping doors open with a brick than any other way I've seen. Worst part is, a propped open door is a worse risk than a closed door that's not locked. You have to balance security with convenience, because if the convenience ain't there, the end users will make their own. This is true for more than just doors.
If a job's not worth doing, it's not worth doing right.
Seriously... just get an actual password keyring. They're a bit pricey, but if you have more than one or two important accounts to protect, you'll love it...
If I was in charge of security for some organisation and wanted passwords to actually mean something, I'd be handing them out to employees...
but what about the TPS reports ?
Another escapee from the ISC2 mill. Let me guess, you're also an MCSE!
Just use your SSN. There's no harm in it!
I recently worked at a big company with a huge IT dept. In my office, our laptops all came with a boot-up password that was -- get this -- the first name of the head of the IT dept.
But things were MUCH better for our user login passwords. The default login password for every user was "password" and as I recall the system was set up so that you didn't have to change it.
Around a year ago, after a few waves of "security" "improvements" they started requiring one capital letter and one number in passwords. From then on, the default password was "Password1", but you were strongly encouraged to change it. And every time somebody forgot their password (which was ALL the time for some reason) the IT guys would automatically reset it to "Password1".
I'd bet there are 250 people running around right now with Password1 at that place...
...
Everybody wants newer, better, stronger encryption to backend into the computers with the sticky notes. As far as security systems... I tend to prefer detailed accounting, and abuse monitoring/prevention over excessive passwords for the end user. However, the use of smart card only authorization for low-level users has become acceptable to many companies. Generally, a smart-card and a PIN/Password is used, and in my opinion, offers an element of physical security to the security system, especially since smart cards can be used as more than simple key/id storage.
Admins and Techs, however are completely different... although the usernames are uniform across the system, passwords are required for the various levels of access. However in these facilities, physical security is usually enforced to an extreme measure (guards, concrete, heavy doors with proxim card locks and PIN pads, smart-card required to unlock the console...)
As far as the Security industry is concerned, the incompetence of the majority of the people in the field, while admittedly making us look bad on the surface, make those of us who are competent shine...
erbvyunr5ybvmy tvyttnvnn
erybcyr4yycvvc
tcytytvytnvyn
tyv
tvytvntynnmm
i,ov56b5tycb
is on paper in my desk.
I use it to remember my password.
You can't use it for that purpose.
01
"The Myth of Homeland Security" is on sale at Barnes and Noble -- reminding us that the same things are true at the airport as on your LAN...
And where is Natalie Portman now? I miss her beowulf cluster of petrified hot grits!
(I just read the reply subtree.)
I can't believe you people. This is the kind of thinking that saddles the rest of us with security nazis. This isn't GURPS, it's real life. There aren't muggers out there gunning for access to your computer system. There aren't Tempest-equipped Secret Agent Persons sniffing your authentication fields. You don't really need that tin-foil hat, and you don't need to make the rest of us wear one, either. Maybe if this was a matter of national security, but it's not.
"Gimme your iButton and PIN or I'll blow your fucking brains out" is *exactly* equivalent to "gimme your password or I'll blow your fucking brains out".
This just made me chortle. "Verbing" used to describe the process of using nouns and adjectives as verbs. I've heard the phrase before, but I laugh each time. Thanks for using that word.
Net result: I wrote down the damn passwords in a file on my desktop named passwords.txt
I felt like the security nazis had this attitude of "We've done what we should do by requiring passwords of between 9-11 characters that have at least five numbers and three special characters and requiring that they be changed every ten days. My ass is covered."
Let's remember that we're here to do business and the very moment password policy makes me (and the company) inefficient, password bullshit becomes financially burdensome and therefore needs to be re-evaluated.
Until then, all you security fanatics need to repeat this mantra:
"The technology is in support of the organization, not the other way around."
If you set up one Microsoft(R) Passport(TM) account, you can login everywhere with it. No need to remember many passwords!
I have little patience with people who complain about stuff that is easily resolved. If you are not motivated about security at work, fine, but you should have some level of motivation for your personal email and other information. Try password safe; it works really well and it's free. For those too lazy to find it on their own
I believe I have a unique method of password selection for passwords I care about.
I read a lot of sci-fi/fantasy books. So, I just choose a secondary or obscure character from the book (usually end up with a name like Thwyrriel). If it needs a number I choose a page the name's on, not necessarily the first one.
Since even if someone else read the book and knows you read it, unless you talk about it they won't know which out of the multiple obscure characters you chose.
Just thought I'd share.
"Secrecy is the keystone of all tyranny. Not force, but secrecy
I always laughed at the idea that we were supposed to change our passwords every week or whatever.
Seriously, the more I change it, the more it's likely to be "bad" and easy to break, and thus more likely to get cracked. If someone gets my password just once, I'm OWNEd. There's no way around it! Why change more than once a year, unless a known breach occurs? You'll remember it better (no sticky notes)...argh! security.
Who is this Anonymous Coward character, how does he post so much, and why is he always such a whore?
Thank you very much. That is what I needed.
I still do not know which model we would need, but if all you are attempting can be done with the lowest model, I am certain there is a model that can do anything I can dream. It seems to have the flexibility to integrate with our systems. We are not using ActiveDirectory, but when the docs seemed to make it useful for only Windows, I got scared.
We already have a distributed environment, so the joys of having one server handle all logins would not affect us.
I am a consultant. Having the other solutions be expensive is good because it means I can charge more for my solutions. It also means that I would develop a solution instead of integrating someone else's, but I find that to be fun. (I am that "capable programmer". Everybody else is involved to market my work.) Our entire package needs to be proprietary because we will be milking the market for a few years, but I may be able to opensource peripheral pieces like this.
An AC suggested not merging a security system into other applications, but in our case, it is more a timecard system than a security system. We want to be reasonably certain that the information (such as time of login) is coming from the correct user, but the system is mostly for input, so the users would not gain access to critical data if they pretended to be someone else.
Even $53 for the Java IButton is within our range. But it would not save much from a bottom-end Palm, which can be bought new for $70, and the Palm would be more useful and integrate better with the rest of our package. Of course, wear-and-tear on the Palms would also require more replacements, so the IButton is worth considering. (It is an accident-likely environment.)
You did not state it, but you imply the 4-digit PIN was arbitrary, so we could use a different standard. I doubt even the lowest IButton is limited to a single 4-digit code.
(I wonder at the users who give you their ATM PINs. Will users never learn that sharing passwords is bad? Even if they love and trust you, the administrator who replaces you may not be as trustworthy.)
Thank you for providing enough information for me to be able to decide the product is worth researching. Now the fun begins.
I spend my life entertaining my brain.
The article hints at one of my favorite problems with password security:
...?
And speaking of security, don't you just love those websites that continue to ask you to enter in your requested password, all done in 128 bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email
Many websites store passwords in cleartext (hence, they can send it back to you in an email.) They do it for a variety of stupid reasons (a programmer couldn't figure out how to encrypt it, or perhaps customer service likes being able to login as a user, etc.).
So, unfortunately, you can have an extremely clever password, entirely uncrackable, but you give it to a website and it's now immediately compromised. And worst of all, you can't tell if it's stored securely or not.
Thus, I tend to have a password for trivial/unknown systems (i.e., Slashdot, chat rooms, etc.) and a password for more secure systems (eTrade, online banking, etc.)
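The "it can email your password back, so it stores it in cleartext" point above, as an added example that is not part of any post here: a cleartext record can be parroted into a reminder mail, while a salted-hash record (PBKDF2-HMAC-SHA256 here, a constructed choice) can only be verified, never recovered. All function names and the sample passwords are made up for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: two ways a website might keep a user's password.
# A cleartext record contains the password itself; a hashed record keeps
# only salt, work factor and digest, so nothing there can be mailed back.

def store_cleartext(password: str) -> dict:
    """The anti-pattern: the stored record IS the password."""
    return {"password": password}

def store_hashed(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user means two
    users with the same password still get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def password_reminder_email(record: dict) -> Optional[str]:
    """What a 'forgot my password' mailer could put in the message body.
    Only a cleartext record has anything to return; a hashed record yields
    None, which is exactly why such a site must offer a reset, not a reminder."""
    return record.get("password")

if __name__ == "__main__":
    leaky = store_cleartext("hunter2")            # constructed sample password
    safe = store_hashed("correct horse battery")  # constructed sample password
    print("cleartext site mails back:", password_reminder_email(leaky))
    print("hashed site mails back:   ", password_reminder_email(safe))
    print("hashed site can still verify:", verify_hashed(safe, "correct horse battery"))
```

Receiving your own password in an email is therefore a reliable signal that the site kept it in a recoverable form; the reverse (a reset link instead) is not proof of hashing, which is the "you can't tell" problem the post raises.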
The answer is to forget passwords altogether and adopt biometrics. Biometric security devices are coming down in price to the point where they're practical for widespread use. I saw a USB thumbprint scanner for $200 about a year ago, and I'm sure it's come down since then. I work at a bank doing tech support, and well over half the calls we receive regard forgotten passwords. If my company spent $200 per computer, the ROI would be very quick. Someone in my office calculated that each password call costs the company $15. $15 x 500 calls a day adds up to a LOT of money. With an installed base of around 25K computers, installing these scanners would pay for itself in about a week, and be a fair bit more secure than the conventional eight-character password.
'He who has to break a thing to find out what it is, has left the path of wisdom.' -- Gandalf to Saruman