Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

Common Sense

[The+Snowman]

Are we increasing security too much, so that the users circumvent it?

Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.

Re:Common Sense

[arkanes]

You make an important point, and it's actually relevent to all procedures, not just security. If you want them to be followed and not evaded or ignored, then you need the following:

a) your procedures must make sense to your users. Sometimes this means education, other times (more often, in my experience) it means having intelligent procedures.

b) Your procedures have to generate the minimum amount of work required to be effective. Duplication of work or extra work that people have to do (like forcing a stupid click through quiz) without an obvious benefit will just piss people off. And when you piss people off, they don't feel like following your rules.

This doesn't mean you don't need strong rules, but you have to present them in such a manner that people feel comfortable with them, and not like you're being a bitchy secadmin.

Oh, and you need to remember that your job is to keep the network safe and clean so that it's accessible - just locking everything down so that everything is unusable is NOT a real security policy!

The greatest threat...

[Da+Fokka]

to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

Social engineering can get you a lot further than being a l33t h4x0r.

Enforcing passwords != Increasing security

[Tony+Hoyle]

You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things an utterly destroy the existing security.

Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security' they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience;'.

Re:Enforcing passwords != Increasing security

[dgatwood]

Indeed, it is all too common to see people make things less secure when trying to make them more so. Some classic examples of this include:

• Password aging (people pick weaker passwords as a result)
• Airport screeners no longer doing mand checks for computers (with bomb residue tests and verifying that they really are computers)
• Requiring a different password for every system (my birthday, my house number, my phone number, my dog's name, my mother's maiden name... there, that's the first five...)
• Assinine rules that require a number in your password or other highly specific rules (aha, now our dictionary search can skip any choices that don't contain a number! Oh, and his password is now John1. Real improvement.)
• PIN numbers (false sense of security... it doesn't take long to guess one)
• Security digits on the back of credit cards (also false sense of security, as anyone who steals the card number can probably steal this as well)
• No knives on airplanes (now the only people who will have them are the terrorists)
• Arming pilots (terrorist breaks in, surprising the pilot, grabs the pilot's gun off the shelf, and now he has a gun instead of just a box cutter)
• Antivirus software (fix the real problems, or else they will just keep escalating and lead to a false sense of security)

Or, as I've always said, anyone who claims to be an "expert" probably isn't. Beware especially of anyone who claims to be a security expert.

I would If I could ;]

To bad many sites are disallowing special characters for fear of sql injection attacks. As for to much security? That depends on how important what you are securing is. Is your credit card information worth a little bother to protect? How about the information that the credit card companies use to issue you(or supposedly you) a credit card? Social Security number, Mothers Maiden name, Data of Birth. You can get all that from a DMV database. A system is only to secure until its been compromised, then it wasn't secure enough. Security, should be built in, form day one against a verifyable standards based frame work. Thems my two cents, please keep the change.

Forced password changes

[Rex+Code]

Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

Re:Forced password changes

[lewko]

This fails however if the time between password changes is greater than the probable time to brute-force (or other wordlist) crack the password file. Don't assume that crackers all use the same 'dictionary' i.e. wordlist.

Did you know that many 31337 hax0r cracking tools will straight away defeat the more lame methods for using complex passwords?

This includes swapping every known integer/alpha replacement (e=3 0=o l=7) e.g. If someone used h3110 as their password (i.e 'hello' in hax0r spelling) it wouldn't take any longer than a standard dictionary attack.

Having a single password changed every 30-60 days is not that difficult. IT becomes a problem where users have to maintain multiple passwords for multiple systems. This is even more dangerous for admins who have to maintain even more, and they are used to protect sensitive systems.

Too many passwords - so I write 'em down!

[gilgongo]

I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)

So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?

So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.

So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!

But nobody can reliably remember SIX things to log in to one account, as well has having to remember all the other usernames/passwords, etc. they might have.

So, I've closed my account with them. Because I think they're too damn insecure.

Re:Wait a second

[ePhil_One]

My ideas of the security world was it was more darwinistic then that. The good ideas survive because they work, the bad ones never get put into a final patch.

But unfortunately, security people are like PHB's, when they see the reaction to their security measures are circumvention (taping passwords to monitors, etc) they think they need more enforcement, not better ideas. Its far easier to blame the user than to admit your idea was a bust.

Re:password quandry

[thecampbeln]

No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

Pa55J4n
Pa55F3b
Pa55M4r
Pa55Apr

Sure, now you have 'secure passwords', but once someone recognizes the patter... This, IMHO is counter productive security wise. Have the ultra secure passwords, but don't make you're users change them too often or this shit begins to appear.

I use good passwords, and here's how

[kaan]

And I have to spend nearly zero brainpower remembering a password. Here's what I do...

Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

So an example phrase might be: "i love to post on slashdot"

which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

"iltp05"

That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password geneation scheme and a tip for what your phrase is.

Why are we hanging the security folk?

[i_r_sensitive]

Hey I was one, and Tog needs a firm slap across the face. In my experience, more often than not "good" security ideas are stiffled not by the security people, but by the starched colors and ironed ties they have to wheedle the cash out of. Sure, not every security pro is a good one, but for evey poor security pro I've met there are nine good ones working for shitty managers.

Beyond that, no matter how good the solution, there are allways those people who will try to end run it. Worse still, there are those who encourage others to also end run the system. At the top of the worse still pile, is the manager who somehow or another thinks this person would be a good security pro...

Also blaming the Universities is trite and unsopisticated. Please, folks don't go to University to learn about the real world, they go to learn theorey, and play intellectual games, etc. etc. Where is the problem? Is it the people turned about by the Universities, or is it the people who hire University grads to do work which demands real-world utility? So, there weren't a dozen or so graduates of technical schools, whose training would be centered in the real world, not the theory, available to do the same job, right, at a lower cost?

I find it somewhat in poor taste to hang an entire industry for what more likely is the fault of their managers... I find it more unseemly to attack Universities for what they have allways done, and what we expect them to do, allthough in all fairness, they do turn out the MBAs whose intellectual chauvinism probably has more to do with hiring the wrong qualifications for the job.

Moore's Law vs. Evolution

[Detritus]

Long and complex passwords are a waste of time and do little to increase security. Computer speeds have grown at a rate much faster than the user's ability to memorize "secure" passwords. Any system that allows an attacker to use brute force guessing or dictionary attacks is broken.

My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.

Don't know my own password

[soloport]

Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.

I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name -- because I type it is so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter ;-)

As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; Seems to me, mine are just as easy to remember.

Just hope I don't someday encouter a Dvorak!

But does the website encrypt the password?

[phamlen]

The article hints at one of my favorite problems with password security:

And speaking of security, don't you just love those websites that continue to ask you to enter in your requested password, all done in 128 bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email ...?

Many websites store passwords in cleartext (hence, they can send it back to you in an email.) They do it for a variety of stupid reasons (a programmer couldn't figure out how to encrypt it, or perhaps customer service likes being able to login as a user, etc.).

So, unfortunately, you can have an extremely clever password, entirely uncrackable, but you give it to a website and it's now immediately compromised. And worst of all, you can't tell if it's stored securely or not.

Thus, I tend to have a password for trivial/unknown systems (ie, Slashdot, chat rooms, etc.) and a password for more secure systems (eTrade, online banking, etc.)