Slashdot Mirror


Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

11 of 557 comments

  1. Common Sense by The Snowman · Score: 4, Insightful

    Are we increasing security too much, so that the users circumvent it?

    Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
  2. The greatest threat... by Da Fokka · Score: 4, Insightful

    to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

    Social engineering can get you a lot further than being a l33t h4x0r.

  3. Enforcing passwords != Increasing security by Tony Hoyle · Score: 4, Insightful

    You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things and utterly destroy the existing security.

    Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.

    1. Re:Enforcing passwords != Increasing security by dgatwood · Score: 4, Insightful

      Indeed, it is all too common to see people make things less secure when trying to make them more so. Some classic examples of this include:

      • Password aging (people pick weaker passwords as a result)
      • Airport screeners no longer doing hand checks for computers (with bomb residue tests and verifying that they really are computers)
      • Requiring a different password for every system (my birthday, my house number, my phone number, my dog's name, my mother's maiden name... there, that's the first five...)
      • Asinine rules that require a number in your password or other highly specific rules (aha, now our dictionary search can skip any choices that don't contain a number! Oh, and his password is now John1. Real improvement.)
      • PIN numbers (false sense of security... it doesn't take long to guess one)
      • Security digits on the back of credit cards (also false sense of security, as anyone who steals the card number can probably steal this as well)
      • No knives on airplanes (now the only people who will have them are the terrorists)
      • Arming pilots (terrorist breaks in, surprising the pilot, grabs the pilot's gun off the shelf, and now he has a gun instead of just a box cutter)
      • Antivirus software (fix the real problems, or else they will just keep escalating and lead to a false sense of security)
      Or, as I've always said, anyone who claims to be an "expert" probably isn't. Beware especially of anyone who claims to be a security expert.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Forced password changes by Rex Code · Score: 5, Insightful

    Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

    If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple of numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

  5. Too many passwords - so I write 'em down! by gilgongo · Score: 4, Insightful

    I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules for what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)

    So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?

    So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.

    So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!

    But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.

    So, I've closed my account with them. Because I think they're too damn insecure.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  6. Re:Wait a second by ePhil_One · Score: 4, Insightful

    My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

    But unfortunately, security people are like PHBs: when they see that the reaction to their security measures is circumvention (taping passwords to monitors, etc.) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.

    --
    You are in a maze of twisted little posts, all alike.
  7. Re:password quandary by thecampbeln · Score: 5, Insightful

    No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

    Pa55J4n
    Pa55F3b
    Pa55M4r
    Pa55Apr

    Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra-secure passwords, but don't make your users change them too often or this shit begins to appear.

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
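Two of the comments above point at the same fix: Rex Code argues for a dictionary check at the moment a password is set, and thecampbeln shows what monthly rotation produces ("Pa55J4n", "Pa55F3b", ...) when nothing compares the new password with the old one. The following Python is an added illustration, not code from this thread or from any poster; the blocklist, the minimum length, the "undo leet" table and the distance threshold are all assumptions chosen for the demonstration. It rejects dgatwood's "John1", a leet-spelled dictionary word, and a rotation that differs from the previous password by only a few characters, while accepting a long unrelated passphrase.

```python
"""Set-time password checks: length, de-leeted dictionary lookup, and
distance from the previous password. Added example, not the thread's code."""
import string
from typing import List, Optional

MIN_LENGTH = 10   # assumption; the thread mentions 8- and 10-character minimums
MIN_DISTANCE = 4  # assumption: at least this many edits away from the old password

# Constructed stand-in for a real wordlist or breached-password list.
BLOCKLIST = {"password", "john", "letmein", "welcome", "qwerty"}

# Digit/symbol-for-letter substitutions, reversed so that "Pa55w0rd"
# normalises to "password" before the lookup (table is an assumption).
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                         "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Lower-case, drop leading/trailing digits and punctuation, undo leet."""
    core = candidate.lower().strip(string.digits + string.punctuation)
    return core.translate(_UNLEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete from a
                           cur[j - 1] + 1,          # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons the candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if candidate.lower() in BLOCKLIST or normalize(candidate) in BLOCKLIST:
        reasons.append("dictionary word")
    if previous is not None:
        # Compare both the raw lower-cased strings and the de-leeted forms so
        # that "PassJan" -> "Pa55J4n" is caught as well as "Pa55J4n" -> "Pa55F3b".
        distance = min(edit_distance(candidate.lower(), previous.lower()),
                       edit_distance(normalize(candidate), normalize(previous)))
        if distance < MIN_DISTANCE:
            reasons.append("too similar to previous password")
    return reasons


if __name__ == "__main__":
    for new, old in [("John1", None), ("Pa55w0rd!!", None),
                     ("Pa55F3b", "Pa55J4n"), ("correct horse battery", "Pa55J4n")]:
        print(f"{new!r} (previous {old!r}): {check_new_password(new, old) or 'accepted'}")
```

A composition rule such as "must contain a digit" would have passed all three rejected candidates; the dictionary lookup after normalisation and the distance check are what actually refuse them.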
  8. I use good passwords, and here's how by kaan · · Score: 5, Insightful

    And I have to spend nearly zero brainpower remembering a password. Here's what I do...

    Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

    So an example phrase might be: "i love to post on slashdot"

    which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

    "iltp05"

    That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.

  9. Moore's Law vs. Evolution by Detritus · Score: 4, Insightful

    Long and complex passwords are a waste of time and do little to increase security. Computer speeds have grown at a rate much faster than the user's ability to memorize "secure" passwords. Any system that allows an attacker to use brute force guessing or dictionary attacks is broken.

    My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.

    --
    Mea navis aericumbens anguillis abundat
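The ATM point above (a random 4-digit PIN is fine only because the machine stops after three wrong entries) as an added Python illustration, not code from this thread or from any bank. The `PinVerifier` class, its salted SHA-256 storage and the PIN value are assumptions made for the demonstration; the salted hash is there only so the PIN is not held in clear, since no hash makes a 10,000-value space resist offline guessing. The simulation shows the same verifier with and without the lockout: with it, an online exhaustive search ends after three guesses; without it, the search finds the PIN in at most 10,000.

```python
"""Online PIN verification with a failure lockout. Added example, not the thread's code."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

MAX_FAILURES = 3  # the ATM "eats the card" after the third wrong PIN


class PinVerifier:
    """Verifies a PIN and refuses all further attempts once too many have failed."""

    def __init__(self, pin: str, max_failures: Optional[int] = MAX_FAILURES):
        # Salted hash so the PIN itself is not stored (assumption about storage).
        self._salt = os.urandom(16)
        self._digest = self._hash(pin)
        self.max_failures = max_failures   # None means "no lockout at all"
        self.failures = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.sha256(self._salt + pin.encode()).digest()

    def verify(self, guess: str) -> bool:
        """Return True only for the correct PIN on an account that is not locked."""
        if self.locked:
            return False
        # Constant-time comparison so timing does not leak how many bytes matched.
        if hmac.compare_digest(self._hash(guess), self._digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def guesses_until_success(verifier: PinVerifier, max_guesses: int = 10_000) -> Tuple[int, bool]:
    """Simulate an online exhaustive search over 0000..9999.

    Returns (guesses made, whether the PIN was found) so the effect of the
    lockout can be measured rather than asserted.
    """
    for n in range(1, max_guesses + 1):
        if verifier.verify(f"{n - 1:04d}"):
            return n, True
        if verifier.locked:
            return n, False
    return max_guesses, False


if __name__ == "__main__":
    pin = "7391"  # constructed sample PIN
    print("with lockout:   ", guesses_until_success(PinVerifier(pin)))
    print("without lockout:", guesses_until_success(PinVerifier(pin, max_failures=None)))
```

The only thing that changes between the two runs is whether the verifier keeps answering; the PIN space, the hash and the comparison are identical. That is the comment's point: the strength of a short secret comes from the guess budget the verifier enforces, not from the secret's length.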
  10. Don't know my own password by soloport · · Score: 4, Insightful

    Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.

    I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name -- because I type it so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter ;-)

    As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; seems to me, mine are just as easy to remember.

    Just hope I don't someday encounter a Dvorak!