Slashdot Mirror


Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

127 of 557 comments

  1. Definitely by sosume · · Score: 4, Interesting

    Come on, who uses passwords like '%33#Gt(;' nowadays.. especially with multiple logins.

    1. Re:Definitely by Prof.+Pi · · Score: 5, Informative

      A pretty easy way to generate passwords that pass most picky password approval checkers is to take a phrase that you can easily remember, and then take the first letter of each word. Include punctuation to get the requisite non-alphanumeric characters. Make at least one numeric substitution if you're required to have a number. For instance:

      N4N.Stm.

      ("News for Nerds. Stuff that matters.")

    2. Re:Definitely by G-funk · · Score: 5, Funny

      Oh my god.... I have the exact same password on my luggage!

      --
      Send lawyers, guns, and money!
    3. Re:Definitely by glenebob · · Score: 2, Funny

      So... what's your IP address... Just curious :-)

    4. Re:Definitely by Anonymous Coward · · Score: 5, Interesting

      Me. But I probably do it in a very unique way.

      I have a three tier password system, with passwords "expiring" every 30 days.

      Tier 1 passwords are things like root passwords for systems. These are 100% unique to the server they belong to, and are changed without fail.

      Tier 2 passwords are passphrases for my ssh keys for non-privileged accounts. These are the same for 2 or 3 boxes, and again change every 30 days. When I expire tier 1 passwords, they are sometimes moved down to tier 2 for ease of remembrance, tho never for the same servers.

      Tier 3 passwords are for websites, like this one. Usually most of my website accounts share the same login details, as Im not really bothered if someone logged onto slashdot and stated that im a gay faggot or whatever. Tier 2 passwords are usually passed on when they expire.

      I tend to treat passwords as something like special email addresses. You rarely forget an email address because it's in a known format: something @ something . something. So therefore I base my passwords on a similar format, one that I can remember or work out, eg AAAA!AA.AA@A# gives me a more memorable password than #@##23$ssDx_ which would be an excellent password except for the fact that it sucks :/ Saying that, I change the format as often as I change the passwords, every 30 days.

    5. Re:Definitely by xmath · · Score: 5, Interesting
      Come on, who uses passwords like '%33#Gt(;' nowadays..

      I do. :-)

      The funny thing is, I don't actually remember the character sequence. Maybe it's because I play the piano, but I remember the hand motions of typing the password. So to pick a password I just generate a few random ones until I find one that "feels" okay.

      I wonder how many people do this too

    6. Re:Definitely by calebtucker · · Score: 2, Interesting

      Yeah, I do the same thing. It gets to where I probably couldn't write the password down on paper with a pen just because I only know the motion I do with my fingers on the keyboard.

      --
      My sig can beat up your sig.
    7. Re:Definitely by red+floyd · · Score: 5, Funny

      Roland: One.
      Dark Helmet: One.
      Colonel Sandurz: One.
      Roland: Two.
      Dark Helmet: Two.
      Colonel Sandurz: Two.
      Roland: Three.
      Dark Helmet: Three.
      Colonel Sandurz: Three.
      Roland: Four.
      Dark Helmet: Four.
      Colonel Sandurz: Four.
      Roland: Five.
      Dark Helmet: Five.
      Colonel Sandurz: Five.
      Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
    8. Re:Definitely by Teflik · · Score: 2, Interesting

      I do something similar to this: I choose passwords that alternate the left and right hands while typing (typically). That way, I can type the password as quickly as possible. I practice the password over and over for several days until it becomes habit. At which point, I remember them by their feel, not by their content.

    9. Re:Definitely by AvitarX · · Score: 3, Interesting

      I do something similar.

      I take something easy, like a dictionary word.

      and offset all my letters.

      so "monkey"
      becomes "k0jo47"

      Also I shift the first 3 letters/numbers

      it becomes very reflexive but is also easy to remember as a dictionary word.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    10. Re:Definitely by Broodje · · Score: 2, Insightful

      That's what I do too - it works well. I did get in trouble once doing that at the bank. I had just opened an account and they needed me to key in my pin number. They hand me the atm-keypad thing and I enter a number, fast, without practicing or anything. On an unfamiliar, clunky, shitty-key handheld atm thing. Then the woman goes: "Go ahead and enter the pin number again". I had no idea what I had just entered, and we both agreed I was perhaps a little crazy. Otherwise, that method works well for me :) -B

    11. Re:Definitely by LetterJ · · Score: 2, Insightful

      The problem with even this is when you're in an environment where all of the passwords expire, but not on the same schedule. If your email password expires every 21 days, your network logon every 45 and they can't be any of the last 6, and they need to be unique and secure, it just encourages things like appending 1, 2, 3, 4, 5, 6 in sequence to a single password or using Post-Its everywhere with their new passwords.

    12. Re:Definitely by stmfreak · · Score: 2, Insightful
      Come on, who uses passwords like '%33#Gt(;' nowadays..

      I do. :-)


      Me too.

      I also use a three... make that four tiered system.

      a. simple (slashdot, new york times, etc.)
      b. medium (unprivileged accounts, e-commerce)
      c. banking (banks only)
      d. secure (longer and root only)

      I only have one simple password. I have two medium passwords, one banking password and one secure password. Other than the simple one, they are all 8+ characters long and random.

      I generate them by banging on the keyboard, holding shift and banging some more, releasing shift and banging some more. Then I click-select-drag-drop-repeat a few times and then start deleting characters at random.

      I then write the newly christened password down on a small piece of paper and carry it in my wallet for a few days until my fingers have memorized the sequence. I then eat it.

      As for changing passwords, what's the point in that? If you have a strong password and you (or your systems admin) are at all alert to long-running brute force attacks on your account, then a hacker has the same chance of guessing your brand new password in X hours as they do of guessing your old password in X hours.

      Strong passwords are good security. Rotation discourages strong passwords. QED.

      BTW, if one noticed a brute force attack underway in the logs, would one change the password? Or change the account name?
      --
      These opinions guaranteed or your money back.
  2. Common Sense by The+Snowman · · Score: 4, Insightful

    Are we increasing security too much, so that the users circumvent it?

    Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!
    1. Re:Common Sense by arnie_apesacrappin · · Score: 5, Interesting
      fail to put any thought into what is needed to be effective

      I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.

      When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.

      After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:

      Security training is useless if the user ignores it.

      I was going to add "or is annoyed by it", but I can think of one security awareness activity that pissed off several people, but was highly effective.

      After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

    2. Re:Common Sense by Snorpus · · Score: 4, Interesting
      "Security training is useless if the user ignores it."

      I had a similar experience at the Community College where I teach. After the Sobig, Blaster, etc. attacks of a few months ago, they (Information Technology) installed a McAfee program called "Stinger", which runs every time a user logs into the network, and (apparently) scans the hard drive for virus infected files.

      Takes 10-12 minutes to run.

      Classes are 50 minutes long.

      Stinger responds to the STOP button

      ---> Illusion of Security!!!

    3. Re:Common Sense by arkanes · · Score: 3, Insightful
      You make an important point, and it's actually relevant to all procedures, not just security. If you want them to be followed and not evaded or ignored, then you need the following:

      a) your procedures must make sense to your users. Sometimes this means education, other times (more often, in my experience) it means having intelligent procedures.

      b) Your procedures have to generate the minimum amount of work required to be effective. Duplication of work or extra work that people have to do (like forcing a stupid click through quiz) without an obvious benefit will just piss people off. And when you piss people off, they don't feel like following your rules.

      This doesn't mean you don't need strong rules, but you have to present them in such a manner that people feel comfortable with them, and not like you're being a bitchy secadmin.

      Oh, and you need to remember that your job is to keep the network safe and clean so that it's accessible - just locking everything down so that everything is unusable is NOT a real security policy!

    4. Re:Common Sense by Eil · · Score: 2, Interesting

      I'm in the Air Force Reserve and while the military does a lot of things right, even the Air Force is just plain clueless about computers and basic security. Right now, to log into a desktop computer, you use the standard login+password combination. Except that, depending on your job, you might also have anywhere from two to five separate passwords to log you into different applications, databases, and internal web sites. Every application was written by a different contractor, so to even dream of single sign-on is insane.

      Okay, you might be thinking, that's not so bad. After all, you probably have a similar situation on your home machine. I know I do. But I'll bet your home machine doesn't have a password policy like this:

      "Passwords must be at least 8 characters, with at least 2 alphabetic and 1 numeric/special character, must begin with an alphabetic character, must not contain special characters other than _, $, or #, must not be a word found in the English dictionary, and must differ in at least 2 character positions from the old password. Also, passwords must contain at least 5 different characters and cannot have a simple sequence of 4 or more characters (for example, 1234 or edcb)."

      That is the actual copied-and-pasted password policy for the networked computers in our wing. After about 10 minutes of trying to come up with something memorable that the machine would accept, I finally gave up and it took me an additional 5 minutes to construct a string of random gibberish that the machine would accept. (I have it written down in a post-it in my notebook, of course.)

      The traditional rationale for this nonsense is that the more complex a password is, the harder time an attacker will have brute-forcing it or guessing it. But wait a second... if these passwords are all verified by a server sitting across the network (such as a Windows logon), wouldn't brute-forcing the password be impossible remotely? I would think that any kind of login interface, whether local or remote, would have a simple algorithm that makes brute-forcing impossible such as by exponentially increasing the amount of response time for each invalid logon attempt. As for brute-forcing locally, well, you've got much bigger problems on your hands than a few compromised accounts if an attacker is able to run a cracker on your password database itself either on his machine or yours.

      My first instinct, when I first read the password policy above, was to wonder whether such a restrictive policy would actually make it easier for an attacker to brute force because it shouldn't be all that difficult for an attacker to build a password cracker that simply skipped all of the enforced restrictions and only tried valid passwords. My question, for someone more educated in statistics or security than I, is this: would filtering for these password restrictions really result in a significantly smaller average search time before a match is found?

      Compromise via a guessed password shouldn't even be very much of a consideration either. Guessing a password is more difficult than many would think. Your guesses would have to be fairly well educated and for that you would need to know the person pretty well. I think I've correctly guessed someone's password only once in my lifetime and that was because she was my wife and I already knew several of her other passwords. :P The other option is social engineering, but the effectiveness of that is on a downward spiral, especially in the Air Force, where unrelenting security training is the standard practice.

      So what it seems to boil down to is just what the parent comment states in bold. Increasing security complexity is causing users to simply ignore it, making the resulting system less secure rather than more.

      As a side note, the Air Force is moving to public-key encryption with the private key being stored in a chip on our ID cards. This is a good start, but they have yet to implement it beyond the network logon. (I asked where I could ge
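The policy pasted in the comment above is specific enough to implement, which makes it easy to see how much it actually demands of a user. The checker below is an added example written for this page, not code from the commenter or from the system the comment describes. It assumes ASCII passwords, reads "simple sequence" as four or more consecutive characters whose code points step by exactly +1 or -1 (the policy's 1234 / edcb), and uses a tiny constructed word list in place of a real English dictionary; the "differ in at least 2 positions from the old password" rule is exposed as a separate comparison because it needs the previous password.

```python
# Added example: a checker for the password policy quoted in the comment above.
# Assumptions (not from the page): passwords are ASCII, "simple sequence" means
# consecutive characters whose code points step by exactly +1 or -1, and the
# dictionary is a tiny constructed word list standing in for a real one.

DICTIONARY = {"password", "welcome", "letmein", "monkey", "airforce"}  # constructed sample
ALLOWED_SPECIALS = set("_$#")   # the only non-alphanumerics the quoted policy permits


def has_simple_sequence(pw, run=4):
    """True if `run` or more consecutive characters step by +1 (e.g. 1234) or -1 (e.g. edcb)."""
    for step in (1, -1):
        length = 1
        for a, b in zip(pw, pw[1:]):
            length = length + 1 if ord(b) - ord(a) == step else 1
            if length >= run:
                return True
    return False


def check_policy(pw, dictionary=DICTIONARY):
    """Return the list of rules `pw` violates; an empty list means it passes the policy."""
    problems = []
    alpha = [c for c in pw if c.isalpha()]
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(alpha) < 2:
        problems.append("fewer than 2 alphabetic characters")
    if len(pw) - len(alpha) < 1:
        problems.append("no numeric/special character")
    if not pw or not pw[0].isalpha():
        problems.append("does not begin with an alphabetic character")
    bad = {c for c in pw if not c.isalnum() and c not in ALLOWED_SPECIALS}
    if bad:
        problems.append("special characters other than _ $ #: " + "".join(sorted(bad)))
    if pw.lower() in dictionary:
        problems.append("is a dictionary word")
    if len(set(pw)) < 5:
        problems.append("fewer than 5 different characters")
    if has_simple_sequence(pw):
        problems.append("contains a simple sequence of 4 or more characters")
    return problems


def positions_changed(new, old):
    """Positions in which `new` differs from `old` (the policy's 'differ in at least 2 positions')."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


if __name__ == "__main__":
    # Constructed candidates: one that passes and three that each trip a different rule.
    for candidate in ("Zebra_4x9", "abcd1234", "1Password!", "password"):
        print(candidate, "->", check_policy(candidate) or "ok")
```

Returning the list of violated rules, rather than a bare yes/no, is what lets a system tell the user which rule rejected the password; the comment's ten minutes of guessing is what happens when the checker only says "no".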

    5. Re:Common Sense by arnie_apesacrappin · · Score: 2, Interesting
      My first instinct, when I first read the password policy above, was to wonder whether such a restrictive policy would actually make it easier for an attacker to brute force because it shouldn't be all that difficult for an attacker to build a password cracker that simply skipped all of the enforced restrictions and only tried valid passwords. My question, for someone more educated in statistics or security than I, is this: would filtering for these password restrictions really result in a significantly smaller average search time before a match is found?

      I actually had a discussion about this when the global security council of a larGE company (I won't name it here ;-) I formerly worked for announced the new password policy. The policy stated that passwords were to be a minimum of 7 characters containing at least 1 lowercase letter, 1 uppercase letter and 1 number or special character.

      If you recall the days of the LanMan password hash, the hash was broken into two 8-byte fields. For passwords less than 8 characters, the second 8 bytes were always the same. Here is where the policy causes problems. According to the policy, the minimum length is 7 characters, so if we know the password is less than eight characters from the hash, we know it is exactly 7 characters.

      So now consider the imaginary case that we have a hash for a password that's less than 8 characters. The password policy tells us that we won't need to attempt any passwords 1 to 6 characters in length. It also removes any seven character passwords that don't meet the criteria above.

      Please forgive any math mistakes; these are only meant to be rough estimates. Using the character space of 26 lowercase, 26 uppercase and 42 numbers and special characters the entire password space is: 94^7 + 94^6 + 94^5 + 94^4 + 94^3 + 94^2 + 94^1 + 1 which is roughly 6.55 * 10^13. Removing the 1 to 6 character passwords reduces the space by a little more than 1 percent.

      Once you remove combinations not allowed by the policy (all lowercase, all uppercase, all numbers and special characters, lowercase plus uppercase, lowercase plus numbers and special characters, uppercase plus numbers and special characters) you take away roughly 1.47 * 10^13 possibilities, leaving about 76.5 percent of the original password space. If the policy implements positional requirements (i.e. must start with a lowercase letter) the space will reduce even further.

      On the other hand, the space is still pretty big. Keep in mind that l0phtcrack style dictionary attacks cover more than just standard OED words. If an intruder had access to the password hashes on an NT system of mine, I would be more worried about a modified dictionary attack (even with the policy you mentioned) than the password space that the intruder had to search.

      --

      Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP
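The reduction estimated in the comment above can be computed exactly by inclusion-exclusion over the character classes: subtract the strings missing one class, add back those missing two, and so on, so each non-compliant string is counted once. The code below is an added example, not the commenter's own calculation; it takes the comment's class sizes (26 lowercase, 26 uppercase, 42 others, 94 in all) and the 7-character length as inputs, and checks the general routine against a brute-force enumeration on a tiny constructed alphabet.

```python
# Added example: password-space arithmetic for the policy discussed above
# (7 characters, at least one lowercase, one uppercase and one digit/special).
from itertools import combinations, product

# Class sizes as given in the comment (26 + 26 + 42 = 94 printable characters).
CLASSES = {"lower": 26, "upper": 26, "other": 42}


def total_space(alphabet_size, max_len):
    """All strings of length 0..max_len: the comment's 94^7 + 94^6 + ... + 94 + 1."""
    return sum(alphabet_size ** k for k in range(max_len + 1))


def compliant_count(length, classes):
    """Strings of exactly `length` containing at least one character from every class.

    Inclusion-exclusion over the set of classes that are missing: subtract strings
    missing one class, add back those missing two, and so on. This counts each
    non-compliant string once, unlike summing overlapping categories by hand."""
    names = list(classes)
    total = 0
    for r in range(len(names) + 1):
        for missing in combinations(names, r):
            remaining = sum(n for name, n in classes.items() if name not in missing)
            total += (-1) ** r * remaining ** length
    return total


def brute_force_count(length, alphabets):
    """Reference implementation for small alphabets: enumerate and count compliant strings."""
    letters = "".join(alphabets.values())
    return sum(
        all(any(c in a for c in s) for a in alphabets.values())
        for s in product(letters, repeat=length)
    )


def policy_reduction(max_len=7, classes=CLASSES):
    """Return (total space up to max_len, compliant space at exactly max_len, fraction kept)."""
    total = total_space(sum(classes.values()), max_len)
    compliant = compliant_count(max_len, classes)
    return total, compliant, compliant / total


if __name__ == "__main__":
    total, compliant, kept = policy_reduction()
    print(f"full space up to 7 chars: {total:.3e}")
    print(f"policy-compliant 7-char passwords: {compliant:.3e} ({kept:.1%} of the full space)")
```

With the comment's numbers the compliant 7-character space comes out at about 77% of the full space, in line with the rough estimate above. The brute-force checker exists because inclusion-exclusion is easy to get subtly wrong (double counting "lowercase plus uppercase" against "all lowercase", for instance), and a three-character toy alphabet is enough to catch that.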

  3. Wait a second by bossesjoe · · Score: 2, Interesting

    My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

    --
    There is no replacement for displacement.
    1. Re:Wait a second by ePhil_One · · Score: 4, Insightful
      My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

      But unfortunately, security people are like PHB's, when they see the reaction to their security measures are circumvention (taping passwords to monitors, etc) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.

      --
      You are in a maze of twisted little posts, all alike.
    2. Re:Wait a second by Jeremiah+Blatz · · Score: 2, Insightful

      I don't know what kind of "security people" you deal with, but they're clearly a bunch of snake-oil selling morons. Frankly, I don't think you've ever seen a real security person, I think you see a bunch of programmers who are responding in a disorganized manner to a directive from management to "add security."

      The people who "designed" these systems are not people who are used to thinking about security, or even know how to think about security. Criticizing the entire field of security professionals based on these systems is like complaining about doctors being incompetent because the miracle cure you bought off the internet made you sick.

      Tog's criticisms are valid, but he aimed wide in directing his ire. Similarly, I suggest that your statement "security people are like PHB's" is incorrect, and you actually mean "security frauds are like PHB's."

  4. The greatest threat... by Da+Fokka · · Score: 4, Insightful

    to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

    Social engineering can get you a lot further than being a l33t h4x0r.

    1. Re:The greatest threat... by Total_Wimp · · Score: 5, Interesting

      The human factor can screw you in more than just the social engineering scenario. One of my favorites is personal firewalls. Since normal humans have no idea what *that* program file is or why it might want to talk on *that* port, they just hit 'yes', and let the attack right in, or they hit 'no', and disallow a perfectly useful application.

      My company now wants to deploy these magical devices to all employee computers and can't figure out what I mean when I say they'll make things less secure. I think this article was dead-on.

      TW

    2. Re:The greatest threat... by great_flaming_foo · · Score: 2, Interesting
      The greatest threat to security in all fields always has been and always will be the human factor.

      The wetware is always the weakest link because it is the hardest to patch.

    3. Re:The greatest threat... by cgenman · · Score: 4, Interesting

      Except that security measures necessarily are a human factor. Human nature cannot become the bottleneck in a system designed to work with / thwart human nature. You might as well say that all passwords should be 1MB of random binary culled from decaying atoms, or a 1GB flash disk welded to the spine of the user.

      People have a limited memory. They generally remember three or four passwords. Deal with it. Either use biometrics, or a password culled from a sentence (as another poster suggested). Or do a dictionary attack on all user's passwords at signup time, and refuse anything in the OED. Or use one of those nifty word verification challenge-response things that are all the rage in web-facing pages.

      People don't change their passwords. Deal with it. Either they're going to write them all down somewhere, or they're going to memorize them. If they write them down, they're susceptible to attack. If you force them to change their passwords, they can't be memorized. But if they are memorized, they can't be compromised with any method that would otherwise catch any login.

      And yes, any network can be compromised. You have to reduce the risk, but you also have to work with the way that people work. I worked at a place with randomly generated 8 character ascii passwords. For security's sake, the password system was case-sensitive. For simplicity's sake, the passwords generated were all upper-case. Invariably, new hires were given the password as lower-case (which makes sense to us humans), and then wondered for weeks why it wasn't working yet.

      I use a password storage system with 256 blowfish encryption, but the idea that I have to store passwords in a password-protected system is a little scary.

      Security is the human factor. How do you give access to one person and not another? How do you verify identity? What can't be faked and / or given away? If by social engineering you mean sneaking into someone's job pretending to be the plant waterer, then stealing the password they have taped to their monitor, then yes, social engineering is part of being a l33t h4x0r. Mitnick's greatest exploits generally involved pretending to be one person to gain enough access to pretend to be another.

  5. Sliding Scale by the_argent · · Score: 2, Insightful

    I've always tried to balance system security against how much of a pain in the ass it will be to the end user. If the PIA threshold is too high, the more likely the end user will try to navigate around it.

  6. THANKS FOR TELLING EVERYONE MY PASSWORD, ASSHOLE by Anonymous Coward · · Score: 3, Funny
  7. Enforcing passwords != Increasing security by Tony+Hoyle · · Score: 4, Insightful

    You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things and utterly destroy the existing security.

    Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.

    1. Re:Enforcing passwords != Increasing security by dgatwood · · Score: 4, Insightful
      Indeed, it is all too common to see people make things less secure when trying to make them more so. Some classic examples of this include:

      • Password aging (people pick weaker passwords as a result)
      • Airport screeners no longer doing hand checks for computers (with bomb residue tests and verifying that they really are computers)
      • Requiring a different password for every system (my birthday, my house number, my phone number, my dog's name, my mother's maiden name... there, that's the first five...)
      • Asinine rules that require a number in your password or other highly specific rules (aha, now our dictionary search can skip any choices that don't contain a number! Oh, and his password is now John1. Real improvement.)
      • PIN numbers (false sense of security... it doesn't take long to guess one)
      • Security digits on the back of credit cards (also false sense of security, as anyone who steals the card number can probably steal this as well)
      • No knives on airplanes (now the only people who will have them are the terrorists)
      • Arming pilots (terrorist breaks in, surprising the pilot, grabs the pilot's gun off the shelf, and now he has a gun instead of just a box cutter)
      • Antivirus software (fix the real problems, or else they will just keep escalating and lead to a false sense of security)
      Or, as I've always said, anyone who claims to be an "expert" probably isn't. Beware especially of anyone who claims to be a security expert.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  8. Two minds about it by Carnildo · · Score: 5, Interesting

    Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"

    As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Two minds about it by treat · · Score: 2, Informative

      Most people are not able to type a full sentence without making an error. Now you have to either echo the password, or accept similar passwords as correct, both of which are horribly dangerous.

      Those that are, probably also type the password too many times a day to make this practical.

      The fact of the matter is that guessed passwords make up far less than a tenth of a percent of all intrusions.

      By the way, all reasonable systems support long passwords. There's really no excuse. I don't know what "if systems supported it" is supposed to mean. I can't think of a modern system that doesn't support long passwords.

    2. Re:Two minds about it by Carnildo · · Score: 5, Informative

      Voice recognition can be bypassed by a $10 piece of technology known as a "tape recorder".

      And it can fail to recognize a valid user if they happen to have a sore throat.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:Two minds about it by segment · · Score: 2, Insightful
      As a sysadmin, though, I feel longer passwords are better. Why would this be better? (longer passwords). Consider the following...
      • thisismylongasspassword
      • thi!$1smyp4$s
      Make your password as long as you want, and an experienced cracker could splice words together from a dictionary file easily. Regardless of even that, if your network isn't using the proper mediums (VPNs, SSH, SSL), a simple sniffer will grab anything you choose to use, evenifyoumadethisyoursocalledlongpasswordwhichyouthinkisgoingtosaveyou.

      Shoddy concept of security. Password cracking as we all (hopefully all) know is based on someone's inability to do something different with themselves. People tend to stick with familiarity, and there's nothing wrong with using say your dog's name bowser as a pass, but how about mixing it up !30w$eR ... it's still familiar and most crackers aren't going to spend their time regexp'ing 100mb password files when time isn't on their side.

      I would go on, but work calls...

    4. Re:Two minds about it by treat · · Score: 4, Informative

      Thanks for providing a classic example of a bad security idea. Your voice is not unique to you. Anyone can record it and play it back.

      Also, biometrics are worthless as the sole factor because if copied they can not be changed.

      If you care this much about security, use s/key (or OPIE) or any similar algorithm. Let the user carry around a device that calculates the next password. RSA securid is nice if you don't trust your users not to share their passwords, though not as secure as s/key.

      All the hard problems are solved. Everything that's left is human factors.

    5. Re:Two minds about it by RealProgrammer · · Score: 2, Insightful
      If systems supported it, I'd require medium-long sentences for passwords

      That was the point of the article, I thought.

      What would happen if you did require medium long sentences? Users would find a way to avoid typing them. They would leave their sessions open all the time. Time them out? OK, they'll find a fancy keyboard driver insertion utility that makes the system think they're typing. And so on.

      There is a balance between security and usability. You ignore it at your peril.

      There is no substitute for training users. Until we see them as our allies and not our enemies or our chattel, we're condemned to these tail-chasing security games.

      --
      sigs, as if you care.
    6. Re:Two minds about it by jonadab · · Score: 5, Informative

      > thisismylongasspassword

      That's better than you think. My /usr/share/dict/words has over 45000 words
      in it, which is probably typical. The above password is six words long (which
      if anything is pretty short, as sentences go). That means you can brute force
      it in about (45000^6)/2 tries, on average. Compare that to a typical "strong"
      eight-character password (e.g., "bVi-Q*cY"), which can be brute forced in
      (N^8)/2 tries, on average, where N is about 100 or 200 or so, depending on
      your character set. The sentence starts looking pretty good -- and it's a
      *lot* easier to remember.

      > thi!$1smyp4$s

      Yes, increasing the length to over 12 characters greatly improves the security
      of a traditional ugly password. (N^13)/2 is about N^5 times better than
      (N^8)/2, so with an N of around 80 characters (upper and lower case letters,
      digits, and about 20 common printable punctuation marks) that's about a
      three-billion-fold improvement in the time needed to brute-force it.

      I personally tend to favour a combination of these approaches. Take your
      sentence (say, "I tend to favour a combination of these approaches."), make
      a handful of key substitutions, and you get a password like this:
      I-t3nd-2-PHavour-a-c0mbinat|on-0f-these-approacheZ

      The sentence is easy to remember. In addition to the sentence, you have in
      the above example seven substitutions. That's a total of eight things to
      remember, barely (if at all) harder than tB8k^yQp and pretty much impossible
      to brute force. (If you do the arithmetic on this sucker, it's impressive.
      Even assuming a clever modified dictionary attack, the sentence is nine
      words long (nine *words*, not nine chars), and furthermore there are
      several possible ways to mangle each word. The mere electricity your CPUs
      would use up running the possibilities boggles the mind; whatever the
      password is protecting, you could buy it cheaper.) Then you have to worry
      about things like sniffers, surveillance, and rubber hose cryptanalysis, if
      the password unlocks something worth anyone's trouble to bother with all that.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    7. Re:Two minds about it by Lumpy · · Score: 4, Informative

      That's why I am still fighting with corporate for a great security system here at work.

      I have a test system that cannot be cracked from the outside. All users' "passwords" are 4 digits in length. They use an iButton to log in; simply insert it in the receiver on the monitor (it's on a keyfob on their keys) and type your PIN number.

      Without the iButton you can't get in or access data, without the PIN the iButton is useless, and don't try to crack the code: you have 4 tries and then your iButton is erased. You have to get it re-encoded before it will work again.

      No more taped passwords under keyboards, in drawers, on monitors. The users love it, and it integrates with Windows NT and 2000 just fine. (ibutton.com if you want to find a link to the software/company that sells what I am using.)

      I can make iButtons that are single use, and we can have those same iButtons work as the door entry card-key.

      If you want more security, you can get Java iButtons and have a program in the iButton play cryptography with the computer and generate a random access key on every access, or whatever your heart desires...

      You want high security? You have to use a security device to reduce the human factor... iButtons are the cheapest solution.

      --
      Do not look at laser with remaining good eye.
    8. Re:Two minds about it by Salamander · · Score: 2, Insightful
      All the hard problems are solved. Everything that's left is human factors.

      I don't know if you intended that to be funny, but I almost snorted milk all over my keyboard when I read it. Good one.

      --
      Slashdot - News for Herds. Stuff that Splatters.
    9. Re:Two minds about it by GlassHeart · · Score: 2, Interesting
      thisismylongasspassword
      That's better than you think. My /usr/share/dict/words has over 45000 words in it, which is probably typical. The above password is six words long (which if anything is pretty short, as sentences go). That means you can brute force it in about (45000^6)/2 tries, on average.

      I fear not. If the cracker knows that your password is a valid English sentence, then the search space is significantly reduced. For example, you can trivially discard any combination that doesn't include a verb. This observation alone probably takes the search space down to 6v*(45000^5), where v is the number of verbs in the dictionary, presumably much smaller than 45,000. A reasonable guess that one of the words is "password" would make the search space 6*(6v*(45000^4)). More importantly, most of your 45000 words are obscure. An attacker would likely initially try at most 5000 common words (which would cover every word in that password). All of a sudden, we're talking about 6*(6v*(5000^4)).

      By making three assumptions, I have narrowed the search space down by maybe eight zeroes - a hundred million times easier - assuming 'v' is in the thousands range. Now, you might say I chose those three assumptions because I already know the password. That is of course true, but what you need to consider is whether the worst password in your entire system satisfies those assumptions (derived entirely from only the knowledge that the password is an English sentence). Crackers can get lucky, too.

      In real life, you'd attack such a password by picking strings from the fortunes files, books, and other sources of quotes, and then we're only talking hundreds of thousands of tries. Remember that many crackers only need the weakest password.
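
The arithmetic in the two posts above, worked through in code. This is an added example, not something from the thread or from either poster; every constant in it (the 45,000-word dictionary, N = 80, a 5,000-word common list, 'v' taken as 3,000, and a placeholder guess rate of 1e9 per second) is either a poster's stated assumption or mine, not a measurement.

```python
"""Search-space arithmetic for the password shapes argued about above.

Added example, not part of the thread. All constants are the posters'
own assumptions (45,000-word dictionary, N = 80 printable characters,
a 5,000-word "common" list, a verb count 'v' in the low thousands);
none of them is a measurement.
"""
import math

DICT_WORDS = 45_000    # jonadab's /usr/share/dict/words
COMMON_WORDS = 5_000   # GlassHeart's first-pass list for an attacker
CHARSET = 80           # jonadab's N: letters, digits, ~20 punctuation marks
VERBS = 3_000          # assumption for GlassHeart's 'v' ("in the thousands range")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random(length, charset=CHARSET):
    """Bits of entropy in a uniformly random password of `length` symbols."""
    return length * math.log2(charset)


def bits_passphrase(words, dictionary=DICT_WORDS):
    """Bits of entropy in `words` words drawn independently from `dictionary`."""
    return words * math.log2(dictionary)


def bits_restricted(words=6, verbs=VERBS, common=COMMON_WORDS):
    """GlassHeart's narrowed model, written out exactly as he counted it:
    `words` positions for the verb times `verbs` choices, `words` positions
    for the known word "password", and the other words from the common list.
    """
    space = words * verbs * words * common ** (words - 2)
    return math.log2(space)


def mean_years_to_crack(bits, guesses_per_second=1e9):
    """Average time to hit the right guess (half the space) at a given rate.
    The rate is a placeholder; pick the one that matches the hash in use."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compare():
    """Side-by-side figures for the shapes discussed in the thread."""
    shapes = {
        "8 random chars, N=80": bits_random(8),
        "13 random chars, N=80": bits_random(13),
        "6 dictionary words": bits_passphrase(6),
        "6-word English sentence (narrowed)": bits_restricted(),
    }
    return {name: (round(b, 1), mean_years_to_crack(b)) for name, b in shapes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
```

Two things drop out of running it: the 13-versus-8 character gap is 80^5, the "three-billion-fold" jonadab quotes, and GlassHeart's three assumptions take the six-word sentence from about 93 bits to about 66, a factor of roughly 10^8, which is his "eight zeroes". Neither figure says anything about a sentence lifted from a fortune file, which is a lookup, not a search.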

    10. Re:Two minds about it by citog · · Score: 4, Funny

      You must live in one of the areas with low internet penetration ... I've had the shit kicked out of me several times just for my /. password

    11. Re:Two minds about it by sjames · · Score: 2, Insightful

      Have you been mugged lately? Now which do you suppose your users are going to give up... Their right ear or their PIN and iButton?

      You're technically correct, but the scenarios are not reasonable.

      Unless you have access to very valuable data, nobody is going to mug you for your iButton and PIN, they'll take your cash and throw your wallet away. The average mugger won't even know what an iButton is, much less how to use it or that a PIN may be necessary.

      If you do have access to data or systems valuable enough for rubber hose crypto to be considered, you'll have other measures in place like physical access control and a security officer to call who can lock your account immediately.

      At the same time, surely you realise that in any situation where you might turn over your iButton and PIN, you'd also turn over your password.

      In most cases, someone sophisticated enough to slip into your work area and use devices that can sniff rf emissions from the cable will have bigger targets in mind. If you are such a bigger target, once again, physical security should be sufficient to keep strangers away from your machine.

      The important thing to remember about security is to use an appropriate level. 90% or so (at a guess) have access to rather boring information. If you can keep kiddiez out and avoid random worms and trojans, you'll be fine. I do NOT enjoy boilerplate PowerPoint slides nearly enough to actually try to gain access to yours or anyone else's (and risk felony charges).

      If you're concerned about industrial espionage, you'll gain a lot more security with an alarm system, a firewall, and careful HR procedures to avoid hiring the competition's spy (and issuing him an iButton and PIN, etc.).

      In all areas of security, it's common to see great deals of money and trouble thrown at the 'front door' while ignoring the back door. Things like steel doors with 3 deadbolts next to an unmonitored picture window. Home security systems with pin numbers, sensors, and blinkinlights that can be trivially disabled with a hammer (WHACK, rip) faster than you can enter your pin. If criminals weren't so stupid on average, they'd be worthless.

      Consider the billions being spent on nifty new airport security. Consider a deadbolt on the flight deck door.

      A big point is that unless security upgrades are very nearly painless for users, they'll find a way to disable it (probably completely disable it) and reduce your security level.

      The iButton is good since it defeats MOST intruders while not presenting any great inconvenience to the user (which is probably made up for by the 'cool factor').

      The other big danger in security is pseudo security. That is systems and devices that sound quite secure but are trivially bypassed, like fingerprint scanners that can be tricked by breathing lightly on the pad to 'reactivate' the latent print left by the user. Another is over-estimation of the security provided.

      Summary, more is more until it is too much, then it becomes less :-)

  9. mirror by Anonymous Coward · · Score: 2, Informative

    My personal solution to this problem has been to create a database with each site a record listing the user name and password chosen. I have a shorthand for my usual password, but all others I'm forced to create are "in the clear," typed in right there for anyone with access to my machine to see.

    D'oh!

    I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.

    That sounds a bit contradictory, but I will soon prove my point. Before getting into the proof, however, I would like to explain that it is not solely the security people's fault. They have all attended one D'ohLT University or another, where their professors have carefully groomed them for their current state of profound D'ohLTism. That's the problem with being D'ohLTed; you are very likely to turn around and D'ohLT someone else.

    My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!

    So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.

    Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.

    Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and password clinging to the monitors on yellow stickies (e. g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.

    D'oh!

    Only a D'ohLT would come up with a security scheme that is so overly complex that it's guaranteed people will write down their passwords. And yet, this kind of D'ohLTishness is par for the course with these guys. They are the most clueless profession I know, and they are showing no signs of getting any better.

    Of course, there's always room for more retardation of productivity, and, if it can be found, these guys will do it. After the first six weeks, my wife had received only two of the four sets of usernames/passwords, and she'd had to speak to no fewer than seven people to get them. Two weeks of further extreme effort finally produced the last two sets.

    What was she doing in the meantime? Instead of spending full-time repairing people, which is nominally her job, she wasted hours camping out in another doc's offices, using his computer (and passwords--they were right there on the sticky note) to do her work.

    Meanwhile, the other doc, bumped from his office, would go and get an extra cup of coffee. The security D'ohLTs had thus not only opened up your medical records to anyone schooled in the use of sticky notes, they were pouring money down the drain in the form of lost productivity and company-supplied coffee.

    D'oh!

    Fortunately, of course, this problem is self-limiting. Yes, she only worked at full throttle for the final two weeks of her ten-week stint, but when she returns in December to work for another three weeks, her user names and passwords will all be waiting for her.

    Except unused user names and passwords expire after 90 days.

    D'oh!

    Even constant users have to make up (and post on their computer monitors) new passwords every 90 days, even if they keep their user names. Expiring stuff is the only way these guys can prevent the unthinkable: memorization. Once people memorize the little devils, they don't need their cheatsheets anymore, and then, suddenly, there's real security. They can't let that happen!

    Hospitals all over the country now are

  10. Passwords? by R33MSpec · · Score: 2, Funny

    I haven't changed my password here on Slashdot since I joined^H^H^H^H^H^H^NO CARRIER

  11. I disagree with the article by HermesHuang · · Score: 3, Interesting

    Too much security isn't the issue here at all. It's improperly implemented security. Yes, more passwords can be more secure. But only if the passwords themselves are secure. Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that. But simply assigning strange passwords to people is not the answer. And not having the secure passwords at all is definitely not the answer.

    1. Re:I disagree with the article by dgatwood · · Score: 2, Insightful
      I seriously hope you are kidding.

      Password expiry is no better than having no passwords at all, whether user-generated or automatically generated. The first thing that happens after they run a computer-generated password tool is to write it down. Thus, these tend to be much worse than letting the user pick the passwords. At least user-generated passwords can generally be remembered, and thus require at least a little effort to obtain. :-)

      However, if the user is choosing them, you'll have most folks either making stupid changes like you describe or rotating between a handful of passwords that they can remember. The rest will write down their new password. Thus, password expiration still buys you nothing, and may still make things worse, but at least it is less likely to do so than with computer-generated expiring passwords.

      Besides, if you don't give anyone your password and only send it over encrypted channels (you do turn off telnet, right?), then the password changing can't have any benefit. If someone tries to guess your password, there should be the exact same chance that the new one will be guessed as the old one... except that the human factor means that the passwords will gradually get worse as you expire more passwords.

      The only way that the probability might be different is if someone were trying to guess a given account's password with continuous login attempts spread over a period of several months (in which case you might get lucky and change it to something that had already been tried). If that's happening and your network admin hasn't caught on... well, you know where the real security problem lies. On the other hand, someone might check the same set of obvious passwords again, in which case changing the password to something that had already been guessed would make things much worse. The only way that password expiration can improve security is if your password is periodically compromised, in which case the solution is to prevent the compromise instead.

      In short, expiring passwords either has no impact on security or makes your system less secure. It simply isn't practical to expect people to remember a dozen different passwords that change every month, every three months, or even every year.

      If you really need high security, use a SecurID system where you have a PIN number that never changes and a constantly changing number generated by a device that fits in your wallet or hangs on your keychain. If $65 every three years is too much to pay for the security of their account, there's nothing in their account worth protecting anyway, so you should relax, let them have Bambi as their password, and repeat to yourself "it doesn't matter".

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  12. I would If I could ;] by Anonymous Coward · · Score: 3, Insightful

    Too bad many sites are disallowing special characters for fear of SQL injection attacks. As for too much security? That depends on how important what you are securing is. Is your credit card information worth a little bother to protect? How about the information that the credit card companies use to issue you (or supposedly you) a credit card? Social Security number, mother's maiden name, date of birth. You can get all that from a DMV database. A system is only secure until it's been compromised, then it wasn't secure enough. Security should be built in, from day one, against a verifiable standards-based framework. Them's my two cents, please keep the change.

    1. Re:I would If I could ;] by The+Snowman · · Score: 2, Informative

      Too bad many sites are disallowing special characters for fear of SQL injection attacks.

      This is a shame, since it is a *very* easy fix (store MD5 hashes, not plaintext, or escape the string before storing it) and it only inconveniences users. Oh well. A simple text file on my hard drive fixes that problem :-)

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
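
The fix the Snowman describes (hash the password, and never splice the raw string into the query), as an added example that is not from the thread. It uses salted PBKDF2-HMAC-SHA256 rather than bare MD5 and SQLite parameter binding; the in-memory database, the iteration count and the sample accounts are all constructed for the demonstration.

```python
"""Accepting any character in a password without fearing SQL injection.

Added example, not from the thread. It binds every value as a query
parameter and stores a salted PBKDF2-HMAC-SHA256 digest (used here in
place of the bare MD5 the comment mentions, since a salted, slow hash is
what password storage needs). The in-memory SQLite database, the
iteration count and the sample accounts are all constructed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumption: tune to tens of milliseconds on the target CPU


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB NOT NULL, hash BLOB NOT NULL)"
    )
    return db


def register(db, name, password):
    """Store the user. The password text never touches the SQL string: it is
    hashed first, and the hash is passed as a bound parameter."""
    salt, digest = hash_password(password)
    db.execute("INSERT INTO users (name, salt, hash) VALUES (?, ?, ?)", (name, salt, digest))
    db.commit()


def login(db, name, password):
    """Recompute the digest with the stored salt; compare in constant time."""
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


def demo():
    """Two constructed passwords a 'no special characters' filter would reject."""
    db = open_db()
    alice_pw = "p4$$w0rd;'--"
    bob_pw = "' OR '1'='1'; DROP TABLE users; --"
    register(db, "alice", alice_pw)
    register(db, "bob", bob_pw)
    return {
        "alice_ok": login(db, "alice", alice_pw),
        "bob_ok": login(db, "bob", bob_pw),
        "bob_wrong": login(db, "bob", "' OR '1'='1"),
        "nobody": login(db, "mallory", bob_pw),
        "users_left": db.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }
```

Both accounts log in with their quote-laden passwords, the table is still there afterwards, and the "injection" string is just bytes that went into a KDF. The username is bound the same way, so the filter has nothing left to protect against.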
  13. Annoying security leads to circumvention by Karcaw · · Score: 5, Interesting

    In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution for it externally on my laptop for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.

    So a simple ssh tunnel into a work machine, a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.

    So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.

    1. Re:Annoying security leads to circumvention by dasmegabyte · · Score: 2, Interesting

      they just annoyed me and i worked around it...

      You sure did. You worked around it by creating a secure tunnel to just your home. I'd say that's quite a bit more secure than the RSA key. Which, you have to admit, isn't really DEFEATING the security.

      Interesting, though, how much work you had to do to get around it, and you KNOW the system. A hacker would have to be pretty fucking determined to do what you did, and pretty sneaky not to get caught doing it.

      --
      Hey freaks: now you're ju
    2. Re:Annoying security leads to circumvention by Minna+Kirai · · Score: 2, Interesting

      so while i'm doing the forward securely with ssh, they just annoyed me and i worked around it.

      Even if ssh is unbreakable, your company's overall security has been reduced. The physical security of your home is probably worse than the office, but now an attacker can burgle your house to reach corporate-wide data.

      Of course, if you're allowed to ssh into work, then that vulnerability exists anyhow. But if the workplace blocks inbound ssh and you created the tunnel in the reverse direction, then the danger is your own.

  14. Forced password changes by Rex+Code · · Score: 5, Insightful

    Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

    If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

    1. Re:Forced password changes by lewko · · Score: 3, Insightful

      This fails however if the time between password changes is greater than the probable time to brute-force (or other wordlist) crack the password file. Don't assume that crackers all use the same 'dictionary' i.e. wordlist.

      Did you know that many 31337 hax0r cracking tools will straight away defeat the more lame methods for using complex passwords?

      This includes swapping every known integer/alpha replacement (e=3 0=o l=7) e.g. If someone used h3110 as their password (i.e 'hello' in hax0r spelling) it wouldn't take any longer than a standard dictionary attack.

      Having a single password changed every 30-60 days is not that difficult. It becomes a problem where users have to maintain multiple passwords for multiple systems. This is even more dangerous for admins who have to maintain even more, and they are used to protect sensitive systems.

      --
      Do you or your partner snore? - Visit www.snoring.com.au
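
What lewko describes, as an added example that is not part of the thread: a rule set that expands dictionary words with the usual letter/digit swaps, plus the reverse lookup a cracker can use so that h3110 costs no more than "hello". The substitution table and the four-word list are constructed for the demonstration; real rule sets (John the Ripper, hashcat) are larger but work the same way.

```python
"""Leet-style mangling rules, the kind lewko describes cracking tools applying.

Added example, not part of the thread. The substitution table and the
four-word sample list are constructed for the demonstration; real rule
sets (John the Ripper, hashcat) are larger but work the same way.
"""
from itertools import product

# Symbols each letter may be written as, including itself.
LEET = {
    "a": "a@4",
    "e": "e3",
    "i": "i1!",
    "l": "l1",
    "o": "o0",
    "s": "s$5",
    "t": "t7",
}

# Reverse table: which letters a symbol may stand for ('1' could be 'i' or 'l').
REVERSE = {}
for _letter, _symbols in LEET.items():
    for _sym in _symbols:
        REVERSE.setdefault(_sym, set()).add(_letter)

SAMPLE_WORDS = ["hello", "password", "secret", "letmein"]  # constructed wordlist


def mangle(word):
    """Every spelling of `word` under LEET, each also with a capital first letter."""
    choices = [LEET.get(ch, ch) for ch in word.lower()]
    seen = set()
    for combo in product(*choices):
        variant = "".join(combo)
        for v in (variant, variant[:1].upper() + variant[1:]):
            if v not in seen:
                seen.add(v)
                yield v


def expansion_factor(word):
    """How many lowercase candidates the rules produce per dictionary word."""
    n = 1
    for ch in word.lower():
        n *= len(LEET.get(ch, ch))
    return n


def base_words(candidate):
    """Plain-letter spellings the candidate could have come from (un-leet it)."""
    choices = [sorted(REVERSE.get(ch, {ch})) for ch in candidate.lower()]
    return {"".join(c) for c in product(*choices)}


def dictionary_hit(candidate, wordlist=SAMPLE_WORDS):
    """Dictionary words that a rule-based attack would reach `candidate` from.
    Checking by reversal means the whole mangled list never has to be built."""
    return sorted(base_words(candidate) & set(wordlist))


def rule_cost(wordlist=SAMPLE_WORDS):
    """Total candidates an attacker tries for the wordlist under these rules
    (times two for capitalisation), versus the plain list length."""
    return 2 * sum(expansion_factor(w) for w in wordlist), len(wordlist)
```

With this table "hello" turns into 32 candidates, so the swaps buy a factor of a few dozen per word, not the 45,000-fold step of adding a genuinely independent word. The reverse lookup is also a cheap password-filter check: if `dictionary_hit(candidate)` is non-empty, the "complex" password is one rule away from the wordlist.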
    2. Re:Forced password changes by mo26101 · · Score: 5, Informative

      About a decade ago, I was a software developer working in a building with 2000 users. Back then we wrote apps for Win 3.1. Most users 10 years ago were even more clueless than users today, so we often had to install software for them. We would show up and tell them that we need to install something, they would then usually say fine and go take a coffee break. Being Win 3.1 we almost always had to reboot for one reason or another in the install. This would then leave us needing to log back on the user's computer with the user not there. At this company passwords had to be changed every 30 days and include both letters and numbers. Nobody could remember their password, so when we needed to log in and the user was not there, we would just open their top desk drawer. 9 times out of 10 the password was written on a sheet of paper in the drawer. It was amazing how many people did this.

    3. Re:Forced password changes by pipingguy · · Score: 3, Funny

      If you've done a dictionary search...

      Slashdot is a great place to find alternative spelling that one can use as inspiration while thinking up passwords.

    4. Re:Forced password changes by dasmegabyte · · Score: 4, Informative

      It shouldn't be amazing. Average people don't give a shit about security, nor should they. It shouldn't be a part of their jobs, or at least it shouldn't be something that interferes with them.

      Does this suck? Sure seems to make your job as an admin harder. But the fact is, you can't rely on end users for security anyway. What happens when Joe in accounting finds out he's about to get downsized and takes it out on the network?

      If you secured it right, nothing. He deletes some information, and you get it back in a matter of minutes from the awesome backups and transaction logs you maintain. You invalidate his login, and it's like he never existed. That's security: having a way to fix things when they go wrong, not assuming nothing will go wrong because you demand so much.

      Security against hackers is no different. Make sure they can't sniff passwords, make sure nobody has too many rights when they come in to the system from the outside world. And when you have to allow them access to something, make sure they never can do more than a day's worth of damage.

      We have a lot of customers who are complete idiots. We know there is no way they will maintain useful logins to our system -- most of them use one login (same password as the log in name) on all of the installed computers they have, because it's easier. So, our new products were designed around this. Nothing is ever deleted from the system using the client application. The client's login can only read information on a server, or mark it invisible. The "root" logins are only known by a handful of people, and are only accepted from the console. And just in case, the whole shebang is backed up daily to tape, and the transaction log cloned and packed hourly.

      So we can have our customers call and tell us "My login is carl, password carl" and I no longer roll my eyes. Because "carl" doesn't do anything more than peering through the window of an armored car.

      --
      Hey freaks: now you're ju
  15. Maybe no security at all by Rosco+P.+Coltrane · · Score: 4, Interesting

    For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.

    So I guess the software equivalent of that would be to not leave expensive data that could interest people on a networked box, and make as much of your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.

    I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Maybe no security at all by lkturner · · Score: 2, Insightful

      The problem with that train of thought is you are assuming people are hacking the box to get to the *data*. My guess is 'access to data' is not at the top of the 'reasons to hack' list. It probably falls below 'because it was there', 'bragging rights', 'a node to cover ones tracks', 'zombies for DOS attacks', and the list goes on... Keith

  16. passwords by Pompatus · · Score: 4, Interesting

    The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.

    I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and an & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would literally have to be able to read my mind in order to guess it. But most systems won't accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.

    I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo id at school to have our password retrieved for us, but it happens so often, that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?

    Sorry for the long rant, but I felt the need to get all this off my chest :)

    --

    ----
    Squirrel ... It's not just for breakfast anymore
  17. Re:thanks for telling everyone my password, asshol by Darthnice · · Score: 2, Informative

    HE WAS YELLING!

  18. Increasing versus Improving security by GillBates0 · · Score: 2, Insightful
    Are we increasing security too much, so that the users circumvent it?

    By "increased security", do you mean increased security measures, or the increased security of the resulting system?

    If the resulting system is secure because of good security measures, then not every idiot can wander in.

    On the other hand, if you mean just increased security measures, which, apparently aren't resulting in a more secure system, then the "security people" are idiots for using weak security mechanisms over and over again, in a hope of increasing the overall security of the system.

    Improved security measures may not be large in number, but result in a secure system. You're better off using 1 strong encryption scheme rather than 4 weak ones.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  19. Passwords in linux by 3Suns · · Score: 3, Interesting

    There was a time when I was upset by the fact that Linux accepts very strange characters in the passwords (the arrow keys for instance) that couldn't be typed into most GUI password fields. Now I realize that that's not a bug, it's an accidental feature. Effectively, root can't log in on a GUI (including gksu), on a machine so configured, which adds to the security of the system. Fake login screens are foiled by that trick.

    (UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?

    --

    -3Suns

    ~~~~
    The Revolution will be Slashdotted
  20. Too many passwords - so I write 'em down! by gilgongo · · Score: 4, Insightful

    I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)

    So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?

    So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.

    So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!

    But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.

    So, I've closed my account with them. Because I think they're too damn insecure.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  21. Myth... by Chagatai · · Score: 3, Interesting
    Having a truly secure environment is impossible. The thing that is critical to remember is that security is about mitigating risk. As I always tell my customers, "It's not a matter of if you have a security issue, but a matter of when." Just like the article says, when too much security is applied to any area people will develop loopholes around them to avoid the "inconvenience." But by the same token without any inkling of security people will give out passwords over the phone. It's trying to find the happy middle that is the problem.

    Does enforcement matter? I'd be lying if I said it didn't. However, the means in which it is dispensed is the issue. No one enforces a security policy? Don't be surprised when a stranger walks in the door. People enforce security like a police state? Don't be surprised when people in power abuse their abilities and allow their friends to skate around issues. Then, of course, there is the typical knee-jerk reaction when an event happens and everything is locked down to only be forgotten about two months later.

    Use common sense, as it isn't common to most people. Tailor the security to the individual company; a meat processor protects their beef, Lockheed Martin protects missile technology--each is deadly in different ways.

    --
    --Chag
  22. Security is a process by Space+cowboy · · Score: 3, Informative

    There's little point in having a security-review once per year and then assuming that you're then ok for the next year. If you don't have an ongoing approach to security, you don't have a secure system.

    Every day I get reports from logwatch and tripwire on all the systems I look after. I look them over and query anything that catches my eye as unusual, or that doesn't correlate with the system-updates downloaded overnight. It takes about 10 minutes, and I do it over the first coffee in the office. It's just part of the routine. I insist on good passwords, and the machines are firewalled as much as possible. Got to leave that damn port 80 open though :-)

    I don't have the most-secure servers in the world, but I'll notice pretty quickly if there's something wrong with one of them, and I get an SMS if the chkrootkit program discovers anything...

    I have a client who had an annual security-review process, and was hacked into, about 3 months after the review. The attraction was the bandwidth they have, I guess, and the first thing they knew about it was when that 200mbit pipe went crazy spamming people left right and centre... Their attitude changed when they suddenly got charged a lot of money for doing something they didn't even know about!

    Simon.

    --
    Physicists get Hadrons!
  23. Not the source, really by sphealey · · Score: 4, Interesting
    So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.

    Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.

    Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and password clinging to the monitors on yellow stickies (e. g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.

    Besides being offensive, this scenario is, 99.5% of the time, blatantly untrue. The security professionals are very much aware that the password systems don't work, and that the userids and passwords are sticky-noted to the monitor. But they have no choice: (1) no better system than passwords has yet been devised (2) they are responding to the demands of UPPER MANAGEMENT for "security NOW, dammit!" (3) upper management in turn is responding to the demands of auditors, regulatory agencies, and ultimately Congress.

    The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.

    And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".

    sPh

    1. Re:Not the source, really by Have+Blue · · Score: 4, Interesting

      If it was as easy to memorize a 32-character randomly generated password that changes every 30 days as it was to put one more key in your pocket, then no, no one would tape it to the door. But if my garage door key was a 6" half-pound chunk of rebar, damn right I'd find a less secure place to store it.

  24. A Simple Exercise In Self-Auditing by Bowie+J.+Poag · · Score: 4, Funny
    Exercise: Make a drawing on paper of what your system looks like from the point of view of people on the outside. Draw it in a similar fashion to how one might draw a house, or a favorite car.

    A) If your picture looks like or includes any of the following objects, proceed to step C:

    . A block of swiss cheese
    . A large question mark
    . A fat mall-cop with powdered sugar around his mouth
    . A small child in a corner, crying, holding a security blanket
    . A Diebold voting terminal

    B) If your picture looks like or includes any of the following objects, proceed to step C:

    . Fort Knox
    . A medieval castle under siege with the invaders having boiling tar poured on them.
    . A resettable Viet-Cong boobytrap with dozens of pigs already skewered on it
    . The business end of a .357 Magnum
    . An illuminated Jesus standing atop an Sun E10K
    . A solid, faceless slab of hyperdense radioactive metal extracted from the heart of a neutron star

    C) You need to increase your system's security.

    --
    Bowie J. Poag

  25. Re:password quandry by thecampbeln · · Score: 5, Insightful
    No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

    Pa55J4n
    Pa55F3b
    Pa55M4r
    Pa55Apr

    Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra secure passwords, but don't make your users change them too often or this shit begins to appear.

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  26. Re:Passwords? OT by SlashdotLemming · · Score: 2, Informative

    "NO CARRIER" still getting a funny?
    Interesting... that has to be one of the longest lived funny mod triggers.

    Current funny triggers: SCO jokes, Golum speak.
    Declining funny triggers: I, for one, welcome our new ... overlords
    Recently deceased funny triggers: Yoda speak
    Deceased, but still occasionally funny: All your base..., In Soviet Russia...

  27. Security's Theory of Relativity by Anonymous Coward · · Score: 2, Insightful

    The obvious answer: It depends on the value of what you are protecting and what it would cost to replace it. The problem is after spending years of learning and loads of money on books, what security analyst is going to say "well, if the web server goes down, it would only take 15 minutes to restore from backup and cannot affect other systems, so there is no need for a $5000 firewall and the administration that goes with it." It is like asking a car dealer if we should replace our reliable sedan.

    That said, the only effective way to maintain security when it is required is to keep it usable for lUsers. We all have our keychains for PGP, but how do you make an easy-to-use yet secure keychain for the end user? An encrypted program on a USB key? A login on a secured central server? We still protect our own dwellings, the places we keep our most valuable items, with a 50 cent shaped piece of metal. How much more valuable is that forwarded joke sitting on your hard drive at work?

  28. I use good passwords, and here's how by kaan · · Score: 5, Insightful

    And I have to spend nearly zero brainpower remembering a password. Here's what I do...

    Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

    So an example phrase might be: "i love to post on slashdot"

    which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

    "iltp05"

    That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.

    1. Re:I use good passwords, and here's how by Minna+Kirai · · Score: 2, Insightful

      I use that system too, but it's not as good as forcing yourself to memorize a randomly-generated string.

      "iltpos" or "hthayt" has much less entropy than "ilcpskl" (which a computer gave me). Knowing you use this system, a hacker can download a bunch of ebooks and process them to generate a Markovian model of the English language. That would represent that letters appear at the starts of words with different frequency, and even (with work) that the frequency changes depending on how far you are in the sentence.

    2. Re:I use good passwords, and here's how by Coryoth · · Score: 2, Insightful

      Probably good enough for general use, but not exactly secure. First letters of words have a biased distribution, and leet-speaking up a password is a very commonly used method, so most decent password crackers have rules to deal with that.

      Jedidiah.

  29. Why are we hanging the security folk? by i_r_sensitive · · Score: 3, Insightful
    Hey, I was one, and Tog needs a firm slap across the face. In my experience, more often than not "good" security ideas are stifled not by the security people, but by the starched collars and ironed ties they have to wheedle the cash out of. Sure, not every security pro is a good one, but for every poor security pro I've met there are nine good ones working for shitty managers.

    Beyond that, no matter how good the solution, there are always those people who will try to end-run it. Worse still, there are those who encourage others to also end-run the system. At the top of the worse-still pile is the manager who somehow or another thinks this person would be a good security pro...

    Also, blaming the Universities is trite and unsophisticated. Please, folks don't go to University to learn about the real world, they go to learn theory, and play intellectual games, etc. etc. Where is the problem? Is it the people turned out by the Universities, or is it the people who hire University grads to do work which demands real-world utility? So, there weren't a dozen or so graduates of technical schools, whose training would be centered in the real world, not the theory, available to do the same job, right, at a lower cost?

    I find it somewhat in poor taste to hang an entire industry for what more likely is the fault of their managers... I find it more unseemly to attack Universities for what they have always done, and what we expect them to do, although in all fairness, they do turn out the MBAs whose intellectual chauvinism probably has more to do with hiring the wrong qualifications for the job.

    --
    "Talk minus action equals nothing" - Joey Shithead, D.O.A.
    "Talk minus action equals /." -
  30. Moore's Law vs. Evolution by Detritus · · Score: 4, Insightful
    Long and complex passwords are a waste of time and do little to increase security. Computer speeds have grown at a rate much faster than the user's ability to memorize "secure" passwords. Any system that allows an attacker to use brute force guessing or dictionary attacks is broken.

    My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.

    --
    Mea navis aericumbens anguillis abundat
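
    The "card is eaten after three failed attempts" rule from the post above, as an added example (not from the post or from any bank): the attempt counter, not the PIN length, is what bounds a guesser. The salted PBKDF2 storage and the card ids are assumptions made for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # the card is retained after the third consecutive failure
PBKDF2_ROUNDS = 100_000


class PinVerifier:
    """Per-card PIN check that retains the card after MAX_ATTEMPTS failures.

    PINs are stored as salted PBKDF2 digests (an assumption for this example;
    the post says nothing about how the bank stores them). Online guessing is
    limited by the counter: at most MAX_ATTEMPTS tries per card, no matter how
    fast the attacker's hardware is.
    """

    def __init__(self):
        self._cards = {}  # card_id -> record dict

    @staticmethod
    def _digest(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, card_id, pin):
        salt = os.urandom(16)
        self._cards[card_id] = {
            "salt": salt,
            "digest": self._digest(pin, salt),
            "failures": 0,
            "retained": False,
        }

    def verify(self, card_id, pin):
        """Return "ok", "denied" or "retained" (card kept by the machine)."""
        rec = self._cards.get(card_id)
        if rec is None:
            return "denied"
        if rec["retained"]:
            # A retained card never gets another guess, even a correct one.
            return "retained"
        candidate = self._digest(pin, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0  # a correct PIN resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["retained"] = True  # the ATM "eats" the card
            return "retained"
        return "denied"

    def failures(self, card_id):
        return self._cards[card_id]["failures"]


def guess_coverage(pin_digits=4, attempts=MAX_ATTEMPTS):
    """Fraction of the PIN space a guesser can try before the card is retained."""
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    atm = PinVerifier()
    atm.enroll("card-1", "4821")  # constructed sample card
    for guess in ("0000", "1111", "2222", "4821"):
        print(guess, atm.verify("card-1", guess))
    print("coverage per card:", guess_coverage())
```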
    1. Re:Moore's Law vs. Evolution by balloonhead · · Score: 4, Funny
      But why is it that I occasionally have a mental blank and can't remember my PIN, having to turn tail and run after two failed attempts until the next day when I can try again, but when I am so blind drunk I can barely walk or speak, I can stagger two miles home, extract 10 pounds from my account (sometimes at two different terminals), get a kebab, navigate through two locked doors, urinate, undress, and get into (or near, sometimes) my bed?
      And who can explain the last three ex-girlfriends' phone numbers that I remembered to call at 4am too? I sure as shit can't remember them during the day.

      --
      This idea was invented by Shampoo.
  31. Sure, your bank account first by Ars-Fartsica · · Score: 2, Informative

    Sometimes security trumps usability. Tog is a usability guy, he wants things to be easy. Security is not supposed to be easy, that's the point. It's reality and I hope any information system I trust piles on as much as they can.

    1. Re:Sure, your bank account first by Jerf · · Score: 2, Insightful

      Security is not supposed to be easy, that's the point.

      Wrong.

      The first priority of security is to raise the cost of breaking the security above the value of the benefits of breaking the security.

      If anything about the security makes it fail, then it has failed.

      In the vast majority of common cases, security needs to be easy enough to use, or people won't. When it fails that way, it's partially the person's fault and partially the security's fault... but whatever the ratio it's certainly not 100% the person, because it's always a game of probabilities and risk assessment.

      Making security hard decreases the value of the secured item for the people who are supposed to be using it. Make it hard enough and it will exceed the value of the thing being secured. Then it's not just pointless, but of negative value. Making security easy is a high priority unless the secured item is of high enough value to make devaluation not enough of a concern to be worth worrying about.

      The idea that security should be hard is unfortunately a very poisonous one, because people then assume if it's hard, it must be security. Then we end up with shitty systems like "airport security" that decrease the value of the airline system while doing nothing to increase true security. The best way to attack this problem is to remove the false idea that "security is not supposed to be easy", i.e., security should be hard.

  32. Your password has been reset to "Duh" by MythMoth · · Score: 3, Interesting

    I did some work for an internationally renowned company. Their IT department was (with good reason) obsessive about security.

    To get your login, a representative of the IT department gave you a sealed envelope in person. Your manager was not allowed to receive it on your behalf under any circumstances.

    To reset your password to the current day of the week, however, all you had to do was ring the helpdesk and say "I've forgotten my password, and my name is..."

    There's resistance to changing this approach 'cos the complex password requirement and the enforced 30 day password expiration result in multiple daily requests for this.

    Nicely illustrates the point, I think.

    --
    --- These are not words: wierd, genious, rediculous
  33. ssh keys + long passphrase by forevermore · · Score: 3, Interesting
    Since the replies seem to be taking a heavily password-oriented approach, I'll put in my $.02.

    As a security feature at work, we've started switching our more important boxes to key-only login. I've done the same to my boxes at home, for good measure. Now, I have 2 keys. One that lives on my box at home, and one at work. They don't exist anywhere else (other than a USB pen drive for backup), and will never be copied off of these drives. I use a relatively long passphrase (19 chars), but since I use ssh agents (and agent forwarding when it's safe enough to do so), I only ever have to type the passphrase once per day (the machine is set to forget the passphrase when I leave work).

    Now if only all of those ecommerce type places would work with my public keys...

    --
    Do you really need reason for beer? Wingman Brewers
  34. Re:different levels of importance by rokzy · · Score: 2, Insightful

    I hate it when stupid systems try to force me to use "better" passwords. Many of my internet passwords (not Slashdot) are just variations on 'password'. This is for things like forums where I couldn't care less if they got hacked, and would consider it a bigger security risk to give them a "real" password as it would give them an insight into my thinking.

    When setting the root/user password on SuSE 8.2 I noticed that if you set an all-lowercase password during installation it's fine, but if you try to change it to another all-lowercase password later it bitches about it and won't let you.

    I hate requirements on passwords. Displaying advice about passwords is okay, but when you have bullshit like "must contain at least one capital and number" all you do is potentially force the user into using an unfamiliar password and hence writing it down or making it trivial or something.

  35. Password management by montey · · Score: 4, Informative

    I recently read a document proposing an alternative approach to an aspect of password management. I have since adopted this approach.

    The paper said that one of the biggest threats to password security was the frequency that changes were required.

    It seems that a fairly accepted norm is coming into being in the form of organisations requiring their users to roll their passwords once per month, and requiring that these passwords are unique. The problem with this requirement is that people are asked to remember so many passwords that they are tempted to either use weak passwords, or to write them down and stick them to something. Hence the previously secure password is now compromised.

    The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter). As a result, in any year they have to get to know only 4 passwords (instead of 12), and as such can handle better quality passwords more easily.

    My users are far happier with this approach, and now see it as a reasonable compromise. As such they now buy in to the concept and we find far fewer people breaching the password policy.

    1. Re:Password management by harborpirate · · Score: 2, Interesting

      Here's my take: The more often you force users to change passwords, the simpler the passwords will get. And if you force them to create tough new passwords frequently, they'll write them down or otherwise store them insecurely. When users store passwords insecurely, it increases the likelihood that the password will become available to someone you don't want it to, without them having to resort to technical techniques, such as keyloggers or brute force cracking.

      Technical techniques are detectable. They may be difficult to detect, but they are detectable. The "bad guys" seeing a password on a desk (or trash or whatever) is not detectable, and now you've now opened yourself up to the nastiest password leak of all. Even most stupid passwords are going to take more than 10 attempts to crack, unless it happens to be "password" which almost every cracker guesses first. If you have a worthwhile system to defend, you'll be aware of attempts to brute force your system, and you can take action.

      Now, I know what you're thinking: "What if they brute force against my password file/database?". Listen, if someone has access to your password file or database, you are screwed, whether you force your users to change their passwords or not.

      Normal users create dumb passwords. What really needs to be done, in my opinion, is when you hire someone, they should go through a secure password training course. They should be given some techniques for creating a tough password that they can remember, and then informed that they should never, ever give out their password to anyone else, or write it down, or store it on a computer.

      There is one final piece to the puzzle. You need to run a cracking program against your own password list once every few months. (Or more often for a system where security is paramount) Be sure that the cracking machine is not on a network! Move the file or database to the machine via sneakernet. Run the cracker on the list, and anyone it comes up with quickly should be told to come up with a new password. Frequent offenders should be required to attend the secure password training course again.

      I think this would result in the most secure system possible. Sure, people are still going to write down passwords. They'll still have dumb passwords. They'll still give out their passwords to other people. But, you'll have limited how often that happens, and at least the majority of your users will have somewhat difficult passwords. Those people who have very difficult passwords can keep them, making for a secure system where users are more happy.

      --
      // harborpirate
      // Slashbots off the starboard bow!
  36. Rotating passwords...heh by Johnathon_Dough · · Score: 2, Interesting
    I have two banking sites that make me rotate passwords on some random pattern I cannot figure out (time? number of entries to site? don't care enough to really figure it out).

    So, whenever I am faced with the now dreaded "Please type a new password" prompt, I transpose two letters in my current password, then after entering the site, go back and change my password back.

    A pain in the ass, and it just gets me annoyed with my bank; I don't feel any more secure with a new password than the old. So why change it? And for that matter, if they are forcing me to change my password, why let me change it back immediately?

    --
    If you are one in a million, then there are six thousand people who are just like you.
  37. My experiences by bigjnsa500 · · Score: 2, Interesting
    We rotate our passwords every 60 days, 8 characters or more, uppercase/lowercase, #s and symbols. What I see are lots of post-it notes hanging on monitors with the various server passwords, not only mine but everybody else's. It's getting to the point where anybody can *see* the passwords.

    I believe in letting the user select their own password, but to a point. Meaning I don't let them do smith1 or johnsmith1. Something *they* can remember. To me, if the user can remember it, it means it's not printed anywhere on the workstation or desk.

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
  38. Too many passwords by Atragon · · Score: 2, Insightful
    Using a different password for every login is all well and good, so...

    You've got separate passwords for any forums, any games, any webmail, your ISP email, any school/corporate/home/other logins, any websites, any other services that need a password, right?

    Oh, and you don't have any of them recorded anywhere too, right?

    Oh, you also change them regularly to something completely different but equally secure, and don't record the new password, right?

    I call bullshit. Using secure passwords is all well and good, but being expected to have to keep a separate PW and login for every single account you have is completely insane. While I hate to say this, what we need is a _trusted_ service to authenticate who you are and then allow access to all your varied accounts.

    Either that, or we need a massive push to allow using public/private keys to authenticate identity. Of course, that'd have to be linked to a concrete device to carry a key of any meaningful length. But what's the problem with this I ask, after all, people carry credit cards all the time.

    If you use a smartcard to carry the key and perform biometric identification of the user, which then transmits to the {blank} that user X with key Y is logged into computer Z, at which point the {blank} considers "Is the key Y the right key for user X? and is user X authorized to do {blank}?"

    All that's needed to allow this to work is a trusted authority that can issue smartcards and keys to people. As for how the authority checks identity, governments issue passports/driver licences/security clearances all the time, so obviously a mechanism exists to verify that a person is who they say they are.

    And don't say that 'for sites that require extra security, they can just use a password for added security' this is wrong, we need to move from a security system which verifies on the service end based on information provided by the client, we need a system which verifies at the client end based on information provided by the service.

  39. Simple way to remember passwords by plnrtrvlr · · Score: 3, Informative

    Here's a simple trick to curing the password problem. Think of a sentence that describes the purpose of using the password. I might use a sentence like "I want to see how much money I have in the bank." to help me remember my banking password; the password then becomes either the first or last letters of the sentence, complete with punctuation. I mentally say the sentence to myself until the password itself is memorized (and even then, I find myself thinking the sentence) and type the appropriate letters. My banking password then becomes "IwtshmmIhitb." I find that it is much easier to remember a sentence than it is to remember some obscure password, and that a strange enough sentence (Wow man! Did you see the size of those CHICKENS? Wm!DystsotC? ) makes for some unusual but easily remembered passwords.

  40. Good methods by ax_42 · · Score: 3, Interesting

    Looking for a decent password?

    "apt-get install pwgen" for a program that can produce (among other things) pronounceable passwords.

    Or grab some dice and go to: Diceware.

  41. Password Algorithms by Anonymous Coward · · Score: 3, Interesting

    (Posting as AC to prevent someone from guessing my real algorithm.)

    I'd like to suggest a method for creating passwords for sites; I'm sure it's not unique to me, but it's effective, more secure than sticky notes, and not very time-consuming.

    The technique is to use a simple algorithm to create the password, seeding it with a unique identifier from the location where the password is to be used. This way, you can remember the algorithm (even write most of it down if you like) and yet the password for each site is unique, and if stolen doesn't give the intruder access to any other site. (If your algorithm is good, it would make it hard for someone given 2 or 3 of your passwords to figure it out.)

    For example with a site named "acmewidgets.com" my algorithm (modified) is:

    • Take the name of the site/company/whatever ("acmewidgets").
    • Write down the last three letters, in reverse order, with the first capitalized. ("Ste")
    • Count the number of letters in the name. (11)
    • Use some favorite phrase/poem that you know well, and find the 11th word. (e.g. Robert Frost's "The Road Not Taken", the 11th word is "could"). Add the first four letters of that word to the string. ("Stecoul")
    • Finally, add up the digits of the number of letters until they're a single digit, and put it on the end. ("Stecoul2")

    My actual algorithm makes it a little harder to see English words in the final, but like the above produces an 8-character password (often one of the boundaries for password limits, e.g. 2-8 characters or 8-15 characters) with both mixed case and digits. It is almost always valid for password security checkers, and (in my opinion) is reasonably secure. And yet I never have to remember my password for various sites, I just recreate it on the fly.

    And almost always, if a site is used often, even the complex-looking password it creates is not hard to memorize through the use of mnemonics. (The human mind is a wonderful thing.)

    The above algorithm doesn't allow variations for more/less secure sites, or backups when passwords expire. (I hate expiring passwords. If the account is compromised, it's compromised...expiring the account every 6 weeks doesn't undo the damage.)

  42. My personal favorite by DaveAtFraud · · Score: 4, Funny

    P4ssw0rd!

    You will note that it has all of the elements of a good password such as both upper and lower case letters, numerals as well as characters and punctuation. It's also easy to remember.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
    1. Re:My personal favorite by Frymaster · · Score: 2, Funny
      I tell users to do this for passwords:

      - one of the three digit sets of your license plate
      - the first three letters of your mother's maiden name
      - the number of fillings you have

      stick em together and you have a seven or eight character password that looks like garbage but still can be remembered by the user.

      of course it's possible for someone to reconstruct this but it would definitely have to be an inside job - probably by a dentist.

    2. Re:My personal favorite by NamShubCMX · · Score: 2, Funny
      (r00t)(iZ)(g0d)

      :)

      --
      We've always been at war with Eurasia.
    3. Re:My personal favorite by DarthTaco · · Score: 2, Insightful

      - one of the three digit sets of your license plate
      - the first three letters of your mother's maiden name
      - the number of fillings you have

      stick em together and you have a seven or eight character password that looks like garbage but still can be remembered by the user.
      That is the most cryptographically weak password I've ever heard of. Maybe not the most, but it's even worse than "password" or "sneakers" because people probably think they are doing good.

      That's like asking someone to use their birthdate with their initials tacked on. Just because something looks random...

      I think most license plates have 6 characters on them? So now I can just watch which car a target drives in. Mother's maiden name? a little social engineering or a spammy e-mail. And good grief, the number of fillings they have? Even if I didn't want to just take a couple pot shots (how many people have more than 10 fillings? 20?), that's not exactly a state secret.

      You might do well to read a book or two by Bruce Schneier

    4. Re:My personal favorite by jfdawes · · Score: 2, Interesting

      Your post is obviously a troll, but what the hell.

      Authentication systems typically rely on three things: Something you are, something you know, something you have. Password authentication is weak in that it only uses one of these three. But when it comes down to it, who cares if the secret is the algorithm you use to pick your pass phrase instead of the pass phrase itself?

  43. If it can be made, it can be broken by Crypto+Gnome · · Score: 3, Interesting

    Anyone remember this? "My voice is my passport. Verify me."

    Security is like Oxygen.
    Some is better than none.
    Too much and things tend to go up in flames.

    Enough security that users do their best to ignore/circumvent it is counterproductive.

    Most people forget CryptoGnome's "Golden Rules of Security":

    One day, your security will be compromised.
    More than likely, sooner than you think.
    Almost certainly in some way you did not (perhaps even could not, reasonably) have expected.
    What will you do then?
    I'm sure you've all heard it said before security is a process, not a goal. The best you can ever hope to do, is make it harder for someone to breach your security than they think it's worth, and to have a plan for when someone comes along who thinks no effort is too much.

    Either that or drop all your computers and networks into a large vat of suitably potent acid, and take up a new career; like basket-weaving.

    --
    Visit CryptoGnome in his home.
  44. MacOS X : Use the keychain by tbmaddux · · Score: 3, Informative
    Actually, you can use it in MacOS 9 as well. The keychain is an encrypted store of anything, but mainly passwords, that is unlocked by your user login. Browsers like Camino and Safari will save your website passwords to it, and Mail.app will save your email passwords to it, and the OS will use it to store passwords for encrypted disk images, or filesharing mounts, or your .Mac account. In MacOS X 10.3, the system will recognize login passwords of lengths greater than 8 characters.

    The upshot of all this is that it allows you to generate good, strong passwords like series of letters, numbers, and special characters that have a high amount of entropy but are too difficult to remember. So long as you have a very strong login password (this was not possible in MacOS X 10.2.x and earlier), they will be protected by the keychain.

    This is similar to Bruce Schneier's Password Safe and is more convenient in many respects than his solution of keeping his passwords written down on a piece of paper in his wallet. He argues that we all have a lot of real-world experience at keeping our wallets safe, but I have a lot of passwords. How many do you have? Does anyone else dig around in your wallet, like your wife? What if she found out you had a password to someplace you shouldn't, like... uh... Slashdot?

    I like my keychain. I'm surprised Tog never mentioned it. Wasn't he an Apple guru at some time?

    --
    Can't you see that everyone is buying station wagons?
  45. hard problems ... human factors by jeko · · Score: 2, Insightful

    Did it ever occur to you that maybe the "human factors" are a "hard problem?"

    --
    He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
  46. security is about economics by sir_cello · · Score: 4, Informative


    Security is nothing special in itself, it's just another aspect of a problem: all problems have many aspects and as you suggest, usability is another aspect of a problem. Turn the technical aspects of the security lever the wrong way (e.g. too frequent password changes), and you lose on usability, and this potentially has a negative impact on the social aspects of the security level (e.g. the passwords are written on a post it note).

    Really, it is about economics and engineering: using the measured amount of resources to solve the problem holistically, technically and socially; understand where all the impacts and flexible points are. This is no easy task though. Peter Neumann and RISKS have been teaching us these lessons for many years, so there's nothing new here, but it is important to continually reevaluate.

  47. Password Safe by Anonymous Coward · · Score: 5, Interesting

    I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.

    The password db is blowfish encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) backup the Password Safe db to multiple places.

    The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).

    1. Re:Password Safe by WayTooOldForThis · · Score: 2, Interesting

      I use Password Safe and like it. I keep my encrypted PW file and the app on one of those USB flash-memory devices.

      Since Password Safe allows long passphrases, I use the DiceWare method to choose the master passphrase.

      http://world.std.com/~reinhold/diceware.html

      BTW, the SourceForge developer says he hopes to port to Linux.

  48. asterisk^8 by meowsqueak · · Score: 4, Funny

    My password is easy to remember, it's just eight asterisks:

    '********'

    Sometimes I forget exactly how many, but I usually get it right the second time.

  49. Not applicable! Think about it! by holygoat · · Score: 2

    Most brute-force and dictionary approaches aren't performed on the live system.

    Typically the password file is stolen, or the algorithm discovered, or some other means is applied to get a local copy of the system to work on at the cracker's leisure.

    Therefore, it doesn't matter if the system stops you from having more than 3 tries or not - it won't actually slow down a cracker, but it will piss off users who have to remember 10 passwords anyway, and might need 5 tries to pick the right one.

  50. is everyone missing the point? by pohzer · · Score: 2, Insightful

    All of this talk about real security in the example hospital setting, and how users resorting to sticky notes are less secure than no password at all?

    The point is not to be secure from unauthorized access. The point is to be secure from liability!

    If users resort to stickies then they are the ones violating policy, not the hospital administration. Go ahead and use your associate's login while you wait forever for IT to give you access.... as described in the article. But do so and you take responsibility for having violated the rules. Wait until you get your own login (as the company policy probably says you should) and you will not incur such liability.

    As long as technologists ignore the real world, we will not have functional IT. It may be painful to wait for the system to solve its real world problems (just imagine the doctor simply not doing any work until she got her login account several weeks into the job), but unless we let the whole system find and fix its mistakes, we will keep chasing our tails. It is certainly not about whether or not certain passwords are more secure than others.

  51. Don't know my own password by soloport · · Score: 4, Insightful

    Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.

    I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name -- because I type it so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter ;-)

    As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; Seems to me, mine are just as easy to remember.

    Just hope I don't someday encounter a Dvorak!

    1. Re:Don't know my own password by Megaslow · · Score: 2, Informative

      I've been accused (Solaris Sys Ad) ... My typical passwords are 12-18 characters in length

      That's pretty pointless, since only the first 8 characters of your password are significant in Solaris unless you've replaced your authentication mechanism....

    2. Re:Don't know my own password by hazem · · Score: 2, Funny

      I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor.

      I had a hell of a time in France once (I'm a USian). I couldn't log into my e-mail and I kept carefully typing my password many times. After about 15 minutes and a whole lot of profanity, I typed my password in a text editor only to realize that on that keyboard the numbers are shifted and the corresponding punctuation is non-shifted.

      I'm sure it was just some fiendish French plot or something.

  52. Re:THANKS FOR TELLING EVERYONE MY PASSWORD, ASSHOL by bechthros · · Score: 2, Funny

    that's funny, that's the same combination I've got on my luggage

    Hail Scroob!

  53. Re:THANKS FOR TELLING EVERYONE MY PASSWORD, ASSHOL by Dhar · · Score: 2, Funny

    Now we just need to find your machine.

    -g.

  54. Re:password quandry by CoolGuySteve · · Score: 2, Insightful

    I had the same problem with my computer account at school. We weren't even allowed to use permutations of words that could be found in the dictionary.

    So instead of thinking of some random combination I just found a pattern on the qwerty keyboard that met the requirements. This is far less secure than what I would have chosen since anyone who catches me typing in my pass can instantly recognize it.

    The whole thing is retarded anyways. I, the user, should be allowed to choose my password and its appropriate level of security. The system runs Unix and I have no permissions to anything but my own stuff. There's not really much damage that could be done aside from wiping out my personal things, so why bother with such strict security?

  55. Most hacking are inside jobs by ducomputergeek · · Score: 2, Insightful
    About 80% of the hacking attempts have had some sort of inside help. About half, in my 3 years of consulting on security, of the attempts are by disgruntled employees. Some sell passwords to competitors, or at least try to, or someone calls on the phone saying, "This is Jeff Smith from branch office X and we can't log in. Can you provide a new password to my account".

    Only about 20% of the attempts are actually people attempting to use exploits, bugs, or brute-force a password. There are measures against this 20%, but the other 80% has to have educated employees or a policy that is followed.

    I have seen some people still have access months if not years after leaving or being let go, which is just bad sys management.

    Human error is 90% of the security threat...

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
  56. Security is just passwords by askegg · · Score: 2, Insightful

    I hear people worry about security on a daily basis and what many of them fail to realise is that it is essentially a problem of identity.

    Security is the process by which you determine if somebody is allowed to see the information concerned - this hinges on who they are and what they are trying to access.

    How do you prove you are who you say you are?
    This is actually a very difficult question.

    That aside (for now), all security/identity is built around 3 things:

    1) Something you know (usernames, passwords, etc)
    2) Something you have (SecurID cards, tokens, passes, etc)
    3) Something you are (biometrics, fingerprints, retina scans, genetics, etc)

    The first two are easily overcome with some creative thinking - read Kevin Mitnick's "The Art of Deception".

    The third has the same problems the other two have - how do you establish identity to begin with?

    Anyone can claim an identity, all you need is the documentation to "prove" it and these can be forged or obtained with little effort. So how can you ever really know who you are dealing with?

    --
    I don't make predictions, and I never will.
  57. Diceware! by wirelessbuzzers · · Score: 2, Interesting

    While this is not allowed by many websites or by UNIX crypt passwords, Diceware makes for very good passwords that are easy to type and remember.

    Basically, you take a list of words indexed by all possible rolls of 5 dice, 11111 through 66666. You roll 5 dice and pick a word, and repeat to desired password length, eg

    cleft cam synod lacy yr

    Sure, your password is longer this way, but you can memorize it easily and type it quite fast as it is a series of English words.

    For my secure passwords, like PGP keys or banking, I use diceware, 7 words. This is some 85-90 bits of entropy and pretty much unbreakable for the foreseeable future. For account passwords I use 3-4 words, which is enough that a database thief will break someone else's login first. For crypt shell accounts, I use mixed-case alphanumerics (similarly, about 48 bits of entropy). This adds up to under 10 good passwords to remember, and I don't change them often (no good changing a PGP password anyway, and I only change shell passwords occasionally).

    For most websites (/.), I use a family of very weak passwords (a couple random words and symbols, but varies little from account to account), as I don't care much if you hack here and post in my name.

    All these are in a heavily backed-up text file in case I forget them, encrypted with my PGP key.

    --
    I hereby place the above post in the public domain.
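    The arithmetic behind the entropy figures in the Diceware post above (7 words from a 7776-word list, versus 8 mixed-case alphanumerics), as an added example that is not part of the original comment. It maps a five-dice roll such as 21433 to a list index, picks words with a cryptographic RNG rather than `random`, and computes the entropy from the list size and word count alone, since the words themselves are public. The real Diceware list is not embedded here; `WORDLIST` is a constructed placeholder of the same size, so the selection logic runs offline.

```python
import math
import secrets

SIDES = 6
DICE = 5
LIST_SIZE = SIDES ** DICE  # 7776 entries, indexed by rolls 11111 .. 66666


def roll_to_index(roll: str) -> int:
    """Map a five-digit dice roll ("11111".."66666") to an index 0..7775.
    The roll is a base-6 number whose digits run 1..6 instead of 0..5."""
    if len(roll) != DICE or any(c not in "123456" for c in roll):
        raise ValueError(f"not a {DICE}-dice roll: {roll!r}")
    index = 0
    for digit in roll:
        index = index * SIDES + (int(digit) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index, used here to label the placeholder list."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index out of range: {index}")
    digits = []
    for _ in range(DICE):
        index, rem = divmod(index, SIDES)
        digits.append(str(rem + 1))
    return "".join(reversed(digits))


def roll_dice() -> str:
    """Five physical dice, emulated with the secrets module (not random)."""
    return "".join(str(secrets.randbelow(SIDES) + 1) for _ in range(DICE))


# Constructed stand-in for the real Diceware list (assumption: same size,
# placeholder words named after their roll). Substitute the real list from
# http://world.std.com/~reinhold/diceware.html for actual use.
WORDLIST = [f"w{index_to_roll(i)}" for i in range(LIST_SIZE)]


def diceware_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Roll five dice per word; the passphrase is the space-joined words."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 6**5 entries")
    return " ".join(wordlist[roll_to_index(roll_dice())] for _ in range(n_words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols.
    For Diceware the symbol is a whole word, so word length is irrelevant."""
    return length * math.log2(choices)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every passphrase at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("7 diceware words:", entropy_bits(LIST_SIZE, 7), "bits")
    print("8 mixed-case alnum:", entropy_bits(62, 8), "bits")
    print("example passphrase:", diceware_passphrase(7))
    # Assumed attacker rate of 10^12 guesses/s; purely illustrative.
    print("years at 1e12/s:", years_to_exhaust(entropy_bits(LIST_SIZE, 7), 1e12))
```

Seven words come out at about 90.5 bits and 8 characters from a 62-symbol alphabet at about 47.6 bits, which matches the "85-90" and "about 48" figures in the post; 3-4 words land at roughly 39-52 bits, in the same range as a good 8-character password but much easier to type.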
  58. Good one! by Saiai+Hakutyoutani · · Score: 2, Insightful

    Dude, that's great. Thanks.

  59. Re:different levels of importance by gregfortune · · Score: 2, Funny

    That made me grin :) Just listen to all the busy little keyboards as rokzy is tried as a username by 27,000 people at /., buy.com, CompUSA, Newegg, Amazon, and B&N. Someone is getting some free hardware tonight..

  60. Missing the point of the article by rcpitt · · Score: 2, Informative
    It appears to me that the point of the article is that many times (most times?) the technical security tools/techniques are too much of a hassle for the employees so are subverted in many (not so) subtle ways to the point where in fact the system ends up with less real security than might have been achieved with less onerous tools/techniques.

    All the responses about how/why to select passwords miss the point that if the user doesn't have an incentive to remember them without the use of sticky notes, the password complexity is useless. Same if the rest of the system allows the passwords to be sniffed on the network, sent in clear somehow (by return e-mail for example) or any other weak link in the chain.

    The example in the article of the hospital (and note that all in the US are under the same gun) points up the fact to me that either the IT person didn't understand the problem or was trying to cover their butt because they lacked the authority to put in place the policies that would make the users actually follow the policies and I'm betting that it was the latter!

    If I'm in charge of security (not just the IT portion of it) and management won't let me put in place a policy that spells out what will happen to employees that subvert the security implementation and back me up when I have to apply the policy's warning and penalty portions, then I'm out of there!

    1 - Anyone caught writing their password down on anything will suffer punishment

    2 - Anyone allowing anybody else to use their account/password will suffer punishment

    3 - Anyone leaving their workstation logged in and not protected with the approved screensaver/password will suffer punishment

    etc.

    Punishment to be:

    first offence - note in personnel file and severe dressing down including things to the effect that if they can't remember the passwords then they obviously don't have the necessary skills for the job

    second offence - time off without pay or outright firing

    if allowed to get to a third offence, it is either them or me - and I'm betting it is them, and damn the unions and labour relations - they're unfit for the job.

    And the response to the post about it being a matter of managing the liability - if the employee is still an employee and the above policies are not in place and followed through on, then the liability is on the company/HMO or whatever. The penalties are enough to bankrupt an HMO and nobody will take "it was the employee's fault" as an excuse no matter how onerous the security techniques look on the surface. It is the follow through that proves that the policies are what they need to be - enforced.

    I'm just glad that (so far - but Jan 1 is coming) Canada doesn't have the laws that the US has currently.

    --
    Been there, done that, paid for the T-shirt
    and didn't get it
    1. Re:Missing the point of the article by dvdeug · · Score: 2, Insightful

      If I'm in charge of security (not just the IT portion of it) and management won't let me put in place a policy that spells out what will happen to employees that subvert the security implementation and back me up when I have to apply the policy's warning and penalty portions, then I'm out of there!

      The doctor is one of twelve people in the world with a degree in orthorhinocolonoscopy. He makes $120,000 a year. You really think they're going to let you punish him?

      More to the point, discouraging employees from writing down passwords may be a good idea in some places, but these people are trying to get their jobs done. If they can't get their jobs done, you don't get paid. Every time they forget their password and have to wait for an IT person to fix it, every time they have to run five flights of stairs to check their data, the less likely the department turns a profit and the more likely you get fired.

      if allowed to get to a third offence, it is either them or me - and I'm betting it is them, and damn the unions and labour relations - they're unfit for the job.

      Who cares if they have a 172 IQ, two doctorates and know more about their field than any other person in the world? If they can't jump through your hoops, then of course they aren't fit for the job.

  61. Re:Obvious by Anonymous Coward · · Score: 3, Funny

    You get a cavity.

  62. my password scheme by Anonymous Coward · · Score: 2, Interesting

    People typically have a lot of different accounts that need passwords, and this is a problem for several reasons:
    - the different sites/accounts have different policies for what a "strong password" is and how often you are forced to change it
    - some accounts are more trustworthy than others (your bank will never reveal your PIN... but some random website--slashdot for example--might be hacked and your password might be vulnerable)
    - different levels of security are used to protect the different passwords.

    So I use the following simple rules:

    (1) build all my passwords out of two or three 'building blocks' of random alphanumeric characters.

    (2) When changing a password, I change at least one block and leave at least one block the same as it was before.

    (3) I mentally assign each account to one of three categories: 'important' (bank PINs and other uses where security is crucial), 'somewhat important' (various work-related passwords, etc) and 'unimportant' (internet e-mail, web sites where I don't use a credit card, etc).

    (4) NEVER use a password in more than one category.

    (5) EVERY 'important' account must have a UNIQUE password that I don't use for anything else. Some 'important' accounts will allow very long passwords; I have a few that are >20 characters long.

    (6) NEVER write down an 'important' password anywhere, unless the loss of the password would be unrecoverable.

    (7) Change 'important' passwords every month or two, and 'somewhat important' passwords every 3 or 4 months or so.

    (8) 'somewhat important' accounts may use the same password as other 'somewhat important' accounts with a similar purpose (all work accounts, for example). 'unimportant' passwords can all be the same, unless I particularly don't trust the security of the site in which case I usually vary one of the blocks.

    I have had good success with this strategy (remembering the 'blocks' is similar to remembering telephone numbers... so remembering a password is like remembering telephone numbers. N.B: *don't actually use* telephone numbers =P)

  63. YES! by IndependentVik · · Score: 2, Funny

    Now I can finally log in as this mysterious "Anonymous Coward".

    --
    I'd suggest you don't use Slashdot as your only news source, or you will suffer permanent brain damage.
  64. Try this again, formatted. by bluefoxlucid · · Score: 3, Interesting

    Passwords are nice and all -- hell, mine come from pwgen -s -- but you need to be thinking HIGHER. Access control, executable space protection, OS fingerprint protection, and functional security to make programs generally behave. Look at GRSecurity. That in itself speaks volumes. I will illustrate this thread, and then go on through grsec:

    Passwords:
    - Passwords and password rule circumvention

    This is where we seem to be stuck. What about the following:

    PaX:
    - Total of 1-2% performance overhead
    - Enforce non-executable pages to block security exploits in programs
    - Enforce non-writable executable pages to block security exploits
    - Address Space Layout Randomization to increase difficulty of actually activating security exploits
    - Privileged IO blocking to avoid altering the kernel
    - Blocking of direct writes to ram and kernel memory to avoid altering the running kernel and getting around security systems or inserting malicious code
    - Hiding of memory mappings to avoid information leaking which would negate the ASLR advantages

    Grsecurity:
    - Includes PaX
    - Blocks many operations from happening inside a chroot() jail, thus increasing security by disallowing programs to try to gain access to devices, processes, and filesystem data that they aren't supposed to access
    - Imposes an Access Control List system to extend control of file and device access
    - Hinders OS fingerprinting with several network protections that randomize various ID numbers in various types of packets
    - Allows user auditing and signal logging to detect attacks

    How much crap did I list besides password issues? Quite a bit. There's more to consider than "Is root's password 'secure1'?" How about "Can I cause SSH to overflow before I log in, clearing root's password out so I can log in as root and take over the system?"

  65. Safety engineers have known this for decades by Beryllium+Sphere(tm) · · Score: 2, Informative

    >Its far easier to blame the user than to admit your idea was a bust.

    That's insightful, too bad you're only +4 as I write this.

    "User error" is a phrase that makes safety engineers cringe. The more detailed an accident investigation, the less likely it is to blame the equipment operator. What usually turns up is that the system doesn't supply the right information (Three Mile Island didn't have an instrument to display coolant level in the core) or the system has trained its users to do the wrong thing (like, oh, double-clicking email attachments).

    Believe me, there are security people who understand that an overly awkward security measure is worse than useless.

  66. What a snoozer of an article by mrgeometry · · Score: 3, Interesting

    Bleh. Are his articles all like this? He has some anecdotes about bad security, with a "D'oh!" in between practically every paragraph---though that slows down after he gets tired of it, a page or two in. Then there's a story about a program called "Tresor" and some guy who had a weird problem with bundles acting like folders instead of application files. The assertion is made point-blank that this is an Apple bug, not a Tresor bug.

    OK. Has this been reported or observed anywhere else? I've never heard of it, or seen it myself, though I've only been using OSX for a little under a year. If anyone can point me to a reference, I'd appreciate it. The article doesn't give any refs. I don't understand how he's so sure it's an Apple bug, unless it's so well-known that, gosh, everyone knows it's an Apple bug without even needing a link to, like, a Knowledge Base article or anything... but if it were that well-known, I hope I would know about it. So I have my doubts about this. If anyone knows one way or the other, I'd like to hear about it.

    But really that's not the main point of the article, right? It's just one security flaw in a fairly specific situation. So the article, as far as I can tell, is a few anecdotes and a bunch of "D'oh!"s. Oh yeah, plus some insults and derision for all the programmers and the university professors who taught them. Thanks a lot, Tog.

    His thesis---that security needs to be designed to actually make things secure, not theoretically securable---is, well, it's OK I guess. For one thing, he doesn't really argue for it---just provides anecdotes. That's not a coherent logical argument. Worse, it barely even ties in with the anecdotes anyway. So the hospital requires TOO MANY passwords. That does **not** make it theoretically securable, OK? (I can require 200 passwords, but it's not theoretically securable if the computer and fax machine are in the hallway.) He's right that security systems have to aim for real security, but he's wrong in saying that the problem is that people aim for "theoretical securability". Am I wrong here? Is there ANY theory of anything under which these systems are considered theoretically securable?

    The only common thread I can think of, apart from inadequate security in general, is that the people who designed the security had an incomplete approach to security; they secured one part of the system (e.g., getting in with a password) way too much, and other parts (e.g., physical security of the fax machine) not enough. Or, they were unnecessarily protective, at the cost of user convenience (as in the VW radio example).

    If I'm criticizing the article, maybe I should try to be constructive about it, right? I guess the anecdotes really point towards the two different themes in the previous paragraph: security model should be "complete", and there should be some kind of a balance between security and usability.

    I may be wrong about my interpretation of his article. If there's a better way to read this article as it's written, please tell me. I suspect not, but hey. Or just call me a monkey, that's cool too. :-)

    Well, to wrap it up, he has a good point, basically, but no argument for it. Just a few isolated anecdotes, not all of which I believe. This is not high-quality writing. Sorry, Tog. I've read of few of your user-interface-design columns, and I liked them a little better. This one just didn't do it for me, I guess.

    zach

  67. Re:I do the same, with no expiration... by runlvl0 · · Score: 2, Informative
    However, I hate expiry. If I already have a good password like xjxuj494o4ol4 that I can really remember and type, I use that. Even if I use a password like that for a few years who is really going to crack it?

    Okay, I'll byte:
    1. Anyone with physical access to your machine. You don't use this on your notebook, do you?
    2. Anyone with a copy of John, access to your /etc/shadow, and a little free time :^)
    3. On a Windows machine, anyone with access to your network, its precious SMB packets, and a copy of L0phtcrack (or John, or... ), and a little free time...
    4. Anyone running a kernel rootkit on your machine - "it could never happen", I know, and the gun was always unloaded
    5. If it's also your POP3 email account password ("I have had the same simple password on a number of sites for over ten years now, with no problems - even letting a number of friends and co-workers know what the password is a number of times!" So I'm guessing it's not your high-security password...), anyone attached to and sniffing your network, perhaps just running dsniff, to make it extra easy
    6. Assuming the above, if you're wireless, anyone within 802.11 (call it 300 feet for casual use) range of you
    7. If you're using it on websites, whatever script kid who compromises THAT e-commerce server, Hotmail, etc., etc., etc.

    It's an aphorism, but it's still true: "security" isn't a product (like a password), it's a process. Just because you have strong passwords, and decent network security (firewalls, NAT, etc.), never assume that you're invulnerable or too small to attack. I don't mean to sound snarky, but I think that you should always assume that passwords will be compromised somehow, given enough time.
    --

    Carthago delenda est!
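    Comment 49 argues that a three-strikes lockout does nothing against an attacker who has a copy of the password file, and item 2 of comment 67 names the tool (John against /etc/shadow). The following added example, written for this page and not taken from either poster, makes that concrete: the same small John-style wordlist with mangling rules is run once through a lockout-protected login and once against a stolen copy of the records. The record format imitates crypt(3)-style `$id$salt$hash` lines, but the hash itself is a single SHA-256 over salt and password (an assumption so the loop runs inline; a real crypt scheme iterates), and the sample users, passwords and salts are constructed.

```python
import hashlib
import hmac
import secrets


# ---- the victim system's hashing routine (constructed for this example) ----
def crypt_like_hash(salt: str, password: str) -> str:
    # One SHA-256 over salt||password. Deliberately cheap: it stands in for a
    # real crypt(3) scheme so the cracking loop below finishes instantly.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_record(user: str, password: str, salt: str = "") -> str:
    salt = salt or secrets.token_hex(4)
    return f"{user}:$5${salt}${crypt_like_hash(salt, password)}"


def parse_record(line: str):
    user, rest = line.split(":", 1)
    _, _id, salt, digest = rest.split("$")
    return user, salt, digest


# ---- what a lockout policy does on the live system ----
class LiveLogin:
    """Login front-end that locks an account after MAX_TRIES failures."""
    MAX_TRIES = 3

    def __init__(self, records):
        self._db = {u: (s, d) for u, s, d in map(parse_record, records)}
        self.failures = {u: 0 for u in self._db}

    def users(self):
        return list(self._db)

    def attempt(self, user: str, password: str) -> str:
        if self.failures[user] >= self.MAX_TRIES:
            return "locked"
        salt, digest = self._db[user]
        if hmac.compare_digest(crypt_like_hash(salt, password), digest):
            return "ok"
        self.failures[user] += 1
        return "fail"


# ---- the attacker's side: a wordlist plus John-style mangling rules ----
BASE_WORDS = ["password", "summer", "letmein", "hospital", "dragon"]


def candidates():
    for w in BASE_WORDS:
        yield w
        yield w.capitalize()
        for d in range(10):
            yield f"{w}{d}"
        yield w + "!"


def crack_online(records) -> dict:
    """Guess through the live login: three failures and the account is locked,
    so the wordlist never gets past its third entry for any user."""
    live = LiveLogin(records)
    found = {}
    for user in live.users():
        for guess in candidates():
            result = live.attempt(user, guess)
            if result == "ok":
                found[user] = guess
                break
            if result == "locked":
                break
    return found


def crack_offline(records):
    """Dictionary attack on a stolen copy of the file. No lockout applies;
    the only limit is how many hashes the attacker can afford to compute."""
    targets = {u: (s, d) for u, s, d in map(parse_record, records)}
    found, hashes = {}, 0
    for guess in candidates():
        for user, (salt, digest) in targets.items():
            if user in found:
                continue
            hashes += 1
            if crypt_like_hash(salt, guess) == digest:
                found[user] = guess
        if len(found) == len(targets):
            break
    return found, hashes


# Constructed sample password file: two weak passwords, one random one.
SAMPLE_FILE = [
    make_record("alice", "summer7", "1a2b3c4d"),
    make_record("bob", "Dragon", "0f0f0f0f"),
    make_record("carol", "xK9#pQ2v", "deadbeef"),
]

if __name__ == "__main__":
    print("online, with lockout:", crack_online(SAMPLE_FILE))
    print("offline, stolen file:", crack_offline(SAMPLE_FILE))
```

Against the live system the attacker gets nothing: every account is locked after three wrong guesses. Against the stolen file the same wordlist recovers alice and bob in a few hundred hash computations, and only carol's random password survives; what slows the offline attacker is the cost of the hash function and the quality of the password, not the login front-end.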
  68. Not all security jobs are in trouble by atriel · · Score: 2, Interesting

    Everybody wants newer, better, stronger encryption to backend into the computers with the sticky notes. As far as security systems... I tend to prefer detailed accounting, and abuse monitoring/prevention over excessive passwords for the end user. However, the use of smart card only authorization for low-level users has become acceptable to many companies. Generally, a smart-card and a PIN/Password is used, and in my opinion, offers an element of physical security to the security system, especially since smart cards can be used as more than simple key/id storage. Admins and Techs, however, are completely different... although the usernames are uniform across the system, passwords are required for the various levels of access. However in these facilities, physical security is usually enforced to an extreme measure (guards, concrete, heavy doors with proximity card locks and PIN pads, smart-card required to unlock the console...) As far as the Security industry is concerned, the incompetence of the majority of the people in the field, while admittedly making us look bad on the surface, make those of us who are competent shine...

  69. Security idiots by jlusk4 · · Score: 2, Insightful

    (I just read the reply subtree.)

    I can't believe you people. This is the kind of thinking that saddles the rest of us with security nazis. This isn't GURPS, it's real life. There aren't muggers out there gunning for access to your computer system. There aren't Tempest-equipped Secret Agent Persons sniffing your authentication fields. You don't really need that tin-foil hat, and you don't need to make the rest of us wear one, either. Maybe if this was a matter of national security, but it's not.

    "Gimme your iButton and PIN or I'll blow your fucking brains out" is *exactly* equivalent to "gimme your password or I'll blow your fucking brains out".

  70. But does the website encrypt the password? by phamlen · · Score: 3, Insightful

    The article hints at one of my favorite problems with password security:

    And speaking of security, don't you just love those websites that continue to ask you to enter in your requested password, all done in 128 bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email ...?

    Many websites store passwords in cleartext (hence, they can send it back to you in an email.) They do it for a variety of stupid reasons (a programmer couldn't figure out how to encrypt it, or perhaps customer service likes being able to login as a user, etc.).

    So, unfortunately, you can have an extremely clever password, entirely uncrackable, but you give it to a website and it's now immediately compromised. And worst of all, you can't tell if it's stored securely or not.

    Thus, I tend to have a password for trivial/unknown systems (ie, Slashdot, chat rooms, etc.) and a password for more secure systems (eTrade, online banking, etc.)
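    The site-side fix for the problem phamlen describes, as an added example that is not part of the original comment: store a salted, iterated hash instead of the password, verify with a constant-time compare, and answer "I forgot my password" with a single-use reset token rather than by mailing the password back, which a site that stores only hashes cannot do anyway. The iteration count, record format and the `UserStore` class are assumptions made for this example; the scheme is plain PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumption for this example; tune to ~100 ms per check
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt means two users with the same password get
    different records, so one cracked hash tells nothing about the other."""
    salt = secrets.token_hex(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt), iterations)
    return f"{ALGORITHM}${iterations}${salt}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    algorithm, iterations, salt, digest = record.split("$")
    if algorithm != ALGORITHM:
        return False
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                   bytes.fromhex(salt), int(iterations))
    # Constant-time compare so a wrong guess takes the same time whether it
    # differs in the first byte or the last.
    return hmac.compare_digest(computed.hex(), digest)


def needs_rehash(record: str) -> bool:
    """True when the stored record was made with a weaker setting than the
    current one; re-hash on the next successful login, when the password
    is briefly available."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


def issue_reset_token() -> Tuple[str, str]:
    """Return (token for the e-mail, hash to store). Only the hash is kept,
    so a database leak does not hand out live reset links."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def check_reset_token(token: str, stored_hash: str) -> bool:
    candidate = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored_hash)


class UserStore:
    """Minimal account table: the password never exists here in cleartext
    beyond the duration of the request that carries it."""

    def __init__(self):
        self._users = {}
        self._resets = {}

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        ok = verify_password(record, password)
        if ok and needs_rehash(record):
            self._users[user] = hash_password(password)
        return ok

    def forgot_password(self, user: str) -> str:
        token, stored = issue_reset_token()
        self._resets[user] = stored
        return token          # this, not the password, goes in the e-mail

    def reset_password(self, user: str, token: str, new_password: str) -> bool:
        stored = self._resets.pop(user, None)   # single use: success or not
        if stored is None or not check_reset_token(token, stored):
            return False
        self._users[user] = hash_password(new_password)
        return True


def demo() -> dict:
    """Walk one account through login, a bad reset, a good reset and reuse."""
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    bad = store.forgot_password("alice")
    wrong_token = store.reset_password("alice", "not-" + bad, "x")
    good = store.forgot_password("alice")
    return {
        "login_ok": store.login("alice", "correct horse battery staple"),
        "login_wrong": store.login("alice", "correct horse battery stapl"),
        "reset_wrong_token": wrong_token,
        "reset_ok": store.reset_password("alice", good, "new passphrase"),
        "reset_reuse": store.reset_password("alice", good, "again"),
        "login_new": store.login("alice", "new passphrase"),
        "login_old": store.login("alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The tell-tale sign the comment mentions, a site that can e-mail your password back, is exactly what this layout makes impossible: the record holds only salt, iteration count and digest, so the best the site can do for a locked-out user is issue a token. The `needs_rehash` check is what lets a site raise its iteration count later without forcing everyone to reset.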