Real Security?
An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"
Come on, who uses passwords like '%33#Gt(;' nowadays.. especially with multiple logins.
Are we increasing security too much, so that the users circumvent it?
Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc.) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.
Social engineering can get you a lot further than being a l33t h4x0r.
You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things and utterly destroy the existing security.
Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.
Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"
As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Too much security isn't the issue here at all. It's improperly implemented security. Yes, more passwords can be more secure. But only if the passwords themselves are secure. Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that. But simply assigning strange passwords to people is not the answer. And not having the secure passwords at all is definitely not the answer.
Too bad many sites are disallowing special characters for fear of SQL injection attacks. As for too much security? That depends on how important what you are securing is. Is your credit card information worth a little bother to protect? How about the information that the credit card companies use to issue you (or supposedly you) a credit card? Social Security number, mother's maiden name, date of birth. You can get all that from a DMV database. A system is only too secure until it's been compromised, then it wasn't secure enough. Security should be built in, from day one, against a verifiable standards-based framework. Thems my two cents, please keep the change.
In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution externally on my laptop for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.
So a simple ssh tunnel into a work machine, and a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.
So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.
Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.
If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.
For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.
So I guess the software equivalent of that would be to not leave expensive data that could interest people on a networked box, and make as much of your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.
I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.
:)
I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and an & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would literally have to be able to read my mind in order to guess it. But most systems won't accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.
I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo ID at school to have our password retrieved for us, but it happens so often that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?
Sorry for the long rant, but I felt the need to get all this off my chest
----
Squirrel
There was a time when I was upset by the fact that Linux accepts very strange characters in the passwords (the arrow keys for instance) that couldn't be typed into most GUI password fields. Now I realize that that's not a bug, it's an accidental feature. Effectively, root can't log in on a GUI (including gksu), on a machine so configured, which adds to the security of the system. Fake login screens are foiled by that trick.
(UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?
-3Suns
~~~~
The Revolution will be Slashdotted
I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)
So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?
So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.
So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!
But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.
So, I've closed my account with them. Because I think they're too damn insecure.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Does enforcement matter? I'd be lying if I said it didn't. However, the means in which it is dispensed is the issue. No one enforces a security policy? Don't be surprised when a stranger walks in the door. People enforce security like a police state? Don't be surprised when people in power abuse their abilities and allow their friends to skate around issues. Then, of course, there is the typical knee-jerk reaction when an event happens and everything is locked down to only be forgotten about two months later.
Use common sense, as it isn't common to most people. Tailor the security to the individual company; a meat processor protects their beef, Lockheed Martin protects missile technology--each is deadly in different ways.
--Chag
But unfortunately, security people are like PHBs: when they see that the reaction to their security measures is circumvention (taping passwords to monitors, etc.) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.
You are in a maze of twisted little posts, all alike.
There's little point in having a security-review once per year and then assuming that you're then ok for the next year. If you don't have an ongoing approach to security, you don't have a secure system.
:-)
Every day I get reports from logwatch and tripwire on all the systems I look after. I look them over and query anything that catches my eye as unusual, or that doesn't correlate with the system updates downloaded overnight. It takes about 10 minutes, and I do it over the first coffee in the office. It's just part of the routine. I insist on good passwords, and the machines are firewalled as much as possible. Got to leave that damn port 80 open though.
I don't have the most-secure servers in the world, but I'll notice pretty quickly if there's something wrong with one of them, and I get an SMS if the chkrootkit program discovers anything...
I have a client who had an annual security-review process, and was hacked into, about 3 months after the review. The attraction was the bandwidth they have, I guess, and the first thing they knew about it was when that 200mbit pipe went crazy spamming people left right and centre... Their attitude changed when they suddenly got charged a lot of money for doing something they didn't even know about!
Simon.
Physicists get Hadrons!
The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.
And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".
sPh
Exercise: Make a drawing on paper of what your system looks like from the point of view of people on the outside. Draw it in a similar fashion to how one might draw a house, or a favorite car.
A) If your picture looks like or includes any of the following objects, proceed to step C:
- A block of swiss cheese
- A large question mark
- A fat mall-cop with powdered sugar around his mouth
- A small child in a corner, crying, holding a security blanket
- A Diebold voting terminal
B) If your picture looks like or includes any of the following objects, proceed to step C:
- Fort Knox
- A medieval castle under siege with the invaders having boiling tar poured on them.
- A resettable Viet-Cong boobytrap with dozens of pigs already skewered on it
- The business end of a
- An illuminated Jesus standing atop a Sun E10K
- A solid, faceless slab of hyperdense radioactive metal extracted from the heart of a neutron star
C) You need to increase your system's security.
Bowie J. Poag
Pa55J4n
Pa55F3b
Pa55M4r
Pa55Apr
Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra secure passwords, but don't make your users change them too often or this shit begins to appear.
"1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
And I have to spend nearly zero brainpower remembering a password. Here's what I do...
Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.
So an example phrase might be: "i love to post on slashdot"
which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:
"iltp05"
That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.
Beyond that, no matter how good the solution, there are always those people who will try to end run it. Worse still, there are those who encourage others to also end run the system. At the top of the worse still pile is the manager who somehow or another thinks this person would be a good security pro...
Also blaming the Universities is trite and unsophisticated. Please, folks don't go to University to learn about the real world, they go to learn theory, and play intellectual games, etc. etc. Where is the problem? Is it the people turned out by the Universities, or is it the people who hire University grads to do work which demands real-world utility? So, there weren't a dozen or so graduates of technical schools, whose training would be centered in the real world, not the theory, available to do the same job, right, at a lower cost?
I find it somewhat in poor taste to hang an entire industry for what more likely is the fault of their managers... I find it more unseemly to attack Universities for what they have always done, and what we expect them to do, although in all fairness, they do turn out the MBAs whose intellectual chauvinism probably has more to do with hiring the wrong qualifications for the job.
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.
Mea navis aericumbens anguillis abundat
I did some work for an internationally renowned company. Their IT department was (with good reason) obsessive about security.
To get your login, a representative of the IT department gave you a sealed envelope in person. Your manager was not allowed to receive it on your behalf under any circumstances.
To reset your password to the current day of the week, however, all you had to do was ring the helpdesk and say "I've forgotten my password, and my name is..."
There's resistance to changing this approach 'cos the complex password requirement and the enforced 30 day password expiration result in multiple daily requests for this.
Nicely illustrates the point, I think.
--- These are not words: wierd, genious, rediculous
As a security feature at work, we've started switching our more important boxes to key-only login. I've done the same to my boxes at home, for good measure. Now, I have 2 keys. One that lives on my box at home, and one at work. They don't exist anywhere else (other than a USB pen drive for backup), and will never be copied off of these drives. I use a relatively long passphrase (19 chars), but since I use ssh agents (and agent forwarding when it's safe enough to do so), I only ever have to type the passphrase once per day (the machine is set to forget the passphrase when I leave work).
Now if only all of those ecommerce type places would work with my public keys...
Do you really need reason for beer? Wingman Brewers
I recently read a document proposing an alternative approach to an aspect of password management. I have since adopted this approach.
The paper said that one of the biggest threats to password security was the frequency that changes were required.
It seems that a fairly accepted norm is coming into being in the form of organisations requiring their users to roll their passwords once per month, and requiring that these passwords are unique. The problem with this requirement is that people are asked to remember so many passwords that they are tempted to either use weak passwords, or to write them down and stick them to something. Hence the previously secure password is now compromised.
The document/approach I read/have adopted is to stop requiring users to roll their passwords every month. I now request users to roll their passwords every 3 months (once per quarter). As a result in any year they have to get to know only 4 passwords (instead of 12), and as such can handle better quality passwords more easily.
My users are far happier with this approach, and now see it as a reasonable compromise. As such they now buy in to the concept and we find far fewer people breaching the password policy.
Here's a simple trick to cure the password problem. Think of a sentence that describes the purpose of using the password. I might use a sentence like "I want to see how much money I have in the bank." to help me remember my banking password; the password then becomes either the first or last letters of the sentence, complete with punctuation. I mentally say the sentence to myself until the password itself is memorized (and even then, I find myself thinking the sentence) and type the appropriate letters. My banking password then becomes "IwtshmmIhitb." I find that it is much easier to remember a sentence than it is to remember some obscure password, and that a strange enough sentence (Wow man! Did you see the size of those CHICKENS? Wm!DystsotC? ) makes for some unusual but easily remembered passwords.
Looking for a decent password?
"apt-get install pwgen" for a program that can produce (among other things) pronounceable passwords.
Or grab some dice and go to: Diceware.
(Posting as AC to prevent someone from guessing my real algorithm.)
I'd like to suggest a method for creating passwords for sites; I'm sure it's not unique to me, but it's effective, more secure than sticky notes, and not very time-consuming.
The technique is to use a simple algorithm to create the password, seeding it with a unique identifier from the location where the password is to be used. This way, you can remember the algorithm (even write most of it down if you like) and yet the password for each site is unique, and if stolen doesn't give the intruder access to any other site. (If your algorithm is good, it would make it hard for someone given 2 or 3 of your passwords to figure it out.)
For example with a site named "acmewidgets.com" my algorithm (modified) is:
My actual algorithm makes it a little harder to see English words in the final, but like the above produces an 8-character password (often one of the boundaries for password limits, e.g. 2-8 characters or 8-15 characters) with both mixed case and digits. It is almost always valid for password security checkers, and (in my opinion) is reasonably secure. And yet I never have to remember my password for various sites, I just recreate it on the fly.
And almost always, if a site is used often, even the complex-looking password it creates is not hard to memorize through the use of mnemonics. (The human mind is a wonderful thing.)
The above algorithm doesn't allow variations for more/less secure sites, or backups when passwords expire. (I hate expiring passwords. If the account is compromised, it's compromised...expiring the account every 6 weeks doesn't undo the damage.)
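One way to build the kind of site-seeded derivation this post describes, as an added example that is not the poster's own (deliberately unpublished) algorithm: the "algorithm" here is HMAC-SHA256 keyed with a master secret, which is an assumption of this example. It goes slightly beyond the post by adding a `variant` counter, which covers the rotation and per-site-strength gaps the poster notes. Because HMAC is a keyed one-way function, seeing two or three derived passwords does not reveal the master secret or any other site's password.

```python
import hashlib
import hmac
import string

# 62-character alphabet: mixed case letters plus digits, matching the
# 8-character mixed-case-and-digit passwords the post describes.
ALPHABET = string.ascii_letters + string.digits


def _keystream(master_secret: bytes, seed: bytes):
    """Yield an unbounded stream of alphabet characters derived from
    HMAC-SHA256(master_secret, seed || counter)."""
    counter = 0
    while True:
        msg = seed + b"|" + counter.to_bytes(4, "big")
        for b in hmac.new(master_secret, msg, hashlib.sha256).digest():
            # 248 = 4 * 62: reject the top eight byte values so every
            # alphabet character is equally likely (no modulo bias).
            if b < 248:
                yield ALPHABET[b % len(ALPHABET)]
        counter += 1


def _has_all_classes(pw: str) -> bool:
    """True if pw contains a lowercase letter, an uppercase letter and a digit,
    the classes most password checkers insist on."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def derive_site_password(master_secret: str, site: str,
                         length: int = 8, variant: int = 0) -> str:
    """Deterministically derive a per-site password.

    master_secret: the one thing the user memorises (hypothetical value in tests).
    site:          the site's identifier; normalised so that 'AcmeWidgets.com'
                   and ' acmewidgets.com ' give the same result.
    length:        output length; 8 matches the post, longer is allowed.
    variant:       bump this when a site forces a password change, or use a
                   different value for sites that deserve a distinct secret.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to hold all three classes")
    key = master_secret.encode("utf-8")
    seed = site.strip().lower().encode("utf-8") + b"|" + str(variant).encode()
    attempt = 0
    while True:
        stream = _keystream(key, seed + b"|" + str(attempt).encode())
        pw = "".join(next(stream) for _ in range(length))
        if _has_all_classes(pw):
            return pw
        # Derivation lacked a character class: re-derive with a new attempt
        # counter. This is deterministic, so the same inputs always converge
        # on the same password.
        attempt += 1


if __name__ == "__main__":
    # Constructed sample inputs; the master secret is a placeholder.
    for site in ("acmewidgets.com", "example.org"):
        print(site, derive_site_password("placeholder master secret", site))
</test>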
P4ssw0rd!
You will note that it has all of the elements of a good password such as both upper and lower case letters, numerals as well as characters and punctuation. It's also easy to remember.
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
Anyone remember this? "My voice is my passport. Verify me."
Security is like Oxygen.
Some is better than none.
Too much and things tend to go up in flames.
Enough security that users do their best to ignore/circumvent it is counter productive
Most people forget CryptoGnome's "Golden Rules of Security":
One day, your security will be compromised.
More than likely, sooner than you think.
Almost certainly in some way you did not (perhaps even could not, reasonably) have expected.
What will you do then?
I'm sure you've all heard it said before security is a process, not a goal. The best you can ever hope to do, is make it harder for someone to breach your security than they think it's worth, and to have a plan for when someone comes along who thinks no effort is too much.
Either that or drop all your computers and networks into a large vat of suitably potent acid, and take up a new career; like basket-weaving.
Visit CryptoGnome in his home.
The upshot of all this is that it allows you to generate good, strong passwords like series of letters, numbers, and special characters that have a high amount of entropy but are too difficult to remember. So long as you have a very strong login password (this was not possible in MacOS X 10.2.x and earlier), they will be protected by the keychain.
This is similar to Bruce Schneier's Password Safe and is more convenient in many respects than his solution of keeping his passwords written down on a piece of paper in his wallet. He argues that we all have a lot of real-world experience at keeping our wallets safe, but I have a lot of passwords. How many do you have? Does anyone else dig around in your wallet, like your wife? What if she found out you had a password to someplace you shouldn't, like... uh... Slashdot?
I like my keychain. I'm surprised Tog never mentioned it. Wasn't he an Apple guru at some time?
Can't you see that everyone is buying station wagons?
Security is nothing special in itself, it's just another aspect of a problem: all problems have many aspects and as you suggest, usability is another aspect of a problem. Turn the technical aspects of the security lever the wrong way (e.g. too frequent password changes), and you lose on usability, and this potentially has a negative impact on the social aspects of the security level (e.g. the passwords are written on a post it note).
Really, it is about economics and engineering: using the measured amount of resources to solve the problem holistically, technically and socially, and understanding where all the impacts and flexible points are. This is no easy task though. Peter Neumann and RISKS have been teaching us these lessons for many years, so there's nothing new here, but it is important to continually reevaluate.
I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.
The password db is blowfish encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) backup the Password Safe db to multiple places.
The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).
My password is easy to remember, it's just eight asterisks:
'********'
Sometimes I forget exactly how many, but I usually get it right the second time.
Honest, I don't know any of my passwords. If someone were to ask me for my password, I'd have to first find a QWERTY keyboard, sit down, place both hands in the right position on the keys and start typing into a text editor. The pattern I type is sort of a rhythm and can be typed very quickly.
;-)
I've been accused (Solaris Sys Ad) of tricking the computer into not needing a password for my login name, because I type it so quickly it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length, but they seem a lot shorter.
As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one, even one I haven't used in many months! When I see passwords like "password7", I just smile; seems to me, mine are just as easy to remember.
Just hope I don't someday encounter a Dvorak!
You get a cavity.
Passwords are nice and all -- hell, mine come from pwgen -s -- but you need to be thinking HIGHER. Access control, executable space protection, OS fingerprint protection, and functional security to make programs generally behave. Look at GRSecurity. That in itself speaks volumes. I will illustrate this thread, and then go on through grsec:
Passwords:
- Passwords and password rule circumvention
This is where we seem to be stuck. What about the following:
PaX:
- Total of 1-2% performance overhead
- Enforce non-executable pages to block security exploits in programs
- Enforce non-writable executable pages to block security exploits
- Address Space Layout Randomization to increase difficulty of actually activating security exploits
- Privileged IO blocking to avoid altering the kernel
- Blocking of direct writes to ram and kernel memory to avoid altering the running kernel and getting around security systems or inserting malicious code
- Hiding of memory mappings to avoid information leaking which would negate the ASLR advantages
Grsecurity:
- Includes PaX
- Blocks many operations from happening inside a chroot() jail, thus increasing security by preventing programs from trying to gain access to devices, processes, and filesystem data that they aren't supposed to access
- Imposes an Access Control List system to extend control of file and device access
- Hinders OS fingerprinting with several network protections that randomize various ID numbers in various types of packets
- Allows user auditing and signal logging to detect attacks
How much crap did I list besides password issues? Quite a bit. There's more to consider than "Is root's password 'secure1'?" How about "Can I cause SSH to overflow before I log in, clearing root's password out so I can log in as root and take over the system?"
Support my political activism on Patreon.
Bleh. Are his articles all like this? He has some anecdotes about bad security, with a "D'oh!" in between practically every paragraph---though that slows down after he gets tired of it, a page or two in. Then there's a story about a program called "Tresor" and some guy who had a weird problem with bundles acting like folders instead of application files. The assertion is made point-blank that this is an Apple bug, not a Tresor bug.
:-)
OK. Has this been reported or observed anywhere else? I've never heard of it, or seen it myself, though I've only been using OSX for a little under a year. If anyone can point me to a reference, I'd appreciate it. The article doesn't give any refs. I don't understand how he's so sure it's an Apple bug, unless it's so well-known that, gosh, everyone knows it's an Apple bug without even needing a link to, like, a Knowledge Base article or anything... but if it were that well-known, I hope I would know about it. So I have my doubts about this. If anyone knows one way or the other, I'd like to hear about it.
But really that's not the main point of the article, right? It's just one security flaw in a fairly specific situation. So the article, as far as I can tell, is a few anecdotes and a bunch of "D'oh!"s. Oh yeah, plus some insults and derision for all the programmers and the university professors who taught them. Thanks a lot, Tog.
His thesis---that security needs to be designed to actually make things secure, not theoretically securable---is, well, it's OK I guess. For one thing, he doesn't really argue for it---just provides anecdotes. That's not a coherent logical argument. Worse, it barely even ties in with the anecdotes anyway. So the hospital requires TOO MANY passwords. That does **not** make it theoretically securable, OK? (I can require 200 passwords, but it's not theoretically securable if the computer and fax machine are in the hallway.) He's right that security systems have to aim for real security, but he's wrong in saying that the problem is that people aim for "theoretical securability". Am I wrong here? Is there ANY theory of anything under which these systems are considered theoretically securable?
The only common thread I can think of, apart from inadequate security in general, is that the people who designed the security had an incomplete approach to security; they secured one part of the system (e.g., getting in with a password) way too much, and other parts (e.g., physical security of the fax machine) not enough. Or, they were unnecessarily protective, at the cost of user convenience (as in the VW radio example).
If I'm criticizing the article, maybe I should try to be constructive about it, right? I guess the anecdotes really point towards the two different themes in the previous paragraph: security model should be "complete", and there should be some kind of a balance between security and usability.
I may be wrong about my interpretation of his article. If there's a better way to read this article as it's written, please tell me. I suspect not, but hey. Or just call me a monkey, that's cool too.
Well, to wrap it up, he has a good point, basically, but no argument for it. Just a few isolated anecdotes, not all of which I believe. This is not high-quality writing. Sorry, Tog. I've read of few of your user-interface-design columns, and I liked them a little better. This one just didn't do it for me, I guess.
zach
The article hints at one of my favorite problems with password security:
...?
And speaking of security, don't you just love those websites that continue to ask you to enter in your requested password, all done in 128 bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email
Many websites store passwords in cleartext (hence, they can send it back to you in an email.) They do it for a variety of stupid reasons (a programmer couldn't figure out how to encrypt it, or perhaps customer service likes being able to login as a user, etc.).
So, unfortunately, you can have an extremely clever password, entirely uncrackable, but you give it to a website and it's now immediately compromised. And worst of all, you can't tell if it's stored securely or not.
Thus, I tend to have a password for trivial/unknown systems (i.e., Slashdot, chat rooms, etc.) and a password for more secure systems (eTrade, online banking, etc.)
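The cleartext storage this post describes, side by side with the salted-hash alternative that makes "mail me my password" impossible, as an added example that is not code from any site discussed here. The hashed store uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption of this example, chosen to match the current OWASP guidance for that construction.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters (assumed for this example).
ITERATIONS = 600_000
SALT_BYTES = 16


class ClearTextStore:
    """The pattern the post complains about: the password itself is stored,
    so anyone who can read the table (or a help-desk script) can mail it back."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = password

    def verify(self, username: str, password: str) -> bool:
        return self._users.get(username) == password

    def recover_password(self, username: str) -> str:
        # This is exactly what lets a site "parrot it back to you in an email".
        return self._users[username]


class HashedStore:
    """Stores only (salt, PBKDF2 output). The password cannot be read back
    from the record, only verified, and a leaked table costs an attacker
    ITERATIONS hash computations per guess per user."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _stretch(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, ITERATIONS)

    def register(self, username: str, password: str) -> None:
        # A fresh random salt per user: two users with the same password
        # still get different stored records, so one crack does not reveal both.
        salt = os.urandom(SALT_BYTES)
        self._users[username] = (salt, self._stretch(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for an unknown user so that the
            # response time does not reveal which usernames exist.
            self._stretch(password, b"\x00" * SALT_BYTES)
            return False
        salt, expected = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._stretch(password, salt), expected)

    def stored_record(self, username: str) -> tuple:
        """What a database leak would expose: salt and digest, no password."""
        return self._users[username]


if __name__ == "__main__":
    # Constructed sample data.
    clear, hashed = ClearTextStore(), HashedStore()
    for store in (clear, hashed):
        store.register("alice", "correct horse battery staple")
    print("cleartext store can email back:", clear.recover_password("alice"))
    print("hashed store exposes only:", hashed.stored_record("alice"))
</test>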