Slashdot Mirror


Real Security?

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"

16 of 557 comments

  1. Two minds about it by Carnildo · · Score: 5, Interesting

    Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"

    As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Two minds about it by Carnildo · · Score: 5, Informative

      Voice recognition can be bypassed by a $10 piece of technology known as a "tape recorder".

      And it can fail to recognize a valid user if they happen to have a sore throat.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Two minds about it by jonadab · · Score: 5, Informative

      > thisismylongasspassword

      That's better than you think. My /usr/share/dict/words has over 45000 words
      in it, which is probably typical. The above password is six words long (which
      if anything is pretty short, as sentences go). That means you can brute force
      it in about (45000^6)/2 tries, on average. Compare that to a typical "strong"
      eight-character password (e.g., "bVi-Q*cY"), which can be brute forced in
      (N^8)/2 tries, on average, where N is about 100 or 200 or so, depending on
      your character set. The sentence starts looking pretty good -- and it's a
      *lot* easier to remember.

      > thi!$1smyp4$s

      Yes, increasing the length to over 12 characters greatly improves the security
      of a traditional ugly password. (N^13)/2 is about N^5 times better than
      (N^8)/2, so with an N of around 80 characters (upper and lower case letters,
      digits, and about 20 common printable punctuation marks) that's about a
      three-billion-fold improvement in the time needed to brute-force it.

      I personally tend to favour a combination of these approaches. Take your
      sentence (say, "I tend to favour a combination of these approaches."), make
      a handful of key substitutions, and you get a password like this:
      I-t3nd-2-PHavour-a-c0mbinat|on-0f-these-approacheZ

      The sentence is easy to remember. In addition to the sentence, you have in
      the above example seven substitutions. That's a total of eight things to
      remember, barely (if at all) harder than tB8k^yQp and pretty much impossible
      to brute force. (If you do the arithmetic on this sucker, it's impressive.
      Even assuming a clever modified dictionary attack, the sentence is nine
      words long (nine *words*, not nine chars), and furthermore there are
      several possible ways to mangle each word. The mere electricity your CPUs
      would use up running the possibilities boggles the mind; whatever the
      password is protecting, you could buy it cheaper.) Then you have to worry
      about things like sniffers, surveillance, and rubber hose cryptanalysis, if
      the password unlocks something worth anyone's trouble to bother with all that.

      --
      Cut that out, or I will ship you to Norilsk in a box.
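      The search-space arithmetic in the comment above, carried through in code. This is an added example, not code from the original post: DICT_WORDS and the alphabet sizes are the figures the commenter quotes, while MANGLE_VARIANTS is an assumed per-word count used to model the "modified dictionary attack" he mentions.

```python
# Search-space arithmetic for the passphrase-vs-password comparison.
# Added example; DICT_WORDS and the alphabet sizes are the commenter's figures,
# MANGLE_VARIANTS is an assumption used to model per-word mangling (t3nd, PHavour).
from math import log2

DICT_WORDS = 45_000      # entries in the commenter's /usr/share/dict/words
ALPHABET_80 = 80         # letters, digits and ~20 punctuation marks
MANGLE_VARIANTS = 8      # assumed number of mangled spellings per word


def search_space(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn from `symbols` choices."""
    return symbols ** length


def expected_tries(symbols: int, length: int) -> int:
    """Average guesses for an exhaustive search: half the space, as in the post."""
    return search_space(symbols, length) // 2


def entropy_bits(symbols: int, length: int) -> float:
    """The same quantity in bits, the unit a defender uses when writing policy."""
    return length * log2(symbols)


def length_gain(symbols: int, old_len: int, new_len: int) -> int:
    """Attacker work multiplier from lengthening a password at a fixed alphabet."""
    return symbols ** (new_len - old_len)


def mangled_phrase_bits(words: int, variants: int = MANGLE_VARIANTS) -> float:
    """Bits for a dictionary attack that tries every mangling of every word."""
    return entropy_bits(DICT_WORDS * variants, words)


def compare_policies() -> dict:
    """Work the post's comparisons; values are attacker effort in bits."""
    return {
        "6 dictionary words": entropy_bits(DICT_WORDS, 6),
        "8 random chars, N=100": entropy_bits(100, 8),
        "8 random chars, N=200": entropy_bits(200, 8),
        "13 random chars, N=80": entropy_bits(ALPHABET_80, 13),
        "9 mangled words": mangled_phrase_bits(9),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:24s} {bits:6.1f} bits")
    print("8 -> 13 chars at N=80 multiplies attacker work by", length_gain(ALPHABET_80, 8, 13))
```

      The bit values assume words and characters are chosen uniformly at random; a phrase taken from a song or a book is drawn from a far smaller corpus and gets correspondingly fewer bits.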
  2. Annoying security leads to circumvention by Karcaw · · Score: 5, Interesting

    In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution externally on my laptop for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.

    So a simple ssh tunnel into a work machine, and a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.

    So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.

  3. Forced password changes by Rex+Code · · Score: 5, Insightful

    Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

    If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple of numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

    1. Re:Forced password changes by mo26101 · · Score: 5, Informative

      About a decade ago, I was a software developer working in a building with 2000 users. Back then we wrote apps for Win 3.1. Most users 10 years ago were even more clueless than users today, so we often had to install software for them. We would show up and tell them that we need to install something, they would then usually say fine and go take a coffee break. Being Win 3.1 we almost always had to reboot for one reason or another in the install. This would then leave us needing to log back on the user's computer with the user not there. At this company passwords had to be changed every 30 days and include both letters and numbers. Nobody could remember their password, so when we needed to login and the user was not there, we would just open their top desk drawer. 9 times out of 10 the password was written on a sheet of paper in the drawer. It was amazing how many people did this.

  4. Re:Definitely by Prof.+Pi · · Score: 5, Informative

    A pretty easy way to generate passwords that pass most picky password approval checkers is to take a phrase that you can easily remember, and then take the first letter of each word. Include punctuation to get the requisite non-alphanumeric characters. Make at least one numeric substitution if you're required to have a number. For instance:

    N4N.Stm.

    ("News for Nerds. Stuff that matters.")

  5. Re:Definitely by G-funk · · Score: 5, Funny

    Oh my god.... I have the exact same password on my luggage!

    --
    Send lawyers, guns, and money!
  6. Re:The greatest threat... by Total_Wimp · · Score: 5, Interesting

    The human factor can screw you in more than just the social engineering scenario. One of my favorites is personal firewalls. Since normal humans have no idea what *that* program file is or why it might want to talk on *that* port, they just hit 'yes', and let the attack right in, or they hit 'no', and disallow a perfectly useful application.

    My company now wants to deploy these magical devices to all employee computers and can't figure out what I mean when I say they'll make things less secure. I think this article was dead-on.

    TW

  7. Re:Common Sense by arnie_apesacrappin · · Score: 5, Interesting
    > fail to put any thought into what is needed to be effective

    I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.

    When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.

    After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:

    Security training is useless if the user ignores it.

    I was going to add "is annoyed by it", but I can think of one security awareness activity that pissed off several people, but was highly effective.

    After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.

    --

    Still, with a plan, you only get the best you can imagine. I'd always hoped for something better than that. -CP

  8. Re:Definitely by Anonymous Coward · · Score: 5, Interesting

    Me. But I probably do it in a very unique way.

    I have a three tier password system, with passwords "expiring" every 30 days.

    Tier 1 passwords are things like root passwords for systems. These are 100% unique to the server they belong to, and are changed without fail.

    Tier 2 passwords are passphrases for my ssh keys for non-privileged accounts. These are the same for 2 or 3 boxes, and again change every 30 days. When I expire tier 1 passwords, they are sometimes moved down to tier 2 for ease of remembrance, though never for the same servers.

    Tier 3 passwords are for websites, like this one. Usually most of my website accounts share the same login details, as I'm not really bothered if someone logged onto slashdot and stated that I'm a gay faggot or whatever. Tier 2 passwords are usually passed on when they expire.

    I tend to treat passwords as something like special email addresses. You rarely forget an email address because it's in a known format: something @ something . something. So therefore I base my passwords on a similar format, one that I can remember or work out, eg AAAA!AA.AA@A# gives me a more memorable password than #@##23$ssDx_ which would be an excellent password except for the fact that it sucks :/ Saying that, I change the format as often as I change the passwords, every 30 days.

  9. Re:password quandry by thecampbeln · · Score: 5, Insightful
    No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

    Pa55J4n
    Pa55F3b
    Pa55M4r
    Pa55Apr

    Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counter-productive security-wise. Have the ultra secure passwords, but don't make your users change them too often or this shit begins to appear.

    --
    "1984" was meant to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
  10. Re:Definitely by xmath · · Score: 5, Interesting
    > Come on, who uses passwords like '%33#Gt(;' nowadays..

    I do. :-)

    The funny thing is, I don't actually remember the character sequence. Maybe it's because I play the piano, but I remember the hand motions of typing the password. So to pick a password I just generate a few random ones until I find one that "feels" okay.

    I wonder how many people do this too.

  11. I use good passwords, and here's how by kaan · · Score: 5, Insightful

    And I have to spend nearly zero brainpower remembering a password. Here's what I do...

    Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

    So an example phrase might be: "i love to post on slashdot"

    which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

    "iltp05"

    That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.
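    The first-letter scheme described by Prof. Pi (comment 4) and kaan (this comment), implemented together with an estimate of the search space of what it produces. This is an added example, not code from either commenter; the word-level substitution ("for" -> "4") and the character-class sizes used for the estimate are assumptions.

```python
# First-letter password derivation plus a class-aware brute-force estimate.
# Added example, not either commenter's code. word_subs (e.g. "for" -> "4") and
# the class sizes below are assumptions; PUNCT_CLASS follows jonadab's rough count.
import string
from math import log2

PUNCT_CLASS = 20   # assumed number of common punctuation marks in an attacker's set


def derive(phrase: str, word_subs=None, letter_subs=None) -> str:
    """Keep the first letter of each word (plus any trailing punctuation),
    replace whole words listed in word_subs, then replace letters in letter_subs."""
    word_subs = word_subs or {}
    letter_subs = letter_subs or {}
    out = []
    for token in phrase.split():
        body = token.rstrip(string.punctuation)
        trailing = token[len(body):]
        if body.lower() in word_subs:
            out.append(word_subs[body.lower()])
        elif body:
            out.append(letter_subs.get(body[0], body[0]))
        out.append(trailing)
    return "".join(out)


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password: the
    alphabet a class-aware brute force would actually have to search."""
    classes = [
        (str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
        (lambda c: c in string.punctuation, PUNCT_CLASS),
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))


def brute_force_bits(password: str) -> float:
    """Bits of attacker work. The memorable phrase adds nothing here: only the
    length and character classes of the derived password count."""
    return len(password) * log2(alphabet_size(password))


if __name__ == "__main__":
    for phrase, ws, ls in [
        ("i love to post on slashdot", {}, {"o": "0", "s": "5"}),
        ("News for Nerds. Stuff that matters.", {"for": "4"}, {}),
    ]:
        pw = derive(phrase, ws, ls)
        print(f"{phrase!r} -> {pw!r}: {brute_force_bits(pw):.1f} bits")
```

    The scheme buys memorability, not strength: "iltp05" is a six-character lowercase-plus-digit password and is searched as one, so a defender should still enforce a minimum length on the derived string rather than on the phrase.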

  12. Re:Definitely by red+floyd · · Score: 5, Funny

    Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  13. Password Safe by Anonymous Coward · · Score: 5, Interesting

    I've got hundreds of randomly generated passwords stored in Schneier's Password Safe (actually, it is a sourceforge project now). I don't have the faintest idea what any of them are. All I remember is the single password for Password Safe, which happens to be a 20+ digit combination of words, initials, numbers, and a couple of symbols -- all of which are easy for me to remember.

    The password db is Blowfish-encrypted (yes, there are some cracking programs out there for it, but I'm not trying to keep the info from the NSA). Only two requirements: 1) don't forget the main password, 2) back up the Password Safe db to multiple places.

    The only passwords I remember now are my ATM PIN number, the Password Safe pwd, and that single pwd that I use for every web site that demands registration to function (where I use a fake name as well).