Passwords - 64 Characters, Changed Daily?
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"
password1 password2 password3 password4 based on the month that you are in.
Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?
Uselessful technology (Air-Charged
SecurID and its like are your friends.
While you maintain a reasonably secure password you're not logging in without the token.
Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.
Yeah, right.
I could see a password of substantial length made of a phrase. Say, 64+ characters, changed every two weeks might be fine. Especially if you have a well-read workforce, which might enjoy making note of significant passages.
You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase every time you lock your station could become tedious if you are away from your desk often.
Alternately, if you have a number of services at work that should have different password, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.
I can't see any good reason to change passwords frequently, other than to limit the damage done from a successful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.
Please read my Canon EOS tech blog at http://www.everyothershot.com
just because a computer can crack a 32 char password in 10 seconds
And will all software in the future not have any kind of delay to prevent this sort of attack? Even now, we have login/ssh services that delay a couple of seconds between failed attempts.
Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the passwordspace 3844 times, and that's assuming only uppercase, lowercase, and numbers.
There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.
You're assuming we won't have a better, harder-to-crack hashing mechanism by then.
This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.
Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".
Oops, except that's often now how the password is cracked. You don't try the password on the machine over and over, you get a hold of the encrypted password and check against that. This is much faster, as it involves no network activity for each try, only getting a hold of the encrypted password information.
The solution to the problem you are trying to solve is already in place on most systems, anyhow. When you fail to provide the correct password, you are punished by having to wait some amount of time (usually seems to be about 3 seconds). This way, instead of being able to test millions of combinations a minute, you can try 20. This way, your "friend" can't lock you out by typing your password wrong 3 times. Practical jokes are commonplace where I work.. don't need to make it easier on 'em..
At what point in time do employees spend more time (= money) creating, remembering and retrieving inscrutable passwords than they spend recovering from hacker incursions? An employee's ability to handle rapidly changing, complex passwords is fixed by evolution whereas hackers' abilities to break or phish passwords are only going to increase. At some point the curves will cross and organizations will spend more to keep things locked than they lose with leaky passwords.
Two wrongs don't make a right, but three lefts do.
In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.
They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.
Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.
T = N/(PG)
In this:
So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly.
Read more on Anderson's formula by googling.
If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.
"The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
it's restricted on most/all systems already that way and besides the throughput limitations on bruteforcing a live system would prove quite troublesome.
generally you would sniff the datastream and try to crack that I imagine(because that's the only thing you could do).
(insecure software with flaws proves the biggest security problem for the foreseeable future anyways, there's always possibility of using single use passwords which are _already_ in use on sensitive/important systems)
world was created 5 seconds before this post as it is.
you get a hold of the encrypted password and check against that
:)
The days when anyone on a system could just get all the encrypted passwords are long gone. Getting encrypted passwords requires a root compromise these days. We're not in the 90s anymore.
Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.
makemeapassword.com
creation science book
Windows XP's new password policy manager: "I'm sorry, that password has already been taken by user john, please choose another"
This comment does not represent the views or opinions of the user.
If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.
That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, finger print, etc.
It doesn't really matter how fast computers get. If a system only allows you a few wrong password attempts and makes you wait between each attempt, a simple password would take years to get cracked. The audit logs should be sending off alarms before that anyways.
You can't compare what the user has to remember to an encrypted password hash. Of course, someone with root or administrator privs can grab the shadow/SAM file and perform offline hacking with a powerful computer and crack the password quickly. If this is a problem trusting the sysadmins, then the password encrypting would need to become stronger, not the original password.
Luckily I have Gator for remembering all my passwords!
Note to self: get smarter troll to guard door.
I was reading a textbook about this very issue just a couple days ago at work (I was bored, and there it was in lost and found pile). Don't recall the name, but it was basically about biometrics for security purposes.
The book stated near the very beginning that, basically, passwords are useless because the really secure ones are hard to remember, and that little problem causes people to do other things that mostly destroy the security of a "secure" password anyways (such as the infamous post-it note on the monitor).
The book's solution was fairly common-sense: implement different layers of security. That is to say, a password on its own is bad, but a token+password (say, USB memory stick with access code) can actually be a lot better.
The best stated was "bio+token+password". Seems reasonable to me, at least.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
Good grief, people. The size of the password space determines the ratio of the time it takes to check the *entire* password space vs checking only the correct password (normal logon).
The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).
There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.
A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.
To quote Bruce Perens, if security really matters, you should base it on three things:
* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)
This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)
Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.
For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.
James
Biometrics is just like passwords, just you can't change your fingerprint/iris scan/voice pattern after someone has exploited/stolen/copied yours.
Great.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
As computers get faster, simply use more difficult and time-consuming algorithms to verify passwords. If you use a verification step that takes 256 times as long [even for the same old 6-character password], when computers get eight times faster, they are worse off than they were before in trying to brute-force the password.
---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
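The idea raised in the comments above (keep the cost of checking one password roughly constant as hardware gets faster, instead of making passwords longer) as an added Python example that is not code from any poster. PBKDF2-HMAC-SHA256, the 50 ms target and the `scheme$iterations$salt$digest` record format are choices made for this sketch.

```python
import hashlib
import hmac
import os
import time

SCHEME = "pbkdf2_sha256"  # label stored in each record (assumed format)


def calibrate_iterations(target_seconds=0.05, probe=20_000):
    """Pick an iteration count so ONE check costs about target_seconds on this host.

    Re-running this on newer hardware yields a larger count, which is how the
    per-guess cost stays constant while CPUs get faster.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration probe", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


def hash_password(password, iterations):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record, current_iterations):
    """Check a password; return (ok, upgraded_record_or_None).

    The iteration count is read from the record, so old hashes still verify.
    On a successful login with an outdated count, a re-hashed record at the
    current cost is returned for the caller to store.
    """
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown hash scheme")
    iterations = int(iterations)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), iterations
    )
    ok = hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    upgraded = None
    if ok and iterations < current_iterations:
        upgraded = hash_password(password, current_iterations)
    return ok, upgraded


def days_to_exhaust(alphabet_size, length, seconds_per_guess):
    """Worst-case time to try every password of one length, in days."""
    return alphabet_size ** length * seconds_per_guess / 86_400


if __name__ == "__main__":
    cost = calibrate_iterations()
    record = hash_password("correct horse", cost // 2)  # pretend: hashed years ago
    ok, upgraded = verify_password("correct horse", record, cost)
    print("iterations now:", cost, "| login ok:", ok, "| rehashed:", upgraded is not None)
    # Same 6-character, 62-symbol password; only the per-guess cost changes.
    print("1 us per guess  :", round(days_to_exhaust(62, 6, 1e-6), 2), "days")
    print("256 us per guess:", round(days_to_exhaust(62, 6, 256e-6), 2), "days")
```

The stored iteration count is what lets the cost be raised later without forcing anyone to change a password.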
has anyone thought of comparing the current use to statistical past use? for example, as i sit here typing on my workstation, there are certain keyboard commands i consistently use. there are certain words i consistently misspell, and even how i fix the mistakes. do i backspace all the way? do i highlight the typo, delete, then correct, or do i highlight and correct. there are many nuances that could be tracked, which might include simple things like using an application to open a file vs. using a file system browser (i prefer the latter).
;)
tracking this sort of statistical information could be useful in verifying that the current user is who they should be. there is no password to remember or forget. after the computer is statistically "sure" that the user isn't who it should be, there are several steps that could be taken. one of such would be to simply notify an admin. another would be to immediately lock the user out. or, what i think is the best idea - offer a challenge question: "What month were you born in?" If they cannot answer the question correctly with a fair amount of rapidness, lock them out.
I think this sort of tool could be the ubercool way to ensure the user is who they say they are. Of course the possible downsides to this is not being able to have someone login and check something for you (maybe a good thing?)
Has this been tried, developed, or thought of? If not, I call prior art on anyone who patents it
Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".
Holy great hell, I'd love to see the social engineer that can convince somebody to chop off a finger voluntarily. They would put Mitnick to shame!
The only way hackers can check passwords quickly enough to matter is if they manage to obtain access to the file that contains the checksums for the users' passwords. In Linux, at least, this is /etc/shadow, which can only be accessed by root. If a hacker has access to the files owned by root then you have much bigger problems than a hacker trying to guess at users' passwords.
This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.
You could also go farther, and 'silently' lock them out - no matter what happens, it won't accept the password. Meanwhile, your IDS flags a security event and someone can respond, perhaps while they're still connected.
Speak before you think
Bad idea because of the obvious exploit... an attacker could DOS the entire user base in a handful of minutes by trying/failing each ID.
Of course, any BOFH might enjoy the "lockout the boss" feature included.
Interestingly, Lotus Domino uses a feature where as each attempt fails, the password prompt is delayed by a number of seconds. The delay increases exponentially, but never completely locks the user out. After a set period (minutes), the delay goes away and you start again. VERY effective in blocking brute force attacks...
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I happened to remember this study which compares passphrases and random passwords.
I found it interesting that passphrases are just as secure as random passwords, and as easy to remember as dictionary based passwords.
A 10 character passphrase based password is very hard to brute force.
A human only needs to type in their password so fast. Login delays are the perfect solution to this.
If someone sees your encrypted password file, that is already a huge security breach.
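The escalating login delay described in the comments above (each failure doubles the wait, the account is never locked outright, and the penalty expires after a quiet period) as an added Python sketch. It is not Lotus Domino's implementation or any poster's code; the class name, the 1 s base delay, the 300 s cap and the 900 s reset window are assumptions.

```python
class LoginThrottle:
    """Per-account exponential delay after failed logins, without a hard lockout."""

    def __init__(self, base_delay=1.0, max_delay=300.0, reset_after=900.0):
        self.base_delay = base_delay      # wait after the first failure (seconds)
        self.max_delay = max_delay        # cap, so the real user is never shut out
        self.reset_after = reset_after    # quiet time after which failures are forgotten
        self._state = {}                  # account -> (failure_count, time_of_last_failure)

    def wait_required(self, account, now):
        """Seconds that must still pass before the next attempt is evaluated."""
        failures, last = self._state.get(account, (0, 0.0))
        if failures == 0:
            return 0.0
        if now - last >= self.reset_after:
            del self._state[account]      # penalty expired, start again
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        return max(0.0, last + delay - now)

    def attempt(self, account, check_password, now):
        """Return 'throttled', 'denied' or 'granted'.

        check_password is a zero-argument callable; it is not even invoked
        while the account is inside its delay, so hammering gains nothing.
        """
        if self.wait_required(account, now) > 0:
            return "throttled"
        if check_password():
            self._state.pop(account, None)
            return "granted"
        failures, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (failures + 1, now)
        return "denied"


def guesses_in_window(throttle, account, duration):
    """Count how many guesses get evaluated if someone retries the instant
    each delay ends, for `duration` seconds (simulated clock, no sleeping)."""
    now, evaluated = 0.0, 0
    while now < duration:
        throttle.attempt(account, lambda: False, now)
        evaluated += 1
        now += throttle.wait_required(account, now)
    return evaluated


if __name__ == "__main__":
    print("guesses evaluated in one hour:",
          guesses_in_window(LoginThrottle(), "alice", 3600))

    t = LoginThrottle()
    for when in (0, 1, 3):                       # three wrong guesses against bob
        t.attempt("bob", lambda: False, when)
    print("bob, right password at t=4:", t.attempt("bob", lambda: True, 4))
    print("bob, right password at t=7:", t.attempt("bob", lambda: True, 7))
```

Because the delay is keyed on the account, someone failing logins on purpose can still slow the real user down, but only up to `max_delay`, which is the difference from the three-strikes lockout objected to above.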
Where to begin?
First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.
Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.
Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).
Fourth, much of the software we use to perform infrastructure functions is hopefully out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.
And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?
Why chop off fingers or pluck eyeballs when
"Scraped up my fingers this weekend in a bicycle accident, and the stupid scanner doesn't recognize me. Can you open the door for me?"
or
"'Contacts have been irritating my eyes lately so the damn machine won't validate, can you buzz me in?"
work just as well?
Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".
No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy successfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left behind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousand dollars). This wasn't spy movie crap - this was an actual research project. Current fingerprint scanners are, quite simply, complete crap.
Jedidiah.
Craft Beer Programming T-shirts
Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I set them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly -and changing a password is exceedingly easy.
Here's a visualization for the letter A starting from the key V:
The plain password is: vgy7ujmh
Using alternate shift: VgY7UjMh or vGy&uJmH
This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm -for example for Slashdot, a password could be made from letters 'slash' (on a dvorak here, sorry):
qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f
Variation made easy. Try it.
Marxist evolution is just N generations away!
Why not have a pgp processor storing a private-key in a non readable register?
Put the processor in a USB device and have some biometrics verification on the device.
This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.
That's the key here folks.
Passwords should only be used in circumstances where you can control the number of attempts.
If you CANNOT cut off access after N failed attempts, you should be using a full-fledged lots-of-bits crypto key. An example would be using PGP on an email.
A lot of people are looking at the situation in terms of Moore's law. Moore's law should have no effect on how many logins per minute you allow me to attempt. That is a config option.
In short, it doesn't matter how fast your computer is. If ebay only lets you try 3 logins per minute, that's all you get.
If you're letting people try 1,000+ password per minute on your system, THAT's the problem, not that some guy only had a 6 character random password as opposed to 8.
So to sum up:
Passwords should not be used in case where somebody else is going to have >100 attempts to break it. At that point you should be using >1KB crypto keys.
This is not a password policy problem, it's human somewhere not understanding what passwords are good for.
Life is too short to proofread.
There are so many things wrong with this that it is hard to know where to start. I'll just choose a couple.
First, forcing passwords on users is dumb. What might be an easy combination of words and numbers for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember I am going to write it down. It is much better to allow people to choose their own passwords so that they can make a combination that they can remember.
Second, accountability for your password goes out the window when someone else knows and controls the password. If the administrator knows all the passwords, they can logon as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.
More intelligent password checking rules is a much simpler and more effective solution.
>choose easy-to-remember (and hence, likely easy-to-crack) passwords
Not necessarily. I mean depending on what the max character limit is he could be using pass-phrases. The password is becoming obsolete and the pass-phrase will be the next step. That is if the next step isn't smart card keys, challenge response you can do on a PDA, etc.
Of course the pass-phrase has its flaws too like using famous quotes, but that could be screened out the same way common words are. There might be some side benefits to this. Personally, I find phrases easier to remember than words, even if they have numbers or odd characters in them.
I think passphrases and encrypting communications will go a long way towards security. A lot of good that killer password does you when you send it in plain-text when you use FTP or POP3. In fact, a lot of password policies are based on the fact that you will use ftp or pop or something and eventually you will be sniffed so changing your password more often is a long term fix before they can roll out ssh, sftp, and ssl-pop/imap or whatever. If they're even planning it. Eventually we're going to look back to the 90s and early 21st century and think "whoa, I sent all that crap unencrypted?"
We used to have to change our password every month to a new 10 char (it remembered last 5). I used to just run this VB script:
' ADSI flag for secure authentication; VBScript does not predefine it
Const ADS_SECURE_AUTHENTICATION = 1
YOURDOMAIN = "domain" 'need to change this
user = InputBox("Enter username")
pass = InputBox("Enter password")
Set ns = GetObject("WinNT:")
' Bind to the user object with the user's own credentials
Set usr = ns.OpenDSObject("WinNT://" & YOURDOMAIN & "/" & user & ",user", user, pass, ADS_SECURE_AUTHENTICATION)
' Step through five throwaway passwords, then set the original one again
usr.ChangePassword pass, "qazwsxedc1"
usr.ChangePassword "qazwsxedc1", "plmoknijb2"
usr.ChangePassword "plmoknijb2", "owidcjdcd3"
usr.ChangePassword "owidcjdcd3", "iojcdswdo4"
usr.ChangePassword "iojcdswdo4", "vownmdicm5"
usr.ChangePassword "vownmdicm5", pass
MsgBox("Password Changed (not really)")
Note to mods...these 'In Soviet Russia' remarks are never, ever funny. Even if you remember a time
In Soviet Russia, time remembers you!
Do you or your partner snore? - Visit www.snoring.com.au
Every computer needs either a smart-card slot or an iButton reader, and by logging in with that, you ought to be able to do challenge-response or rolling-code authentication on every system to which you are allowed access, with the key doing the computations on board. Passwords ought to be obsolete by now, or supplementary in ultra-high-security systems only. Certainly by the time the sysadmins decide that they have to be so long and changed so often, that you haven't a prayer of remembering them, then it's high time to replace them with something else.
First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.
Also, there are plenty of ways to have greater security than completely out-in-the-open Post-It notes with passwords. For guys, keeping the password list in a wallet, purse, or at least desk drawer that could be locked would at least add some physical security.
Actually, keeping the passwords on the monitor wouldn't be too bad if the passwords were obscured some way. For example, list the passwords incorrectly, but make the first letter of each incorrect password be the first password, the second letter of each in order the second password, etc. Reasonably easy to look up, but not obvious enough to be tempting. A slightly more complex scheme would probably be useful, perhaps hiding the password in seemingly legitimate post-it notes. Making the password the second letter of each word in a fake Post-It note would be better. This would allow routine password changes with just a little work, without being quite so blatant about having them out in the open.
Security, for most workers, needs to be balanced with usability. Truly random alphanumeric passwords are not reasonable to memorize. A better route would be to teach each user a mnemonic method of choosing a password (i.e. password from initial letters of words in chorus of song or famous quote -- if numbers are required convert every other one to numbers as if it were a phone number [ABC -> 2, DEF -> 3, etc., which is easy to convert in an office environment because everyone has a phone readily accessible]). If each person has a slightly different scheme, this can be a very easy way of getting hard to crack passwords that are very easily memorable.
Robert Hensing (MS Security Response) has an interesting article on this in his newly-created blog. His basic assertion is that we should all forget password complexity and just go for something long but simple to type. The spacebar opens a whole new dimension in uncrackable passwords, apparently. Robert's blog is at http://blogs.msdn.com/robert_hensing/
This leads me to the conclusion though that there are probably much fewer intuitive keyboard patterns than there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.
First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.
You mean those locking drawers where the key number is stamped on the lock?
I usually place a sticky note with a random number of characters under my keyboard. It looks like a password, and may even BE someone's password.
But it is not MY password and it is not close to my password. This entertains whoever is trying to break into my computer for hours....
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Who do you think will be behind that change? At some point, someone will come up with an idea that will be the start of this new system. It could be a slashdot reader. The idea could come today. The people behind Google must have come up with an idea one day a few years ago, and at the time it was probably nothing more than an idea that started with, "what if there was a search engine that could..."
Slashdot might be the kind of environment where a new idea for the future of authentication could be born. So go ahead and panic, speculate, and worry. If that leads to a new idea, do something with it. That is how we come up with new stuff.
Oh, and do something with it that protects yourself from lawsuits from the big companies in the future, while still allowing open source software to someday implement it.
I really hate signatures, but go to my website.
Recent research supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.
Here in work i've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (it's a MS shop).
Passwords:
* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously
In addition we encourage users to pick strong passwords:
Good Passwords contain:
* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!
Bad Passwords contain:
* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen
I recently conducted an audit using the excellent @stake LC5. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.
It got many "strong passwords" chosen using the above methodology which is similar to the previous post. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.
The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.
I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note i had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer and evidently vindictive successive OSX disclosure campaign.
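A check that could run when a password is set, covering two weaknesses raised in this thread: keyboard-shape passwords and dictionary words disguised with character substitutions. This is an added Python example, not LC5's method or any product's filter; the word list is a constructed stand-in for a real dictionary, and the 0.8 and 0.75 thresholds are assumptions.

```python
# Constructed mini word list; a real filter would load a full dictionary.
WORDS = {"let", "me", "in", "now", "open", "at", "ate", "eight",
         "home", "sweet", "close", "please", "password"}
MAX_WORD = max(len(w) for w in WORDS)

# Common look-alike substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# US QWERTY rows; each row sits half a key to the right of the one above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
SHIFTED = str.maketrans("!@#$%^&*()", "1234567890")  # shift+digit -> digit key


def keys_adjacent(a, b):
    """True if two keys touch on the staggered layout (or are the same key)."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = sorted([POS[a], POS[b]])
    if r1 == r2:
        return abs(c1 - c2) <= 1
    # A key in the upper row touches columns c-1 and c of the row below.
    return r2 - r1 == 1 and c1 - c2 in (0, 1)


def walk_ratio(password):
    """Fraction of consecutive key presses that land on neighbouring keys."""
    keys = password.lower().translate(SHIFTED)
    steps = list(zip(keys, keys[1:]))
    if not steps:
        return 0.0
    return sum(keys_adjacent(a, b) for a, b in steps) / len(steps)


def dictionary_coverage(password):
    """Largest fraction of the de-substituted password made of dictionary words."""
    s = password.lower().translate(LEET)
    best = [0] * (len(s) + 1)          # best[i]: most covered chars in s[:i]
    for end in range(1, len(s) + 1):
        best[end] = best[end - 1]
        for start in range(max(0, end - MAX_WORD), end - 1):
            if s[start:end] in WORDS:
                best[end] = max(best[end], best[start] + end - start)
    return best[-1] / len(s) if s else 0.0


def check_password(password, min_length=8):
    """Return the list of reasons to reject; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if walk_ratio(password) >= 0.8:
        reasons.append("keyboard walk")
    if dictionary_coverage(password) >= 0.75:
        reasons.append("dictionary words with substitutions")
    return reasons


if __name__ == "__main__":
    # Sample passwords taken from the comments in this thread.
    for pw in ("vgy7ujmh", "vGy&uJmH", "LetM3In0w", "0pEn@Ate", "klOz3PeaZ"):
        print(f"{pw:12} {check_password(pw) or 'accepted'}")
```

An accepted result only means neither of these two patterns was found; it says nothing about whether the password survives the hybrid and brute-force stages of an offline audit.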
Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.
Someone I work with asked about how he should protect a key to a secured area, and the response was "How often do you lose your car or house keys? Keep it with those." I'd say the same applies to your wallet and keeping passwords in it, if worse comes to worse and you can't remember them.
Considering I've never lost my wallet, keep everything shy of my birth certificate in it, and will know instantly if it's gone and can report it, I'd say that's pretty secure. I carry it so consistently I feel noticeably strange if it's not in my pocket.