Slashdot Mirror
Passwords - 64 Characters, Changed Daily?
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"
password1 password2 password3 password4 based on the month that you are in.
Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?
Uselessful technology (Air-Charged
SecurID and its like are your friends.
While you maintain a reasonably secure password you're not logging in without the token.
Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.
Yeah, right.
I could see a password of substantial length made of a phrase. Say, 64+ characters, changed every two weeks might be fine. Especially if you have a well-read workforce, which might enjoy making note of significant passages.
You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase everytime you lock your station could become tedious if you are away from your desk often.
Alternately, if you have a number of services at work that should have different password, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.
I can't see any good reason to change passwords frequently, other than to limit the damage done from a succesful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.
Please read my Canon EOS tech blog at http://www.everyothershot.com
Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the passwordspace 3844 times, and that's assuming only uppercase, lowercase, and numbers.
There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.
You're assuming we won't have a better, harder-to-crack hashing mechanism by then.
This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.
Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".
Oops, except that's often now how the password is cracked. You don't try the password on the machine over and over, you get a hold of the encrypted password and check against that. This is much faster, as it involves no network activity for each try, only getting a hold of the encrypted password information.
The solution to the problem you are trying to solve is already in place on most systems, anyhow. When you fail to provide the correct password, you are punished by having to wait some amount of time (usually seems to be about 3 seconds). This way, instead of being able to test millions of combinations a minute, you can try 20. This way, your "friend" can't lock you out by typing your password wrong 3 times. Practical jokes are commonplace where I work.. don't need to make it easier on 'em..
In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.
They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.
Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.
T = N/(PG)
In this:
So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly.
Read more on Anderson's formula by googling.
If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.
"The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
it's restricted on most/all systems already that way and besides the throughput limitations on bruteforcing a live system would prove quite troublesome.
generally you would sniff the datastream and try to crack that I imagine(because that's the only thing you could do).
(insecure software with flaws proves the biggest security problem for the foreseeable future anyways, there's always possibility of using single use passwords which are _already_ in use on sensitive/important systems)
world was created 5 seconds before this post as it is.
Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.
makemeapassword.com
creation science book
Windows XPs new password policy manager: "Im sorry, that password has already been taken by user john, please choose another"
This comment does not represent the views or opinions of the user.
Luckily I have Gator for remembering all my passwords!
Note to self: get smarter troll to guard door.
I was reading a textbook about this very issue just a couple days ago at work (I was bored, and there it was in lost and found pile). Don't recall the name, but it was basically about biometrics for security purposes.
The book stated near the very beginning that, basically, passwords are useless because the really secure ones are hard to remember, and that little problem causes people to do other things that mostly destroy the security of a "secure" password anyways (such as the infamous post-it note on the monitor).
The book's solution was fairly common-sense: implement different layers of security. That is to say, a password on its own is bad, but a token+password (say, USB memory stick with accesss code) can actually be a lot better.
The best stated was "bio+token+password". Seems reasonable to me, at least.
-Erwos
Plausible conjecture should not be misrepresented as proof positive.
To quote Bruce Perens, if security really matters, you should base it on three things:
* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)
This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)
Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.
For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.
James
Biometrix is just like passwords, just you cant change your fingerprint/iris scan/voice pattern after someone has exploided/stolen/copied yours.
Great.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
As computers get faster, simply use more difficult and time consuming algorithims to verify passwords. If you use a verification step that takes 256 times a long [even for the same old 6-character password], when computers get eight times faster, they are worse off then they were before in trying to brute-force the password.
---
the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
Where to begin?
First off, the root password for the main application server is a straight alpha password that hasnt changed in about 5 years and is known by most of the operators and developers.
Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.
Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).
Fourth, much of the software we use to perform infrastructure functions is hopefully out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.
And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepency. How's that for reassuring?
Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I set them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly -and changing a password is exceedingly easy.
Here's a visualization for the letter A starting from the key V:The plain password is: vgy7ujmh
Using alternate shift: VgY7UjMh or vGy&uJmH
This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm -for example for Slashdot, a password could be made from letters 'slash' (on a dvorak here, sorry):
qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f
Variation made easy. Try it.
Marxist evolution is just N generations away!
This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.
That's the key here folks.
Passwords should only be used in circumstances where you can control the number of attempts.
If you CANNOT cut off access after N failed attempts, you should be using a full-fledged lots-of-bits crypto key. An example would be using PGP on an email.
A lot of people are looking at the situation in terms of Moore's law. Moore's law should have no effect on how many logins per minute you allow me to attempt. That is a config option.
In sort, it doesn't matter how fast your computer is. If ebay only lets you try 3 logins per minute, that's all you get.
If you're letting people try 1,000+ password per minute on your system, THAT's the problem, not that some guy only had a 6 character random password as opposed to 8.
So to sum up:
Passwords should not be used in case where somebody else is going to have >100 attempts to break it. At that point you should be using >1KB crypto keys.
This is not a password policy problem, it's human somewhere not understanding what passwords are good for.
Life is too short to proofread.
There is so many things wrong with this that it is hard to know where to start. I'll just chose a couple.
First, forcing passwords on users is dumb. What might be an easy combination of words and number s for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember I am going to write it down. It is much better to allow people to chose their own passwords to that they can make a combination that they can remember.
Second, accountability for your password goes out the window when someone else knows and controls the password. If the adminstrator knows all the passwords, they can logon as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.
More intelligent password checking rules is a much simpler and more effective solution.
Note to mods...these 'In Soviet Russia' remarks are never, ever funny. Even if you remember a time
In Soviet Russia, time remembers you!
Do you or your partner snore? - Visit www.snoring.com.au
First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.
You mean those locking drawers where the key number is stamped on the lock?
I usually place a sticky note with a ramdom number of characters under my keyboard. It looks like a password, and may even BE someones password.
But it is not MY password and is it not close to my password. This entertains whoever is trying to break into my computer for hours....
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.