Slashdot Mirror


Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...


  1. Stupid Policies, Not Stupid Users. by Hank Reardon · Score: 4, Informative

    What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

    For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

    I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

    The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

    What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

    I wish we'd switch to RADIUS.

    --
    There's so little difference between politics and jihad lately...
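The policy in the comment above, as an added example that is not the commenter's code: a literal implementation of the stated rules (8+ characters, a capital, a digit, a punctuation mark, 13-password history) beside a hardened checker that also refuses near-duplicates of recent passwords. The sample passwords and the "service-NN!" rotation pattern are constructed to mirror the comment; the similarity threshold and the digit-collapsing normalisation are assumptions, not any product's rules.

```python
import re
from difflib import SequenceMatcher

# The policy described in the comment: 8+ characters, at least one capital, one digit,
# one punctuation mark, no reuse within the last 13 passwords, change every month.
HISTORY_DEPTH = 13
COMPLEXITY_RULES = {
    "length>=8":   lambda p: len(p) >= 8,
    "uppercase":   lambda p: re.search(r"[A-Z]", p) is not None,
    "digit":       lambda p: re.search(r"[0-9]", p) is not None,
    "punctuation": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}


def failed_rules(password: str) -> list:
    """Names of the complexity rules the password does not meet (empty list = passes)."""
    return [name for name, rule in COMPLEXITY_RULES.items() if not rule(password)]


def naive_policy_accepts(password: str, history: list) -> bool:
    """Literal implementation of the stated policy: complexity plus exact-match history."""
    return not failed_rules(password) and password not in history[-HISTORY_DEPTH:]


def _normalize(password: str) -> str:
    # Assumed normalisation: collapse digit runs and case so "WebApp-01!" and
    # "WebApp-02!" reduce to the same template "webapp-#!".
    return re.sub(r"\d+", "#", password.lower())


def hardened_policy_accepts(password: str, history: list, max_similarity: float = 0.8) -> bool:
    """Same policy, but near-duplicates of any recent password are also refused."""
    if not naive_policy_accepts(password, history):
        return False
    for old in history[-HISTORY_DEPTH:]:
        if _normalize(old) == _normalize(password):
            return False
        # Assumed threshold: an 80% character-level match with a recent password counts as reuse.
        if SequenceMatcher(None, old.lower(), password.lower()).ratio() >= max_similarity:
            return False
    return True


def simulate_rotation(template: str, months: int, accepts) -> int:
    """Count how many months a constructed 'service-NN!' rotation gets past a checker."""
    history, accepted = [], 0
    for month in range(1, months + 1):
        candidate = f"{template}-{month:02d}!"
        if accepts(candidate, history):
            accepted += 1
            history.append(candidate)
    return accepted


if __name__ == "__main__":
    print("naive checker accepts", simulate_rotation("WebApp", 14, naive_policy_accepts), "of 14 months")
    print("hardened checker accepts", simulate_rotation("WebApp", 14, hardened_policy_accepts), "of 14 months")
```

The naive checker waves through every month of the "WebApp-NN!" sequence because each string is formally complex and never an exact repeat; the hardened checker stops the sequence at month two, which is the point at which a rotation policy stops being security and starts being a counter.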
  2. Re:Integrate the pin with securid by gioan · Score: 3, Informative

    Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

    The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.

    You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique pin/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or Pin + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.

    For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's pin in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the pin is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.

    Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and Pin on a Postit note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.

    And no, I (no longer) sell the stuff. Simply a knowledgeable user.
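The PIN-plus-time-synced-code scheme described in the comment above, as an added example that is not the commenter's code and not RSA's SecurID algorithm: it uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1 over a 60-second step counter) as a stand-in for the proprietary token, stores the PIN only as a salted hash so the administrator cannot read it back, and shows why a keylogged passcode is useless on its own (replay of an already-accepted code is refused). The seed is the published RFC test secret, the usernames and PINs are constructed, and the 6-digit code length and one-step drift window are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed seed: the RFC 4226/6238 test secret "12345678901234567890". A real
# token's seed is provisioned by the vendor and lives only on the fob and the server.
TOKEN_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # the comment's 60-second code rotation
DIGITS = 6          # assumed code length; vendors vary


def code_for_counter(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style truncation (RFC 4226) of HMAC-SHA1 over the step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 10 ** digits:0{digits}d}"


def token_code(seed: bytes, unix_time: int) -> str:
    """What the fob displays at a given time (time-synced, TOTP-style)."""
    return code_for_counter(seed, unix_time // STEP_SECONDS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Stored form of the PIN: the server can verify it but never read it back.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    """Server side (hypothetical): holds seed and PIN hash, validates PIN+code passcodes."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"seed": seed, "salt": salt,
                                "pin_hash": hash_pin(pin, salt), "last_counter": -1}

    def verify(self, username: str, passcode: str, now: int, drift_steps: int = 1) -> bool:
        """passcode is what the user types: PIN immediately followed by the code on the fob."""
        rec = self.users.get(username)
        if rec is None or len(passcode) <= DIGITS:
            return False                      # a bare code without a PIN can never pass
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        # Evaluate both factors before deciding, so a rejection does not say which one failed.
        pin_ok = hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])
        counter_now = now // STEP_SECONDS
        matched = None
        for c in range(counter_now - drift_steps, counter_now + drift_steps + 1):  # clock-drift window
            if hmac.compare_digest(code_for_counter(rec["seed"], c).encode(), code.encode()):
                matched = c
        if not pin_ok or matched is None:
            return False
        if matched <= rec["last_counter"]:
            # Replay: a code that was already accepted (e.g. captured by a keylogger) is refused.
            return False
        rec["last_counter"] = matched
        return True


if __name__ == "__main__":
    server = TokenServer()
    server.enroll("alice", TOKEN_SEED, "4931")           # constructed user and PIN
    now = 125                                             # constructed clock value (seconds)
    fob_shows = token_code(TOKEN_SEED, now)
    print("fob shows", fob_shows)
    print("PIN+code accepted:", server.verify("alice", "4931" + fob_shows, now))
    print("same passcode replayed:", server.verify("alice", "4931" + fob_shows, now))
    print("code without PIN:", server.verify("alice", fob_shows, now))
```

Both factors are checked with constant-time comparisons and the counter of the last accepted code is remembered per user, so a found fob, a captured PIN, or a replayed passcode each fail on its own; only the live combination within the drift window succeeds.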