Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Security Not Easy

Posted by michael on from the duh dept.

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

25 of 674 comments (clear)

  1. Just get rid of them... by danielrm26 · · Score: 3, Insightful

    Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

    Using SecureID or another similar solution is the "no-brainer" solution that todays users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most peoples' powers in this arena.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Just get rid of them... by Neil+Watson · · Score: 2, Insightful

      Jane: 1111
      John: 0000

      If there is a easy way they will take it.

      --
      UNIX/Linux Consulting
  2. Known for quite some time... by Omniscientist · · Score: 3, Insightful

    No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.

  3. Special Characters != More Secure by Anonymous Coward · · Score: 3, Insightful

    I can't remember how may IT admins thought by requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice a 8 hour running brute force attack you really are not a good admin.

    1. Re:Special Characters != More Secure by jdunn14 · · Score: 2, Insightful

      Note that not all brute force attacks take place against the online system. Through a bug in some service, a poorly configured database, or a single compromised username (plus a privalege escalation) an attacker may be able to send the passwd (hopefully shadow) file to another machine where they can brute force at their leisure. Much smaller chance of detection this way.

      Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be many *times* longer when you increase the possible characters by 1, let alone a bunch of special characters. Of course, users tend to just append the characters, so brute forcing may take advantage of that, but at that point you're getting away from what a "brute force" attack implies.

  4. If the required dongle is a note under your kb... by FreeUser · · Score: 4, Insightful

    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

    --
    The Future of Human Evolution: Autonomy
  5. Yes. by captnitro · · Score: 2, Insightful

    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.

    1. Re:Yes. by Spudley · · Score: 2, Insightful

      Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

      Absolutely it is. Just like asking mom or dad to "just open the command line.."

      I've got to agree with you there. It is the non-techies that have the most problems with this, but how old is the internet culture among non-techies? Five years? Maybe less? The point is that until the internet made everything accessible from a single computer, you didn't need a dozen different passwords. Before that, the only people who needed to even think about the possibility of keeping multiple passwords were sys admins.

      The general public simply isn't comfortable yet either with passwords or computer security in general, and it'll probably take another ten years for it to truly get ingrained. In the meanwhile, the criminally inclined will continue to have an easy time of things.

      --
      (Spudley Strikes Again!)
  6. Re:I only have 2 passwords by Kiryat+Malachi · · Score: 2, Insightful

    I have 5, now. Each time I rotate passwords (once per year, usually), the highest security one moves down a notch, and everything below it gets bumped down by one.

    --

    ---
    Mod me down, you fucking twits. Go ahead. I dare you.
    (I read with sigs off.)
  7. I noticed that the article mentions... by gandell · · Score: 2, Insightful
    ...the Sarbanes-Oxley act. Many financial institutions required to follow these regulations also are liable for the FFIEC regs. I believe that the FFIEC regs. DO require alphanumeric, 8 digit passwords.

    Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.

    To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.

    --
    Mercy was given to me by Christ...I must give the same to others.
  8. Re:I only have 2 passwords by ifdef · · Score: 5, Insightful

    I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than nore secure.

  9. The problem isn't so simple by Slick_Snake · · Score: 2, Insightful

    Current security models require passwords to be changed every three months or so. On top of that the password cannot be one last 5 or so used. On top of that it must be different than the last password by x number of characters. On top of that the user must remember x number of passwords of which he/she only uses one on a regular basis. To complicate matters the passwords must contain numbers, letters (upper and lower case), and sometimes special characters (but only certain ones). The expectations placed on the worker are unrealistic and that is what leads to poor password management. Simple password with dongle (smart card, usb device, RFID chip, etc...) is a better solution.

  10. Re:Biometrics by wfberg · · Score: 3, Insightful

    Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

    Yeah. Unlike password biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

    You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they us a copy of your prints - lifted off of a glass you used for example - mad out of Gummy Bear candies).

    Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

    (As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)

    --
    SCO employee? Check out the bounty
  11. Re:Biometrics by Jucius+Maximus · · Score: 4, Insightful
    "Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

    There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

  12. Re:Biometrics by Haydn+Fenton · · Score: 2, Insightful

    We will still need passwords even if we have biometrics.
    Fingers can be cut off (ok, new ones are supposed to detect if there's blood circulating), or you could leave your fingerprint on something, then someone comes along and takes it, wouldn't be too hard to make fake fingertips which you could use. Your retina 'metrics' would be harder to steal, maybe contact lenses, I dunno. But whatever technology we can come up with, crackers can find a way to break or exploit it. Biometrics by themselves are probably far more dangerous than having just passwords, imo at least.
    But.. a mix of things;
    something you are (biometrics),
    something you have (dongle),
    something you know (password)
    would be a much safer combination.

  13. Re:I only have 2 passwords by prgrmr · · Score: 2, Insightful

    I've successfully fought against mandatory password changes at my company, but it rears its head again every few months, as some bright spark in management (usually in our parent company) thinks it would be a good idea

    Of course it's a good idea. But like everything else in life, it, too, is subject to the "Too Much of a Good Thing" syndrome. The trick is to change passwords often enough to maintain security and protect against those who will, inevitably, give-away there passwords in exchange for trinkets or favors, and to balance that against not making the change so often as to be more trouble than it is worth. Depending on the environment, 2-5 times a year is sufficient.

    Remember, a login/password scheme is there to ensure limited access to a limited number of systems (usually one) is granted to a known, limited number of individuals (usually just one per login). As soon as you don't have this, you don't have security. The best firewall in the world won't save you from the dumbass user who calls the vendor directly and gives their login & password to the tech support drone on the phone.

  14. Does anybody crack passwords any more? by Chemisor · · Score: 2, Insightful

    Is it even possible to crack passwords any more? With shadow passwords, you simply can't get the password string to crack, and you can't just brute force at the login prompt, since it waits five seconds between tries. To get /etc/shadow you have to be root anyway, so what's the big deal with creating "non-guessable" passwords? It's not like any hacker would actually try more than a dozen at the login prompt. If he does, he'll just be locked out and reported. If you look at the descriptions of how computers are hacked these days, it's never by guessing passwords. It's usually done through a poorly written web page, where a buffer overflow can get you in (why don't they run the webserver on a chroot?).

  15. Re:My take : three zones by Anonymous Coward · · Score: 1, Insightful

    Well, then you're foolish. Using the same password for an online shopping site as for your email means one bent admin can read your email and go on a shopping spree on your card whilst deleting the "order confirmation" notices.

    You should treat ANY user account that includes your bank details as requiring high security - unique passwords for each; or else the folks at xyzonlineshop can log into your amazon account and get themselves some nice xmas presents.

    -J

  16. Re:My take : three zones by ballpoint · · Score: 2, Insightful

    You can answer these questions with unrelated data, encrypted and kept elsewhere.

    Look at it as a backup password, in case the original broke into bits by some strange mishap.

    --
    Flourescent (adj): smelling like ground wheat.
  17. Re:Picture Passwords by greed · · Score: 2, Insightful

    Those are great for shoulder-surfing, I can spot a "picture password" from across the room. Or across the Home Depot....

  18. Re:I only have 2 passwords by Anonymous Coward · · Score: 1, Insightful
    They remember ALL passwords you have used here. And they make you change it every 60 days. And you need a certain ratio of letters to numbers. And only a certain percentage of characters can be the same as your last password. This last is a vain attempt to prevent password01 -> password02 type things, but of course, the determined can just do password01 -> myxlpyk01 -> password02 etc.

    So I do one of the following:


    • Keep it written down nearby my computer on a slip of paper
    • Use an easy to remember pattern on the qwerty keyboard like: 1qaz2wsx or 2wsx3edc or 3edc4rfv etc

    People who put security policies in place don't give a rats ass whether what they are securing gets broken into. They only care that in the event of a breakin, they can't be blamed for being too lax. Being so strict about passwords that users are *practically* if not actually limited to a tiny keyspace in choosing their passwords is better than leaving open a channel through which blame can find them.

  19. Re:Biometrics by Roogna · · Score: 2, Insightful

    Human guards better? I wouldn't count on it.
    Not to say biometrics are great, but humans aren't actually that hot at it.

    At one company I worked we had a security guard who was notoriously bad at remembering anybody. Seriously, the entire staff would discuss this fact. He saw all of us every single day, but damned if he seemed to be able to remember that fact. He also wasn't too hot at comparing IDs and more than once people on the staff would swap IDs just to test this theory. He always let them in.

    Plus, above and beyond people who are just bad at facial recognition... you still have the problem that passwords, biometrics, or even human guards with big guns can all be gotten by if the right person is handed a $10 bill. This fact hasn't changed since ancient times and despite all the technology we throw at it, never will.

  20. Re:I only have 2 passwords by baadfood · · Score: 3, Insightful
    See, its twits like fubar1971 that demonstrate why we are in this situation.

    The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.

    Ill say this in capital letters so you get it this time.

    CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

    And if you arsehole IT fucks cant get your brains around that, and design a system the recognises that fact then you shoudl really get a job shovelling manure or something.

    If you really think that something is easy, merely because its easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.

    Rather than cursing the l-users, get off your fat arse, and start doign your Job - provide them with the tools to do their jobs.

  21. Re:Science Tables and Lookup Values by Gyorg_Lavode · · Score: 2, Insightful

    Passphrases need to be random though. Lyrics, quotes, and scripts can all be loaded into a passphrase dictionary and used the same way dictionary attacks are used against passwords. If you are going to use non-random passphrases, you need to use dictionary checking to make sure someone didn't use, "I am your father luke"

    --
    I do security
  22. Re:I only have 2 passwords by ifoxtrot · · Score: 4, Insightful
    That is why my organisation has implemeted password policies require at least 8 characters, at least 1 uppercase letter, 1 number, and one special character, or it will not let you change it, and will lock out your account. We then run security audits to ferret out the l-users like you that make them to simple. If we find a password that is to simple, or easy to crack, we force you to change it. If you do not, then your account will be locked out.

    When I read this, I seriously started thinking this was great sarcasm.
    Unfortunately I've since changed my mind.

    There has been a lot of research in the area of password usability here is a short summary:
    Fact 1: human memory is fallible
    Fact 2: people cannot forget on demand
    Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
    Fact 4: items in human memory interfere with each other making 100% recall very hard
    Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
    Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down

    CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.