Slashdot Mirror


Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

10 of 674 comments (clear)

  1. Integrate the pin with securid by stecoop · · Score: 4, Interesting

    required dongle is a note under your keyboard

    There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

    A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, secuid key chain and guess what your 4 digit pin is.

    The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed patter and the number is only good for 60 seconds. But this still this has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is best I have.

    1. Re:Integrate the pin with securid by wfberg · · Score: 5, Interesting

      The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

      The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

      My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.

      --
      SCO employee? Check out the bounty
  2. I only have 2 passwords by xyeeyx · · Score: 3, Interesting

    2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

    1. Re:I only have 2 passwords by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      anyone else have a few standard passwords?

      For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

  3. My take : three zones by Ars-Fartsica · · Score: 4, Interesting
    My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

    Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

    Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

    High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

  4. Even "good" passwords are bad by bitslinger_42 · · Score: 3, Interesting

    Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

    There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversable password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

    Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically send a new list before the old one is exhausted.

    The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.

  5. Picture Passwords by spun · · Score: 4, Interesting

    One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, lets use a wavy line and start on e. Our 8 character pasword would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  6. Re:If the required dongle is a note under your kb. by nizo · · Score: 5, Interesting
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
    a E9 b ?p c &m
    d 6K e aY f eP
    g !S h gn i D=
    j Hd k vw l Cb
    m W5 n 4$ o R3
    p x% q 7M r NF
    s +2 t s* u Ay
    v fL w zG x Zu
    y cX z Qr
    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
  7. Stupidity finds a way by jdfox · · Score: 4, Interesting

    I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

    We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

    But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

    That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
    Doooo, ya stupid idjit rabbit!

    State-of-the art tech is no match for the apparently limitless stupidity of users.

    In the end, we did the only sensible thing, and revoked offsite dial-in for that group.

  8. Or just use a Palm Pilot by Dr.+Manhattan · · Score: 3, Interesting
    There are tons of encrypting password apps for handhelds. At various times I've used:

    Lots easier to work with multiple places (home, work, web, etc.)

    --
    PHEM - party like it's 1997-2003!