Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

Integrate the pin with securid

[stecoop]

required dongle is a note under your keyboard

There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, secuid key chain and guess what your 4 digit pin is.

The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed patter and the number is only good for 60 seconds. But this still this has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is best I have.

Re:Integrate the pin with securid

[wfberg]

The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.

Re:Integrate the pin with securid

[gioan]

Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.

You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique pin/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or Pin + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.

For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's pin in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the pin is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.

Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and Pin on a Postit note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.

And no, I (no longer) sell the stuff. Simply a knowledgeable user.

I only have 2 passwords

[xyeeyx]

2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

Re:I only have 2 passwords

[ifdef]

I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than nore secure.

Re:I only have 2 passwords

[99BottlesOfBeerInMyF]

anyone else have a few standard passwords?

For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

Re:I only have 2 passwords

[baadfood]

See, its twits like fubar1971 that demonstrate why we are in this situation.

The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.

Ill say this in capital letters so you get it this time.

CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

And if you arsehole IT fucks cant get your brains around that, and design a system the recognises that fact then you shoudl really get a job shovelling manure or something.

If you really think that something is easy, merely because its easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.

Rather than cursing the l-users, get off your fat arse, and start doign your Job - provide them with the tools to do their jobs.

Re:I only have 2 passwords

[ifoxtrot]

That is why my organisation has implemeted password policies require at least 8 characters, at least 1 uppercase letter, 1 number, and one special character, or it will not let you change it, and will lock out your account. We then run security audits to ferret out the l-users like you that make them to simple. If we find a password that is to simple, or easy to crack, we force you to change it. If you do not, then your account will be locked out.

When I read this, I seriously started thinking this was great sarcasm.
Unfortunately I've since changed my mind.

There has been a lot of research in the area of password usability here is a short summary:
Fact 1: human memory is fallible
Fact 2: people cannot forget on demand
Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
Fact 4: items in human memory interfere with each other making 100% recall very hard
Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down

CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.

Just get rid of them...

[danielrm26]

Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

Using SecureID or another similar solution is the "no-brainer" solution that todays users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most peoples' powers in this arena.

As an admin...

[0racle]

I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.

Re:As an admin...

[Barlo_Mung_42]

I write mine on the yellow note paper taped to the pull out section above the top right drawer.
I change it every week. This week it is 'Pencil'. Don't tell anyone though.

Known for quite some time...

[Omniscientist]

No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.

Special Characters != More Secure

I can't remember how may IT admins thought by requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice a 8 hour running brute force attack you really are not a good admin.

If the required dongle is a note under your kb...

[FreeUser]

... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

My Password

[Greenisus]

My password is weu@$9JKcpw34.

No one has ever guessed it.

Re:My Password

[Spudley]

I use my dog's name as my password.

My dog is called Pchg65Lb, but he changes his name every few weeks. :-D

Spaceballs Password

[vivin]

Best password/pin ever:

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
King Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
King Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
King Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
King Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
King Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

My take : three zones

[Ars-Fartsica]

My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

Easy trick...

[GillBates0]

Get someone to kick you in the nuts everytime you forget your password.

You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.

Even "good" passwords are bad

[bitslinger_42]

Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversable password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically send a new list before the old one is exhausted.

The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.

Re:Biometrics

[wfberg]

Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

Yeah. Unlike password biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they us a copy of your prints - lifted off of a glass you used for example - mad out of Gummy Bear candies).

Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)

Re:Biometrics

[Jucius+Maximus]

"Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

Picture Passwords

[spun]

One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, lets use a wavy line and start on e. Our 8 character pasword would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.

Re:If the required dongle is a note under your kb.

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a E9 b ?p c &m
d 6K e aY f eP
g !S h gn i D=
j Hd k vw l Cb
m W5 n 4$ o R3
p x% q 7M r NF
s +2 t s* u Ay
v fL w zG x Zu
y cX z Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Stupid Policies, Not Stupid Users.

[Hank+Reardon]

What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

The policies also prohibit using the same password multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

I wish we'd switch to RADIUS.

Stupidity finds a way

[jdfox]

I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
Doooo, ya stupid idjit rabbit!

State-of-the art tech is no match for the apparently limitless stupidity of users.

In the end, we did the only sensible thing, and revoked offsite dial-in for that group.

Or just use a Palm Pilot

[Dr.+Manhattan]

There are tons of encrypting password apps for handhelds. At various times I've used:

• Strip
• Keyring
• Cryptopad

Lots easier to work with multiple places (home, work, web, etc.)

Re:If the required dongle is a note under your kb.

[TheMadRedHatter]

>a E9 b ?p c &m
>d 6K e aY f eP
>g !S h gn i D=
>j Hd k vw l Cb
>m W5 n 4$ o R3
>p x% q 7M r NF
>s +2 t s* u Ay
>v fL w zG x Zu
>y cX z Qr

So what does the output of that Perl script look like? ;-)

-- TheMadRedHatter