Slashdot Mirror
Are Often-Changed Long Passwords Really Secure?
Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?"
"I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets names (fuzzy1cat, fuzzy2cat, etc) and start writing passwords on a note on their screen?
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"
My password is password. (keep it quiet!)
things like SecurID were invented.. 2-factor authentification eliminates most of these special requirements.
As long as they don't check the post-it note under your desk - the password is secure!
But seriously, does a policy like this do anything but encourace people to write down their passwords?
In case you don't know, your "navy-colored corp." sells a fingerprint reader that automatically puts the correct password in whichever field you need it..
;)
You just set it, make the program learn it, and you're done. You don't _HAVE_ to remember them all.
Passwords can be saved on crypted files (not word please, as we all know that they can be cracked open in milliseconds), and your access to your corporate thinkpad can be granted at the BIOS level with the embedded fingerprint reader.
Go T42! GO!
cheers
Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...
verify me.
"Well Ranger Brad, I'm a scientist. I don't believe in anything." - Dr. Roger Fleming
I, like everyone else on the planet, work to make things easier for me and to hell with security. A new password every 90 days means people will design a password that passes the requirements but is easy to remember when you have to change it. For example, my last job required at least an 8 character password with at least two numbers and one case change, and you could not reuse passwords for at least 5 changes. So my first password was Th1s1smE. Anyone want to guess what my next password was after the first 90 days?
Anybody with half a mind (and you KNOW who you are) would run through the likely possibilities quickly enough.
My opinion: It would be better to provide a tool that would allow a user to rate a password which would let them come up with a password that passes a minimum quality requirement, a password that they could remember without writing it down, and then require it to be changed less frequently (like once per year). And, equally important, provide a second, different authentication mechanism to support the password security (a hardware token system would be one example, biometrics would be another, a prearranged "callback" mechanism would be a third, there are many others).
Beside, my experience with gaming a requirement like this is that users tend to mess up their password frequently and end up with their password set back to a known default (assuming the admins provide such a default, which in of itself is a very bad security decision). And so sometimes a policy like this will actually provide less security, because at any given time there will be a relatively high percentage of user accounts which are set to a known password. Years ago, I personally demonstrated this situation with one of the VP's of the company I worked for by going through the ID's of the senior managers until we found one using the default password.
So, long story short, changing passwords frequently does not automatically mean better security. But we all knew that, right?
The NSA: The only part of the US government that actually listens.
Is the problem not that your password has very strict complexity requirements but that there are too many of them?
/. last month I posted 10 times" this fulfils all requirements for complexity and is changeable and easy to remember.
I did read a paper (I think from Microsoft not sure) about how passwords were essentially redundant as you could pre compute the hashes of all alphnumeric combinations and then run a dictionary attack against a file pretty quickly. They suggested a pass phrase as the way forward. Perhaps something along the lines of "I love
The other solution I often tell people is make your passwords a personal acronym, who would guess "Il/mIp10t" as a password, yet it is easy for me to remember.
The only reason some people get lost in thought is because it's unfamiliar territory.
"A new, more secured password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"
So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.
I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.
To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost efficient than shorter ones, because of the side effects caused by difficult to remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story, how else the security is taken care of (ie. educating the personnel, so there will not be any post-it notes laying around and other forms of security, because it's all about layers).
There was an internal badging initiative about a year ago that was looking at moving away from mag stripes for door access. If we bought the right cards for physical access we could leverage that investment for logical.
Lasers Controlled Games!
Navy-colored company, but I'm staying cloaked.)
The Italians enacted some sort of privacy-oriented legislation which required these password rules. Because the Navy-colored company does business in Italy, and wants uniform rules throughout the company, they propagated this change throughout the company.
Like it or not, secure or not, that's where it came from.
Don't focus on this as the single point of security stupidity - there are far worse. We won't mention them, however.
Longer harder to remember passwords require more human intervention (IT helpdesk reset passwords to 'monday' when you forget it).
:-)
You also are tempted to write them down, or use consequtive patterns as passwords:
qwer789456123
0ok9ij8uh
Things like that. A simple phrase password, with a one time algorithm (give me the 4th, 5th, 7th and 10th letters) take longer to work out in your head, but eavesdroppers (video, shoulder surfing, finger prints (national treasure) and electronic) have a harder time.
Of course, if you store all your new 8 digita alpha numeric passwords in an access file which is shared in a public folder, that woud make any attempt of l33t passwords a bit redundant.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
Is silly, if you stop brute force... with intrusion detection systems, if a password does get lost, why give yourself a 45 day (average) allowance? so it is ok for someone to have a password for 45 days, but not longer.
;-)
Also, the root password for my laptop is 'swordfish' (oh halle... I love your baps, but when the line 'it isn't just a multi-monitor system' comes up, I really have to kill nearby carbon based lifeforms.) but noone has hacked it yet for 3 reasons:
1: It is linux, therefore unhackable, even with r00t password
2: It has no networking capability
3: It no longer actually works, and after the drop I gave it, I suspect even the parked heads might not have stopped platter axle damage...
So have some auditing and heuristic behaviour analysis. Use one time passwords, rigorously check all intrusions based on internal/external. Follow up a failed pssword attempt with a human call (SOMETIMES computers can be the weak link in security)
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
1.
Changing passwords is ofcourse to reduce impact when a password is stolen/cracked. 90 days sounds a bit long -- is this policy based on evaluating what's *needed* or just based on vague assumptions ?
If it is expected that keyloggers, bruteforcing or some other form of password-theft is likely, 30 days might be more apropriate.
2.
According to various textbooks on computer security, forming a password from 1st (or some'th) letter in a sentence forms passwords which in general terms are as hard to brute-force as "truly" random passwords:
madly typing at keyboard: 32nfia.-!
I once saw four naked girls dancing in the moonlight: I1s4ngditm!
The latter form *may* be slightly more open to guessing the frequency of letters -- but bruteforcing a password with 12 alpha-numeric characters takes a *lot* of effort.
The main point is that passwords "generated" like that is *much* easier to remember. They may also be more "random" than just typing at the keyboard...
Some punctation and variations in capitalization should be encouraged/enforced.
3.
If you are authenticating against Active Directory -- just use pass phrases. Harder to bruteforce -- and prevents the ntlm-hash (16 chars, one case) being accepted by some braindead system.
4.
I personally think single-sign on is an important part of a good security strategy because it allows for more frequently changing of passwords -- admins would typically still need 2-3 accounts (normal user, admin role, testing role), but more managble than 10+
5.
Just because a password is written down does *not* mean it's compromised! If security really is so important that everyone needs 5 or more 8 letter "random" and uniqe passwords, I would *strongly* recommend that arangements be made for all passwords to be kept in escrow in a safe.
That way employees won't have an excuse to keep the password somewhere insecure. Everyone should be able to get their password during work-hours easily (for instance the receptionist that either knows everyone, or is instructed to _demand_ id, could have access to the safe).
The downside with any kind of escrow, is ofcourse, that one is forced to trust the few people with access to all passwords completly. This is a tradeoff -- but so are all security decisions.
6.
You mention bios boot passwords. Is that truly neccessary ? Bios configuration password sounds more reasonable to me. But either one is of rather limited use, unless you are using some form of fortified pc case.
If you do mean configuration passwords, that is a primary candidate for writing down, and locking in a safe IMHO. Normally all admins would have access to this, so that seems reasonable.
Isn't this the point of things like kerberos. ie to provide single sign on in you network. so you don't have to remember lists of passwords.
integrate it with pam, and then you'll get a ticket when you log in, that will be used to authenticate you when you access things like ftp or mail server.
Ofcourse this wont help with off site login, but at the point you use them you have access to the already mentioned password safes or security managers (eg mozilla's psm or kde's wallet)
as to the oringinal point, the more checks you can do for good password the better, but a 3 month life undermines any effort made to generate a good password.
I dont see the point of changing passwords, unless you can't keep it to your self. most methods of gaining your password are not effected by its age (eg sniff the wire, brute force, social engineering(is subsequent password going to be any less dependant on your frame of mind then the last?)). Then, once 'they' have it, they're likely to install another method of access asap and then no longer dependant on knowing your password.
Policies like this typically result in more people breaking the rules and writing down their passwords, which in turn reduces security.
Bruce Tognazzini has covered this kind of stupidity before.
. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...
"I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
(...)
My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"
Read it: http://asktog.com/columns/058SecurityD'ohlts.html
My company just upped the ante for anyone trying to guess one of our passwords...min of 10 characters of which at least one each of UPPER CASE , special, numeric and lowercase are required...Its hard to produce a memorable password under these conditions. I have about a dozen passwords to remember between the various OSes, LAN security, Mail, and then there is my firewall and systems at home.
One way to handle it all is to write a script that can deterministically convert some string that you can remember into a password conforming to a parametrically sellected rule [e.g. 12 chars, mixed case and numerics, no specials] I wrote one of these generators in AWK since I have unix boxes at work and run a cygnus shell at home...it even takes account of the date [per GMT] so that I get a fresh PSWD every 3 months but can always reconstruct past passwords in a pinch with override date. I only have to remember my "open sesame" and nothing is ever written down or stored.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Is there any research to support whether such requirements actually increase security?
Translation: I can't be bothered changing my password and am too dumb to come up with arguments against this policy to give to my boss on my own.
Where I work, that's been the requirement for years. Users are used to it, so it's not a big deal. You don't find stickies lying on the desk either (well, you do, but only passwords for additional systems -- we don't have SSO yet). Actually, our requirements are harsher because you can't reuse a password that's less that two years old. Also, they run a password cracker against everyone's passwords every once in a while, just to make sure people really are making good passwords.
I like to use mathematical formulae. I memorized them years ago -- might as well make use of them now.
It's always a long day... 86400 doesn't fit into a short.
Every 90 days has been the standard everywhere I've worked. For us Sysadmin types it's every 30 days. I can keep up with it, but many end users with the 90 day restriction do exactly as you describe. They write them down, they use the same repetitive patterns, whatever. One user I used to support had a page of passwords in a little notepad he kept in his desk.
All I can really do is tell them the truth: If anyone gets on the network with their credentials they will be held responsible for what happens. It's hard enough just getting people to lock their screens when they go to lunch. One user got reamed out pretty badly when someone used her email account to send a scathing note to the CEO. The only reason she didn't get fired is that she was at lunch with several people who could vouch for her whereabouts at the moment the email was sent.
"An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
And the master password to this file hasn't ever changed... heh
Avantslash: low-bandwidth mobile slashdot.
Never underestimate the power of human ingenuity. We had the same problem at one of my ex-employer - there was a policy to change passwords every month. Initially, you could not 'recycle' a used password until ten entirely new passwords were used. Later on this was increased to 24 unique passwords before you could reuse the original password. People started forgetting passwords (3 failed login attempts and you are locked out) and started to write them down on post-it notes, etc. Some folks came up with an easy to use "formula" to generate unique passwords - crack the "formula" and you can easily find out the password.
The whole exercise of frequently changing passwords for security got compromised because it became cumbersome and annoying for people to keep remembering unique passwords. The policy looks good on paper - but as long as the human element is not factored in, it will not be effective.
Just use the Diceware method and stop whining.
To cash in more often for chocolate bars!!!
Try using a different subset of characters of pi encoded in hex.
Just. Like. That.
At MyCorp we tend to move haltingly and staggeringly towards greater security and inconvenience. [No, we're not quite up to military standards where no security policy, no matter how stupid and ineffective, would ever be rejected on the grounds that it caused inconvenience:)]
There's a well-known tradeoff between security and convenience, but it's possible to not be on the maximum locus of that curve: i.e., it's possible to have incredibly inconvenient security policies that provide very little actual security.
Anyway, given that 8 character gobbledygook passwords can be brute-forced in increasingly shorter time intervals which, at some point, make it tough on users to remember new passwords, we're moving towards SecureID.
"Provided by the management for your protection."
"I forgot my password! It changes too often."
You've gotta do what everyone else does and write it down. Stick a copy in your wallet, under your keyboard, on the side of your monitor, etc. Now I'll just use my admin login to reset your password and you'll be on your way.
change your os to linux and not have to worry that much about security in the first place?
I'm actually not allowed to use two consecutive letters in my password to one government system. Every letter must be followed by a number. It also must be 8 characters, no more, no less, and can't contain any punctuation or special symbols. It changes every 90 days. And you can't reuse old passwords, either. Ever.
So, my first password was A1A1A1A1. Guess what my next one was?
There is always a bigger risk. 8 character random alphanumeric is a around 40-48 bits of protection, depending on if you mix upper and lowercase (harder to remember). I've written a strong password generator here. While 8 character alphanumeric is breakable, especially at 40 bits, it's unlikely you'll encounter such perserverance. A 90 day rotation will ensure that password crackers need to re-sniff your network for login hashes every 90 days, and limit their time to take advantage of a broken password, but beyond that it's just going to ensure that more users will write down their passwords. There is no set amount of time needed to break a random password. They could break it in a day or never. A rotation isn't going to have the effect of making them start over or anything.
There are plenty of bigger risks to worry about than someone bruteforcing a password. They could get passwords by other means. They could walk up to a pc that's already logged in, and either use it immediately or install a trojan for later use. They could sniff your network. File sharing and email are usually unencrypted. They could hack your dns server so that requests go through them. An employee with priveledges could steal or alter data.
And just change your damn password. In fact, I'm calling your admins right now and telling them it should be 16 chars and changed every 2 weeks, just because your password right now is "pussy13".
I work at a medium, mango-hued company and we had to implement the same policy for "security reasons." I get about three calls a week asking for passwords to be reset.
The 90-day, eight character line-noise password policy has nothing to do with security: it's required for our security certification by a security company who has a good reputation. Either we comply with whatever such a company tells us to do, or banks and merchants and credit companies will refuse to do business with us. Oh, and we have to pick the right company so that we don't have to pay another >$10,000 to get re-certified by another expensive name.
Sucks, but c'est l'entreprise.
The bank I worked for implemented a "change your password every 60 days" rule the same year they handed us one of those motivational desktop calendars that had a word of the month like "teamwork", "integrity", and so on. The password checker would not let you repeat your previous passwords, but it did NOT check for dictionary words! So whenever it nagged me to change words I would just reach up to the desk calendar, flip over to the next month, and type in the word of the month. Certainly solved the "where can I write it down" problem. Anybody walking into my office would just think that I did not keep the calendar up to date.
www.HearMySoulSpeak.com
just use a paperback book, change the book occassionaly. All you have to remember is the page number, paragraph number and line number, those are your random digits that preface or follow the letters. They refer to the phrase or sentence in that location, where you get your letters. Interposing can be your choice of course, straight ahead or rotating backwards to forwards, etc. Example page *237(insert first word)*, paragraph *5(insert first word)*, line *4(insert first word)*. Ton of variations on that theme, and in this example you only need to remember *23754* in case you forget the entire passphrase sequence. The book can be an ebook for that matter on your PDA or any other stealthy/innocent written thing you have handy. Throw in some special characters and it gets even more difficult of course, or instead of inserting a word, do several words that you find there within the number and special characters. You can add an additional wildcard to help stop a dictionary attack on the word, add a 4th digit, that reminds you to remove every 4th letter from every word for example, or add a special character at that place. So then you would only have to remember in this example *237544(insert special character to remember this cycle)* for your hint. One more number added to the initial memorized number is an additional hint as to where to look if you forget the whole thing, example, 2375448 would be a hint to look at book 8 for the other hints on your shelf of tech books perhaps.
.45, a bag of cash in well used bills, several gold pieces, and a really fast motorcycle. Might as well have fun during your escape I always say;) Oh and don't forget the self destruct key for your cubicle....
One time pads especially when it's only you using them and not two or more people are a good thing. Of course it won't beat a boss injected keylogger someplace in the mix. In this example, even if joe bad guy has your book,and knows you are using it, those sorts of combinations are immense, especially with the special characters on the keyboard to use. And if it's gotten that far you are most likely cooked anyway, so time for plan B to avoid the rubber hoses, heh. I recommend a
Don't want to use a book, you can use something like the playlist and metadata for the song on your music player gadget. Example song 909, beatles, heyjude, something minutes and seconds or something KB in song length,etc. You only need to rember one song title per 90 day period then, along with the original placement number in the menu.
Ton of ways to do a one time pad variant easily, you just want it stealthy so no one realises that's where your passphrase hint is stored. Do you get any quarterly journals of the dead trees variety? You can use that, fits the 90 day rule too, and an excuse to have that journal kicking around already. You could do it optically with random "things" that are around your office. Look up, you might have a calendar, some houseplant, a picture in a frame, the color of the wall, how many tiles on the ceiling between x place and y place in the office, etc. Just rotate your junk around, then all you have to do is look at the placements, along with that quarters number sequence you remember. Example number 48910(wildcard character), this quarters passphrase might be january4*spiderplant8*mom9*cream10*
have fun
IMO, 8 chars, complex, changed every 90 days is the absolute minimum for password strength for any system beyond generic webmail or /. accounts.
Linux: The world's best text-adventure game.
DOD mandate.
And I work in the HMO world, but one of our customers does work for the DOD and thus we have to comply with the standard.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
My company has a password policy like that, and it requires longer than 8 characters, checks similarity, forces changes every 90 days, etc. There are a bunch of systems that require passwords, and they started to unify them, but in the process made it harder--we're left with a number of passwords that have similar names, plus random other systems with passwords that aren't unified.
You're not supposed to use any keychain type thing like what's found in macs or various browsers.
I checked recently on the IT web page (because I had forgotten my password) and there was a little note in the corner that said it was now "acceptable to write down your password as long as you keep it hidden in a file cabinet" or something to that effect.
The net effect is much lower security. It would be much better to enforce selection of strong passwords (and teach people how to choose strong password with mnemonics so they don't forget) and not require such frequent changes.
(posted anon to avoid any chance of identifying the employer)
... a small, spiral bound notebook, and write 'em down. At least that's what I did...
The paper's also good for keeping you warm when you get sick of working there & quit. So's the navy blue sweatshirt I got 2 days after I left.
Yes it sucks, suck it up and write them down. Lock it in your drawer. Bring your key home with you, and your secure. (At least that was the company policy when I was there. God, I hated those workstation security audits.... if it wasn't labeled 'Non-Confidential', you failed.)
-beaker
are very handy. I have about 45 passwords stored in mine.
;-)
My password app includes a utility to generate random but pronounceable passwords (which I don't generally use). My coworker told me one of these a year ago. I haven't used it in 9 months, and I still remember it. Oh $%^*, the system probably expired it.
I get *SO* pissed at these password fascists, particularly when their
3 27&cid =11054456 for
rules reduce my password security.
I use secure, easy to type, and easy remember passwords (see
http://ask.slashdot.org/comments.pl?sid=132
details on that).
I never reuse passwords except in a few rare circumstances (on
different Linux computers I personally control I reuse some
passwords).
To keep track of all those passwords I bought a (relatively
inexpensive) Palm Zire 31. On it I run Gnu Keyring
(gnukeyring.sourceforge.net). I have one significantly secure
password that I then use to encrypt all my other passwords. I backup
this Palm using an SD card. I also back up to via IR to my Linux
notebook where there is a client that can decrypt the data.
I also have a Palm-based phone (Samsung i330) that can run Gnu
Keyring--but I don't trust it. It makes mysterious 10-second data
calls that bother a paranoid such as me. Yes, I don't have any good
reason to trust the Zire 31 either, but I keep it nearly incommunicado, I
don't need to trust it so much.
I recommend Gnu Keyring.
-kb
Pick a certian book off your shelf.
Third word down (left hand, first word) on page 51.
Suppose the word is "broken". Capitalize first/last letter, and password is...
B51roke3N
All I have to remember is which book, page, how many words down. This is often easy, because you can remember what the page looks like, especially if you pick a page with pictures on it.
Now return the book back to your shelf.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
The problem here is not that the security people are stupid. It's just that they're trying to secure an authentication system that's obsolete and fundamentally flawed. It's past time to ditch password-based authentication. If I had to secure a big network, I'd get everybody smart cards. Essentially impossible to forge, and if they're stolen you can cancel them immediately. But the crucial detail with a physical authentication device is that when it's stolen, you know it's stolen -- not true with passwords.
Of course this is not a cheap solution. Which motivates security people to try patchwork solutions like this one, even though the "solutions" often make the problem worse.
Passwords, as evil as they are, will not go away any time soon. So I might as well mention the product that I use to generate and store passwords: RoboForm.
The Securid and Cryptocard tokens are a cool way to make a system a
lot more secure, but they have their downsides: High cost, and they
become cumbersome if there are multiple instances to carry around.
I have a poor man's alternative that accomplishes a lot of their
benefits. A Securid/cryptocard that never changes! Seriously, login
with three factors:
* Who you are (username)
* something you know (a not terribly secure password)
* something you have (long written "user code")
This way knowing who the person is (or his/er user name) isn't
sufficient, knowing the password is sufficient. And knowing both
isn't sufficient--you also need to have the user's wallet or purse
where the user code is stored. But finding the wallet or purse alone
isn't sufficient because the (short enough to remember) password isn't
written down.
It is just as good as the Securid/Cryptocard except it doesn't change.
Not changing means that keyboard sniffers are still a risk, but a
written card is way cheap to produce and rather compact to carry
around.
Too bad there isn't a PAM module available to implement this.
-kb
I use secstore, I don't have to remember my passwords and they can be as long and as random as I like.
All I need is the password to secstore, which, in my case, is on the LAN.
secstore client - man page - for non-plan9 systems is now available as part of the Plan 9 from User Space project.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Don't even bother researching into this as you won't be able to change company policy. Unless your the one who oversees Sarbanes-Oxley and can tell them that the 1 paragraph on IT doesn't mean all of this.
It will do one thing. Increase calls to tech support for locked accounts. Both from the 90 day expiration that was missed and for locked accounts from forgetting passwords.
Depends on who you want to keep your stuff secure from. A collegue and me keep some of our passwords to computers on a sheet of paper posted on our cubical wall. The kicker is this. Most of the computers are accesible only by modem (and the #'s are not there) or are on our VPN (the VPN IPs are listed, though). These machines are not mission critical. The only people we have to worry about stealing the passwords are other employees or people who can get access into the building (hint: not many). Our main concern is not someone inside getting access, but someone from the outside. If someone on the inside wanted to do something, we figure there is nothing we should do, so why bother. Thats our logic for our shared passwords. As for our personal passwords? I use 9 characters that would take a while to brute force. Anyone on the outside is going to have trouble. Anyone on the inside, it's too late to do anything about it.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
You can either spend a few months creating your own Rainbow Tables http://www.antsight.com/zsl/rainbowcrack/, or you can buy the 64GB tables for $640, http://www.antsight.com/zsl/rainbowcrack/rt_price. txt.
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
I have Password Safe installed on my PDA, as well as my USB Flash drive. I use that to manage my passwords. It's a bit of a pain to keep the two in sync, but not too bad. I used Diceware to generate a fairly secure master passphrase.
IMHO, more important is correct systems security policies. Slow response/lockout to eliminate dictionary attacks. Strength is _NOT_ needed if the cost of guessing wrong is high (ie not /etc/passwd with hashes). Changing passwords is perhaps more justifiable, but better still is disabling unneeded user accounts. Weaker passwords are less likely to "leak", so won't need changing as often.
There are Unix/Linux versions of PasswordSafe that works quite well and use the same file formats as the original windows program (although check the version number for compatibility ...). Maybe not as convenient as that list of passwords in your wallet - but reassuring that there is at least a list of encrypted passwords stored somewhere safe!
http://passwordsafe.sourceforge.net/
Qt-based version
http://www.semanticgap.com/myps/
command-line only version
http://nsd.dyndns.org/pwsafe/
My recommendation is to use shocking nonsense for passphrase. They can be easily remembered because of the emotionally "shocking" part and cannot be guessed easily since they don't reflect a factual state of affairs that someone could easily guess. Finally, it's OK to be really "shocking" since passphrases by their nature are not public.
For example, huskynutsdriveanenomerapage. I am sure you can come up with far more shocking examples.
What does changing your password frequently do? If some one already hacked your password they probably had time to change it to lock you out entirely, Or put a trojan to tell them the new password once it is changed if they wanted to be stealthy about it.
With rainbow table projects out there and online interfaces 8characters just isnt enough. There are 300+gig table collections for NTLM, LM and MD5 that cover upper, lower and special chatacters upto 8chars.
1) If Bob always connects from the office, why allow his account access from Czechoslovakia?
2) http://www.lavasoftware.com/passwordvault.html or similar. Nice product tho... pc mac linux palm and flash drive compatible, with export and synch.
Literalism isn't a form of humor, it's you being irritating.
What a coincidence!
Citi Bank and Sun Trust sent me dozens of emails to correct my account numbers/ SSN and passwords. They are SOOO security conscious! If I had accounts at those banks I'd sure be chaning my password all the time.
Seriously. consider my approach I have all the same password challenges in spades: when you work with a $ecurity clarence, you can be shown the door for writing down a password...and yet there are typically MORE passwords involved in your work-a-day routines [stuff like you HAVE to have a max of 15 minute timeout on the screen saver and it must lock the screen.] My way, I only have to remember one MEMORABLE phrase and know the rules for each kind of password...my hash mechanism does the rest including periodic password change.
NOTE: you DO NOT set your shell to save history, you EXIT your shell when you have gen'ed the PSWD and type, don't paste the PSWD unless you know how to ####^H^H^H^HEEEE^H^H^H^H0000 out the clipboard.
Also, if you've gotten infected by a keylogger, they can see what you type but they don't have access to stdout so they still don't know your pswd until you type it in...they'd have to really break in and get your hasher app to know what the other passwords might be. But a user in that situation has already demonstrated a level of stupidity from which nothing will protect them and which earns them no sympathy from me.
Don't trust the computer, don't trust your memory, don't trust your boss, never put it in writing.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
While in theory this will work, the only thing I've ever known it to do is to cause a rainbow-colored explosion of sticky notes with user name and password information on them to be applied to the upper right corner. It makes the cube farm look like a paririe after a rain - all the little flowers blossoming....
2 cents,
Queen B
HDGary secures my bank
The force that blew the Big Bang continues to accelerate.
Kelvinator?
Westinghouse?
FisherAndPaykel?
All of them >= 8 chars, none in the dictionary.
Got time? Spend some of it coding or testing
Can anyone tell me why simple time delays aren't a big part of a solution. Eg. simply giving a five second delay every time a password is guessed wrong, and notifying the admin if someone guesses their own password wrong say twenty times in an hour. Three tries is not enough in this world these days (given that I have more than three passwords to remember at all times). With a five second delay between attempts, brute forcing your way into an account would take too long, and would have an easily identifiable pattern (eighty log in attempts in a row, time to call the user). The user is a little annoyed by a delay but probably wouldn't be put back much more than a minute tops by a bad spell of poor memory, less than a call for a password reset. Even the easiest to guess passwords are very likely to take at least a few hundred tries, something no user will have patience for. If however the cracker can get access to the password, sniff a password, etc. who cares how complex the password was to begin with? Its been compromised. If they are trying to guess it using an encrypted document on their own time, an eight character password may slow them down a little, but how long does that take these days, a day even? Another poster estimated it at around 43bits worth of complexity, and 40 bit keys are routinely broken these days right?
On another note... why isn't it routine policy to have a followup check of accounts post reset to make sure the default password isn't still in use? Typically these are the easiest to guess (know anyone at a company who's had a password reset and you can probably guess what collection they are using, possibly allowing guessing in less than 100 attempts. Case in point, IR at the school/hospital I work resets passwords to things like September etc.. Know a disgruntled secretary who's had her password reset a few times, you can probably come up with 100-200 pretty damn good guesses by inference. If they've reset the account, then a day or so later it should be changed and they only have to test one password.
At the navy company the poster describes, not only are the new password requirements as described, but the intranet still relies upon unencrypted communications. Many servers don't even have an encrypted way to log in!
Strong password requirements are all fine and good, but your 256 kilobyte password rotated hourly doesn't mean anything when you have to telnet or ftp to a box to log in.
Honestly this whole password thing is idiotic. Companies are finally answering to the security risks of ten years ago. At this rate by 2010 they will be fixing sql queries based directly off user input. when it comes to cracking/stealing a persons password the best method now days is always to steal. It doesn't matter if your password is 3 pages long if you give it to me I will be able to log in as you. strong passwords are only as good as the minds of those who use them. Add to that the fact that the longer and more complex a single password is, the more likely the employee is to use that password in multiple places. Lets say I want access to a companies VPN, even if I don't know how strong the passwords are, connecting and trying a bunch of easy ones would be pretty dumb. Instead 5 minutes on google will tell me the name f Joe Blow who works there, what his email address is, and a whole bunch of things that he is interested in. So I email Boe Blow with targeted spam, tell him about this amazing new website that just happens to be a community of people with exactly the same interests as him. He goes there and finds out that he needs to set up an account to view the forum. So he has this 10 page password from work that he has already memorized anyway (he wouldn't want anyone breaking into his forum account) so he goes ahead and puts it in the password field. Turns out the forum kind of sucks so he promptly forgets about the site. TADA VPN access, and it only took 20 minutes. This works more than 50% of the time, and the average company has a few more than 2 employees. Watch 90% of the people who see this change their slashdot passwords. :)
Crawl This - http://darkry.net/test/test.php
I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times.
Whaaaaat? Why the hell would you have more than one password?
...played Uplink.
To anybody who wants the joke explained: this is what you would have to say to get into a bank. You buy the voice recorder program, check the administrator's voice number at the bank's public site, call them, open voice recorder, it changes their mutterings of "hello? hello?" to "my voice is my passport. Verify me". Then you connect to the bank and wheeeeee!
First, when you Ask Slashdot for actual research or empirical evidence to support a widely-accepted hypothesis (such as changing passwords often improves security), you get a bunch of anecdotal drivel. I know this from experience...
f /index_fil es/sachas_transfer_report.pdf
l AuthSecuri ty.pdf
t tp://contra costa.edu/hpc/FaST/2003/Bonnie/passwd_sec.pdf
That being said, here's at least one academic paper on the subject:
http://www.cs.ucl.ac.uk/staff/S.Brostof
An interesting quote:
"forced password changing causes password problems. The result was highly significant." followed by actual statics demonstrating the significance.
Here's a white paper that seems to argue that complex passwords only provide real protection if you're able to reduce the number of passwords needed (this may just be a marketing pitch for a single-signon product)
http://www.protocom.com/whitepapers/Eva
Most opinions that complex passwords and often changed passwords are more secure are probably based on the presumption that such policies increase the time required to crack a password:
http://scholar.google.com/url?sa=U&q=h
However, as far as I can tell, no one has really gone out of their way to scientifically compare the effective security provided by various types of password policies in "real world" situations like you describe.
This should be done by the programmers. Easiest ways: Salting and Stretching.
Stretching means doing hashing the password repeatedly. Hashing is fairly expensive, so the complete operation should take about 1-1.5 seconds of CPU time. This is fine for a user logging in, but will stop anyone trying to do a dictionary attack with 2^30 different passwords.
Salting is having a, say, 256-bit value stored which is appended to your password when you try to login. The salt is not kept secret, but everyone must have a different one. This means that a dictionary attack will collapse when all the passwords have to be re-hashed in order to test them against a different users hash.
Because people can then afford to use worse passwords, the number of Post-Its will decrease and security will increase.
A far prettier alternative is KeePass. It uses AES-256, can run off a USB drive, and you'll find it easier to get others to start using it, due to its ease of use and lack of a butt-ugly interface.
Use ISO 8601 dates [YYYY-MM-DD]
I work for the HP Corporate Solutions subdivision of the company I work at and currently we are doing an order of about 4000 Pcs Australia-wide for a automotive company, but the thing is on every single computer the password is either going to be 1 out of the 3 possibilities depending on what kind of branch it is... Thats just stupid i think.... and IF the password is different to one of the 3 official ones we have it reset to an offical one.... not only that but all the users on the computers have admin rights on the computer.....
Accept any challenge, No matter the odds.
I think that the project was begun by Bruce Schneier, of "Applied Cryptography", "Secrets and Lies" and "Cryptgram" fame. But now the utility is open-source and multi-platform.
Note to ACs: I won't mod you up, even if you are being funny or insightful. So take a chance! It's not real life!
Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But the suggestion that system security admins and developers need to make deeper security mechanisms such as "suspision engines" that compare traffic on your account against profile of "normal" usage strike me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.
The timing of the art. is unfortunate as noone is going to be reading comments this late in the posting cycle.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
In which case, changing passwords periodicially is still a good practice for providing a degree of protection relative to a password that's never been changed.,P>
Requiring you to have distinct, different-schedule passwords on all those systems is dumb. Obviously, you'll write them down or otherwise store them someplace.
... caveat emptor), and it can enable you to have *one* *good* password that changes periodically.
While requiring strong, hard-to-guess, periodically changing passwords makes sense, it also makes sense to help you keep one password everywhere, and ensure that systems are not individually easy to compromise (creating a system whose compromise could be leveraged to attack others).
Password synchronization is a mature technology, there are lots of vendors who make working products (I work at one
I wouldn't be surprised to see the help desk volume spike at your organization once this policy comes into effect, because real users can't remember 10 different passwords...
Just about every IT person I've ever talked to (not to slam IT, 10+ years of my career have been IT) seems to take it as gosepel that users must be forced to change passwords every X days, unless you want hoards of hackers in your network.
The step nobody ever does is ask "Why?". Um, it's obvious isn't it? I don't want hackers breaking into the network!
Why force password changes? Either A) you're assuming a password has been compromised, in which case you should pay more attention to auditing so you really know when, and fix the leak, or B) you're assuming brute force attacks, in which case you need to actually measure the median attack time, and possibly increase it (delay between attempts, salt passwords, etc)
If someone has actually done B), great, force password changes. But implementing a security measure just because it gives you a warm fuzzy feeling just leaves you warm and fuzzy, and ignorant.
I'm not so sure you're right. I think that post-it notes may be the way to go these days. As much as I loathe making "war on terror" references, one big point illustrated in that whole struggle is that one of the best ways to defeat a high-tech giant is to go uber-low-tech. The NSA's ability to hack into any system on Earth didn't do a bit of good when the enemy didn't use computers. We've forgotten how to be low-tech spies.
I think the analogy here is obvious -- password theives are freaking good today against your average Joe (who, admittedly, is a tech-wise moron... he would type his same password into a hot new web group). One thing they don't do too often, though, is actual footwork. Finding the post-it note requires actually going to your desk and physically stealing your stuff (or just looking at it). For a hacker, this is freaking hard.
I think a handwritten page of passwords kept in a relatively secure location in the average Joe's office would be tons more secure than these lame password rules that companies implement that end up having the problems discussed here.
The biggest advantage is that even tech morons understand how to keep a secret list! Also, if physical documents are compromised by an entreprenurial janitor or officemate, they tend to leave physical evidence. I suspect that cyber-criminals are not very good at covering their actual tracks, CSI-style.
I think the most secure thing companies and organizations could do to fight against the kind of talented amateur hackers that are all too prevalent today is to secure their data as much as possible without computers. Personally, I think it would be sweet-assed to see a return to some Cold War-era steganographic techniques, esp. considering that they are relatively cheap now and give us all the chance to feel a little like James Bond.
What I've suggested makes you less secure against a hypothetical enemy with huge resources, like if you might be investigated by the government, but makes you very powerful against the nameless horde of zombies roaming the internet and snatching everything they can get a hold of. If you keep your most secure codes in the real world, nobody in the matrix can get you. Can you dig it?
So, print out a big-assed page of weekly passwords... if you want to be really secure, type the bitch on a typewriter! You don't have to remember jack, it's easy to list on the paper where you've used each one, and if you do the proper 1990's era password safety that companies are using now, you'll be pretty damn secure.
Using passwords which are correct English sentences isn't much better.
Correct English sentences have about 1.2 bits per character. That means that for 10 words of 5 characters each, you have 50 characters which are 60 entropic bits (~7.5 entropic bytes).
That is as strong as a 10-character password, or so, but much much longer.
Not sure this is the solution.
I think that whatever is easy to remember, is easy to remember because it has low entropy and is easy to attack.
The solution might be to use non-human memory? USB disk-on-keys containing crypto keys?
I really wonder, when crackers are trying to hack passphrases, wherever generators with language-rulesets will arrise trying to construct valid "likely used" sentences.
Once you get that, you'll have the same problem once again... (but perhaps some nice grammar-tech out of it coded up by kiddies)
(Or ofcourse databases with silly but catchy punchlines.)
I think we can keep recursing like this until someone returns 1
are retrieved on presentation of a thumb
Do you get the thumb back, at least?
paintball
Job security for IS drones, that is.
paintball
The solution is:
Engrish!!!
Anyway, there on the monitor of the computer used to calculate the firing solutions for the nuclear missiles was
Now, before you get worried, door to said control room is constantly guarded inside and outside by people with guns, and is located inside the center of a secure area inside a naval base, behind two security checkpoints....so I guess the screensaver password or whatever the Post-It note went to just isn't part of the big picture plan. (Also there is a very specific process involved in the missile launch obviously, the computer really wouldn't help you.)
But anyway, I thought the irony involved was pretty good. Even in the (theoretically) most secure areas in the world, people are still finding ways around security measures that are obnoxious and not perceived as useful. I would have gotten a photo, if I'd been able, just for fun
If there's a lesson here, it's that your users will find ways to get around security that isn't both useful and convenient.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Funny, and so true. -- Moderate parent UP.
Keyloggers!
2 minutes alone with an XP/2000/NT/3.1/DOS box in a conference room allows me time to add a software keylogger that will email me the longest passphrase you can type.
How?
1) boot (CD/Floppy/USB Key) to a freely avail linux distribution with tool to reset local admin password
2) install key logger as local administrator
2A) Wait for (sysadmin,manager,developer...)
3) read email logger sent with all the passwords
Or a hardware keylogger if i'm in a hurry or they have a linux desktop.
Depressing!
Forget passXXXXXXX! Time for 2factor (with time dependency). Anything less and you're kidding yourself and lying to your CIO.
Cheers.
(If you can prevent this attack - Please post!)
I don't change my passwords that often but they seem pretty secure to me.
Typically, they'll be 10-20 characters long, refer to extremely personnal events, include digits that relate to the event and a few character replacements that make sense to me but not necessarily to other people.
For instance, I've used the pillow name I gave an ex with the last 2 digits of her birthdate and adding in a couple typing errors I commonly make.
That kind of password is easy to remember, can't be found in a dictionary and can take years to crack on large system.
Another scheme I'm thinking about is semi-randomly mixing character codings in the same password, like ANSI and Unicode.