Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, it is an uncanny coincidence that Technology Review runs an article today in which
Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But Schrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
is "god", because I heard from a good source that only the most "1337" admins use that!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.
Beep beep.
Sounds like the combination to some idiot's luggage...
"Nature bats last..."
I don't understand this. Can someone elaborate please?
... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?
Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.
Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.
Those keys were starting to be a bother in my pocket.
Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villains out of your life.
-Teiresias
There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer app to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.
MakePassword.com Mp3 Blog
Maybe I'm missing something. If you are going to compare usage of the system to see if the user is doing something unusual, don't you have to let them use the computer for a little while before you can make that call? If a malicious user was logged into someone else's account, they would still have plenty of time to do harm before an algorithm could definitively say they weren't who they said they were. Am I wrong?
-dave
http://millionnumbers.com/ - own the number of your dreams
There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect login will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but it still could be out there.
In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp. when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.
"This is you left and that's your left. This is your right and that's your right. You're gonna die!
Why permit reusable passwords when you can use hardware tokens or free one-time password systems such as OPIE (formerly Bellcore's S/Key project)?
Most free Unix systems ship with SHA-1 capable S/Key support included.
In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
If they are so weak why use them? I bet that Michael Schrage has a password on his computer. I guess I'd better listen to him and get rid of my passwords.
Passwords will always be beneficial in helping to establish accountability.
Passwords are less about keeping people out and more about making people accountable.
Sigs? We don't need no stinking sigs!
The user will always be in the security chain. Ergo, no security chain can be made stronger than the user; ergo, having the user be the weakest link is a good thing. The key question is what aspect of the user the weakness is predicated on: their memory? Their gullibility? The uniqueness, identifiability, and irreproducibility of biometric data?
//Information does not want to be free; it wants to breed.
Passwords are only good security for the average user if a malicious person doesn't have physical access to someone's machine; anyone can read a sticky-note on the monitor with all of the user's passwords on it!
Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.
/. =)
While I value my rights to privacy as much as the next person, how is this an invasion of privacy? If I am browsing a site, and it thinks I am a fraudulent user, and it makes me perform something to validate myself, how is that an invasion of privacy?
Seriously, are you afraid Amazon's tracking of your browsing habits is wrong? Should they not do that? I mean, you're willing to hand out your credit card to them, but please, don't let them track you!
Okay, calming down now. I just find it wrong that we will jump all over these security measures as an invasion of privacy because they could possibly be used for illegal things, but are very protective of various music downloading technologies because they could be used for legal things.
Welcome to
Jason Lotito
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.
Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have in that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using people's passwords to crack into their accounts on other sites.
These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
It's inherently immoral to deny access to your data to anyone who wants to see it. All that information wants to be free! How dare you lock it behind passwords, and try to find even more oppressive methods of keeping it in chains?
Don't blame me; I'm never given mod points.
I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.
I couldn't believe my eyes...
Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.
I agree that passwords ARE useless.
"but that's the combination to my luggage"
as quoted by any Mel Brooks film
When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in and moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Ivanova: Peekaboo?
Garibaldi: Would you have guessed it?
that monitors usage activities and alerts suspicious activity seems like a good idea...
But think about it. How often do your usage patterns change. I might be an atypical user, but my network packets don't keep the same pattern for now; I have a meta pattern that shifts every new project. This week I've been exchanging a lot of packets with our file server, talking with source safe, access databases, and collaborative UML modelling.
Last week nearly all my packets were terminal services to the production environment for one of my clients.
The week before that I was almost pure database.
I think if you tried to monitor usage activities, there would be enough users like me to break the security model completely...
I am disrespectful to dirt! Can you see that I am serious?!
It is so easy to steal accounts, and I don't mean with a password either. I don't believe they fixed it yet.
There is that cartoon somewhere on the net:
"Please enter your new password"
- {snigger} "PENIS" [OK]
"Your password is too small."
- {cowers}
I think that sums up users and passwords...
I would prefer to see research on the effectiveness of behaviour monitoring.
I believe the credit card companies use this type of technology. Why not see what their real usage yields in effectiveness?
No password length can match a biometric, especially mine.
Help me out, are you dissing the security of your own password, or are you bragging about the size of your biometric?
Accountability on the heads of the powerful.
Power in the hands of the accountable.
It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognition of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).
Users should always be advised of any failed attempts to gain access to the account after a successful login, a feature that is lacking from most current systems.
I'm an American. I love this country and the freedoms that we used to have.
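One way a login service could implement the detection the comment above describes, written here as an added example that is not from the article or any real system: failures are counted per account and per source address inside a sliding window, the account is slowed down after a handful of misses, the address is blocked after a dictionary-sized burst, and every successful login reports the failures that preceded it. The log line format, the thresholds and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for the example: "<date> <time> OK|FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL)\s+user=(\S+) ip=(\S+)$")

WINDOW = timedelta(minutes=10)   # how far back failures are counted
DELAY_AFTER = 5                  # failures on one account before slowing it down
LOCK_IP_AFTER = 25               # failures from one address before blocking it

class LoginMonitor:
    def __init__(self):
        self.account_fails = defaultdict(deque)  # user -> timestamps of recent failures
        self.ip_fails = defaultdict(deque)       # ip   -> timestamps of recent failures
        self.since_last_success = defaultdict(int)
        self.blocked_ips = set()

    @staticmethod
    def _prune(times, now):
        # Drop failures that fell out of the sliding window.
        while times and now - times[0] > WINDOW:
            times.popleft()

    def observe(self, line):
        """Feed one log line; return the list of actions it triggers."""
        m = LINE_RE.match(line)
        if not m:
            return ["unparsed"]
        ts, outcome, user, ip = m.groups()
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        actions = []
        if ip in self.blocked_ips:
            actions.append(f"reject {ip}")
        if outcome == "OK":
            if actions:
                return actions  # a blocked address gets no session even with the right password
            n = self.since_last_success.pop(user, 0)
            if n:
                actions.append(f"notify {user}: {n} failed attempts since last login")
            return actions
        self.since_last_success[user] += 1  # shown to the user at the next good login
        if actions:
            return actions
        for table, key, limit, verb in ((self.account_fails, user, DELAY_AFTER, "delay"),
                                        (self.ip_fails, ip, LOCK_IP_AFTER, "lock_ip")):
            times = table[key]
            self._prune(times, now)
            times.append(now)
            if len(times) == limit:  # fire once, when the threshold is crossed
                actions.append(f"{verb} {key}")
        if f"lock_ip {ip}" in actions:
            self.blocked_ips.add(ip)
        return actions

def analyze(lines):
    """Run the monitor over a whole log; return (actions in order, blocked addresses)."""
    mon = LoginMonitor()
    actions = []
    for line in lines:
        actions.extend(mon.observe(line))
    return actions, mon.blocked_ips

def sample_log():
    """Constructed sample: alice mistypes twice and then logs in; an unknown
    address runs a short dictionary against bob's account; bob logs in later."""
    lines = ["2004-05-12 09:00:01 FAIL user=alice ip=10.0.0.5",
             "2004-05-12 09:00:04 FAIL user=alice ip=10.0.0.5",
             "2004-05-12 09:00:30 OK   user=alice ip=10.0.0.5"]
    for i in range(28):
        lines.append(f"2004-05-12 13:15:{i:02d} FAIL user=bob ip=192.0.2.9")
    lines.append("2004-05-12 18:00:00 OK   user=bob ip=10.0.0.7")
    return lines

if __name__ == "__main__":
    for action in analyze(sample_log())[0]:
        print(action)
```

A server that stores only password hashes cannot tell how "close" a guess came to the real password, so the burst count and the since-last-login report are the signals it can actually act on.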
From TFA:
Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?
While the article continues to say that simple passwords are good, it overlooks the other half of the equation: the ATM card. Without both, no access is granted which seems to be the strength of the ATM.
The prevalence of password-only authentication seems to be a hardware problem. Everyone has a keyboard, but almost no one has (for instance) a SecurID token.
A USB dongle might be the easiest solution, although standardization is obviously a problem. Gawd knows I wouldn't want to have one USB dongle for yahoo, one for NYTimes, one for my bank, et al.
A Human Right
I find that the following passwords are virtually foolproof and keep my Gibson purring like a kitten to do exchanges with oil ships:
1. Love
2. God
3. 28.8_baud_modem
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
As soon as everyone in the office knows everyone else's password, you have no more accountability than if they signed in with user name alone.
I've had to ask somebody for their account name, and they tell me: my account name is .... and my password is . . . . .
Or, how many passwords I've found on the backs of keyboards, or on post it notes stuck to the desktop or monitor.
The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.
Sidebar
Factors are things you need to prove your identity and there are three types -
"what you know" - typically a password
"what you have" - typically a card, token, key fob, or digital certificate
"what you are" - typically biometrics
End Sidebar
The ATM example is 2-factor, which is inherently more secure than a password, which is single factor.
A far more secure approach would be to implement a two-factor authentication mechanism; however, this increases cost and overhead (AOL is now offering this as an option, for a fee of course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.
While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.
Where oh where has my Underdog gone?
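A worked illustration of the hash-chain one-time passwords behind the OPIE/S/Key comment earlier in the thread, and of the "password changes after each use" schemes mentioned in the two-factor post above. This is added example code, not OPIE's or S/Key's own implementation: it keeps the chain idea (the server stores only the current top of the chain, each login spends one link, an observed password cannot be replayed) but uses raw SHA-1 with no S/Key folding or word encoding, and the passphrase, seed and chain length are made-up values.

```python
import hashlib
import hmac

def one_way(value: bytes) -> bytes:
    """One step of the chain (SHA-1, as the S/Key comment mentions)."""
    return hashlib.sha1(value).digest()

def chain(secret: bytes, count: int) -> bytes:
    """Apply the one-way function count times: h^count(secret)."""
    value = secret
    for _ in range(count):
        value = one_way(value)
    return value

class SkeyServer:
    """Holds h^n(secret) and never the secret itself."""
    def __init__(self, top_of_chain: bytes, usable_logins: int):
        self.stored = top_of_chain
        self.remaining = usable_logins  # logins left before re-enrolment is required

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False  # chain exhausted; the client must enrol a fresh chain
        # The presented value must hash to what we hold; a replayed value will not,
        # because the stored value has already moved one link down the chain.
        if not hmac.compare_digest(one_way(candidate), self.stored):
            return False
        self.stored = candidate  # this link is now spent
        self.remaining -= 1
        return True

class SkeyClient:
    def __init__(self, passphrase: str, seed: str, count: int):
        self.secret = (seed + passphrase).encode()  # simplified: real S/Key folds this
        self.next_index = count

    def enrol(self) -> SkeyServer:
        """Hand the server the top of the chain; h^0 (the secret) is never presented."""
        return SkeyServer(chain(self.secret, self.next_index), self.next_index - 1)

    def next_password(self) -> bytes:
        if self.next_index <= 1:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        self.next_index -= 1
        return chain(self.secret, self.next_index)

def demo(count: int = 5):
    """Fresh OTP accepted, replay of the same OTP rejected, next OTP accepted."""
    client = SkeyClient("correct horse battery", "seed1", count)  # made-up values
    server = client.enrol()
    otp = client.next_password()
    return [server.verify(otp), server.verify(otp), server.verify(client.next_password())]

if __name__ == "__main__":
    print(demo())  # [True, False, True]
```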
Look at this small device for your passwords:
http://www.netchilds.com/product_password_keyboard.html
Calm down. Warning : RTFA : Developers at play : Roundtable discussion regurgitated as ruminant principles. This is standard bassackward engineering. Take sound tested principles and piss all over them in favour of the next big thing. Let's wander past engineering before we start the marketing engines.
Yes, I know. Silly me, it's not boring. It's New, Improved and with [Insert Trademark here]. Oh wow, you actually have a shipping product? Version 1.0? Nah, ProductX _is_ mature and the, eh, the flaws are readily apparent, eh, flaws, guys, u see this? Hold up! No worries, Version 2.0 is here! Yay!
No wait, DeveloperX just had a brainfart, let's go with the original plan. It's the bestest! Hmmm, unemployment is fun! I like feeding my family ramen.
I'll bite, right after the Fortune 1000.
In the future only elderly Korean people will use passwords.
Since we already know that anyone who has physical access to a machine, particularly a Windows machine, can go right through the passwords...
Why NOT write it on a sticky note? Naturally you'll want to be a little more discreet than that... put it in your filing cabinet labelled "Dental Receipts" or something like this. By the time someone's in your cabinet looking through your dental receipts, you're already toast.
The result of us telling people to not write their passwords down and mocking them for it is that now people put them in files on their hard drives, nested a couple of directories deep. Good for dealing with people who have physical access to your machine, bad for dealing with hackers.
My normal usage patterns at work might very well be exactly the usage patterns that someone unauthorized would use. So what is the actual point of such an exercise? Surely it must be impossible to predict what I need to use the computer for, and if someone else is using it for the same thing?
Biometrics should always be optional.
First, Internet accounts need to have unlimited character lengths for passwords. For example, I believe Hotmail only allows 16 characters.
Second, once we have unlimited character lengths for passwords, we then could store biometrically generated passwords easily.
Biometrics, in required situations, create problems. One, there is a privacy concern regarding biometrics, especially with the government. But more importantly, it creates the problem of what happens when someone gets both hands cut off in some freak accident.
Concerning microchips, I don't like the idea of being tagged like cattle. And it's not really removable once it's in.
I think every time you logon you should get information regarding how many logon attempts were made to your user account and a breakdown of times. It would help improve password safety by allowing users to know when someone is attempting to hit their account.
Jeoin
As products like this http://www.targus.com/us/product_details.asp?sku=PA460U/ become more prevalent (I saw one @ Fry's for 50 bucks) I hope this becomes less of a problem. A USB fingerprint reader that stores all of your passwords would be great. In order to access them you must:
1. Use your fingerprint, which brings up a dialog box where you can
2. Enter a PIN number.
That's something I would buy (and trust).
Make your passwords cryptographically secure, protect the card with a "good" normal password. That way you need your card stolen and they need to crack the PW before you cancel out your smart card.
Of course, revoking privilege from a compromised card can be tricky business. But on the up side you really need the card itself stolen for it to be an issue. Not just your account number or some such.
anyone see post-it notes around their office with things "puppy13" or "john1" written on them?
Knowing some of our people, they'd just tape their security key to the monitor.
JB
Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.
You ever seen an Apache log file Taco? All the information's already there - all you have to do is parse it.
We're continually looking at ways to improve security without making the UI less intuitive (admin system for 300,000+ domain shared hosting accounts). We're considering adding security preferences to allow users to lock down when accounts are available and where they can be accessed from.
What exactly is the problem with having a user state that they will only access their account between 9am-5pm on Monday-Friday, and that they will always log in from a machine within the USA - or in California - or in Los Angeles, etc.?
As long as the process is transparent, and optional for users, do you really need that tin foil hat?
.02
cLive ;-)
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
HA! I know your SSN now! Oh, wait...CRAP!!!
my password is inspired ( http://www.download.com/Password-Inspiration/3000-2092_4-10351879.html?tag=lst-0-1 ) by Tolkien and others ...generated from a dictionary of their works.
I don't know about you, but what I infer from the tidbits given, this sounds pretty useless. Here's my understanding, and why I think the way I do:
Presumably, the suspicion engine compares normal patterns of activity with the current patterns. Now, there's two things about this that strike me as not too good... First, a pattern is a given set of occurrences in a span of time. That span of time has to be small enough to catch and stop harmful activity, but large enough to be useful. Second, "normal" varies for each user, and so would probably have to be learned (Bayesian-style?) by the software.
Experience with Bayesian spam filters has taught us that they need a lot of user intervention at first, and reduced (but non-zero) amounts later on. You have to train it, basically, explicitly saying what's good and what's bad. Since we're talking about security vulnerabilities, what's to stop Joe Hacker from just running the little script or program that validates the current activity as valid? A password?
I think the best security available right now is biometrics, but I don't know that it's been implemented in an affordable, relatively easy-to-use, and generic format.
Also, if anybody knows of any affordable (Say, $75) biometric (probably thumb) solutions that work under Linux with PAM, give me a shout.
That's total bullshit. Computer passwords have a long tradition and they work extremely well, in particular together with simple mechanisms that disable the account after a few tries. If you have many passwords, keep them in an electronic wallet.
The biggest problem with passwords is that companies don't use secure network communications, but that's a problem in general. If we made all TCP streams encrypted by default, then that problem would go away.
As for banks, their password and card security is usually a lot weaker than that of even regular computer systems. It's not that those passwords don't get out, it's that the costs of the frequent fraud that occurs is just passed on to other users of the system.
From the blurb: Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user
Huh? OK I can see some of the false alarms but invasion of privacy? Would you, as the owner of the machine using this technology, monitor yourself? And if someone else monitored you, such as the company you're working for, you have no granted rights to said privacy.
Dedicated Cthulhu Cultist since 4523 BC.
Web _servers_ have been using SSL certs since day one. They are commonplace for web users verifying the identity of a web server.
But they can also be used for identifying the identity of the web _user_.
If client certs were more widely used by users, and more widely supported by web sites (a catch-22 situation I guess) then we can bypass usernames/passwords completely if we wish. And rely on the client certificate for identification purposes.
Then I won't have to keep coming up with unique passwords for the billion and one web sites I am a member at.
Speaking of which:
echo "example.com:mypassword" | md5sum | cut -c1-6
That will generate a unique password per site. And it still lets you easily recall what password you used. s/example.com/whateverdomainyouaresigningonat/ig
--
Linux VPS Hosting for geeks
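The pipeline from the post above, reproduced in Python as an added example (not the poster's script) to make two details visible: echo appends a newline before md5sum, so the hashed input is "example.com:mypassword\n" rather than "example.com:mypassword", and six hex digits give only 24 bits, however strong the master password behind them. The keyed, longer variant at the end is an added alternative that the post does not propose.

```python
import base64
import hashlib
import hmac

def derive_site_password_md5(site: str, master: str) -> str:
    """Mirror the shell pipeline exactly: echo adds a trailing newline, md5sum
    hashes 'site:master\\n', and cut -c1-6 keeps the first six hex digits."""
    digest = hashlib.md5(f"{site}:{master}\n".encode()).hexdigest()
    return digest[:6]

def keyspace_bits(hex_digits: int) -> int:
    """Each hex digit carries 4 bits, so six of them allow only 2**24 distinct
    site passwords, no matter how long the master password is."""
    return 4 * hex_digits

def derive_site_password_hmac(site: str, master: str, length: int = 20) -> str:
    """Added stronger variant (an assumption, not from the post): a keyed hash
    with a long output so the per-site value is not enumerable. The master
    password must still be strong, since anyone holding one leaked site
    password and the site name can test master candidates offline."""
    tag = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")[:length]

def demo():
    """Site password as the pipeline would produce it, its keyspace, and the alternative."""
    site_pw = derive_site_password_md5("example.com", "mypassword")
    return site_pw, keyspace_bits(len(site_pw)), derive_site_password_hmac("example.com", "mypassword")

if __name__ == "__main__":
    print(demo())
```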
What I would like to use is pass-sentences rather than passwords. An eight word sentence is going to be more secure than an eight letter password, and it's probably easier to remember (and not so hard to type if you're a good typist). The difficulty arises when password lengths are restricted, or when whitespace is prohibited. (I've tried pass-sentences with dashes between words, but it's much more awkward to type.)
Would the system help me find even better Armadillo porn?
"the tougher rules only make them harder for users to remember, not harder for hackers to guess"
So it's not harder to guess complex passwords like "Sh!t32" or "Dinner5pm" rather than simple passwords like "pencil" and "double"? How does that work? Most brute force programs first run through a list of the most common passwords, then do a dictionary attack, username backwards, etc. and only if those fail do they start doing character iteration.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Well, there's always a question of intent...
Sometimes you're trying to ensure that the person on the computer is who that person says they are.
Sometimes you're trying to make sure that the person on the computer isn't doing anything they shouldn't be doing.
Sometimes you're doing both. Passwords are pretty decent with the first case, but bad with the second. Suspicion engines don't really care about the first, and deal only with the second.
So, do passwords suck? Depends on what you're trying to ensure.
~S
This sig has been enciphered with a one-time pad. It could say almost anything.
Use Bruce Schneier's Password Safe if you cannot remember passwords, but saying that passwords are useless when they are hard to guess because they are hard to remember, so we should use no passwords at all so there won't be anything to guess in the first place, is the most stupid thing I have ever heard. If not using secrets that people can remember, then what? Biometrics? Oh please... From the article: "79 percent of people questioned on the streets of London revealed such desirable security-sensitive data as mother's maiden name and birth date." Really? People revealed such secrets as their birth date? Let us all stop using passwords then! This is just laughable.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
But too smart for the TSA, they still cut the lock so they could play with your vibrator in the bag!
It depends on how easy it is to get hold of that password file. If I walk over to someone's Windows machine, reboot it and lift the SAM file, I now have the opportunity to brute force that password file at my leisure without the owner being any the wiser. Once I have obtained the passwords with l0phtcrack or whatever, I have free access to that system.
Now physical access to a machine is an easy way to get the needed information. For most secure systems, that's not possible, so then it is extremely important that the passwords are kept in a user-unreachable location. Hence the reason that the shadow password file on Unix is only readable by root. The golden rule is that if obfuscated information can be read, it can be eventually compromised.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
...deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
This would need to be something akin to AI, wouldn't it? I mean what happens if I suddenly need remote access to my secured machine/account. There might be any number of movements, protocols, etc that acted/looked different enough to throw the suspicion engine and suddenly my data is locked from me. Add to this that the idea of a suspicion engine learning about me means that somehow it must contain data about my habits/behaviors that then become a whole other data set that is now a different/new level of security risk.
You can have my cynical agnosticism when you pry it from my cold, dead logic.
Biometrics are obviously the answer, but - and I'm not being facetious - in the future when we've got an increasing command on cloning it's not beyond the realm of possibility that somebody could grow a finger or an eye to get around some authentication. As bad as passwords supposedly are in this article, everybody uses them and you pretty well never hear about people's security being subverted (where the authentication was the weak point). Limit attempts to three...this makes a brute force attack essentially impossible. And in regards to people posting their passwords on a piece of paper on their desk, well you can't anticipate all levels of stupidity; if the gatekeeper is making free copies of keys for people he shouldn't be working in that position. It's hard to protect people from themselves and the only way to truly do it is to not allow access to anything.
'Tis the nature of secret keeping. What you want to do is make it harder for someone who doesn't know the password to find it out. The bigger the possible keyspace and the harder it is to brute force it, the harder it would be.
A simple single offset cipher has 26 possible keys (25 if you want to discount 0), so if you don't know the key, it only takes 25 times longer to try everything out.
Back on topic, if your users limit their password space to what they can remember, average joe will pick one he could guess, or write it down. If a user can rely on guessing for password recovery, crackers can too. Remembering the password makes for much better security. But fat chance of that if you have to change it every month.
What a user does to undermine security policies just so they will still have access shouldn't astound you. It should scare you.
I don't see how a suspicion engine would be effective against many forms of intrusion... Take a high-level exec in a company... Works late frequently, and accesses sensitive material, prints it off to take home, etc.
Janitor comes in late, exec isn't there. Opens the sensitive information, prints it off to sell to a competitor... Behaviorally, very similar.
A password is good protection against this kind of thing, but a suspicion engine would probably let it happen.
To find the holy grail of protection, you need to be sure that the users are who they say they are, and the actions they're taking are appropriate (which usually involves context). Have fun!
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
Was PassFaces; unfortunately it's a proprietary product, but a pretty good idea. Not without its faults though.
I believe it would be easier and more effective if we kind of take the best of both worlds (like ATM, password and card). Since it would be a real pain in the ass to have a card for all your IM services, e-mail and other accounts, I think it would be better if we use our traditional password, an online certificate (for our machines) and another password for the certificate in case we surf the Internet, Intranet or any other network service. The 2 passwords should be different, which will make it even less vulnerable to cracking than today's password methods.
WARNING: DO NOT LET DR. MARIO TOUCH YOUR GENITALS. HE IS NOT A REAL DOCTOR!
The lessons of Microsoft's Passport system crack/failures shouldn't be so easily forgotten. One system across the world makes ONE single point of failure.
If every other corporation has one of several dozen different security/authentication systems, then most businesses would be protected if one system was cracked.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin, however) but rather had a usb thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?
Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.
Any ideas if something like this works at all or anything like it that might be of some use?
The boffins at Bletchley Park cracked the Enigma code partly (perhaps mostly) as the German operators of Enigma machines got lazy.
The idea was that each day a new code was dialled into the machine, so no message from one day to the next was the same - even if the same message was sent.
After a few months, they got lazy as 'nobody will crack this' attitude crept in.
It was this illogical flaw that allowed the crew at Bletchley Park to start to see regular patterns in the encoded messages that led to the cracking of it.
So, yes, the bloke is right - sometimes (read: like what we are talking about here, users and computers) it is useless, because humans can't do it!
It could encode every single piece of information about you, your body and your life into one all-purpose machine-readable card that you could then carry around in your wallet. We can call it the Ident-i-Eeze!
If webmail accounts had only a four-digit PIN, then it would be very easy for a script kiddie to throw random PINs at random accounts. Three thousand accounts tested (figure you get locked out after three failed attempts) and you've almost certainly got access. It's entirely a different problem, and the author should know better.
~Idarubicin
On their phone system they ask for your account #, date of birth, and 3 digits from your security number. I've always been impressed by their system.
On a side note, I love how you never have to start telling the story from the top whenever they pass you on to another service representative. As soon as they pick up the phone it's "Hello Mr ______, how can I help?" I never thought I'd say this about a bank but the HSBC rocks!
Drill baby drill - on Mars
What could they be doing that would disallow a number as the first character?
$making $all $passwords $into $perl $variables??
Ironically, the word ironically is often used incorrectly.
Then how do new starters (eg new employees, new students, etc) gain access to the system? Or is it like a game - use the system without (apparently) abusing it for long enough and your access "levels up"?
What about new admins - are they useless for 6 months while the machine learns to trust them? Are new programmers unable to code until they earn compiler privileges?
I'll stick to my passwords, thanks.
It's official. Most of you are morons.
These simple rules are easily explained, and generally result in a password that is easily remembered (won't need to be written down), is of reasonable length, and much less susceptible to dictionary attack. That's about as secure as is reasonable to expect, for most systems. Don't force the users to change passwords arbitrarily. If you are protecting truly sensitive information, fine, but does access to one's own corporate email really require passwords to be changed every month?
If more security is required, you're better off adding something like an RSA token generator to your security scheme, than to depend on extreme passwords.
It's supposed to be completely automatic, but actually you have to press this button.
There aren't any commonly accepted password *standards*. In the absence of such consensus, password restrictions end up being whatever the admin decides, which generally means whatever requires the least work.
Special characters require special coding, which means less time to read Slashdot. So, letters and numbers it is!
a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.
simple. reconfigure the phone switch to drop all calls destined for the helpdesk number.
next problem!
kerberos exists for every system on the planet, as does USB. that way it could be a slowly implemented standard. if web sites or OSs started allowing either traditional passwords or these stronger "keys", people could upgrade slowly, or even stick with passwords if they're not paranoid.
and i know it would still be just a sequence of bits, but it could be, say, 1MB long instead of 4kB. plus, once it's in kerberos' domain, ain't nobody can touch it (as I understand it).
I should mention, though, that I would probably not use a system like this...just because I don't want to have to reach into my pocket each time I need to authenticate...
I would rather get beaten up till I cough up my password than have someone cut off my thumbs so they can get my password.
It's not as is there aren't already many alternative methods of authentication. It's just that many of them (such as biometrics) aren't reliable enough yet.
Gamingmuseum.com: Give your 3D accelerator a rest.
The way I understood it, the gadget was about the size of one of the old common pocket pagers and, I think, had some access to cell signals (possibly for time signal announcements). When he clicked on the button, it dynamically generated a password that was good for 6 seconds. If you didn't use it within the time window, it was useless. I have no idea who makes this, but it sounded like one of the more secure methods I've ever heard about.
This msg is brought to you by the letter 'W'.. for Worthless Wuss
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
The problem is that passwords for most end users tend to be a difficult process. They tend to forget and/or write them down on little sticky notes on their monitors.
Secondly, (I don't know the url, but it was on Novell's site) there an estimated few million dollars lost by companies for the fact of time wasted by locked out systems and people calling IT help (when IT peeps could be doing something better).
Personally, passwords work great for me. I don't get spyware on my PC either because of good practices... But unfortunately there aren't a few million of me to be employed by a work force, or at least I'm not the majority "user".
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Toyota has cars that have keys with RFIDs in them. When you get in the car, you just press the start button. The car automatically reads the RFID from the key in your pocket, unlocks the doors, and unlocks the ignition.
Why can't it be that easy on a PC? A PC could know:
#1) WHO YOU ARE, from the RFID unique ID
#2) YOU ARE YOU -- if you use active RFID, encryption is possible as is RFID passwords
#3) You are not trying to get into another PC? Well, a CAR is tied one car per one key. This removes the possibility of another car unlocking for you. However there could be 3 PCs right next to each other. So only PCs that are not already signed in would respond to the key. Maybe prompt the user to select to sign in. If no response on the keyboard, then timeout.
Anyway, if a car can open its doors and let you drive away with it via a key in my pocket, a PC should allow me onto it by the same methods.
The banking ATM system had this figured out decades ago - use two authentication systems: Something you know (PIN), and something you have (ATM Card). This increases the security by orders of magnitude. Were you to add to this Something you Are (biometrics), it would further reduce the chances of a compromise.
Someone would have to trick you into divulging your PIN, pick your pocket, and replicate your thumb in order to withdraw money from your account. Then they're faced with a $500/day withdrawal limit no less (yet another security layer).
But then again, most attacks don't involve authentication compromises - they simply bypass the authentication system completely (like robbing a bank in person, using a gun).
A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.
Then all of a sudden, it stopped working. On the weekend.
When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.
Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.
A week later, now in some other middle eastern country (I forget where), the same thing happened.
My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.
A suspicion engine can prevent legitimate use of a system in these situations.
In that a good security mechanism should not rely on a Rube Goldbergian set of circumstances to work properly.
"Suspicion engines" are exactly that though: Subjective, cantankerous attempts at building a better mousetrap.
Since for example Solaris 8 (at least, more recent versions may be better, but AFAIK many Unices do this) pays attention only to the first 8 characters of a password, how easy is it to brute force my password? Not to mention all the web sites done by MORONS that allow only 4-character numeric PINs - at least some lock you out after repeated attempts - but what if I have a list of thousands of known-good SSNs - odds are at least one random guess will be good. Or raise your hands if you've ever guessed the CEO's password with crack (my sympathies if you were fired or prosecuted for it).
Personally as a sysadmin for over 100 different boxes run by different departments who has no control over the stupidity of a root password but has to have root for the boxes anyway - I *have* to keep a list of passwords somewhere - at least it's encrypted on a PDA - others keep the list in their Exchange Mail folder, fer chrissakes.
At least I can use a SecurID fob - as long as I'm in charge of setting up security, which most of the time I'm not.
Now, the subject of the article has something he's trying to sell us (which is only as secure as the machine it's installed on) but hey, anything helps. Although the fob thing is really pretty cheap and easy to use in large quantities,
I'd like to only have to remember one password, and I'd rather not tell anyone else what it is. Even banks, or shopping sites.
I have an OpenPGP key. It strikes me that there must be some way to register my public key with a site, and then have that site challenge me to decrypt a random string. This can only be done using my private key + my password.
Could this use of OpenPGP keys form the basis of a single sign-on model (well, single password model)?
Passwords are hard to remember, that's easy to solve: store passwords encrypted under a proper-strength password. But it doesn't remove the fundamental security-problem with passwords: to prove you know the secret, you must reveal the secret.
Zero Knowledge Proofs remedy this problem (google that), and public/private key challenge authentication (properly seeded from both participants) are zero-knowledge assuming the cryptographic operation is secure.
So let's scrap passwords and have a standard protocol for zero-knowledge proofs instead, used in everything from the web to car-keys to win32, with helper libraries for accessing the required key-data using a proper master-password, so we don't have to send secret data to untrusted code.
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
I feel critics of good passwords are missing the picture. Security is not just a single layer but multiple layers used to thwart nefarious persons from accessing your systems. Security is to be layered, such as complex passwords, reducing/removing unnecessary services, firewalls, A/V programs, anti-spam protection, etc etc. I personally don't want any of my users logging into the system without a solid password and a whole lot of additional security.
Yeah it totally sucks. My favorite memorized password starts with a NULL, but I can't get any sites to accept it!
Way back when I ran a BBS I looked over the users' passwords and only 1 of my users had a really good password. It was something like "!@$#%^*&()". Personally, I rarely use English language passwords. I tend to use translations of words from other languages that use different alphabets so that even if someone happens to guess the correct word, the spelling isn't fixed so they could still guess wrong.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Good password (or passphrase) + salt + Good hash algorithm = good authentication system + public key encryption at login = even better.
You could very well try bruteforce attacks, but if the authentication is based on a salt, then you'd have to eavesdrop the conversation, and THEN reverse-engineer the hash algorithm or try a fully brute force attack to find out someone's password.
Try encryptedPW = hash(hash(hash(salt)+hash(hash(PW))))
If you're dealing with a strong hash (like SHA1, or even better, SHA256), especially when the hash is applied twice (no collision-cracking possible) the only way to crack this is with a brute-force attack. The salt gets rid of the possibility of "replay attacks", and bruteforcing will take much longer.
Of course, changing the password often (like every 4 or 6 months) is precisely suggested so that bruteforce or dictionary attacks (which are possible with a limited password length) won't have an effect.
Security can also be increased by making all logins use public-key encryption (SSL). This way, eavesdroppers can't sniff passwords (hashed or not) so the possibility for a bruteforce/dictionary attack is practically zero (we're assuming a limited number of logins per salt). How can you bruteforce something which you don't know?
If ATMs don't rely on salting and having a limited number of retries per card insertion, then they're flawed.
So what's wrong with having passwords and making people change them? Obviously you should let people choose their own passwords, so they can remember them. And allow them to reset their passwords if they ever forget them.
Trying to separate the password protection from the authentication system, is simply ridiculous.
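The challenge idea from the OpenPGP post above and the salted-hash post directly above both come down to the same mechanism: the server keeps a salted verifier, sends a fresh random value on each login, and checks an answer that only someone holding the secret can compute. The following is an added illustration, not code from the thread or any product it mentions; the PBKDF2 iteration count, salt size and the HMAC-over-nonce response format are my own choices.

```python
import hashlib
import hmac
import secrets

# Added example: salted verifier plus a nonce challenge. The iteration count
# and salt length are illustrative choices, not values from the posts above.
ITERATIONS = 100_000


def make_verifier(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(password: str) -> dict:
    """Server side: store a random salt and the derived verifier, never the password."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": make_verifier(password, salt)}


def issue_challenge() -> bytes:
    """Server side: a fresh random nonce for every login attempt."""
    return secrets.token_bytes(16)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password by keying an HMAC over the nonce.

    Only the HMAC output travels over the wire; the password and verifier stay local.
    """
    verifier = make_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def server_verify(record: dict, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = hmac.new(record["verifier"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo_replay():
    """Returns (honest login ok, replayed response rejected, wrong password rejected)."""
    record = register("correct horse")
    nonce1 = issue_challenge()
    resp1 = client_response("correct horse", record["salt"], nonce1)
    ok = server_verify(record, nonce1, resp1)
    # An eavesdropper who captured resp1 cannot reuse it: the next nonce differs.
    nonce2 = issue_challenge()
    replay_rejected = not server_verify(record, nonce2, resp1)
    wrong = client_response("wrong horse", record["salt"], nonce2)
    wrong_rejected = not server_verify(record, nonce2, wrong)
    return ok, replay_rejected, wrong_rejected


if __name__ == "__main__":
    print(demo_replay())
```

Two points worth noting about this toy: the fresh nonce is what defeats replay (the post's "replay attack" concern), and the per-user salt is what stops one precomputed table from covering every user. The weakness the salted-hash post only hints at is that the stored verifier is password-equivalent here, so anyone who reads the server's table can answer challenges; that is why eavesdrop-then-brute-force stays the realistic path and why a password-authenticated key exchange such as SRP, which stores a verifier that is not directly usable by a client, is the stronger design.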
...but I think one of the things that would aid in password security is increasing the max possible length of passwords. I can come up with a very long nonsensical phrase (even with nonsense words and numbers) that's easy to remember, but most password systems won't allow me to use a password longer than about 20 characters. In my opinion if you want users to use difficult to guess passwords, you should give them the ability to embed mnemonics in the passwords - 20 characters is usually too short for this.
Biometrics are naturally flawed. Biology was meant for self-replication, not security.
Biometrics are strong only in combination with passwords, perhaps in an even stronger combination with a smart card.
i.e.
1) the smartcard will fail to work for anyone but you.
2) The smartcard has its private key to transfer
3) the password that you enter.
1) Something you are
2) Something you have
3) Something you know.
Of course, 1) is added only for convenience.
Wouldn't using two passwords, that must be entered in order, effectively enhance security?
We are one consciousness experiencing itself subjectively. Back to you with the weather, Bob!
The point of the article is that passwords are good but that long passwords aren't better. The idea is that your security system should be logging each attempt to authenticate (ie: don't provide public access to the encrypted string). Any brute force attack immediately triggers an alert against that account.
It's not that passwords are bad, but rather the reliance on ever-longer passwords instead of having any intrusion/irregular behaviour detection. There's a diminished return to strong passwords - if brute force gets too hard, determined attackers will get passwords another way: social engineering, phishing or trojans. Once password complexity is "good enough" (a 4-digit PIN number for banks), security resources are better spent reacting to odd events.
We sysadmin types see the world in terms of root, where "monitoring" all possible events is nigh impossible. But for most of the world, passwords are for updating databases where transactions are logged and reversible (eg: slashdot spamming with a hacked account).
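The "log each attempt and alert on brute force" approach above is simple enough to show end to end. This is an added example, not code from the thread: it runs over a handful of constructed sshd-style log lines (made-up hosts, users and addresses) and flags any account/source pair that racks up a burst of failures, plus the more interesting case where a success follows such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example. Constructed sshd-style lines; nothing here is from a real host.
SAMPLE_LOG = """\
Feb  3 10:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 4000 ssh2
Feb  3 10:00:03 host sshd[102]: Failed password for alice from 10.0.0.5 port 4001 ssh2
Feb  3 10:00:04 host sshd[103]: Failed password for alice from 10.0.0.5 port 4002 ssh2
Feb  3 10:00:06 host sshd[104]: Failed password for alice from 10.0.0.5 port 4003 ssh2
Feb  3 10:00:07 host sshd[105]: Failed password for alice from 10.0.0.5 port 4004 ssh2
Feb  3 10:00:09 host sshd[106]: Accepted password for alice from 10.0.0.5 port 4005 ssh2
Feb  3 10:05:00 host sshd[107]: Failed password for bob from 10.0.0.9 port 5000 ssh2
Feb  3 10:45:00 host sshd[108]: Failed password for bob from 10.0.0.9 port 5001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log: str, year: int = 2005):
    """Yield (timestamp, result, user, ip); syslog lines carry no year, so one is supplied."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_bursts(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Flag (user, ip) pairs with `threshold` failures inside a sliding time window.

    Returns (alerts, success_after_burst): alerts maps the pair to the failure
    count that tripped it; success_after_burst holds pairs where a login
    succeeded after the burst, the event that most deserves a human look.
    """
    failures = defaultdict(list)
    alerts = {}
    success_after_burst = set()
    for ts, result, user, ip in parse(log):
        key = (user, ip)
        if result == "Failed":
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[key] if ts - t <= window]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold:
                alerts[key] = len(recent)
        elif key in alerts:
            success_after_burst.add(key)
    return alerts, success_after_burst


if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

Bob's two failures forty minutes apart never reach the threshold, which is the point of the sliding window: a user mistyping occasionally should not page anyone, while a run of failures followed by a success is exactly the "odd event" the post says resources are better spent on.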
Where it is mandatory to fill in a question to answer, (if you forget the real password,) I ALWAYS use a minimum 8-digit random value as the answer (for double security), and NEVER fill in dates and such; follow my practice! It's too easy to guess those kind of things, especially where max input-retries are infinite..
A horse can't be sick, you know, even if he wants to.
As porn is the depiction of sex, "armadillo porn" refers to drawings, photos, movies, or textual descriptions of armadillo sex. Here, armadillo is a conjunction of "arm" and "dildo." Some experts are of the opinion that this is a direct reference to fisting, but most prefer the more common practice of female stimulation with an artificial phalus, a "dildo," applied with gusto using powerful arm movements, usually by a partner. Note: generous amounts of lubricant are required. Sex Wax sounds ideal, but surprisingly, many wome rate it poorly.
Gary Dunn
Open Slate Project
This is why I no longer carry a Credit Card. As an American living in a foreign country, I used my card frequently in multiple countries. Well, the "security" group at the Credit Card company "detected" that the card was being used illegally. They shut it down 2 or 3 different times. I was so pissed at having to explain to them that I nearly blew up over the phone. This last time they forwarded me to all sorts of people, including their security group. I swear they were going to report *me* to authorities or something.
Anyway, let's just say after this experience, I ripped up my Credit Card and will never do business with FirstUSA or affiliated banks again. (AT&T credit cards too, but that's a different, longer story.)
So, basically, these "detection" systems do nothing but risk false-positives and pissing off a bunch of people.
The nice thing about passwords is that *everyone* has access to them, and they are *immediately* available.
Biometric readers, smart cards, and even "suspicion engines" (which take time to build up a profile) won't ever take off unless they somehow solve this fundamental problem. And there's a huge chicken-and-egg problem there.
Someone help me out here. Changing passwords on a regular basis is a 'generally accepted' security procedure. I don't understand why. The common rationale is that it makes passwords harder to guess, but I don't believe it does. If an attacker is working through a dictionary attack on an account, a password change is just as likely to make it easier to guess as harder.
Now if an account is compromised, a password change by the user would lock out the intruder. It's unlikely this would happen before damage was done. It's more likely that forced password changes would result in passwords written down and posted on stickies.
So - why force password changes?
Possibly because most ATM networks require hardware (the ATM card) and the password (PIN)?
No, it's not uncrackable, but it's a damn sight better than password alone.
Seriously, that was crap. He bitched about how idiotic passwords are for 95% of the article without ever explaining why. He mentioned keyboard attacks and lazy administrators, and hinted at ATM security, but it was essentially an angry man venting at a hypothetical IT department.
How about some facts or something we can do to improve the issue, or some background, rather than crying for two screens worth of html.
https://www.accountkiller.com/removal-requested
http://shit.slashdot.org/article.pl?sid=05/02/03/1 855258
You wind up with excellent fry-basket-handling skills.
Distributes a series of passwords in a table.
Every time you do a transaction one of those is requested plus your own password.
Inconvenient because you need a piece of paper but safe since a thief needs both to succeed.
1. Find a stupid bank.
2. Your user name is: fhsgfdsgsfg" OR current_funds > 1000000000
3. Your password is: gsfdbgchgfhd" OR 1==1
4. ???
5. Profit!
Personally I think that people are way getting lazy when it comes to remembering passwords. Granted I work in IT, but I can remember 20 digit passwords pretty quickly. All it takes is a number of times having to type it in by memory to get it into your system. People get all scared now when they are asked to remember a 5 digit password with numbers in it. It's not that hard.
Use your memory or lose it.
I spent some years working in system security, and I found the biggest single factor was the humble post-it note. 3M have a lot to answer for.
Hardware keys are very nice, and have the advantage of considerably more "power" as an access code than any memorable password, but they also have the disadvantage of being easily lost or misappropriated. I have had many clients whose users lost their access cards on average twice a week.
Given the time in which it is possible to do some serious damage on a computer, that means any attempt at maintaining security is shot to hell.
At this stage, the best compromise seems to be a password that is simple enough to be memorable, but complex enough not to be bruteforced in a given number of attempts, in combination with simple vigilance. After all, it isn't that hard to put in routines to pull the plug on a line which is showing multiple failed login attempts.
The magic number is 47.
So, if passwords are baaad (mmmkay?) then why not start using public key cryptography. I'm sure people wouldn't object to carrying a card with a 2048-bit (or higher) key on it, replacing it every 2-3 years. It'd be stored on the chip on the card (similar to the one on credit cards) and could be easily cancelled if it was stolen. The interface for PC's could be really easily designed. Obviously, someone could design a dodgy interface that would copy the code, so maybe a small microprocessor should be on the chip encoding the timestamp of the machine, with the private key, so that the previously stored public key could be verified against. This would also make the sys-admins life easier, as if the password file were compromised by a read request (although obviously not a write attempt) then the data is useless - it's a public key!
Three major problems with this:
1) Making a card that can not only store the 2048-bit private key, but also the 4096-bit public key with a _standard_ interface allowing for much stronger cryptography to be used in the future. It _must_ have an onboard computer, although it can be powered by the host device. RFID could be used, but that may be a privacy risk if you carry it around.
2) Making a standard interface. Sure, you can easily design one, but getting everyone to adopt the same one? It didn't happen with smart cards, it won't work with key cards unless everyone agrees on the approach.
3) Must be cheap to manufacture. Preferably a dollar/euro/pound, so that if it's lost it isn't a big deal to get a new one, and thrifty people don't feel bad about it.
Is this so bad an idea? Sure, it won't become commonplace for home usage etc, but surely in corporate and/or small business environments, it must be a way forward?
Unfortunately, if we don't have complex "Don't start with a number, the new one must not be similar to the last, do this, don't do that" rules, users will tend to take the easy way out and use "password" if given the option. It seems today that the only way to ensure something random is to reduce the number of allowable permutations. Dictionary cracks become meaningless when the user has no statistical preference for leaning on dictionary words. Given the choice, I would just as likely use "A2jj*Z,L" as "dictionary" for a password, but Joe Average goes and spoils it...
You won't be secure until you educate end users, and get them to buy in to the idea of security. The weak link is rarely the hashing algorithm or the PRNG, it's the people. If you've got a bank vault with a huge steel door and a glass window, you find a rock. As long as people keep leaving passwords written down on stickies attached to the monitor, passwords won't be worth crap.
Instituting monitoring of accounts may or may not be a good idea, depending on your particular circumstances. But calling a security mechanism useless because some people don't know how to use it right is shortsighted.
This post expresses my opinion, not that of my employer. And yes, IAAL.
There's also the fact that the banks are paying attention to your transactions and will likely act on unusual behaviour - this is close to the "suspicion engine" he describes.
7 Character Limit means they are using NT-based authentication, as the password field, while allowing more than 7 characters, is broken up into 7 character chunks, and because of this, some amazing thing mathematically happens (I don't remember the algorithm) that makes it even easier to break the longer password...I think it causes the hash to be more easily guessed because of a higher repetition in hash values.
1) pick any two words from the dictionary
2) remember them
3) separate them with a random string that
you can remember, like nilmdts (Now I Lay Me Down To Sleep, I hope my new password's 1337).
Like "DucknilmdtsSoup"
And then don't use crappy operating systems like MS windows where any doofus can crack passwords by brute force. Use Password Safe for the 100 passwords to different systems you have to use that you can't remember. Don't use the same password on any two systems that you care about. Use the "DucknilmdtsSoup" like password for Password Safe.
Use a one time pad scheme for systems you really care about. Have the one-time pad written on rice paper. Include the password above in the scheme, and don't write it down. Eat the rice paper if they catch you. This isn't hard. Remember they are trying to catch you.
And the guy's example of ATMs as "getting by" for the past 20 years isn't a very good indictment of having longer, more random passwords. ATMs don't just rely on 4-digit PINs, for Christ's sake. You have to have a card, which is another layer of security. And there's also a camera at the ATM machine. I'd love to see how good ATM security turned out to be if there was no camera and a total reliance on a 4-digit PIN.
The problem here isn't that passwords are ineffective; it's user ignorance and stupidity. If companies started enforcing a strict standard of making their employees memorize a 12-digit sequence of random characters, then weak passwords in corporations wouldn't be a problem. It takes all of 15 minutes to memorize a random password through muscle memory alone.
Users need to be made aware of the repercussions of having a weak password to a network. A lot of students at my university will constantly bitch and moan about our policy of making everyone change their passwords every 60 days. We tell them it's for security. They say, "Well I don't care if someone gets into my e-mail." It's not just the student's e-mail that's at risk. It's the network. If someone obtains a legitimate username and password for an account at my school, they have access to all of our site-licensed software as well as the VPN server. With access to the VPN server comes access to the SMTP server, which means that our SMTP server could be used as a spam relay, and that hurts everyone.
... who wrote that article. I have seen it more often: some guy needs to boost his credit with his superiors, and - without knowing anything about tech - he writes an article with a few bold phrases, then gets it published.
There is one thing, though, that caught my attention as an engineer: must be really interesting to design & develop a proto for a "suspicion engine".
Hanc amavi & dilexi a ivventvte mea
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
I did some work at a telco in the UK working on the CTI (computer telephony integration) for a CRM (Customer Relationship Management system) implementation.
What you're impressed with is call hand-off with context. This involves the integration of the phone system with the CRM or other applications. Basically you have to work out a way that when your telephone call is switched from Operator A to Operator B the information on what you are talking about (eg current address details) is displayed on Operator B's PC.
It's not as easy as you might think, and really depends on the Phone System and the CRM. As VoIP is used more and more, the integration is easier. However conversely as web-based CRMs are used, the problem gets harder, as it can be tricky to link the CRM session on the server to the address of the phone, mainly as the IP address of the terminal user isn't constant, and those pesky security guys keep masking it.
Anyhoo, I agree that hand-off with context is cool, and I really appreciate it when it happens too, but a lot of companies don't do it because it's an integration nightmare with little obvious return.
Here endeth the random rant - now must get coffee.
McGh6+JyDt7
The user can't change this - as the department feels that they'd change it to something more easily 'cracked', i.e., 'memorable'!! Of course, users in this department usually carry their password around with them in 'written form'!
However, there are two other schemes used around the same university that I feel are far better - yet neither allows the user to change their password once it's been issued (for the same reason as given above).
Alternate scheme number 1: The user is given a password that consists of two randomly chosen words from a lexicon, separated by a random punctuation character, e.g.:
Tractor~Pickle
Alternate scheme number 2: The user is given a machine generated word that is pronounceable (quite often the word also contains intentional misspellings) - the composite word is not listed in any dictionary (except the table that contains user's passwords in encrypted form of course), e.g.:
FlowourPowar
Alternates 1/2 are easy to remember, yet, IMHO, offer a greater level of security. I just wish that the original department I mentioned did something similar!
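Both the two-word scheme in the post above and the "Duck nilmdts Soup" idea a few posts up are easy to generate and easy to reason about in terms of how many guesses an attacker who knows the scheme would need. Here is an added example, not from the thread, that produces both kinds of password from the CSPRNG and computes the guessing entropy of each against the issued-at-random style of the "McGh6+JyDt7" password. WORDS is a constructed eight-entry stand-in for a real lexicon, and the pronounceable generator simply alternates consonants and vowels, which is a cruder rule than whatever produced "FlowourPowar".

```python
import math
import secrets

# Added example. WORDS is a tiny constructed stand-in; a deployment would
# load a lexicon of thousands of entries, which is what the entropy
# figures below assume.
WORDS = ["tractor", "pickle", "duck", "soup", "flower", "power", "river", "stone"]
SEPARATORS = "~!@#$%^&*+=:;,.?"   # 16 choices
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 choices
VOWELS = "aeiou"                   # 5 choices


def two_word_password(words=WORDS, separators=SEPARATORS) -> str:
    """Scheme 1: Word<punctuation>Word, every choice drawn from the CSPRNG."""
    return (secrets.choice(words).capitalize()
            + secrets.choice(separators)
            + secrets.choice(words).capitalize())


def matches_two_word_scheme(pw: str, words=WORDS, separators=SEPARATORS) -> bool:
    """Check that a string has the Word<sep>Word shape this scheme produces."""
    seps = [i for i, ch in enumerate(pw) if ch in separators]
    if len(seps) != 1:
        return False
    left, right = pw[:seps[0]], pw[seps[0] + 1:]
    return left.lower() in words and right.lower() in words


def pronounceable_word(length: int = 12) -> str:
    """Scheme 2 (simplified): alternate consonants and vowels so it can be said aloud."""
    letters = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        letters.append(secrets.choice(pool))
    return "".join(letters).capitalize()


def two_word_entropy_bits(lexicon_size: int, separator_count: int) -> float:
    """Guessing entropy of scheme 1 when the attacker knows the scheme and lexicon."""
    return 2 * math.log2(lexicon_size) + math.log2(separator_count)


def pronounceable_entropy_bits(length: int) -> float:
    """Guessing entropy of the simplified scheme 2 for a word of `length` letters."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string, e.g. 11 chars over a 64-symbol alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(two_word_password(), pronounceable_word())
    print("two words from 4096 + 16 separators:", two_word_entropy_bits(4096, 16))
    print("12-letter pronounceable:", round(pronounceable_entropy_bits(12), 1))
    print("11 random chars over 64 symbols:", random_string_entropy_bits(11, 64))
```

The numbers are the useful part: two words from a 4096-word lexicon with one of 16 separators is 28 bits, a 12-letter alternating word is about 39 bits, and the 11-character issued password is 66 bits. The memorable schemes trade a lot of guessing work for memorability, so they make sense only where the login path is rate-limited and the hash is not exposed to offline guessing; a longer lexicon or three words rather than two is the cheap way to buy the bits back.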
Biometrics work fine when the identifying equipment is in the control of the entity that is granting access, and there is human oversight of the process.
Assuming that there are multiple mechanisms, that might be true in some cases. Let's look at the 4 places I have seen biometrics thus far:
Login mechanism to a home PC: this is pretty well just a false sense of security, but since PCs are by and large insecure anyway, this will serve just as well to stop a 4 year old as a password. Should a PC be in a corporate environment, this is a step down from a password.
Access to lockers at a public place: No oversight, still easily bypass-able. Worse than a password.
Grocery store checkout: Supervised by minimum wage clerks, who could not care less. Think of the gummi-bears! Less secure than using a card.
Home security door lock: No oversight.
In all four instances that I have seen biometrics in use, they result in less secure systems than those they replace. What evidence or reason do you have to believe that those who implement biometrics will stop using them for these applications and start using human oversight on all applications? What makes you think that the human oversight will not just rely upon the biometric? What makes you think that a human watching people put their fingerprints on a pad will be able to notice a 1mm film of latex on someone's finger?
Biometrics are here, and making security worse. They will probably continue to be used because they are "cool" and easier to use and because most people don't actually give a rat's ass about security.
People try to create passwords they think they can remember most easily. To do this they use words in their native language. If they are security-conscious, they will insert or substitute numerals and symbols for letters or use acronyms or whatever. But most passwords are typed into a starmask, so that the person looking over your shoulder won't see the password. While that person over your shoulder can see the hunt-and-peck typing of the password at ease, the person who needs to remember the password to do work never sees it in print. So they write it down to help them remember it. Then they keep the paper in case they forget.
But spelling a word isn't the only way to remember a password. A password is a string of keystrokes. Essentially all you have to remember is the keys and the order in which they are struck. If all you need is 8 characters that don't match a dictionary word and include numerals, why not just walk your fingers right up and down the keyboard, as in '4rfvbgt5'? With so many patterns available, is it really that easy to guess? Ironically, Joe User thinks "That's too easy, the system will never accept that lousy password". If you really need to write it down, all you have to do is note the starting character and then the shape, as in '4||' or '4U'.
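Keyboard walks like '4rfvbgt5' feel random but are a fixed, small family that guessing tools enumerate early, so a password policy should be able to recognise them. Here is an added check, not code from the thread, that models the main US-QWERTY block and scores a password by how many consecutive characters sit on physically adjacent keys; the row layout and the 0.6 threshold are my own choices.

```python
# Added example: flag passwords formed by walking adjacent keys.
# Only the main US-QWERTY block is modelled; other layouts need their own rows.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every character to its (row, column) on the keyboard; a shifted symbol
# shares the position of the unshifted key beneath it.
POSITION = {}
for r, (row, shifted_row) in enumerate(zip(ROWS, SHIFTED)):
    for c, (ch, sh) in enumerate(zip(row, shifted_row)):
        POSITION[ch] = (r, c)
        POSITION[sh] = (r, c)


def adjacent(a: str, b: str) -> bool:
    """True when two characters are on different keys that touch (incl. diagonally)."""
    pa, pb = POSITION.get(a), POSITION.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of consecutive character pairs that are adjacent keys."""
    if len(pw) < 2:
        return 0.0
    pairs = list(zip(pw, pw[1:]))
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs)


def is_keyboard_walk(pw: str, threshold: float = 0.6) -> bool:
    """Policy check: reject when most of the password is a walk across the keys."""
    return keyboard_walk_ratio(pw) >= threshold


if __name__ == "__main__":
    for candidate in ["4rfvbgt5", "1qaz2wsx", "Tractor~Pickle"]:
        print(candidate, round(keyboard_walk_ratio(candidate), 2), is_keyboard_walk(candidate))
```

The ratio rather than a yes/no lets a policy tolerate a couple of accidental adjacencies (the 't' 'r' in "Tractor" is one) while still catching a password that is nothing but a shape on the keyboard.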
If a user can't remember a password, should they be trusted to remember security for confidential information?
A long time ago I used to work with someone whose CICS password was seven spaces, "7Spaces".
A few years back I seriously considered making "I'm sorry, I can't remember" the pass phrase for my PGP key ring.