Slashdot Mirror
Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, is an uncanny coincidence that Technology Review runs an article today in which
Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But Shrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?
Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.
Maybe I'm missing something. If you are going to compare usage of the system to see if the user is doing something unusual, don't you have to let them use the computer for a little while before you can make that call? If a malicious user was logged into someone elses account, they would still have plenty of time to do harm before an algorithm could definitively say they weren't who they said they were. Am I wrong?
-dave
http://millionnumbers.com/ - own the number of your dreams
I thought the exact same thing. It sound kneejerk to me. I would assume that I, as root, would be setting up these "normalcy" filters and not some government agency.
Not that I think it's a good idea, just that I don't think it has anything to do with privacy.
Pulp Audio Weekly - Geek News and Reviews
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.
Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using peoples' passwords to crack into their accounts on other sites.
These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in an moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
To paraphrase Bruce Schneier, a system can authenticate you with one of three things: something you know, something you have, something you are, or some combination of those somethings. The author of that article says we should wean ourselves from passwords, but doesn't offer any realistic alternatives other than "suspicion engines", which don't meet any of Schneier's criteria, although they sound like a weak attempt to add a new one: "Something you do". Would anyone here feel comfortable trusting their bank account or Paypal account to a suspicion engine? Thanks, but no thanks.
It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognization of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).
Users should always be advised of any failed attempts to gain access to the account after a sucessful login, a feature that is lacking from most current systems.
I'm an American. I love this country and the freedoms that we used to have.
The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.
Sidebar
Factors are things you need to prove your identity and there are three types -
"what you know" - typically a password
"what you have" - typically a card, token, key fob, or digital certificate
"what you are" - typically biometrics
End Sidebar
The ATM example is 2-factor, which is inherently more secure than a password which is single factor
A far more secure approach would be to implement a two-factor authentication mechanism, however this increases cost and overhead (AOL is now offering this as an option - for a fee or course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.
While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.
Where oh where has my Underdog gone?
I don't think I should be prevented from using a system if I can't sleep and want to ssh at 3AM for example. It's not just a privacy problem, it's just stupid.
The main problem with biometrics is that once a hacker gets past it once, they've gotten past it forever. You can't change your thumbprint like you can your password, and your retinal scan is definitely permanent. So the security works great until someone figures out a way to fake your thumbprint. Then they can get into any of your thumbprint-protected resources anywhere in the world. Not only that, they have all the time in the world to come up with a perfect way to fake the print because they know it won't be changing in 30 (or 90, or 5) days.
What do you do when you realize that even one of them has been breached? How do you change your security settings to lock out the intruder from the vulerable resources while allowing you to retain access?
I wish that my inferiority complex were as good as yours.
-RenderHead
Use something you have and something you know.
Changeable keys are better than unchangeable. If I break up with my girlfriend, I can change the locks to my house. If I think a online site may actually have been a russian mob front, I can change the password on all my other sites. If my fingerprints get lifted from a glass at the bar, I'm fucked forever. Biometrics are a bad idea. If my fingerprints, or DNA, or retina scan are put in one database that is hacked, and we rely upon those biometrics, I'm fucked forever.
Biometrics are easy to use, but unreliable. If they come into common use, they will be relied upon. This will introduce a false sense of security. It's sort of like having a doorman at your building who will look the other way for $5. You feel more secure. Maybe you don't bother to lock your door inside. Then you wake up dead.
One last thing. If some car jacker wants my car, they can jump me in the parking lot and take my keys. They need no real knowledge. They don't even need to know how to hotwire a car. If my car had a biometric key, they could still jump me and take it. I'd just be missing a body part. No thanks.
And if your system's security is ever compromised, then the *attacker* will know about it, too. This would result in two things:
This statement sounds very tinfoil hattish to me. There are many people who believe that a computer creating any sort of trace log is a violation of privacy. Personally, I find it good practice to record information about computer usage. For example, I usually record the incoming IP address of everyone who logs into a system. When dealing with critical information such as financial records or personnel files, I will keep a robust history of everyone who accessed a given record.
In one case, I designed a program for a call center. The call center would allow customer service agents access to a customer's credit card number. I recorded every time a customer service rep accessed a card number along with information on the call they were handling. The computer would report any abnormal behavior in the credit card number access to a supervisor.
Often the best way to improve your security is simply to provide your auditing information to your end users. For example, let's say I see a change in a behavior of a user...such as logging in from a different IP. I might make a program that informs the end user of this event. For example, if a person who usually logs in from Albany logs in from Kuala Lumpur, then I inform them of the event. IF they cannot remember traveling abroad recently, the change in behaviour just might be a security breach, requiring further investigation.
Imagine if your work computer reported the time from your last log in each time you accessed the system. So, you come in Monday morning and the system warns that you logged in during the weekend. Most workers would take something like this seriously as it implies someone was stealing their identity. Tin foil hatters would be livid that the system recorded the activities of the person who stole their identity.
On their phone system they ask for your account #, date of birth, and 3 digits from your security number. I've always been impressed by their system.
On a side note, I love how you never have to start telling the story from the top whenever they pass you on to another service representative. As soon as they pick up the phone it's "Hello Mr ______, how can I help?" I never thought I'd say this about a bank but the HSBC rocks!
Drill baby drill - on Mars
What could they be doing that would disallow a number as the first character?
$making $all $passwords $into $perl $variables??
Ironically, the word ironically is often used incorrectly.
A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.
Then all of a sudden, it stopped working. On the weekend.
When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.
Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.
A week later, now in some other middle eastern country (I forget where), the same thing happened.
My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.
A suspicion engine can prevent legitimate use of a system in these situations.
Passwords are hard to remember, that's easy to solve: store passwords encrypted under a proper-strength password. But it doesn't remove the fundamental security-problem with passwords: to prove you know the secret, you must reveal the secret.
Zero Knowledge Proofs remedy this problem (google that), and public/private key challenge authentication (properly seeded from both participants) are zero-knowledge assuming the cryptographic operation is secure.
So lets scrap passwords and have a standard protocol for zero-knowledge proofs instead, used in everything from the web to car-keys to win32, with helper libraries for accessing the required key-data using a proper master-password, so we don't have to send secret data to untrusted code.
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
I'm still not sorry I submitted it. but you have a point...he suggests things that he does not describe well enough to support analysis pro or con. and it turns out he misused the term "suspicion engine"...look it up with google and the first thing on the list will be ibm/tivoli's product of that name.
just the suggestion that security could be improved by burying challenges to the identity and access for a user somewhere deeper in the system than the UI/passsword mechanism we are familiar with was still a provocative if totally sick suggestion. 300+ comments tells me it hits a nerve.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
You won't be secure until you educate end users, and get them to buy in to the idea of security. The weak link is rarely the hashing algorithm or the PRNG, it's the people. If you've got a bank vault with a huge steel door and a glass window, you find a rock. As long as people keep leaving passwords written down on stickies attached to the monitor, passwords won't be worth crap.
Instituting monitoring of accounts may or may not be a good idea, depending on your particular circumstances. But calling a security mechanism useless because some people don't know how to use it right is shortsighted.
This post expresses my opinion, not that of my employer. And yes, IAAL.
There's also the fact that the banks are paying attention to your transactions and will likely act on unusual behaviour - this is close to the "suspicion engine" he describes.
The article itself, and a lot of these "users need to be made aware" replies, I find very irritating.
In the U.S., at least, the attitude of everyone, everywhere is, the user is never accountable for learning anything, no matter how much training is given. Since the managers are all at least as inept and lazy as everyone working for them, they think that's a reasonable attitude to take.
I've had users delete critical files and blame me for their poor training. "I don't even know what files ARE. You should give me training if you want this to work." My response is, "It's not my job to give you training. You were supposed to know how to use this software before you started working here. This is like you smashed your car into other cars in an intersection, and when the cops arrive, you yell at them for not teaching you to drive."
Of course, management doesn't support us disabling such users' accounts until they can prove they can "drive".
Remember, too, that MOST people fall into the "have to pee on the electric fence" group, and no amount of training will help them see the light. They'll have to lose their life savings to password-stealing crooks before they'll begin to think any of this is important.
As for the article, you can tell the author doesn't do IT for a living. Otherwise, he wouldn't be blaming bad security admins. He'd know that no matter how good the security admin guy is, he can't get support from management to pay for a secure authentication system. Especially when you work for a large enterprise, such systems can't be put in piecemeal, and piecemeal systems aren't practical.
When you try to explain to management why we need better authentication methods, they just look at you like you're a tinfoil-hat-wearing lunatic. Even if you manage to get it into your budget, all the pointy-headed bastards can see is a line item that can be cut, more money to go into the board of directors' pockets.
The article is like some bad "How to do Stuff" TV show. "How to cure cancer...First, create a marvelous cure for cancer. Then have a party."
"How to solve the password problem...first, put in a wonderful authentication system. Then have a party."