Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, it is an uncanny coincidence that Technology Review runs an article today in which
Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But Schrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a surefire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.
Beep beep.
Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.
Those keys were starting to be a bother in my pocket.
Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villains out of your life.
-Teiresias
There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer app to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.
MakePassword.com Mp3 Blog
There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect log in will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but it still could be out there.
In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.
"This is you left and that's your left. This is your right and that's your right. You're gonna die!
In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Passwords will always be beneficial in helping to establish accountability.
Passwords are less about keeping people out and more about making people accountable.
Sigs? We don't need no stinking sigs!
In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.
So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.
But do you really want the system to record the fact that you browse armadillo porn?
I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks for their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.
I couldn't believe my eyes...
Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.
I agree that passwords ARE useless.
It is so easy to steal accounts, and I don't mean with a password either. I don't believe they fixed it yet.
Look at this small device for your passwords:
http://www.netchilds.com/product_password_keyboard.html
My biggest beef with passwords is the myriad of different "rules" as to what makes a valid password at different sites.
I have a few great passwords
... no one is going to get them short of brute forcing (or, God forbid, key logging). However, every site seems to have different (read: RIDICULOUS) parameters for passwords:
- must not start with a number
- must have both letters and numbers (symbols don't count)
- can only be [a-z][A-Z][0-9]
I would love to meet the asshats that come up with these randomly applied "rules" just so I could kick them squarely in the nuts.
I used to only need two passwords for EVERYTHING (one "weak" password for discussion sites (eg - Slashdot) and one "strong" password for the important stuff). Alas, that was too easy. Now I have to maintain around 10 passwords that, IMNSHO, are far weaker than the ones they replaced (not by my choice).
For example, one large credit card company recently changed its password policy. Since my old password didn't "fit" in their new policy, they simply set it to something else without telling me. Mind you, the new password I had to choose is orders of magnitude easier to crack than the old password because they removed a number of possible characters.
Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?
In close, if you have anything to do with the authentication process of a website, before you start throwing on random rules for passwords, do us all a favor and DON'T.
- Tony
'Tis the nature of secret keeping. What you want to do is make it harder for someone who doesn't know the password to find it out. The bigger the possible keyspace and the harder it is to brute force it, the harder it would be.
A simple single offset cipher has 26 possible keys (25 if you want to discount 0), so if you don't know the key, it only takes 25 times longer to try everything out.
Back on topic, if your users limit their password space to what they can remember, average joe will pick one he could guess, or write it down. If a user can rely on guessing for password recovery, crackers can too. Remembering the password makes for much better security. But fat chance of that if you have to change it every month.
What a user does to undermine security policies just so they will still have access shouldn't astound you. It should scare you.
Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin however) but rather had a usb thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?
Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.
Any ideas if something like this works at all or anything like it that might be of some use?
OK, even if the dictionary attack is happening online instead of offline --
What happens when an intruder gets hold of a company directory, tries each username in sequence, and makes *one* login attempt to each using the password "password"?
In that a good security mechanism should not rely on a Rube Goldbergian set of circumstances to work properly.
"Suspicion engines" are exactly that though: Subjective, cantankerous attempts at building a better mousetrap.
Since for example Solaris 8 (at least, more recent versions may be better, but AFAIK many Unices do this) pays attention only to the first 8 characters of a password, how easy is it to brute force my password? Not to mention all the web sites done by MORONS that allow only 4-character numeric PINs - at least some lock you out after repeated attempts - but what if I have a list of thousands of known-good SSNs - odds are at least one random guess will be good. Or raise your hands if you've ever guessed the CEO's password with crack (my sympathies if you were fired or prosecuted for it).
Personally as a sysadmin for over 100 different boxes run by different departments who has no control over the stupidity of a root password but has to have root for the boxes anyway - I *have* to keep a list of passwords somewhere - at least it's encrypted on a PDA - others keep the list in their Exchange Mail folder, fer chrissakes.
At least I can use a SecurID fob - as long as I'm in charge of setting up security, which most of the time I'm not.
Now, the subject of the article has something he's trying to sell us (which is only as secure as the machine it's installed on) but hey, anything helps. Although the fob thing is really pretty cheap and easy to use in large quantities,
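The keyspace argument made a few comments up (a bigger keyspace is harder to brute force), the complaint about sites that strip characters from the allowed set or forbid a leading digit, and the Solaris 8 remark about only the first 8 characters counting all reduce to the same arithmetic. The following Go program is an added example, not code from the article or from any commenter: it counts the passwords a policy admits (inclusion-exclusion for the "must contain both letters and digits" rule), converts that to bits, and gives an expected cracking time at an assumed, made-up guess rate. The policy names and the guess rate are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// Policy captures what a site lets the user type and how much of it the
// authentication code actually compares.
type Policy struct {
	Name                     string
	Letters, Digits, Symbols int  // sizes of the allowed character classes
	Length                   int  // characters the user enters
	Effective                int  // characters actually compared; 0 means all
	NoLeadingDigit           bool // "must not start with a number"
	RequireLetterAndDigit    bool // "must have both letters and numbers"
}

// powf multiplies out an integer power in float64; every intermediate value
// used in this example stays below 2^53, so the results are exact.
func powf(base float64, n int) float64 {
	r := 1.0
	for i := 0; i < n; i++ {
		r *= base
	}
	return r
}

// Keyspace counts the distinct passwords a policy admits. The "letters and
// digits" rule is handled by inclusion-exclusion: all strings, minus those
// with no letter, minus those with no digit, plus those with neither.
func Keyspace(p Policy) float64 {
	n := p.Length
	if p.Effective > 0 && p.Effective < n {
		n = p.Effective // characters past the cut-off never influence the check
	}
	if n <= 0 {
		return 1
	}
	l, d, s := float64(p.Letters), float64(p.Digits), float64(p.Symbols)
	all := l + d + s
	d1 := d // digits permitted in the first position
	if p.NoLeadingDigit {
		d1 = 0
	}
	first := l + d1 + s
	total := first * powf(all, n-1)
	if !p.RequireLetterAndDigit {
		return total
	}
	noLetter := (d1 + s) * powf(d+s, n-1)
	noDigit := (l + s) * powf(l+s, n-1)
	neither := s * powf(s, n-1)
	return total - noLetter - noDigit + neither
}

// EntropyBits is the keyspace expressed as bits of a uniformly chosen password.
func EntropyBits(p Policy) float64 { return math.Log2(Keyspace(p)) }

// SecondsToCrack is the expected time for an attacker testing guessesPerSecond
// candidates, who on average needs to try half the keyspace.
func SecondsToCrack(p Policy, guessesPerSecond float64) float64 {
	return Keyspace(p) / 2 / guessesPerSecond
}

func main() {
	policies := []Policy{
		{Name: "4-digit PIN", Digits: 10, Length: 4},
		{Name: "alnum, 8 chars", Letters: 52, Digits: 10, Length: 8},
		{Name: "alnum, 8 chars, letters+digits required", Letters: 52, Digits: 10, Length: 8, RequireLetterAndDigit: true},
		{Name: "alnum, 8 chars, no leading digit", Letters: 52, Digits: 10, Length: 8, NoLeadingDigit: true},
		{Name: "printable ASCII, 12 typed, 8 compared", Letters: 52, Digits: 10, Symbols: 33, Length: 12, Effective: 8},
		{Name: "printable ASCII, 12 compared", Letters: 52, Digits: 10, Symbols: 33, Length: 12},
	}
	const rate = 1e6 // constructed guess rate for the comparison, guesses/second
	for _, p := range policies {
		fmt.Printf("%-45s %6.1f bits  ~%.3g s at %.0e/s\n",
			p.Name, EntropyBits(p), SecondsToCrack(p, rate), rate)
	}
}
```

Each extra rule that removes a character or a position shrinks the count; the "letters and digits required" line shows the rule costs about a quarter of the 8-character alphanumeric keyspace, and the truncated line shows that four typed characters beyond the compared length add nothing.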
I'd like to only have to remember one password, and I'd rather not tell anyone else what it is. Even banks, or shopping sites.
I have an OpenPGP key. It strikes me that there must be some way to register my public key with a site, and then have that site challenge me to decrypt a random string. This can only be done using my private key + my password.
Could this use of OpenPGP keys form the basis of a single sign-on model (well, single password model)?
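The exchange the previous poster describes is a public-key challenge-response: the site stores a public key, sends a random value, and the user proves possession of the private key. The Go program below is an added example, not the poster's design and not OpenPGP itself; it uses Ed25519 signatures from the standard library as a stand-in for an OpenPGP key, and the passphrase that would unlock the private key is outside its scope. The site name, user name and time-to-live are constructed. It shows the two details a site must get right for this to be single sign-on rather than single sign-off: each challenge is bound to the issuing site and is accepted only once, so a response captured by one site cannot be replayed to another or replayed later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the site sends: a fresh random nonce bound to the site's
// name and an issue time, so a signature over it is useless elsewhere or later.
type Challenge struct {
	Site   string
	Nonce  [32]byte
	Issued time.Time
}

// Bytes serialises the challenge deterministically; both sides sign and
// verify exactly this byte string.
func (c Challenge) Bytes() []byte {
	buf := make([]byte, 0, len(c.Site)+1+32+8)
	buf = append(buf, c.Site...)
	buf = append(buf, 0) // separator; site names contain no NUL byte
	buf = append(buf, c.Nonce[:]...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.Issued.Unix()))
	return append(buf, ts[:]...)
}

// Site holds registered public keys and the challenges it has issued but not
// yet seen answered. This is the relying party's side of the exchange.
type Site struct {
	Name    string
	TTL     time.Duration
	keys    map[string]ed25519.PublicKey
	pending map[[32]byte]Challenge
}

func NewSite(name string, ttl time.Duration) *Site {
	return &Site{Name: name, TTL: ttl,
		keys: map[string]ed25519.PublicKey{}, pending: map[[32]byte]Challenge{}}
}

// Register stores a user's public key; the private half never leaves the user.
func (s *Site) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// NewChallenge issues a single-use challenge and remembers it until answered.
func (s *Site) NewChallenge(now time.Time) (Challenge, error) {
	c := Challenge{Site: s.Name, Issued: now}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	s.pending[c.Nonce] = c
	return c, nil
}

var (
	ErrUnknownUser  = errors.New("unknown user")
	ErrWrongSite    = errors.New("challenge was issued for a different site")
	ErrStaleNonce   = errors.New("challenge not outstanding (replayed or never issued)")
	ErrExpired      = errors.New("challenge expired")
	ErrBadSignature = errors.New("signature does not verify")
)

// Verify checks the user's signed response. The challenge is consumed on its
// first presentation whether or not the signature is good, so it cannot be
// replayed, and verification is over the site's stored copy of the challenge,
// not over whatever the client claims it signed.
func (s *Site) Verify(user string, c Challenge, sig []byte, now time.Time) error {
	pub, ok := s.keys[user]
	if !ok {
		return ErrUnknownUser
	}
	if c.Site != s.Name {
		return ErrWrongSite
	}
	stored, ok := s.pending[c.Nonce]
	if !ok {
		return ErrStaleNonce
	}
	delete(s.pending, c.Nonce)
	if now.Sub(stored.Issued) > s.TTL {
		return ErrExpired
	}
	if !ed25519.Verify(pub, stored.Bytes(), sig) {
		return ErrBadSignature
	}
	return nil
}

// Respond is the user's side: sign the challenge with the private key (the
// key that, in the OpenPGP setting, the single passphrase unlocks).
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, c.Bytes())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	site := NewSite("example.test", 5*time.Minute) // constructed site name
	site.Register("alice", pub)
	now := time.Now()
	c, _ := site.NewChallenge(now)
	sig := Respond(priv, c)
	fmt.Println("first response:", site.Verify("alice", c, sig, now))
	fmt.Println("replayed response:", site.Verify("alice", c, sig, now))
}
```

The same signed response is accepted once and rejected on replay; a challenge obtained from another site fails the site-name check before any key is consulted, and one presented after the TTL fails even with a valid signature.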
The point of the article is that passwords are good but that long passwords aren't better. The idea is that your security system should be logging each attempt to authenticate (ie: don't provide public access to the encrypted string). Any brute force attack immediately triggers an alert against that account.
It's not that passwords are bad, but rather the reliance on ever-longer passwords instead of having any intrusion/irregular behaviour detection. There's a diminishing return to strong passwords - if brute force gets too hard, determined attackers will get passwords another way: social engineering, phishing or trojans. Once password complexity is "good enough" (a 4-digit pin number for banks), security resources are better spent reacting to odd events.
We sysadmin types see the world in terms of root, where "monitoring" all possible events is nigh impossible. But for most of the world, passwords are for updating databases where transactions are logged and reversible (eg: slashdot spamming with a hacked account).
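Two comments above describe what logging every authentication attempt buys you: the previous post wants any brute-force run against one account to raise an alert, and the earlier question about an intruder trying "password" once against every name in the company directory is the case a per-account lockout never sees. The Go program below is an added example, not code from either poster; the log line format and the log lines themselves are constructed. It parses the lines, then counts failures per account (the brute-force signal) and distinct accounts per source (the spray signal) inside one time window, so that both patterns produce an alert.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Attempt is one parsed authentication-log line.
type Attempt struct {
	At     time.Time
	Source string
	User   string
	OK     bool
}

// ParseAttempt reads the constructed "<timestamp> src=.. user=.. result=.." format.
func ParseAttempt(line string) (Attempt, error) {
	var a Attempt
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return a, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse("2006-01-02T15:04:05", fields[0])
	if err != nil {
		return a, err
	}
	a.At = at
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return a, fmt.Errorf("bad field %q", f)
		}
		switch kv[0] {
		case "src":
			a.Source = kv[1]
		case "user":
			a.User = kv[1]
		case "result":
			a.OK = kv[1] == "OK"
		}
	}
	if a.Source == "" || a.User == "" {
		return a, fmt.Errorf("missing src or user: %q", line)
	}
	return a, nil
}

// Thresholds for the two patterns. A per-account lockout implements only the
// first; the second needs counting across accounts for each source.
type Thresholds struct {
	Window          time.Duration
	FailuresPerUser int // brute force against one account
	UsersPerSource  int // spraying: distinct accounts failed from one source
}

// Analyze returns sorted alert strings for failures inside the window that
// ends at the newest event in the input.
func Analyze(lines []string, th Thresholds) ([]string, error) {
	var attempts []Attempt
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		a, err := ParseAttempt(l)
		if err != nil {
			return nil, err
		}
		attempts = append(attempts, a)
	}
	if len(attempts) == 0 {
		return nil, nil
	}
	newest := attempts[0].At
	for _, a := range attempts {
		if a.At.After(newest) {
			newest = a.At
		}
	}
	cutoff := newest.Add(-th.Window)

	failsPerUser := map[string]int{}
	usersPerSource := map[string]map[string]bool{}
	for _, a := range attempts {
		if a.OK || a.At.Before(cutoff) {
			continue
		}
		failsPerUser[a.User]++
		if usersPerSource[a.Source] == nil {
			usersPerSource[a.Source] = map[string]bool{}
		}
		usersPerSource[a.Source][a.User] = true
	}
	var alerts []string
	for user, n := range failsPerUser {
		if n >= th.FailuresPerUser {
			alerts = append(alerts, fmt.Sprintf("brute-force: user=%s failures=%d", user, n))
		}
	}
	for src, users := range usersPerSource {
		if len(users) >= th.UsersPerSource {
			alerts = append(alerts, fmt.Sprintf("spray: src=%s distinct_users=%d", src, len(users)))
		}
	}
	sort.Strings(alerts)
	return alerts, nil
}

// SampleLog is constructed data: one legitimate typo, a brute-force run
// against bob, and a one-guess-per-account sweep across a user directory.
func SampleLog() []string {
	lines := []string{
		"2004-06-12T09:00:01 src=10.0.0.5 user=alice result=FAIL",
		"2004-06-12T09:00:09 src=10.0.0.5 user=alice result=OK",
	}
	for i := 0; i < 6; i++ {
		lines = append(lines, fmt.Sprintf("2004-06-12T09:01:%02d src=10.0.0.7 user=bob result=FAIL", i*5))
	}
	for i := 1; i <= 12; i++ {
		lines = append(lines, fmt.Sprintf("2004-06-12T09:%02d:30 src=10.0.0.99 user=user%02d result=FAIL", 2+i, i))
	}
	return lines
}

func main() {
	alerts, err := Analyze(SampleLog(), Thresholds{Window: 15 * time.Minute, FailuresPerUser: 5, UsersPerSource: 10})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

With the per-source count disabled (a very high UsersPerSource), only the brute-force alert remains: each sprayed account saw a single failure, which is exactly why the directory sweep slips past lockout thresholds.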
This is why I no longer carry a Credit Card. As an American living in a foreign country, I used my card frequently in multiple countries. Well, the "security" group at the Credit Card company "detected" that the card was being used illegally. They shut it down 2 or 3 different times. I was so pissed at having to explain to them that I nearly blew up over the phone. This last time they forwarded me to all sorts of people, including their security group. I swear they were going to report *me* to authorities or something.
Anyway, let's just say after this experience, I ripped up my Credit Card and will never do business with FirstUSA or affiliated banks again. (AT&T credit cards too, but that's a different, longer story.)
So, basically, these "detection" systems do nothing but risk false-positives and pissing off a bunch of people.
Unfortunately, if we don't have complex "Don't start with a number, the new one must not be similar to the last, do this, don't do that" rules, users will tend to take the easy way out and use "password" if given the option. It seems today that the only way to ensure something random is to reduce the number of allowable permutations. Dictionary cracks become meaningless when the user has no statistical preference for leaning on dictionary words. Given the choice, I would just as likely use "A2jj*Z,L" as "dictionary" for a password, but Joe Average goes and spoils it...
1) pick any two words from the dictionary
2) remember them
3) separate them with a random string that you can remember, like nilmdts (Now I Lay Me Down To Sleep). I hope my new password's 1337.
Like "DucknilmdtsSoup"
And then don't use crappy operating systems like MS windows where any doofus can crack passwords by brute force. Use Password Safe for the 100 passwords to different systems you have to use that you can't remember. Don't use the same password on any two systems that you care about. Use the "DucknilmdtsSoup" like password for Password Safe.
Use a one time pad scheme for systems you really care about. Have the one-time pad written on rice paper. Include the password above in the scheme, and don't write it down. Eat the rice paper if they catch you. This isn't hard. Remember they are trying to catch you.
And the guy's example of ATMs as "getting by" for the past 20 years isn't a very good indictment of having longer, more random passwords. ATMs don't just rely on 4-digit PINs, for Christ's sake. You have to have a card, which is another layer of security. And there's also a camera at the ATM machine. I'd love to see how good ATM security turned out to be if there was no camera and a total reliance on a 4-digit PIN.
The problem here isn't that passwords are ineffective; it's user ignorance and stupidity. If companies started enforcing a strict standard of making their employees memorize a 12-digit sequence of random characters, then weak passwords in corporations wouldn't be a problem. It takes all of 15 minutes to memorize a random password through muscle memory alone.
Users need to be made aware of the repercussions of having a weak password to a network. A lot of students at my university will constantly bitch and moan about our policy of making everyone change their passwords every 60 days. We tell them it's for security. They say, "Well I don't care if someone gets into my e-mail." It's not just the student's e-mail that's at risk. It's the network. If someone obtains a legitimate username and password for an account at my school, they have access to all of our site-licensed software as well as the VPN server. With access to the VPN server comes access to the SMTP server, which means that our SMTP server could be used as a spam relay, and that hurts everyone.