Slashdot Mirror
Password Security Panned
museumpeace writes "Considering we just discussed passwords yesterday, is an uncanny coincidence that Technology Review runs an article today in which
Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But Shrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
is "god", because I heard from a good source that only the most "1337" admins use that!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.
Beep beep.
Sound like the combination to some idiots luggage...
"Nature bats last..."
... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?
Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.
Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.
Those keys were starting to be a bother in my pocket.
Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villians out of your life.
-Teiresias
There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer ap to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.
MakePassword.com Mp3 Blog
Maybe I'm missing something. If you are going to compare usage of the system to see if the user is doing something unusual, don't you have to let them use the computer for a little while before you can make that call? If a malicious user was logged into someone elses account, they would still have plenty of time to do harm before an algorithm could definitively say they weren't who they said they were. Am I wrong?
-dave
http://millionnumbers.com/ - own the number of your dreams
There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect leg in will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but It still could be out there.
In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.
"This is you left and that's your left. This is your right and that's your right. You're gonna die!
Why permit reusable passwords when you can use hardware tokens or free one-time password systems such as OPIE (formerly Bellcore's S/Key project).
Most free Unix systems ship with SHA-1 capable S/Key support included.
In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I thought the exact same thing. It sound kneejerk to me. I would assume that I, as root, would be setting up these "normalcy" filters and not some government agency.
Not that I think it's a good idea, just that I don't think it has anything to do with privacy.
Pulp Audio Weekly - Geek News and Reviews
In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.
So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.
But do you really want the system to record the fact that you browse armadillo porn?
So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?
Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.
Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using peoples' passwords to crack into their accounts on other sites.
These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
It's inherently immoral to deny access to your data to anyone who wants to see it. All that information wants to be free! How dare you lock it behind passwords, and try to find even more oppressive methods of keeping it in chains?
Don't blame me; I'm never given mod points.
I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.
I couldn't believe my eyes...
Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.
I agree that passwords ARE useless.
When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in an moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
No password length can match a biometric, especially mine.
Help me out, are you dissing the security of your own password, or are you bragging about the size of your biometric?
Accountability on the heads of the powerful.
Power in the hands of the accountable.
It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognization of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).
Users should always be advised of any failed attempts to gain access to the account after a sucessful login, a feature that is lacking from most current systems.
I'm an American. I love this country and the freedoms that we used to have.
From TFA:
Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?
While the article continues to say that simple passwords are good, it overlooks the other half of the equation: the ATM card. Without both, no access is granted which seems to be the strength of the ATM.
The prevelence of password only authentication seems to be a hardware problem. Everyone has a keyboard, but almost no one has ( for instance ) a securid token.
A USB dongle might be the easiest solution, although standardization is obviously a problem. Gawd knows I wouldn't want to have one USB dongle for yahoo, one for NYTimes, one for my bank, et. al.
A Human Right
I don't mind that, I just don't want it to know I read /.
So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.
But do you really want the system to record the fact that you browse armadillo porn?
More importantly do you want to feel compelled to compulsively look at armadillo porn daily out of fear that if you don't it'll raise a red flag and you'll be "caught with your pants down"
That's a funny phrase to use here considering that you're getting caught for NOT looking at porn...
I am disrespectful to dirt! Can you see that I am serious?!
The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.
Sidebar
Factors are things you need to prove your identity and there are three types -
"what you know" - typically a password
"what you have" - typically a card, token, key fob, or digital certificate
"what you are" - typically biometrics
End Sidebar
The ATM example is 2-factor, which is inherently more secure than a password which is single factor
A far more secure approach would be to implement a two-factor authentication mechanism, however this increases cost and overhead (AOL is now offering this as an option - for a fee or course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.
While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.
Where oh where has my Underdog gone?
I don't think I should be prevented from using a system if I can't sleep and want to ssh at 3AM for example. It's not just a privacy problem, it's just stupid.
Use Bruce Schneier's Password Safe if you cannot remember passwords, but saying that passwords are useless when they are hard to guess because they are hard to remember, so we should use no passwords at all so there won't be anything to guess in the first place is the most stupid thing I have ever heard. If not using secrets that people can remember than what? Biometrics? Oh please... From the article: "79 percent of people questioned on the streets of London revealed such desirable security-sensitive data as mother's maiden name and birth date." Really? People revealed such secrets as their birth date? Let us all stop using passwords then! This is just laughable.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
And if your system's security is ever compromised, then the *attacker* will know about it, too. This would result in two things:
Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin howerver) but rather had a usb thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?
Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.
Any ideas if something like this works at all or anything like it that might be of some use?
This statement sounds very tinfoil hattish to me. There are many people who believe that a computer creating any sort of trace log is a violation of privacy. Personally, I find it good practice to record information about computer usage. For example, I usually record the incoming IP address of everyone who logs into a system. When dealing with critical information such as financial records or personnel files, I will keep a robust history of everyone who accessed a given record.
In one case, I designed a program for a call center. The call center would allow customer service agents access to a customer's credit card number. I recorded every time a customer service rep accessed a card number along with information on the call they were handling. The computer would report any abnormal behavior in the credit card number access to a supervisor.
Often the best way to improve your security is simply to provide your auditing information to your end users. For example, let's say I see a change in a behavior of a user...such as logging in from a different IP. I might make a program that informs the end user of this event. For example, if a person who usually logs in from Albany logs in from Kuala Lumpur, then I inform them of the event. IF they cannot remember traveling abroad recently, the change in behaviour just might be a security breach, requiring further investigation.
Imagine if your work computer reported the time from your last log in each time you accessed the system. So, you come in Monday morning and the system warns that you logged in during the weekend. Most workers would take something like this seriously as it implies someone was stealing their identity. Tin foil hatters would be livid that the system recorded the activities of the person who stole their identity.
On their phone system they ask for your account #, date of birth, and 3 digits from your security number. I've always been impressed by their system.
On a side note, I love how you never have to start telling the story from the top whenever they pass you on to another service representative. As soon as they pick up the phone it's "Hello Mr ______, how can I help?" I never thought I'd say this about a bank but the HSBC rocks!
Drill baby drill - on Mars
What could they be doing that would disallow a number as the first character?
$making $all $passwords $into $perl $variables??
Ironically, the word ironically is often used incorrectly.
A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.
Then all of a sudden, it stopped working. On the weekend.
When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.
Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.
A week later, now in some other middle eastern country (I forget where), the same thing happened.
My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.
A suspicion engine can prevent legitimate use of a system in these situations.
it better be stronger than the 40 bit key used for current car keys...we just had a /. art on how kids at JHU built special cracking hardware that could recover the cryptokey for any of the millions of RFID tagged car keys. If you drop you keys and the bad guy picks 'em up, you are wide open even if he only has them for about 2 hours and then hands them back to you.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I'd like to only have to remember one password, and I'd rather not tell anyone else what it is. Even banks, or shopping sites.
I have an OpenPGP key. It strikes me that there mist be some way to register my public key with a site, and then have that site challenge me to decrypt a random string. This can only be done using my private key + my password.
Could this use of OpenPGP keys form the basis of a single sign-on model (well, single password model)?
Passwords are hard to remember, that's easy to solve: store passwords encrypted under a proper-strength password. But it doesn't remove the fundamental security-problem with passwords: to prove you know the secret, you must reveal the secret.
Zero Knowledge Proofs remedy this problem (google that), and public/private key challenge authentication (properly seeded from both participants) are zero-knowledge assuming the cryptographic operation is secure.
So lets scrap passwords and have a standard protocol for zero-knowledge proofs instead, used in everything from the web to car-keys to win32, with helper libraries for accessing the required key-data using a proper master-password, so we don't have to send secret data to untrusted code.
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
The point of the article is that passwords are good but that long passwords aren't better. The idea is that your security system should be logging each attempt to authenticate (ie: don't provide public access to the encrypted string). Any brute force attack immediately triggers an alert against that account.
It's not that passwords are bad, but rather that relying on ever-longer passwords instead of having any intrusion/irregular behaviour detection. Theres a diminished return to strong passwords - if brute force gets too hard, determined attackers will get passwords another way: social engineering, phishing or trojens. Once password complexity is "good enough" (a 4-digit pin number for banks), security resources are better spent reacting to odd events.
We sysadmin types see the world in terms of root, where "monitoring" all possible events is neigh impossible. But for most of the world, passwords are for updating databases where transactions are logged and reversable (eg: slashdot spamming with a hacked accout).
This is why I no longer carry a Credit Card. As an American living in a foreign country, I used my card frequently in multiple countries. Well, the "security" group at the Credit Card company "detected" that the card was being used illegally. They shut it down 2 or 3 different times. I was so pissed at having to explain to them that I nearly blew up over the phone. This last time they forwarded me to all sorts of people, including their security group. I swear they were going to report *me* to authorities or something.
Anyway, let's just say after this experience, I ripped up my Credit Card and will never do business with FirstUSA or affiliated banks again. (AT&T credit cards too, but that's a different, longer story.)
So, basically, these "detection" systems do nothing but risk false-positives and pissing off a bunch of people.
I'm still not sorry I submitted it. but you have a point...he suggests things that he does not describe well enough to support analysis pro or con. and it turns out he misused the term "suspicion engine"...look it up with google and the first thing on the list will be ibm/tivoli's product of that name.
just the suggestion that security could be improved by burying challenges to the identity and access for a user somewhere deeper in the system than the UI/passsword mechanism we are familiar with was still a provocative if totally sick suggestion. 300+ comments tells me it hits a nerve.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Unfortunately, if we don't have complex "Don't start with a number, the new one must not be similar to the last, do this, don't do that" rules, users will tend to take the easy way out and use "password" if given the option. It seems today that the only way to ensure something random is to reduce the number of allowable permutations. Dictionary cracks become meaningless when the user has no statistical preference for leaning on dictionary words. Given the choice, I would just as likely use "A2jj*Z,L" as "dictionary" for a password, but Joe Average goes and spoils it...
You won't be secure until you educate end users, and get them to buy in to the idea of security. The weak link is rarely the hashing algorithm or the PRNG, it's the people. If you've got a bank vault with a huge steel door and a glass window, you find a rock. As long as people keep leaving passwords written down on stickies attached to the monitor, passwords won't be worth crap.
Instituting monitoring of accounts may or may not be a good idea, depending on your particular circumstances. But calling a security mechanism useless because some people don't know how to use it right is shortsighted.
This post expresses my opinion, not that of my employer. And yes, IAAL.
There's also the fact that the banks are paying attention to your transactions and will likely act on unusual behaviour - this is close to the "suspicion engine" he describes.
And the guy's example of ATMs as "getting by" for the past 20 years isn't a very good indictment of having longer, more random passwords. ATMs don't just rely on 4-digit PINs, for Christ's sake. You have to have a card, which is another layer of security. And there's also a camera at the ATM machine. I'd love to see how good ATM security turned out to be if there was no camera and a total reliance on a 4-digit PIN.
The problem here isn't that passwords are ineffective; it's user ignorance and stupidity. If companies started enforcing a strict standard of making their employees memorize a 12-digit sequence of random characters, then weak passwords in corporations wouldn't be a problem. It takes all of 15 minutes to memorize a random password through muscle memory alone.
Users need to be made aware of the repercussions of having a weak password to a network. A lot of students at my university will constantly bitch and moan about our policy of making everyone change their passwords every 60 days. We tell them it's for security. They say, "Well I don't care if someone gets into my e-mail." It's not just the student's e-mail that's at risk. It's the network. If someone obtains a legitimate username and password for an account at my school, they have access to all of our site-licensed software as well as the VPN server. With access to the VPN server comes access to the SMTP server, which means that our SMTP server could be used as a spam relay, and that hurts everyone.