Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Security Panned

Posted by CmdrTaco on from the trustno1-is-a-bad-password dept.

museumpeace writes "Considering we just discussed passwords yesterday, is an uncanny coincidence that Technology Review runs an article today in which Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But Shrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."

25 of 387 comments (clear)

  1. my password by jaymzter · · Score: 4, Funny

    is "god", because I heard from a good source that only the most "1337" admins use that!

    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
    1. Re:my password by Anonymous Coward · · Score: 4, Funny

      Don't worry. I just did it for you.

  2. Might not be useful to you by Realistic_Dragon · · Score: 4, Interesting

    ...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.

    --
    Beep beep.
    1. Re:Might not be useful to you by That's+Unpossible! · · Score: 4, Funny

      ...but when my mother comes over

      Don't you mean "down"?

      --
      Ironically, the word ironically is often used incorrectly.
  3. Surely... by rackhamh · · Score: 4, Insightful

    ... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?

    Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.

    1. Re:Surely... by tdemark · · Score: 5, Interesting

      My biggest beef with passwords is the myriad of different "rules" as to what makes a valid password at different sites.

      I have a few great passwords ... no one is going to get them short of brute forcing (or, God forbid, key logging). However, every site seems to have different (read: REDICULOUS) parameters for passwords:

      - must not start with a number
      - must have both letters and numbers (symbols don't count)
      - can only be [a-z][A-Z][0-9]

      I would love to meet the asshats that come up with these randomly applied "rules" just so I could kick them squarely in the nuts.

      I used to only need two passwords for EVERYTHING (one "weak" password for discussion sites (eg - Slashdot) and one "strong" password for the important stuff). Alas, that was too easy. Now I have to maintain around 10 passwords that, IMNSHO, are far weaker that the ones they replaced (not by my choice).

      For example, one large credit card company recently changed its password policy. Since my old password didn't "fit" in their new policy, they simply set it to something else without telling me. Mind you, the new password I had to choose is orders of magnitude easier to crack than the old password because they removed a number of possible characters.

      Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?

      In close, if you have anything to do with the authentication process of a website, before you start throwing on random rules for passwords, do us all a favor and DON'T.

      - Tony

  4. Sounds like a great idea. by teiresias · · Score: 4, Interesting

    Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.

    Those keys were starting to be a bother in my pocket.

    Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villians out of your life.

    --
    -Teiresias
    1. Re:Sounds like a great idea. by generic-man · · Score: 4, Interesting

      An IDS that tracks your usage patterns is not intended to replace passwords; it is intended to supplement them. Once you're in your house, to continue your analogy, there are certain things you do and certain ways in which you do them. For example, let's say you have cable television but you never watch Fox News. If someone who used your key comes into your living room and watches the Fox News channel for hours on end, that's a red flag.

      Red flags do not trigger an immediate lockdown. They just suggest to an administrator that someone may be behaving in a way that you wouldn't, and that further investigation may be warranted.

      IDSes are a great way to supplement the absolute uselessness of passwords, as long as administrators know how to use them effectively.

      --
      For more information, click here.
  5. Password alternative by dilvie · · Score: 4, Interesting

    There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer ap to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.

    --
    MakePassword.com Mp3 Blog
    1. Re:Password alternative by kzinti · · Score: 5, Insightful

      To paraphrase Bruce Schneier, a system can authenticate you with one of three things: something you know, something you have, something you are, or some combination of those somethings. The author of that article says we should wean ourselves from passwords, but doesn't offer any realistic alternatives other than "suspicion engines", which don't meet any of Schneier's criteria, although they sound like a weak attempt to add a new one: "Something you do". Would anyone here feel comfortable trusting their bank account or Paypal account to a suspicion engine? Thanks, but no thanks.

  6. He's right. by Sheetrock · · Score: 4, Interesting
    No password length can match a biometric, especially mine. The level of detail a good scanner can pick up well exceeds a memorizable password, with of course the understanding that too perfect a read will make it impossible to scan twice the same way, and the technology is only getting better.

    In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:He's right. by grub · · Score: 4, Funny


      Re: your sig. Dr. Spock was a famous pediatricion. Mr. Spock is from Star Trek. Also note that it wasn't he that said the line in your quote, I'm pretty sure it was Yoda from Star Wars. You've managed to bastardize my childhood worse than George Lucas and Rick Berman now, thankyouverymuch.

      --
      Trolling is a art,
    2. Re:He's right. by renderhead · · Score: 4, Insightful

      The main problem with biometrics is that once a hacker gets past it once, they've gotten past it forever. You can't change your thumbprint like you can your password, and your retinal scan is definitely permanent. So the security works great until someone figures out a way to fake your thumbprint. Then they can get into any of your thumbprint-protected resources anywhere in the world. Not only that, they have all the time in the world to come up with a perfect way to fake the print because they know it won't be changing in 30 (or 90, or 5) days.

      What do you do when you realize that even one of them has been breached? How do you change your security settings to lock out the intruder from the vulerable resources while allowing you to retain access?

      --
      I wish that my inferiority complex were as good as yours.

      -RenderHead

  7. Re:can you elaborate? by rackhamh · · Score: 5, Interesting

    In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.

    So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

    But do you really want the system to record the fact that you browse armadillo porn?

  8. So... by eln · · Score: 5, Insightful

    So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?

    Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.

    Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using peoples' passwords to crack into their accounts on other sites.

    These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.

    1. Re:So... by nine-times · · Score: 4, Insightful
      Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.

      Seems to me that there's a different difference that makes passwords worthwhile. See, there are three sorts of security measures (everything I can think of fits into one of these): Measure something the user has (like a keycard), measure something the user is (biometrics), or measure something the user knows (like passwords).

      Something the user has can be stolen. With measuring something the user is, there's something like the risk of "being stolen". If it's a fingerprint scanner, someone could take your fingerprint from an object you've touched without your knowledge. If you use facial recognition, well, you're face is out in the open for everyone to see all day long-- couldn't someone somehow capture that image and re-display it? I know, they are improving the detail and complexities of the scanners all the time, but for however much they improve the resolution of the scanners, they just need to have a "camera" with enough detail to fool it. More complex scanning methods only mean you need more complex display/replay methods to fool them.

      However, when it comes to measuring something the user knows, with current technology, there isn't a good way to "capture" that without my knowledge. At least not as long as I'm wearing my tinfoil hat.

  9. Information wants to be free by geoffspear · · Score: 4, Funny

    It's inherently immoral to deny access to your data to anyone who wants to see it. All that information wants to be free! How dare you lock it behind passwords, and try to find even more oppressive methods of keeping it in chains?

    --
    Don't blame me; I'm never given mod points.
  10. But I wrote down all of my passwords... by Eclipse5302 · · Score: 4, Interesting

    I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.

    I couldn't believe my eyes...

    Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.

    I agree that passwords ARE useless.

  11. Physical keys by ch-chuck · · Score: 5, Insightful

    When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in an moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  12. Your... what? by DeadVulcan · · Score: 5, Funny

    No password length can match a biometric, especially mine.

    Help me out, are you dissing the security of your own password, or are you bragging about the size of your biometric?

    --
    Accountability on the heads of the powerful.
    Power in the hands of the accountable.
  13. Passwords are fine, the systems that are broken by frovingslosh · · Score: 4, Insightful
    Passwords can work fine and be easy for the users, it is the systems that make passwords weak. The ability to use a dictionary attack on passwords is insane. Any reasonable implimentation of password security would let a user try a very limited number of attempts to gain access by a password (to allow for typing errors and human error, even accidentally using the wrong password). After multiple failures, a reasonable system would lock out the user account for a period of time (at a minimum, it could also begin a notification process or take other measures to protect data if appropriate). After the imposed delay the user could be given another chance to enter the password, but again after one or more failed attempts a delay could be imposed again, perhaps with a longer delay after each failure. These delays would have little or no real impact on a user who made an error in password entry, but would be a major step in stopping dictionary attacks or other guessing approaches used by attackers. Not using them is simply poor system design.

    It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognization of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).

    Users should always be advised of any failed attempts to gain access to the account after a sucessful login, a feature that is lacking from most current systems.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  14. Re:can you elaborate? by merlin_jim · · Score: 4, Funny

    So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

    But do you really want the system to record the fact that you browse armadillo porn?

    More importantly do you want to feel compelled to compulsively look at armadillo porn daily out of fear that if you don't it'll raise a red flag and you'll be "caught with your pants down"

    That's a funny phrase to use here considering that you're getting caught for NOT looking at porn...

    --
    I am disrespectful to dirt! Can you see that I am serious?!
  15. Poor comparison - Passwords to Bank Card Pins by a55mnky · · Score: 4, Insightful

    The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.

    Sidebar
    Factors are things you need to prove your identity and there are three types -
    "what you know" - typically a password
    "what you have" - typically a card, token, key fob, or digital certificate
    "what you are" - typically biometrics
    End Sidebar

    The ATM example is 2-factor, which is inherently more secure than a password which is single factor

    A far more secure approach would be to implement a two-factor authentication mechanism, however this increases cost and overhead (AOL is now offering this as an option - for a fee or course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.

    While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.

    --
    Where oh where has my Underdog gone?
  16. Re:can you elaborate? by yintercept · · Score: 4, Insightful
    Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy

    This statement sounds very tinfoil hattish to me. There are many people who believe that a computer creating any sort of trace log is a violation of privacy. Personally, I find it good practice to record information about computer usage. For example, I usually record the incoming IP address of everyone who logs into a system. When dealing with critical information such as financial records or personnel files, I will keep a robust history of everyone who accessed a given record.

    In one case, I designed a program for a call center. The call center would allow customer service agents access to a customer's credit card number. I recorded every time a customer service rep accessed a card number along with information on the call they were handling. The computer would report any abnormal behavior in the credit card number access to a supervisor.

    Often the best way to improve your security is simply to provide your auditing information to your end users. For example, let's say I see a change in a behavior of a user...such as logging in from a different IP. I might make a program that informs the end user of this event. For example, if a person who usually logs in from Albany logs in from Kuala Lumpur, then I inform them of the event. IF they cannot remember traveling abroad recently, the change in behaviour just might be a security breach, requiring further investigation.

    Imagine if your work computer reported the time from your last log in each time you accessed the system. So, you come in Monday morning and the system warns that you logged in during the weekend. Most workers would take something like this seriously as it implies someone was stealing their identity. Tin foil hatters would be livid that the system recorded the activities of the person who stole their identity.

  17. Suspicion engines by miskate · · Score: 4, Insightful

    A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.

    Then all of a sudden, it stopped working. On the weekend.

    When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.

    Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.

    A week later, now in some other middle eastern country (I forget where), the same thing happened.

    My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.

    A suspicion engine can prevent legitimate use of a system in these situations.