Slashdot Mirror


MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea, and I'm surprised more people haven't been doing it more often."
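The "precomputed hash tables" argument above rests on the fact that the Windows NT password hash is an unsalted MD4 of the UTF-16LE password, so one table serves every account. The following is an added example, not code from the Slashdot post or from Hensing's blog: it implements MD4 from scratch (the `md4` in `hashlib` is often disabled under OpenSSL 3), builds a tiny lookup table from a constructed wordlist, and shows that a short dictionary-style password is recovered by a single dictionary lookup while a passphrase never appears in the table, with a key-space estimate of why no table of that size can exist. `WORDLIST`, the passphrase, and the printable-alphabet sizes are assumptions chosen for illustration.

```python
# Added example (not from the original page): precomputed lookup against
# unsalted NT hashes vs. a long passphrase.
import math
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out here so the example runs without OpenSSL md4."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"                                      # padding: 1 bit, then zeros
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)                  # 64-bit little-endian length
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4                            # update a, d, c, b, a, ...
                x, y, z = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rotl((v[j] + fn(x, y, z) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
        a, b, c, d = [(s + t) & 0xFFFFFFFF for s, t in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed stand-in for the dictionary-plus-mutations a cracker enumerates.
WORDLIST = ["password", "Password", "letmein", "qwerty", "summer2004",
            "Summer2004", "welcome", "Welcome1", "p@ssw0rd", "P@ssw0rd"]


def build_table(candidates):
    """Hash every candidate once; because there is no salt, the table is
    reusable against every captured hash from every machine."""
    return {nt_hash(p): p for p in candidates}


def lookup(table, captured_hash):
    """O(1) recovery of a password whose hash is in the precomputed table."""
    return table.get(captured_hash.lower())


def keyspace_bits(alphabet_size, length):
    """log2 of the number of strings a table would have to cover."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    # Constructed "captured" hashes, as if sniffed or dumped from a SAM.
    short_pw = nt_hash("Summer2004")
    phrase = nt_hash("My dog's name is Rex and he eats too much.")  # assumed passphrase
    print("short password:", lookup(table, short_pw))     # Summer2004
    print("passphrase    :", lookup(table, phrase))       # None
    # 8 printable ASCII chars vs. a 40-char phrase from only lowercase + space:
    print("8-char keyspace  : %.1f bits" % keyspace_bits(95, 8))   # ~52.6
    print("40-char keyspace : %.1f bits" % keyspace_bits(27, 40))  # ~190
```

The table has one entry per candidate regardless of how many hashes are attacked, which is why unsalted hashes amortise so well for the attacker; the keyspace numbers show the other side of the argument, since even a passphrase drawn from a deliberately tiny alphabet sits at over 190 bits, far beyond any table or exhaustive search, whereas the full 8-character printable space is about 2^52.6. A salt per account, or a slow iterated hash, would break the precomputation even for short passwords, but NT hashes have neither, which is the gap the passphrase recommendation works around.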


  1. Re:Biometrics by mboverload · · Score: 5, Insightful
    Biometrics is the most over-rated security idea ever thought of.

    Once someone gets a copy of your fingerprint or retina, your credit card is compromised for life. You can't change your biometrics, which is why they are a total joke.

  2. I can't type my 8 char passwords half the time by Ingolfke · · Score: 5, Insightful
    I think this method is flawed for a few reasons.
    1. Fat fingering - People fat finger their 8 char passwords already. With a 40 char passphrase they're just that much more likely to mistype the password. If someone is mistyping 1 out of every 10 of their 8 char passwords, it follows that they would only correctly type every other password if it was 40 chars long.
    2. Typing speed will be reduced - People will slow down their typing to increase their accuracy when typing a 40 char password into a text box that shows asterisks or blank space. This makes it easier for individuals looking over their shoulder to see which characters they're typing.
    3. Phrases include hints - Now someone could come up with a completely nonsense phrase, but that sort of defeats the purpose of the easy to remember passphrase in the first place, so it's likely that individuals will use a phrase that follows standard local language grammar, which means that if someone is able to see a single piece of that phrase they are then able to narrow down the scope of the possible phrases that could be the passphrase. Of course simple passwords contain these types of hints as well.

  3. Re:Biometrics by jayed_99 · · Score: 5, Insightful

    I've helped implement a biometric system for time-keeping. I've also worked in very, very secure environments.

    There are two definite (and related) advantages to biometric systems.

    One -- the bar to "unauthorized use of credentials" is raised to a higher level. Which, to a large degree, is what all security is about. If ${large organization of nefarious intent} wants my data, they have the means to get it. Biometrics helps weed out the less well-funded and well-motivated people. It's like me using one-time passwords for SSH access. No, it doesn't prevent someone from entering my house and installing a tiny hardware key-logger in my PC, but it does stop all of those clowns running dictionary attacks.

    With biometrics, people can't just rummage around a desk looking for the password post-it. They (as in your case) have to arrange for greasy finger-print covered glasses and scotch tape. Not insurmountable, just a bit more difficult.

    Two -- any kind of remotely plausible deniability in the event of a breach is gone. ("Uh, I don't know how it happened. I just happened to have a jelly mold of this guy's fingerprint...") Unauthorized access to a biometrically controlled system is pretty solid prima facie evidence that Evil Deeds[TM] are afoot.

    Yes, there are problems with biometric authorization. Irrevocability being a very large one. Almost all of the people complaining about biometrics being ineffective -- and almost all of the people touting them as *the* solution to all security problems -- are forgetting one thing.

    Security is about the whole organizational process. Total security is enhanced or diminished by the particular method of authentication that you use -- and poor authentication can undermine a lot of the rest of the system. Hackable authentication does not automatically invalidate the rest of the security process. 100% provable authentication does not automatically mean that your system is 100% secure.

    Let's look at the example of an anonymous FTP server. There's no authentication. None. However, any sensible person would be running it read-only. It would be jailed or chrooted. IP addresses would be logged for auditing purposes. The partition that the ftp server is serving data from could be mounted noexec. Blah, blah, blah, etc, etc, etc. Here's a case where zero authentication does not mean zero security.

    People often talk about biometrics in the context of some theoretical, non-existent system where there is no other security other than this one, initial biometric authentication...and the whole system is either "secure" or "insecure" based on the authentication. Which is just garbage.

    Even in the simplest case -- biometric time-keeping -- there are other checks in the system.

    Let's assume that worker A and worker B have colluded to provide each other with false handprints. We'll leave out such annoying real-world problems like, "Hey, Bob, why are you clocking in with that jelly-filled hand-on-a-stick ?" and assume that worker A and worker B can at any time just clock in and clock out as each other without anyone noticing.

    OK, at the end of the week, Manager M gets a payroll report. Manager M gives it a cursory glance. Uber-manager N gets the same report, and gives it an even more cursory glance. Let's not even talk about Director O -- we know that it's just sitting in her in-box with all of the other reports.

    HR Flunkie T runs the weekly "check for discrepancies between scheduled shifts and actual time worked" and sends those to Manager, Uber-Manager and Director. Manager M fires an email back saying, "Hey, no problem." Or perhaps the email says, "Hey, worker A is showing up as having no discrepancies -- I distinctly remember that he was thirty minutes late on Tuesday".

    Every month, Auditor X takes a brief look at all of the discrepancies between last month and today and all of the explanations for them. Auditor X looks for any suspicious or unusual patterns -- and the absenc