MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."

Biometrics

[nuclear305]

What about biometrics? Passphrases are nothing more than longer passwords. I can see several things resulting from
converting to all passphrases. First, the person will probably use the same passphrase for everything because it's too difficult
to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (In the US, at least) are limited to
10 digits because research shows the average person can only memorize 10 digits, as a result...we tend to write things down, or in the case of
data people are likely to store their passphrases in a central location that is still prone to theft/decryption.

Biometrics, on the other hand, requires that you only have your body present at the time! No special USB keys to lug around, no pieces of
paper with important passwords/phrases. This won't solve the problem of possible data interception when talking about remote
authentication--but every form of authentication is prone to such attacks when transmitted.

Re:Biometrics

[Blindman]

The question is wheter or not one can spoof biometrics. I can probably get a copy of a lot of fingerprints, and I could post them on my wall. That doesn't mean I could make gloves with them. Despite how it appears in movies, I don't know how easy it would be to fake someone else's fingerprints or retina for that matter.

I agree that biometrics can't be changed, but will you ever need to?

Re:Biometrics

[JoeNotCharles]

Fuzzy memory can be a problem, though. Was it "...to come to their country's aid" or "...to come to the aid of their country"? Did you use punctuation, and if so, which? I created a gpg passphrase and stupidly used two sentences - was never able to recover my keys again, because I couldn't remember if I used one or two spaces between the sentences, or if the first ended with a period or an exclamation mark. (Actually, I tried all 4 variations of that, and none worked, so I must have forgotten something else - but with such a long passphrase, I couldn't even begin to think of the many possible variations on what I got wrong. With a password, I can at least try changing each letter at a time if I've gotten something wrong, on the assumption I only made one mistake. Of course, I'm not saying passwords are good either - I hate them.)

how about public key authentication?

[j1m+5n0w]

Passphrases are just long passwords with (usually) low entropy. They still have the same problems... You have to have a separate passphrase for each account, and you have to trust the computer you're using not to log your keystrokes. I would much rather carry around a device that can authenticate me and never have to remember a password again.

Why don't we all just switch to USB tokens for authentication? You have one device that can authenticate you by generating an RSA signature without divulging any information that would allow someone else to pretend to be you. It amazes me that more people don't use these things. I've never used one, but have considered ordering one. Does anyone out there have experience with USB tokens? Is there a good model/brand to buy? Is it easy to get them to work with Linux and ssh? Do any brick-and-mortar stores sell them?

One Time Passwords.

[frob2600]

I'm not sure why he was taking so many jabs at Linux. Well, okay... I know exactly why but this seemed especially odd to me since I have disallowed passwords on all my computers unless the user is sitting at the keyboard. And that is mainly because I haven't got X to work with one time passwords yet (besides... how would I calculate them without being able to run the program to generate one?).

I use s/key or opiekey (depending on OS) for ALL my remote logins. Both of these programs use a pass phrase but (even better) this pass phrase is never transmitted across the network... encrypted or not. What happens is the pass phrase is used to generate a one time pass phrase.

In practice it looks like this:
ssh localhost
otp-md5 498 la7365 ext
Password:

I then open another window: type in
opiekey 498 la7365 ext
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:

type my passphrase at the prompt and it spits out:
GIG DIRE EGG HISS HUB COOK
I type that at the password prompt and go on my way (cut and paste between xterms is best here). Even if I was not using an encrypted protocol the password is useless once it is used. You can even hit enter once so the phrase will be echo'ed back to you on the screen so you don't mistype it. Doesn't matter if someone reads over your shoulder because GIG DIRE EGG HISS HUB COOK will never work again.

Next time my password might be:
KNEW LARD ARGO LARD BARE YOGA

Or whatever. The point is that it is a mixture of pass phrases with the ability to avoid sending your pass phrase over an untrusted connection. You can even print out a list of the next 10 pass phrases you will have so you can log in from a computer where you wouldn't trust it enough to run the opiekey program.

How exactly is this an insecure linux system, at least in regards to passwords?

lol, besides that... I think pass phrases are a good idea. Just a little anoying at first.