Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Employee Calls for No More Passwords

Posted by Zonk on from the wise-man-in-a-unique-position dept.

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."

32 of 614 comments (clear)

  1. Biometrics by nuclear305 · · Score: 4, Interesting

    What about biometrics? Passphrases are nothing more than longer passwords. I can see several things resulting from
    converting to all passphrases. First, the person will probably use the same passphrase for everything because it's too difficult
    to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (In the US, at least) are limited to
    10 digits because research shows the average person can only memorize 10 digits, as a result...we tend to write things down, or in the case of
    data people are likely to store their passphrases in a central location that is still prone to theft/decryption.

    Biometrics, on the other hand, requires that you only have your body present at the time! No special USB keys to lug around, no pieces of
    paper with important passwords/phrases. This won't solve the problem of possible data interception when talking about remote
    authentication--but every form of authentication is prone to such attacks when transmitted.

    1. Re:Biometrics by jbridge21 · · Score: 4, Insightful

      something you have, something you are, something you know

    2. Re:Biometrics by lachlan76 · · Score: 4, Insightful

      Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

      This won't solve the problem of possible data interception when talking about remote
      authentication--but every form of authentication is prone to such attacks when transmitted.

      No it isn't, because if you use a salted hash (chosen by the server), you can't just replay the traffic.

    3. Re:Biometrics by mboverload · · Score: 5, Insightful
      Biometrics is the most over-rated security idea ever thought of.

      Once someone gets a copy of your fingerprint or retina, your credit card is comprimised for life. You can't change you biometrics, which is why they are a total joke.

    4. Re:Biometrics by Blindman · · Score: 4, Interesting

      The question is wheter or not one can spoof biometrics. I can probably get a copy of a lot of fingerprints, and I could post them on my wall. That doesn't mean I could make gloves with them. Despite how it appears in movies, I don't know how easy it would be to fake someone else's fingerprints or retina for that matter.

      I agree that biometrics can't be changed, but will you ever need to?

      --
      I don't practice what I preach because I'm not the kind of person that I'm preaching to.
    5. Re:Biometrics by lachlan76 · · Score: 4, Informative

      Read this. There is no problem faking them.

      Not to mention that fingerprints are left EVERYWHERE.

    6. Re:Biometrics by iocat · · Score: 4, Informative
      When you do a pass-phrase, each of the 10 "digits" you remember are words. Assuming you don't have dyslexia or other language-center-damaging brain issues, you don't have to remember the correct position of every letter of each word as though it was some random digit, because your brain encodes "Now is the time for all good men to come to their country's aid" much differently than "suh ob wjf nait fdn ap; qomf ..." -- you get the picture.

      It's a lot easier to remember a series of words than a series of digits that have no obvious relationship to each other.

      --

      Dude, I think I can see my house from here.

    7. Re:Biometrics by DrMrLordX · · Score: 5, Funny

      You don't need to make gloves with someone else's fingerprints. All you need are gummy bears.

      Gummy Bears! Bouncing here and there and everywhere! Foiling security beyond compare! They are the Gummy Bearrrrrrrrrrrs.

    8. Re:Biometrics by bentcd · · Score: 4, Informative

      Biometrics can certainly be spoofed. How easy this is depends entirely upon the equipment being used for recording and verifying it.

      Here's a link to a Norwegian article about one successful breach:
      http://www.tu.no/nyheter/ikt/article30692.ece
      The article links to this Swedish one on the same story:
      http://www.nyteknik.se/pub/ipsart.asp?art_id=37392
      and this concerning some Japanese experiments:
      http://www.rootsecure.net/content/downloads/pdf_do wnloads/fingerprint_scanners.pdf

      (mind the /.-inserted spaces in those links if you're copying them)

      --
      sigs are hazardous to your health
    9. Re:Biometrics by dexterpexter · · Score: 5, Informative

      Yes. Actually, I did a fair amount of research in biometrics and found that for most systems, you don't even need to make fake fingers or gloves. In fact, many biometric systems will work with simply a black and white photocopy of the person's fingerprint with a heated hand (your own) behind it while its held up to the scanner. It depends on whether is static-based or image-based. Same goes for retina scanners. Some systems can be fooled with a high-quality picture of an eye.

      Even worse, some fingerprint-based biometric sensors that were being toted as secure were able to be broken by simply blowing warm breath on the reader, much like when you go up to a cold, glassy window and fog it with your breath. The biometric sensors, for one reason or another, read the previous fingerprint.

      Again, it all depends on which system is in question, but my research found that most biometric systems were able to be broken, sans bloody, cut-off fingers or jelly replicas. Of course, they are toted as super-secure.

      That is why the fundamental rule for using biometrics for authentication is as follows:
      Biometrics aren't meant to replace passwords/passphrases. They are meant to be used as an added layer of security in addition to the password.

      (As a side note, if you wanted to do more than just get the copy of fingerprints, invite someone out for beer and french fries at the local bar and bring some scotch tape with you. When they are done and leave, take their greasy, finger-print covered glass and apply the scotch tape to it. You will lift the oily fingerprint. Depending on how the system works, you can now use watery ink to get a negative of the fingerprint. Print this onto the old boards they used to hand-make printed circuit boards, etch the board with chemicals, and come out with a fairly 3-D version of the fingerprint. Now, make your standard flat, thin jelly mold and, when set, wrap it on your finger. Viola!)

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
    10. Re:Biometrics by darkpixel2k · · Score: 5, Funny

      Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

      Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    11. Re:Biometrics by JoeNotCharles · · Score: 5, Interesting

      Fuzzy memory can be a problem, though. Was it "...to come to their country's aid" or "...to come to the aid of their country"? Did you use punctuation, and if so, which? I created a gpg passphrase and stupidly used two sentences - was never able to recover my keys again, because I couldn't remember if I used one or two spaces between the sentences, or if the first ended with a period or an exclamation mark. (Actually, I tried all 4 variations of that, and none worked, so I must have forgotten something else - but with such a long passphrase, I couldn't even begin to think of the many possible variations on what I got wrong. With a password, I can at least try changing each letter at a time if I've gotten something wrong, on the assumption I only made one mistake. Of course, I'm not saying passwords are good either - I hate them.)

    12. Re:Biometrics by laughingcoyote · · Score: 4, Insightful

      Great, now what happens when I need to log into a remote server? I currently live in Colorado and have access to machines in Wisconsin and Alberta, and the great security of fingerprint biometrics aside, my arms just aren't that long. And if that remote machine will accept data from a reader at my own machine, well, that reader is vulnerable to tampering and outside their control, and we're back where we started.

      At some point, we HAVE to realize that we just can't have some type of perfect security. Like a real safe or vault, someone determined enough to get in WILL get in. However, the better the security, the more chance that you will catch them in the act and prevent it, or deter the would-be attacker in the first place. This is the true goal of security.

      Biometric security measures, in my opinion, would be too intrusive and unwieldy for use at the desktop level. If I want to let my friend Bob use my machine, I can give him my password, but I cannot hand him my retina. Of course, for ultrasensitive applications (bank vaults, national security information, nuclear power facilities) it would be an excellent alternative to the current cards and such which can be stolen.

      As to the passphrase idea, it's not -terribly- hard to remember multiple phrases. And you don't need a different one for each site you visit-four or five different ones are sufficient for most people. And it's a lot harder for a would-be cracker to guess that your passphrase is "My daughter threw cake at the dog on her second birthday" then it is to look up your kid's date of birth.

      --
      To fight the war on terror, stop being afraid.
    13. Re:Biometrics by darkpixel2k · · Score: 4, Funny

      Besides, it IS possible even today to change the pattern of blood vessels on the retina using lasers - this is done all the time to treat diabetic retinopathy.

      Good point, but anyone who wants to go through all that trouble is welcome to my slashdot account. ;)

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    14. Re:Biometrics by jayed_99 · · Score: 5, Insightful

      I've helped implement a biometric system for time-keeping. I've also worked in very, very secure environments.

      There are two definite (and related) advantages to biometric systems.

      One -- the bar to "unauthorized use of credentials" is raised to a higher level. Which, to a large degree, is what all security is about. If ${large organization of nefarious intent} wants my data, they have the means to get it. Biometrics helps weed out the less well-funded and well-motivated people. It's like me using one-time passwords for SSH access. No, it doesn't prevent someone from entering my house and installing a tiny hardware key-logger in my PC, but it does stop all of those clowns running dictionary attacks.

      With biometrics, people can't just rummage around a desk looking for the password post-it. They (as in your case) have to arrange for greasy finger-print covered glasses and scotch tape. Not insurmountable, just a bit more difficult.

      Two -- any kind of remotely plausible deniability in the event of a breach is gone. ("Uh, I don't know how it happened. I just happened to have a jelly mold of this guy's fingerprint..."). Unauthorized access to a biometrically controlled system is pretty solid primae faciae evidence that Evil Deeds[TM] are afoot.

      Yes, there are problems with biometric authorization. Irrevocability being a very large one. Almost all of the people complaining about biometrics being ineffective -- and almost all of the people touting them as *the* solution to all security problems -- are forgetting one thing.

      Security is about the whole organizational process. Total security is enhanced or diminished by the particular method of authentication that you use -- and poor authentication can undermine a lot of the rest of the system. Hackable authentication does not automatically invalidate the rest of the security process. 100% provable authentication does not automatically mean that your system is 100% secure.

      Let's look at the example of an anonymous FTP server. There's no authentication. None. However, any sensible person would be running it read-only. It would be jailed or chrooted. IP addresses would be logged for auditing purposes. The partition that the ftp server is serving data from could be mounted noexec. Blah, blah, blah, etc, etc, etc. Here's a case where zero authentication does not mean zero security.

      People often talk about biometrics in the context of some theoretical, non-existent system where there is no other security other than this one, initial biometric authentication...and the whole system is either "secure" or "insecure" based on the authentication. Which is just garbage.

      Even in the simplest case -- biometric time-keeping -- there are other checks in the system.

      Let's assume that worker A and worker B have colluded to provide each other with false handprints. We'll leave out such annoying real-world problems like, "Hey, Bob, why are you clocking in with that jelly-filled hand-on-a-stick ?" and assume that worker A and worker B can at any time just clock in and clock out as each other without anyone noticing.

      OK, at the end of the week, Manager M gets a payroll report. Manager M gives it a cursory glance. Uber-manager N gets the same report, and gives it an even more cursory glance. Let's not even talk about Director O -- we know that it's just sitting in her in-box with all of the other reports.

      HR Flunkie T runs the weekly "check for discrepancies between scheduled shifts and actual time worked" and sends those to Manager, Uber-Manager and Director. Manager M fires an email back saying, "Hey, no problem." Or perhaps the email says, "Hey, worker A is showing up as having no discrepancies -- I distinctly remember that he was thirty minutes late on Tuesday".

      Every month, Auditor X takes a brief look at all of the discrepancies between last month and today and all of the explanations for them. Auditor X looks for any suspicious or unusual patterns -- and the absenc

    15. Re:Biometrics by Anonymous Coward · · Score: 5, Funny

      Indeed, that's all the security I need.

      Something I have... Smith and Wesson.

      Something I know... How to freaking shoot.

      Something I am... Bad MotherFucker.

    16. Re:Biometrics by ultranova · · Score: 4, Insightful

      Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

      Suppose you are just walking in the streets when someone suddenly shoves a camera to your face and takes a picture. The flashlight blinds you momentarily, so you can't pursue him. He disappears into the crowd with a picture of your retinas in his camera.

      What are you going to do ? The picture contains all the data he needs to log into online services as you. You cannot change the password, since you don't have any. In theory, you might be able to burn a distinguishing pattern into your retina with a laser - but, of course, that will negatively impact your vision.

      So yes, that's exactly what will happen. Someone will steal your retina (or rather, copy the biometric info that is used to authenticate you) and then all your accounts are 0wned for ever and ever.

      Not to mention the privacy concerns - I wouldn't want every online service to be able to link my identity to my real one, would you ?

      Biometric identification is an extremely bad idea that will hopefully die the silent death it deserves.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  2. Offer Void on pre-2000 MS operating systems. by LostCluster · · Score: 4, Informative

    One thing I just read in my MCSE study book... Windows 2000 and up support 127-character passwords, but Windows NT, Windows 9x and Windows ME only support 14-characters in a password. A user who has a Windows password greater than 14 characters simply cannot using the older operating systems even if they otherwise should be able to.

    Therefore, if you have any legacy systems to support, these password tips don't apply to you, and that's got to be part of the reason there hasn't been much of a movement to suggest that users use longer passwords.

    1. Re:Offer Void on pre-2000 MS operating systems. by jacksonj04 · · Score: 5, Informative

      I've just tested this on my 2003 Active Directory with an account with a 127 character password. Changing the last character caused the password to be rejected, so unless it uses 126 characters and dumps the last one then it seems to be a true 127 character password.

      Took a bloody age to authenticate though.

      --
      How many people can read hex if only you and dead people can read hex?
  3. People are lazy by hedronist · · Score: 4, Informative

    One of the main obstacles to better security is that people are fundamentally lazy. Typing 30 or 40 characters is difficult to do, and it takes time, so people won't do it. Or if forced to do it, they will whine about it -- a lot.

    I have convinced a majority of my friends & family to at least stop using dictionary words and names of pets. Instead, I have them pick some favorite line from a movie or book and then use the first letter of each word. It's easy to remember, so they don't stick it on the bottom of their keyboard. It also is not a word in the dictionary so at least Crack & friends can't be used to guess it.

    For example, if one of my friends is a Dead Head, he might use "stlasom.oticbs" If you're a Dead Head you'll probably be able to guess the lyric. But you *won't* be able to find it in a dictionary.

  4. Excellent! by PedanticSpellingTrol · · Score: 5, Funny

    Now replacing my brute force wordlists with "He's dead, Jim", "In soviet russia, passphrases validate YOU" and "passwords are for old korean people" will allow root access to 90% of the internet.

  5. Only a few thousand years behind... by physicsphairy · · Score: 4, Funny

    And I quote, "Open Sesame!"

    --
    When things get complex, multiply by the complex conjugate.
  6. My passphrase... by Noryungi · · Score: 4, Funny
    In many companies where I worked, for kind of reason, my passphrase always ended up as:

    • [name_of_boss]isabloodyidiot


    or

    • whatabloodyidiot[name_of_boss]is


    Make of that what you want, but:

    • it's always accepted by whatever program is in charge of checking password
    • it's easy to remember, yet hard to crack (unless you know me and the bloody^W... er... boss...
    • it always made me smile as this was the first thing I had to type in the morning


    Of course, I changed the password to something more politically correct before leaving the companies....
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  7. No one will ever break my password! by Nova+Express · · Score: 4, Funny
    It's the inscription on the One Ring, translated into Klingon, then rendered in l337! Three levels of Ubergeek encryption ensures maxiumum security!

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  8. two obvious problems with this idea by mattdm · · Score: 4, Insightful

    1) it's just as easy (give or take the odd case where you're just able to sample a few bytes) to sniff a passphrase as a password

    2) if most people's passphrases are made of dictionary words take from their active vocabularies, dictionary attacks are still very possible. If we figure a typical vocabulary of 25000 words and a six-word phase, hmmm, some quick math indicates we're in the range of a 14-character random alphanumeric+punctunation password -- not too bad. (Especially if you grant people bigger vocabularies....) But, suddenly, we're open to language-based attacks -- there's probably thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.

  9. how about public key authentication? by j1m+5n0w · · Score: 4, Interesting

    Passphrases are just long passwords with (usually) low entropy. They still have the same problems... You have to have a separate passphrase for each account, and you have to trust the computer you're using not to log your keystrokes. I would much rather carry around a device that can authenticate me and never have to remember a password again.

    Why don't we all just switch to USB tokens for authentication? You have one device that can authenticate you by generating an RSA signature without divulging any information that would allow someone else to pretend to be you. It amazes me that more people don't use these things. I've never used one, but have considered ordering one. Does anyone out there have experience with USB tokens? Is there a good model/brand to buy? Is it easy to get them to work with Linux and ssh? Do any brick-and-mortar stores sell them?

  10. Passphrases are MUCH easier by aardwolf204 · · Score: 4, Informative

    The company I work for has a password policy like this:

    1. Must contain at least 8 characters
    2. Must contain at least 2 lowercase letters
    3. Must contain at least 2 capital letters
    4. Must contain at least 2 numbers

    Since a lot of people cant grok this we start to see passwords like 34erdfCV. If you are using a QWERTY keyboard take a look at that password and tell me whats wrong with it.

    Since I saw this article in a MS Security newsletter I've started using passphrases. Here is an example of my Windows Server 2003 administrator login (local only, not going to help you). "Rent is due on the 5th". Now I see many comments already talking about how that is so much harder to type than "34erdfCV" but I beg to differ. For me at least it is much easier to type a coherent sentense than a bunch of random letters and numbers.

    This password is not only easy to type, but it is very secure. I'm sure some mathematician is going to come down on my with a bunch of stats about how I'm wrong and what not but just the fact that the LM hash is not stored when you use a password larger than 14 characters helps significantly. Sure you can tell windows not to store a LM hash by editing the registry but do you really expect all employees of a mid size company to follow directions that start out like "Click Start, then Run. Type 'regedit' and click OK"?

    Now of course this isn't going to defend you against the ol' linux bootdisk trick, or that awesome "NT Password Recovery" bootdisk, which is basically linux which allows you to overwrite the password, but thats what NTFS and encryption is for. And if you've got physical access all bets are off anyway. At least you know they wont be able to run a rainbow table lookup on your LM hash and figure it out in a few seconds.

    Also, passphrases are easier to remember, harder to guess, harder to figure out by watching someone type them, and if your really that dense you can just pick up a book off your shelf, turn to a page, type in the first sentense and remember the book and page number.

    And there is an added bonus to having a passphrase over 14 characters that you are all completely missing here. When the hot chick in accounting sees you keying in some enormously long password she will think your smart and savy and will want to have hot sex with you right there in the server room.

    Well, maybe not the hot chick and sex part.

    Now, what would be a good long slashdot post without a question for you to ponder. If you havent figured yet I'm the sysadmin at this company and am trying my hardest to find a way to "sell" this passphrase idea. It seems that the easiest thing to do in IT is configure complex servers and firewalls and support ID10T's. The hard part is "selling" common sense stuff like SSL and passphrases.

    "You mean we're going to have to add an 's' to the end of 'http', do you really expect 100 people to change their bookmarks! They've been using those bookmarks all year!"

    Insight from other admins very welcome.

    --
    Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
  11. I can't type my 8 char passwords half the time by Ingolfke · · Score: 5, Insightful
    I think this method is flawed for a few reasons.
    1. Fat fingering - People fat finger their 8 char passwords already. With a 40 char pass phrase their just that much more likely to mistype the password. If someone is mistyping 1 out of every 10 of their 8 char passwords it follows that they would only correctly type every other password if it was 40 chars long.
    2. Typing sped will be reduced - People will slow down their typing to increase their accuracy when typing a 40 char password into a text box that shows asterisks or blank space. This makes it easier for individuals looking over their shoulder to see which characters their typing.
    3. Phrases include hints - Now someone could come up with a completely nonsense phrase, but that sort of defeats the purpose of the easy to remember pass phrase in the first place, so it's likely that individuals will use a phrase that follows standard local language grammer which means that if someone is able to see a single piece of that phrase they are then able to narrow down the scope of the possible phrases that could be the passphrase. Of course simple passwords contain these types of hints as well.

  12. Thesis? I can do it right now, right here. by khasim · · Score: 4, Insightful
    But, suddenly, we're open to language-based attacks -- there's probably thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.
    I'll give you one right now.

    subject - verb - object
    (I like pizza).

    Here's another:
    adverb/adjective - object - verb
    (Mean people suck).

    The trick is finding the most common 3 word phrases (in English) and applying the basic grammatical rules you learned in school.

    That guy didn't understand that passphrases/passwords are covered in cryptology under "authentication".

    And any student of cryptology can tell you that PATTERNS are the problem.

    With passphrases, there are too many GRAMMATICAL RULES and PATTERNS that make it simple to crack.

    He focuses solely on the number of characters and never looks at how someone else would approach this to crack it.
  13. absolutely! by dexterpexter · · Score: 5, Informative

    Yep. I first learned about it in my forensics coursework.

    For more information on this, this Google search produced some good sites explaining tihs.

    Also, in just conducting that search, I learned that 2000 and XP is apparently immune from this particular problem, according to this site.

    "With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
    ...
    But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

    With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  14. Re: It's no joke! by rush22 · · Score: 5, Informative

    Gummi bears defeat fingerprint sensors

  15. Passphrases are no silver bullet by erik_norgaard · · Score: 4, Insightful

    Using passphrases does not add much more entropy, although they may be easier to remember. They are still prone to sniffing, 40chars can easily be packed in a single ethernet frame. Could some one tell Microsoft to use encrypted connections?

    Users hate passwords, they hate typing them, and they hate having to remember things. They will always opt for whatever is easy. They will hate you if you set a lower limit of 30 characters, and their passphrase was 28.

    Passwords or passphrases - same thing - will be chosen easy the more obstacles you place on the users: Requiring users to change password every three months will leave your systems less secure:

    Users will choose easier passwords, and/or they will rotate just two different passwords. No security gained.

    Further, in the race with a bruteforce attack, nothing is gained unless you change your password to one that has been tried.

    In stead, as the administrator you have a head start in the race with the crackers. Go password cracking and require users to change their password when it has been cracked.

    If password is cracked too quickly it should be followed by disiplinary actions as a compromise of security. Ofcourse the users must be informed beforehand of such proceedures.

    Just my 5euro-cent contribution...