Slashdot Mirror


MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing this more often."

12 of 614 comments

  1. Excellent! by PedanticSpellingTrol · Score: 5, Funny

    Now replacing my brute force wordlists with "He's dead, Jim", "In soviet russia, passphrases validate YOU" and "passwords are for old korean people" will allow root access to 90% of the internet.

  2. Re:Biometrics by mboverload · Score: 5, Insightful

    Biometrics is the most overrated security idea ever thought of.

    Once someone gets a copy of your fingerprint or retina, your credit card is compromised for life. You can't change your biometrics, which is why they are a total joke.

  3. Re:Biometrics by DrMrLordX · Score: 5, Funny

    You don't need to make gloves with someone else's fingerprints. All you need are gummy bears.

    Gummy Bears! Bouncing here and there and everywhere! Foiling security beyond compare! They are the Gummy Bearrrrrrrrrrrs.

  4. I can't type my 8 char passwords half the time by Ingolfke · Score: 5, Insightful

    I think this method is flawed for a few reasons.
    1. Fat fingering - People fat finger their 8 char passwords already. With a 40 char pass phrase they're just that much more likely to mistype the password. If someone is mistyping 1 out of every 10 of their 8 char passwords, it follows that they would only correctly type every other password if it was 40 chars long.
    2. Typing speed will be reduced - People will slow down their typing to increase their accuracy when typing a 40 char password into a text box that shows asterisks or blank space. This makes it easier for individuals looking over their shoulder to see which characters they're typing.
    3. Phrases include hints - Now someone could come up with a completely nonsense phrase, but that sort of defeats the purpose of the easy to remember pass phrase in the first place, so it's likely that individuals will use a phrase that follows standard local language grammar, which means that if someone is able to see a single piece of that phrase they are then able to narrow down the scope of the possible phrases that could be the passphrase. Of course simple passwords contain these types of hints as well.

  5. Re:Biometrics by dexterpexter · Score: 5, Informative

    Yes. Actually, I did a fair amount of research in biometrics and found that for most systems, you don't even need to make fake fingers or gloves. In fact, many biometric systems will work with simply a black and white photocopy of the person's fingerprint with a heated hand (your own) behind it while it's held up to the scanner. It depends on whether it is static-based or image-based. Same goes for retina scanners. Some systems can be fooled with a high-quality picture of an eye.

    Even worse, some fingerprint-based biometric sensors that were being touted as secure were able to be broken by simply blowing warm breath on the reader, much like when you go up to a cold, glassy window and fog it with your breath. The biometric sensors, for one reason or another, read the previous fingerprint.

    Again, it all depends on which system is in question, but my research found that most biometric systems were able to be broken, sans bloody, cut-off fingers or jelly replicas. Of course, they are touted as super-secure.

    That is why the fundamental rule for using biometrics for authentication is as follows:
    Biometrics aren't meant to replace passwords/passphrases. They are meant to be used as an added layer of security in addition to the password.

    (As a side note, if you wanted to do more than just get the copy of fingerprints, invite someone out for beer and french fries at the local bar and bring some scotch tape with you. When they are done and leave, take their greasy, fingerprint-covered glass and apply the scotch tape to it. You will lift the oily fingerprint. Depending on how the system works, you can now use watery ink to get a negative of the fingerprint. Print this onto the old boards they used to hand-make printed circuit boards, etch the board with chemicals, and come out with a fairly 3-D version of the fingerprint. Now, make your standard flat, thin jelly mold and, when set, wrap it on your finger. Voilà!)

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."

  6. Re:Offer Void on pre-2000 MS operating systems. by jacksonj04 · Score: 5, Informative

    I've just tested this on my 2003 Active Directory with an account with a 127 character password. Changing the last character caused the password to be rejected, so unless it uses 126 characters and dumps the last one then it seems to be a true 127 character password.

    Took a bloody age to authenticate though.

    --
    How many people can read hex if only you and dead people can read hex?

  7. Re:Biometrics by darkpixel2k · Score: 5, Funny

    Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

    Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

    --
    There's no place like ::1 (I've completed my transition to IPv6)

  8. Re:Biometrics by JoeNotCharles · Score: 5, Interesting

    Fuzzy memory can be a problem, though. Was it "...to come to their country's aid" or "...to come to the aid of their country"? Did you use punctuation, and if so, which? I created a gpg passphrase and stupidly used two sentences - was never able to recover my keys again, because I couldn't remember if I used one or two spaces between the sentences, or if the first ended with a period or an exclamation mark. (Actually, I tried all 4 variations of that, and none worked, so I must have forgotten something else - but with such a long passphrase, I couldn't even begin to think of the many possible variations on what I got wrong. With a password, I can at least try changing each letter at a time if I've gotten something wrong, on the assumption I only made one mistake. Of course, I'm not saying passwords are good either - I hate them.)

  9. absolutely! by dexterpexter · Score: 5, Informative

    Yep. I first learned about it in my forensics coursework.

    For more information on this, this Google search produced some good sites explaining this.

    Also, in just conducting that search, I learned that 2000 and XP are apparently immune from this particular problem, according to this site.

    "With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
    ...
    But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

    With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."

  10. Re:Biometrics by jayed_99 · Score: 5, Insightful
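An added audit check, not posted by any commenter, that applies the two facts quoted above: the LM hash is built from two 7-character halves, and the constant AAD3B435B51404EEAAD3B435B51404EE (two identical halves) is what gets stored when there is no LM hash to store. It assumes input in the common pwdump-style line layout "user:rid:lmhash:nthash:::"; the sample lines and every hash other than the null constant are constructed.

```python
import re

# Null LM hash quoted in the article above: two identical 8-byte halves,
# each being the LM encoding of an empty 7-character chunk.
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"
NULL_LM_HALF = NULL_LM_HASH[:16]

# Constructed sample dump (assumed pwdump-style layout; hash values are made up
# apart from the null constant).
SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:0123456789ABCDEFAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:0123456789ABCDEF1122334455667788:89ABCDEF0123456789ABCDEF01234567:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-f]{32}):([0-9A-Fa-f]{32}):::$")


def classify_lm(lm_hash):
    """Describe what a stored LM hash reveals about the account's password."""
    lm = lm_hash.upper()
    second_half = lm[16:]
    if lm == NULL_LM_HASH:
        return "no LM hash (password 15+ chars, or LM hashes not stored)"
    if second_half == NULL_LM_HALF:
        # Second 7-char chunk was empty, so the password is at most 7 chars.
        return "LM hash stored; password is 7 chars or fewer"
    return "LM hash stored; password is 8 to 14 chars (two crackable halves)"


def audit_dump(text):
    """Map each user in a pwdump-style dump to its LM-hash verdict."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        user, _rid, lm, _nt = m.groups()
        findings[user] = classify_lm(lm)
    return findings


if __name__ == "__main__":
    for user, verdict in audit_dump(SAMPLE_DUMP).items():
        print(f"{user}: {verdict}")
```

Accounts whose verdict starts with "LM hash stored" are the ones a 15+ character passphrase (or disabling LM hash storage) would move into the null-hash category.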

    I've helped implement a biometric system for time-keeping. I've also worked in very, very secure environments.

    There are two definite (and related) advantages to biometric systems.

    One -- the bar to "unauthorized use of credentials" is raised to a higher level. Which, to a large degree, is what all security is about. If ${large organization of nefarious intent} wants my data, they have the means to get it. Biometrics helps weed out the less well-funded and well-motivated people. It's like me using one-time passwords for SSH access. No, it doesn't prevent someone from entering my house and installing a tiny hardware key-logger in my PC, but it does stop all of those clowns running dictionary attacks.

    With biometrics, people can't just rummage around a desk looking for the password post-it. They (as in your case) have to arrange for greasy finger-print covered glasses and scotch tape. Not insurmountable, just a bit more difficult.

    Two -- any kind of remotely plausible deniability in the event of a breach is gone. ("Uh, I don't know how it happened. I just happened to have a jelly mold of this guy's fingerprint..."). Unauthorized access to a biometrically controlled system is pretty solid prima facie evidence that Evil Deeds[TM] are afoot.

    Yes, there are problems with biometric authorization. Irrevocability being a very large one. Almost all of the people complaining about biometrics being ineffective -- and almost all of the people touting them as *the* solution to all security problems -- are forgetting one thing.

    Security is about the whole organizational process. Total security is enhanced or diminished by the particular method of authentication that you use -- and poor authentication can undermine a lot of the rest of the system. Hackable authentication does not automatically invalidate the rest of the security process. 100% provable authentication does not automatically mean that your system is 100% secure.

    Let's look at the example of an anonymous FTP server. There's no authentication. None. However, any sensible person would be running it read-only. It would be jailed or chrooted. IP addresses would be logged for auditing purposes. The partition that the ftp server is serving data from could be mounted noexec. Blah, blah, blah, etc, etc, etc. Here's a case where zero authentication does not mean zero security.

    People often talk about biometrics in the context of some theoretical, non-existent system where there is no other security other than this one, initial biometric authentication...and the whole system is either "secure" or "insecure" based on the authentication. Which is just garbage.

    Even in the simplest case -- biometric time-keeping -- there are other checks in the system.

    Let's assume that worker A and worker B have colluded to provide each other with false handprints. We'll leave out such annoying real-world problems like, "Hey, Bob, why are you clocking in with that jelly-filled hand-on-a-stick ?" and assume that worker A and worker B can at any time just clock in and clock out as each other without anyone noticing.

    OK, at the end of the week, Manager M gets a payroll report. Manager M gives it a cursory glance. Uber-manager N gets the same report, and gives it an even more cursory glance. Let's not even talk about Director O -- we know that it's just sitting in her in-box with all of the other reports.

    HR Flunkie T runs the weekly "check for discrepancies between scheduled shifts and actual time worked" and sends those to Manager, Uber-Manager and Director. Manager M fires an email back saying, "Hey, no problem." Or perhaps the email says, "Hey, worker A is showing up as having no discrepancies -- I distinctly remember that he was thirty minutes late on Tuesday".

    Every month, Auditor X takes a brief look at all of the discrepancies between last month and today and all of the explanations for them. Auditor X looks for any suspicious or unusual patterns -- and the absenc

  11. Re:Biometrics by Anonymous Coward · Score: 5, Funny

    Indeed, that's all the security I need.

    Something I have... Smith and Wesson.

    Something I know... How to freaking shoot.

    Something I am... Bad MotherFucker.

  12. Re: It's no joke! by rush22 · Score: 5, Informative