Slashdot Mirror

← Back to Stories (view on slashdot.org)

Enforcing Crytographically Strong Passwords

Posted by Zonk on from the nd3knsdkh238979103dsw dept.

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"

9 of 429 comments (clear)

  1. Two suggestions by BillsPetMonkey · · Score: 2, Informative

    1. Wasn't there a thread about two factor authentication replacing passwords a short while back?

    2. Microsoft Research came up with an inkblot authentication scheme which appears to have solved this problem.

    --
    "It's not your information. It's information about you" - John Ford, Vice President, Equifax
  2. Forget passwords. by ezzzD55J · · Score: 4, Informative
    Ask Bruce Schneier. From his latest Crypto-Gram:
    Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.
  3. Mod parent up by Colin+Smith · · Score: 2, Informative

    Single sign on and single login are very important if you are going to attempt to enforce strong passwords. People will simply write their multiple strong passwords down along with helpful hints on what they are for.

    The corollary of this is that if you do have single sign on and/or single login then you should be enforcing strong passwords as a weak password provides access to everything.

    BTW, at the moment, the closest thing to single sign on is Kerberos.

    --
    Deleted
  4. Re:GOD by MikeBabcock · · Score: 2, Informative

    I didn't realize the native Hebrew alphabet was Latin.

    --
    - Michael T. Babcock (Yes, I blog)
  5. cryptographically strong by cahiha · · Score: 2, Informative

    "Cryptographically strong" refers to properties of functions (usually one-way functions) and makes a statement about how difficult certain computations involving them; it has nothing to do with the quality of passwords.

    You can try to force users to use "strong passwords" or "good passwords", but passwords can't be "cryptographically strong".

  6. Obscene Nonsense by OmgTEHMATRICKS · · Score: 2, Informative

    Okay. I'm a Security Engineer by day. I've seen a lot of ways to come up with strong passwords, but one of my favorite methods to come up with relatively strong passwords that are unlikely to be shared. Try the following algorithm...

    1. Come up with a phrase that is meaningful only to you -- not a quote from a book or movie. For example, lets say that your first dog's name was Samael and that you have never told anyone that you thought Samael was a reincarnation the infamous hell-hound Kerberos. Yes, he was a bastard!

    2. So a sample phrase might be:

    "Samael, Vigilant Guardian of the Gates of Hell"

    Take the first character of each word.

    'svgotgoh'

    Not a bad start. You have eight characters there.

    3. Now you want to make sure that you never share this password with anyone, or if you do it should look sufficiently random that they couldn't remember it after using it once. Only you remember it because you have the generating phrase.

    How do we do that? Take the previous phrase and make it obscene nonsense. That means introduce some strange and fantastically improbable obscene twist to it. Something that you would never tell your friend or cubemate. Try this on for size.

    "Samael, Vigilant Guardian F***s Me Silly At The Gates of Hell!"

    That gives us:

    SVGFMSATGOH, an 11 character passphrase, much better.

    4. Okay, so I used all caps there for a reason. Feel free to intermix capitals, that will increase entropy by selecting from a larger character set. Come up with an easy rule like capitalizing the first letter in the subject and object of the sentence. So 'S' in Samael and the the 'F' from, well, this is a family geek site ;-)

    That leaves us with 'SvgFmsatgoh'. Looking pretty entropic.

    5. Feel free to add entropy by including special symbols in your password. An easy way to do that is to convert the obvious characters to hacker symbols. 5's for S's. 0's for O's. etc...

    5vgFmsatg0h

    6. Now you have a damnned fine password of relatively high entropy. '5vgFmsatg0h'

    Please, please don't use this example password on your site. Everyone who reads Slashdot may try it.

    7. Do a sanity check on your password. Avoid strings of words that begin with the same character. Avoid obvious patterns like abcdefghi etc.

    8. A real problem with most institutions these days is that they force you to change your password every 30 days. Good for security, but bad for passwords. Many don't allow you to recycle the last ten passwords or use a password sufficiently like the previous one (or ten).

    So after designing a really nice password like this you are forced to toss it after 30 days. What's a good geek to do?

    I'd come up with a high-quality password like this and only use it as a 'passphrase'. Something that protects your SSH keys or the contents of your flash drive.

    9. I'm a big proponent of SSH RSA/DH login instead of anything that uses passwords anymore. Passwords suck. Use the above algorithm as a passphrase that encrypts your flash drive collection of private ssh keys. Use ssh-agent.

    10. If you must use passwords, have a little proggy on your flash drive that generates relatively secure ones quickly and easily. Something like . It's not great, but then I believe I said passwords suck.

    Good Luck.

    This tape will self-destruct in 5 seconds.

  7. cryptographically strong passwords by wk633 · · Score: 2, Informative

    They can be written down.

    The same password can be used on a secure system, and some trojan web site.

    They can be collected with keyloggers.

    They can be told to other people.

    They are less memorable, which means more password resets. Password resets will always be a weak point in the system.

    For high security AND a large number of users, you HAVE to have two factor authentication.

  8. Re:Easier to remember random passwords by Lehk228 · · Score: 2, Informative

    Another thing that helps a lot is using always passphrases instead of passwords. "theBLACKcat!" is as strong as "gm4JIsdf39PO".

    not even close to being equivilant, the first, being three english words (assume vocabulary of 10,000) results in 8.00 e12 combinations (10,000*2)^3[caps or not caps]

    while the other password gives 3.23 e 20 combinations 62^12 [letters*2 + 10 digits] if we allow the other symbols on the top row of the keyboard it goes up to 5.00 e22 combinations

    --
    Snowden and Manning are heroes.
  9. Re:GOD by Anonymous Coward · · Score: 1, Informative

    I think you're missing the joke. It's a quote from a film...