Slashdot Mirror


Enforcing Cryptographically Strong Passwords

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues pointed out with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from slashdotters?"


  1. Don't by kristopher · · Score: 4, Insightful

    Yes, I have a suggestion. Don't force people to use stronger passwords. If they choose to use a weak one then when it is cracked, that'll be their fault. In either case, how many of us actually have to worry about someone breaking our passwords?
    The whole point of passwords is to deter regular Joe from gaining access. Yet anyone with enough time and commitment can and will break any password or encryption method ever created.

    1. Re:Don't by fallendove · · Score: 1, Insightful

      That only works when strictly personal data is at stake. Say we put CmdrTaco in charge of the NSA security and he compromises the nation's security. Do we just say, "Oh well, that's his fault"?

  2. random passwords by janek78 · · Score: 4, Insightful

    For the more important stuff (like my credit card details) I use a randomly generated password 10 characters long, mixing normal letters, capitals and numbers. But if I had to use several of these, I would have to start writing them down (I am in my mid twenties, recently graduated from a medical school, so I like to think my memory is quite good).

    Forcing an average user to use a difficult random password is like asking them to write it down on their monitor (I've seen this done more often than I can remember - and don't forget my memory is good :)

    Wouldn't a non-random but still difficult to guess password be more secure?

    Using the method mentioned in the article (e.g. t7p4i0t1 for combining a phrase and a number) is OK until you are forced to change the password too often. Was it "pearl in the river" and my birthday, or was that last time and now it is "lorem ipsum dolor" and my wife's birthday?

    Seems to me that forcing too-secure passwords onto your users is bound to be insecure in the end.

  3. Won't work by m50d · · Score: 3, Insightful

    If you make passwords the users can't remember they will just write them down. If they're pronounceable that helps, but only so much. Lists like this help, but ultimately you just have to tell your users to use the best passwords they can and hope that's good enough. Making them use passwords too "secure" will hurt you more.

    --
    I am trolling
    1. Re:Won't work by Jesus_666 · · Score: 2, Insightful

      1.) Turn the workstations into a cluster every night
      2.) Use the cluster to attack the users' passwords
      3.) Bing! You've got a way to isolate the users with insecure passwords without annoying everyone else by bugging them about their (already secure) passwords. After one or two talks about how to create strong but memorizable passwords most users should get the trick
      4.) Set modest password lifetimes. Every user may provide his/her own password, but after 90 or so days the password will be (temporarily?) added to a dictionary, which is used in step 2. Send the user a mail a few days before the password is invalidated, so (s)he can change it. Of course, this is a perfect job for a Very Small Shell Script(TM)

      That should give you decent protection from trivial passwords as well as from the Post-It problem.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
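
The four steps above, as an added example that is not part of Jesus_666's comment: a small offline audit that hashes a wordlist (plus the cheap mutations a cracker tries first) against a constructed password file, and reports accounts past or near the 90-day lifetime. The records, the wordlist and the salted-SHA-256 "password file" format are constructed for the example (a real audit would read crypt(3) or bcrypt hashes). One deviation from step 4: the admin never holds the plaintext of an expired password, so this version flags accounts by the age of the stored hash rather than adding the old password to the dictionary.

```python
import hashlib
from datetime import date, timedelta


def _digest(salt: str, password: str) -> str:
    """Constructed hash format for the example: hex SHA-256(salt || password).
    Assumption for self-containment; not a recommendation for real password storage."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


TODAY = date(2004, 6, 1)  # fixed date so the age checks are reproducible

# Constructed: what each user actually typed and when (used only to build the file).
_CHOSEN = {
    "alice": ("s1", "password", TODAY - timedelta(days=10)),
    "bob":   ("s2", "Tr0ub4dor&3", TODAY - timedelta(days=88)),
    "carol": ("s3", "Lampshade56", TODAY - timedelta(days=30)),
    "dave":  ("s4", "correct horse battery", TODAY - timedelta(days=120)),
}
# The audit only ever sees these records: (user, salt, hash, date set).
RECORDS = [(u, s, _digest(s, pw), when) for u, (s, pw, when) in _CHOSEN.items()]

DICTIONARY = ["password", "lampshade", "summer", "qwerty"]  # constructed wordlist


def candidates(words, max_suffix=100):
    """Expand a wordlist with the first mutations any cracker tries:
    the capitalised form and a two-digit suffix (lampshade -> Lampshade56)."""
    out = set()
    for w in words:
        for base in (w, w.capitalize()):
            out.add(base)
            for n in range(max_suffix):
                out.add(f"{base}{n:02d}")
    return out


def audit(records, words, today=TODAY, lifetime_days=90, warn_days=5):
    """Steps 2-4 of the post: return (weak, expired, expiring_soon).

    weak     : {user: recovered password} for every hash hit by the wordlist
    expired  : users whose password is older than lifetime_days
    expiring : users within warn_days of the deadline (the ones to e-mail)
    """
    guesses = candidates(words)
    weak, expired, expiring = {}, [], []
    for user, salt, stored, when in records:
        # Offline guess: hash each candidate with this user's salt and compare.
        for g in guesses:
            if _digest(salt, g) == stored:
                weak[user] = g
                break
        age = (today - when).days
        if age >= lifetime_days:
            expired.append(user)
        elif age >= lifetime_days - warn_days:
            expiring.append(user)
    return weak, expired, expiring


if __name__ == "__main__":
    weak, expired, expiring = audit(RECORDS, DICTIONARY)
    print("weak:", weak)          # {'alice': 'password', 'carol': 'Lampshade56'}
    print("expired:", expired)    # ['dave']
    print("expiring:", expiring)  # ['bob']
```

Note that bob is not flagged even though his password is short: the audit only finds what the wordlist and its mutations cover, which is exactly why the post suggests growing the dictionary over time.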
  4. Re:Easier to remember random passwords by imsabbel · · Score: 3, Insightful

    The problem is that this is even LESS secure than just no convention.
    Sure, you get rid of idiots using "password" or something, but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...

    --
    HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
  5. choose long pass-sentence or write down by SilverSun · · Score: 4, Insightful

    I thought this discussion was long over. Everybody knows that there are two possible solutions to this problem.

    A) Either use a pass-sentence instead of just a word; most modern systems allow for rather long passwords. Since the sentence makes sense it is easy to remember. Since the sentence has many characters, it is pretty hard to crack with current tools. Dictionary tools may change this, but place a few strange names or made-up words in the sentence and you are much safer than with any 8 char password today.

    B) If stuck with old systems, I usually recommend the secretaries to write their passwords down. YES! The risk that one of the ~250 daily stupid attempts to guess passwords from random idiots succeeds is MUCH larger if people are told to remember their passwords. They'll automatically choose simple ones. I guess about two or three passwords in our own system per week. If they choose a very complicated passwd and write it down, then an attacker needs to be physically in the office to steal it. If the guy is physically in the secretary's office, he has no problem getting everywhere anyway and we have much bigger problems.

    Cheers

    --

    KdenLive/PIAVE - non-linear video editing

  6. Advice by datajack · · Score: 3, Insightful

    AFAIK, the current thinking among those who have to enforce strict security is to use phrases.
    Most modern password systems allow an almost arbitrary length password, and randomly generated passwords are not working - people simply write them down in order to remember them.

    Take a phrase that is meaningful to the user, say, 'My car is a red Ford' and add some simple obfuscation, 'My c@r is a red-F0rd!', and you have a phrase that is not only easy to remember, but is going to take a lot of effort to brute-force.

  7. Regularly Change by Anonymous Coward · · Score: 1, Insightful

    The current standard is to force users to regularly change their passwords.

    I understand that this might help expose a compromised account - the person wrongfully using it would not know the new password.

    But assuming the account has not yet been compromised, does it help at all?

    I know that the requirements of my workplace that a password never be reused has led to me (and, I suspect, many others) just incrementing a number on the end.

    This procedure is particularly annoying when our PR database has no passwords at all, and our main data repository has a single password shared amongst all users.

  8. here's a start... by jxyama · · Score: 2, Insightful
    ...stop "forcing" periodic password updates. in doing so, more people are likely to develop bad habits, i.e. sequencing their "secure" password or recycling between several "secure" passwords since they can't invent/remember "secure" password every N days.

    isn't it about time we realize that if users do things like sequencing or recycling, the password is no more secure than if users were allowed to keep using the same original "secure" password to begin with?

  9. Re:"Force"? by sfcat · · Score: 4, Insightful
    Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

    First mistake, having an IT policy that forces users to remember dozens of passwords. Second mistake, telling a user to put their passwords in a plaintext file on the desktop. Third mistake, posting that fact on /. without posting as AC.

    I'm not making fun of you, but I feel for those admin b/c nobody would make such a policy unless forced by the higher ups.

    Security is based upon three types of authorization: 1) something you know (password) 2) something you are (biometrics) 3) something you have (a key of some type). Assuming that security is this important to your org, maybe you should get some type of thumb drive with a security credential and then you could use weak passwords safely. Or biometric fingerprint IDs (now available from IBM) plus weak passwords. But the policy your network has in place is probably weaker (b/c I'll bet many people have these plaintext files) than a much slower password cycle.

    --
    "Those that start by burning books, will end by burning men."
  10. Re:Good idea... by tomstdenis · · Score: 2, Insightful

    They would if they took their job/security seriously.

    This is like having your credit card stolen. It's in your best interest to get on top of that as soon as possible.

    Tom

    --
    Someday, I'll have a real sig.
  11. Re:Easier to remember random passwords by Carthag · · Score: 2, Insightful

    I find that it's easy to remember passwords if you take a sentence and use the first letters of the words, and any numbers as the digits themselves.

    ie: one man takes two steps down the hall: 1mt2sdth
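
Carthag's rule, implemented as an added example (not code from the comment): take the first letter of each word, and let number words and literal numbers stand as their digits. The tokenizer, the number-word table and the `strong_enough` check are my additions; the check is the caveat a practitioner adds, since a short sentence yields a short password.

```python
import re

# Number words become their digits ("two steps" -> "2s"); "ten" and above are
# an assumption, the comment only shows single digits.
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
                "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "ten": "10"}


def first_letters(sentence: str) -> str:
    """Carthag's scheme: first letter of each word; number words and
    literal numbers are kept as digits."""
    out = []
    for token in re.findall(r"[A-Za-z']+|\d+", sentence):
        low = token.lower()
        if low.isdigit():
            out.append(low)                 # "9" stays "9"
        elif low in NUMBER_WORDS:
            out.append(NUMBER_WORDS[low])   # "two" -> "2"
        else:
            out.append(low[0])              # "takes" -> "t"
    return "".join(out)


def strong_enough(derived: str, min_len: int = 8) -> bool:
    """Minimal sanity check: long enough and mixes letters with at least one digit."""
    return (len(derived) >= min_len
            and any(c.isdigit() for c in derived)
            and any(c.isalpha() for c in derived))


if __name__ == "__main__":
    for s in ("one man takes two steps down the hall", "Meet me at 9 under the oak"):
        d = first_letters(s)
        print(f"{s!r} -> {d} (ok: {strong_enough(d)})")
```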

  12. Password Overload by SoupIsGood+Food · · Score: 4, Insightful

    Weak passwords are a reality. In my current job, I've got eleven different systems that require a password. If you think I'm going to select and memorize a cryptographically correct password for each and every one of them every three months when the passwords are set to expire, you're insane.

    The more important and sensitive systems get strong passwords. The web-based tool I use to diagnose hardware issues in equipment that isn't even online? It gets something easy to remember.

    For non-technical users, the situation is worse. If you get too psychotic in your password policies, they're just going to write them down on a post-it they stick to the underside of their mousepad if they're being circumspect, and right to the monitor if they're not.

    If you're dumb enough to run a system so braindamaged that it allows brute-force attacks and so insecure that running a decrypt on a password file gives the bad guys the keys to your palace, you need a strong password policy. You will also deserve to be mocked when a soceng hack allows someone into the building to look closely at any monitors bearing post-it notes.

    Password security is the last refuge of the incompetent sysadmin or web developer. Careful separation of user roles and discouraging escalation of privileges is more important than someone using gpe~9u?bi4 as their password for this week.

    SoupIsGood Food

  13. I Cant Remember Anything by UN1XG0D · · Score: 2, Insightful

    Just use RSA SecurID and forget about it. Only problem is changing codes every thirty seconds is just too much time. I mean I can almost get all 20 numbers in just before it changes. That's way too convenient.

    --
    UNIX: A set of Linux-like operating systems that grew out of an original version written by some guys at a phone company
  14. nqq_39tyyza7 remember that! by EmbeddedJanitor · · Score: 4, Insightful

    No wonder people write down their passwords on postit notes stuck on their monitors.

    --
    Engineering is the art of compromise.
  15. Re:"Force"? by Antique+Geekmeister · · Score: 2, Insightful

    This is exactly right. Most models of good password creation ignore the problem of good password handling, and security gets massively compromised.

    I find that using SSH keys wherever possible, with the local accounts actually having their passwords locked and forced to use SSH keys, works quite well. The trick then is to force the user to passphrase the SSH key, which is helped by using tools like keychain that allow them to use the password once and use it anywhere.

    Kerberos has a similar approach but requires a central server, and isn't as broadly implemented.

    But once you have users going out into the field with on-line lists of plain-text passwords, or paper with the passwords on them, your password security has failed.

  16. Re:Easier to remember random passwords by putaro · · Score: 2, Insightful

    Actually, password12 is a completely possible password using their scheme.

  17. Re:Easier to remember random passwords by 1u3hr · · Score: 4, Insightful
    but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...

    Easy, but still much better than the usual girl's name/birthday style. Consider there are at least 10,000 words in the average person's vocabulary. So two words gives you 100 million possible passwords; add two digits and you have 10 billion. Actually, this is the system I personally use, I feel comfortable with it. It's not invulnerable but safer than most.

  18. Discover VMS by pesc · · Score: 2, Insightful
    They could look at VMS, which has the command SET PASSWORD/GENERATE.
    It works like this:
    $ set pass/gen
    Old password:

    marboake
    lumining
    olverag
    etreate
    detiteck

    Choose a password from this list, or press RETURN to get a new list
    New password:
    This has been in VMS since the mid-80s. The sysadmin can also mandate SET PASS/GEN and set a maximum password lifetime (after which the user has to set a new password before logging in).

    This concept could be easily modernized with non-alphabetical characters and longer passwords.
    --

    )9TSS
  19. In the forests of the night by grahamlee · · Score: 4, Insightful

    That's such a good idea, it's already been done. One example is:

    Password Helper
    Use the Password Helper panel to pick a secure password.

    From Mac OS X 10.4.

  20. Re:Say it once, say it twice! by L.Bob.Rife · · Score: 2, Insightful

    I use mag strips where I work. For a while, I tried to enforce it on everyone, but now I only enforce it on people with any kinds of admin privileges.

    People will always report a loss immediately, because they cannot log into a computer and cannot clock in, and hence cannot get paid without it.

    The problem with the regular users was they would lose it constantly, forcing me to issue several cards every day, and it just got to be too much hassle when they have generic system privileges anyways.

    I wanted to just fire them for being idiots, but HR wouldn't let me fire half the building's workforce.

  21. Re:Easier to remember random passwords by biglig2 · · Score: 2, Insightful

    Yes, taking "lampshade" and sticking 56 in the middle is much more secure than taking two seperate words, such as "lamp" and "shade", and sticking 56 in the middle.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
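
The keyspace arithmetic behind comments 4, 17 and 21, carried through as an added example (not code from any of the commenters): the size of each scheme argued over in the thread, its entropy in bits, and the expected time to crack it at an assumed guess rate. Uniform choice within each scheme is assumed, so every figure is an upper bound on what real users achieve; the 10,000-word vocabulary is 1u3hr's number, and the guess rate of one million per second is my assumption, not something the page states.

```python
import math


def bits(space: int) -> float:
    """Entropy of a uniformly chosen element of a keyspace of the given size."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password: half the keyspace."""
    return space / 2 / guesses_per_second


def scheme_spaces(vocab: int = 10_000, word_len: int = 9) -> dict:
    """Keyspace of each scheme in the thread, assuming uniform choice within it."""
    return {
        # comments 4 and 17: two vocabulary words followed by two digits
        "two words + 2 digits": vocab ** 2 * 100,
        # comment 21: one word ("lampshade") with two digits dropped into any of
        # word_len + 1 positions; far smaller, which is biglig2's point
        "one word + 2 digits inside": vocab * 100 * (word_len + 1),
        # comment 2: ten random characters from letters, capitals and digits
        "10 random alphanumerics": 62 ** 10,
        # an 8-character comparison point for the same alphabet
        "8 random alphanumerics": 62 ** 8,
        # comment 23: an 8-digit number rendered as syllables keeps 10**8 choices
        "8 digits as syllables": 10 ** 8,
        # comment 5: a sentence of five vocabulary words
        "5-word pass-sentence": vocab ** 5,
    }


def report(guesses_per_second: float = 1e6):
    """(scheme, bits, expected days to crack), weakest first. The guess rate
    is an assumption chosen for illustration."""
    rows = []
    for name, space in scheme_spaces().items():
        days = expected_crack_seconds(space, guesses_per_second) / 86400
        rows.append((name, round(bits(space), 1), days))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, b, days in report():
        print(f"{name:28s} {b:6.1f} bits  ~{days:,.2f} days at 1e6 guesses/s")
```

Two words plus two digits comes to about 33 bits, well above a word with a number in the middle but well below eight random alphanumerics, which is the shape of the disagreement between imsabbel and 1u3hr.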
  22. Use phone-based password manager by erth64net · · Score: 2, Insightful

    Strong passwords will be a necessary evil for the foreseeable future. How many phones, public/coffee terminals, and home computers have biometric authentication gadgets? How many of these gimmicks work together? My users need the ability to access nearly everything on our systems, from anywhere. This includes our WAP portal, email from their phone, our various web-apps, SSH/terminal servers, and their IMAP/SMTP email clients. How many of these systems could even possibly function with anything but passwords? Take the IMAP/SMTP system for example, how would you tie biometric authentication into standard SMTP AUTH? How about a web app - how is a fingerprint entered there? Or consider our WAP gateway, how are users going to enter a fingerprint on their phones?

    We can't just mandate users access our systems from "approved" sources - that flies in the face of what management is asking for: A system accessible anywhere, with reasonable security precautions in effect.

    Though centralized authentication schemes like LDAP are working well for us, "legacy systems" (ie: accounting, payroll, and factory/inventory management) don't integrate with central authentication systems. Meaning that's yet another password to remember...

    With users accessing our systems from so many sources, strong and frequently changed (90-180 days) passwords are a necessity. Though they need the ability to save them:
    1) How important is the data in your wallet/purse? Why not just write the passwords down, store them in your wallet/purse, and then manage that. After all, if your wallet/purse has been stolen or rummaged through, there's a good chance you'll know.
    2) Consider this two-factor authentication system:
    Something you have: cell phone
    Something you know: password to program

    How many folks now have MIDP/Java enabled phones? Why not provide them with an app to securely save their passwords on their phone? With a tool like FreeSafe, they could not only store all their passwords on their cell phone, they can generate both random new passwords and One Time Password hashes.

    Now if FreeSafe could only store notes, and have some sort of backup capability (which the developer says he's working on)...

  23. Re:pronounceable passwords are not secure by flajann · · Score: 2, Insightful
    Sure they are, if generated correctly. They just have to be longer.

    For instance, take this random number:

    47105259

    Substitute syllables for the digits, and you have:

    ra(4)fit(7)on(1)ze(0)pa(5)ki(2)pa(5)ma(9)

    rafitonzepakipama

    This is an over-simplification of how to do this, but one can easily see that the pronounceable password can be every bit as secure as the random string.
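
flajann's digit-to-syllable scheme and pesc's VMS-style "pick one from a list" generator, as one added example (not code from either comment or from VMS). The syllables for 0, 1, 2, 4, 5, 7 and 9 are the ones in the comment; those for 3, 6 and 8 are my assumptions, chosen so that no syllable is a prefix of another, which is what makes the mapping decodable and therefore entropy-preserving. The random digits come from `secrets`, so the generated words carry exactly log2(10) bits per digit.

```python
import math
import secrets

# Digit -> syllable. Entries for 3, 6 and 8 are assumptions; the comment lists the rest.
SYLLABLE = {"0": "ze", "1": "on", "2": "ki", "3": "lu", "4": "ra",
            "5": "pa", "6": "to", "7": "fit", "8": "ne", "9": "ma"}
DIGIT = {s: d for d, s in SYLLABLE.items()}


def is_prefix_free(syllables) -> bool:
    """True if no syllable is a prefix of another; needed for unambiguous decoding."""
    syllables = list(syllables)
    return not any(a != b and b.startswith(a) for a in syllables for b in syllables)


assert is_prefix_free(SYLLABLE.values()), "syllable table would make decoding ambiguous"


def encode(digits: str) -> str:
    """47105259 -> rafitonzepakipama, as in the comment."""
    return "".join(SYLLABLE[d] for d in digits)


def decode(word: str) -> str:
    """Inverse of encode. Greedy matching is correct because the table is prefix-free."""
    out, i = [], 0
    while i < len(word):
        for s, d in DIGIT.items():
            if word.startswith(s, i):
                out.append(d)
                i += len(s)
                break
        else:
            raise ValueError(f"not a syllable string at offset {i}: {word[i:]!r}")
    return "".join(out)


def entropy_bits(n_digits: int) -> float:
    """encode is a bijection, so the word has exactly the entropy of its digits."""
    return n_digits * math.log2(10)


def generate(n_digits: int = 8) -> str:
    """One pronounceable password from CSPRNG-chosen digits."""
    digits = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return encode(digits)


def candidate_list(count: int = 5, n_digits: int = 8) -> list:
    """SET PASSWORD/GENERATE style: offer a short list; the user picks one or asks for another."""
    return [generate(n_digits) for _ in range(count)]


if __name__ == "__main__":
    print(encode("47105259"), decode("rafitonzepakipama"))
    print(f"{entropy_bits(8):.1f} bits per 8-digit word")
    for c in candidate_list():
        print(" ", c)
```

Two caveats the thread raises apply here. Letting the user pick the most memorable of five candidates costs at most log2(5), about 2.3 bits, since an attacker who knows the generator still has to guess which one was chosen; and the list is exactly the shoulder-surfing exposure the original poster was warned about, so it should be shown once and not logged.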