Slashdot Mirror


Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

23 of 516 comments

  1. Frustration by mysqlrocks · · Score: 2, Insightful

    This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.

    Any good sysadmin knows that if you make the password policy too strict you could actually be worsening your security situation. People will start sticking their passwords under their keyboards or on their monitors.

  2. as usual, blame the users for trying by yagu · · Score: 5, Insightful

    (BTW, this is basically a dupe from about four or five years ago...)

    From the article (and the post):

    The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

    First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know who you are", as if these people are doing something wrong. Their job of dealing with the consumer public is hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to serve the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

    As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

    In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

    I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

    1. Re:as usual, blame the users for trying by thc69 · · Score: 2, Insightful

      Heheh..."too many" passwords. I've found that the username/password pair concept is so alien and non-understandable by so many users that it's entirely pointless. My more savvy clients understand how it works, but use a single insecure password (including one who uses "password") everywhere.

      I hate to say it, because the whole concept is so incredibly simple to me, but it's just not going to happen with users.

      Further, they want to be _told_ that they're secure, they want to make somebody else suffer when their security is breached, but they do NOT want to work in any way to remain secure, even the ones who understand the concept.

      --
      Procrastination -- because good things come to those who wait.
  3. Re:I know how it feels... by AKAImBatman · · Score: 3, Insightful

    No kidding. Someone should invent a special "web token" of sorts that would keep you logged in. You know, it would be transmitted every time you access the site. It wouldn't have to be very big, maybe a maximum of 4KB.

    You know, I better go patent this idea before someone else thinks of it! :-P

  4. Re:I know how it feels... by Fulcrum of Evil · · Score: 5, Insightful

    Someone should invent a special "web token" of sorts that would keep you logged in.

    Tried that. Turns out, nobody wants all their online identities to merge together.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  5. Re:Better than post-it notes by cavemanf16 · · Score: 2, Insightful

    Damn, that's way too much work! (And what about me and my 30-40 passwords... that's a BIG piece of paper!) Just GPG one file full of passwords, and remember your GPG key.

  6. Re:Better than post-it notes by Urban Garlic · · Score: 4, Insightful

    This can fail to comply with password rules -- the password for, e.g., your web-request-line account for WXKE radio, zGZuvwaY, doesn't have any numeric or punctuation characters.

    I think a lot of people fail to distinguish between cases where strong passwords are needed, and where they aren't. For Amazon.com, with its stored credit-card data, and PayPal, and my bank, and my user account at work, obviously strong passwords are a good idea. But for slashdot, nytimes.com, and other sites that just require them for your user-state info, crappy passwords that never change are just fine, and putting those on post-it notes on the monitor is also fine.

    --
    2*3*3*3*3*11*251
  7. Re:Better than post-it notes by Ed Avis · · Score: 5, Insightful

    Or better, just use your GPG keypair to identify yourself to start with. For example, when you register on a website you could paste in your GPG public key. Then to authenticate, the website encrypts a word with that key and shows it on a page; you decrypt it and enter the original word. So - no need to remember a password for this website, and if the website is cracked or just plain evil, they still can't do anything to access other sites since all they have is your public key.

    The browser could automate this pretty easily, of course

    --
    -- Ed Avis ed@membled.com
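
The challenge-response login sketched in the post above, worked through as an added example (not the poster's own code, and not GPG itself): the website keeps only the public key pasted at registration, encrypts a fresh random word to it for each login, and the user decrypts that word on their own machine and types it back. RSA-OAEP from the Go standard library stands in for GPG; the Server and ClientAnswer names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// oaepLabel ties ciphertexts to this purpose so other OAEP messages to the same key are not valid answers.
var oaepLabel = []byte("login-challenge")

// Server is the website side; it stores only public keys plus the word of each pending challenge.
type Server struct {
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string]string
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string]string{}}
}

// Register keeps the public key the user pasted in at sign-up (names here are assumptions).
func (s *Server) Register(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge draws a fresh random word, remembers it, and returns it encrypted to the user's key.
func (s *Server) Challenge(user string) ([]byte, error) {
	pub, ok := s.pubKeys[user]
	if !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	raw := make([]byte, 8)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	word := hex.EncodeToString(raw) // 16 characters the user can type back
	s.challenges[user] = word
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(word), oaepLabel)
}

// Verify compares the typed answer with the stored word; the challenge is consumed either way.
func (s *Server) Verify(user, answer string) bool {
	want, ok := s.challenges[user]
	delete(s.challenges, user)
	return ok && subtle.ConstantTimeCompare([]byte(want), []byte(answer)) == 1
}

// ClientAnswer is the user's side: the private key never leaves the user's machine.
func ClientAnswer(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the user's keypair
	srv := NewServer()
	srv.Register("alice", &priv.PublicKey)
	ct, _ := srv.Challenge("alice")
	ans, _ := ClientAnswer(priv, ct)
	fmt.Println("login with the real key:", srv.Verify("alice", ans))
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ = srv.Challenge("alice")
	_, err := ClientAnswer(other, ct)
	fmt.Println("a site holding only the public key cannot answer:", err != nil)
}
```

A database dump of this server yields public keys and nothing reusable elsewhere, which is the property the post is after; a used challenge is deleted on the first Verify, so a captured answer is worthless afterwards.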
  8. Great idea, until... by jxyama · · Score: 4, Insightful

    You encounter very common "change your password every N months and it cannot be the same as the last X passwords."

    I wonder how long before we figure out that this very requirement frequently leads to sequencing of the password, which completely defeats the purpose of changing it every so often.

    I do like your idea, though, for places where I don't have to change the password every so often.

    1. Re:Great idea, until... by bdcrazy · · Score: 2, Insightful

      From what I can ponder, the point of consistently changing passwords is to limit the time in which someone who has your password has access. Though just having the password once is enough to cause problems usually. Though if someone got your password and then changed it you will notice the next time you try and log on. Anybody have any ideas on any other reason you'd want changing passwords? That policy doesn't quite make sense to me, unless you didn't have other controls on where they could connect from, how much they had access to, etc.

      --
      Tonight's forecast: Dark. Continued dark throughout most of the evening, with some widely-scattered light towards morning
  9. Keep it SIMPLE - Try this instead algorithm by spineboy · · Score: 2, Insightful

    I just use an algorithm based on the web site, plus an additional few letters. For example if the site is Slashdot your password could be slashDOG8cAt, on Google it could be googDOG8cAt, etc. You can get a little more creative when financial or other stuff is valuable, e.g. a different user name and password algorithm for banks/credit card sites, etc. One important note - treat every computer not in your home as being infected with a virus/key logger - DON'T use public computers for your financial stuff.

    Obviously - for many websites, security really doesn't matter, and so the same password can be used for most of them - just don't use the same one for the important stuff.

    --
    ..........FULL STOP.
  10. Re:Better than post-it notes by nizo · · Score: 4, Insightful

    Or what I often do is have some short random string (for example "C@5") which I could prepend before all passwords. The upside is even if someone gets the card, and by some miracle they figure out what it is, they still don't have my passwords. Unless they can read my mind, in which case they will also realize I have a negative bank balance and will go find someone else to steal money from.

  11. Re:Better than post-it notes by misterpies · · Score: 2, Insightful
    Your method would be great except that it relies on you carrying around and frequently consulting a piece of paper in your wallet. As such it's only marginally less secure than just carrying around a note of your passwords in the first place.

    How long would it take someone observing you to figure out what you were doing and swipe your wallet? (In an office it would probably be easy for a thief to xerox your codesheet). Then they just need a few guesses for your trivial "unencrypted" password and they're in.

    Not my idea of great security.

    --
    The author of this post asserts his moral rights.
  12. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    Something you have (physical key)

    Something you know (password)

    Something you are (biometrics)

    I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometric identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis. For the most part biometrics are something you have that you keep with you all the time and cannot easily remove or change. This is good in that it makes them harder to steal and less likely to be lost. This is bad because you cannot put them away somewhere safe and are constantly exposing them to the possibility of being copied. It is also bad because unlike other things you might have and use to authenticate, biometrics are almost impossible to change, so once compromised are a nearly permanent vulnerability. Finally, biometrics are bad because they can lead to the escalation of a crime in that their theft can be physically damaging. Take note of the man who was first kidnapped, then had his thumb cut off when car-jackers wanted to be able to start his fancy thumbprint lock car. Criminals don't need to be given extra motivation to commit mutilations.

    Biometrics proliferate these days largely on their "cool" factor. The more blinking lights and high-tech gadgets the more secure it must be, right? Sadly they are being used to replace either the something you know or something you have in traditional biometric schemes, with the end result being less overall security. Biometrics have their place, and that is in a tightly controlled environment, supplemented by human observers to prevent copies from being easily used, and as an additional security measure on top of "something you know" and "something you have" that can't be copied from your beer glass at the bar. They do not belong in an authentication scheme in place of either a traditional "something you know" or "something you have" unless your goal is to have very, very convenient placebo security that is trivially bypassed by design.

  13. Re:Just use your Social Security number. by SatanicPuppy · · Score: 2, Insightful

    Don't even need to break the scheme really. Ever notice that some sites, when you forget your password, will email it to you? Email you YOUR password, plain text, through email. Which means they're storing it in a format that is readable to them, AND they think email is an acceptable medium for transporting passwords. Oy vey.

    That kind of stuff makes me crazy. Any system I design has completely obfuscated passwords, the sort that can't be retrieved but have to be reset. To authenticate I mangle the password that they submit, and see if it matches the mangled one on file. Sure it's possible to de-mangle them, but it's a hell of a lot harder than cracking a piece of 2-way encryption, and you don't have to worry about people who are merely curious or unskilled.

    I can't think of a situation where I would want someone to be able to find out my password. I don't want them to be able to email it to me. If I forget, just reset it and send me a temporary password. Anything else is begging to be broken.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
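
The "mangle and compare" storage and reset-only recovery described in the post above, as an added example (not the poster's own code): the server stores a per-user salt and a PBKDF2-HMAC-SHA256 derivation instead of the password, login re-derives and compares in constant time, and the forgot-password path issues a random temporary password rather than revealing anything. The PBKDF2 routine is written out so the example stays within the Go standard library; the Record layout and the iteration count are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

const iterations = 100000 // assumed work factor: each guess against a leaked file costs this many HMACs

// pbkdf2Sha256 is PBKDF2-HMAC-SHA256 (RFC 8018), written out to stay within the standard library.
func pbkdf2Sha256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil) // U1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// Record is all the server keeps: a per-user salt and the derived key, never the password.
type Record struct{ Salt, Hash []byte }

// NewRecord "mangles" a password for storage under a fresh random salt.
func NewRecord(password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Hash: pbkdf2Sha256([]byte(password), salt, iterations, 32)}, nil
}

// Verify re-derives the key from the submitted password and compares in constant time.
func (r Record) Verify(password string) bool {
	got := pbkdf2Sha256([]byte(password), r.Salt, iterations, 32)
	return subtle.ConstantTimeCompare(got, r.Hash) == 1
}

// ResetTemporary is the forgot-password path: nothing can be mailed back, so a random temporary password is issued.
func ResetTemporary() (string, Record, error) {
	raw := make([]byte, 12)
	if _, err := rand.Read(raw); err != nil {
		return "", Record{}, err
	}
	tmp := hex.EncodeToString(raw)
	rec, err := NewRecord(tmp)
	return tmp, rec, err
}

func main() {
	rec, _ := NewRecord("correct horse")
	tmp, rec2, _ := ResetTemporary()
	// right password, wrong password, temporary password after reset
	fmt.Println(rec.Verify("correct horse"), rec.Verify("correct horsE"), rec2.Verify(tmp))
}
```

Nothing in a Record lets the site (or whoever copies its database) recover the password, which is exactly why "email me my password" is a sign it is stored readably.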
  14. Re:Better than post-it notes by Doctor Memory · · Score: 2, Insightful

    I hate strong-but-lame passwords. One site I have to use requires a password at least eight characters long, and you must have at least one digit and one uppercase character, but you can't use any non-alphanumeric characters. Why would anyone restrict the search space like that? Unless they're validating using javascript and can't be arsed to come up with a sufficiently capable RE.

    If it were up to me, a password field would accept everything except enter and escape. Enter would process the password, and escape would reset the field. Anything else is fair game. Control characters, characters with accents/umlauts/cedillas, go for it. It would also be cool to have the ability to C&P images into the field, but I doubt that's of widespread usefulness. Still, how many people are going to have that picture of your dog handy to use to access your account?

    --
    Just junk food for thought...
  15. the key problem by timmarhy · · Score: 2, Insightful

    The key problem here is that people are lazy and stupid.
    The best way to secure something without taxing the average person's feeble brain is to use a password and an ssh key on a swipe card or a usb drive.
    That way even if someone gets one they are very very unlikely to get the other. It also means you can change the ssh key on them without them having to remember anything. Hell, in a system I'm implementing everyone gets a new key when they swipe in for the day and it expires after 24 hours.

    --
    If you mod me down, I will become more powerful than you can imagine....
  16. Re:Better than post-it notes by jonadab · · Score: 2, Insightful

    > To authenticate, the website encrypts a word with [your public] key and shows it
    > on a page; you decrypt it and enter the original word.

    Right, so every computer you ever need to use to access a website (the one at home, the one at work, the one at the library, the one at your brother's place, ...) needs the cryptography software (yeah, just *try* talking the IT department into *that* one) and *potentially* might obtain a copy of your private key.

    This *might* work for people who carry around a PDA, because they could do the encryption/decryption on the PDA. Then as long as you don't lose the PDA, your private key can remain secure.

    I think the real problem is the burning need people feel to protect *everything* with the same level of security. I mean, really, does your account with every web forum or online retailer you ever visit *really* need a unique, secure password? Couldn't 99% of them use the same password? Seriously, save your memory for *important* stuff, like your bank password, your ssh account on the server at work, and so forth.

    Granted, some of us have jobs that by their nature mean a larger number of secure passwords needed, but that's mostly IT professionals -- system administrators and the like. Ordinary end users don't need so many. Ask yourself, "What are the consequences if a criminal gets this password?" If the answer is something like, "I might have to create a new neopets account, if I still want to play these cheesy games", then by all means, use the same lame password you use for everything else that doesn't matter. If the answer is more like, "I could lose thousands of dollars", then spend the time you need to generate and memorize a unique secure password.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  17. steel door on a house of straw. by twitter · · Score: 2, Insightful

    One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

    Hook up your windoze computer to a network and have it owned in 12 minutes anyway. All good practices, when applied to insecure software, are just an inconvenience to the user. What good are passwords, expensive biometric scanners and all that when your users have Outlook, IE and your "server" runs junk that gets owned all the time? That's just good money after bad.

    --
    Friends don't help friends install M$ junk.

  18. The password pyramid by TheLittleJetson · · Score: 2, Insightful

    At the top, are your ultra secure passwords that you only use for your bank / brokerage / etc. At the next level down, is your password that you use on all your personal computers, encrypted volumes, shell account, etc. Below that, is your password that you use for stuff you login to over the internet and don't want other people logging into (e-commerce, etc). Below that, is the one you use for crap you couldn't care less if people use (nytimes.com, etc.).

    If you follow that system, you'll end up with only half a dozen passwords or so, and you'll still be pretty secure, as the important passwords aren't used as often as the less important ones.

  19. Re:I know how it feels... by askegg · · Score: 2, Insightful

    There are standards to achieve this - SAML, Liberty, Passport, Oasis, etc. The problem is the great unwashed masses are not ready for it yet - they do not see the value.

    Microsoft's solution (Passport) requires the user to submit all their information and trust M$ to do the right thing. Surprisingly, many people don't like this idea.

    Another way is to federate your identity between systems, so no single system knows all your details but they know enough to identify you. You get to specify the information that is shared between any two systems. There is a chicken and egg problem here - most companies have yet to roll out such solutions as customers don't seem to want it (or don't know it exists) and customers won't start using it until most of the sites they visit support it.

    None of these solutions address the issue of graded authentication in a satisfactory manner. Right now it is easier to either remember/record a few usernames and passwords, or use the one set across all systems. Neither is good from an identity or security point of view.

    --
    I don't make predictions, and I never will.
  20. But how serious is the problem? by LK3 · · Score: 2, Insightful

    What I'm wondering, in connection with the requirement by many companies that passwords be changed regularly, is this: is there any empirical evidence as to how much password hacking actually occurs, and whether this policy has any real effect? By "password hacking" I mean anything other than theft of the actual password files housed by the authenticating system.

    Because unless someone has stolen your password from another source (like the authenticating system itself, in which case changing the password regularly has no effect), changing passwords just provides another opportunity for your password to be written down and then lost/stolen. The fact that most people write the password down somewhere in the vicinity of their computer makes this even worse.

    And changing passwords can't prevent brute force attacks, which rely on running through multiple combinations automatically.

    (By the way, anyone want to guess how unlikely it is that bad guys will try to figure out your password by determining your dog's name and your birthday, or whatever silly mnemonic device you've converted into a password? Bruce Schneier calls some bad terrorism response plans "movie plot" scenarios because they are responding to things that only occur in movies, not real life. Although the movie scene with someone breaking into someone's computer by reasoning out what the person would use as a password is ubiquitous, does this really happen?)

    Finally, the other justification for this policy of having ever-changing passwords is that if someone does get access to your password, it will either be outdated already or will become outdated. But how many situations does this really cover -- and how much of a help is it if you are not scheduled to change your password until 2 months later (now, a password that changed every day or every minute would be a different story -- oh, wait, isn't that encryption?)? And even if it helps somewhat, does that outweigh the risk of having employees post their passwords next to their computer?

    Know what these policies may really represent, at least in some instances? Businesses trying to make it appear that they are putting security into place, when it's really just a fig leaf.

  21. Re:Security for Apple Heads by PhunkySchtuff · · Score: 2, Insightful

    We Apple Heads, as you put it, don't need Password Safe (as good a product as it is) as we have, built right into the OS, the Keychain - an AES128-encrypted file containing
    • Web Passwords
    • Application Passwords
    • Security Certificates
    • Public/Private keypairs
    • Secure Notes
    It integrates with most apps on the system so, for instance, if I go to a passworded site in Safari (the Web browser) and Safari can get the username and password from the keychain (by asking me for my keychain password) and then I can optionally allow Safari to always access this item without asking me first. You can have multiple keychains, have some unlocked automatically and have more secure ones that you have to unlock each time, or even go into the Keychain Access application and manually unlock...