Slashdot Mirror


Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

356 comments

  1. Dupe by dadragon · · Score: 0, Offtopic

    If I recall correctly, this has been posted before.

    --
    God save our Queen, and Heaven bless The Maple Leaf Forever!
    1. Re:Dupe by Warg!+The+Orcs!! · · Score: 3, Funny

      If I recall correctly, posts pointing out duplicate posts have been posted before.

      --
      Travelling forward in time at a rate of 1 second per second.
    2. Re:Dupe by Karl+Cocknozzle · · Score: 0, Offtopic
      Dupe (Score:2, Troll)

      Sorry crack-smoking mods, but pointing out that a story is a dupe is NOT a troll. Note: Unfair use of the "Troll" designation on valid criticisms of Slashdot will be meta-moderated unfair.
      --
      Who did what now?
    3. Re:Dupe by TheOtherChimeraTwin · · Score: 1, Offtopic
      Passing grades
      • O for Outstanding
      • E for Exceeds Expectations
      • A for Acceptable
      Failing grades
      • P for Poor
      • D for Dreadful
      • T for Troll
    4. Re:Dupe by Anonymous Coward · · Score: 0

      It might help your karma if you took the political crap out of your signature.
      Just a thought.

      And,yes, you have the right to air your opinion, and in fact you have; but others also have the right to dislike it and see it as unnecessary, irrelevant, exploitative, and argumentative.
      That goes for either or any party.

    5. Re:Dupe by Karl+Cocknozzle · · Score: 1
      It might help your karma if you took the political crap out of your signature.
      Just a thought.

      And,yes, you have the right to air your opinion, and in fact you have; but others also have the right to dislike it and see it as unnecessary, irrelevant, exploitative, and argumentative.
      That goes for either or any party.

      1) My karma's fine, thanks. "Excellent," in fact.

      2) I'll take it out of my .sig when the President leaves office, either through resignation, impeachment, or normal course of term. OR when he comes clean about the various hoodwinkings the public has been subjected to during his administration.

      3) What you are referring to is more accurately described as "abuse of the moderation system" than "political discourse." A political discourse involves rebutting somebody else's point of view, not simply silencing them. When comments are modded down because the moderator disagrees with them they are abusing the moderation system, per the moderation guidelines.

      Also, 4) I was complaining about crack-ass moderation of somebody else's comments, and am thoroughly amused that somebody (multiple-somebodies) wasted mod-points on a message from me complaining about... Wasted mod-points.

      Are you suggesting that conservatives are really that desperate to believe in Bush (and petty enough) that they throw mod-points at people they don't agree with? Could that be a larger symptom of a weak argument, more than a symptom of my post being inappropriate?

      In the 90's, liberals and moderates had to accept that Clinton was a dud, why can't the far-right accept that Bush is, likewise, a total disaster for this country? Why can't the dialog shift from "Bush sucks worse than Clinton! No! Clinton sucks worse than Bush!" to "How did we get stuck with two crappy, law-breaking, constitutionally-clueless Presidents in a row?"
      --
      Who did what now?
    6. Re:Dupe by Ohreally_factor · · Score: 1

      What does that spell?

      OEAPDT!

      What does that spell?

      OEAPDT!!

      I can't hear you!!

      OEAPDT!!!

      --
      It's not offtopic, dumbass. It's orthogonal.
  2. Password changing by mikesd81 · · Score: 2, Insightful

    I still think changing passwords periodically is a great idea. Even just to keep some cracker on his toes, or in case you accidentally wrote it down or divulged it or typed it in the wrong field and it is in clear text.

    You have a more secure system if it's harder to use a password when un-authorized. Especially if the user is an Admin account.

    --
    That which does not kill me only postpones the inevitable.
    1. Re:Password changing by Psychotria · · Score: 5, Insightful

      I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in fewer passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

    2. Re:Password changing by mikesd81 · · Score: 2, Informative

      But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Explorer 5spd) or if you must write them down, lock them in a desk drawer or lock box, or hide them in that secret compartment in the bookshelf, then it's a little more acceptable.

      No 94FE5spd is NOT my password for /. :)

      --
      That which does not kill me only postpones the inevitable.
    3. Re:Password changing by Psychotria · · Score: 1

      But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Explorer 5spd) or if you must write them down

      Yep, I couldn't agree with you more. I do this, and I am sure many others do this, just as I would hazard a guess that many more don't do this and choose a secure password and write it down somewhere. :-)

    4. Re:Password changing by hackwrench · · Score: 1

      I come up with an idea for a password and that idea changes a little bit, so at first I change it a few times until I settle on one remembered version.

    5. Re:Password changing by tazan · · Score: 3, Interesting

      I disagree with his reasoning that the cracking method is obsolete. A couple of years ago I ran our password database through a cracker just out of curiosity. Of course 99% cracked immediately during the dictionary attack, but the ones with odd characters did in fact take over a month to crack. IIRC it took 6 weeks to get all of the users' passwords.

    6. Re:Password changing by c_forq · · Score: 2, Interesting

      resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin

      I still don't see why this is a problem. To me if a person is able to get to where the password is written down that means they can have physical access to the machine (unless the computer is somehow locked inside a desk or something, which isn't very practical). With physical access it would be trivial to hook up a key-logger (I believe one of the OSTG sites, thinkgeek maybe, carries them). Or if you know what you're doing, set up a root-kit.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    7. Re:Password changing by mattkinabrewmindspri · · Score: 2, Interesting

      "94 Ford Explorer 5-speed" would be a better password, and would be a lot stronger than "94FE5spd".

      A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

    8. Re:Password changing by Sique · · Score: 1

      Because there are environments, where physical access to your machine is no problem, and it still shouldn't compromise security (think: large office rooms with several desks). And if you have shared desks, then writing down passwords and keeping them near the computer is a quite bad idea.

      Then there is another aspect in server environments: Password recovery always requires a reboot or at least a service disruption, so this is very likely to be noticed by people. Entering a password you just found on a sticky note might go without any notification.

      --
      .sig: Sique *sigh*
    9. Re:Password changing by harborpirate · · Score: 5, Insightful

      I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. Frequent Password Changing Makes a System More Secure is an old wives tale.

      Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing password in login box and such). Of the three, this presents by far the least risk, and generally the user is aware of this occurrence and with proper education will know to immediately change their password.

      Forcing a user to change password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be compromised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

      As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

      Caveat:
      The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continuously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as provide the aforementioned small measure of protection against cracking.

      Please, stop forcing password changes on user accounts. It's a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

      Rant complete.

      --
      // harborpirate
      // Slashbots off the starboard bow!
    10. Re:Password changing by LordLucless · · Score: 3, Interesting

      I think the GP's point was that physical access to a machine compromises security by definition. If you have physical access to a machine, you can install a keylogger to find the password (as simple as an inline USB dongle on the keyboard), remove the harddrive and crack at your leisure (a bit more noticeable) or anything in between. Hell, you could just cart off the machine.

      If you're in a place where security is sufficiently tight to have mechanisms to prevent this (i.e. security guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    11. Re:Password changing by MrLizardo · · Score: 2, Funny

      The biggest threat to security is often from within the corporation/organization itself. And there's a big difference between being able to walk by someone's desk and see the sticky note with the password on it versus climbing under their desk and putting a key-logger between the system and the keyboard. Think about the following two scenarios:

      Scenario 1:
      Worker: What were you doing going through the drawers in my desk for while I was away?
      Cracker: Sorry. I was looking for a stapler.

      Scenario 2:
      Worker: What were you doing crawling around under my desk, screwing with my computer?
      Cracker: Sorry. I was looking for a stapler.

      See, one of these activities is a little more dubious than the other. Also, you don't have to be a 1337 hax0r to be a threat to security. All you have to do is have access to a file/account/system you shouldn't.

      --
      ^I'm with stupid.^
    12. Re:Password changing by ObsessiveMathsFreak · · Score: 2, Insightful

      I still think changing passwords periodically is a great idea.

      I think that idea sucks.

      What's the advantage? Crackers find it harder to crack things? Why? Because the password will have expired by the time they crack it? Maybe, maybe not. Unless you rotate passwords every month, at this stage, rotation is useless.

      Maybe a better solution would be to make passwords the first line of defense, not the last. Simply assume they will eventually be broken, no matter how many times you rotate and plan accordingly.

      For that matter, why are admins still making things easy for the cracker? I read somewhere that 90% of all military databursts are in fact random noise, to frustrate the crackers' brute-force attacks. Why don't regular networks do this?

      In the meantime, stop relying on passwords, or biometrics, or passphrases, or usb-keys for access to the system. Passwords should get you one thing and one thing only, a prompt/desktop. Everything else should be subject to finely granulated access, with logs. At this current time, on most networks, the only thing higher than normal user level access is root/domain controller.

      --
      May the Maths Be with you!
    13. Re:Password changing by ajs318 · · Score: 1

      That all depends on your implementation of crypt() ..... some systems truncate passwords to 8 characters. Yours is not one of these, if the stored passwords start with $1$.

      --
      Je fume. Tu fumes. Nous fûmes!
    14. Re:Password changing by Anonymous Coward · · Score: 1, Interesting

      (Posted Anonymously for obvious reasons) A long, long, long time ago. Ya know, '94 or so. I was trying to download a bit of software. Somewhere around 80 megs or so. Trouble is, my current service would download ftp to their local BBS, and then serve to me, and they had a 20 meg cap.

      So, just being playful in my youth, I was poking at a local ISP. I found an account still set to the default password. Nothing great there, but in /tmp was a world readable passwd file. Not shadowed. So I snagged it, and loaded up cracker jack, and went to bed. My poor little 486DX managed to crack three passwords by the time I woke up. Only one was active, so I "borrowed" it to download the software, transfer it to me, and left a note to the user advising him to change his password. No malicious use. Just borrowed and returned, less than 5 hours total.

      Long story short, even that horrifically underpowered box was able to crack a couple of passwords from a passwd file. Now with evil doers being able to purchase time on botnets for $.01s, I wouldn't underestimate the power of snooping, sniffing, and cracking. Even for what you think might be secure data.

      Allow me a horrible analogy: the fight between fortification and weapons will never end. Walls, moats, castles. Swords, arrows, cannons. And it goes on and on. So will be the same with security. You have to constantly be on top of it.

      I do agree with the author's insight into risk assessment. Keeping your game box secure probably requires less work than keeping bank transactions secure.

      But now I ramble....

    15. Re:Password changing by somersault · · Score: 1

      If someone caught a couple of the words you were typing, they'd be more likely to be able to guess the whole password than if it was a 'random' sequence of characters, though the punctuation and capitals would help. I don't usually look when people type passwords, but if I saw that they were typing proper words then I would expect it's easier to tell exactly what they wrote than if they had just typed '94FE5spd'. Just playing devil's advocate a bit.. mixing techniques is usually better.

      --
      which is totally what she said
    16. Re:Password changing by somersault · · Score: 1

      A lot of people here will work in IT depts, and would actually have an excuse for screwing around with someone's computer. Of course since I'm an admin here I can access anyone's files anyway, but I don't *shrug*

      --
      which is totally what she said
    17. Re:Password changing by TCM · · Score: 1

      To conquer this whole password mess of mine (dozens of password for forums/shops/accounts/etc.) I use a scheme I came up with. I'm certainly not the first to do this, but it goes like this:

      I remember only one password, let's call it master password. Then I use the following algorithm to derive all passwords I need from it:

      $ echo -n "$USER:$DOMAIN:$ITERATION:$MASTERPASS" | openssl ripemd160 -binary | openssl base64 |

      USER and DOMAIN are just reminders of where I logged in with which username. ITERATION is a number starting from 1 that I can increase to change a single password. All triplets can be stored because they are almost useless without the master password (apart from disclosing that I frequent forum X as user Y).

      The only problem with this approach is that I must never lose or disclose the master password. That's why currently, I only enter it on a non-connected machine which outputs the result over a one-way serial connection to my desktop. This algorithm could also be implemented on a PDA for example to make the approach portable.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    18. Re:Password changing by TCM · · Score: 1

      $ echo -n "$USER:$DOMAIN:$ITERATION:$MASTERPASS" | openssl ripemd160 -binary | openssl base64 |

      Preview, preview, preview. Anyway, there should be a final pipe element that reads "< remove all non-alphanumeric characters and truncate the result to 16 chars >"

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
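      The derivation scheme from the two posts above, written out as an added example (this is not the poster's own script). The poster's pipeline uses `openssl ripemd160`; because RIPEMD-160 is not present in every Python/OpenSSL build, the digest is a parameter here and defaults to SHA-256, which is an assumption of this example rather than part of the original scheme. The final step the second post describes (drop non-alphanumerics, truncate to 16) is included. The second function shows why the master must never be disclosed: the (user, domain, iteration) triplet is stored in the clear, so one leaked derived password plus a fast unsalted hash is an offline guessing target for the master. All sample values are constructed.

```python
import base64
import hashlib
import re


def derive_password(user, domain, iteration, master, digest="sha256"):
    """H(user:domain:iteration:master) -> base64 -> keep [A-Za-z0-9] -> first 16.

    `digest` defaults to sha256 here (assumption of this example); the
    original pipeline used ripemd160.
    """
    material = f"{user}:{domain}:{iteration}:{master}".encode("utf-8")
    raw = hashlib.new(digest, material).digest()
    b64 = base64.b64encode(raw).decode("ascii")
    return re.sub(r"[^A-Za-z0-9]", "", b64)[:16]


def recover_master(user, domain, iteration, leaked_password, candidates, digest="sha256"):
    """Offline guessing of the master from ONE leaked derived password.

    The triplet is not secret by design, so the attacker only has to guess the
    master; each guess costs a single hash, so a wordlist runs fast.  Returns
    the recovered master or None.
    """
    for guess in candidates:
        if derive_password(user, domain, iteration, guess, digest) == leaked_password:
            return guess
    return None


# Constructed sample data for the demo (not taken from the page).
MASTER = "correct horse battery staple"
SITES = [
    ("alice", "forum.example", 1),
    ("alice", "shop.example", 1),
    ("alice", "forum.example", 2),  # bumping the iteration rotates one site only
]

if __name__ == "__main__":
    for user, domain, it in SITES:
        print(f"{user}@{domain} #{it}: {derive_password(user, domain, it, MASTER)}")

    leaked = derive_password("alice", "shop.example", 1, MASTER)
    wordlist = ["password", "hunter2", MASTER, "letmein"]  # stand-in for a real wordlist
    print("master recovered from one leaked password:",
          recover_master("alice", "shop.example", 1, leaked, wordlist))
```

      Changing `ITERATION` for one site leaves the other derived passwords untouched, which is the rotation property the poster wanted; the recovery function is the cost of that convenience when the hash is fast and unsalted.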
    19. Re:Password changing by HaydnH · · Score: 1

      Actually real words make passwords easy to crack as parts of the password can be compared to a dictionary. Have a look at LophtCrack (think that was its name) which did exactly this for windows systems. It's actually quite impressive how quickly the passwords can be cracked if the words are in the dictionary (or just have a word followed by numbers etc).

      --
      Time is an illusion. Lunchtime doubly so. - Douglas Adams
    20. Re:Password changing by Sique · · Score: 4, Insightful

      Everything that affects the machine compromises security by definition. So that's no argument as such, you have to elaborate. The connection made between 'written down passwords' and 'physical access to a machine' is very weak. Of course: If I got into the secured building with the computer desk, it may be easier to just root the computer and then access whatever you want than to break into the file cabinet and search for the password. But security by itself does not only contain prevention of a compromise, but also detection of a compromise. And a security breach by physical access to a machine is often much easier and more timely to detect than a physical access to the written down password. Stick-It notes don't log access, as far as I remember ;). So if it is an inside job, a security breach may go unnoticed if the attacker just reads the password while passing by and then tries it from another machine, or if he just seems to 'look for that one file I left on the desk' and searches for the password. In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and thus the detection of both is more complicated.

      --
      .sig: Sique *sigh*
    21. Re:Password changing by LordLucless · · Score: 3, Informative

      In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and thus the detection of both is more complicated.

      And yet, the same could be said for the installation of a USB keylogger if given physical access to the machine. The greater danger with writing the password down, I find, isn't so much unauthorized access as improperly authenticated access. You're not in danger of industrial espionage so much as someone logging in using a coworkers account to do something illegal/immoral. And if that's the case, well, it's the problem of the user who wrote down the password, not the sysadmin.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    22. Re:Password changing by Fred_A · · Score: 1

      Even worse, some systems silently truncate *or not* depending on how you login. So you get an error when you enter it through a login method that doesn't truncate... So when your password was silently truncated when you first entered it, you have to figure at what length it was truncated (8 is still a safe bet though).

      I get a number of help requests about this kind of thing :(

      --

      May contain traces of nut.
      Made from the freshest electrons.
    23. Re:Password changing by grahamlee · · Score: 1

      You're going into the bowels of history a bit there aren't you? Most UNIX systems have been using SHA-1, MD5, blowfish or [insert a list of other non-DES encryption techniques] for at least this millennium, if not longer[*]. It's only if your network has to support some legacy SunOS 4 box or something that the real world will see DES-crypted passwords. Of course, if there *is* a real-world UNIX OS with DES passwords, do let me know... [*]glares at Mac OS X for not getting with the system until 2004...

    24. Re:Password changing by Fred_A · · Score: 1

      Didn't Windows finally start salting the passwords in the recent versions? It should quite lengthen the dictionary attacks.

      (sorry I'm not really up to date on MS stuff)

      --

      May contain traces of nut.
      Made from the freshest electrons.
    25. Re:Password changing by JaredOfEuropa · · Score: 1
      But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Exploer 5spd)
      That's a good trick, but it breaks down when you have to remember passwords on multiple systems that have varying password expiry timeframes and different rules for password length, allowable characters, etc. You'll still end up writing them down.
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    26. Re:Password changing by Pusene · · Score: 1

      Changing passwords at somewhat-constant intervals is a good idea, as long as you are able to select the time-frame yourself. Changing the password monthly on a system you use twice each month is just as useful as changing the password daily on a system you log on twice each day! In my experience, and lots of others' (Google is your friend), forcing password change too often leads to significantly weaker security, mainly due to passwords being written down or otherwise easily locatable (Model name of monitor, anyone?), or being made in an easy-to-guess sequence. I, for one, would like to welcome some new non-password-changing overlords!

      --
      Error #13: No coffee. Operator halted. Please place boot device at bottom.
    27. Re:Password changing by senatorpjt · · Score: 1

      I hate it. I have to change my password every few months on my school email account. What I do is, I change the password, and immediately change it back to the old password. I suspect it probably works on most systems that require a password change.

    28. Re:Password changing by trezor · · Score: 1

      Nice. Now I only need to compromise one password to own your cyberidentity.

      --
      Not Buzzword 2.0 compliant. Please speak english.
    29. Re:Password changing by Anonymous Coward · · Score: 0

      Nope. At work we have an answerphone system (of all things) that requires a new PIN every month or so, and refuses to let you use any of the previous ten numbers. Naturally, everyone uses 1111, 2222, etc. (or similar sequences).

      The most pointless security measure in the world? Probably.

    30. Re:Password changing by Alioth · · Score: 1

      Assuming Windows, it would be better to write a replacement GINA to capture passwords if you have physical access. Put the new GINA on the system and you're only capturing usernames and passwords and don't have to hunt them from the rest of the stuff typed into the machine.

    31. Re:Password changing by WhoDey · · Score: 2, Interesting

      I have to disagree with your statements. There's two things to keep in mind here - one is minimizing the risk of compromise, and the other is minimizing the damage. The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only help minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.

      I certainly don't claim that the damage will be reduced, and as always it depends on the situation. If password compromise leads to total administrative control of your network by a malicious entity, well, then, you're a bit screwed. But if someone manages to obtain one or two user passwords through social engineering and is biding their time, poking around a bit, then a user being forced to change their password suddenly closes up that hole.

      Of course, you're still not dealing with the root cause (in the case of Social Engineering, user education, but there are many others). But regardless of passwords being changed regularly or not, those root causes will exist and need to be addressed. My argument is simply that regular password changing can provide enough benefit to make it worthwhile to enforce.

    32. Re:Password changing by Anonymous Coward · · Score: 0

      "The cracker will always get through" (apologies to the WWII maxim).

      If someone really, really wants access to a particular system, they'll get there eventually. All you can do is make it hard enough to deter casual script kiddies with portscanners and be internally secure enough so that being compromised is more of an annoyance than a disaster.

      Think about it: if you were malicious, how many computers could you install keyloggers on? How many people would find "I just need to update your anti-virus, what's your login so I can do it quickly" from you reasonable? How likely is it they have their same password for their Hotmail and their IMs?

      All the security in the world won't prevent one person's misplaced trust doing them damage.

    33. Re:Password changing by Phleg · · Score: 3, Funny

      A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.
      You must be new here.
      --
      No comment.
    34. Re:Password changing by LordSnooty · · Score: 4, Informative

      Use a computer program to store them - e.g. PasswordSafe - the logic of storing all your passwords in a program may seem strange, but if you can keep the database in a safe place - on your USB key, for example - it should be a lot more secure than writing them down. A "cracker" would still need a password to open the database. At least you only have to remember one password.

    35. Re:Password changing by SatanicPuppy · · Score: 1

      My usual worry with that is, for the first few weeks after I change my password (And I favor long, complicated passwords without words), I type it slowly, and this raises the odds of someone shoulder-surfing me, but if I try and type it fast, I end up screwing up, and having to repeat, which increases the odds yet further.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    36. Re:Password changing by networkBoy · · Score: 1

      Yup.
      I keep my logins to all websites on an encrypted volume on my notebook.
      the login for that volume is 12 chars and uses some chars not even on the keyboard.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    37. Re:Password changing by Vexorian · · Score: 0

      I simply did not understand how periodic changing helps against cracking, it just has a chance to help against cracking and even so the chance must be really low.

      I mean if someone is trying to crack your password and you change the password during the cracking process then it would only help if the new password was in the first attempts of the cracking algorithm; if it was in the later attempts then it would be unhelpful. Also a cracking attempt would just do the process twice or periodically and that would eventually crack the password.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    38. Re:Password changing by networkBoy · · Score: 1

      "And if that's the case, well, it's the problem of the user who wrote down the password, not the sysadmin."

      Thanks for playing, but we all know the sysadmin is going to get plenty of grief over something like that.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    39. Re:Password changing by Anonymous Coward · · Score: 0

      Exactly...

      I was horrified recently to go to my local branch of a MAJOR worldwide bank. The physical security was almost non-existent.

      I was left alone in a room with a logged in computer for around 2 minutes, I looked at the back of the computer expecting to see a high security enclosure... NOTHING, the machine was a standard box with standard PS/2 mouse & keyboard.

      I don't think anyone at the bank would have noticed if I had planted my own keylogger.

      It just goes to show that even the big boys do not understand computer security properly...

    40. Re:Password changing by Anonymous Coward · · Score: 0

      Or if you run on a windows AD and you have idiotic IT policies, your account gets locked every time you change your password...
      Well, at least that's how it goes at work. Probably has something to do with using multiple PCs...

    41. Re:Password changing by hal9000(jr) · · Score: 3, Informative

      Have a look at LophtCrack (think that was it's name) which did exactly this for windows systems.

      that's not entirely true. L0Phtcrack leveraged a brain dead authentication mechanism in Windows NT using the NTLM password. NTLM can be from 1 to 14 characters in length. What happens is the password is split into two 7 character passwords and, using an unsalted hash, concatenated and stored. If the password was under 7 characters a constant was used for the upper 7 characters, so by simply parsing the string you could tell if the password was more or less than 8 characters (which had great performance improvements).

      I probably missed some steps in here, but that is essentially it.
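      The "parse the string" check the comment describes, as an added example (not from the page or from L0phtCrack): an audit over a pwdump-style `user:rid:LM:NT:::` dump that reports what each stored LM hash gives away without cracking anything. The empty-half constant `AAD3B435B51404EE` and the empty-password NT hash `31D6CFE0D16AE931B73C59D7E0C089C0` are well-known values; the sample dump lines and the other hash values in them are constructed for the demo and are not real hashes.

```python
# LM hash of seven NUL bytes: the value stored for an unused second half.
LM_EMPTY_HALF = "AAD3B435B51404EE"
# Both halves empty: no LM hash stored (blank password, or LM storage disabled).
LM_EMPTY = LM_EMPTY_HALF * 2
# NT hash of the empty password, to flag accounts with no password at all.
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"

# Constructed sample dump (not real hashes, apart from the constants above).
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:1A2B3C4D5E6F708192A3B4C5D6E7F809:::
svc_backup:1105:5E7A1C2B3D4F6A899C0B1D2E3F4A5B6C:0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F:::
jsmith:1001:5E7A1C2B3D4F6A89AAD3B435B51404EE:7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A:::
guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm_hash, nt_hash) from pwdump-format lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].upper(), parts[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"hash fields must be 32 hex chars: {line!r}")
        yield user, rid, lm, nt


def classify_lm(lm_hash):
    """What a stored LM hash reveals before any cracking is done.

    LM hashes each 7-character half independently, so the second half being
    the empty-half constant means the password is 1..7 characters and only
    the first half needs to be attacked.
    """
    if lm_hash == LM_EMPTY:
        return "no-lm-hash"
    if lm_hash[16:] == LM_EMPTY_HALF:
        return "lm-short"  # <= 7 chars: a single 7-char DES-keyed half to crack
    return "lm-full"       # 8..14 chars, still two independent 7-char halves


def audit(text):
    """Return (user, finding) pairs worth a sysadmin's attention."""
    findings = []
    for user, rid, lm, nt in parse_pwdump(text):
        if nt == NT_EMPTY:
            findings.append((user, "empty-password"))
            continue
        kind = classify_lm(lm)
        if kind != "no-lm-hash":
            findings.append((user, kind))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP):
        print(f"{user}: {finding}")
```

      Any account reported as `lm-short` or `lm-full` still has an LM hash stored, which is the condition L0phtCrack exploited; the fix on the server side is to stop storing LM hashes at all, not to rotate the password.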

    42. Re:Password changing by Anonymous Coward · · Score: 0

      This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence.
       
      IMHO, this points out why they should get changed. it is human error, ignorance, and/or incompetence that get passwords out in the open. every minute they have a new password is another minute they may give it away, tell the person sitting by them, "damn i hate changing passwords, so i named this one after my dog toby" or other crap. i have been a network admin for a while and i have found a lot of cases where passwords got out after a period of time and i had to tighten up the password policy. THE worst case i saw was a group of programmers needing a less restrictive account for testing, they couldn't remember the fairly easy password, so they printed it on a poster and hung it on the wall, several times, in huge bold print and a note stating the access level - i nearly shot them all and they definitely suffered less access after that.

      i'm not concerned with what the parent article is talking about, password crackers work a hell of a lot faster than a month. and these days it's easier to just rewrite passwords on machines you have physical access to. i can get access to a machine by putting in a floppy disk, turning off the monitor, turn on the pc, chat up the IT guy so he doesn't see, reboot and you're done in 5 minutes.
       
      my concern with passwords is that in a corporation of 5000, how many times do you think a password goes from one person to the next innocently (until one with the password gets 2 weeks notice that they are fired), it happens, it happens a lot. you have no way to track it unless you force a reset - and then you're only starting the clock off again, you also NEED complex password requirements to prevent single words. if you want real security get biometrics in conjunction with a password.
       
      one last rant in return for the above rant. picture this, i've heard this scenario many times. guy in office likes porn, checks it late in the day (there are weirdoes like this, i used to manage a websense server), gets a new site that asks you to sign up free - guy signs up, it asks for email, gives work address, asks password, decides it would be fine to use the work one. now there is a porn site run by who the fuck knows that has a username (email) and password for your network, if I follow Spafford's idea, then it's possible that this porn website now has a permanent login to the company and our IP from the office guy's browsing. whereas if i have a password policy to change this, it is only a temporary problem that may get fixed before a problem occurs, but to give them a permanent login --- i just can't agree with this.

    43. Re:Password changing by Asgard · · Score: 1

      It does help. Most password crackers work by obtaining the password hash somehow and then attempting to figure out an input to the hash that results in the obtained output. Changing the password changes the stored hash and invalidates the work done by the cracker.

      I think you are thinking of attempts to brute-force a password by trying to log in repeatedly. In that case it is true that changing the password only helps if the new password is before the current position of the password cracker. However, most authentication systems have protections against brute-forcing, such as locking accounts with excessive failed attempts or enforcing a timeout after every attempt.

    44. Re:Password changing by Poltras · · Score: 1

      No it didn't. The only real upgrade to the hashing system of windows is the advent of NTLM hashes, with arbitrary lengths (LM was 'limited' to 7 [1]) and better hashing (LM was case insensitive).
      BTW, all of you sysadmins should change the policies on your DC (or your own computer if you're not in a domain) to remove the storage of LM passwords if you don't have any Win9x and WinNT.

      [1] It is not limited, although the hash is separated into 7-character hashes (meaning for "ABCDEFGHIJKLMNOP" it keeps the hashes of "ABCDEFG", concatenated with the hash of "HIJKLMN", and so on). Just for you who did not follow LophtCrack...

    45. Re:Password changing by Anonymous Coward · · Score: 0

      But regular password changes can also help to minimize the damage when a password is compromised via other methods.

      [...]

      I certainly don't claim that the damage will be reduced,

      ... so your point is what, exactly?

    46. Re:Password changing by John+Whitley · · Score: 1

      If you're in a place where security is sufficiently tight to have mechanisms to prevent this (ie: Security Guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.

      But this doesn't protect against the greatest threat: insiders who can get right past the security guards. If an insider's up to something truly nefarious, better to use someone else's credentials to do it (especially if they have access privileges you don't.)

      Remember, the point of login credentials in most organizations isn't just to identify someone as part of the organization, but also to determine identity and levels of access to resources.

    47. Re:Password changing by Ed_Pinkley · · Score: 1

      A friend of mine worked at a local branch of a major worldwide bank. They used two part authentication method. They had a keychain-size device that would display a 6 (8?) digit number every minute. In addition to a password, you had to type in that number.

      So, a keylogger would only solve half of a criminal's problem. The bigger security issue is the logged in computer. (Still horrifying, IMHO)

      --
      "Long time listener, first time caller."
    48. Re:Password changing by Pollardito · · Score: 2, Interesting
      And a security breach by physical access to a machine is often much more easy and timely to detect than a physical access to the written down password. Stick-It notes don't log access, as far as I remember ;)
      the solution is simple! cover your desk in a sea of Post-It notes containing various usernames and passwords, make some of the usernames be accounts with no real password listed on the desk, and check those accounts regularly for attempted logins. it's like personal steganography. if it's too hard to remember which notes have the right passwords, you can write down a reminder for yourself on another Post-It that you stick under your desk

      p.s. this research was brought to you by 3M
    49. Re:Password changing by buysse · · Score: 1
      Solaris out of the box uses traditional crypt().

      You can switch the password encryption algorithm by editing /etc/security/policy.conf. On Solaris 9 and 10, the available algorithms are __unix__ (crypt()), BSD MD5, BSD Blowfish, and Sun MD5.

      By default, it's set to allow other algorithms, but new passwords set (including root) are __unix__.

      --
      -30-
    50. Re:Password changing by TCM · · Score: 1

      If you can also tell me how you would do that?

      The password is made with Diceware and is 7 words long and is never entered on a connected machine.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    51. Re:Password changing by harborpirate · · Score: 2, Insightful

      The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only helps minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.

      I have to disagree.

      First of all, again: the most common method for password discovery is directly related to the user. If this was the discovery method, our enemy will easily use the same methodology to obtain the password again when it has been changed.

      If the password is cracked through guessing, snooping, etc - the problem is that the user is likely to choose a new password which is very close, or just as insecure as their old password. The first thing I would try as a cracker, if someone had a reasonably hard password and changed it, would be to try every variation of the last character. If they had an easy password ("password" or some other dictionary word), I'd just know that I could run a speedy dictionary attack against their password and have it cracked in no time. These two methods of user password changing represent the vast majority - thus forcing a password change has not made the password significantly more secure because the original password was discovered.

      --
      // harborpirate
      // Slashbots off the starboard bow!
    52. Re:Password changing by Fallus+Shempus · · Score: 1

      I think the point is about enforcing password changes

      Which is probably the biggest reason people write passwords down,
      coz' they can't find one they like and stick to it

      We have accounts on absolute tons of servers, some of them have stupid password
      requirements, so we just share one and don't tell the admins.

    53. Re:Password changing by Mister+Whirly · · Score: 1

      If you can also tell me how you would do that?

      Sodium Pentathol - the weakest element in a password/cypher is always the human element.

      --
      "But this one goes to 11!"
    54. Re:Password changing by mikesd81 · · Score: 1

      some systems have a dictionary of used words that you can't use for x amount of times or in a certain time slot

      --
      That which does not kill me only postpones the inevitable.
    55. Re:Password changing by tylernt · · Score: 1

      I don't know about you, but I type my password probably 20 to 30 times a day. I keep my passwords at 8 characters because a) I would go insane typing long passwords two dozen times a day and b) typing long passwords that often would, seriously, waste several hours of my life over the course of a few years. I'd rather use those hours for something useful.

      Like reading /..

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    56. Re:Password changing by nasch · · Score: 1

      I'm sure everyone agrees that forcing password changes, and forcing strong passwords, each solve some problems. I think you can also see that they also cause problems. The question is, for any particular security situation, what will be the most effective policy? For ordinary business PCs and ordinary users, I would say unchanging or infrequently changing strong passwords are best. It doesn't seem like frequently changing passwords help, because if somebody somehow gets my password fido3, and finds that it doesn't work, what are they going to try next? fido4, fido5, etc. Most users change their passwords in this way so that they can remember them, so you haven't improved anything. More draconian policies require you to change it to something that doesn't include any large part of the previous several passwords. That could probably be a pretty effective policy at the expense of annoyed users (perhaps a good price to pay). Otherwise, as you say if you want real security use biometrics and/or two-factor authentication, because even rotating passwords don't solve many of the problems you mentioned.
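      A history check that rejects the fido3 to fido4 style of change described in this comment and in comment 51 above, as an added example that is not from the thread. The thresholds, the sample passwords and the assumption that the old plaintext is available at change time (the user must type the current password to change it) are all assumptions of the example.

```python
"""Reject new passwords that are trivial edits of recent ones (added example)."""
from __future__ import annotations
from difflib import SequenceMatcher

HISTORY_DEPTH = 5      # previous passwords compared against (assumed policy value)
MAX_SIMILARITY = 0.6   # SequenceMatcher ratio above which the change is cosmetic (assumed)
MIN_SHARED_RUN = 5     # consecutive characters carried over that count as "a large part" (assumed)
DIGITS = "0123456789"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def similarity_reason(candidate: str, previous: str) -> str:
    """Why `candidate` is a near-copy of `previous`, or "" if it is an honest change."""
    a, b = candidate.lower(), previous.lower()       # "Fido4" vs "fido3" must count too
    if a == b:
        return "identical to a previous password"
    stem = a.rstrip(DIGITS)
    if stem and stem == b.rstrip(DIGITS):            # fido3 -> fido4 -> fido5
        return "only the trailing digits changed"
    if edit_distance(a, b) <= 1:                     # fido3 -> fido3! or fid03
        return "differs from a previous password by a single character"
    sm = SequenceMatcher(None, a, b)
    run = sm.find_longest_match(0, len(a), 0, len(b)).size
    if run >= MIN_SHARED_RUN:                        # fido3 -> myfido3rocks
        return f"reuses {run} consecutive characters of a previous password"
    if sm.ratio() > MAX_SIMILARITY:
        return f"{sm.ratio():.0%} similar to a previous password"
    return ""


def check_against_history(candidate: str, history: list[str]) -> tuple[bool, str]:
    """Accept only if the candidate is not a near-copy of any of the last HISTORY_DEPTH passwords.

    `history` is newest-first. Comparing like this needs the old plaintexts, which a server
    normally only has for the current password at change time; older entries are stored as
    hashes, so in practice the check is strongest against the password being replaced.
    """
    for old in history[:HISTORY_DEPTH]:
        reason = similarity_reason(candidate, old)
        if reason:
            return False, reason
    return True, "ok"
```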

    57. Re:Password changing by init100 · · Score: 1

      I don't know about you, but I type my password probably 20 to 30 times a day.

      Just out of curiosity, why do you (need to) do that?

    58. Re:Password changing by tylernt · · Score: 1

      I'm in IT support, so I am frequently leaving my desk to go help someone. I always lock my PC when I leave (and I have it set to lock itself after 5 minutes), so every time I get back I have to unlock it. Also, there are a lot of intranet websites that won't keep me logged in between sessions, for security reasons (or clueless web developers, I haven't decided ;) ).

      If I didn't get up as much and only had to type my password a couple times per day, I agree having a whole sentence as a password wouldn't be a bad idea.

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    59. Re:Password changing by remitaylor · · Score: 1
      I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember)

      Yes, but the key here is *where* your users write down their passwords.

      If I find peoples' passwords on post-its, etc, I snatch them and they go in the shredder. I realize, however, that some users really struggle to remember their passwords (and we require relatively secure/complex ones), so I offer my own suggestions to users as to where they can save their passwords.

      My favorite piece of software for this, with a basically non-existent learning curve, is Steganos LockNote. It's basically a self-encrypting, password secure text file. Copy the .exe to your user's desktop and have them set the password and voila - it's like Notepad but password secure. (Unlike Notepad, the text and the text editor are wrapped up in one, but it seems just like Notepad to your end user.) I have users store their passwords in these, if they can't remember them.

      Of course, if they forget the password to log on and they can't get to the file, they're screwed :P But it is a great app for everyone, especially employees with no real IT knowledge/training. For more advanced users, I recommend KeePass.
    60. Re:Password changing by init100 · · Score: 1

      I always lock my PC when I leave (and I have it set to lock itself after 5 minutes), so every time I get back I have to unlock it.

      I do that myself too, but unlocking is almost automatic when I return to my workstation so I don't usually remember how many times I actually type the password. :)

    61. Re:Password changing by Starker_Kull · · Score: 1

      I think that's the logic behind OS X's Keychain app. You don't need remote storage, since the keychain database is encrypted. And to top it off, if your account password is reset by an admin (or someone unfriendly with admin access), the keychain password remains unchanged; if you lose it or forget it.... bye, bye, data. On the whole, a pretty sensible app.

    62. Re:Password changing by LordLucless · · Score: 1

      And there's no way to stop users giving out their passwords. There's just no way. Unless you couple the password with something like biometrics, which is significantly harder, not to mention more painful, to give away.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    63. Re:Password changing by Bush+Pig · · Score: 1

      I think your problem is more to do with idiotic system administrators than idiotic IT policy. This is essentially what happens at my workplace, and the only time people get locked out of their accounts is if they get the password wrong on 3 consecutive attempts.

      The only problem caused by using multiple PCs is that your desktop/preferences/etc don't follow you around, unless you specifically request a roaming desktop.

      --
      What a long, strange trip it's been.
    64. Re:Password changing by showardkid · · Score: 1

      Not correct. The NTLM hash was designed to overcome the shortcomings of the original LM (LanMan) hash, which was as you describe. Modern cracking generally cracks the LM hash first if it exists (which is far easier), THEN uses the full set of possible passwords that the cracked LM password could be in its original case to see if it matches the LM hash.

      Other than that, you're pretty much dead on.

      --
      Do, do not, or delegate to someone else: there is no try.
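      To make the split-hash weakness described in comments 41, 44 and 64 concrete, here is an added model that is not from the thread and not LM's real code: SHA-256 stands in for the per-half DES operation (an assumption, so it runs with the standard library) while keeping the structure that matters, namely case folding, NUL padding, two independent halves and no salt. The audit reads findings straight off stored hashes without cracking anything; the account names and passwords are constructed.

```python
"""Model of the LM half-hash construction and an audit over stored hashes (added example)."""
from __future__ import annotations
import hashlib

HALF_LEN = 7
BLOCK_LEN = 2 * HALF_LEN
DIGEST_HEX = 16          # hex characters kept per half, the size of LM's 8-byte DES output


def half_digest(half: bytes) -> str:
    """Unsalted one-way function of one 7-byte half.

    Real LM DES-encrypts a fixed constant with this half as the key. SHA-256 is a stand-in
    (assumption) that preserves the property under discussion: the result depends only on
    these 7 bytes, with no salt and no link to the other half.
    """
    return hashlib.sha256(b"LM-half-model:" + half).hexdigest()[:DIGEST_HEX]


def lm_like_hash(password: str) -> str:
    # Case is folded to upper case before hashing, so "Summer" and "SUMMER" collide.
    pw = password.upper().encode("latin-1", "replace")
    # Truncate to 14 bytes, NUL-pad shorter passwords, then hash the two halves independently.
    pw = pw[:BLOCK_LEN].ljust(BLOCK_LEN, b"\0")
    return half_digest(pw[:HALF_LEN]) + half_digest(pw[HALF_LEN:])


# Every password of 7 characters or fewer has this exact value as its second half.
EMPTY_HALF = half_digest(b"\0" * HALF_LEN)


def audit(stored: dict[str, str]) -> dict[str, list[str]]:
    """Findings per account, derived from the stored hashes alone."""
    findings: dict[str, list[str]] = {}
    owner_of_half: dict[str, str] = {}
    for user, h in stored.items():
        notes: list[str] = []
        first, second = h[:DIGEST_HEX], h[DIGEST_HEX:]
        if second == EMPTY_HALF:
            notes.append("password is 7 characters or fewer")
        for which, half in (("first", first), ("second", second)):
            if half == EMPTY_HALF:
                continue            # shared by every short password; not a cross-account link
            if half in owner_of_half:
                notes.append(f"{which} half identical to {owner_of_half[half]}'s (no salt)")
            else:
                owner_of_half[half] = user
        if notes:
            findings[user] = notes
    return findings


def search_cost(charset_size: int) -> tuple[int, int]:
    """Brute-force work for a 14-character password hashed whole vs as two 7-character halves."""
    return charset_size ** BLOCK_LEN, 2 * charset_size ** HALF_LEN
```

      Two accounts whose passwords share the same first seven characters show up as linked even though neither password is known, which is what the unsalted halves give away.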
    65. Re:Password changing by Anonymous Coward · · Score: 0

      Keeping passwords in an electronic "safe" is a GREAT idea...for those passwords you use infrequently (eg. frequent flyer miles, logins for sites you buy from once or twice a year, etc.). It doesn't help much with password you use every day.

      At my work, they mandate that you lock your screen when you step away (with a screen saver that does it for you with 5 minutes of inactivity) which means I end up entering my login password somewhere around 20 times a day. I'd love to use something long and secure, but I refuse to spend that much time typing my passphrase and getting it wrong several times (with the resulting lock out...), talking to the help desk to get it unlocked, etc. Put that 90 day required change on top of that and I use the shortest password I can, with as simple a pattern as I can manage.

    66. Re:Password changing by Imsdal · · Score: 1
      I always lock my PC when I leave (and I have it set to lock itself after 5 minutes)

      I do too, but I find that this is very uncommon and not even a standard policy, which is just weird to me. I think this is by far the biggest security concern in a regular office today.

      I have only seen it strongly enforced at one place ever (and I've been a consultant, so I have seen several dozen companies), and the way it was enforced there was that whenever someone from IT spotted a non-locked PC, they changed the background picture to pr0n!

      That way, it was obvious to everyone that there had been a major screwup, and the person who had forgotten to lock the computer was embarrassed as hell. I spent almost a year at that company and only saw two unlocked PCs during that whole time.

    67. Re:Password changing by Imsdal · · Score: 1
      And there's no way to stop users giving out their passwords. There's just no way. Unless you couple the password with something like biometrics, which is significantly harder, not to mention more painful, to give away.

      A previous poster mentioned SecurID from RSA or similar solutions: a small device, typically attached to your keychain, that displays a six figure number that changes every minute. In order to login, you use username and a password consisting of your password and the six figures from the SecurID concatenated.

      In such a setting, giving away your password is meaningless and never happens. This system works surprisingly well. I've used it at three different places, and find it far better than anything else I've seen.
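      The login described here and in comment 47 (password typed together with the six digits on the fob), as an added server-side verifier that is not from the thread. The fob is modelled with RFC 6238 TOTP on a 60-second step, which is an assumption standing in for RSA's proprietary SecurID algorithm; the user record, secret and clock values are constructed.

```python
"""Verify "password followed by six-digit fob code" logins, with replay protection (added example)."""
from __future__ import annotations
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 60     # the fobs in the thread show a new number every minute
CODE_DIGITS = 6
DRIFT_WINDOW = 1      # also accept the previous and next minute's code (assumed clock-skew policy)
PBKDF2_ROUNDS = 200_000


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 time-based code: HOTP (HMAC-SHA1, dynamic truncation) over the time step."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    code = truncated % (10 ** digits)
    return f"{code:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, token_secret: bytes) -> dict:
    """Server-side record: salted password hash plus the fob's shared secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_secret": token_secret, "last_counter": -1}


def verify_login(user: dict, submitted: str, now: float | None = None) -> bool:
    """`submitted` is the password immediately followed by the six digits shown on the fob."""
    now = time.time() if now is None else now
    if len(submitted) <= CODE_DIGITS or not submitted[-CODE_DIGITS:].isdigit():
        return False
    password, code = submitted[:-CODE_DIGITS], submitted[-CODE_DIGITS:]

    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])

    # Check the code against the current step and its neighbours, but never against a step
    # that has already been used: a keylogged password+code pair cannot be replayed.
    current = int(now) // STEP_SECONDS
    matched = None
    for candidate in range(current - DRIFT_WINDOW, current + DRIFT_WINDOW + 1):
        if candidate <= user["last_counter"]:
            continue
        expected = totp(user["token_secret"], candidate * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            matched = candidate

    # Both factors are always evaluated, so a failure does not reveal which one was wrong,
    # and the step is only consumed on a fully successful login.
    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False
```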

    68. Re:Password changing by Sarisar · · Score: 1

      I never used to lock my PC... mainly because there were better ways of breaking into the system (like the text file on the server everyone connected to with full admin rights everywhere which no user had access to, including IT, as their default account). Oh this password was also the same name as the account.

      Company policy was to lock the PCs after 10 minutes but I ran a .reg file to override this on logon (this was another problem with the company allowing any user to have access to the registry).

      Personally if I had cared about that job I may have done something else, but given they had a mandatory 28 days change your passwords thing on about 4 different systems almost everyone wrote them down, or simply upped a number at the end. One of the systems gave you a random 6 letter number combo that you couldn't change!

      So given that almost every single user simply wrote this down, or incremented the password. The help desk had been seen asking for passwords to pass to IT to 'help' them and they had possibly the most screwed up security setup, what was the point?

    69. Re:Password changing by tylernt · · Score: 1

      That's awesome. Around here, if someone spots an unlocked PC, they'll use it to send an email to everyone announcing their newfound gay lifestyle or their love of monkeys. Also quite effective. :)

      --
      DRM 'manages access' in the same way that a prison 'manages freedom'
    70. Re:Password changing by Vexorian · · Score: 0

      All right, again I suffered from term confusion because of different languages, thanks for the clearing up

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  3. APG by wuzzeb · · Score: 5, Funny

    I have found that using APG is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

    lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
    drywaWrop2 (dry-wa-Wrop-TWO)
    ScekGul4 (Scek-Gul-FOUR)
    lacWaup7 (lac-Waup-SEVEN)
    IphIaft3 (Iph-Iaft-THREE)
    glidTevPos8 (glid-Tev-Pos-EIGHT)
    1. Re:APG by MichaelSmith · · Score: 1
      I have found that using APG is a great way to generate passwords

      In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality. When I moved to unix I was surprised that you can't do this as standard.

    2. Re:APG by dgatwood · · Score: 1
      Blech. There's no way in H*LL I would be able to remember any of those. They're completely random crap. It's hard enough to remember the twenty-plus passwords I have to keep track of that -I- created -without- somebody forcing me to use bloody line noise for one of them.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:APG by woolio · · Score: 1

      Well, maybe YOU can pronounce them!!!!

      And for the viewing audience, which one is your root password?

    4. Re:APG by Nutria · · Score: 1
      In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality.

      I've been using VMS for 16 years, and never knew that... Now I must hate you forever.

      CompuServe had the best password generation policy, which I still follow:
      word digit word
      Thus, I am able to use easily remembered words, but there is enough variation in combinations that guessing and dictionary cracking is well-nigh impossible.
      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:APG by Anonymous Coward · · Score: 0
      CompuServe had the best password generation policy, which I still follow:
      word digit word

      Nope. This is a relatively weak password generation scheme. Many brute-force attack programs include this scheme in their dictionary attacks: shortword-digit-shortword. Some of them also include combinations with a second digit at the end (or beginning) of the password.

      I would advise you to change your policy and add an extra non-alphanumeric character somewhere, or change one of the words to something that is not in a dictionary.

    6. Re:APG by ZeroExistenZ · · Score: 1

      There's no way in H*LL I would be able to remember any of those.
      After typing a certain random generated password for a few times, its engraved in your memory, no?

      I find myself unable to "pronounce" most of my passwords, but I remember them without much thinking. (It's more remembering how to move my hands over my keyboard as to actually remember what I'm actually typing.)

      It's the same with my PIN-codes. I just remember a figure and how to draw it in a certain order. Not the numbers themselves..

      --
      I think we can keep recursing like this until someone returns 1
    7. Re:APG by Captain+Zep · · Score: 2, Interesting
      Sounds like I'm in the minority, but I think this APG thing looks pretty good, assuming it generates from a large enough space.

      Despite what everyone is saying, these passwords are pronounceable, and for the really important passwords that you use frequenctly, you can memorise them fairly easily.

      I currently use completely random character sequence passwords for my main accounts. I keep them written down until I've learnt them (after a week maybe), then destroy the piece of paper. Since the passwords are strong, I don't need to change them very often.

      For all the other minor accounts that I need passwords for as well, I still use randomly generated passwords, but keep them in a keyring application on a memory stick, so I only need to remember it's master password, and I can still have a different password on every account. I carry the stick around just like I carry around a bunch of keys (same thing really)

      Yes, good passwords are a nuisance, but if it's convenience you want then just use something easy to guess like '7of9', 'top5ecret', or even the classic 'admin'.

      Z.

    8. Re:APG by Anonymous Coward · · Score: 0

      I find myself unable to "pronounce" most of my passwords, but I remember them without much thinking. (It's more remembering how to move my hands over my keyboard as to actually remember what I'm actually typing.)

      You'd better pray you never need to log on to anything from overseas, then. Newsflash -- not everyone uses QWERTY.

    9. Re:APG by Nutria · · Score: 1

      Many brute-force attack programs include this scheme in their dictionary attacks: shortword-digit-shortword. Some of them also include combinations with a second digit at the end (or beginning) of the password.

      I've run my password file thru John The Ripper many times, and never come up with a crack.

      --
      "I don't know, therefore Aliens" Wafflebox1
    10. Re:APG by ajs318 · · Score: 3, Informative
      Unix is a bit more "self assembly" than VMS. Try this. It's a little Perl script I wrote to generate passwords. The standard form is CCVCDCVC which is fairly "pronounceable", obviously you can customise it. To get around issues with letters looking like numbers and vice versa, it will never use a capital letter O nor a small letter L in a password. Save it in /usr/local/bin/pwgen and chmod it 755.
      Usage:

      pwgen [username]

      If a username is not specified, generates a "pronounceable" password of the form consonant, consonant, vowel, consonant, digit, consonant, vowel, consonant and displays it on STDOUT; along with its scrambled form suitable for usermod(8) or direct editing of the password file.
      If a username is specified, and that user actually exists, then pwgen sets the new password using usermod(8).
      NB. My careful indenting was spoiled by Slashdot. Feel free to un-spoil it. Good job it's written in Perl and not That Other Language!
      #!/usr/bin/perl -w
      # this is /usr/local/bin/pwgen
      use strict;

      my ($password, $salt, $scram, $user, @stuff);

      $user = shift || "";

      # One vowel, upper-cased 25% of the time; 'o' is never capitalised (looks like 0).
      sub vowel {
          $_ = substr "aeiou", int rand 5, 1;
          tr/aeiu/AEIU/ if rand > .75;
          return $_;
      };
      # One consonant, upper-cased 25% of the time; the list has L but no l (looks like 1).
      sub consonant {
          $_ = substr "bcdfghjkLmnpqrstvwxyz", int rand 21, 1;
          tr/a-z/A-Z/ if rand > .75;
          return $_;
      };
      sub digit {
          $_ = int rand 10;
      };
      # One character from the 64-character crypt(3) salt alphabet [./0-9A-Za-z].
      sub saltchar {
          $_ = substr "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./", int rand 64, 1;
      };

      # Pattern CCVCDCVC: consonant, consonant, vowel, consonant, digit, consonant, vowel, consonant.
      $password = consonant() . consonant() . vowel() . consonant() . digit() . consonant() . vowel() . consonant();
      # '$1$' selects the MD5 variant of crypt(3); its salt is up to 8 characters terminated by '$'.
      $salt = '$1$';
      foreach (1 .. 8) {
          $salt .= saltchar();
      };
      $salt .= '$';
      $scram = crypt $password, $salt;

      print "\nAJS's password generator - now with no Os or ls!\n";
      print "-" x 48 . "\n\n";
      print "Password is $password.\n";
      print "Scrambled form is '$scram'.\n";

      if ($user) {
          if (@stuff = getpwnam $user) {
              # List form of system() so the username and hash are never re-parsed by a shell.
              system "usermod", "-p", $scram, $user;
              print "Set password for '$user' to '$password'.\n";
          }
          else {
              print "There is no such user as '$user'.\n";
          };
      };

      print "\n";

      exit;

      Copyright 2005-2006 AJS.

      Distribution of this program in Source Code form is allowed, with or without modification, provided that this licence accompanies every copy of the program. Distribution in binary executable form, where applicable, is permitted only in conjunction with complete corresponding Source Code and build instructions.

      Statement of Warranty: the copyright holders warrant that this program, when run on a properly-functioning computer, will perform substantially as indicated by the source code. No other warranty is made in respect of the program. If you are in doubt as to what this program does, you should consult a competent programmer.

      This licence is in addition to, and is not to be construed as prejudicing, any statutory rights granted to you under the Law of the Land.
      --
      Je fume. Tu fumes. Nous fûmes!
    11. Re:APG by ZeroExistenZ · · Score: 1
      Newsflash -- not everyone uses QWERTY.

      I know; I'm using AZERTY ;)

      --
      I think we can keep recursing like this until someone returns 1
    12. Re:APG by Anonymous Coward · · Score: 0

      pwgen (http://sourceforge.net/projects/pwgen/) provides equally 'memorable' passwords:

      Yeip3cee
      phoo4ieW
      ooW1aeng
      deeH4Ahd
      thoi9Hei
      Aechoi9p
      au3maiXe
      IeJee2uy

      Each run usually turns up a few that are fairly easy to remember.

    13. Re:APG by gmby · · Score: 1

      Only if you can "pronounce and spell" what your cute little program tells you to use.

      I find keyboard patterns work very well.
      You do not have to remember actual characters; just patterns.
      A bit of warning: if you try to remember your password by letters instead of patterns, you just might mix it up and forget it altogether. I've done it a few times.

      But having physical access to the boxes makes it not a big problem. Just reset with a live boot disk.

      "Around you root is."
      "The Force you must feel; Luke"
      "Think not your pass; Feel root you must."

      --
      I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
    14. Re:APG by CmdrGravy · · Score: 1

      I've found the best policy with administrator passwords is to set them as simple and easy to remember as possible rather than using long complicated strings because that is what the crackers are least expecting. I favour things like pass or word

    15. Re:APG by ajs318 · · Score: 1
      It's the same with my PIN-codes. I just remember a figure and how to draw it in a certain order.
      Um.

      One of the disadvantages {or advantages, if you're dishonest} of those point-of-sale payment machines is that the keypad layout is static. Yes, there's a plastic screen around the keys; but a person watching from above and behind can see everything if they know what they're looking for. Those tendons ..... they're an Achilles' heel {irony fully intended}.

      I had the idea that it might be more secure to use full-travel keyswitches with built-in OLED or LCD display elements {rather than a touchscreen, which creates errors through the absence of negative feedback} and scramble the key layout for each user {possibly even for each digit, though this might be too confusing}. This way, although you know what keys the person in the next checkout lane was pressing, you don't know what number they were entering.

      But that doesn't fit the paradigm, if people memorise the pattern formed on a "standard" keyboard by their PIN rather than the digits themselves. And it could actually end up making things easier for fraudsters. It really would be better to use something more secure than a four-digit PIN to authorise a payment ..... how about a handwritten signature {which cannot be disclosed under duress} instead?
      --
      Je fume. Tu fumes. Nous fûmes!
    16. Re:APG by Zontar_Thing_From_Ve · · Score: 1

      While this was a useful post, the following statement:

      I have found that most users can remember these kinds of passwords.

      is enough to warrant modding this article as "funny".

    17. Re:APG by Digital+Vomit · · Score: 1
      I don't know about that:

      lucy-her-ucks-six
      dri-wah-rop-two
      skek-gull-four
      lack-wop-seven
      if-eeyaft-three
      glid-tev-pos-eight

      Maybe the last one seems pretty good for remembering...

      --
      Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
    18. Re:APG by ktwombley · · Score: 1

      Rock on!

      I just got my next 6 passwords.

      Thanks!

    19. Re:APG by Anonymous Coward · · Score: 0

      Personally, I prefer the nice pwgen program. http://sourceforge.net/projects/pwgen/
      It can make all sorts of passwords, with letters and numbers and such... things like "Meh4Rohfah". Passwords like this would be a pain in the butt to crack, but are much easier to remember than "lewcyHirUx6"

    20. Re:APG by ZeroExistenZ · · Score: 2, Insightful
      I had the idea that it might be more secure to use full-travel keyswitches with built-in OLED or LCD display elements {rather than a touchscreen, which creates errors through the absence of negative feedback} and scramble the key layout for each user {possibly even for each digit, though this might be too confusing}. This way, although you know what keys the person in the next checkout lane was pressing, you don't know what number they were entering.

      I think you're absolutely right with this. It would be more secure, and I would applaud it and implement it myself where possible if that sort of added security were available...

      It's just because of "habit" of typing my passwords that I memorized most of my passwords by pattern. (as I often don't think anymore when I type about what each individual finger is doing but I still type quite well.)

      Just look at nearly every keyboard or input-device; the F and J have some sort of deviating surface to identify the position on your keyboard by touch ("touch-typing"). On numerical input-devices you always have the 5 standing out. Which is a convenience which helps you orientate on your input-device, but as you pointed out it's a security risk: as everything has such a standard "lay-out" it's possible to get to know passwords by observing not what, but how one enters a password. (this reminds me of this program which could capture passwords by "listening" to how one entered a password)

      It's a problem, definitely. I think authentication via eIDs and other smart-cards is a plausible solution, but it's kind of creepy privacy-wise. (and those can be quite easily stolen. And for the signature you again have a PIN... back to start.)

      --
      I think we can keep recursing like this until someone returns 1
    21. Re:APG by squallbsr · · Score: 1

      'nothing' is also another good Admin password =P

      --
      Sleep: A completely inadequate substitution for Caffeine.
    22. Re:APG by Anonymous Coward · · Score: 0

      Crackers don't crack passwords by hand, they use tools. These tools also do dictionary attacks, words in the dictionary (like "word" and "pass") will be found within a short time.

    23. Re:APG by ajs318 · · Score: 1
      Handwritten signatures were used until quite recently to authorise transactions. This prompted me to make the following:

      PATENT APPLICATION: Method for handing over personal property to another person.
      What is claimed is:
      1. A method by which a person, hereinafter referred to as victim, and equipped with a payment {credit or debit} card issued by a bank or similar institution and a mobile telephone, substantially enriches two other parties, hereinafter referred to as villain and accomplice, one of whom is already equipped with a mobile telephone.
      2. The villain and accomplice being known to one another but the victim not necessarily knowing either.
      3. The handing over by the victim, at the {somewhat less than polite} request of the villain, of a payment card and mobile telephone belonging to the victim, and the announcement in a trembly voice of the PIN associated with the card for the purpose of withdrawing cash from a hole-in-the-wall machine or making payment at a store checkout.
      4. The victim remaining in the firm grasp of the accomplice whilst the villain enters a nearby store with the payment card and the victim's telephone; the accomplice also retains a telephone.
      5. If applicable, the announcement by the victim, in an even shakier voice, of the correct PIN associated with the card, upon a simple request {initiated using the victim's own mobile telephone} from the villain to the accomplice.
      6. The suffering of financial loss by the victim, as a result of all the above actions.
      7. Anything else not mentioned above but which the victim may reasonably be expected to do under the circumstances described above.


      Note that I have phrased this patent application from the point of view that it would be violated by the victim of "PINpoint robbery", rather than the perpetrator. For one thing, it's not usually illegal to be robbed, which makes getting a patent just a little easier. For another, claiming a royalty payment requires actually getting hold of the person who owes the money; the perpetrator is likely to be long gone, but the victim is right there.
      --
      Je fume. Tu fumes. Nous fûmes!
    24. Re:APG by CmdrGravy · · Score: 1

      Goodness me, who would have thought it. I suppose I need to rethink my entire policy then. Unless you're a cracker and are just trying some of that social engineering jive I've been reading about and are trying to coerce me into weakening my network...

    25. Re:APG by CmdrGravy · · Score: 1

      I used to work somewhere where the password policy was to reset it to the day of the week. Admittedly these weren't especially powerful accounts, but anyone with half a brain and an inclination for mischief could have had a lot of fun.

    26. Re:APG by init100 · · Score: 1

      For all the other minor accounts that I need passwords for as well, I still use randomly generated passwords, but keep them in a keyring application on a memory stick, so I only need to remember its master password, and I can still have a different password on every account. I carry the stick around just like I carry around a bunch of keys (same thing really)

      For really minor accounts, like web community accounts (e.g. Slashdot), I use the "save password" functionality of Firefox with a master password set. This encrypts the passwords on disk (IIRC with triple-des) with a hash of the master password as the key. And I almost forgot, I also use random-generated passwords, usually by cat:ing /dev/urandom through strings.

    27. Re:APG by owlstead · · Score: 1

      Be warned that there are about 37 bits of entropy in the passwords generated by this program. A completely random pattern of 8 characters will normally generate over 50 bits of entropy (if you include special characters). It's a good idea to take some measures against checking too many passwords per second anyway, but 37 bits may be a bit too little. And if you let the users use the application directly, they may change passwords until they find an easy to use one (which may be more easy to crack).

    28. Re:APG by ajs318 · · Score: 1

      Hey, what self-respecting BOFH lets users choose their own passwords? ;> Depending on your usermod(8) implementation, it might or might not work for users anyway.

      As for the lower entropy due to more rigidly defined patterns ..... I know, but it's a compromise. A weak password that isn't written down on a yellow sticky note attached to the side of the PC is still more secure than a strong one that is written down. A brute force attempt will generate log file entries that can be spotted before the l337 5cript kiddies get far enough to do any damage.

      --
      Je fume. Tu fumes. Nous fûmes!
    29. Re:APG by owlstead · · Score: 1

      Yeah, I agree with all that, but it's just a warning that people should not use too simple passwords on things that can be brute forced. You're better off generating a stronger password for such uses. I've created some scripts myself (in Java) to generate passwords. It is pretty amazing sometimes which schemes generate passwords with more or less entropy. Fortunately, there are quite a lot of consonants in your scheme. Schemes with many vowels will be much less effective.

    30. Re:APG by eddeye · · Score: 1

      You went to all that trouble yet you're using rand for entropy. That's like putting a padlock on a paper bag. Try reading from urandom on linux instead, or something else suitable on other platforms.

      --
      Democracy is two wolves and a sheep voting on lunch.
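
The two points raised in the last few comments, that a pronounceable scheme has far fewer bits than its length suggests (owlstead's 37 vs. 50+ bits) and that seeding a generator from rand()/the clock is "a padlock on a paper bag" (eddeye), can be made concrete. The following is an added example, not code from the thread or from APG/pwgen; its consonant+vowel scheme is an assumption shaped like those tools' output, not their real algorithm, and the one-day seed window is a constructed attacker model.

```python
import hashlib
import math
import random
import secrets
import string

# Alphabets. The pronounceable scheme below is an assumption: consonant+vowel
# syllables drawn uniformly, plus one digit. It is shaped like the APG/pwgen
# output in the thread but is not either tool's real algorithm.
CONSONANTS = "bcdfghjklmnpqrstvwxz"     # 20
VOWELS = "aeiouy"                        # 6
DIGITS = string.digits                   # 10
ALNUM = string.ascii_letters + string.digits
PRINTABLE = ALNUM + string.punctuation   # 94 printable ASCII, no space


def pronounceable(n_syllables: int = 4) -> str:
    """'lucy-her-ucks-six' style: readable, but drawn from a small space."""
    body = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(n_syllables))
    return body + secrets.choice(DIGITS)


def pronounceable_bits(n_syllables: int = 4) -> float:
    """Entropy is log2 of the number of equally likely outputs, not the length."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS))   # log2(120) ~ 6.9
    return n_syllables * per_syllable + math.log2(len(DIGITS))


def uniform_password(length: int = 8, alphabet: str = PRINTABLE) -> str:
    """Each position independent and uniform over the alphabet: the 'over 50 bits' case."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def uniform_bits(length: int = 8, alphabet: str = PRINTABLE) -> float:
    return length * math.log2(len(alphabet))


def expected_guesses(bits: float) -> float:
    """Guesses needed on average to hit a secret of the given strength."""
    return 2 ** (bits - 1)


# --- the rand() mistake ----------------------------------------------------
def seeded_password(seed: int, length: int = 8) -> str:
    """Looks random, but a PRNG seeded from the clock makes the output a pure
    function of the seed (the flaw eddeye points out above)."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALNUM) for _ in range(length))


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def recover_seeded(target_hash: str, t_start: int, t_end: int, length: int = 8):
    """Attacker model: knows the password was generated some second in
    [t_start, t_end] and has its hash. The output length no longer matters;
    the search space is just the window of seeds."""
    for seed in range(t_start, t_end + 1):
        candidate = seeded_password(seed, length)
        if sha256_hex(candidate) == target_hash:
            return seed, candidate
    return None


if __name__ == "__main__":
    print(f"pronounceable: {pronounceable()}  ~{pronounceable_bits():.1f} bits")
    print(f"uniform:       {uniform_password()}  ~{uniform_bits():.1f} bits")
    t = 1_200_000_000                      # constructed 'generation time'
    h = sha256_hex(seeded_password(t))
    print("recovered from a one-day window:", recover_seeded(h, t - 43200, t + 43200))
```

Four syllables plus a digit come out at about 31 bits, an 8-character uniform draw over printable ASCII at about 52; the difference is a factor of two million in guesses, which is why owlstead's "measures against checking too many passwords per second" matters more for the pronounceable scheme. The seeded generator, on the other hand, has roughly 17 bits of "entropy" in a one-day window regardless of how many characters it emits, so it is recovered by searching seeds, not passwords.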
    31. Re:APG by macdaddy · · Score: 1
      I have another method that I prefer. I use passwords that are simply easy to type (i.e., something that your fingers will get used to over time). I'm right-handed so I start the password with my left hand. The format is simply 2 numbers, followed by 3 lower-case letters, followed by 3 upper-case letters, followed by the last digit of the sum of the first two numbers. For example:

      37cspDUP0

      I type the keys with a certain pattern in mind. L = Typed with my Left hand, R = typed with my right hand. In order: LRLLRLRR. More specifically LRLLR press-left-shift-key LRR let-up-left-shift R.

      If desired you can use 3-letter acronyms for the characters. You can also put a non-alphanumeric character between the alphanumeric triplets. It's a good place for it because you're already pressing the left shift key.

      That's one good password scheme. Phonetics is also good.

    32. Re:APG by Bush+Pig · · Score: 1

      That is outstanding! You, sir, are a comic genius.

      --
      What a long, strange trip it's been.
  4. Password change policy by MichaelSmith · · Score: 4, Insightful

    We all know that it's stupid. People write it down on post it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

    That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

    1. Re:Password change policy by KiloByte · · Score: 2, Funny

      That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

      I'm afraid that you have never seen a corporate environment; otherwise you wouldn't mention "doing the sensible thing".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Password change policy by einhverfr · · Score: 1

      Well.... I think the author misses one real reason to change passwords every so often (monthly is good): If a password is compromised, then it is a good idea to have a periodic change so that the compromise may be at least somewhat limited automatically after a period of time. I think that in many environments, a change of a month is reasonable.

      This does *not* mean you are necessarily reducing the chance of a breakin. What it does mean is that a break-in is going to be more limited in its impact even if undiscovered if it relies solely on passwords. In essence this has the effect of being able to increase the cost of an effective attack that will have an enduring impact.

      --

      LedgerSMB: Open source Accounting/ERP
    3. Re:Password change policy by urbanriot · · Score: 1

      ... People write it down on post it notes etc.

      Agreed completely. In the "real world", the harder the password you supply a user with, the greater chance it will be recorded somewhere easily accessible by other employees.

      In most of my environments, it's quite common to see post-it notes stickied to a monitor with both the login name and the associated password.

      In a network environment where file security is paramount and the possibility of corporate espionage exists, then perhaps a strict password policy should be enforced. Otherwise, it's really just silly.

    4. Re:Password change policy by Anonymous Coward · · Score: 0

      Not only harder passwords, but *more* passwords. We've pared down the number of passwords lately, but we still have at least six passwords for each employee (not including passwords for accessing HR resources like Benefits, Retirement, etc..). If I had to re-memorize six "hard passwords" every month, they'd be written on a card in my wallet (or briefcase, desk drawer, etc.).

    5. Re:Password change policy by shawb · · Score: 1

      A lot of people eventually do the second thing... but it usually requires two weeks of notice.

      --
      I'll never make that mistake again, reading the experts' opinions. - Feynman
    6. Re:Password change policy by ehrichweiss · · Score: 2, Interesting
      I only have one question. What if the cracker is the one who gets the "it's time to change your password" message, they change it to something they know and then back again to the original? Think anyone's gonna notice? Depending on the host OS, it could be trivial to exploit a man in the middle attack to acquire the password from that user when they logon, just have a script that checks for a value on a webpage (or a million other things) that you control..if it finds it then it puts the user right back in front of a legit looking logon screen..they re-enter and it emails the result to one of a large list of email addys you have set up. Better check those .*shrc's.

      As always, this stuff is for educational purposes only. If you're thinking of doing it, it's probably for illegal purposes so don't blame me if you get caught.

      --
      0x09F911029D74E35BD84156C5635688C0
    7. Re:Password change policy by muhgcee · · Score: 1

      Well, if you're logging in to some sort of network service, like Active Directory or eDirectory, the admin can quite easily make it so you cannot use any of your previous x passwords. I would imagine this is the normal corporate environment. In this environment, what you describe above would not work.

    8. Re:Password change policy by cdrudge · · Score: 1

      In that case, while the damage could obviously already be done, at least the continued effects can start to be minimized. If the attacker changed the account's password, it would immediately be identified. I would say that is significantly better than if the attacker was allowed to continue to log in undetected for months or years on end without anyone being the wiser.

    9. Re:Password change policy by ajs318 · · Score: 1
      That's what's so great about having all your important stuff on in-house written and customised web applications, rather than some closed-source crap that makes you work the way they want you to work. As well as requiring passwords, you can lock things to an IP address. Users can't change their IP address without the root password for their workstation -- which, of course, they don't have. Users' application passwords can be the same as their workstation login passwords {just paste the first part of a line from /etc/shadow into /var/www/html/*/htpasswd} or different. The IT department never need to know a user's password, despite the show we always make of looking away as they enter it :)

      Thanks to a complicated mess ..... er ..... a cunning arrangement of NFS mounts and symlinks {which ensures there's always a root user and a dummy user called 'user', even if the remote mounts don't come up because some D.H. has been messing with cables}, it's possible to enter something like
      # awk -F: '/fred/{print $1 ":" $2}' /etc/shadow >> /var/www/html/wages/.htpasswd
      to give fred access to the wages applications.
      --
      Je fume. Tu fumes. Nous fûmes!
    10. Re:Password change policy by MindStalker · · Score: 1

      I recently moved the users in my domain who need extra security to dekart login. Kinda like smart cards, but cheaper (we really couldn't afford the expense of smart card readers). It works great. I assign a very complicated password to the person that they don't even know. Use the dekart login to enter that password when they use their usb key with a small password. It also supports biometric auth as a third measure, if you have a biometric reader.. I then shred and burn the passwords.

    11. Re:Password change policy by ehrichweiss · · Score: 1

      I don't think you understood fully. I meant the cracker changes the password and then IMMEDIATELY changes the password back to the original. I don't think I've run into an OS yet that ONLY allows you to change the password in a certain interval without admin privs but it would be a good idea in this situation.

      --
      0x09F911029D74E35BD84156C5635688C0
    12. Re:Password change policy by ehrichweiss · · Score: 1

      That would help at least but I wonder how often it really happens that admins set that option and how large X typically is. I mean it'd be trivial to write a script to change my passwd 25-25,000,000 times before changing it back to the original. But at least that's an option.

      --
      0x09F911029D74E35BD84156C5635688C0
    13. Re:Password change policy by ehrichweiss · · Score: 1

      Oh, I forgot to mention that if the cracker were smart and he saw the "please change" message he'd just cancel the login and let the man-in-the-middle login script he previously had setup do the passwd snagging for him. THAT would go totally unnoticed for the most part since it'd simply ask the real user to change the passwd upon login. BTW, yes, it is my nature to circumvent almost anything.

      --
      0x09F911029D74E35BD84156C5635688C0
    14. Re:Password change policy by muhgcee · · Score: 1

      Many password change policies also have a minimum password age. So, for instance, a password has to be 90 days old before using it again.

    15. Re:Password change policy by mengel · · Score: 1
      Well, I have two problems with this post:
      1. Having unauthorized access for "only" half a month on average is not acceptable
      2. It ignores completely whatever mechanism was used to obtain the password in the first place.
      If the person got the password by looking at the postit note on the authorized user's keyboard, they can do it again once the password is changed. If you examine the assorted mechanisms for obtaining a password mentioned in the article, all but maybe 2 of them are repeatable once the password is changed.

      Secondarily, if he/she knows the password, the bad guy/gal can change the password, possibly locking out the valid user. Depending how often the valid user uses that system, that can persist for quite a while, too.

      --
      - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
    16. Re:Password change policy by einhverfr · · Score: 1

      Having unauthorized access for "only" half a month on average is not acceptable

      Of course not, but it is important to limit the damage in addition to other measures. It certainly is better than allowing unauthorized access indefinitely...

      Of course, on average it would be more likely to be a week (assuming the password can be broken in a week), which is still bad, but not as bad as it might otherwise seem.

      It ignores completely whatever mechanism was used to obtain the password in the first place.

      That is true. My concern is of technological cracking. However, you are right-- social engineering is a larger issue and one that is often unfortunately overlooked. If I call you and ask you for your password because I am looking into a security incident, and you give it to me, then I can call back later after the passwords have been changed, say that I see you have changed your password but there is still something odd and I need your new password.

      Secondarily, if he/she knows the password, the bad guy/gal can change the password, possibly locking out the valid user.

      What is the alternative? Requiring that people make password change requests through the IT staff? I am sorry, but your last point seems irrelevant to the question at hand.

      I am *not* saying that password changing is a good primary method of security control but it is often an important secondary measure.

      For example, I would generally recommend that all off-site access ought to require a zero-knowledge authentication routine ideally with both private key and password phases. Passwords should be relegated to on-site use only because you have better control over this area of your security physically. In my network, passwords can only be used from outside the network to access email. While such a compromise might *still* be unacceptable, it is still vastly better than allowing access to other internal resources via such a password. External access is by public key only.

      One issue is that the user is usually the weakest link. We require password rotation as a way of reducing the value of this sort of attack. We also require training and point out that we can access all users' accounts without their passwords so we will never need to ask.

      --

      LedgerSMB: Open source Accounting/ERP
    17. Re:Password change policy by ehrichweiss · · Score: 1

      True. It would at least be effective against an attacker who relied solely on the password not changing, however I just prefer reading logs (I speed read about 25k wpm, no joke, so this is just practice for me) and watching for suspicious patterns. If the attacker is a "cracker" who has no real knowledge of what they're doing but manages to snag a password that was written down (and quite possibly can do it repeatedly), they'll still manage to get access but they won't manage to prevent multiple logons, or late-night probes, or whatever from being logged. If they're a real attacker who knows what they're doing, knows about MITM attacks, etc. they'll leave other signs in the logs that, if one is familiar with the look of typical usage, will stick out like a sore thumb. And that brings up another point, laziness on the part of the sysadmins themselves. I mean how many times have we seen an admin who relies on their initial security measures like frequent password changes, password age, etc. and never bothers reading logs to see if there is an issue they should be aware of. I'd rather think like an attacker than the typical admin for that reason alone.

      --
      0x09F911029D74E35BD84156C5635688C0
    18. Re:Password change policy by Rich0 · · Score: 1

      Ok, so the hacker finds out a user has a password "hardtoguess24". At the end of the month they find the password no longer works.

      No problem - they type in "hardtoguess25", and now they're in again. The typical user response to password expiry is to add an incremented field to their password. The hackers know this as well.
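
The rotation debate in this sub-thread comes down to a handful of mechanical controls: a history depth (muhgcee), a minimum password age so the "change it N times and back again" trick fails (ehrichweiss), a maximum age that bounds how long a stolen password stays useful (einhverfr), and, the part most systems skip, a similarity check so "hardtoguess24" cannot become "hardtoguess25" (Rich0). Below is an added example showing all four together; it is not code from any poster or product, the PBKDF2 round count is deliberately low for the demo, and the sample passwords and policy numbers are constructed.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

DAY = 86400.0
PBKDF2_ROUNDS = 20_000   # kept low for the demo; use far more (or argon2/scrypt) in production


@dataclass
class Policy:
    history_depth: int = 12     # previous passwords that can never be reused
    min_age_days: float = 1.0   # defeats "change it twelve times, then back to the original"
    max_age_days: float = 90.0  # bounds the useful life of a stolen password


@dataclass
class Account:
    history: list = field(default_factory=list)   # [(salt, digest)], newest first
    last_change: float = 0.0                      # seconds since epoch


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_digest(password, salt), digest)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches 'append a !' and 'capitalise the first letter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str) -> bool:
    """The lazy transformations a rotation policy invites. Only possible at
    change time, because that is the one moment the old password is in clear."""
    o, n = old.lower(), new.lower()
    stem = lambda s: re.fullmatch(r"(.*?)\d*", s).group(1)   # text before a trailing counter
    if stem(o) and stem(o) == stem(n):                        # hardtoguess24 -> hardtoguess25
        return True
    return levenshtein(o, n) <= 2                             # a keystroke or two of "change"


def set_initial(acct: Account, password: str, now: float) -> None:
    salt = secrets.token_bytes(16)
    acct.history.insert(0, (salt, _digest(password, salt)))
    acct.last_change = now


def change_password(acct: Account, current: str, new: str, now: float, policy=None):
    policy = policy or Policy()
    salt0, digest0 = acct.history[0]
    if not _verify(current, salt0, digest0):
        return False, "current password incorrect"
    if now - acct.last_change < policy.min_age_days * DAY:
        return False, "minimum password age not reached"
    if too_similar(current, new):
        return False, "too similar to current password"
    if any(_verify(new, s, d) for s, d in acct.history):      # history only holds hashes
        return False, "matches a previous password"
    salt = secrets.token_bytes(16)
    acct.history.insert(0, (salt, _digest(new, salt)))
    del acct.history[policy.history_depth:]
    acct.last_change = now
    return True, "changed"


def must_rotate(acct: Account, now: float, policy=None) -> bool:
    policy = policy or Policy()
    return now - acct.last_change >= policy.max_age_days * DAY


if __name__ == "__main__":
    acct = Account()
    set_initial(acct, "hardtoguess24", now=0.0)
    for old, new, when in [("hardtoguess24", "hardtoguess25", 30 * DAY),
                           ("hardtoguess24", "xK9#vR2m!qLp", 0.5 * DAY),
                           ("hardtoguess24", "xK9#vR2m!qLp", 30 * DAY),
                           ("xK9#vR2m!qLp", "hardtoguess24", 60 * DAY)]:
        print(f"day {when / DAY:>4.1f}: {old} -> {new}: {change_password(acct, old, new, when)}")
```

Two caveats the thread already raises still hold: none of this helps if the password is re-stolen the same way it was stolen the first time (mengel's point), and the similarity check only sees the current password, so the history comparison can never catch "hardtoguess26" against a two-changes-old "hardtoguess24" unless the intervening change was also blocked.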

  5. One attack he didn't mention... by patio11 · · Score: 5, Funny

    ... getting your server brute-forced by a Slashdotting.

    1. Re:One attack he didn't mention... by Anonymous Coward · · Score: 0

      I have no way of telling, as I got an error page when I tried to RTFA, and TFA was posted eight hours ago! ...and then there's the most recently posted article about why the US isn't producing CS majors, I think this explains it.

      Would you study CS in a school whose servers could be slashdotted eight hours after TFA was posted?

      I fear my grandchildren will live in a third world country named "USA".

      (MRC="wreched")

  6. Couldn't agree more on some points by tanveer1979 · · Score: 3, Insightful

    Monthly change policies. They are simply stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. Other option is to educate them to choose good passwords, but that works with half the people. Best solution, let the users not choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on internal network was set this way. You would click on a button saying, choose new password. Many options would appear and you choose one. If you don't like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6 lettered words, sometimes easy to remember combinations would appear, like y1pl3t. Remember it as yiplet!

    If you don't have the benefit of a machine generator and want to specify something memorable, don't be too obvious. For example you have a poodle named fido (If you do I doubt you would be reading /.). So you can have a password which is easy to crack: fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible.
    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
    1. Re:Couldn't agree more on some points by dgatwood · · Score: 3, Insightful
      Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security. No, seriously.

      If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.

      Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).

      Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Couldn't agree more on some points by tanveer1979 · · Score: 1

      It will be the most insecure thing if people are writing down their passwords. I suggested choose an easy to remember combination which can be guessed by nobody but you. For example h4r4m1. In an office environment its social engineering but with internet spreading you form a parallel identity. Somebody could hijack that identity and cause you a lot of grief. Case in point. http://news.google.com/news/url?sa=t&ct=:ePkh8BM9E 2IFGm_AIgSzKgkkUGLAituezDwjgWL1DQKJ3Pxeu2LZfMLctqk CAEoGDEE/2-0&fp=444d618030161f0b&ei=5sVNRN-THb_uHP jSyegK&url=http%3A//timesofindia.indiatimes.com/ar ticleshow/1495553.cms&cid=0 http://news.google.com/news/url?sa=t&ct=:ePkh8BM9E 2IFGm_AIgSzKgkkUGLAituezDwjgWL1DQKJ3Pxeu2LZfMLctqk CAEoGDEE/1-0&fp=444da6352b89004c&ei=CMZNRKrXHaqKHI Osif4K&url=http%3A//economictimes.indiatimes.com/a rticleshow/1495644.cms&cid=0 Now he may have posted those messages himself, or his account may have been cracked. Now if it's the latter, his laxness with his computer security has led to events which may change his life permanently. More often than not such attacks take place due to weak passwords or security. Having a m/c generated password will save you against dictionary attacks at least!

      --
      My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
      FB : https://www.facebook.com/TanveersPhotography
    3. Re:Couldn't agree more on some points by iabervon · · Score: 1

      I think IT departments concerned about security should make it a stated policy that they will try to find out your password, and, if they succeed, they'll reset it and prevent you from ever using that one again, and you have to figure out yourself that it's been changed, and ask them to let you set it to something you know. That would quickly make people a lot more resistant to social engineering and less likely to write passwords down or choose obvious ones. It would also show that the IT department is doing something about password security, since they'd occasionally catch people revealing their passwords and enforce the policy.

      (Obviously, they wouldn't use their special IT abilities, like being able to install keyloggers on people's computers, but anything that an arbitrary employee would be able to do without being too obvious or causing damage is fair game.)

    4. Re:Couldn't agree more on some points by gbobeck · · Score: 1
      Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security.


      I agree. I believe that trusting an algorithm to produce a "random" password is foolish because it is at best "pseudo random". The passwords generated aren't always good. In any case, all passwords can be brute forced given enough time and firepower.

      Besides, 99% of security compromises aren't through guessed passwords anyway


      I would also add escalation of privileges, backdoors, and of course, stupid administrator tricks (the "hey, no one would want to hack us... we aren't important enough" or "telnet, wtf uses telnet... we are safe!" kind of tricks).
      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
    5. Re:Couldn't agree more on some points by cyborch · · Score: 3, Funny

      ... there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices ...

      ... 99% of security compromises ...

      ... 25% of people ...

      In other news: 87.3% of all surveys are made up on the spot.

    6. Re:Couldn't agree more on some points by suv4x4 · · Score: 2, Informative

      "So you can have a password which is easy to crack fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible."

      Yup, impossible, there's apparently this belief that hackers have no "1" and "3" on their keyboard so that every I should be written as 1, and every E as 3.

      When, like 90% of the passwords are made that way, guess what, it's not harder to guess.

    7. Re:Couldn't agree more on some points by Jessta · · Score: 1

      how is 'pf010dd0l3' more secure than 'pfoioddole'?
      everyone knows that i or l could be replaced by a '1' and e is usually replaced by a '3'.

      The reason for having both numbers and letters in a password is to increase the number of combinations(from 26 to 36 times per character). For this to work all numbers and all letters have to be possible in the password.

      As for myself I prefer longer passwords that are easy to remember because they contain words. As long as you take the "something you have and something you know" approach and have lock out after a certain number of incorrect password guesses then it really doesn't matter how strong your passwords are as long as they are not completely obvious.

      The usual downside of locking people out for incorrect guesses is that this can be used to perform a denial of service attack. The solution to this is the 'something you have', the attacker is required to have already stolen the 'something you have' before they get a chance to brute force your password. In such a case, with a three guess lockout, a three character password is almost sufficient.

      - Jesse McNelis

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
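      The two posts above make a quantitative point: a password's strength is the size of the space an attacker must search, and replacing letters with look-alike digits in a dictionary word only multiplies that space by the number of substitution variants, not by 36 per character. The following Python is an added example written for this thread, not code from the original post or from the article; the dictionary size, the substitution table and the "fidopoodle" sample word are constructed assumptions.

```python
import itertools
import math

# Constructed sizes of the usual password alphabets.
CHARSET_SIZES = {"lowercase": 26, "lower+digits": 36,
                 "lower+upper+digits": 62, "printable ASCII": 94}

# Substitutions a rule-based wordlist expansion routinely applies (assumed table).
LEET_MAP = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from charset_size**length."""
    return length * math.log2(charset_size)


def leet_variants(word: str) -> set[str]:
    """All spellings reachable by optionally substituting each letter of `word`.

    A cracking rule set enumerates exactly this set for every dictionary word,
    so its size is the only extra work a substituted password adds over the
    plain word.
    """
    options = [(ch, LEET_MAP[ch]) if ch in LEET_MAP else (ch,) for ch in word.lower()]
    return {"".join(p) for p in itertools.product(*options)}


def substituted_word_bits(word: str, dictionary_size: int) -> float:
    """Entropy of 'a dictionary word with some substitutions' against a
    dictionary of dictionary_size words: log2(words * variants per word)."""
    return math.log2(dictionary_size * len(leet_variants(word)))


def online_guess_probability(charset_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` online guesses hit a uniformly random password
    before a lockout stops them (the 'three guesses then lock' scenario)."""
    return attempts / charset_size ** length


if __name__ == "__main__":
    print(f"10 uniformly random lower+digit chars: {keyspace_bits(36, 10):.1f} bits")
    variants = len(leet_variants("fidopoodle"))
    print(f"'fidopoodle' with substitutions vs a 100k-word dictionary: "
          f"{substituted_word_bits('fidopoodle', 100_000):.1f} bits ({variants} variants)")
    print(f"3 online guesses vs a 3-char lower+digit password: "
          f"{online_guess_probability(36, 3, 3):.2e}")
```

      Run stand-alone it shows the gap: ten random characters from 36 symbols are about 52 bits, while "fidopoodle" with any mix of substitutions is 64 variants of one word, about 23 bits against a hundred-thousand-word dictionary. The last line is the lockout arithmetic from the post: with three guesses before lockout, even a three-character password is guessed online with probability on the order of 1e-4.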
    8. Re:Couldn't agree more on some points by muhgcee · · Score: 1

      I would really hope that a password that a user is meant to keep for one year is longer than six characters. If they are keeping it for a year then, hell, it could be 16 characters, with letters, numbers, and other characters and impossible to pronounce. It really isn't that hard to remember a long password, especially if you only have to remember one or two of them, and you don't have to change it for a long time.

    9. Re:Couldn't agree more on some points by Anonymous Coward · · Score: 0

      I believe that trusting an algorithm to produce a "random" password is foolish because it is at best "pseudo random".

      This is irrelevant. Pseudo random doesn't mean that it's always "less random", but that if you have enough information on the state of the system when the password was generated, you can compute the password easily. "Enough" information may be as simple as the time (in seconds since epoch) when the password was made, but even that is hard to guess afterwards. If the system used /dev/random or similar things, then good luck.

      Pseudo random algorithms become a problem when you're using a lot of those numbers, because they may produce unwanted patterns. But in the case of a password, you'll only use about 10 or 12 of them.
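      The distinction the reply draws is between a generator whose output is a function of a guessable seed and one fed from the operating system's entropy pool. The Python below is an added example for this thread, not code from the post or the article; it contrasts a Mersenne Twister seeded with a Unix timestamp (a constructed seed value is used) against the `secrets` module, and computes how much entropy a time-seeded password really carries.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def weak_password(seed: int, length: int = 12) -> str:
    """Password from a Mersenne Twister seeded with `seed`, e.g. int(time.time()).

    Every character is a deterministic function of the seed, so the number of
    distinct passwords this can ever produce is bounded by the number of seeds
    the generator might plausibly have been given, not by 62**length.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = 12) -> str:
    """Password from the OS CSPRNG (/dev/urandom or equivalent) via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def nominal_bits(length: int) -> float:
    """Entropy the alphabet and length advertise."""
    return length * math.log2(len(ALPHABET))


def time_seeded_bits(window_seconds: int) -> float:
    """Effective entropy when the seed is a Unix timestamp known to lie within a
    window of `window_seconds` at one-second resolution: log2 of the seed count."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    year = 365 * 24 * 3600
    seed = 1_150_000_000  # constructed timestamp, mid-2006
    print("same seed, same password:", weak_password(seed) == weak_password(seed))
    print(f"advertised: {nominal_bits(12):.1f} bits; "
          f"time-seeded within one year: {time_seeded_bits(year):.1f} bits")
    print("CSPRNG password:", strong_password())
```

      The point the numbers make: twelve characters from 62 symbols advertise about 71 bits, but if the seed was the clock and the creation time is known to within a year, the password has fewer than 25 bits of entropy however long it is. The CSPRNG path has no seed to reconstruct, which is what the "good luck" in the post refers to.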

    10. Re:Couldn't agree more on some points by somersault · · Score: 1

      I don't think it should be the case that you let them figure out the password is changed themselves, otherwise they call you down to fix some strange problem, then it just turns out to be that their password has expired. I really want to get one section of our company in particular choosing better passwords, the ones they use really are moronic.. also they think that you can only get onto one computer using a certain person's username/password combo, and share their passwords around. They were thinking about selling off that division a few years ago, hopefully they will reconsider soon! One of my colleagues tried to have a word with them about their password policies, I have the odd little rant, but I don't think they really care..

      --
      which is totally what she said
    11. Re:Couldn't agree more on some points by TCM · · Score: 1

      I think IT departments concerned about security should make it a stated policy that they will try to find out your password

      I'm sure $PHB will happily spew some cash for the extra password-cracking cluster in the closet. :)

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    12. Re:Couldn't agree more on some points by Anonymous Coward · · Score: 0

      If you throw a monthly change policy at such people they will change their passwords to simple things.

      This is assuming they will use a difficult password if only they didn't have to ever change it. Patently not true. The vast majority of users will use the simplest password they can get away with. Any policy you put in place for password security can and will be circumvented. Period.

    13. Re:Couldn't agree more on some points by Anonymous Coward · · Score: 0
      If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.
      Not a problem if people would put their password reminders under the mousepad where they belong. :)
    14. Re:Couldn't agree more on some points by faust13 · · Score: 1

      I guarantee:

      After the user clicks "Choose a new password" 10 times and didn't like any of them, out of sheer frustration they finally just selected one. About 1.2 seconds later, they wrote that password down on a post-it note, where their new password is proudly displayed on their monitor.

      There's secure, and then there's stupid. This falls into the latter. No average user will be able to remember some machine generated pword.

  7. Absolutely true by Chairboy · · Score: 5, Insightful

    I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alphanumeric characters, and (this is the kicker) were required to be changed every few weeks.

    I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

    Writing. Their. Passwords. Down.

    It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad, in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

    A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

    1. Re:Absolutely true by crossmr · · Score: 1

      I've seen forums that try to implement ridiculous password requirements. Not anything fancy, your standard web forum for Joe User requires that you have upper and lower case letters, that you include numbers, but the password can neither begin nor end with the number, that the number has to be 8 characters long and prime, if it's a Tuesday it won't let you enter your password while wearing blue shorts, and other absolutely pathetic stuff. You're a web forum.. about cheese. Seriously you don't need security this tight.

    2. Re:Absolutely true by MichaelSmith · · Score: 1
      had begun writing their passwords down at their desks.

      The ITS department where I used to work had a similar policy. One time I had to get a file or something from one of the civil engineering teams. The team leader was out but one of his staff knew the algorithm they had decided on for the password. It was something like initials+year+month.

    3. Re:Absolutely true by Barnoid · · Score: 2, Insightful

      I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

      Writing. Their. Passwords. Down.

      It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.


      If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly, you can write your password down without posting it to the monitor, and even so, a remote attacker still can't see your post-it notes on the screen.

      In my lab, I don't worry about co-workers knowing passwords of their colleagues. I'd rather have them write it down if it withstands a brute force attack on the SSH/webmail interface.

    4. Re:Absolutely true by Vo0k · · Score: 1

      Login: bugmenot
      Password: Bugm3n.+
      Reminder: http://www.bugmenot.com/

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    5. Re:Absolutely true by Anonymous Coward · · Score: 0

      Posting as AC.

      As an onsite tech admin who rotates through many companies (I'm a rentable IT guy) I just visited a client today who had diligently recorded every password for the network, his account, the admin account, and his wife's account all in a paper folder that he referenced along with the network diagram and configuration.....

      And his biggest concern was about physical theft of his server / hard drives. Someone could walk in, photocopy a piece of paper, and walk out and then copy the files at leisure.

    6. Re:Absolutely true by Anonymous Coward · · Score: 0

      People where I work are starting to write password*s* down since corporate IT announced a new password policy:

      * password has to be at least 12 characters

      * has to contain upper and lower case letter, number, special character and no word

      * must change every 3 months

      * must not repeat or be similar to the previous 12 passwords you have used

      * and we have another system that we also have to use, which takes at most 8 characters and does not allow special characters and is case-insensitive; the system also requires a different user ID from other systems, which happens to be case-insensitive but the user ID has to be at least 6 characters

      * and there is yet another system that we also have to use at the same time, which takes case-sensitive letters and numbers as password, and depending on the version of that system, some of them limit the maximum length of passwords to 8.

      And people have started writing down passwords.

    7. Re:Absolutely true by shmlco · · Score: 1

      FYI: A company I know of that relies on user registrations automatically flags email addresses, usernames, and passwords that contain anon, bugme, spam, asd, sdf, and other key words. Most such accounts are automatically closed.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    8. Re:Absolutely true by Beryllium+Sphere(tm) · · Score: 3, Informative

      >Writing. Their. Passwords. Down.

      The part which should horrify you is the At. Their. Desks. part. If the paper with their password is in their wallet, protected as well as their ~$100 in cash, and especially if it doesn't have other login details on it -- well, some places need more security than that but not all. At that point the paper with the password on it becomes a strange kind of hardware token.

      Even the At. Their. Desks. part should be kept in perspective. You should close attack paths on general principles of course but remember that anyone standing at the person's desk has physical access. Physical access gives you a lot of other worries though all of them require more motivation than reading somebody's password does.

    9. Re:Absolutely true by Anonymous Coward · · Score: 0

      I used to do business with that company untill the implemented that policy.

      Sincerely,
      Spamsdfbumeasdanon Smith

    10. Re:Absolutely true by shmlco · · Score: 1

      "... untill the [sic] implemented that policy..."

      Yeah, it's obvious you're in their primary demographic.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    11. Re:Absolutely true by jrumney · · Score: 1

      Physical access to a desktop PC doesn't give you much in many corporate situations. The valuable information is on network drives, and the password hands the intruder this on a plate. Given the number of activities companies outsource these days, physical access is the easy part.

    12. Re:Absolutely true by Anonymous Coward · · Score: 0

      If the paper with their password is in their wallet, protected as well as their ~$100 in cash

      I love you Americans and your olde-worlde ways. Carrying large amounts of cash around? How quaint!

    13. Re:Absolutely true by Anonymous Coward · · Score: 0

      Gee. Does this mean we actually have to think for ourselves now???!??!?!?!?!?!?!??1+1111 ;-)

    14. Re:Absolutely true by surprise_audit · · Score: 1
      Even the At. Their. Desks. part should be kept in perspective.

      Yep, sure does. When I go home, my company-supplied laptop goes with me. I could leave my password taped to my monitor, and it wouldn't do anyone any good, unless they broke into my house...

    15. Re:Absolutely true by somersault · · Score: 1

      You should either have individual accounts with proper access privileges (assuming people 'need' to use someone else's account to access something), or a shared account for everyone. What happens when someone malicious (maybe not likely to happen where you are, but you can never be 100% sure) uses the account for something illegal/'not safe for work', and the owner of the account gets the blame? I am the sort of person that likes to trust people, and I would 'trust' my friends with using my account, but I'm not going to give my password to them, as there is no need, and maybe they won't understand how important it is to keep my password secure, if I was lax enough to give it to them.

      The people at my workplace are bothered about security guards/whoever being able to use our network to browse inappropriate material now, as this did actually happen (our content filter license had run out before I started working here, and was running on a grace period for a few months), and so while you and I feel we can trust our colleagues, have you thought about all the situations that your security needs to cope with? What if a cleaner sees one of your passwords and uses it/tells someone? Or if someone poses as a cleaner to locate passwords? Then they can leave and get into your system from the comfort of a remote computer.. it's not very likely to happen, but it could, and if you don't take it seriously enough, chances are your security will get compromised eventually.

      --
      which is totally what she said
    16. Re:Absolutely true by darkmeridian · · Score: 1

      Management can suggest writing down the passwords on a thin strip of paper, and then gluing that thin strip of paper onto their credit cards. Well, at least that's what I do with my super-long passwords which cannot be remembered easily. That way, the password becomes more of a physical embodiment, a token of sorts. If I lose my credit card, well, I'll be unable to login and then I'll have to cry for help. But at least I'll know something's wrong. The security of this method is pretty good, I would figure, since I'd never, ever let the credit card out of my sight--even when buying something. Of course, removing the sticker without wiping out the signature strip (which dissolves under solvent!) is kind of tricky.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    17. Re:Absolutely true by Anonymous Coward · · Score: 0

      It was the national literacy support group, you insensitive clod!

    18. Re:Absolutely true by timbck2 · · Score: 2, Insightful
      Yep, sure does. When I go home, my company-supplied laptop goes with me. I could leave my password taped to my monitor, and it wouldn't do anyone any good, unless they broke into my house...
      ... or steal your laptop out of your car, or off the subway, or from the coffee shop, or wherever you take it.
      --
      Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
    19. Re:Absolutely true by antdude · · Score: 1

      It's worse when there are many passwords to remember in one company. Very frustrating.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    20. Re:Absolutely true by Anonymous Coward · · Score: 0

      If you can't remember your password (which is why you'd write it down, presumably) you would need to keep it with your laptop. So in all likelihood it would be glued not to the monitor but to the laptop. If that was stolen, the thief would have access to your company network too.

    21. Re:Absolutely true by zippthorne · · Score: 1

      That is very interesting: must not repeat or be similar to the previous 12 passwords you have used

      In order to enforce this, the plain-text password must be stored somewhere. You can't get similarity from a hash.

      --
      Can you be Even More Awesome?!
    22. Re:Absolutely true by sckeener · · Score: 1

      Writing. Their. Passwords. Down.

      writing their passwords down is not a problem. It is only a problem if they do not treat it like a $1000 bill.

      --
      "Only one thing, is impossible for god: to find any sense in any copyright law on the planet." Mark Twain
    23. Re:Absolutely true by houghi · · Score: 1

      I did the following at a company. After a month I needed to change my password. I did that and the next day I just phoned IT who then reset my password. That one I could use once and I then changed it to my regular one.

      At another company that did not work, so I just used PassMMYY (Pass0406) and changed that every month.

      Changing your password every month makes you look for easier passwords, not for more difficult passwords or safer ones.

      --
      Don't fight for your country, if your country does not fight for you.
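      Two posts above touch the same mechanism from opposite sides: zippthorne's point that a "not similar to your last 12 passwords" rule cannot be evaluated against hashes, and houghi's PassMMYY trick that defeats a plain history check. An added example, not code from either post or from the article: one defender-side way to keep only salted hashes of past passwords and still reject near-repeats is to derive a bounded set of cheap variants of the candidate (case flips, stripped or stepped trailing digits, the previous months of an MMYY suffix) and test each against the stored hashes. The `PasswordHistory` class, the variant rules and the low iteration count are constructed for the example; a real deployment would pick a memory-hard KDF and tune the work factor.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 10_000  # constructed, deliberately low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Keeps the last `depth` passwords as (salt, digest) pairs, never plaintext."""

    def __init__(self, depth: int = 12):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.depth:]

    def contains(self, candidate: str) -> bool:
        """True if `candidate` equals any stored password (constant-time compare)."""
        return any(hmac.compare_digest(hash_password(candidate, salt), digest)
                   for salt, digest in self.entries)


def previous_months(mm: int, yy: int, count: int = 12) -> list[str]:
    """MMYY strings for the `count` months before month mm of two-digit year yy."""
    out = []
    for _ in range(count):
        mm -= 1
        if mm == 0:
            mm, yy = 12, (yy - 1) % 100
        out.append(f"{mm:02d}{yy:02d}")
    return out


def near_variants(candidate: str) -> set[str]:
    """Cheap edits users apply to 'change' a password without really changing it.

    The size of this set bounds the cost of the check: each variant costs one
    KDF evaluation per history entry.
    """
    bases = {candidate}
    bases.add(re.sub(r"[\d\W_]+$", "", candidate))            # drop trailing digits/punctuation
    m = re.fullmatch(r"(.*?)(\d+)", candidate)                # step a trailing counter
    if m:
        stem, digits = m.groups()
        for delta in (-3, -2, -1, 1):
            n = int(digits) + delta
            if n >= 0:
                bases.add(stem + str(n).zfill(len(digits)))
    m = re.fullmatch(r"(.*?)(\d{2})(\d{2})", candidate)       # PassMMYY style suffix
    if m and 1 <= int(m.group(2)) <= 12:
        stem = m.group(1)
        bases.update(stem + mmyy for mmyy in previous_months(int(m.group(2)), int(m.group(3))))
    variants = set()
    for b in bases:
        if b:
            variants.update({b, b.lower(), b.upper(), b.swapcase(), b.capitalize()})
    return variants


def is_too_similar(history: PasswordHistory, candidate: str) -> bool:
    """Reject `candidate` if it, or any near-variant of it, is in the history."""
    return any(history.contains(v) for v in near_variants(candidate))


if __name__ == "__main__":
    h = PasswordHistory()
    for old in ("Pass0306", "moonunit"):   # constructed sample history
        h.add(old)
    for new in ("Pass0406", "Moonunit1", "correct horse battery staple"):
        print(f"{new!r}: {'rejected' if is_too_similar(h, new) else 'accepted'}")
```

      The check never needs a plaintext copy of any old password; what it costs instead is KDF work proportional to the variant count times the history depth, which is why the variant rules are kept deliberately small and explicit.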
    24. Re:Absolutely true by Blakey+Rat · · Score: 1

      Nothing wrong with writing them down as long as:

      1) It doesn't have more login details (username, company name, specific software it's for, etc)

      2) It goes with the user in their wallet or purse, and isn't sitting right next to the computer it's used on.

      If you have: "Novell Login for J Smith, Sting Ray Systems: moonunit" in your wallet, that's bad.

      If you have: "moonunit" in your wallet, that's just confusing and weird.

    25. Re:Absolutely true by Unoti · · Score: 1

      That's an interesting idea. If I were to try this, then I'd be showing my super secure password to 20 strangers every week. I suppose whether that is more secure or less secure than posting it on a monitor at work depends on the environment.

    26. Re:Absolutely true by jc42 · · Score: 1

      It's worse when there are many passwords to remember ...

      My password file (which is a "hidden file" on a couple of web sites that I use ;-) currently has 108 passwords. There are very few duplicates. Not because of any policy of mine, but because the rules for passwords are different on most of the sites. At least most of them don't require monthly changes, or I'd be doing 5 or so changes every workday.

      When admins complain, I just tell them that it's their own policies that force me to do this. There's no way I'm going to remember a hundred or more different passwords; I have no choice but to record them somewhere. And since I need them while working from an assortment of places around the Net, I obviously have to put them somewhere that I can get at them from anywhere.

      And no, I won't keep them in my wallet. That would mean that a single pickpocket could destroy my life. No way I'd be that foolish.

      At least nearly everywhere I work allows the use of ssh. This pretty much minimizes the chance that some ISP worker can intercept my passwords. Or that a link over an AT&T long line will send a copy to a US government agency. If a site won't allow ssh/ssl, I just don't use that site in any way that requires password access. I've resigned from a few jobs because of this.

      Maybe some day the idiots running the various pieces of the Net won't force such measures on me, and I can use a single Something That I Know nearly everywhere. But right now, we're getting farther from that every day.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  8. Advice on passwords by Brandee07 · · Score: 4, Insightful
    Advice my dear mother gave me a long time ago:

    Passwords are like toothbrushes; change them every three months and don't share them with your friends.

    With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

    1. Re:Advice on passwords by dgatwood · · Score: 4, Insightful
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

      Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

      No, seriously. It is.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Advice on passwords by raftpeople · · Score: 2, Funny

      It happened to me. I was logging onto some box after having passed through a few different operating systems on various boxes to get there, when I keyed in my password the damn thing got echoed back to the screen and the person behind me started laughing (it was one of those passwords you wouldn't tell your mom about!).

    3. Re:Advice on passwords by loqi · · Score: 1

      No, seriously. He's talking about the cleartext username box.

      --
      If other reasons we do lack, we swear no one will die when we attack
    4. Re:Advice on passwords by dgatwood · · Score: 1
      Heheheh. At least it was something so offensive that you'd know it if anybody found it out. :-)

      Anyway, this is why I make it a point to only connect via ssh anymore. Telnet had lots of those issues (and was usually in the clear anyway).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Advice on passwords by wfberg · · Score: 5, Insightful


      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.


      The problem lies with badly designed operating system/windowing system software that allow windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Especially Windows applications love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into PuTTY's Pageant for example).. *sigh*

      --
      SCO employee? Check out the bounty
    6. Re:Advice on passwords by noidentity · · Score: 1

      "Passwords are like toothbrushes; change them every three months and don't share them with your friends."

      I like to be thorough so I go even further by asking around to be sure my passwords aren't the same as anyone else's.

    7. Re:Advice on passwords by wildsurf · · Score: 4, Funny

      Passwords are like toothbrushes; change them every three months and don't share them with your friends.

      Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

      --
      Weeks of coding saves hours of planning.
    8. Re:Advice on passwords by Zantetsuken · · Score: 1

      and that you don't share it with the dipshits that are going to visit half the porn sites on the net (who knows, maybe that would be fine if the system got so overloaded with spyware?)

    9. Re:Advice on passwords by LarsWestergren · · Score: 1

      Advice my dear mother gave me a long time ago:
      Passwords are like toothbrushes; change them every three months and don't share them with your friends.


      That is great advice! Your mother works with security I take it?

      --

      Being bitter is drinking poison and hoping someone else will die

    10. Re:Advice on passwords by ArsenneLupin · · Score: 1
      He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it.

      Yeah, saw one such incident too. A slideshow presentation about the library catalog system, before a room full of people. At a certain point in the presentation, the library lady decides to do a small demo of the system, and proceeds to log in to her account. Of course, she accidentally types her password (which has admin privileges...) into the login box, where everybody could see it on the huge projection screen! A big aww goes through the room...

      And funniest of all, she didn't change her password until a week after! (probably, after a week, she got tired of the inevitable pranks that everybody was playing using her account...)

      Moral of the story: if you expose your password in such a way, at least change it as soon as possible!

    11. Re:Advice on passwords by smasm · · Score: 1

      Passwords are like toothbrushes; change them every three months and don't share them with your friends.

      I can't help but compare email security with filing cabinet security. I don't think I'm alone in leaving my filing cabinet open with friends unaccompanied in my house. So why is it such a sin to share an email password? Occasionally I've asked a friend to retrieve an email when I need and am unable to check it myself.

      In the end, for my email account at least, I don't have much worth protecting. And even then, I trust my friends.

    12. Re:Advice on passwords by Anonymous Coward · · Score: 0

      Actually, it's the lack of focus stealing that's cost me my password. Twice now I've sent a password to GuildWars to one of my friends over an IM window. It takes a little while to load, particularly if there is an update, so I may chat while it loads. When done, the window pops up full screen, with the cursor flashing in the password box (username already filled in). I type the password, press return and nothing happens. A few seconds later, I get a message beep "What's this garbage you've sent me?".

    13. Re:Advice on passwords by icybee · · Score: 1

      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen?

      Errr. In every single TV program that ever featured someone entering a password. Usually in a huge font with lovely colors and accompanying sound effects and background graphics.

    14. Re:Advice on passwords by Dantu · · Score: 1
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen?


      Have you ever used something 'secure' on palmOS. I regularly use an SSH client on it; the password is shown on screen by default (and I leave it that way) because 'typos' are too easy to make with a stylus. Ditto a couple of other apps that require a password.

    15. Re:Advice on passwords by Mawbid · · Score: 1
      Software that echoes passwords to the screen? All over the place. Not on purpose, mind you.

      My friends have seen my passwords, or at least the beginning of my passwords, in the linux console and the gdm login box.

      What happens in the console is one of two things. Either the system is slow to turn off echo and start accepting the password and I blurt it out before that happens, or I mistype the password and retype it in the next username prompt (because most other things prompt for the password again at that time).

      gdm is not susceptible to the first kind of error, but falls for the second as well. It's actually a little worse than the console in that the change in the label on the input field is less noticeable than the change in the console prompt due to the size of the font. Microsoft does this better in XP.

      --
      Fuck the system? Nah, you might catch something.
    16. Re:Advice on passwords by Asgard · · Score: 1

      It also supercharges the electron gun in the monitor such that the image is projected onto the face of the user.

    17. Re:Advice on passwords by kenneth_martens · · Score: 1
      The problem lies with badly designed operating system/windowing system software that allow windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time.

      I agree. Focus-stealing should never happen, but it does happen--on Windows. It can happen in KDE too, but in the KDE control panel there's an option to disallow focus-stealing. Once I set that, KDE didn't let any app ever steal the focus from me. Instead of stealing focus, apps that want attention simply flash their taskbar entry.

      OS X does that by default. If an app needs user input, the Dock icon bounces to notify you that it's waiting for attention. But it doesn't steal the focus.

      To be fair to Microsoft, Windows XP is far better about handling focus than earlier incarnations of Windows. Focus-stealing happens only occasionally. I still think it could do a better job, but on the whole it's quite usable. (Sometimes, it's the opposite problem: an app is waiting for my input, but it never bothers to inform me that it needs attention. For example, Visual Basic 6 will wait silently for me to enter my SourceSafe password, without doing anything to notify me that it's waiting for input.)
    18. Re:Advice on passwords by Idarubicin · · Score: 1
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      Here's the problem for a typical login/password dialog box:

      What I want to type:
      Idarubicin <tab> snickerdoodle37
      What I expect to see on the screen:
      Username: Idarubicin
      Password: **************
      What I might inadvertently type with my fat fingers:
      Idarubicin <Caps Lock> snickerdoodle37
      What I don't want to see on the screen, but get anyway:
      Username: IdarubacinSNICKERDOODLE37
      Password:
      See the problem now?
      --
      ~Idarubicin
    19. Re:Advice on passwords by forkazoo · · Score: 1
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      I see it under two circumstances:
      a: They are in the username field, and type their password without noticing right away
      b: Some command line utility, where they are passing the password as a command line argument, rather than being prompted for it, i.e.:
      ncftp -u ueberleetmastersteve -p fluffybunny7 secretftpserver.dyndns.com

      People sometimes do stupid things. Even I do, rarely.
    20. Re:Advice on passwords by remitaylor · · Score: 1

      Our office was having a group IM conversation when, all of a sudden, I saw our admin password show up in the conversation (to everyone in the office). I turned around to see my IT colleague as his face started to glow red. He had been logging onto one of our servers when the IM window stole focus.

  9. myth #1 by Anonymous Coward · · Score: 0

    writing passwords down is not secure. This is untrue, Sticky Notes now has a special invisible ink mode.

  10. another trick by tanveer1979 · · Score: 1

    Wish I had pressed preview! Anyway, this will work with non-English speakers or if you know a language other than English. Well best are the languages like Punjabi, Hindi, Arabic etc., which are not popular in the web. You can have a word from those languages. Like bh44gj4. This is pronounced as Bhaag Ja. Which means Run away. Long time back I had a password which was t0g4dh4. This means To gadha, or "you donkey".

    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
    1. Re:another trick by Anonymous Coward · · Score: 0

      So if I knew where you worked, and knowing what you just posted - I'd need a Hindi dictionary and a script which replaces o -> 0, a -> 4. I'm not convinced those are hard passwords. There are an awful lot of Indian programmers out there...

  11. I don't need to REMEMBER passwords on sticky notes by crazyjeremy · · Score: 1, Informative

    An old company I was with found out how many users forgot their passwords & the stats for password resets with the Help Desk (passwords usually account for more tickets than anything). Upper management didn't like the number of tickets for passwords, so they told people to start using family names for their passwords and suggested they put all the passwords on a sticky note near their desk "in case they forgot".

  12. My Rule of Thumb by QuantumG · · Score: 4, Insightful

    I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

          "You have to balance security with convenience."

    Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

    --
    How we know is more important than what we know.
    1. Re:My Rule of Thumb by bhima · · Score: 1

      Years ago a new admin saddled us with ridiculous & onerous password requirements and when numerous people complained and wanted an explanation the official party line was that it was up for discussion. So more or less instantly they alienated anyone with any tenure and passwords have been on post-it notes on desks ever since. Because we have no input in these sorts of decisions most of us feel like it's not our problem. When the story broke about people giving their passwords to strangers who asked for them in the lobby (for a chocolate) the general consensus around here was despite the fact that we all knew what was going on, if our backups were up to date we'd give our passwords to anyone for the asking... again it's not our problem (once the data for your project is backed up).

      And in a real sense, in our environment, passwords are nearly useless. In order to open the door to the building you either have to have a keycard or have the security man to let you in. To get into the lobby you have to have a keycard or an escort from security. To get to my department you have to pass through two more secured doors, the door to my lab requires a keycard and the door to my office requires a real key. By then if you are there and you shouldn't be you are starring in Mission Impossible and a small thing like me having a password with 12 alphanumerics (1 capitalized) and 1 symbol isn't going to slow you down much.

      So like I said some person in the lobby asking for passwords is a stooge for the IT group and they better have good chocolate.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    2. Re:My Rule of Thumb by jonwil · · Score: 1

      What about systems that remember every password you ever use (or remember so many that it's unfeasible to go to one you used before)?

    3. Re:My Rule of Thumb by jonwil · · Score: 1

      In my workplace (which shall remain nameless), to get into the building during normal hours you need a photo badge passcard.
      To get in after hours, you need a photo badge passcard and a PIN.
      I also have an individual key to my desk to keep any confidential paper or other physical materials secure plus several different access passwords for different parts of the system (email, login, corporate intranet, other locations), all of which have to be changed periodically.

      Without passwords, there would be nothing to stop cleaners (who all have the same photo badge passcard access as I do), repair guys or even other engineers (I work in software development) accessing your machine and pretending to be you to steal confidential information or cause other problems.

    4. Re:My Rule of Thumb by Beryllium+Sphere(tm) · · Score: 1

      Your keycard should be your login token.

      The technology is available.

      The real myth about passwords is that they still make sense. Passwords are dead. Passwords that can hold up to a good cracking program are outside the memory capacity of normal people. (I memorized a 10-word Diceware passphrase with 129 bits of entropy once, but that only proves I'm abnormal).

      Your employer would improve both their security and your convenience by letting you have a hardware login.

    5. Re:My Rule of Thumb by Anonymous Coward · · Score: 0

      Secure authentication combines the following:
      1) What you have - keycard
      2) What you know - password
      3) Who you are - biometrics, etc

      What's to stop someone from stealing your card and being fully authenticated until you report the loss and that report is acted on? Nothing.

    6. Re:My Rule of Thumb by bhima · · Score: 1

      Oh absolutely!
      But I don't think this has ever been a technology problem. Most of the network has no route to the outside world and those ports that do are all behind locked (as in need a metal key) doors. Actually the only ports outside of keycard protected areas are attached to printers. So essentially the only real difference between having my password and not, is the ability to impersonate me... I doubt they could find something to email to CEO that I would truly object to.

      I swear some days it's like someone has read some of Bruce Schneier's stuff and is actively trying to implement the "don't do this" list.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    7. Re:My Rule of Thumb by bhima · · Score: 1

      That's very close to my work environment except the cleaning crew works during the day and has keycards but not keys. If my office is not open it doesn't get cleaned... so just by random chance I think they get it once a week. A different sort cleans the labs because not only are they bonded, they are also trained in basic lab and infectious disease safety. Anyway, given the difficulty in getting to an actual computer with network connectivity (particularly without having the security system record your entry) my keycard (or any of my assistants') should be enough to access the actual computer, and that would be a far sight better than the post-it note somewhere in the desktop debris strata.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    8. Re:My Rule of Thumb by Alioth · · Score: 1

      Oh it gets even better than that. The brain trusts at our place decided to have a monthly enforced password change, but you can't change your password for 20 days after changing it to prevent you from cycling through passwords to get back to your original.

      So now, if you think someone shoulder-surfed your password, you might not be able to actually change it!

    9. Re:My Rule of Thumb by Scudsucker · · Score: 1

      Yup. My Dad's a fed, and at the place he works at, the average age is probably 65. For most of the employees in his position, this is probably the first job they've had where they've needed to use a computer, or even the first time they've ever used one. Their department's password policy is a typical 10 character minimum, 2 capital letters with 2 symbols, and they have to be changed once a month. Sooo...EVERYONE writes their passwords on Post It notes, which they leave at their desks.

    10. Re:My Rule of Thumb by nosferatu1001 · · Score: 1

      However, brute force cracking should not be an option - I find in my job that recommending failed attempts = 3, lockout = 0 and window - 1440 minutes normally suffices (gives 2 attempts per day without locking the account. average time to crack 1 account - years)

      However, unless you have a good minimum length requirement, you're screwed!
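
As an added illustration of the lockout arithmetic in the comment above (example code written for this page, not the poster's own): a sliding-window lockout of the kind described, where 3 failures inside a 1440-minute window lock the account and a lockout duration of 0 means it stays locked until an administrator clears it, together with the online guessing time that policy implies. The threshold, window and the 26^8 keyspace are assumptions for the demo. It models online guessing only; as other replies in this thread point out, an attacker who has obtained the password hashes is not slowed by any of this.

```python
import bisect
from collections import defaultdict


class LockoutPolicy:
    """Sliding-window account lockout (assumed semantics for the demo).

    `threshold` failures within the last `window_minutes` lock the account.
    Lockout duration 0 (the setting quoted in the comment) is modelled as
    "locked until an administrator unlocks it".
    """

    def __init__(self, threshold: int = 3, window_minutes: float = 1440):
        self.threshold = threshold
        self.window = window_minutes
        self._failures = defaultdict(list)  # user -> sorted failure times (minutes)
        self._locked = set()

    def _prune(self, user: str, now: float) -> None:
        # Drop failures that are at least `window` minutes old.
        times = self._failures[user]
        del times[:bisect.bisect_right(times, now - self.window)]

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login at `now` (minutes); return True if the account is locked."""
        if user in self._locked:
            return True
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.threshold:
            self._locked.add(user)
        return user in self._locked

    def record_success(self, user: str) -> None:
        # A good login clears the failure counter, as most implementations do.
        self._failures[user].clear()

    def is_locked(self, user: str) -> bool:
        return user in self._locked

    def admin_unlock(self, user: str) -> None:
        self._locked.discard(user)
        self._failures[user].clear()


def safe_attempts_per_window(threshold: int) -> int:
    """Guesses an attacker can make per window without tripping the lock."""
    return threshold - 1


def expected_days_to_guess(keyspace: int, attempts_per_day: int) -> float:
    """Expected days of online guessing: on average half the keyspace is tried."""
    return keyspace / 2 / attempts_per_day


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window_minutes=1440)
    for minute in (0, 1, 2):
        print("alice locked after failure at minute", minute, "->",
              policy.record_failure("alice", minute))
    # Two guesses per day, 8 lowercase letters: assumed keyspace for the demo.
    print("expected days:", expected_days_to_guess(26 ** 8, safe_attempts_per_window(3)))
```

Two guesses a day against 26^8 possibilities comes out at roughly 5.2e10 days, which is the "years" in the comment; change the keyspace to a dictionary of a few thousand likely words and the same policy buys you only a few years, which is why the reply about minimum length matters.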

    11. Re:My Rule of Thumb by booch · · Score: 1

      I like to put it a different way: availability is actually priority #1, when it comes to security. That is, the system should be available to those who need access to it. (If the system was not available at all, it wouldn't need protecting, would it?) And if the users cannot get into the system due to stupid password policies, then you've reduced their availability to the system.

      --
      Software sucks. Open Source sucks less.
    12. Re:My Rule of Thumb by 241comp · · Score: 1

      My 6 character password stands up to cracking programs. Because you only get 3 tries. Of course, it never takes me more than 2 tries (and rarely takes even 2) because I know just what the password is. Passwords aren't the problem - the problem is the way modern systems use them. Why don't we make things ever harder the more tries you fail at. For instance, you get 1 try to enter the password. If that fails, the next time you must enter the password and user's birthday. If that fails, you must enter the password, birthday and last 4 of the user's social. If that fails, you must enter the password, birthday, last 4 of the user's social and mother's maiden name. If that fails... well, you get the point.

      I once wrote a program that I didn't want anyone else to be able to use. There were a number of security features but one of them was that if any part of the authentication routine (password, physical pass key disk, image point selection, etc) failed, it didn't tell you and just continued on in the process and when you completed it you would see fake data and interface controls. It would let you start manipulating things and after a short random time interval it would run garbage collection, throw a random error code and kill itself. Anyone trying to use my program probably thought I was the worst programmer in the world. And they probably would have given up after a few tries.

      The point is - cracking your password/account/program/whatever doesn't have to be impossible. It just has to be significantly more difficult than cracking the next guy's.

    13. Re:My Rule of Thumb by bhima · · Score: 1

      You obviously don't understand how "brute force cracking" works. The cracker *never* uses the MS Windows password entry UI. The average time to crack Windows passwords is minutes. So your company's recommendations are useless... which is more or less the point of the article.

      you should read up on it...

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    14. Re:My Rule of Thumb by bhima · · Score: 1

      Sounds like you need to read up on brute-force and Time-Memory Trade-Off attacks. The number of tries "the system" gives you is irrelevant to these attacks as they don't use "the system".

      I find it fascinating... go read up on it... you may find it interesting and it may help you secure your computer or your applications.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
    15. Re:My Rule of Thumb by nosferatu1001 · · Score: 1

      Only if they can get an example of the hashed LM - easy enough with laptops, but we can't help with that.

      If they're trying to come in from the outside, then some methods do query the database - this method is quite slow, however without meaningful lockouts it will be effective.

    16. Re:My Rule of Thumb by bhima · · Score: 1

      The password hash is easily available on desktops as well and it's only an account escalation away from someone from the outside. The true solution is salted password hashes which most decent OSes use anyway... and by decent I mean *BSD, Mac OS X, Solaris, Sun, and some Linux distros (I don't know which because I don't use Linux).

      I am also aware of a half measure implemented by Microsoft but I don't know what exactly it is or how to turn it on.

      I am also vaguely aware of a demonstrated Time-Memory trade-off attack on an oracle database but I did not see it, I only read about it.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
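
Added example for the salting point in the comment above (written for this page, not the poster's code): an unsalted hash of a password is the same everywhere, so one precomputed table, the basis of the time-memory trade-off attacks mentioned earlier in the thread, serves against every account; a per-record random salt and an iterated KDF make that table useless and slow each guess down. The wordlist is constructed for the demo and `fluffybunny7` is the password from an earlier comment; PBKDF2-HMAC-SHA256 and the record format are the choices made here, not anything the thread specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for an attacker's precomputed table.
WORDLIST = ["password", "letmein", "fluffybunny7", "snickerdoodle37", "bh44gj4"]

ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """One plain SHA-256: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """What an attacker precomputes once against unsalted storage."""
    return {unsalted_hash(w): w for w in words}


def lookup(digest_hex: str, table: dict) -> Optional[str]:
    """Reverse a digest by table lookup, or None if it is not in the table."""
    return table.get(digest_hex)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own salt
    so the same password stored twice yields two unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", lookup(unsalted_hash("fluffybunny7"), table))
    rec = make_record("fluffybunny7")
    print("salted record:  ", rec)
    print("salted lookup:  ", lookup(rec.split("$")[3], table))
    print("verify:         ", verify("fluffybunny7", rec))
```

The digest stored in the salted record never appears in the attacker's table even though the password is in the wordlist, and two records for the same password differ, so a table cannot even tell you which users share a password. Windows NT hashes are unsalted, which is what makes the stolen-hash scenario in the comments above practical; the iteration count is what turns a minutes-long offline crack into a per-guess cost the defender chooses.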
    17. Re:My Rule of Thumb by 241comp · · Score: 1

      Thanks for the tip. From what I know, for these kind of attacks to be carried out without multiple system login attempts requires access to the hashed or encrypted password which users do not have unless they have physical access to my computer. In which case they can just boot a Live CD and be done with it. Right? Or have I missed something?

    18. Re:My Rule of Thumb by bhima · · Score: 1

      physical access to the computer is not always needed (it makes things much, much easier).

      An account isn't always needed although it also makes things a lot easier.

      Having a guest account isn't really needed either.

      I've seen a security demonstration where he had most of the passwords in the building in a surprisingly short time... To be fair this did not take into account the building security or the physical security of the network because we let him in and gave him a working port to begin with.

      This is one of the reasons any sort of wireless is banned.

      I guess my real point is that there are dozens of hacking methods and these guys don't use brute force in ways where it is so obviously defeated AND that getting the password hashes was surprisingly easy (even if they were stored in some high dollar database).

      I walked away with overall idea that it is extremely dangerous to maintain a combative working relationship with employees with these sorts of skill sets.

      --
      Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  13. MOD PARENT +5 Funny! by WoTG · · Score: 2, Funny

    Uh... yeah, those passwords look easy enough to remember.

    Heck, I forgot my 4 digit alarm code about 6 months ago... and you want me to remember how to "spell" glid-Tev-Pos-EIGHT???

  14. pass PHRASE by Tumbleweed · · Score: 3, Insightful

    Doesn't anyone remember the 'pass phrase' thing from awhile back? You know - less complex but much longer passwords, so they're secure but easy to remember? "The quick fox jumps over the lazy brown dog" type of thing (though that should probably not be allowed :)

    Just please, NO biometrics.

    1. Re:pass PHRASE by Vo0k · · Score: 4, Interesting

      > Doesn't anyone remember the 'pass phrase' thing from awhile back?
      > "The quick fox jumps over the lazy brown dog"

      Way too long to type.

      > D'tart'pp;tfawb?
      > Tqfjotlbd

      Passphrase-based passwords (take each first letter, caps and semigraphics retained) are a good option.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    2. Re:pass PHRASE by Anonymous Coward · · Score: 0

      I personally use the pass-phrase "thequickbrownfoxjumpedoverthelazydawg" for my slashdot account and it's never been hacked too!

  15. He's wrong by gvc · · Score: 1

    There was never any rational basis for rotating passwords. Spafford's 70's rationale is amusing but bogus.

    1. Re:He's wrong by honkycat · · Score: 2, Interesting

      I think you're right -- even if you assume it takes a month for the systematic password search on the mainframe to try every password combination, changing your password doesn't help much.

      It does buy you a tiny bit, if they are actually trying every combination. Suppose it takes them two months to try every combo and after one month, your password is still unknown. They are now guaranteed to have it within the next month if you do not change it. If you do change it, then there's a 50% probability that you change it to something in the half they've already tried. It's not hard to work out the expected time to compromise, and you will find that there is some way to maximize it by changing your password at just the right rate.

      However, it's a pretty minor benefit. Furthermore, if they are doing anything less than checking every single password, then I'd bet it actually buys you nothing at all. The difference is because in that case, they're not guaranteed to guess your password after a fixed time interval.
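
The expected-time calculation sketched in the comment above, carried through as an added example (not the poster's own working): an attacker walks sequentially through n equally likely passwords, and the user replaces the password with a fresh uniformly random one every t guesses. The closed form is derived in the docstring and a second function checks it by propagating the probability distribution of the secret step by step. The model (sequential exhaustive search, uniform choice, rotation on a fixed schedule) is the idealisation assumed here; in it the expected number of guesses is (n + 1)/2 with no rotation and never exceeds n however often you rotate, so the gain is at most a factor of two, which is the "pretty minor benefit" the comment describes.

```python
def expected_guesses_closed_form(n: int, t: int) -> float:
    """Expected guesses until a sequential exhaustive search hits, when the
    secret is re-chosen uniformly from n values every t guesses.

    Each block of t distinct guesses hits with probability t/n, independently
    of earlier blocks (the secret was freshly chosen), and a hit lands on
    average (t + 1)/2 guesses into its block.  The number of fruitless blocks
    is geometric with mean (n - t)/t, so

        E = (n - t) + (t + 1) / 2

    With t = n (rotate only after a full sweep) this is (n + 1)/2; with t = 1
    every guess is an independent 1/n shot and E = n.  A t larger than n
    behaves like t = n because the sweep finishes first.
    """
    if n < 1 or t < 1:
        raise ValueError("n and t must be positive")
    t = min(t, n)
    return (n - t) + (t + 1) / 2


def expected_guesses_exact(n: int, t: int, tol: float = 1e-15) -> float:
    """Same quantity, computed numerically: track P(secret == j) for every j
    while the attacker cycles through 0..n-1 and the user rotates every t."""
    dist = [1.0 / n] * n   # secret uniform before the first guess
    remaining = 1.0        # probability the secret has not been found yet
    expected = 0.0
    step = 0
    while remaining > tol:
        g = step % n                   # attacker's next guess
        hit = dist[g]
        expected += hit * (step + 1)   # found on guess number step+1
        remaining -= hit
        dist[g] = 0.0                  # that value is now ruled out
        step += 1
        if step % t == 0:              # rotation: secret uniform again,
            dist = [remaining / n] * n  # including already-tried values
    return expected


if __name__ == "__main__":
    n = 1000
    for t in (n, 500, 100, 10, 1):
        print(f"n={n} rotate every {t:>4}: closed form {expected_guesses_closed_form(n, t):7.1f}"
              f"  exact {expected_guesses_exact(n, t):7.1f}")
```

Run it and the two columns agree; the attacker's expected work climbs from 500.5 guesses with no rotation towards 1000 as rotation gets more frequent and stops there. Against the real threat the thread is discussing, an attacker holding the hash who finishes in minutes, no rotation schedule a human could follow changes the outcome.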

    2. Re:He's wrong by Dr.+Evil · · Score: 1

      ..and even that only makes sense if they have something to crack, like a password hash or an encrypted file.

      Otherwise, slowing down the system to human time scales and locking out passwords with a reasonable reset system (so as to reduce impact of denial of service) would prevent any guessing.

    3. Re:He's wrong by honkycat · · Score: 1

      Yep.

      The only real benefit of changing your password that I can think of was raised earlier in the discussion here -- it limits the amount of time that someone can surreptitiously use your account. Depending on what sort of system it is, that's possibly of some value. In any case, if security is important, you've got to have a good method for detecting unauthorized use quickly. Changing your password doesn't do this...

  16. I write passwords down... by cirby · · Score: 3, Funny

    Well, they *look* like passwords.

    They're not actually *to* the systems they're next to, but it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

    1. Re:I write passwords down... by MichaelSmith · · Score: 2, Interesting
      it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

      Maybe honeypots will become a standard security thing. The password will always work but it won't get you anywhere useful.

  17. Admin passwords, generating passwords, passphrases by Acer500 · · Score: 1

    Several comments actually:

    1- What's the usually accepted frequency of changing the admin password where you work? I work in a Microsoft shop, and there are way too many systems that have the password hard-coded (yes, I know that should not be), and every time we change it everything breaks down, bringing down the wrath of upper management (the very same upper management that pushes for more frequent changes and more stringent password policy).

    2- Another company I know of forced so many frequent changes that users started generating short passwords with an incremental number (d00D$001, d00D$002, d00D$003), making them easy to guess once you learn one (but complying with the password policy otherwise). Is that acceptable? (no I did not read TFA)

    3- There was a nice article on Microsoft on passphrases and how they are so much better than passwords. Has anyone had a good (or bad) experience with that?

    --
    There are three kinds of lies: lies, damned lies, and statistics.
  18. Picture Passwords by Metabolife · · Score: 5, Interesting

    I always thought the picture based passwords shown here were a creative way of making passwords.

    Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

    1. Re:Picture Passwords by Redwin · · Score: 1

      When I was doing my undergrad there was some research into alternative methods for passwords including using pictures. Clicking areas on the screen was great in that it was easy to remember; however, anyone watching the screen could see where you click as well. Alternatives were assigning areas of the screen to numbers on the keypad of the keyboard. Another was combining it with sound: hearing a storm triggers different recollections to hearing a bird song, for example. Given 9 different pictures on the screen you select one that you associate with the sound. The flaw of course was having to wear headphones to enter the system. :-)

      An interesting side note was that if you are selecting pictures from a list and you know the person, it is possible to guess what sort of pictures would appeal to that person and select those. Countering this, having 4 pictures that you select and 4 screens of nine pictures helps alleviate this slightly. Still fascinating stuff.

      --
      Warning, comments may not have been passed by the sanity department of my brain.
    2. Re:Picture Passwords by Red+Alastor · · Score: 2, Insightful
      Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.
      Forget security too. There is a limited number of points in a picture that are easy to spot and remember (windows, people heads, signs, whatever) so it's very easy to brute force.
      --
      Slashdot anagrams to "Sad Sloth"
  19. Auto change? by posterlogo · · Score: 0, Redundant
    Wouldn't it be simple to set the system to automatically request a password change from the user at manageable intervals? I know it's a "shove it down their throat" approach to security, but if it works...

    Then again, changing passes too frequently causes people to forget them and they end up writing them down, which might be worse. I dunno, it's a tough nut to crack. Need something unique to the person... biometric, RFID, retinal scan, brain wave scan, etc.

    1. Re:Auto change? by mikesd81 · · Score: 1

      Biometric has gotten big lately, and personally I like it. Hell, I think I even saw a commercial where a car company incorporated it into their doors (Lexus?). You can't really get someone's DNA or whatever and crack with it..unless you're a clone I suppose.

      I haven't seen too much biometric stuff for Linux though, other than servers/stations that come with it built in out-of-box.

      --
      That which does not kill me only postpones the inevitable.
    2. Re:Auto change? by Zantetsuken · · Score: 2, Interesting

      I think Lenovo is starting to sell a lot of finger-print-biometric-scanner notebooks now, it seems to be one of their big selling points for business buyers - not sure if it would work under Linux, but if its something where you have to scan your finger before it gets through with BIOS it oughta be something embedded into CMOS or some other part of the motherboard, in which case I would think it would still work whether you run Windows or Linux on it...

    3. Re:Auto change? by mikesd81 · · Score: 1

      Right, but how many people password a BIOS?


      The bio read before the computer boots up is great, but what about timed logouts during ssh sessions?

      --
      That which does not kill me only postpones the inevitable.
    4. Re:Auto change? by cheezitmike · · Score: 1
      Need something unique to the person... biometric, RFID, retinal scan, brain wave scan, etc.

      It's only a matter of time until some institutional IT committee following "best practices" starts requiring users to change their fingerprints every 6 months.

  20. Passwords? by bm_luethke · · Score: 5, Interesting

    The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was a good combination of stuff, not really something that was attackable by a dictionary, and they watched external requests pretty hard (and most of the service providers did also).

    But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with passwords and all to do with users' desktops and SSH key management. Everyone wanted symmetric keys so they never needed to type a passphrase or password. No one wanted to mess with keeping their computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

    That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It takes some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.

    *shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

    Fewer articles about password management; if it has not been beaten into your head by now you are a lost cause. Let's spend some time on key management and other security issues that are becoming MUCH more useful.

    --
    ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
    1. Re:Passwords? by Anonymous Coward · · Score: 0

      What does having a symmetric key have to do with having a passphrase-less key?

      If you're saying that everyone has a passphrase-less key, that's bad, and if you're saying that everyone uses the same key for each machine on which they have access, that's bad, and if you're saying that both of those things are true, that's VERY bad.

      But symmetric encryption is somewhat orthogonal to this issue.

  21. Shoulder surfable. by loqi · · Score: 3, Insightful

    You ever wonder why password fields don't echo the actual characters back to the screen?

    --
    If other reasons we do lack, we swear no one will die when we attack
    1. Re:Shoulder surfable. by stud9920 · · Score: 1

      No, but I hate it. If I'm going to let someone peep over my fucking shoulder, I know it is someone I can trust. Most generally, there IS no one. I have to retype my dictionary attack safe passwords dozens of times because of these fucking stars.

    2. Re:Shoulder surfable. by vinlud · · Score: 1

      Well that's easy to solve, we won't show the cursor!

      --
      Repeat after me: We are all individuals
    3. Re:Shoulder surfable. by Rob+the+Bold · · Score: 2, Funny
      You ever wonder why password fields don't echo the actual characters back to the screen?

      I used Lotus Notes for a while, and it had a "cool" feature of echoing seemingly-random numbers of hieroglyphics when you typed each character of a password. You never knew if your finger slipped or if you did just type bird-bird-eye-"guy going like this"-bird-ankh-ankh-ankh. Worse than single stars, worse than nothing, really.

      --
      I am not a crackpot.
    4. Re:Shoulder surfable. by nasch · · Score: 1

      It has the advantage of not disclosing to anyone watching over your shoulder how many characters your password has. Whether that's a meaningful advantage or not is questionable.

    5. Re:Shoulder surfable. by loqi · · Score: 1

      If I'm going to let someone peep over my fucking shoulder, I know it is someone I can trust. Most generally, there IS no one.

      While I'm thrilled you have the opportunity to employ Security By Isolation (patent pending), there are use cases for almost anything involving a password that also involve untrusted parties with at least the ability to glimpse your screen.

      Maybe password fields should come with a checkbox to "turn them off"?

      --
      If other reasons we do lack, we swear no one will die when we attack
    6. Re:Shoulder surfable. by morzel · · Score: 1

      Actually, the glyphs (nowadays it's a keyring, btw) are linked to both the password and the private key stored in the ID file, giving each user a specific sequence. Basically you get visual feedback on the keypair that is being decrypted while you are typing the password. Once you get accustomed to "your" sequence of glyphs, you should be able to easily detect a spoofed password prompt as it is displaying the wrong glyphs -- this all happens subconsciously so it's kinda spooky.
      So it has its uses, although a lot of users are oblivious about them because they're simply not educated about them...

      --
      Okay... I'll do the stupid things first, then you shy people follow.
      [Zappa]
  22. I've (unfortunately) forced this on users before by Corbets · · Score: 3, Insightful

    From a comment I just made on Spaf's blog....

    I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked) so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords every time someone left.

    And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.

  23. Thank you! by Pfhor · · Score: 1

    Thank you!

    I have been looking for ways at new password generation for system administration, and that is brilliant. Throw in some l33t speak for number / letter swaps and the suggestion you mentioned is golden.

    1. Re:Thank you! by Vo0k · · Score: 1

      For better remembering effect and to help your imagination at 'inventing' the passphrases have it "written" somewhere around the workplace. Use a sentence from a cover of some user's manual, writing on some poster, "safety regulations notice" or such lying around. Just sit at given computer and look around for some text. If you feel especially rude, swipe the text right from the login screen, like from the standardised footer of the login page with a copyright notice and such :) Especially helpful if you give the password with explanation to the user. "You don't need to write it down, it's written RIGHT HERE already." Steganography rules ;)

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    2. Re:Thank you! by GigsVT · · Score: 1

      Yes it does need some mixing up. The first letters of English words are pretty biased. Adding some replacements to it, not really l33t but something like replacing one word with a symbol is a good idea.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
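
Added example for the first-letter passphrase method proposed earlier in this thread ("take each first letter, caps and semigraphics retained") and the reply above that it needs mixing up (written for this page, not any poster's code): a function that derives the password from a phrase under that rule, and a character-class check of the kind the policies discussed in this thread enforce. The rule as implemented here (first letter of each word, case kept, plus any punctuation the word carries, in order) is one reading of the comment; the `Don't panic` phrase is constructed for the demo, and the policy thresholds are assumed.

```python
import string


def phrase_to_password(phrase: str) -> str:
    """First-letter method: for each whitespace-separated word keep its first
    letter or digit (case preserved) plus every punctuation character in the
    word, in the order they occur.  "Doesn't" -> "D'", "back?" -> "b?"."""
    out = []
    for word in phrase.split():
        took_first = False
        for ch in word:
            if ch.isalnum():
                if not took_first:
                    out.append(ch)
                    took_first = True
            else:
                out.append(ch)
    return "".join(out)


def character_classes(password: str) -> set:
    """Which of the four usual classes the password draws on."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def meets_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Assumed policy for the demo: at least min_len characters drawn from at
    least min_classes of upper, lower, digit and symbol."""
    return len(password) >= min_len and len(character_classes(password)) >= min_classes


if __name__ == "__main__":
    for phrase in ("The quick fox jumps over the lazy brown dog",
                   "Don't panic, it's only 42!"):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r}  classes={sorted(character_classes(pw))}"
              f"  policy={'ok' if meets_policy(pw) else 'fails'}")
```

The quick-fox phrase gives the `Tqfjotlbd` from the earlier comment and fails a three-class policy; a phrase that naturally carries contractions, punctuation and a numeral passes without any l33t substitution, which is the "mixing up" the reply asks for and harder to undo mechanically than o->0 and a->4.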
  24. Password "best practices" are counter-productive. by Symphonix · · Score: 3, Informative

    The company I work for enforces a lot of these password "best practice" rules. Most of our systems require passwords to be exactly 8 characters long, containing one digit but not in the first or last position, and must be changed every month. I'm certain this only makes things less secure, as users have a tendency to use even dumber and less secure passwords under these rules. For instance, if you instruct ten thousand users to change their password every month, then at least 500 of them will have "APRIL" or "APR" in their password at this very moment - even if you expressly forbid them to do this. Having complicated rules like "You must use 8 characters, including a digit in the middle" means that helpdesk staff often need to explain to the user several times what their password can be, and what they might or might not be able to have. When the average luser is now spending 3 minutes asking helpdesk - quite loudly in a crowded office - whether "BENJIDOG4" is a good password or not - then you've instantly lost the security of the password. Would it be more secure to let the user set a password without any requirement for it to contain numbers, or is it more secure to include the requirement and have every second user holding a long and loud discussion with everyone around them about what they're putting in and why won't it frickin work?

  25. Re:Admin passwords, generating passwords, passphra by Anonymous Coward · · Score: 1, Insightful

    Not reading TFA is like not bothering to unzip, not bothering to point at the porcelain, just letting go in your pants.

    Sure, it saves time, but everyone gets to see the big old wet patch.

  26. Easy for a Star Trek Fan Maybe... by Qybylance · · Score: 5, Funny

    They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

  27. Re:Password "best practices" are counter-productiv by mark-t · · Score: 1
    There are two dangerous policies that they implement.

    One, the requirement that passwords be exactly 8 characters long. A minimum length specification is fine, but it shouldn't be the same as the maximum.

    Further, changing every month is too often. You end up with people having to write them down because they don't have time to get used to any one. I'm all for changing passwords regularly, but that's waaaaay too often. On average, I think the ideal number of times that you should change a password is maybe 4 times in one year.

  28. Re:I've (unfortunately) forced this on users befor by tbird81 · · Score: 4, Insightful
    You'd fire people for sharing a password??

    Seriously, what's more important to the company: people logging in as another employee, or actually having employees with morale!

    Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

    There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

  29. Try phrases instead of gibberish by Anonymous Coward · · Score: 1, Interesting

    While I like the idea of pronounceable gibberish passwords, an alternative is to use a pass-phrase and then abbreviate it - like so:

    I don't trust password generators from Khazikstan -> Id'tpgfKz
    My Birth-Day is February 29th - MB-DiF29th
    I like beagle puppies for dinner at 6pm - Ilbpfd@6pm
    I like hotdogs for lunch at 12pm - Ilhfl@12pm

    Using a phrase like that lets you assign some sort of meaning to the password which can help you recall it in the future. It also lets use "themed" passwords like the last two which helps at sites with rapid password expiration - you can remember that for a certain system your password is always about a certain theme which makes it easier to remember when you have to change it frequently.

    1. Re:Try phrases instead of gibberish by Anonymous Coward · · Score: 0

      A problem with password sentences with a theme could be you can remember the theme (i.e. I like eating some dog thingy sometime during the day) but that it is difficult to remember which variant you used most recently for that particular site.

      But you're probably much better at remembering things than I am.

  30. Merits of the one password per site policy by Beryllium+Sphere(tm) · · Score: 4, Interesting

    Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.

  31. Re:I've (unfortunately) forced this on users befor by Corbets · · Score: 3, Insightful

    Yes, I would fire people for that. I'd fire people for any intentional violation of corporate policy. It's one thing if you don't know, it's another if you choose to break the rules, especially after repeated warnings. I've often found that people who break little rules will occasionally break big ones - like those kids in school you mentioned, those who tell little lies will from time to time tell a whopper.

    It's an issue of trust, not to mention security (why bother with multiple user accounts at all if people are going to have access to all accounts anyway?).

    Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.

    There's nothing worse than a ./er trying to insult someone and having to pull from his own life example of being that poor little geeky kid that nobody liked....

  32. Re:Password "best practices" are counter-productiv by Anonymous Coward · · Score: 0

    I used to work for a banking institution, that had a similar policy.
    8 characters, had to have a special character somewhere in the middle, change every month, last 20 passwords cannot be re-used.

    The result: Post-It notes with password written on them on most monitors or at least under keyboards.

  33. Re:Password "best practices" are counter-productiv by pryonic · · Score: 1

    Do you work for RWE Npower? We have exactly the same policy on the client site I'm working on at the moment and it drives me mad. Pretty much everyone I know writes their password down, and it's always a pain to think of a new one. Even though I try to be security conscious I only have about three passwords, and I rotate them myself, and occasionally change the upper/lower case or the number. The old policy of changing every 3 months worked much better.

    --
    Never underestimate the power of stupid people in large groups.
  34. We knew this already. They don't. Won't change. by jthill · · Score: 1
    TFA:
    In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat -- unless the password is immediately changed after each use.
    Security is one of those things that complete ignoramuses believe they understand without benefit of thought or experience. ~Just make it too hard~. Experience says there is simply no reaching these people. I can actually find some sympathy for them: the least whiff of an implication that their existing security policies were wrong is politically all but intolerable.
    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
  35. Re:Password "best practices" are counter-productiv by Anonymous Coward · · Score: 0

    As a sysadmin, it's always a red flag with me when the idea (password changes, use of 'root', etc) is being sold as a 'best practice'. I almost feel it's the equivalent of 'blah blah blah', used when a person can't be bothered to present meaningful dialogue.

    If it's a best practice, it should be referenceable. I want page and source.

  36. Requirements... by Vo0k · · Score: 4, Funny

    A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

    "Your surname name is too short. Surname must be at least 4 characters long."

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
    1. Re:Requirements... by Anonymous Coward · · Score: 0

      Heh, I often use me@domain.com for multiple domains. I thought it would be cute that I could say mail me@domain.com . Then I found that many places would not accept the email because "me" is too short. =/

    2. Re:Requirements... by james_orr · · Score: 1

      Ha ha, hope I don't have to buy anything at that store, my lastname is only three letters (Orr).

      I haven't come across that before, but I have been prevented from registering because I did not provide a middle initial ... problem is I don't have a middle name! I just put in an "X" to get around it and complained to the contact address.

      On the password issue, one of the best password schemes I've come across is the one that CompuServe used to use. This consisted of two words joined by a random piece of punctuation; I still remember mine and I haven't used it in ten years.

    3. Re:Requirements... by bostonguy · · Score: 1

      A similar thing that happened to me a few times:

      I had a credit card that actually bothered to spell my name with an apostrophe (O'Brien). There were a few instances where an e-commerce site, when asking for my name as spelled on my credit card, wouldn't accept OBrien, but would belch back with an error if I tried to use O'Brien. It's tough to type in my name if one of the characters in the name is illegal!

    4. Re:Requirements... by mmmiiikkkeee · · Score: 0

      I get this all the time... my last name is Hancock. Computers tell me I can't have 'cock' in my name.. go figure..

  37. Diceware by krunk4ever · · Score: 3, Interesting
    Another common one is Diceware: http://world.std.com/~reinhold/diceware.html

    Example

    Suppose you want a five word passphrase, as we recommend for most users. You will need 5 times 5 or 25 dice rolls. Let's say they come out as:

                1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
                1, 6, 6, 5, 2, 2, and 4

    Write down the results on a scrap of paper in groups of five rolls:

                1 6 6 6 5
                1 5 6 5 3
                5 6 3 2 2
                3 5 6 1 6
                6 5 2 2 4

    You then look up each group of five rolls in the Diceware word list by finding the number in the list and writing down the word next to the number:

                1 6 6 6 5 cleft
                1 5 6 5 3 cam
                5 6 3 2 2 synod
                3 5 6 1 6 lacy
                6 5 2 2 4 yr

    Your passphrase would then be:

                cleftcamsynodlacyyr


    There's also rules on top of that where you can find which character to capitalize and where to add symbols and spaces.
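
The dice-to-passphrase lookup described in this post, as an added Python example that is not from the original post or from the Diceware project. The word list here is a constructed five-entry excerpt (a real Diceware list has 6^5 = 7776 entries, one per five-roll key), `roll_dice` uses the `secrets` module in place of physical dice, and `entropy_bits` shows why the word count, not the words themselves, decides the strength.

```python
import math
import secrets

# Constructed excerpt of a Diceware-style word list, keyed by five dice rolls.
# Only the five entries used in the worked example above are embedded so the
# block runs offline; a full list has 7776 entries.
WORDLIST_EXCERPT = {
    "16665": "cleft",
    "15653": "cam",
    "56322": "synod",
    "35616": "lacy",
    "65224": "yr",
}

# The 25 rolls from the worked example above, in the order they were rolled.
EXAMPLE_ROLLS = [1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
                 1, 6, 6, 5, 2, 2, 4]

LIST_SIZE = 6 ** 5  # 7776 words in a standard Diceware list


def roll_dice(count):
    """Return `count` dice rolls (1..6) from a CSPRNG; never use random.random for this."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


def group_rolls(rolls, per_word=5):
    """Split a flat list of rolls into five-roll lookup keys such as "16665"."""
    if len(rolls) % per_word:
        raise ValueError(f"need a multiple of {per_word} rolls, got {len(rolls)}")
    return ["".join(str(r) for r in rolls[i:i + per_word])
            for i in range(0, len(rolls), per_word)]


def rolls_to_words(rolls, wordlist):
    """Look each five-roll group up in the word list; fail loudly on a missing key."""
    words = []
    for key in group_rolls(rolls):
        if key not in wordlist:
            raise KeyError(f"roll group {key} is not in the supplied word list")
        words.append(wordlist[key])
    return words


def passphrase(rolls, wordlist, sep=""):
    """Join the looked-up words; the post's example joins with no separator."""
    return sep.join(rolls_to_words(rolls, wordlist))


def entropy_bits(word_count, list_size=LIST_SIZE):
    """Entropy of `word_count` words drawn uniformly from `list_size` words.

    This only holds if the rolls are uniform (real dice or a CSPRNG) and the
    user does not re-roll or hand-pick words they find easier to remember.
    """
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(EXAMPLE_ROLLS, WORDLIST_EXCERPT))
    print(passphrase(EXAMPLE_ROLLS, WORDLIST_EXCERPT, sep=" "))
    print(f"{entropy_bits(5):.1f} bits for five words")
    # Fresh keys to look up in a full word list:
    print(group_rolls(roll_dice(25)))
```

Five words give about 64.6 bits regardless of which words come up, which is the point of the scheme: the dictionary is public and the strength lives entirely in the randomness of the rolls.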
    1. Re:Diceware by surprise_audit · · Score: 2, Interesting
      The braindead password policy around here is: at least one alphabetic, one numeric and one punctuation character. No subset of the word can be in the dictionary, and it has to be 8 characters (or more if supported by the OS).

      The problem with that is that *some* systems have slightly stricter rules than others, so you can get partway through Password Change Day with a perfectly good word and then run into a machine where it isn't allowed.

      Perhaps the nuttiest part of the policy is that you can't go back and change a password within 7 days. That may originally have been set up to stop a user immediately putting the password back to a previously used password, but now the change mechanism stores the last 6 or more words, so that's largely irrelevant.

    2. Re:Diceware by Anonymous Coward · · Score: 1, Funny

      Your passphrase would then be:

                                      cleft cam synod lacy yr


        Which interestingly is Welsh for all your base are belong to us

    3. Re:Diceware by wileyAU · · Score: 1
      Perhaps the nuttiest part of the policy is that you can't go back and change a password within 7 days. That may originally have been set up to stop a user immediately putting the password back to a previously used password, but now the change mechanism stores the last 6 or more words, so that's largely irrelevant.
      Never underestimate the tenacity of lazy people. There would be certain people who would diligently sit there and change their password 7 times until it cycles back so they can use the original.
    4. Re:Diceware by Ed_Pinkley · · Score: 1

      Skimming quickly through this post, here's what I saw:

      dice rolls. Let's say they come out as:
      Write down the results on a scrap {craps} of paper in groups of five rolls:

      Now I want to go to a casino.

      --
      "Long time listener, first time caller."
    5. Re:Diceware by Impy+the+Impiuos+Imp · · Score: 1

      I'm also sure 99% of the time, when people are required to use "at least three of each of cap, lower, number, or symbol", that people will capitalize the first letter, and only it, and add 1 as the number, and have it as the last digit.

      In any event, one can simply remove the numbers from the prospectively decoded password, then run it through the word matcher anyway, since the number is basically irrelevant to determining if the bulk of a password is a real word or not, as is the capitalization.

      All that this does is create a few multiples more of permutations for a brute force hack, which nobody uses anyway, and is useless anyway since machines have delays between multiple attempts, and temporary 10-minute disabling between multiple failed attempts.

      But given the first char is almost always a capital letter, and the last almost always a number, and the number 1, I'm sure that aids crackers.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  38. Re:Password "best practices" are counter-productiv by rainman_104 · · Score: 0

    One, the requirement that passwords be exactly 8 characters long. A minimum length specification is fine, but it shouldn't be the same as the maximum.

    To elaborate... 8 characters long reduces the number of permutations a password can have. Brute force attacks take less time because of this password policy. Minimum good, but forced length will take considerably less time.

    Further, changing every month is too often.

    No kidding, especially when the warning comes 15 days in advance. That means you have 15 days of nagging and 15 days of quiet time. I can't stand that 30 day password rule. I do what another poster said - cycle through passwords five times until I get my same password again.

  39. Passwords + Physical security + SE by Ajehals · · Score: 2, Interesting

    I used to be responsible for IT security for my previous employer and find that the biggest danger to any password based security is the user. When I started there were no passwords in use anywhere. After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement). I was not popular. (this may have been the passwords or possibly the pave and nuke job I did on all the corporate desktops killing at least 3 of those electronic pet things...)

    The good news is that after the first month the number of password resets required reduced dramatically and we actually had some accounting of user activity on things like network use etc..

    However 6 months in we started to note the usual issues of people sharing passwords (i.e. how come John Doe is logged on on three computers at the same time...) and had to curb that.

    Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)

    Again our security situation improved (I should point out that we did have internal users actively engaged in 'hostile' activities for their own gain...) and we were quite happy for a while..

    Finally we started to carry out regular penetration testing, including a social engineering portion; this bit surprised me most. I came to the conclusion that 70% of our user base would give out their user name and password to anyone claiming to be IT staff - including when the tester called from outside of the company, and the number showing as internal.

    So in short the problem with security is always going to be with the user, that is as long as the user is authenticated by either password, or token (swipe card etc..) and will only become significantly better when security is based on something the user can't forget or lose. Oh and anyone trying to implement security is always going to be the bad guy if it causes inconvenience.... And best practice in my opinion is finding reasonable security procedures that are applicable to your situation, whether that's a 4 digit pin, daily changing 12 character complex passwords or rectal probes and dna testing, and then more importantly implementing it in such a manner that it is actually adhered to.

    just my thoughts

    1. Re:Passwords + Physical security + SE by Anonymous Coward · · Score: 0
      When I started there were no passwords in use anywhere. After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement).
      Monthly change is too frequent. Personally I think once every two months is about as frequent as I can tolerate. If your users are like me, they have far too many passwords already. Passwords have severe limitations. Against certain threats, increasing the change frequency will only improve security marginally, while doing so will greatly increase the burden and frustration on the part of the users.
      Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)
      Writing passwords down is not per se a problem (although writing them down where everyone can see them is).

      At some point one has to decide if the residual risk associated with password authentication is acceptable or if it makes sense to move to something more secure like SecurID.

  40. Re:fp by Anonymous Coward · · Score: 0

    this beige theme looks like crap.

  41. Re:Password "best practices" are counter-productiv by (chubbstar) · · Score: 1

    i just use 1234 and be done with with it.

    --
    "when you fall in a bottomless pit you die of starvation."
  42. One possible benefit by Dobeln · · Score: 1

    I broadly agree with parent, but let's illustrate one possible benefit of password changing:

    Using myself as a subject, I have tended to use variations on a common, 'hard' password in many different contexts over the years. Hence, it would most likely have been possible for someone to intercept my password in one context (i.e. website) and use it in another (i.e. network access).

    It's quite possible that this is one of the areas in which forced password switching is a plus - it forces users to differentiate their passwords over different networks and sites, so that it is more difficult to "fish" for a particular password.

    1. Re:One possible benefit by wfberg · · Score: 1

      It's quite possible that this is one of the areas in which forced password switching is a plus - it forces users to differentiate their passwords over different networks and sites, so that it is more difficult to "fish" for a particular password.

      Usually what happens is that people start changing all of their passwords on the password-age-restricted systems synchronously. So when some systems have a limit of 30 days, and some other 60 days or 99 days, they'll just change their passwords on all of these monthly. To something like "MyCatsNameJan", "MyCatsNameFeb" etc.

      --
      SCO employee? Check out the bounty
  43. KeePass is great for personal password management by owlet · · Score: 1
    KeePass is a great password management tool. By now I have over 300 accounts and KeePass makes it practical to create and use unique passwords.

    It's free, secure, easy to use and runs off a thumb drive.

    Changing passwords isn't really a big deal when using KeePass.

  44. Double bluff by Yonan · · Score: 1

    No one expects admin as a password anymore so I use it for all my accounts - easy to remember and great for the ego. nimda is a close second or 12345, works great for luggage security.

  45. Spaf Could Never Get a Real Job by Anonymous Coward · · Score: 0

    ITS SPAF!!! Hey old man, ever held a job outside of academia? Oh yeah, you can't.

    1. Re:Spaf Could Never Get a Real Job by Archtech · · Score: 1

      Could you get (never mind hold) a job in academia? They are actually harder than many jobs in industry and commerce, let alone government. Not to mention less well paid.

      But perhaps you believe that people's worth should be measured by the size of their income.

      --
      I am sure that there are many other solipsists out there.
    2. Re:Spaf Could Never Get a Real Job by wk633 · · Score: 1

      Let me guess, you got an F in his class?

      Seriously, the only reason I didn't lose my job over this exact argument, twice, is that I deferred to pointy headed bosses who were dumber than me. I don't take the 'smarter' claim lightly. But just for example, what would you do if your boss was Jerry Taylor? (Tuttle OK city manager). I haven't been THAT unlucky, but there have been a few.

  46. biometrics by Anonymous Coward · · Score: 1, Funny

    Hope I don't have to get new fingers every 30 days when they bring biometrics as password replacements....

    1. Re:biometrics by Anonymous Coward · · Score: 0

      Hope I don't have to get new fingers every 30 days when they bring biometrics as password replacements....

      It's either that or purchasing a new system every 10 months :)

  47. Getting in is easy... by mulhall · · Score: 1

    ...what you can do once you're in is where security comes in.

    We've seen time and time again people's opinions on enforcing password strength, but we all know that you can get someone's password with a chocolate bar and a clip-board (http://www.out-law.com/page-4469)

    The next part is what we have to concentrate on; make sure that your permissions adhere to the principle of least privilege.

    Think of the firewall Deny All rule; apply it to your users and grant only the permissions they actually need.

  48. Three unsuccessful attempts and you're locked out by rollingcalf · · Score: 3, Insightful

    Another useless rule of thumb is the one that locks you out after three unsuccessful login attempts. It was based on the theory that the authentic user would be able to remember the password within three attempts.

    In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users.

    Caps lock is on... one failed attempt. You turn off caps lock and enter the password for a different system... another bad attempt. You think your bad attempt was due to a typo, so you re-enter the same password... you're locked out.

    With so many people getting locked out, either they become lax with the password-reset procedures, allowing an intruder to take advantage of that, or they stay strict, which results in numerous users losing hours of productive time.

    Give 10 or 20 attempts, dammit.

    --
    ---------
    There is inferior bacteria on the interior of your posterior.
  49. Passwords Suck by esme · · Score: 2, Funny
    We should all be using public keys.

    -Esme

  50. Sometimes you don't even need the post-it note. by forgotten_my_nick · · Score: 1

    There was an MMORPG that I used to play that had nearly a whole clan hacked. Something like 60 or so accounts hacked, stripped bare and/or deleted.

    There were more than 60 members, and they couldn't figure out the pattern for the attack. They checked their servers, the login logs showed no brute forcing at all.

    Finally they figured out what had happened. One disgruntled person who hated the clan had created an alt and joined the clan. He played with them for a few months and then asked a question on their clan forum of "What is your mother's maiden name" in a series of a group of questions. The question was like a joke email where you guess a number or something.

    The point is a large number of people actually posted that information. After that he cross-referenced the email addresses on the forums (to hotmail) and just told them he had lost the password and here is my mother's maiden name.

    Once in their email he told the MMORPG he had forgotten the password, it emailed them. He grabbed that and deleted the email.

    Social hacking wins over passwords.

    1. Re:Sometimes you don't even need the post-it note. by MichaelSmith · · Score: 1
      Social hacking wins over passwords.

      Oh absolutely but I think it takes a particular kind of person to hunt down a bunch of people in this way, and not to be able to brag too much about what they have done.

      And if I got hacked by such an individual I could at least live on with the knowledge that I have a life and he doesn't.

    2. Re:Sometimes you don't even need the post-it note. by forgotten_my_nick · · Score: 1

      > and not to be able to brag too much about what they have done.

      TBH I think that's how they caught him. :)

  51. Re:I've (unfortunately) forced this on users befor by Anonymous Coward · · Score: 1, Informative

    Depends on where you are. I used to work for UK social security. Crappy little administrative job, but I had access to people's benefits info. We used smart card and password systems to log into the computers, and there was the risk of instant firing and application of the Official Secrets Act (though unlikely in practice) if anyone left their card unattended.

    Most people kept their card attached to their belt by a chain to be damn sure. If I was ever head geek in a place where people had access to data of that security (I'm including credit card numbers at that level) I'd apply the same policy. Tokens that must remain physically attached to the user.

  52. "Easy to remember" must be relative by mopslik · · Score: 1

    They are easy to remember since you can pronounce them.

    Pronunciation is only one half of the coin. Essentially, you're still going to have to remember how to spell the password, whether you can pronounce it or not.

    (lew-cy-Hir-Ux-SIX)

    Let's see, here:

    • lucyherux6
    • looseyhiruks6
    • lewcyheruxsicks
    • ...

    Sure, I can pronounce it, but I'm still locked out after 3 attempts.

  53. Re:Three unsuccessful attempts and you're locked o by rjstanford · · Score: 2, Interesting

    Give 10 or 20 attempts, dammit.

    Screw that. Give 500. Give a number so ridiculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

    --
    You're special forces then? That's great! I just love your olympics!
  54. A plain text file and GnuPG by Anonymous Coward · · Score: 0

    is what I use to keep track of passwords for various places.

  55. huh? by farker+haiku · · Score: 1, Troll

    Cracking is when an intermediate form of the password (e.g., an encrypted form stored in the authentication database) is captured and attacked algorithmically, or where iterated attempts are made to generate the password algorithmically. The efficacy of this approach is determined by the strength of the obfuscation used (e.g., encryption), the checks on bad attempts, and the power and scope of the resources brought to bear (e.g., parallel computing, multi-lingual databases).

    So, if I capture an ntlm hash, and run it through a rainbow table, how in the hell is 3 checks on bad logon attempts or parallel computing going to do anything? Excuse me mr expert, but I think you need to STFU.

    n00b.

    --
    Your sig(k) has been stolen. There is a puff of smoke!
    1. Re:huh? by Anonymous Coward · · Score: 1, Insightful

      Well, since Rainbow tables are a form of parallel computing (since separate processors were likely assigned different sections of the character space), or could even be thought of as a multi-lingual database. Those were just examples of different "power and resources brought to bear" (Rainbow tables being a fairly hefty resource to bring to bear, though largely useless against SSH keys, for now). Obviously 3 bad login attempts aren't going to do anything in this situation, but what about the case where you don't have the NTLM hash yet? Why go to all the trouble of grabbing an NTLM hash when the system is likely set up with username of administrator and a blank password? Wouldn't you at least check that first?

    2. Re:huh? by Nintendork · · Score: 1
      So, if I capture an ntlm hash, and run it through a rainbow table, how in the hell is 3 checks on bad logon attempts or parallel computing going to do anything? Excuse me mr expert, but I think you need to STFU.

      Rainbow tables are way overhyped. First off, good luck capturing an NTLM hash. Being the man in the middle isn't practical on modern, switched networks. If you did get an NTLM hash and the password policy is like most companies, it'll have upper case, lower case, numbers and symbols. The password space for an eight character password of this type is 6.8 quadrillion, requiring a database 17.4 petabytes in size (for NTLM hashes). In Wikipedia's entry of petabyte, the largest store mentioned is a 6PB robotic tape store. In other words, good luck with rainbow tables unless you're a government trying to crack 8 character passwords and want to build something 3x larger than the current known storage facility. If you're dealing with an environment using passphrases averaging 12 characters...well, you do the math.

      n00b.

  56. Author of the Article by fdiskne1 · · Score: 1

    Never fear, I is here. My name is The Plague.

    Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... god. So, would your holiness care to change her password?

    Oh, wait, the article was by Eugene Spafford? I thought you said Belford. Nevermind.

    Off topic: my captcha for submitting this message is "crotch"? oookaaaaaay.

    --
    But why is the rum gone?
  57. Re:Advice on passwords -- Underwear! by Ajaxamander · · Score: 1

    The University of Michigan had a "Poster Campaign" at all of the computing sites a bunch of years ago when I started there. All the posters compared kerberos passwords to underwear.

    Passwords are like underwear: The longer the better. (had a drawing of a guy braving a michigan winter storm)
    Passwords are like underwear: Don't share them with friends.
    Passwords are like underwear: Change them often.

    There might have been more but I've forgotten the rest. Any other U of M alumni who remember those ads?

  58. I would have thought this obvious by Thaelon · · Score: 1

    If you force your users to change passwords too frequently they'll just pick one password and increment some number in it, or write it down each time.

    Or if they're really tricksy ones, they'll just change the password $numberOfTimesSystemRemembers + 1 in one sitting and resume using their old one within minutes of changing it.

    There's a fine balance to be struck between security and inconveniencing your users to the point that they work around security for convenience.

    --

    Question everything
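
Password history with and without a minimum age, as an added Python example that is not from any post in this thread. `PasswordHistoryPolicy` is a hypothetical in-memory policy object: it keeps PBKDF2 hashes of the last `remember` passwords and, when `min_age_seconds` is non-zero, rejects a second change in the same sitting. With the age set to zero it reproduces the `$numberOfTimesSystemRemembers + 1` cycling described in this post and in the Diceware replies above; with a 7-day age the cycle stalls at the first repeat. The `clock` parameter exists so the age rule can be exercised without waiting.

```python
import hashlib
import os
import secrets
import time


class PasswordHistoryPolicy:
    """Hypothetical password-history store with a minimum-age rule.

    history[account] holds (salt, digest) pairs, newest last, trimmed to the
    `remember` entries that are actually checked. changed_at[account] is the
    time of the last accepted change.
    """

    def __init__(self, remember=6, min_age_seconds=7 * 86_400,
                 clock=time.time, iterations=100_000):
        self.remember = remember
        self.min_age_seconds = min_age_seconds
        self.clock = clock
        self.iterations = iterations  # lower only for tests; keep high in production
        self.history = {}
        self.changed_at = {}

    def _hash(self, password, salt):
        # Salted PBKDF2 so a leaked history file does not hand out old passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _seen_recently(self, account, password):
        recent = self.history.get(account, [])[-self.remember:]
        return any(secrets.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in recent)

    def change(self, account, new_password):
        """Return (accepted, reason). The first change for an account always passes the age rule."""
        now = self.clock()
        last = self.changed_at.get(account)
        if last is not None and now - last < self.min_age_seconds:
            return False, "minimum password age not reached"
        if self._seen_recently(account, new_password):
            return False, "password was used recently"
        salt = os.urandom(16)
        entries = self.history.setdefault(account, [])
        entries.append((salt, self._hash(new_password, salt)))
        del entries[:-self.remember]  # forget anything older than we check
        self.changed_at[account] = now
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo: no minimum age, so remember + 1 changes restore the original.
    lax = PasswordHistoryPolicy(remember=3, min_age_seconds=0)
    lax.change("bob", "original-password")
    for i in range(3):
        lax.change("bob", f"filler-{i}")
    print("cycling back with no min age:", lax.change("bob", "original-password"))

    strict = PasswordHistoryPolicy(remember=3)
    strict.change("bob", "original-password")
    print("second change same day:", strict.change("bob", "filler-0"))
```

The age rule only closes the self-service loophole; a helpdesk reset path that bypasses it needs its own controls, and the policy says nothing about how good the replacement password is, which is the thread's larger complaint.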

  59. Re:Three unsuccessful attempts and you're locked o by Alphi1 · · Score: 2, Insightful
    Screw that. Give 500. Give a number so ridiculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

    IMHO, I think a relatively-small artificial delay (after a certain number of attempts) should slow down the "brute-force" attack significantly as well...

    After all, let's say that it has an artificial delay of 1 second after every 5 tries. Most human-entered attempts won't even notice the delay (and even if they do, it's a relatively minor inconvenience - much more minor than having to contact someone about unlocking the account after 3 unsuccessful attempts).

    But a brute-force attack that would send, say, 1,000,000 passwords in quick succession will take at least 50 hours, or over two days. Not very practical. Especially when it may take more than 1,000,000 tries (assuming the password was set up to deliberately avoid things such as dictionary searches and things like that).

    Not only that, but those two things (after how many "attempts" to have the delay, and the delay itself) could even be tweaked based on how much abuse the site is getting. Maybe a 2 second delay after 3 failed attempts, which would be even MORE effective (approx. 7.7 days if my calculations are correct) than a 1 second delay after 5, while only being slightly more intrusive for legitimate users.

  60. Here is what happens by Oldsmobile · · Score: 1

    I can tell you what happens. My girlfriend works at a company where they have several different passwords for several different purpose-made programs that they use daily.

    The passwords can't all be the same, they have to contain numbers and enough letters, and they have to be changed periodically. And the changes have to be more than just one or two (or even three, I think) digits.

    You would think this would make the system incredibly safe. Unfortunately, because of the number of passwords, nobody can remember any of them and everyone is totally confused!

    So they just end up writing the passwords on paper and hiding the note under the blotter.

    So there, whoever has designed their "incredibly secure" system has just made it incredibly insecure simply by making it too complicated.

    --
    Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
    1. Re:Here is what happens by Richard+Steiner · · Score: 1

      Several? I wish. I haven't counted, but I need to remember somewhere between 20 and 30 different passwords here at work for various mainframe systems, various UNIX servers, various web sites that each have their own password, my Windows and Novell logins, Lotus Notes, etc.

      I keep them on my Palm IIIc in my (normally locked) briefcase and in my Abacus WristPDA.

      --
      Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
      The Theorem Theorem: If If, Then Then.
  61. Mod this up! by Morrigu · · Score: 1

    Yes. Passwords suck. Any piece of software that can be configured to use X.509 certs or public keys should be configured to do so. And it should also refuse any and all attempts at password authentication.

    Of course, in the real world, this isn't so easy. But I look forward to the day when I can pop my smartcard into my laptop, type in a passphrase ONCE to prove that I am its rightful owner, and not have to type in another single password until I log out.

    --
    "We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
    1. Re:Mod this up! by collinl · · Score: 1

      So what protects your private key that's linked to your X.509 cert?
      Either nothing (so simply accessing your machine = being you) or a password (so cracking a password is needed before someone can masquerade as you)

      This sort of idea is shortsighted and achieves nothing positive for security.

      Lyal

  62. What I do by danpsmith · · Score: 1

    What I find the best thing to do is to make the password the first letters of each word in some phrase, lyric, etc., and try to include numbers in this.

    For instance, I'm kind of a NIN fan, so you could use a lyric like:
    "I will take my place in the great below"
    iwtmpitgb

    then add numbers

    that way if you forget the password, you just have to remember the phrase you used to come up with it, and the numbers

    --
    Judges and senates have been bought for gold; Esteem and love were never to be sold.
  63. Encrypted key exchange by XNormal · · Score: 2, Informative

    Encrypted key exchange protocols (e.g. EKE, SPEKE) allow the safe use of relatively weak passwords. They resist all known passive sniffing, man-in-the-middle and offline dictionary attacks. How can a system be secure with weak passwords? Think of your ATM card's 4-digit PIN: it's pretty safe because it's limited to only a couple of unsuccessful attempts and you can't do an offline dictionary attack that would bypass this limit.

    Unfortunately, these algorithms are all patented.

    As far as I can tell, the SRP system infringes on the EKE patent. The fact that Stanford got a patent for SRP means nothing - a patent grant says nothing about infringement of other patents. AT&T probably won't sue anyone using it in an open source project but they will not issue a statement that SRP does not infringe the Bellovin patent, either. Result: commercial users shy away from SRP.

    The only widely deployed remote password authentication mechanism which is safe even with weak passwords is "plaintext over SSL" but it relies on PKI which has its own set of problems.

    Kerberos tickets are pretty secure because they use machine-generated random keys instead of user-provided passwords. But this whole tower is built on a weak foundation because the initial authentication to the TGT does use the weak user password. If just this part was replaced by EKE all Kerberos services would benefit from increased security.

    Microsoft domains use Kerberos. Is there any chance Microsoft would bite the bullet and pay the EKE or SPEKE patent license fees?

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  64. My way by sasdrtx · · Score: 2, Funny

    Abcd0001

    Increment as needed.

    --
    Most people don't even think inside the box.
    1. Re:My way by BrianPan · · Score: 1

      How about the more secure Dvorak version of asdfjkl;

      Aoeutns-

      Security through.....lazy geekiness.

  65. Perhaps his next considered article will be on... by KenDodd · · Score: 1

    ... how to keep a web server running while it gets knocked about a bit by the /. crowd. The minions in the Purdue IT Dept might benefit from that :) That box isn't answering HTTP requests - wonder why? :)

    --
    Did you know my dad's dog died?
  66. Re:Three unsuccessful attempts and you're locked o by lobsterGun · · Score: 1

    Want to get that changed?

    Just try to log in as your sysadmin (or his boss) every time you get some free time (don't try this from your desk).

    Eventually they will get tired of having their account reset every time they log in/access-a-network-share/try to print/etc.

  67. I hate to sound cynical... by KenDodd · · Score: 1

    But isn't most of the content of the article highly clichéd at this stage in the game?

    Surely it doesn't take a "Ph.D., D.Sc.(h.c.), FAAAS, FACM, FIEEE, CISSP (h.c.)" (in the European style!) to point out these issues. Most of it seemed like straightforward, common sense issues dressed up in pseudo-academic-speak.

    --
    Did you know my dad's dog died?
  68. A better way by hoggoth · · Score: 1

    It wouldn't be difficult to implement a better authentication scheme than passwords, without the cost of smart-cards or biometrics.

    Just use Challenge/Response. Have a simple little app that takes a password, a challenge text, and generates a response text.

    When logging in instead of asking 'Username:', 'Password:' the system would ask 'Username:', 'If I said 'xyz' what would you say:'

    The user enters the challenge text into his little app, and the response is put right into the copy/paste buffer.

    The user's password is never sent across any network.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
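    hoggoth's challenge/response sketch worked out as an added example (this is not code from the thread): the server issues a fresh challenge, the user's "little app" answers with an HMAC over it, and the server checks the answer without the password ever being sent. The account name and password are constructed. One limit worth seeing in the code: the server still has to hold a per-user key, and a captured challenge/response pair can be tested against password guesses offline, which is the exposure XNormal's EKE comment above is about.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; not taken from the thread.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def derive_key(password, username):
    # Stretch the password into a 32-byte key bound to the account name, so the
    # server can store this key instead of the password itself. Anyone holding a
    # captured (challenge, response) pair can still run guesses through this
    # function offline, so the password must be strong enough to survive that.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)


class Server:
    """Verifier side: issues one-time challenges and checks HMAC responses."""

    def __init__(self, username, password):
        self.keys = {username: derive_key(password, username)}
        self.outstanding = {}  # username -> challenge awaiting a response

    def challenge(self, username):
        # "If I said 'xyz' what would you say?" -- xyz must be fresh and
        # unpredictable each time, otherwise a captured response can be replayed.
        c = secrets.token_hex(16)
        self.outstanding[username] = c
        return c

    def verify(self, username, response):
        c = self.outstanding.pop(username, None)  # a challenge is usable once
        key = self.keys.get(username)
        if c is None or key is None:
            return False
        expected = hmac.new(key, c.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def respond(password, username, challenge):
    """The user's 'simple little app': password + challenge -> response text."""
    key = derive_key(password, username)
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


def login(server, username, typed_password):
    """Full exchange: Username -> challenge -> response -> accept/reject."""
    c = server.challenge(username)
    r = respond(typed_password, username, c)
    return server.verify(username, r)


def replay_demo(server, username, password):
    """Submit one valid response, then submit the same response again."""
    c = server.challenge(username)
    r = respond(password, username, c)
    first = server.verify(username, r)
    server.challenge(username)          # server hands out a new challenge
    second = server.verify(username, r)  # old response no longer matches
    return first, second


if __name__ == "__main__":
    srv = Server(USERNAME, PASSWORD)
    print("correct password:", login(srv, USERNAME, PASSWORD))
    print("wrong password:  ", login(srv, USERNAME, "guess"))
    print("replay (first, second):", replay_demo(srv, USERNAME, PASSWORD))
```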
  69. How about the ones that give you limited attempts. by antdude · · Score: 1

    Don't forget the passwords that only give you like three tries/attempts. After that, the account gets locked out PERMANENTLY because you entered the passwords incorrectly three times. Lame!

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  70. Context of article: new Purdue password policy by mdpowell · · Score: 2, Insightful

    The author is a professor in the CS department at Purdue. At the beginning of 2005-2006, Purdue IT announced that they were going to require *every* password on *every* computer to be changed every 30 days. They made it clear that this policy was not restricted to administrator accounts, and in fact it has been pointed out in several articles that students will have to remember to change their passwords during summer and co-op sessions, or their accounts will be disabled. You also won't be allowed to re-use passwords for six replacement cycles. The policy isn't enforced yet but will be "real soon now."

    This policy seems to be generally seen as idiotic by students, faculty, and staff. The IT people who talk about it seem to be made to "toe the line," and make up excuses about how this policy went through all the review/administrative processes. Nobody has an explanation for how this policy will be made practical for all the alumni and external accounts which might be accessed only a few times a year.

    Many people see this policy as a copout response to the multiple security breaches in the past several years. On multiple occasions the whole university (30K+ students, plus faculty/staff) received orders to change passwords immediately because some database was compromised. Rumor had it that one database was storing passwords in plaintext because of incompatibility between hashing mechanisms used by different systems. Rather than take responsibility for and fix their security breaches, they are simply forcing this policy on everyone.

    I suspect the author wrote this article largely as a condemnation of this policy.

    Here's the link to the Purdue password policy: http://www.itap.purdue.edu/security/procedures/passguidelines.cfm

  71. Re:Admin passwords, generating passwords, passphra by Acer500 · · Score: 1

    You're correct, I must admit.

    However, it would help if Slashdot submitted the cache link so the webpage was not slashdotted.

    I'll have to look up that Firefox extension.

    BTW, what's an analogy for Anonymous Coward :-)

    --
    There are three kinds of lies: lies, damned lies, and statistics.
  72. something similar by dnamaners · · Score: 1

    I do something similar: I use a randomly generated matrix to decode simple passwords like "father" into a complex password. Each month I generate a new matrix and file the old one, just in case I need to use a backup (when I back up I write the sheet ID on the media). Only I know the column I use this month (I suppose it can be the real month too) and the simple key I use with the cipher to get out my password. As long as I don't tell anyone my simple cipher, I can use it as many times as I like, on as many sites and computers; I just change the matrix. If I am good I may remember the complex password; if not, it's easy to look up. I put my matrix right on the wall over my monitor or terminal.

    Here is the Python code if you care; whitespace was eaten, see placeholders.

    import random
    # note: random is not a cryptographic generator; random.SystemRandom() is a drop-in

    uc = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    lc = uc.lower()
    digits = "0123456789"
    funny = "!@#$%^&*-_"
    vowels = "aeiou"
    cols = 12
    counter = 0
    version = "v1"   # not defined in the posted code; any sheet label works
    # header: a random sheet id so the printout can be matched to a backup
    print(version + " sheet-" + random.choice(uc) + random.choice(digits) + random.choice(digits))
    print("C 1 2 3 4 5 6 7 8 9 10 11 12")
    for letter in lc:
        line = letter
        while counter < cols:   # one two-character entry per column
            counter = counter+1
            if letter in vowels:
                line = line + " " + random.choice(uc) + random.choice(funny)
            else:
                line = line + " " + random.choice(lc) + random.choice(digits)
        print(line)
        counter = 0

    1. Re:something similar by Impy+the+Impiuos+Imp · · Score: 1
      You mean like this?
      import random

      uc = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
      lc = uc.lower()
      digits = "0123456789"
      funny = "!@#$%^&*-_"
      vowels = "aeiou"
      cols = 12
      counter = 0
      version = "v1"   # not defined in the posted code; any sheet label works
      print(version + " sheet-" + random.choice(uc) + random.choice(digits) + random.choice(digits))
      print("C 1 2 3 4 5 6 7 8 9 10 11 12")
      for letter in lc:
          line = letter
          while counter < cols:   # the "< cols:" was eaten by the comment filter
              counter = counter+1
              if letter in vowels:
                  line = line + " " + random.choice(uc) + random.choice(funny)
              else:
                  line = line + " " + random.choice(lc) + random.choice(digits)
          print(line)
          counter = 0
      But I'm not as good a programmer as you at figuring things out...
      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  73. Re:Three unsuccessful attempts and you're locked o by tutori · · Score: 1

    Actually, I don't think the locking after 3 attempts was meant to stop brute force attempts, but rather to stop password guessing attempts, i.e. birthdays, mother's maiden name, children's names and ages... There are at least a couple dozen likely passwords for someone based on things you can find out about them. Having suffered through a couple lock-outs, I still think 3 is too low; however, 500 is too high to prevent this sort of thing.

  74. Except by Anonymous Coward · · Score: 0

    Not such a great idea when many companies ban thumb drives. And many companies prohibit running unapproved software.

    But YMMV.

  75. Re:Perhaps his next considered article will be on. by coj · · Score: 1

    We're working on it. This is by far the most traffic we've gotten on this box. We need to take it down for a bit to get in a caching system on the blog, and then (hopefully) it should handle the traffic much better.

    BTW, you guys are kicking the Digg folks' ass in terms of taking down hosts... digg hardly affected us. 8)

  76. Re:I've (unfortunately) forced this on users befor by nosferatu1001 · · Score: 1

    I would also fail the company in their annual audit if it was known that user accountability had been compromised - only financial systems though, any others we really could care less about.

    What this would mean would be a substantive audit, costing around 4x the cost of a controls based audit. Trust me, more than one person would be fired once THAT bill reaches the upper echelons!

  77. Re:I've (unfortunately) forced this on users befor by poot_rootbeer · · Score: 1

    However, the better solution in that case would have been termination for people who shared passwords

    There are two scenarios where this would happen:
    1) the password sharing has not compromised any security, in which case you've just lost a potentially valuable team member over something where no harm was done, or
    2) the password sharing HAS compromised security, in which case the damage has already been done and the policy is worthless as a preventative.

    I don't really see how either of those is any better.

  78. Re:I've (unfortunately) forced this on users befor by dubl-u · · Score: 1

    I'd fire people for any intentional violation of corporate policy. [...] Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.

    Quick tip: telling people you will fire them for violations of policy, even when they are trivial or when they *should* violate the policy to serve a higher goal, is not the best way to build trust or morale.

    Draconian enforcement only makes sense when the policies perfectly address every situation ever encountered. With policies that complex, nobody will remember them anyhow. Given the choice, I'll always take an employee with good judgement over one who's perfectly obedient.

  79. Untrue by phorm · · Score: 1

    No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus

    There are times when a rather immediate attention is required. Important messages such as "The network is going down, save your work!" or "you're running low on both RAM and SWAP space" etc are rather important. Personally I wouldn't mind if my spreadsheet or web-browsing were interrupted to show me a message indicating a possibly more serious interruption was imminent.

    But I do agree that your general userland applications should not be able to popup you to death and steal focus, just the OS-integral ones.

    1. Re:Untrue by wfberg · · Score: 1

      Important messages such as "The network is going down, save your work!" or "you're running low on both RAM and SWAP space" etc are rather important.

      Amusingly (well.. not for me), I get the "battery critical" warning AFTER plugging my laptop in because it's lost its power... That's the one popup they take too long to push in your face.. :-(

      --
      SCO employee? Check out the bounty
    2. Re:Untrue by Blakey+Rat · · Score: 1

      No, those applications are what the Notification Area in Windows is for, or nasty blinking icons in the Dock in OS X is for. (I have no idea how Linux communicates things like that, but knowing Linux it either doesn't have a way at all, or it has 3 dozen incompatible different ways and nobody uses any.)

      Personally, I think Microsoft did a good job creating the notification area as long as software doesn't abuse it-- and of course, software does. Heck, when you first log in, MSN pops up all kinds of useless "add your passport to Windows!" stuff you don't care about. But the theory behind it is sound.

      Of course you're missing the MOST IMPORTANT reason that critical notices shouldn't interrupt your work in another application: If you happen to be typing when it comes up, you can easily close the notification by accident before you have a chance to read it. And then you're a ton worse off than if it was in the background, or a bubble in the Notification Area.

  80. Re:Three unsuccessful attempts and you're locked o by bhima · · Score: 1

    do you people have any clue how a brute-force attack is carried out?

    One does not use the password entry UI of the system.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  81. Muscle Memory by Anonymous Coward · · Score: 0

    Many people don't realize that it is far more effective to 'memorize' a random password by using your muscle memory. The brain does a very poor job of memorizing random strings because when using the linguistic and speech areas of your brain, there are subconscious patterns that you don't even realize that you notice. I purely random password doesn't have these patterns and is very difficult to memorize. However, the areas of the brain that control muscle movements can very quickly memorize a pattern after just a few iterations.

    For example:
    I just generated the following password using passwordsafe (there's a sourceforge site for this, but I'm too lazy to look it up right now): 1/E.I!BEp[
    I modified this slightly to make it a little easier to type (ymmv): 1/E>i1BEp[
    And I typed this 20 times into notepad.
    I now have this password pretty much memorized (although if asked to repeat it out loud I would be at a complete loss) and I am 80% sure that I will still remember it tomorrow morning. If I continue to use it on a daily basis I will be able to remember it indefinitely.
    Just remember, folks; your brain has a lot more power than you give it credit for.

    On a side note: it's pretty obvious that some of you didn't read the article. Spaf is advocating NOT changing passwords every month. That doesn't mean he's saying you should never change passwords, just not so often. And, keep in mind, this is a blog post, not an academic paper; and therefore it has a less formal tone and of course is relating information that many people already know.

  82. Password is based on a Romulan dictionary word by wsanders · · Score: 1

    "Sorry, your password is based on a Romulan dictionary word. Please choose a password with at least three non-alphanumeric characters, a "!" in position 5, a number at the end, at least 3 different punctuation marks, then write it down and tape it to the bottom of your keyboard."

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  83. Kids as password generators by FurryFeet · · Score: 1


    A security consultant once told me little kids can be great password generators. As an example, he explained how his toddler couldn't say "penguin"; it came out sounding something like "pewing". Instant (admittedly, low sec) password.

  84. Re:I've (unfortunately) forced this on users befor by AK+Marc · · Score: 1

    Quick tip: telling people you will fire them for violations of policy, even when they are trivial or when they *should* violate the policy to serve a higher goal, is not the best way to build trust or morale.

    Quick tip: having policies you make known are not enforced will not build morale. Some will follow it and resent those that don't. Others won't follow it and get annoyed at those that do. Since the policy "please feel free to share your password with everyone else" doesn't seem reasonable, I'd suggest that firing someone for a password sharing is better for overall morale than ignoring multiple repeated violations of the policies.

    I think you are assuming "fire on a first offence." I understand and realize that people will occasionally (like once every 5 years or so, maybe less frequently) have an actual reason to violate such a rule. However, there is no reason for someone to violate it on a weekly basis. From how I read the thread, you are saying it is unreasonable to fire someone for the first offence. That is perfectly compatible with the statements of the person you are responding to. Read his posts again, and insert the word "eventually" before every instance of "fire" and you'll see what I think he was meaning. "Yes, I would *eventually* fire someone for repeated violations of the corporate policy."

  85. the more imp point is by cinnamon+colbert · · Score: 1

    how do you resist what is little more than a myth when it is labeled a best practice? Humans have a propensity to regard anything they hear as a basis; even though you know it is totally ridiculous, if I say that using consonant-free passwords is a good practice, simply hearing it will make you think in that direction; there is a whole literature in the psychology field on this (I forget the term)

    for instance, the whole change-password-frequency debate - if one can't get data, should one just ignore the "commonsense" idea that longer = better?

  86. Re:I've (unfortunately) forced this on users befor by Just+Some+Guy · · Score: 1
    You'd fire people for sharing a password??

    Yes, because authentication is a whole different beast from accounting. I don't care so much that you accessed a resource with a different userid than we issued to you, but I care a whole awful lot about the fact that I can't tell who updated Salary.xls last Saturday at 2:34 PM.

    If you think this stuff doesn't matter, then trade paychecks with someone who makes the same as you, and attempt to simultaneously cash them at the same bank. Since the amounts are the same, the bank shouldn't care, right?

    --
    Dewey, what part of this looks like authorities should be involved?
  87. Re:Three unsuccessful attempts and you're locked o by zCyl · · Score: 1

    In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users. ...
    Give 10 or 20 attempts, dammit.


    I've seen people use this "feature" for practical jokes plenty of times. I don't think increasing it to 10 or 20 would deter this. And if it's used as a practical joke, it can certainly be used as a serious attempt at a DoS.

    If anything, it should simply lock people out from the terminal or ip they are attempting it from. And if you want something that will do a smarter job of defeating brute force attacks, simply have a variable delay that doubles each time for that particular terminal or ip. If the password is wrong once, wait two seconds before giving that location another chance. If the password is wrong four times, wait 16 seconds. By the 10th attempt from that location, it would take 17 hours for the 11th attempt, and by the 20th, this would be 12 days, effectively preventing a brute force attack while only minimally inconveniencing real users, and requiring essentially no complex reset procedures.
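    The two delay schemes from this sub-thread (Alphi1's fixed pause every N attempts, zCyl's per-address doubling delay) and the three-strikes lockout they argue against, run over one constructed attempt stream. This is an added example, not code from the thread; the addresses, account name and timings are made up. The stream shows the point zCyl makes: an account-wide lockout lets anyone lock the real user out, while a per-address backoff slows the guesser and still lets the real user in from elsewhere.

```python
from collections import defaultdict


# --- cost of a guessing run under the two delay schemes proposed in the thread ---

def fixed_delay_seconds(guesses, every_n, delay_s):
    """Alphi1's scheme: pause delay_s seconds after every every_n attempts.
    Returns the total added delay for a run of `guesses` attempts."""
    return (guesses // every_n) * delay_s


def doubling_delay_seconds(failures):
    """zCyl's scheme: after `failures` wrong tries from one address, that
    address waits 2**failures seconds before its next attempt is evaluated."""
    return 2 ** failures


# --- per-address backoff versus per-account lockout on the same attempt stream ---

class PerSourceBackoff:
    """Doubling delay tracked per source address; the account is never locked."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = defaultdict(float)

    def attempt(self, now, source, user, ok):
        if now < self.blocked_until[source]:
            return "throttled"  # too early: the guess is not even evaluated
        if ok:
            self.failures[source] = 0
            return "success"
        self.failures[source] += 1
        self.blocked_until[source] = now + doubling_delay_seconds(self.failures[source])
        return "failure"


class AccountLockout:
    """The three-strikes policy: lock the account after `limit` failures from anywhere."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, now, source, user, ok):
        if user in self.locked:
            return "locked"  # the real owner is refused too, until the help desk resets
        if ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
            return "locked"
        return "failure"


# Constructed attempt stream: (seconds, source address, account, password correct?).
# 10.0.0.9 guesses at bob's account once a second for five seconds; then the
# real bob logs in from his own machine with the right password.
EVENTS = [
    (0, "10.0.0.9", "bob", False),
    (1, "10.0.0.9", "bob", False),
    (2, "10.0.0.9", "bob", False),
    (3, "10.0.0.9", "bob", False),
    (4, "10.0.0.9", "bob", False),
    (5, "192.0.2.10", "bob", True),
]


def run(policy, events=EVENTS):
    """Feed the stream through a policy and return one outcome per event."""
    return [policy.attempt(*e) for e in events]


if __name__ == "__main__":
    print("1,000,000 guesses, 1 s every 5 tries:",
          fixed_delay_seconds(1_000_000, 5, 1) / 3600, "hours")
    print("1,000,000 guesses, 2 s every 3 tries:",
          fixed_delay_seconds(1_000_000, 3, 2) / 86400, "days")
    print("doubling delay after 20 failures:",
          doubling_delay_seconds(20) / 86400, "days")
    print("per-address backoff:", run(PerSourceBackoff()))
    print("3-strikes lockout:  ", run(AccountLockout(3)))
```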

  88. YES by pclminion · · Score: 1

    Somebody else gets it! Of the 6 passwords I have to use on a daily basis, I cannot recite a SINGLE ONE from memory. I have no idea what they are! But if I sit down at the keyboard, I can type them with no problem.

  89. overreliance on passwords by spatenbrau · · Score: 1

    Many of the places that plaintext passwords are used, one needn't allow a password login at all. The strongest security is to disable all other login services (like telnet, rsh etc) and require remote users to log in via ssh using rsa or dsa keys. The whole beauty of this rsa/dsa-only method is the users could choose easily guessed passwords and the protected computer still wouldn't be at risk from external attackers because the user's password is only used to access their local computer. To break in the remote attacker would still have to guess the RSA or DSA key which is computer-chosen and very long (1024 - 2048 bits). If all computers are configured such that unix passwords are only acceptable for local (console or perhaps hardwired rs-232 terminal) logins, then a remote attacker gains little by discovering the unix plaintext password.

    Protocol 2
    PermitRootLogin without-password
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePam no

    (The last line may fail on computers that have PAM turned off at compile time. Leaving PAM logins on for machines that have PAM globally enabled negates the whole rsa/dsa-only requirement.)

    1. Re:overreliance on passwords by collinl · · Score: 1

      This seems silly to me.
      In other words, the sole protection of the network and all applications you have access to is the password on your workstation/logon account.
      Break one machine, access all your apps and networks, in your name.
      I wouldn't want that liability on my shoulders.

      Lyal

    2. Re:overreliance on passwords by spatenbrau · · Score: 1

      It isn't any worse than the folks that use the same passwords on all the machines anyway. Break one and you have them all (or at least most of them).

      Secondly, and this is the real clincher, the breaking of that first machine can't be done by guessing passwords either. One either needs to be sitting at the console to break that password or have some other sloppy program that allows remote login (or at least file-theft) exploits. One then needs to break the password of the targeted user. This still doesn't leave one any worse off than the case where one can break passwords remotely via password-guessing attacks.

    3. Re:overreliance on passwords by lorcha · · Score: 1
      In other words, the sole protection of the network and all applications you have access to is the password on your workstation/logon account.
      No, the protection of the network is my workstation password AND the passphrase used to encrypt my RSA private key.
      --
      "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  90. There is only one password by Vainglorious+Coward · · Score: 1

    Does anyone remember (and have a link?) the spoof password policy from *mumbles* years ago - it started off innocuously with things like "must not be a dictionary word" and "must include a number", progressed through things like "cannot repeat characters" and "characters must not be adjacent on the keyboard", until the last part was "There is only one password that meets these requirements - please ask your sysadmin to give it to you".

    --
    My next sig will be ready soon, but subscribers can beat the rush
  91. Silly Policy by DarthVain · · Score: 1

    I have commented on this before, as it is something that ticked me off. I work for a large company, in which they recently (last several years) changed their security policy (no idea why, just out of the blue). So now not only do I have a ton of passwords, they also have to change every stupid month, and cannot be the same or like the previous passwords. Talk about a nightmare. I have accounts all over for various networks, different corporate applications, etc... I have little spidery arms out everywhere in IT, and it is hard enough to remember them all. I tried to explain to the IT people (I work with IT, but not for the people who are in charge of our networks or IT security policies) that this sort of policy, while you think you are doing good, is really very very bad. Where I had a handful of passwords that I used to use, I was very protective of them and they were quite good. Now everyone is constantly forgetting their passwords so they end up calling the stupid help desk to get their password reset or released to them. Worse is people finally just get fed up and write them on a sticky note and stick it to their computer. Yeah, good policy in action there.

    Well seeing as no one heeded my warning, I found a fun way to protest:

    Many of my Passwords now are something of this flavor: StupidRandomPass#19 or ITSecurityPolicySucks, or JustAnotherPass#11, IT&SecurityEqual0, etc.... So every time I forget a password, I get a little laugh when I have to contact the schmuck at the Help desk to get my password.... ah fun times. (note none of those are my passwords)

  92. Re:Three unsuccessful attempts and you're locked o by rjstanford · · Score: 1

    do you people have any clue how a brute-force attack is carried out?

    One does not use the password entry UI of the system.


    What's your point? This has nothing to do with the number of attacks it takes for the password verification component to lock the account, no matter what your backend architecture.

    --
    You're special forces then? That's great! I just love your olympics!
  93. Re:Three unsuccessful attempts and you're locked o by bhima · · Score: 1

    My point is a brute-force attack has nothing to do with the number of attacks it takes for the password verification component to lock the account, no matter what the back-end architecture is. In fact the attack doesn't have to even occur on the target's hardware (although it can) nor does it have to use the target's OS (although it can). And as far as I know any OS which does not salt the password hash is susceptible... all of Microsoft's offerings, nearly all Linux distros (SELinux maybe?) and Mac OS X. I do know that OpenBSD does salt the password hash by default. I don't know about Sun or Solaris.

    So any computer which an attacker can perform an account escalation on, or has physical access to, is vulnerable.
    I've seen it done... it took less than 15 minutes to recover every password stored on the box.

    Go read up on it.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  94. Re:Three unsuccessful attempts and you're locked o by bhima · · Score: 1

    Ahh ha! Since Mac OS 10.3 Apple has added a 12-bit salt to the password hash.

    I have no idea about Linux but presumably FreeBSD & NetBSD do too.

    --
    Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
  95. Auditors and "Best Practices" by h4ck7h3p14n37 · · Score: 1

    Having been responsible for the implementation of internal controls in my domain (Solaris servers running B2B applications) as required under the Sarbanes-Oxley Act, I can attest to the fact that auditors make some very stupid demands because that's what the "best practices" say. Unfortunately, in my case we seemed to have an auditor on-site that was fresh out of school and was basically just doing what she was told by her employer and was completely unable to justify such demands. I would explain why something did not make sense in our environment and how it would actually increase our cost of doing business while at the same time adding absolutely no value and get a response of, "well, it needs to be that way".

    Have others encountered these sorts of problems with auditors? What did you do? How do we deal with pointless, or harmful "best practices"?

  96. Re:I've (unfortunately) forced this on users befor by dubl-u · · Score: 1

    Quick tip: having policies you make known are not enforced will not build morale. Some will follow it and resent those that don't. [...] firing someone for password sharing is better for overall morale [...]

    You're creating a false dichotomy. I'm not saying that one should create a bunch of policies and then ignore them. I'm saying one should ask employees to further big-picture goals rather than load them down with a zillion rules that may or may not make sense in all circumstances.

    If they're sharing passwords, that either means they don't understand why it's bad or the system is set up poorly, forcing them to share passwords to get work done. The solution to the former is education; the latter, better systems. If you've got an employee that won't learn or fails to develop good judgement, by all means fire them.

  97. Re:I've (unfortunately) forced this on users befor by D'Arque+Bishop · · Score: 1

    There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

    Considering the laws that have gone into effect concerning accountability and auditing with regard to accounting and IT here in the USA (Sarbanes-Oxley, in particular)... I do believe I understand the purpose and spirit behind the rules, and that is why people get in trouble for sharing passwords. I might not fire them (that's not my decision), but their accounts will certainly be locked out and they will have to explain themselves to management, who thanks to all of the scandals surrounding Enron et al. take Sarbanes-Oxley compliance VERY seriously...

    Just my $.02...

  98. Re:Three unsuccessful attempts and you're locked o by rjstanford · · Score: 1

    So any computer which an attacker can perform an account escalation on, or has physical access to, is vulnerable.

    Who said anything about physical access? In a lot of environments, like your average office setup, you won't have access to the machine that stores the passwords (in whatever format). You have to access through the API. Even if you have root (or whatever) on a local machine, it doesn't give you any special benefit in cracking someone's network password. So if the password server locks the account after 500 invalid attempts, you're still fine.

    I'm not arguing about local machine passwords, but that's not the type of environment we've been discussing anyway.

    --
    You're special forces then? That's great! I just love your olympics!
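    The two sides of this sub-thread (comments 93/94 on offline cracking of a stolen, unsalted hash store, and comment 98 on lockout at the login API) can be seen in one small simulation. This is an added example written for this page, not code from any poster or from Spafford's article. It assumes a toy store where SHA-256 stands in for the password hash so the run is fast; the user names, passwords and the attacker's wordlist are constructed sample data, and a real system would use a slow, salted password hash such as bcrypt, scrypt or Argon2 rather than bare SHA-256.

```python
"""Offline cracking of a stolen hash store vs. guessing through the login API.

Added example, not code from the thread. SHA-256 stands in for the password
hash only to keep the run fast; a real store should use a slow, salted hash.
"""
import hashlib
import os
import secrets

# Constructed sample accounts: two of them share a weak password.
SAMPLE_PASSWORDS = {
    "alice": "Winter2024",
    "bob": "letmein",
    "carol": "Winter2024",
    "dave": "X9!kq#zRp1v@",   # not in the wordlist; should survive
}
# Constructed attacker wordlist, tried in this order.
WORDLIST = ["password", "letmein", "Winter2024", "Summer2024", "qwerty"]


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_store(passwords):
    """Weak store: hash(password) only, so equal passwords give equal hashes."""
    return {user: _h(pw.encode()) for user, pw in passwords.items()}


def salted_store(passwords):
    """Per-user random 16-byte salt stored beside hash(salt || password)."""
    store = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, _h(salt + pw.encode()))
    return store


def crack_unsalted(store, wordlist):
    """Offline attack on a stolen unsalted store: one hash per candidate word
    builds a lookup table that breaks every user at once, and the table could
    have been built before the theft. Returns (recovered, hashes computed)."""
    table = {_h(word.encode()): word for word in wordlist}
    found = {user: table[d] for user, d in store.items() if d in table}
    return found, len(wordlist)


def crack_salted(store, wordlist):
    """Offline attack on a stolen salted store: the salt forces one hash per
    (user, candidate) pair and rules out a precomputed table.
    Returns (recovered, hashes computed)."""
    found, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if _h(salt + word.encode()) == digest:
                found[user] = word
                break
    return found, work


class OnlineVerifier:
    """The password-entry API, the only route for an attacker who does not
    hold the hash store. Locks an account after MAX_FAILURES consecutive
    failures; that caps online guessing but is irrelevant to the offline
    attacks above, which never touch this code."""

    MAX_FAILURES = 2   # deliberately low so the sample run shows a lockout

    def __init__(self, store):
        self.store = store                  # a salted_store()
        self.failures = {user: 0 for user in store}
        self.locked = set()

    def login(self, user, password):
        if user not in self.store or user in self.locked:
            return False                    # locked accounts fail even on the right password
        salt, digest = self.store[user]
        if secrets.compare_digest(_h(salt + password.encode()), digest):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.MAX_FAILURES:
            self.locked.add(user)
        return False


def online_guess(verifier, user, wordlist):
    """Attacker with API access only. Returns (password or None, attempts made)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        if verifier.login(user, word):
            return word, attempts
    return None, attempts


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(unsalted_store(SAMPLE_PASSWORDS), WORDLIST))
    print("salted:  ", crack_salted(salted_store(SAMPLE_PASSWORDS), WORDLIST))
    v = OnlineVerifier(salted_store(SAMPLE_PASSWORDS))
    print("online:  ", online_guess(v, "bob", WORDLIST), online_guess(v, "alice", WORDLIST), v.locked)
```

    Against the unsalted store the attacker recovers alice, bob and carol with five hash computations in total, and alice and carol are visibly the same password before any cracking starts; against the salted store the same three fall, but it costs one hash per user per candidate (thirteen here) and nothing could be precomputed. Through the API, bob's password is found on the second guess while alice's account locks before the right word is reached, which is the point comment 98 makes, and why the lockout threshold says nothing about how long a stolen hash store survives, which is the point of comment 93.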