Spafford On Security Myths and Passwords
An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."
> Doesn't anyone remember the 'pass phrase' thing from awhile back?
> "The quick fox jumps over the lazy brown dog"
Way too long to type.
> D'tart'pp;tfawb?
> Tqfjotlbd
Passphrase-based passwords (take each first letter, caps and semigraphics retained) are a good option.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
I always thought the picture based passwords shown here were a creative way of making passwords.
Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.
Maybe honeypots will become a standard security thing. The password will always work but it won't get you anywhere useful.
http://michaelsmith.id.au
I disagree with his reasoning that the cracking method is obsolete. A couple of years ago I ran our password database through a cracker just out of curiosity. Of course 99% cracked immediately during the dictionary attack, but the ones with odd characters did in fact take over a month to crack. Iirc it took 6 weeks to get all of the users' passwords.
The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was a good combination of stuff, not really something that was attackable by a dictionary and they watched external requests pretty hard (and most of the service providers did also).
But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with passwords and all to do with users' desktops and SSH key management. Everyone wanted symmetric keys so they never needed to type a passphrase or password. No one wanted to mess with keeping their computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.
That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It takes some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.
*shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.
Fewer articles about password management, if it has not been beaten into your head by now you are a lost cause. Let's spend some time on key management and other security issues that are becoming MUCH more useful.
------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin
I still don't see why this is a problem. To me if a person is able to get to where the password is written down that means they can have physical access to the machine (unless the computer is somehow locked inside a desk or something, which isn't very practical). With physical access it would be trivial to hook up a key-logger (I believe one of the OSTG sites, thinkgeek maybe, carries them). Or if you know what you're doing set up a root-kit.
Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
"94 Ford Explorer 5-speed" would be a better password, and would be a lot stronger than "94FE5spd".
A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.
Albuquerque PC
I think you're right -- even if you assume it takes a month for the systematic password search on the mainframe to try every password combination, changing your password doesn't help much.
It does buy you a tiny bit, if they are actually trying every combination. Suppose it takes them two months to try every combo and after one month, your password is still unknown. They are now guaranteed to have it within the next month if you do not change it. If you do change it, then there's a 50% probability that you change it to something in the half they've already tried. It's not hard to work out the expected time to compromise, and you will find that there is some way to maximize it by changing your password at just the right rate.
However, it's a pretty minor benefit. Furthermore, if they are doing anything less than checking every single password, then I'd bet it actually buys you nothing at all. The difference is because in that case, they're not guaranteed to guess your password after a fixed time interval.
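To make the "work out the expected time to compromise" step concrete, here is an added example (not from the thread) that computes it under one explicit model: the attacker sweeps a keyspace of n candidates in fixed cyclic order, and every change_every guesses the user draws a fresh uniformly random password, so the "50% chance it lands in the half already tried" becomes a 1 - k/n chance that a whole interval of k guesses misses. The closed form is checked against a literal simulation of the sweep; the model itself is an assumption of this example.

```python
"""Expected number of guesses before an exhaustive search hits the current
password when the user changes it every `change_every` guesses.

Model (assumed for this example, not stated in the thread):
  * keyspace of n equally likely passwords; the attacker tries one candidate
    per time unit in a fixed cyclic order and never restarts or stops early;
  * every change is a fresh uniform draw, independent of what has been tried.
A fresh draw means each guess in a change interval hits with probability 1/n,
so an interval of k <= n guesses succeeds with probability k/n and the number
of intervals is geometric: E[guesses] = (n/k - 1)*k + (k+1)/2 = n - (k-1)/2.
"""
import random
from fractions import Fraction


def expected_guesses(n: int, change_every: int) -> Fraction:
    """Closed-form expectation under the model above, as an exact rational."""
    k = min(change_every, n)  # an interval longer than a full sweep is a full sweep
    return Fraction(n) - Fraction(k - 1, 2)


def simulate_mean_guesses(n: int, change_every: int,
                          trials: int = 6000, seed: int = 1) -> float:
    """Monte Carlo check: literally run the sweep with periodic password changes."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        password = rng.randrange(n)  # user's current password (index in sweep order)
        position = 0                 # next candidate the attacker will try
        guesses = 0
        while True:
            if guesses and guesses % change_every == 0:
                password = rng.randrange(n)  # user rotates to a fresh random password
            guesses += 1
            if position == password:
                break
            position = (position + 1) % n
        total += guesses
    return total / trials


if __name__ == "__main__":
    n = 200
    for k in (1, 10, 50, 100, 200, 1000):
        print(f"change every {k:4d} guesses: E={float(expected_guesses(n, k)):7.1f}"
              f"  simulated={simulate_mean_guesses(n, k):7.1f}")
```

The table the script prints lets you compare change intervals directly; note that the model assumes the attacker never notices a change and never restarts, which is the scenario the post describes.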
I think Lenovo is starting to sell a lot of finger-print-biometric-scanner notebooks now, it seems to be one of their big selling points for business buyers - not sure if it would work under Linux, but if it's something where you have to scan your finger before it gets through with BIOS it oughta be something embedded into CMOS or some other part of the motherboard, in which case I would think it would still work whether you run Windows or Linux on it...
While I like the idea of pronounceable gibberish passwords, an alternative is to use a pass-phrase and then abbreviate it - like so:
I don't trust password generators from Khazikstan -> Id'tpgfKz
My Birth-Day is February 29th - MB-DiF29th
I like beagle puppies for dinner at 6pm - Ilbpfd@6pm
I like hotdogs for lunch at 12pm - Ilhfl@12pm
Using a phrase like that lets you assign some sort of meaning to the password which can help you recall it in the future. It also lets you use "themed" passwords like the last two which helps at sites with rapid password expiration - you can remember that for a certain system your password is always about a certain theme which makes it easier to remember when you have to change it frequently.
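Two posts in this thread describe the same trick (the earlier "take each first letter, caps and semigraphics retained" suggestion and the abbreviated phrases above), so here is an added implementation that reproduces this post's examples; it is not the commenters' code, and the rules (digit-led tokens kept whole, "at" to "@", hyphen and apostrophe handling, trailing punctuation kept) are my reading of their examples rather than any standard.

```python
import re

# Trailing punctuation that survives abbreviation (e.g. "back?" -> "b?").
_TRAILING_PUNCT = re.compile(r"[?!.,;:]+$")


def abbreviate_passphrase(phrase: str) -> str:
    """Mnemonic abbreviation of a sentence: first letter of each word with its
    case kept; tokens starting with a digit kept whole ("29th", "12pm"); the
    word "at" becomes "@"; each part of a hyphenated word contributes a letter
    with the hyphen kept ("Birth-Day" -> "B-D"); a contraction keeps its
    apostrophe ("don't" -> "d'"); trailing punctuation is kept."""
    parts = []
    for token in phrase.split():
        punct = _TRAILING_PUNCT.search(token)
        tail = punct.group(0) if punct else ""
        word = token[: len(token) - len(tail)]
        if not word:                      # token was punctuation only
            parts.append(tail)
            continue
        if word.lower() == "at":
            parts.append("@")
        elif word[0].isdigit():
            parts.append(word)
        elif "-" in word:
            parts.append("-".join(p[0] for p in word.split("-") if p))
        elif "'" in word[1:]:
            parts.append(word[0] + "'")
        else:
            parts.append(word[0])
        parts.append(tail)
    return "".join(parts)


def character_classes(password: str) -> frozenset:
    """Which of lower/upper/digit/symbol the result contains, so the
    abbreviation can be checked against a complexity rule before use."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)
```

The first example in the post ("Kz" for the last word) does not follow the mechanical rule, which is the point: the scheme is only as unpredictable as the sentence and the personal twists you add to it.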
Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.
I think the GP's point was that physical access to a machine compromises security by definition. If you have physical access to a machine, you can install a keylogger to find the password (as simple as an inline USB dongle on the keyboard), remove the harddrive and crack at your leisure (a bit more noticeable) or anything in between. Hell, you could just cart off the machine.
If you're in a place where security is sufficiently tight to have mechanisms to prevent this (ie: Security Guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
As always, this stuff is for educational purposes only. If you're thinking of doing it, it's probably for illegal purposes so don't blame me if you get caught.
0x09F911029D74E35BD84156C5635688C0
There's also rules on top of that where you can find which character to capitalize and where to add symbols and spaces.
HD Trailers
Despite what everyone is saying, these passwords are pronounceable, and for the really important passwords that you use frequently, you can memorise them fairly easily.
I currently use completely random character sequence passwords for my main accounts. I keep them written down until I've learnt them (after a week maybe), then destroy the piece of paper. Since the passwords are strong, I don't need to change them very often.
For all the other minor accounts that I need passwords for as well, I still use randomly generated passwords, but keep them in a keyring application on a memory stick, so I only need to remember its master password, and I can still have a different password on every account. I carry the stick around just like I carry around a bunch of keys (same thing really).
Yes, good passwords are a nuisance, but if it's convenience you want then just use something easy to guess like '7of9', 'top5ecret', or even the classic 'admin'.
Z.
(Posted Anonymously for obvious reasons) A long, long, long time ago. Ya know, '94 or so. I was trying to download a bit of software. Somewhere around 80 megs or so. Trouble is, my current service would download ftp to their local BBS, and then serve to me, and they had a 20 meg cap.
So, just being playful in my youth, I was poking at a local ISP. I found an account still set to the default password. Nothing great there, but in /tmp was a world readable passwd file. Not shadowed. So I snagged it, and loaded up cracker jack, and went to bed. My poor little 486DX managed to crack three passwords by the time I woke up. Only one was active, so I "borrowed" it to download the software, transfer it to me, and left a note to the user advising him to change his password. No malicious use. Just borrowed and returned, less than 5 hours total.
Long story short, even that horrifically underpowered box was able to crack a couple of passwords from a passwd file. Now with evildoers being able to purchase time on botnets for $.01s, I wouldn't underestimate the power of snooping, sniffing, and cracking. Even for what you think might be secure data.
Allow me a horrible analogy: the fight between fortification and weapons will never end. Walls, moats, castles. Swords, arrows, cannons. And it goes on and on. So will be the same with security. You have to constantly be on top of it.
I do agree with the author's insight into risk assessment. Keeping your game box secure probably requires less work than keeping bank transactions secure.
But now I ramble....
I used to be responsible for IT security for my previous employer and found that the biggest danger to any password based security is the user. When I started there were no passwords in use anywhere. After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement). I was not popular. (this may have been the passwords or possibly the pave and nuke job I did on all the corporate desktops killing at least 3 of those electronic pet things...)
The good news is that after the first month the number of password resets required reduced dramatically and we actually had some accounting of user activity on things like network use etc..
However 6 months in we started to note the usual issues of people sharing passwords (i.e. how come John doe is logged on on three computers at the same time...) and had to curb that.
Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)
Again our security situation improved (I should point out that we did have internal users actively engaged in 'hostile' activities for their own gain...) and we were quite happy for a while..
Finally we started to carry out regular penetration testing, including a social engineering portion, this bit surprised me most. I came to the conclusion that 70% of our user base would give out their user name and password to anyone claiming to be IT staff - including when the tester called from outside of the company, and the number showing as internal.
So in short the problem with security is always going to be with the user, that is as long as the user is authenticated by either password, or token (swipe card etc..) and will only become significantly better when security is based on something the user can't forget or lose. Oh and anyone trying to implement security is always going to be the bad guy if it causes inconvenience.... And best practice in my opinion is finding reasonable security procedures that are applicable to your situation, whether that's a 4 digit pin, daily changing 12 character complex passwords or rectal probes and dna testing, and then more importantly implementing it in such a manner that it is actually adhered to.
just my thoughts
I have to disagree with your statements. There's two things to keep in mind here - one is minimizing the risk of compromise, and the other is minimizing the damage. The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only help minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.
I certainly don't claim that the damage will be reduced, and as always it depends on the situation. If password compromise leads to total administrative control of your network by a malicious entity, well, then, you're a bit screwed. But if someone manages to obtain one or two user passwords through social engineering and is biding their time, poking around a bit, then a user being forced to change their password suddenly closes up that hole.
Of course, you're still not dealing with the root cause (in the case of Social Engineering, user education, but there are many others). But regardless of passwords being changed regularly or not, those root causes will exist and need to be addressed. My argument is simply that regular password changing can provide enough benefit to make it worthwhile to enforce.
Give 10 or 20 attempts, dammit.
Screw that. Give 500. Give a number so ridiculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.
You're special forces then? That's great! I just love your olympics!
p.s. this research was brought to you by 3M