Slashdot Mirror


Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

2 of 356 comments (clear)

  1. Picture Passwords by Metabolife · · Score: 5, Interesting

    I always thought the picture based passwords shown here were a creative way of making passwords.

    Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

  2. Passwords? by bm_luethke · · Score: 5, Interesting

    The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was good combination of stuff, not really something that was attackable by a dictionary and they watched external requests pretty hard (ad most of the service providers did also).

    But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with password and all to do with users desktops on SSH key management. Everyone wanted symetric keys so they never needed to type a passphrase of password. No one wanted to mess with keeping thier computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

    That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It take some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.

    *shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

    Less articles about password management, if it has not been beat into your head by now you are a lost cause. Lets spend some time on key management and other security issues that are becoming MUCH more useful.

    --
    ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it