Slashdot Mirror


Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

70 of 356 comments

  1. Password changing by mikesd81 · · Score: 2, Insightful

    I still think changing passwords periodically is a great idea. Even just to keep some cracker on his toes, or in case you accidentally wrote it down or divulged it or typed it in the wrong field and it is in clear text.

    You have a more secure system if it's harder to use a password when un-authorized. Especially if the user is an Admin account.

    --
    That which does not kill me only postpones the inevitable.
    1. Re:Password changing by Psychotria · · Score: 5, Insightful

      I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in fewer passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

    2. Re:Password changing by mikesd81 · · Score: 2, Informative

      But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Explorer 5spd) or if you must write them down, lock them in a desk drawer or lock box or hide them in that secret compartment in the bookshelf, then it's a little more acceptable.

      No 94FE5spd is NOT my password for /. :)

      --
      That which does not kill me only postpones the inevitable.
    3. Re:Password changing by tazan · · Score: 3, Interesting

      I disagree with his reasoning that the cracking method is obsolete. A couple of years ago I ran our password database through a cracker just out of curiosity. Of course 99% cracked immediately during the dictionary attack, but the ones with odd characters did in fact take over a month to crack. IIRC it took 6 weeks to get all of the users' passwords.

    4. Re:Password changing by c_forq · · Score: 2, Interesting

      resulting in fewer passwords being scribbled on pieces of paper and left around on the desk, or in the bin

      I still don't see why this is a problem. To me if a person is able to get to where the password is written down that means they can have physical access to the machine (unless the computer is somehow locked inside a desk or something, which isn't very practical). With physical access it would be trivial to hook up a key-logger (I believe one of the OSTG sites, thinkgeek maybe, carries them). Or if you know what you're doing, set up a root-kit.

      --
      Computers allow humans to make mistakes at the fastest speeds known, with the possible exception of tequila and handguns
    5. Re:Password changing by mattkinabrewmindspri · · Score: 2, Interesting

      "94 Ford Explorer 5-speed" would be a better password, and would be a lot stronger than "94FE5spd".

      A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

    6. Re:Password changing by harborpirate · · Score: 5, Insightful

      I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. Frequent Password Changing Makes a System More Secure is an old wives' tale.

      Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing password in login box and such). Of the three, this presents the least risk by far, and generally the user is aware of this occurrence and with proper education will know to immediately change their password.

      Forcing a user to change password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be compromised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

      As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

      Caveat:
      The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continuously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as provide the aforementioned small measure of protection against cracking.

      Please, stop forcing password changes on user accounts. It's a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

      Rant complete.

      --
      // harborpirate
      // Slashbots off the starboard bow!
    7. Re:Password changing by LordLucless · · Score: 3, Interesting

      I think the GP's point was that physical access to a machine compromises security by definition. If you have physical access to a machine, you can install a keylogger to find the password (as simple as an inline USB dongle on the keyboard), remove the hard drive and crack at your leisure (a bit more noticeable) or anything in between. Hell, you could just cart off the machine.

      If you're in a place where security is sufficiently tight to have mechanisms to prevent this (ie: Security Guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    8. Re:Password changing by MrLizardo · · Score: 2, Funny

      The biggest threat to security is often from within the corporation/organization itself. And there's a big difference between being able to walk by someone's desk and see the sticky note with the password on it versus climbing under their desk and putting a key-logger between the system and the keyboard. Think about the following two scenarios:

      Scenario 1:
      Worker: What were you doing going through the drawers in my desk for while I was away?
      Cracker: Sorry. I was looking for a stapler.

      Scenario 2:
      Worker: What were you doing crawling around under my desk, screwing with my computer?
      Cracker: Sorry. I was looking for a stapler.

      See, one of these activities is a little more dubious than the other. Also, you don't have to be a 1337 hax0r to be a threat to security. All you have to do is have access to a file/account/system you shouldn't.

      --
      ^I'm with stupid.^
    9. Re:Password changing by ObsessiveMathsFreak · · Score: 2, Insightful

      I still think changing passwords periodically is a great idea.

      I think that idea sucks.

      What's the advantage? Crackers find it harder to crack things? Why? Because the password will have expired by the time they crack it? Maybe, maybe not. Unless you rotate passwords every month, at this stage, rotation is useless.

      Maybe a better solution would be to make passwords the first line of defense, not the last. Simply assume they will eventually be broken, no matter how many times you rotate and plan accordingly.

      For that matter, why are admins still making things easy for the cracker? I read somewhere that 90% of all military databursts are in fact random noise, to frustrate the crackers' brute-force attacks. Why don't regular networks do this?

      In the meantime, stop relying on passwords, or biometrics, or passphrases, or usb-keys for access to the system. Passwords should get you one thing and one thing only, a prompt/desktop. Everything else should be subject to finely granulated access, with logs. At this current time, on most networks, the only thing higher than normal user level access is root/domain controller.

      --
      May the Maths Be with you!
    10. Re:Password changing by Sique · · Score: 4, Insightful

      Everything that affects the machine compromises security by definition. So that's no argument as such; you have to elaborate. The connection made between 'written down passwords' and 'physical access to a machine' is very weak. Of course: if I got into the secured building with the computer desk, it may be easier to just root the computer and then access whatever you want than to break into the file cabinet and search for the password. But security by itself does not only contain prevention of a compromise, but also detection of a compromise. And a security breach by physical access to a machine is often much easier and timelier to detect than physical access to the written-down password. Stick-It notes don't log access, as far as I remember ;). So if it is an inside job, a security breach may go unnoticed if the attacker just reads the password while passing by and then tries it from another machine, or if he just seems to 'look for that one file I left on the desk' and searches for the password. In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password-protected entity), and thus the detection of both is more complicated.

      --
      .sig: Sique *sigh*
    11. Re:Password changing by LordLucless · · Score: 3, Informative

      In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password-protected entity), and thus the detection of both is more complicated.

      And yet, the same could be said for the installation of a USB keylogger if given physical access to the machine. The greater danger with writing the password down, I find, isn't so much unauthorized access as improperly authenticated access. You're not in danger of industrial espionage so much as someone logging in using a coworker's account to do something illegal/immoral. And if that's the case, well, it's the problem of the user who wrote down the password, not the sysadmin.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    12. Re:Password changing by WhoDey · · Score: 2, Interesting

      I have to disagree with your statements. There are two things to keep in mind here - one is minimizing the risk of compromise, and the other is minimizing the damage. The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only help minimize the risk of compromise due to guessing and cracking, and then only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.

      I certainly don't claim that the damage will be reduced, and as always it depends on the situation. If password compromise leads to total administrative control of your network by a malicious entity, well, then, you're a bit screwed. But if someone manages to obtain one or two user passwords through social engineering and is biding their time, poking around a bit, then a user being forced to change their password suddenly closes up that hole.

      Of course, you're still not dealing with the root cause (in the case of Social Engineering, user education, but there are many others). But regardless of passwords being changed regularly or not, those root causes will exist and need to be addressed. My argument is simply that regular password changing can provide enough benefit to make it worthwhile to enforce.

    13. Re:Password changing by Phleg · · Score: 3, Funny

      A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.
      You must be new here.
      --
      No comment.
    14. Re:Password changing by LordSnooty · · Score: 4, Informative

      Use a computer program to store them - e.g. PasswordSafe - the logic of storing all your passwords in a program may seem strange, but if you can keep the database in a safe place - on your USB key, for example - it should be a lot more secure than writing them down. A "cracker" would still need a password to open the database. At least you only have to remember one password.

    15. Re:Password changing by hal9000(jr) · · Score: 3, Informative

      Have a look at LophtCrack (think that was its name) which did exactly this for windows systems.

      That's not entirely true. L0phtCrack leveraged a brain-dead authentication mechanism in Windows NT using NTLM passwords. NTLM can be from 1 to 14 characters in length. What happens is the password is split into two 7-character passwords and, using an unsalted hash, concatenated and stored. If the password was under 7 characters a constant was used for the upper 7 characters, so by simply parsing the string you could tell if the password was more or less than 8 characters (which had great performance improvements).

      I probably missed some steps in here, but that is essentially it.

    16. Re:Password changing by Pollardito · · Score: 2, Interesting
      And a security breach by physical access to a machine is often much easier and timelier to detect than physical access to the written-down password. Stick-It notes don't log access, as far as I remember ;)

      The solution is simple! Cover your desk in a sea of Post-It notes containing various usernames and passwords, make some of the usernames be accounts with no real password listed on the desk, and check those accounts regularly for attempted logins. It's like personal steganography. If it's too hard to remember which notes have the right passwords, you can write down a reminder for yourself on another Post-It that you stick under your desk.

      p.s. this research was brought to you by 3M
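      The joke above describes a real detection control: decoy ("canary") accounts that nobody should ever log in to, so any attempt against them is a signal. The following is an added example (mine, not Pollardito's or Slashdot's code) that scans a constructed sshd auth.log excerpt for login events against such accounts; the decoy usernames, hostnames and addresses are made up for the example.

```python
import re
from dataclasses import dataclass

# Decoy usernames that belong to no real person or service: nobody has a
# legitimate reason to try them, so any attempt is an alert. (Constructed
# list for this example.)
CANARY_ACCOUNTS = {"jsmith-backup", "svc_reports", "oldadmin"}

# syslog prefix written by OpenSSH: "Mon DD HH:MM:SS host sshd[pid]: message"
_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# The three sshd messages that name the account an attempt was made against.
_EVENTS = (
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"), "accepted"),
    (re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"), "failed"),
    (re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"), "invalid"),
)


@dataclass(frozen=True)
class CanaryHit:
    timestamp: str
    user: str
    source: str
    outcome: str  # "accepted" is the serious one: the decoy's password was used


def parse_auth_line(line):
    """Return (timestamp, user, source_ip, outcome) for an sshd login event, else None."""
    m = _PREFIX.match(line)
    if not m:
        return None
    for pattern, outcome in _EVENTS:
        hit = pattern.search(m.group("msg"))
        if hit:
            return m.group("ts"), hit.group("user"), hit.group("ip"), outcome
    return None


def find_canary_hits(lines, canaries=CANARY_ACCOUNTS):
    """Every login event, successful or not, against a decoy account."""
    hits = []
    for line in lines:
        event = parse_auth_line(line)
        if event and event[1] in canaries:
            hits.append(CanaryHit(*event))
    return hits


# Constructed auth.log excerpt: one real user, a probe of a decoy, and a
# successful login with a decoy's password (the "someone read the Post-it" case).
SAMPLE_LOG = [
    "Mar  3 09:12:01 fileserver sshd[2213]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2",
    "Mar  3 09:15:44 fileserver sshd[2290]: Invalid user svc_reports from 192.0.2.77 port 41002",
    "Mar  3 09:15:46 fileserver sshd[2290]: Failed password for invalid user svc_reports from 192.0.2.77 port 41002 ssh2",
    "Mar  3 09:20:10 fileserver sshd[2301]: Failed password for bob from 192.0.2.10 port 50130 ssh2",
    "Mar  3 09:21:05 fileserver sshd[2310]: Accepted password for oldadmin from 198.51.100.8 port 60010 ssh2",
    "Mar  3 09:22:00 fileserver cron[2311]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG):
        print(f"{hit.timestamp} canary account {hit.user!r} {hit.outcome} from {hit.source}")
```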
    17. Re:Password changing by harborpirate · · Score: 2, Insightful

      The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only help minimize the risk of compromise due to guessing and cracking, and then only somewhat. But regular password changes can also help to minimize the damage when a password is compromised via other methods.

      I have to disagree.

      First of all, again: the most common method for password discovery is directly related to the user. If this was the discovery method, our enemy will easily use the same methodology to obtain the password again when it has been changed.

      If the password is cracked through guessing, snooping, etc - the problem is that the user is likely to choose a new password which is very close, or just as insecure as their old password. The first thing I would try as a cracker, if someone had a reasonably hard password and changed it, would be to try every variation of the last character. If they had an easy password ("password" or some other dictionary word), I'd just know that I could run a speedy dictionary attack against their password and have it cracked in no time. These two methods of user password changing represent the vast majority - thus forcing a password change has not made the password significantly more secure because the original password was discovered.

      --
      // harborpirate
      // Slashbots off the starboard bow!
  2. APG by wuzzeb · · Score: 5, Funny

    I have found that using APG is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

    lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
    drywaWrop2 (dry-wa-Wrop-TWO)
    ScekGul4 (Scek-Gul-FOUR)
    lacWaup7 (lac-Waup-SEVEN)
    IphIaft3 (Iph-Iaft-THREE)
    glidTevPos8 (glid-Tev-Pos-EIGHT)
    1. Re:APG by Captain+Zep · · Score: 2, Interesting
      Sounds like I'm in the minority, but I think this APG thing looks pretty good, assuming it generates from a large enough space.

      Despite what everyone is saying, these passwords are pronounceable, and for the really important passwords that you use frequently, you can memorise them fairly easily.

      I currently use completely random character sequence passwords for my main accounts. I keep them written down until I've learnt them (after a week maybe), then destroy the piece of paper. Since the passwords are strong, I don't need to change them very often.

      For all the other minor accounts that I need passwords for as well, I still use randomly generated passwords, but keep them in a keyring application on a memory stick, so I only need to remember its master password, and I can still have a different password on every account. I carry the stick around just like I carry around a bunch of keys (same thing really).

      Yes, good passwords are a nuisance, but if it's convenience you want then just use something easy to guess like '7of9', 'top5ecret', or even the classic 'admin'.

      Z.

    2. Re:APG by ajs318 · · Score: 3, Informative
      Unix is a bit more "self assembly" than VMS. Try this. It's a little Perl script I wrote to generate passwords. The standard form is CCVCDCVC which is fairly "pronounceable"; obviously you can customise it. To get around issues with letters looking like numbers and vice versa, it will never use a capital letter O nor a small letter L in a password. Save it in /usr/local/bin/pwgen and chmod it 755.
      Usage:

      pwgen [username]

      If a username is not specified, generates a "pronounceable" password of the form consonant, consonant, vowel, consonant, digit, consonant, vowel, consonant and displays it on STDOUT; along with its scrambled form suitable for usermod(8) or direct editing of the password file.
      If a username is specified, and that user actually exists, then pwgen sets the new password using usermod(8).
      NB. My careful indenting was spoiled by Slashdot. Feel free to un-spoil it. Good job it's written in Perl and not That Other Language!
      #!/usr/bin/perl -w
      # this is /usr/local/bin/pwgen
      use strict;

      my ($password, $salt, $scram, $user, @stuff);

      $user = shift || "";

      # Vowel, upper-cased one time in four; 'o' is left alone so that a
      # capital O can never be mistaken for a zero.
      sub vowel {
          $_ = substr "aeiou", int rand 5, 1;
          tr/aeiu/AEIU/ if rand() > .75;
          return $_;
      }

      # Consonant, upper-cased one time in four; 'l' only ever appears as a
      # capital L so that it can never be mistaken for a one.
      sub consonant {
          $_ = substr "bcdfghjkLmnpqrstvwxyz", int rand 21, 1;
          tr/a-z/A-Z/ if rand() > .75;
          return $_;
      }

      sub digit {
          return int rand 10;
      }

      # One character from the 64-character crypt(3) salt alphabet.
      sub saltchar {
          return substr "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./", int rand 64, 1;
      }

      $password = consonant() . consonant() . vowel() . consonant()
                . digit() . consonant() . vowel() . consonant();

      # '$1$' selects the MD5-based crypt(3) scheme, which takes an 8-character salt.
      $salt = '$1$';
      foreach (1 .. 8) {
          $salt .= saltchar();
      }
      $salt .= '$';
      $scram = crypt $password, $salt;

      print "\nAJS's password generator - now with no Os or ls!\n";
      print "-" x 48 . "\n\n";
      print "Password is $password.\n";
      print "Scrambled form is '$scram'.\n";

      if ($user) {
          if (@stuff = getpwnam $user) {
              # List form of system(): no shell is involved, so $user and $scram
              # are passed as arguments rather than interpolated into a command line.
              system "usermod", "-p", $scram, $user;
              print "Set password for '$user' to '$password'.\n";
          }
          else {
              print "There is no such user as '$user'.\n";
          }
      }

      print "\n";

      exit;

      Copyright 2005-2006 AJS.

      Distribution of this program in Source Code form is allowed, with or without modification, provided that this licence accompanies every copy of the program. Distribution in binary executable form, where applicable, is permitted only in conjunction with complete corresponding Source Code and build instructions.

      Statement of Warranty: the copyright holders warrant that this program, when run on a properly-functioning computer, will perform substantially as indicated by the source code. No other warranty is made in respect of the program. If you are in doubt as to what this program does, you should consult a competent programmer.

      This licence is in addition to, and is not to be construed as prejudicing, any statutory rights granted to you under the Law of the Land.
      --
      Je fume. Tu fumes. Nous fûmes!
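      How much a CCVCDCVC password actually buys you is left open in the thread. The following is an added example (my code, not ajs318's script or APG) that computes the size of that password space and its Shannon and min-entropy from the rules the script applies: uniform choice from its own consonant and vowel strings, a one-in-four upper-casing, and the rule that 'o' and 'L' have only one case form. The function and constant names are my own.

```python
from collections import Counter
from math import log2

# Character classes as the pwgen script above draws them (its own string literals).
CONSONANTS = "bcdfghjkLmnpqrstvwxyz"   # 21 choices; 'L' is already upper case
VOWELS = "aeiou"                       # 5 choices; 'o' is never upper-cased
DIGITS = "0123456789"
CASE_FLIP = 0.25                       # tr/.../ if rand() > .75


def class_distribution(alphabet, flip_prob, no_upper=""):
    """Probability of each distinct output character for one template slot.

    A character is drawn uniformly, then upper-cased with probability
    flip_prob; characters that are not lower-case letters, or that are listed
    in no_upper, are emitted as drawn."""
    dist = Counter()
    base = 1.0 / len(alphabet)
    for ch in alphabet:
        if not ch.islower() or ch in no_upper:
            dist[ch] += base
        else:
            dist[ch] += base * (1 - flip_prob)
            dist[ch.upper()] += base * flip_prob
    return dist


# One distribution per template letter: C = consonant, V = vowel, D = digit.
SLOTS = {
    "C": class_distribution(CONSONANTS, CASE_FLIP),
    "V": class_distribution(VOWELS, CASE_FLIP, no_upper="o"),
    "D": class_distribution(DIGITS, 0.0),
}


def analyse(template):
    """Return (distinct_passwords, shannon_bits, min_entropy_bits) for a template.

    Shannon entropy is the average information per password; min-entropy
    (-log2 of the single most likely password) is what a guesser who tries
    the likeliest candidates first actually faces."""
    distinct = 1
    shannon = 0.0
    min_entropy = 0.0
    for slot in template:
        dist = SLOTS[slot]
        distinct *= len(dist)
        shannon += -sum(p * log2(p) for p in dist.values())
        min_entropy += -log2(max(dist.values()))
    return distinct, shannon, min_entropy


if __name__ == "__main__":
    n, h, hmin = analyse("CCVCDCVC")
    print(f"distinct passwords: {n:,} ({log2(n):.1f} bits of space)")
    print(f"Shannon entropy: {h:.2f} bits, min-entropy: {hmin:.2f} bits")
```

      The min-entropy comes out within a fraction of a bit of the 21^5 * 5^2 * 10 space you get with no case flipping at all, because the single-case characters 'L' and 'o' are the most likely outputs in their slots; the flips raise the average but not the worst case.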
    3. Re:APG by ZeroExistenZ · · Score: 2, Insightful
      I had the idea that it might be more secure to use full-travel keyswitches with built-in OLED or LCD display elements {rather than a touchscreen, which creates errors through the absence of negative feedback} and scramble the key layout for each user {possibly even for each digit, though this might be too confusing}. This way, although you know what keys the person in the next checkout lane was pressing, you don't know what number they were entering.

      I think you're absolutely right with this. It would be more secure, and I would applaud it and implement it myself where possible if that sort of added security were available...

      It's just because of the "habit" of typing my passwords that I memorized most of my passwords by pattern. (As I often don't think anymore about what each individual finger is doing when I type, but I still type quite well.)

      Just look at nearly every keyboard or input-device; the F and J have some sort of deviating surface to identify the position on your keyboard by touch ("touch-typing"). On numerical input-devices you always have the 5 standing out. Which is a convenience which helps you orientate on your input-device, but as you pointed out it's a security risk: as everything has such a standard "lay-out", it's possible to get to know passwords by observing not what, but how one enters a password. (This reminds me of this program which could capture passwords by "listening" to how one entered a password.)

      It's a problem, definitely. I think authentication via eIDs and other smart-cards is a plausible solution, but it's kind of creepy privacy-wise. (And those can be quite easily stolen. And for the signature you again have a PIN... back to start.)

      --
      I think we can keep recursing like this until someone returns 1
  3. Password change policy by MichaelSmith · · Score: 4, Insightful

    We all know that it's stupid. People write it down on post-it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin, who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

    That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

    1. Re:Password change policy by KiloByte · · Score: 2, Funny

      That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

      I'm afraid that you have never seen a corporate environment; otherwise you wouldn't mention "doing the sensible thing".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Password change policy by ehrichweiss · · Score: 2, Interesting
      I only have one question. What if the cracker is the one who gets the "it's time to change your password" message, they change it to something they know and then back again to the original? Think anyone's gonna notice? Depending on the host OS, it could be trivial to exploit a man in the middle attack to acquire the password from that user when they logon, just have a script that checks for a value on a webpage (or a million other things) that you control. If it finds it then it puts the user right back in front of a legit looking logon screen; they re-enter and it emails the result to one of a large list of email addy's you have set up. Better check those .*shrc's.

      As always, this stuff is for educational purposes only. If you're thinking of doing it, it's probably for illegal purposes so don't blame me if you get caught.

      --
      0x09F911029D74E35BD84156C5635688C0
  4. One attack he didn't mention... by patio11 · · Score: 5, Funny

    ... getting your server brute-forced by a Slashdotting.

  5. Couldn't agree more on some points by tanveer1979 · · Score: 3, Insightful

    Monthly change policies: they are simply stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. The other option is to educate them to choose good passwords, but that works with half the people. Best solution: don't let the users choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on the internal network was set this way. You would click on a button saying, choose new password. Many options would appear and you chose one. If you didn't like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6-letter words, sometimes easy to remember combinations would appear, like y1pl3t. Remember it as yiplet!

    If you don't have the benefit of a machine generator and want to specify something rememberable, don't be too obvious. For example, you have a poodle named fido (if you do, I doubt you would be reading /.). So you can have a password which is easy to crack: fidopoodle. But if you go with pfoioddole, or better pf010dd0l3, only you can remember it and guessing it will be almost impossible.
    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
    1. Re:Couldn't agree more on some points by dgatwood · · Score: 3, Insightful
      Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security. No, seriously.

      If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.

      Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).

      Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Couldn't agree more on some points by cyborch · · Score: 3, Funny

      ... there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices ...

      ... 99% of security compromises ...

      ... 25% of people ...

      In other news: 87.3% of all surveys are made up on the spot.

    3. Re:Couldn't agree more on some points by suv4x4 · · Score: 2, Informative

      "So you can have a password which is easy to crack: fidopoodle. But if you go with pfoioddole, or better pf010dd0l3, only you can remember it and guessing it will be almost impossible."

      Yup, impossible, there's apparently this belief that hackers have no "1" and "3" on their keyboard so that every I should be written as 1, and every E as 3.

      When, like 90% of the passwords are made that way, guess what, it's not harder to guess.

  6. Absolutely true by Chairboy · · Score: 5, Insightful

    I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alpha numeric characters, and (this is the kicker) were required to be changed every few weeks.

    I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) writing their passwords down at their desks.

    Writing. Their. Passwords. Down.

    It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad, in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

    A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

    1. Re:Absolutely true by Barnoid · · Score: 2, Insightful

      I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) writing their passwords down at their desks.

      Writing. Their. Passwords. Down.

      It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.

      If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly, you can write your password down without posting it to the monitor, and even so, a remote attacker still can't see your post-it notes on the screen.

      In my lab, I don't worry about co-workers knowing passwords of their colleagues. I'd rather have them write it down if it withstands a brute force attack on the SSH/webmail interface.

    2. Re:Absolutely true by Beryllium+Sphere(tm) · · Score: 3, Informative

      >Writing. Their. Passwords. Down.

      The part which should horrify you is the At. Their. Desks. part. If the paper with their password is in their wallet, protected as well as their ~$100 in cash, and especially if it doesn't have other login details on it -- well, some places need more security than that but not all. At that point the paper with the password on it becomes a strange kind of hardware token.

      Even the At. Their. Desks. part should be kept in perspective. You should close attack paths on general principles of course but remember that anyone standing at the person's desk has physical access. Physical access gives you a lot of other worries though all of them require more motivation than reading somebody's password does.

    3. Re:Absolutely true by timbck2 · · Score: 2, Insightful
      Yep, sure does. When I go home, my company-supplied laptop goes with me. I could leave my password taped to my monitor, and it wouldn't do anyone any good, unless they broke into my house...
      ... or steal your laptop out of your car, or off the subway, or from the coffee shop, or wherever you take it.
      --
      Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
  7. Advice on passwords by Brandee07 · · Score: 4, Insightful
    Advice my dear mother gave me a long time ago:

    Passwords are like toothbrushes; change them every three months and don't share them with your friends.

    With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

    1. Re:Advice on passwords by dgatwood · · Score: 4, Insightful
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

      Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

      No, seriously. It is.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Advice on passwords by raftpeople · · Score: 2, Funny

      It happened to me. I was logging onto some box after having passed through a few different operating systems on various boxes to get there; when I keyed in my password the damn thing got echoed back to the screen and the person behind me started laughing (it was one of those passwords you wouldn't tell your mom about!).

    3. Re:Advice on passwords by wfberg · · Score: 5, Insightful

      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      The problem lies with badly designed operating system/windowing system software that allows windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Windows applications especially love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into PuTTY's Pageant, for example)... *sigh*

      --
      SCO employee? Check out the bounty
    4. Re:Advice on passwords by wildsurf · · Score: 4, Funny

      Passwords are like toothbrushes; change them every three months and don't share them with your friends.

      Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

      --
      Weeks of coding saves hours of planning.
  8. My Rule of Thumb by QuantumG · · Score: 4, Insightful

    I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

          "You have to balance security with convenience."

    Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

    --
    How we know is more important than what we know.
  9. MOD PARENT +5 Funny! by WoTG · · Score: 2, Funny

    Uh... yeah, those passwords look easy enough to remember.

    Heck, I forgot my 4 digit alarm code about 6 months ago... and you want me to remember how to "spell" glid-Tev-Pos-EIGHT???

  10. pass PHRASE by Tumbleweed · · Score: 3, Insightful

    Doesn't anyone remember the 'pass phrase' thing from awhile back? You know - less complex but much longer passwords, so they're secure but easy to remember? "The quick fox jumps over the lazy brown dog" type of thing (though that should probably not be allowed :)

    Just please, NO biometrics.

    1. Re:pass PHRASE by Vo0k · · Score: 4, Interesting

      > Doesn't anyone remember the 'pass phrase' thing from awhile back?
      > "The quick fox jumps over the lazy brown dog"

      Way too long to type.

      > D'tart'pp;tfawb?
      > Tqfjotlbd

      Passphrase-based passwords (take each first letter, caps and semigraphics retained) are a good option.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
  11. I write passwords down... by cirby · · Score: 3, Funny

    Well, they *look* like passwords.

    They're not actually *to* the systems they're next to, but it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

    1. Re:I write passwords down... by MichaelSmith · · Score: 2, Interesting
      it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

      Maybe honeypots will become a standard security thing. The password will always work but it won't get you anywhere useful.

  12. Picture Passwords by Metabolife · · Score: 5, Interesting

    I always thought the picture based passwords shown here were a creative way of making passwords.

    Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

    1. Re:Picture Passwords by Red+Alastor · · Score: 2, Insightful
      Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.
      Forget security too. There is a limited number of points in a picture that are easy to spot and remember (windows, people heads, signs, whatever) so it's very easy to brute force.
      --
      Slashdot anagrams to "Sad Sloth"
  13. Passwords? by bm_luethke · · Score: 5, Interesting

    The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was a good combination of stuff, not really something that was attackable by a dictionary, and they watched external requests pretty hard (and most of the service providers did also).

    But the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with passwords and all to do with SSH key management on users' desktops. Everyone wanted symmetric keys so they never needed to type a passphrase or password. No one wanted to mess with keeping their computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

    That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent, but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious; heck, many of us even had "secret" clubs in elementary school that did similar stuff. However, strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It takes some amount of knowledge to "get it", along with thinking about having the private keys stored in unsafe places.

    *shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

    Fewer articles about password management; if it has not been beaten into your head by now you are a lost cause. Let's spend some time on key management and other security issues that are becoming MUCH more useful.

    --
    ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
  14. Shoulder surfable. by loqi · · Score: 3, Insightful

    You ever wonder why password fields don't echo the actual characters back to the screen?

    --
    If other reasons we do lack, we swear no one will die when we attack
    1. Re:Shoulder surfable. by Rob+the+Bold · · Score: 2, Funny
      You ever wonder why password fields don't echo the actual characters back to the screen?

      I used Lotus Notes for a while, and it had a "cool" feature of echoing seemingly-random numbers of hieroglyphics when you typed each character of a password. You never knew if your finger slipped or if you did just type bird-bird-eye-"guy going like this"-bird-ankh-ankh-ankh. Worse than single stars, worse than nothing, really.

      --
      I am not a crackpot.
  15. I've (unfortunately) forced this on users before by Corbets · · Score: 3, Insightful

    From a comment I just made on Spaf's blog....

    I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked), so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords every time someone left.

    And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.

  16. Password "best practices" are counter-productive. by Symphonix · · Score: 3, Informative

    The company I work for enforces a lot of these password "best practice" rules. Most of our systems require passwords to be exactly 8 characters long, containing one digit but not in the first or last position, and must be changed every month. I'm certain this only makes things less secure, as users have a tendency to use even dumber and less secure passwords under these rules. For instance, if you instruct ten thousand users to change their password every month, then at least 500 of them will have "APRIL" or "APR" in their password at this very moment - even if you expressly forbid them to do this. Having complicated rules like "You must use 8 characters, including a digit in the middle" means that helpdesk staff often need to explain to the user several times what their password can be, and what they might or might not be able to have. When the average luser is now spending 3 minutes asking helpdesk - quite loudly in a crowded office - whether "BENJIDOG4" is a good password or not, then you've instantly lost the security of the password. Would it be more secure to let the user set a password without any requirement for it to contain numbers, or is it more secure to include the requirement and have every second user holding a long and loud discussion with everyone around them about what they're putting in and why won't it frickin work?

  17. Easy for a Star Trek Fan Maybe... by Qybylance · · Score: 5, Funny

    They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

  18. Re:He's wrong by honkycat · · Score: 2, Interesting

    I think you're right -- even if you assume it takes a month for the systematic password search on the mainframe to try every password combination, changing your password doesn't help much.

    It does buy you a tiny bit, if they are actually trying every combination. Suppose it takes them two months to try every combo and after one month, your password is still unknown. They are now guaranteed to have it within the next month if you do not change it. If you do change it, then there's a 50% probability that you change it to something in the half they've already tried. It's not hard to work out the expected time to compromise, and you will find that there is some way to maximize it by changing your password at just the right rate.

    However, it's a pretty minor benefit. Furthermore, if they are doing anything less than checking every single password, then I'd bet it actually buys you nothing at all. The difference is because in that case, they're not guaranteed to guess your password after a fixed time interval.
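
    The scenario honkycat sketches above can be checked numerically. The Python below is an added example (not part of the comment): it models a guesser that walks through every candidate password in a fixed order while the user rotates the password every `interval` guesses, and reports the expected time to compromise for several rotation intervals, both by Monte Carlo simulation and in closed form. The space size, guess rate and intervals are constructed inputs.

```python
"""Expected time to compromise under periodic password changes.

Added example for this thread, not code from any poster.  Model (constructed):
  * an online guesser tries the N candidate passwords in a fixed order, one
    guess per time unit, and starts over once it has tried them all;
  * the user picks a uniformly random password and replaces it with a fresh
    uniformly random one every `interval` time units, with no knowledge of
    how far the guesser has got (interval 0 means never change).
"""
import random


def time_to_compromise(space_size, interval, rng):
    """One run: return the 1-based time step at which a guess matches."""
    password = rng.randrange(space_size)
    t = 0
    while True:
        if interval and t and t % interval == 0:
            password = rng.randrange(space_size)   # scheduled rotation
        if t % space_size == password:             # guesser's t-th candidate
            return t + 1
        t += 1


def mean_time_to_compromise(space_size, interval, trials=10000, seed=7):
    """Monte Carlo estimate of the expected time to compromise."""
    rng = random.Random(seed)
    total = sum(time_to_compromise(space_size, interval, rng)
                for _ in range(trials))
    return total / trials


def expected_time_to_compromise(space_size, interval):
    """Closed form for the same model.

    Between two changes the guesser covers `interval` distinct candidates,
    so every interval is an independent trial that succeeds with probability
    interval / N; on the successful trial the hit lands at an average
    position of (interval + 1) / 2.  That sums to N - (interval - 1) / 2 for
    1 <= interval <= N.  If the password is never changed (or the interval
    is at least N) the first sweep is certain to succeed, after (N + 1) / 2
    guesses on average.
    """
    n = space_size
    if interval <= 0 or interval >= n:
        return (n + 1) / 2
    return n - (interval - 1) / 2


def rotation_table(space_size, intervals, trials=10000):
    """Return {interval: (simulated_mean, closed_form)} for each interval."""
    return {c: (mean_time_to_compromise(space_size, c, trials),
                expected_time_to_compromise(space_size, c))
            for c in intervals}


if __name__ == "__main__":
    n = 60
    print(f"password space of {n}, one guess per time unit")
    print("never changing:", expected_time_to_compromise(n, 0))
    for c, (sim, exact) in rotation_table(n, [1, 5, 15, 30, 60]).items():
        print(f"change every {c:3d}: simulated {sim:6.2f}  closed form {exact:6.2f}")
```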

  19. Re:Auto change? by Zantetsuken · · Score: 2, Interesting

    I think Lenovo is starting to sell a lot of finger-print-biometric-scanner notebooks now; it seems to be one of their big selling points for business buyers. Not sure if it would work under Linux, but if it's something where you have to scan your finger before it gets through with BIOS it oughta be something embedded into CMOS or some other part of the motherboard, in which case I would think it would still work whether you run Windows or Linux on it...

  20. Re:I've (unfortunately) forced this on users befor by tbird81 · · Score: 4, Insightful
    You'd fire people for sharing a password??

    Seriously, what's more important to the company: people logging in as another employee, or actually having employees with morale!

    Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

    There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

  21. Merits of the one password per site policy by Beryllium+Sphere(tm) · · Score: 4, Interesting

    Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.

  22. Re:I've (unfortunately) forced this on users befor by Corbets · · Score: 3, Insightful

    Yes, I would fire people for that. I'd fire people for any intentional violation of corporate policy. It's one thing if you don't know, it's another if you choose to break the rules, especially after repeated warnings. I've often found that people who break little rules will occasionally break big ones - like those kids in school you mentioned, those who tell little lies will from time to time tell a whopper.

    It's an issue of trust, not to mention security (why bother with multiple user accounts at all if people are going to have access to all accounts anyway?).

    Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.

    There's nothing worse than a /.er trying to insult someone and having to pull from his own life example of being that poor little geeky kid that nobody liked....

  23. Re:Dupe by Warg!+The+Orcs!! · · Score: 3, Funny

    If I recall correctly, posts pointing out duplicate posts have been posted before.

    --
    Travelling forward in time at a rate of 1 second per second.
  24. Requirements... by Vo0k · · Score: 4, Funny

    A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

    "Your surname name is too short. Surname must be at least 4 characters long."

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  25. Diceware by krunk4ever · · Score: 3, Interesting
    Another common one is Diceware: http://world.std.com/~reinhold/diceware.html

    Example

    Suppose you want a five word passphrase, as we recommend for most users. You will need 5 times 5 or 25 dice rolls. Let's say they come out as:

                1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
                1, 6, 6, 5, 2, 2, and 4

    Write down the results on a scrap of paper in groups of five rolls:

                1 6 6 6 5
                1 5 6 5 3
                5 6 3 2 2
                3 5 6 1 6
                6 5 2 2 4

    You then look up each group of five rolls in the Diceware word list by finding the number in the list and writing down the word next to the number:

                1 6 6 6 5 cleft
                1 5 6 5 3 cam
                5 6 3 2 2 synod
                3 5 6 1 6 lacy
                6 5 2 2 4 yr

    Your passphrase would then be:

                cleftcamsynodlacyyr

    There are also rules on top of that where you can find which character to capitalize and where to add symbols and spaces.
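
    The quoted procedure as working Python, added here as an example (not the Diceware site's code or the poster's). It parses the rolls as written, groups them into fives, looks them up and joins the words; the embedded word list holds only the five entries quoted above, and the entropy figure uses the real list's size of 7776 words.

```python
"""Diceware passphrase assembly, following the procedure quoted above.

Added example, not code from the Diceware page or any poster.  The real
word list has 6**5 = 7776 entries, one per five-dice outcome; only the five
entries used in the quoted example are embedded here, so WORDLIST_SUBSET is
a constructed stand-in for the full list.
"""
import math
import re
import secrets

WORDLIST_SUBSET = {
    "16665": "cleft",
    "15653": "cam",
    "56322": "synod",
    "35616": "lacy",
    "65224": "yr",
}
LIST_SIZE = 6 ** 5          # 7776 words in the real list
DICE_PER_WORD = 5


def parse_rolls(text):
    """Read dice results written out loosely ('1, 6, 6, ... and 4') and
    reject anything that is not a die face."""
    rolls = [int(ch) for ch in re.findall(r"\d", text)]
    bad = [r for r in rolls if not 1 <= r <= 6]
    if bad:
        raise ValueError(f"not a die face: {bad}")
    return rolls


def group_rolls(rolls, per_word=DICE_PER_WORD):
    """'Write down the results in groups of five rolls': '16665', '15653', ..."""
    if not rolls or len(rolls) % per_word:
        raise ValueError(f"need a multiple of {per_word} rolls, got {len(rolls)}")
    return ["".join(str(r) for r in rolls[i:i + per_word])
            for i in range(0, len(rolls), per_word)]


def lookup_words(groups, wordlist=WORDLIST_SUBSET):
    """Look each five-digit group up in the word list."""
    missing = [g for g in groups if g not in wordlist]
    if missing:
        raise KeyError(f"not in the embedded subset of the list: {missing}")
    return [wordlist[g] for g in groups]


def passphrase_from_rolls(text, separator="", wordlist=WORDLIST_SUBSET):
    """Full procedure: rolls -> groups -> words -> passphrase string."""
    return separator.join(lookup_words(group_rolls(parse_rolls(text)), wordlist))


def entropy_bits(word_count, list_size=LIST_SIZE):
    """Strength of a passphrase drawn uniformly from list_size**word_count
    possibilities; the words themselves contribute nothing beyond this."""
    return word_count * math.log2(list_size)


def roll_dice(count):
    """Roll `count` dice with the OS CSPRNG, for when physical dice are not
    at hand.  Diceware itself recommends real dice."""
    return [secrets.randbelow(6) + 1 for _ in range(count)]


if __name__ == "__main__":
    quoted = "1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6, 1, 6, 6, 5, 2, 2, and 4"
    print(passphrase_from_rolls(quoted))           # cleftcamsynodlacyyr
    print(f"{entropy_bits(5):.1f} bits for five words")
```
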
    1. Re:Diceware by surprise_audit · · Score: 2, Interesting
      The braindead password policy around here is: at least one alphabetic, one numeric and one punctuation character. No subset of the word can be in the dictionary, and it has to be 8 characters (or more if supported by the OS).

      The problem with that is that *some* systems have slightly stricter rules than others, so you can get partway through Password Change Day with a perfectly good word and then run into a machine where it isn't allowed.

      Perhaps the nuttiest part of the policy is that you can't go back and change a password within 7 days. That may originally have been set up to stop a user immediately putting the password back to a previously used password, but now the change mechanism stores the last 6 or more words, so that's largely irrelevant.

  26. Passwords + Physical security + SE by Ajehals · · Score: 2, Interesting

    I used to be responsible for IT security for my previous employer and found that the biggest danger to any password based security is the user. When I started there were no passwords in use anywhere. After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement). I was not popular. (This may have been the passwords or possibly the pave and nuke job I did on all the corporate desktops, killing at least 3 of those electronic pet things...)

    The good news is that after the first month the number of password resets required reduced dramatically and we actually had some accounting of user activity on things like network use etc..

    However 6 months in we started to note the usual issues of people sharing passwords (i.e. how come John doe is logged on on three computers at the same time...) and had to curb that.

    Then we started carrying out physical audits of desk areas and started to clamp down on people writing down passwords (including those people that wrote them down in a poorly obfuscated manner....)

    Again our security situation improved (I should point out that we did have internal users actively engaged in 'hostile' activities for their own gain...) and we were quite happy for a while..

    Finally we started to carry out regular penetration testing, including a social engineering portion; this bit surprised me most. I came to the conclusion that 70% of our user base would give out their user name and password to anyone claiming to be IT staff - including when the tester called from outside of the company, and the number showing as internal.

    So in short, the problem with security is always going to be with the user, that is as long as the user is authenticated by either password or token (swipe card etc..), and will only become significantly better when security is based on something the user can't forget or lose. Oh, and anyone trying to implement security is always going to be the bad guy if it causes inconvenience.... And best practice in my opinion is finding reasonable security procedures that are applicable to your situation, whether that's a 4 digit pin, daily changing 12 character complex passwords or rectal probes and dna testing, and then more importantly implementing it in such a manner that it is actually adhered to.

    just my thoughts

  27. Three unsuccessful attempts and you're locked out by rollingcalf · · Score: 3, Insightful

    Another useless rule of thumb is the one that locks you out after three unsuccessful login attempts. It was based on the theory that the authentic user would be able to remember the password within three attempts.

    In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users.

    Caps lock is on... one failed attempt. You turn off caps lock and enter the password for a different system... another bad attempt. You think your bad attempt was due to a typo, so you re-enter the same password... you're locked out.

    With so many people getting locked out, either they become lax with the password-reset procedures, allowing an intruder to take advantage of that, or they stay strict, which results in numerous users losing hours of productive time.

    Give 10 or 20 attempts, dammit.

    --
    ---------
    There is inferior bacteria on the interior of your posterior.
  28. Passwords Suck by esme · · Score: 2, Funny
    We should all be using public keys.

    -Esme

  29. Re:Three unsuccessful attempts and you're locked o by rjstanford · · Score: 2, Interesting

    Give 10 or 20 attempts, dammit.

    Screw that. Give 500. Give a number so ridiculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

    --
    You're special forces then? That's great! I just love your olympics!
  30. Re:Three unsuccessful attempts and you're locked o by Alphi1 · · Score: 2, Insightful
    Screw that. Give 500. Give a number so ridiculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

    IMHO, I think a relatively-small artificial delay (after a certain number of attempts) should slow down the "brute-force" attack significantly as well...

    After all, let's say that it has an artificial delay of 1 second after every 5 tries. Most human-entered attempts won't even notice the delay (and even if they do, it's a relatively minor inconvenience - much more minor than having to contact someone about unlocking the account after 3 unsuccessful attempts).

    But a brute-force attack that would send, say, 1,000,000 passwords in quick succession will take at least 50 hours, or over two days. Not very practical. Especially when it may take more than 1,000,000 tries (assuming the password was set up to deliberately avoid things such as dictionary searches and things like that).

    Not only that, but those two things (after how many "attempts" to have the delay, and the delay itself) could even be tweaked based on how much abuse the site is getting. Maybe a 2 second delay after 3 failed attempts, which would be even MORE effective (approx. 7.7 days if my calculations are correct) than a 1 second delay after 5, while only being slightly more intrusive for legitimate users.
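
    The three lockout posts above (rollingcalf's locked-out user, rjstanford's "give 500", Alphi1's artificial delay) can be put through one model. The Python below is an added example, not code from any poster: it encodes each policy as a small per-account state machine, runs the caps-lock / wrong-system / repeated-typo sequence through it, and works out what a guesser sending 1,000,000 candidates against one account would face. The attempt sequence, guess count and policy parameters are taken from the comments; the state machine itself is constructed for this example.

```python
"""Lockout and throttling policies from this thread, run against two
constructed attempt sequences: a legitimate user who fumbles a few times,
and an online guesser sending a million candidates at one account.

Added example, not code from any poster.  Modelled policies: lock the
account after 3 failures, lock after 500, pause 1 s after every 5 failures,
pause 2 s after every 3 failures.  The guess count of 1,000,000 and the
"caps lock, wrong system, repeated typo" sequence come from the comments.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy:
    name: str
    lockout_after: Optional[int] = None  # hard lock after N consecutive failures
    delay_every: Optional[int] = None    # pause after every N consecutive failures
    delay_seconds: float = 0.0


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    imposed_delay: float = 0.0           # total seconds the client was made to wait


def attempt(policy, state, success):
    """Record one login attempt.  Returns False if the account is locked and
    the credentials were not even checked, True otherwise."""
    if state.locked:
        return False
    if success:
        state.consecutive_failures = 0
        return True
    state.consecutive_failures += 1
    if policy.lockout_after and state.consecutive_failures >= policy.lockout_after:
        state.locked = True
    if policy.delay_every and state.consecutive_failures % policy.delay_every == 0:
        state.imposed_delay += policy.delay_seconds
    return True


# rollingcalf's scenario: caps lock on, password for another system, the same
# typo again, then finally the right password.
FUMBLING_USER = [False, False, False, True]


def legit_user_outcome(policy, sequence=FUMBLING_USER):
    """Return ('logged in' | 'locked out', seconds the user was made to wait)."""
    state = AccountState()
    for ok in sequence:
        if not attempt(policy, state, ok):
            return "locked out", state.imposed_delay
    return "logged in", state.imposed_delay


def guesser_cost(policy, guesses):
    """Closed form for a guesser that sends `guesses` wrong passwords in a row:
    (candidates actually checked, total seconds of imposed delay)."""
    checked = min(guesses, policy.lockout_after) if policy.lockout_after else guesses
    delay = (checked // policy.delay_every) * policy.delay_seconds if policy.delay_every else 0.0
    return checked, delay


def simulate_guesser(policy, guesses):
    """Same quantity via the state machine; cross-checks guesser_cost."""
    state = AccountState()
    checked = 0
    for _ in range(guesses):
        if attempt(policy, state, False):
            checked += 1
    return checked, state.imposed_delay


POLICIES = [
    Policy("lock after 3", lockout_after=3),
    Policy("lock after 500", lockout_after=500),
    Policy("1 s pause per 5 failures", delay_every=5, delay_seconds=1.0),
    Policy("2 s pause per 3 failures", delay_every=3, delay_seconds=2.0),
]

if __name__ == "__main__":
    for p in POLICIES:
        outcome, wait = legit_user_outcome(p)
        checked, delay = guesser_cost(p, 1_000_000)
        print(f"{p.name:26s} fumbling user: {outcome} after {wait:.0f}s wait; "
              f"guesser: {checked:,} checked, {delay / 3600:.1f} h of delay")
```

The hard lockouts stop the guesser after 3 or 500 checks but also lock the real account, which is the help-desk cost the posts complain about; the delay policies check every candidate yet stretch the million guesses to roughly 55 hours and 7.7 days respectively.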

  31. Encrypted key exchange by XNormal · · Score: 2, Informative

    Encrypted key exchange protocols (e.g. EKE, SPEKE) allow the safe use of relatively weak passwords. They resist all known passive sniffing, man-in-the-middle and offline dictionary attacks. How can a system be secure with weak passwords? Think of your ATM card's 4-digit PIN: it's pretty safe because it's limited to only a couple of unsuccessful attempts and you can't do an offline dictionary attack that would bypass this limit.

    Unfortunately, these algorithms are all patented.

    As far as I can tell, the SRP system infringes on the EKE patent. The fact that Stanford got a patent for SRP means nothing - a patent grant says nothing about infringement of other patents. AT&T probably won't sue anyone using it in an open source project but they will not issue a statement that SRP does not infringe the Bellovin patent, either. Result: commercial users shy away from SRP.

    The only widely deployed remote password authentication mechanism which is safe even with weak passwords is "plaintext over SSL" but it relies on PKI which has its own set of problems.

    Kerberos tickets are pretty secure because they use machine-generated random keys instead of user-provided passwords. But this whole tower is built on a weak foundation because the initial authentication to the TGT does use the weak user password. If just this part was replaced by EKE all Kerberos services would benefit from increased security.

    Microsoft domains use Kerberos. Is there any chance Microsoft would bite the bullet and pay the EKE or SPEKE patent license fees?

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  32. My way by sasdrtx · · Score: 2, Funny

    Abcd0001

    Increment as needed.

    --
    Most people don't even think inside the box.
  33. Context of article: new Purdue password policy by mdpowell · · Score: 2, Insightful

    The author is a professor in the CS department at Purdue. At the beginning of 2005-2006, Purdue IT announced that they were going to require *every* password on *every* computer to be changed every 30 days. They made it clear that this policy was not restricted to administrator accounts, and in fact it has been pointed out in several articles that students will have to remember to change their passwords during summer and co-op sessions, or their accounts will be disabled. You also won't be allowed to re-use passwords for six replacement cycles. The policy isn't enforced yet but will be "real soon now."

    This policy seems to be generally seen as idiotic by students, faculty, and staff. The IT people who talk about it seem to be made to "toe the line," and make up excuses about how this policy went through all the review/administrative processes. Nobody has an explanation for how this policy will be made practical for all the alumni and external accounts which might be accessed only a few times a year.

    Many people see this policy as a copout response to the multiple security breaches in the past several years. On multiple occasions the whole university (30K+ students, plus faculty/staff) received orders to change passwords immediately because some database was compromised. Rumor had it that one database was storing passwords in plaintext because of incompatibility between hashing mechanisms used by different systems. Rather than take responsibility for and fix their security breaches, they are simply forcing this policy on everyone.

    I suspect the author wrote this article largely as a condemnation of this policy.

    Here's the link to the Purdue password policy: http://www.itap.purdue.edu/security/procedures/passguidelines.cfm