Slashdot Mirror


Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

20 of 356 comments

  1. APG by wuzzeb · · Score: 5, Funny

    I have found that using APG is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

    lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
    drywaWrop2 (dry-wa-Wrop-TWO)
    ScekGul4 (Scek-Gul-FOUR)
    lacWaup7 (lac-Waup-SEVEN)
    IphIaft3 (Iph-Iaft-THREE)
    glidTevPos8 (glid-Tev-Pos-EIGHT)
  2. Password change policy by MichaelSmith · · Score: 4, Insightful

    We all know that it's stupid. People write it down on post-it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

    That's just how politics works in a corporate environment. People will cover their arses first, do the sensible thing second.

  3. One attack he didn't mention... by patio11 · · Score: 5, Funny

    ... getting your server brute-forced by a Slashdotting.

  4. Absolutely true by Chairboy · · Score: 5, Insightful

    I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alpha numeric characters, and (this is the kicker) were required to be changed every few weeks.

    I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) writing their passwords down at their desks.

    Writing. Their. Passwords. Down.

    It's like this well-intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad, in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

    A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

  5. Advice on passwords by Brandee07 · · Score: 4, Insightful
    Advice my dear mother gave me a long time ago:

    Passwords are like toothbrushes; change them every three months and don't share them with your friends.

    With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

    1. Re:Advice on passwords by dgatwood · · Score: 4, Insightful
      Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

      Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

      No, seriously. It is.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Advice on passwords by wfberg · · Score: 5, Insightful

      > Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

      The problem lies with badly designed operating system/windowing system software that allows windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Especially Windows applications love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into PuTTY's Pageant for example). *sigh*

      --
      SCO employee? Check out the bounty
    3. Re:Advice on passwords by wildsurf · · Score: 4, Funny

      > Passwords are like toothbrushes; change them every three months and don't share them with your friends.

      Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

      --
      Weeks of coding saves hours of planning.
  6. Re:Password changing by Psychotria · · Score: 5, Insightful

    I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in fewer passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

  7. My Rule of Thumb by QuantumG · · Score: 4, Insightful

    I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

          "You have to balance security with convenience."

    Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

    --
    How we know is more important than what we know.
  8. Re:pass PHRASE by Vo0k · · Score: 4, Interesting

    > Doesn't anyone remember the 'pass phrase' thing from awhile back?
    > "The quick fox jumps over the lazy brown dog"

    Way too long to type.

    > D'tart'pp;tfawb?
    > Tqfjotlbd

    Passphrase-based passwords (take each first letter, caps and semigraphics retained) are a good option.

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
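The derivation rule Vo0k describes (first letter of each word, capitalisation and punctuation kept), written out as an added example that is not code from the thread. The phrase behind the post's second password is not given, so the second test phrase below is constructed; treating hyphenated words as one token and keeping every non-alphanumeric character is an assumption about the rule.

```python
def passphrase_to_password(phrase: str) -> str:
    """Keep the first letter of every whitespace-separated word (case
    preserved) plus any "semigraphics" (apostrophes, semicolons, ?, !)
    attached to that word, in their original order."""
    out = []
    for token in phrase.split():
        seen_letter = False
        for ch in token:
            if ch.isalnum():
                # only the first letter/digit of each word survives
                if not seen_letter:
                    out.append(ch)
                    seen_letter = True
            else:
                # punctuation is retained wherever it sits in the word
                out.append(ch)
    return "".join(out)


def derive(phrase: str, min_len: int = 8) -> str:
    """Derive a password and refuse phrases that are too short to yield
    min_len characters (a short phrase gives a short password)."""
    pw = passphrase_to_password(phrase)
    if len(pw) < min_len:
        raise ValueError(
            f"phrase yields only {len(pw)} characters; use a longer phrase"
        )
    return pw


if __name__ == "__main__":
    # the post's own example: "The quick fox jumps over the lazy brown dog"
    print(derive("The quick fox jumps over the lazy brown dog"))
    # constructed phrase showing apostrophes and a semicolon being kept
    print(derive("Don't reuse that one password; it's a weak bet?"))
```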
  9. Picture Passwords by Metabolife · · Score: 5, Interesting

    I always thought the picture based passwords shown here were a creative way of making passwords.

    Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

  10. Passwords? by bm_luethke · · Score: 5, Interesting

    The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was a good combination of stuff, not really something that was attackable by a dictionary and they watched external requests pretty hard (and most of the service providers did also).

    But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with passwords and all to do with users' desktops on SSH key management. Everyone wanted symmetric keys so they never needed to type a passphrase or password. No one wanted to mess with keeping their computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

    That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It takes some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.

    *shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

    Fewer articles about password management, if it has not been beat into your head by now you are a lost cause. Let's spend some time on key management and other security issues that are becoming MUCH more useful.

    --
    ------- Sorry about the spelling, I suffer from two problems. Dyslexia makes it difficult to spell well, lazy makes it
  11. Easy for a Star Trek Fan Maybe... by Qybylance · · Score: 5, Funny

    They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

  12. Re:I've (unfortunately) forced this on users befor by tbird81 · · Score: 4, Insightful
    You'd fire people for sharing a password??

    Seriously, what's more important to the company: people logging in as another employee, or actually having employees with morale!

    Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

    There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

  13. Merits of the one password per site policy by Beryllium+Sphere(tm) · · Score: 4, Interesting

    Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.

  14. Re:Password changing by harborpirate · · Score: 5, Insightful

    I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. Frequent Password Changing Makes a System More Secure is an old wives' tale.

    Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing password in login box and such). Of the three, this presents the least risk by far, and generally the user is aware of this occurrence and with proper education will know to immediately change their password.

    Forcing a user to change password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be compromised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

    As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

    Caveat:
    The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continuously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as providing the aforementioned small measure of protection against cracking.

    Please, stop forcing password changes on user accounts. It's a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

    Rant complete.

    --
    // harborpirate
    // Slashbots off the starboard bow!
  15. Requirements... by Vo0k · · Score: 4, Funny

    A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

    "Your surname name is too short. Surname must be at least 4 characters long."

    --
    Anagram("United States of America") == "Dine out, taste a Mac, fries"
  16. Re:Password changing by Sique · · Score: 4, Insightful

    Everything that affects the machine compromises security by definition. So that's no argument as such, you have to elaborate. The connection made between 'written down passwords' and 'physical access to a machine' is very weak. Of course: If I got into the secured building with the computer desk, it may be easier to just root the computer and then access whatever you want than to break into the file cabinet and search for the password. But security by itself does not only contain prevention of a compromise, but also detection of a compromise. And a security breach by physical access to a machine is often much easier and more timely to detect than physical access to the written down password. Stick-It notes don't log access, as far as I remember ;). So if it is an inside job, a security breach may go unnoticed if the attacker just reads the password while passing by and then tries it from another machine, or if he just seems to 'look for that one file I left on the desk' and searches for the password. In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and thus the detection of both is more complicated.

    --
    .sig: Sique *sigh*
  17. Re:Password changing by LordSnooty · · Score: 4, Informative

    Use a computer program to store them - e.g. PasswordSafe - the logic of storing all your passwords in a program may seem strange, but if you can keep the database in a safe place - on your USB key, for example - it should be a lot more secure than writing them down. A "cracker" would still need a password to open the database. At least you only have to remember one password.