Poor Passwords A Worse Problem Than Poor Antivirus
dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."
In TFA the author complains about "sunflowers", people who have passwords on post-its stuck around their monitor frame. The thing about post-its is that 89% of last year's credit-card breaches originated from sources outside the companies. And there is no malware possible that can read what's written on a post-it note.
John
I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anaesthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!
It's password! How ingenious is that?
Oh, wait...
"The difference between genius and stupidity is that genius has its limits" - Albert Einstein
security service providers say they find more problems with password management than antivirus applications when they do security assessments.
The important words being "security assessments." In real-life impact viruses are far more serious an issue; I know many, many people who have had their computers infected with viruses than have had their passwords stolen. In fact, I can't really remember if anyone I know has ever had a password stolen.
They just implemented weird password rules in our company; before, I used to have long but easily remembered passwords with characters and special characters. Now with the new rules there is no way I can remember the passwords, so I have them on a post-it taped to my laptop. I have to log in too many times otherwise, so if you want more security don't get insane on password rules :)
I know passwords are the norm, but some places have adopted fingerprinting. For example, to get drugs from the pharmacy for my ambulance, I have to sign in to Pyxis using a fingerprint scanner. There are also laptops that are carrying password keyrings linked to fingerprint scanners. Even at UNH, when I signed in to get my meal, they had a hand scan to ID you so you could get through the turnstile. Not new technology, already implemented into everyday software, and tough to fake. For something like a corporation or law office (who can probably afford it), why not? Just a thought.
Companies need to implement a 'good' policy. I've seen policies that enforced only a 5 character password. I've seen one policy that was a minimum of 8 characters, at least 1 number, and at least 1 special character. Sure, /.'s could handle that, but I once knew an administrative assistant (I forget if secretary is PC or not any more) that kept forgetting how to cut and paste. Great lady, just wasn't computer friendly. Another thing- if you can't remember your passwords, at least stick the Post-It note in your drawer rather than on your monitor!
Vote monkeys into Congress. They are cheaper and more trustworthy.
It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first web browser I have actually liked in several. I would definitely consider it the best OSS web browser on Linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
What's wrong with biometrics? Maybe somebody could explain to me why more keyboards don't ship with biometrics built in? Instead of remembering 25 different passwords each with their own ridiculous rules you could just scan your finger. It could even work when you want to make CC purchase or login to your email.
mod this down, I'm an idiot and responded to the wrong thing.
I'd like to make a proposition to everyone on slashdot.
For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Until people get over this misconception and communicate to their users: "give yourself a good password. I won't ask you to change it so you can pick a strong password that you will remember and that will be the end of memorising passwords" Then stress what makes a strong password.
The real "Libtards" are the Libertarians!
When the password is the name of the computer owner's son, daughter, or significant other, why is it that the main character never has to fiddle around altering names by replacing random letters with 1337 or @, $, and # signs?
The article repeats the same Myths of password security that we have been repeating for the last thirty years. Let me review them for you:
- Password Length is important
- Password Complexity is key (e.g. A-Z with at least one special, one number)
- Password Expiration is important
Like all good myths these have elements of truth in them but fail to really hit the nail on what the problems actually are, or namely:
- Strong login auditing is important (failed attempts, unusual patterns, etc)
- Login speed should be throttled (e.g. no 60 guesses per minute)
- Failed logins should be capped (e.g. Login wrong five times? Consult technical support)
Now we are talking about password security. You can also throw on a five-character minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five. If you tried to spread out the attempts over several weeks (making it slower still) the audit logs should be alerting the administrator to 14 failed attempts per week from China.
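The three controls the post above lists (throttling, a failed-login cap, and audit alerting on slow, spread-out guessing) fit in a few dozen lines. The following is an added example, not code from the thread or from any product it mentions; the class name, the thresholds (one attempt per second, five failures inside 15 minutes locks the account, 14 failures in a week raises an alert) and the credential format are assumptions chosen to match the numbers in the post. Lockout is cleared only by a help-desk reset, as the post suggests.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

PBKDF2_ROUNDS = 100_000  # kept modest for the example; production uses more


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> tuple:
    """Constructed credential record: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


# Dummy record so unknown usernames take the same code path and the same time
# as real ones; the response does not reveal whether an account exists.
_DUMMY = make_user(secrets.token_hex(16))

MIN_INTERVAL = 1.0         # throttle: at most one attempt per second per account
MAX_FAILURES = 5           # "Login wrong five times? Consult technical support"
LOCK_WINDOW = 15 * 60      # ...when those five failures fall inside 15 minutes
AUDIT_WINDOW = 7 * 86400   # one week
AUDIT_THRESHOLD = 14       # "14 failed attempts per week" must raise an alert


class LoginGate:
    def __init__(self, users: dict):
        self.users = users                     # username -> (salt, digest)
        self.failures = defaultdict(list)      # username -> [(timestamp, source)]
        self.last_attempt = {}                 # username -> timestamp
        self.locked = set()
        self.alerts = []                       # what the administrator gets to see

    def attempt(self, user: str, password: str, source: str, now: float) -> str:
        """Return 'ok', 'bad', 'throttled' or 'locked'. `now` is seconds (epoch)."""
        if user in self.locked:
            return "locked"
        last = self.last_attempt.get(user)
        if last is not None and now - last < MIN_INTERVAL:
            return "throttled"               # too fast: not even checked
        self.last_attempt[user] = now
        record = self.users.get(user)
        salt, digest = record if record is not None else _DUMMY
        matched = hmac.compare_digest(_derive(password, salt), digest)
        if matched and record is not None:
            return "ok"
        self.failures[user].append((now, source))
        self._audit(user, now)
        burst = [ts for ts, _ in self.failures[user] if now - ts <= LOCK_WINDOW]
        if len(burst) >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "bad"

    def _audit(self, user: str, now: float) -> None:
        # Slow guessing never trips the lock, so the weekly count is what catches it.
        week = [(ts, src) for ts, src in self.failures[user] if now - ts <= AUDIT_WINDOW]
        if len(week) >= AUDIT_THRESHOLD:
            sources = sorted({src for _, src in week})
            self.alerts.append(f"{user}: {len(week)} failed logins in 7 days from {sources}")

    def reset(self, user: str) -> None:
        """Help-desk unlock, after the user has been verified out of band."""
        self.locked.discard(user)
        self.failures[user].clear()


if __name__ == "__main__":
    gate = LoginGate({"alice": make_user("correct horse")})
    print(gate.attempt("alice", "correct horse", "192.0.2.10", 0.0))   # ok
    print(gate.attempt("alice", "guess", "192.0.2.10", 0.5))           # throttled
    for t in (10, 12, 14, 16, 18):
        print(gate.attempt("alice", "guess", "192.0.2.10", t))         # bad x4, then locked
    print(gate.attempt("alice", "correct horse", "192.0.2.10", 20))   # locked
```

Note that the hard lock only fires on a burst; the patient attacker in the post, making one guess every few hours, is deliberately left to the weekly audit line, which is what the administrator should be reading.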
Instead encourage them to do so and teach them to properly manage them. There are many possibilities: password-safe programs, little black books to be kept in the user's wallet, lockable desk drawers, electronic one-time pads . . . (even post-it notes on monitors in some circumstances). First, however, you must accept that the average user is never going to memorize any password more complex than a minor variation on the name of his favorite pet. Get that idea out of your head.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This is probably because most security assessments aren't very good and don't correlate well to an organization's actual security problems. At least the assessments help people get rid of all that extra money they have.
I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password, making the whole damn thing impossible to remember. So, what did people do? They wrote them down in little sticky-notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity.
Due to a recent identity-theft scare I had the other day, it made me realize the importance of safeguarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've since never had to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02
I've come across one (badly coded) site where that strategy backfired on me. I typed my standard use-it-for-non-critical-sites 15 character passphrase - all seemed well and good. But then, when I tried to log in, it kept telling me I had the wrong password.
Turns out their form only saved the first 12 or so characters - but they hadn't limited how many characters you could type into the field, so I didn't know I'd typed too many. And guess what - the login form accepted more than 12 characters! Hence my borked login.
Fortunately I think that flaw got fixed when they upgraded their site, but I wonder how many more sites out there are broken like this...
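The defect in that post (registration silently keeps a prefix of the password, login compares the whole thing) is easy to reproduce and easy to fix. Below is an added example, not the site's code or anything from the thread: `TruncatingSite` behaves the way the commenter describes, and `FixedSite` shows the corrected pattern, one explicit length limit enforced the same way on both paths, rejecting over-long input instead of trimming it. The 12-character cut-off comes from the post; the 128-character maximum in the fixed version, the class names and the storage format are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TruncatingSite:
    """Reproduces the bug from the post: the registration handler keeps only
    the first FIELD_LIMIT characters, the login handler compares everything."""
    FIELD_LIMIT = 12

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        kept = password[:self.FIELD_LIMIT]        # the defect: silent truncation
        self.users[user] = (salt, _hash(kept, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(password, salt), digest)


class FixedSite:
    """One documented limit, checked identically on registration and login;
    input outside it is rejected with an error the user can see, never trimmed."""
    MAX_LEN = 128   # assumed policy value: bounds hashing cost, applied explicitly

    def __init__(self):
        self.users = {}
        self._dummy_salt = os.urandom(16)        # keeps unknown-user timing uniform

    def _check(self, password: str) -> None:
        if not isinstance(password, str) or not (1 <= len(password) <= self.MAX_LEN):
            raise ValueError(f"password must be 1 to {self.MAX_LEN} characters")

    def register(self, user: str, password: str) -> None:
        self._check(password)
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))   # the whole password

    def login(self, user: str, password: str) -> bool:
        self._check(password)
        record = self.users.get(user)
        if record is None:
            _hash(password, self._dummy_salt)    # same work as a real account
            return False
        salt, digest = record
        return hmac.compare_digest(_hash(password, salt), digest)


def overlong_rejected(site, length: int) -> bool:
    """True if registering a password of `length` characters is refused."""
    try:
        site.register("probe", "a" * length)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    passphrase = "fifteen-letters"               # 15 characters, as in the post
    broken = TruncatingSite()
    broken.register("me", passphrase)
    print(broken.login("me", passphrase))         # False: the full passphrase fails
    print(broken.login("me", passphrase[:12]))    # True: only 12 characters are live
    good = FixedSite()
    good.register("me", passphrase)
    print(good.login("me", passphrase))           # True
```

The second `print` in the broken case is the part worth noticing: truncation does not just lock the legitimate user out, it quietly shortens the secret everyone else has to guess. The `maxlength` on the HTML field should match `MAX_LEN`, but the server-side check is the one that counts.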
We all know most people will never use "proper" passwords, let alone "properly", quite aside from offices in which ridiculous password management policies drive people to drink^h^h^h^h^h simply writing their passwords on Post-it notes stuck to their monitors. Why not make the best of a bad situation by only insisting on reasonable passwords changed no more than once per six months, complete with freely available "wallet-sized password booklets", but which are accompanied by other methods such as once-per-session typing pattern analysis verifications or cheap magnetic stripe cards? (The obvious security problem with a magnetic stripe card in the same wallet as a password booklet, for example, can be ameliorated by insisting that the magnetic stripe cards be kept in small employee lockers, and never allowed off-premises).
The point is that a little imagination is all that is needed to make security reasonably good or at least acceptable, given that the weak link will always be the kind of muppets who insist on shoving bricks between doorjambs and ultra-high-security triple-locked doors if they are at all allowed. Sure, any security method can be defeated, but it's far easier to educate (okay, frighten) people into not removing stuff from company premises (the magnetic stripe cards) or to make them perform once-a-day monkey tricks (the typing pattern analysis verifications) than it is to make them stop writing stuff down in very insecure ways. Security will tend to be more even, and problem employees will be easier to spot.
The old saying comes to mind, "The perfect is the enemy of the good."
A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
This title is very poorly worded... It should be called "More users FAIL on passwords than being negligent with security software". Not to mention I disagree with the premise entirely. Even if you have a Sup3rS3cr3tUBERp@ssw0rd it's useless if your machine is compromised by a keylogger.
Listen up, paranoid policy people everywhere: setting up a "strong password policy" is NOT the solution. Typically this involves forcing the user to choose a password that's more than ten characters, has punctuation and numbers and mixed case in it, and forces a password change every 30 days.
You know what that does?
It forces people to write their passwords down. On paper.
With the password written down, it's very easy to "crack" because it's sitting there, "in the clear" on a dead tree.
Tired of FB/Google censorship? Visit UNCENSORED!
This is exactly right, and Post-its should be a firing offence, at __all__ levels up to and including CEO, given Sarbanes-Oxley; next, __obvious__ passwords must be screened out, and changing passwords/ageing should __not__ be required.
;-), or "Bawrinced", generated by apg.
My singleton laptop often faces the internet un-firewalled but the bastard ssh attacks cannot do password-guessing against really secure passwords like "1", which I have never seen tried, but it will now
People can learn a __few__ strong passwords, remember them and use them in ways that stratify, and "Canary" risk, see John Patrick Ryan.
Especially for internet logins, and for the weakest you can use dictionary words, which helps with the Canary Trap. Hebrew, Maltese and Attic Greek, transliterated into Latin alphabets, make very good Canary words, and help you to sue the leaker. Few guess that "Marsaxlokk" is a place name, unless they know Malta, and then you can easily make it harder by spelling it ".M1rs1xlokk.". If you __consistently__ do this for admin passwords, and make your users pick high entropy passwords, then you have emplaced a good first line of defence; then close all unnecessary ports, and use a scanner e.g. "nmap" to ensure you have what you intended.
Finally, use iptables to ensure that the open ports are firewalled, so when I put my laptop on a net I don't want 'NO ARP, or ICMP packets' because I don't want to alarm any intrusion detection systems; but I want to allow outgoing PRINTER, SSH, POP3, and in some cases incoming SMTP.
Finally, while it takes more work, it is far more secure to use iptables than a generic firewall, writing the rules to be minimal. There are LOTS of brute force SSH attacks, and one must assume SSL also out there. SMTP is not secure, so you only want to allow it from your mail-server, which should have a static address. Use TLS with fetchmail, and a proxy SMTP sender which can be configured to send mail securely to a mail-server. If you are mobile as I am, that means: write your own sender that knows about the quirks of your ISPs.
Since most of the ISP inspired SMTP 'improvements' just open up new security holes, thanks Eric. Encrypt everything you can, and certainly anything that is important, or "potentially compromising". Never use commercial mail services, they are totally insecure and like as not have backups that can be _discovered_ in law, to your disadvantage.
It would be interesting to see a solution. I have easily 25 different logins in use for my job. At many places I am not allowed to choose my own login and then they base it on my name and each does that in a different way. Some add numbers to it. Some are shared logins.
Some I can set the password, some I may change the password and some I must change the password. The shared ones can not be changed as others then would not be able to use it and then others I must ask to change and yet others I can not change at all.
As I try to have this as simple as possible, I use the same passwords, so the result is that I have more different logins than passwords, but still I need to have a file with all logins and passwords.
So the easy part is pointing out the problem. The hard part is coming up with a solution. I can't use Firefox and am not allowed to install any programs at work.
Don't fight for your country, if your country does not fight for you.
There are two problems I see with creating and remembering passwords. First off, many people simply do not understand the threat of weak passwords and blissfully use the name of their children or pets as a password. Second, people do not understand how to effectively create and remember strong passwords. I honestly believe that there should be a password or network security seminar that each person/employee should attend at their place of work. It doesn't have to be long, just enough time to explain why passwords are important to network security and how to create strong passwords. Hand out a simple sheet with examples of strong and weak passwords and suggestions on how to create strong passwords while avoiding weak ones. Also explain that passwords and log-in credentials are highly sensitive and should be considered personal information just like credit card and social security numbers. They should never be divulged to anyone but trusted IT staff. Explain the dangers of writing down passwords on random pieces of paper or post-it notes. And if it is necessary to write them down, put the paper in a secure, LOCKED place. I bet you could make the seminar only ten to fifteen minutes long and still get the point across. Bottom line is, if you are trusting people with your data, why should they remain ignorant of the importance of the passwords used to access and protect that data?
Another problem I see with passwords is the sheer number of them that need to be created for users' personal accounts. Banking, social networking, blogging, forum, e-commerce and gaming sites all require users to have unique passwords for each and every one of those accounts. Off the top of my head I estimate I have over two dozen accounts each needing a separate password. All too often this leads users to reuse passwords and/or use weak, easy to remember passwords. At one time I had a little notepad at home that was just for writing down user names and passwords to the various accounts I have floating around. My solution to password hell was coming up with a password formula that helped me not only create but remember my passwords. It's not easy to explain, but I take data from those websites that I have an account with and apply it to a simple formula which will give me a strong password. I don't actually have to remember the password because I can use the formula and data from the site to derive the password. It's not complex but clever enough to simplify the creation and recollection of passwords.
People can be password savvy, they just need to be educated a bit.
Everything is a worse problem than poor antivirus -- because viruses are so rare, if you're sensible.
In my past 16 years of running Windows machines with IE, I haven't once had my antivirus report anything. The standard precautions are enough -- use Proxomitron or don't visit dodgy websites; don't run pirate software; don't open attachments unless you were expecting them and you trust the competence of the sender.
I have had "antivirus" problems where the antivirus software interacts badly with the OS, e.g. keeping an executable open when my compiler wants to overwrite it. Nowadays I leave the antivirus switched off, and only turn it on when needed to connect to corpnet.
Why does no one realize that we seem to be stuck in the 1960's; what's this dichotomy of "user name" and "password", in which we now type the first in plain text, but the second is shown as asterisks.
As if the former is common knowledge, but the latter is super double secret. What kind of retards are in charge of this shit?
Why aren't both secret; why aren't both in asterisks.
Or, how about we don't let people look over our shoulder.
The common sense solution, from TFA, is simply horseshit. Every idea that the so called experts come up with exacerbates the problem: mixed case, numerics, frequent changes: they all contribute to no one knowing their own passwords for the many systems that they have to log in to. Simply choosing a password that isn't in the dictionary and isn't based on something personal such as your child's name, and keeping it, and don't let someone look over your shoulder, is all that's necessary, and far better.
PS: do you notice how sign up forms don't give a crap if you type anything else incorrectly, but force you to enter your email twice. That's all they want. Thanks; here, have some spam.
One thing that has worked for me is to slowly type random keys while randomly hitting the shift key. This seems to work better for me than using a random password generator. I think it is because I remember the pattern of the keys that my fingers are pressing. One problem I have is remembering which place the password is used for. I usually have to try a couple of different ones to get it right--say if I don't go to that website that often. --- Sorry My English
At this point, NOBODY should be prompted to enter a password of their choosing every time they go to a website. We have the technology to do much better, even if it is something like "go to this other website, log in, tell it what website you want to log in to, and click a button to generate a one-time-use token"
That would be what you do in the event that you DON'T have regular access to your private key (like if your office doesn't allow USB sticks through the door). EVERY other case should be "select username, click "log in", click "okay" when the confirmation pops up"
say they find more problems with password management than antivirus applications when they do security assessments
This doesn't have any relation to the quantity of break-ins resulting from poor passwords compared to the quantity for poor anti-virus, as the title would suggest.
My Etrade accounts have a traditional password with the requirement of an RSA token. This seems to be a great solution to the password problem.
The first part of the password is easy to remember, the second is changed every 60 seconds by the token.
It is a bit less convenient than a standard password, but that is the price to be paid to secure a bank account.
-ted
Oh yes they can see post it notes
don't you watch CSI on TV ?
We are Dead Stars looking back Up at the Sky
Password guessing is really not that big of a threat - most (and I know not all) websites have a sane policy about the number of times you can guess within a given time period. There's a great research paper about this:
http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf
Strong, weak.
Your choice.
Use 1Password t manage them all.
Dave Barnes 9 breweries within walking distance of my house
One big problem is no one asks what they are protecting. I worked at a call center (yes it was shitty) and I had a password to log on to the computer, a password to log into the phone system, a password to log into the call log system, and if I did email support another password for that. All cycled monthly. 4 constantly changing passwords all to prevent someone else from doing my job? What a waste of time. I didn't have access to personal information, no power to authorize free stuff, the only reason someone could have to use my account was to screw me over and try to get me fired. (Which I would have loved by the end of it) A lot of security could be eliminated if people ask what they are trying to protect and make things a lot easier for those that actually need access.
...our boxes were locked down so badly that telling the browser that the cert's OK didn't survive a reboot, meaning you had to go through the same song-and-dance several times a day.
I would have asked you if you worked for Creative Labs, but the ISP bit shot that down. :-)
What you describe is what I went through at CL.
Knowledge Base web pages that did not have the URLs whitelisted in the proxy we used, boxes locked down tight**, 8 minute maximum call time allowed per call for tech support...including the 2-3 minutes needed for the required interrogation about the 'problem' product, etc....
**except for the USB ports! :-)
I put Damn Small Linux in a bootable partition on a USB stick to get away from WinXP and IE that was imaged onto all of our Dell workstations. Unfortunately, I was found out by management after about 4 months when they were doing a routine 'call monitoring', and heard me offering Linux support for a customer with a Creative Labs Nomad. I was still a n00b in the tech support scam, and was actually trying to offer real tech support for our customers...silly me! I was asked to resign in lieu of being sacked.
[I grin because that was the only job I held in my life, that I felt I needed to keep a shotgun at the front door of the house...I could force myself to leave the house for work if need be!]
*me:Go to work, or I'll Dick Cheney your face!
also me:Okay, I'm going to work, asshole!
me:Damn...I just concocted a special rocksalt load with White Phosphorous[Willy Peter for you military fans] to try on you!
also me:Shit!...Decisions, decisions....Rocksalt and Willy Peter to the face, or go to work at Creative Labs again....Hmmmm...Hey, is this a trick question?!?!?!?*
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
that's something an idiot would have on his luggage!!!
Having studied this issue at length professionally, supporting client-offices: the best solution I have found was using the web service Passpack (www.passpack.com). Every single requirement I was faced with, Passpack has met from a security standpoint.
On a user-friendly perspective, I'm having trouble with training folks like my mother how to be more secure with greater user-friendliness, and I am still looking forward to Passpack improving on their initial one-click-button; but essentially passpack is the most realistic to use solution I have found to-date.
I agree.
AFAIK, the idea that passwords have to be changed in intervals from one to three months comes from the old days back when many terminal users used one Unix system that had /etc/passwd files. These were crypt() hashed so anybody could read them and start cracking them. One day some TLA calculated how much time it would take an attacker with serious resources (or better, what was regarded as a serious resource back then) to brute force crack a password. They came up with something like "a crypt hash would be reasonably secure for two months, so if it is changed every month, it will be secure." This ended up written into some rainbow book (orange?) and from there on it was simply copied to all other standard security books and references.
According to my knowledge, this is why we are stuck now with every best practice guide still portraying the idea that passwords have to be changed in regular intervals.
[quotation needed]
Of course, this has been outdated at least since shadow passwords were introduced, let alone Moore's law or Rainbow tables.
Thank you, good sir!
Since MS has such a dominance, hopefully they will keep copying the features of GNU/Linux and keep improving their own OS at the same time. Win for all!
*wakes up*
Meh, just a dream...
I was not sure enough about it to post what you did, but thought so.
I castigate myself for being too lazy to research it, but thanks to you, I am saved.
Beware the Tux, do not take the Penguin/Taz for granted!
I've seen just too many comments in Linux (related) IRC channels or forums about how people want to use Linux as their web, mail, $other server because "it's secure". Naturally it's not needed to gain any knowledge or experience on how to get the server to work properly; making it display something is all that matters because... Well, Linux is safe, so what could go wrong?
Poor passwords? Sure. But in most cases that will only result in personal damage, like someone messing with another person's account on a social network. I'm more concerned about the apparent ignorance when it comes to using Linux. Yes, even Linux needs maintenance and a regular installation of security updates.. Just like Windows!
Yes, I'm aware.. Poor password, gain access, utilize local exploit (which are more common than remote exploits), $profit. Maybe I'm too cynical, but even then I say that poor server management is more troublesome. A clued admin who knows what's going on will have this breach located. A regular admin-wanna-be will never even notice his server is hacked, until his ISP eventually revokes his access from the Net.
Of course, for some reason you never hear people talk about this topic. Maybe it's not that popular?
"Here's your password. Store it and keep it in a safe place ( your wallet is a good place ) so you don't forget it. If you lose it or think somebody else may have seen it, let me know and I'll give you a new one."
Ok, so some users may stick a post it on their screen, but that is still miles better than having a login with "password" remotely accessible.
I recently registered with an un-named University and discovered that their PIN/password for my account is required to be SIX characters! Even if it can "contain letters, digits or punctuation" it seems awful limited.
Three Squirrels
I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access." Keychains store private keys, certificates, and arbitrary notes securely. I use one to store my passwords to all my e-mail and web accounts. They're encrypted using Triple DES.
Not only that, but it can generate passwords for you. Tell it how many characters you want, and whether the password should be memorable (comprised of dictionary words and a short string of numbers), letters and numbers, numbers only, something called "FIPS-181 compliant," or random. You can choose from the ones it generates from a pop-up menu, and if you don't like any of them, it can generate some more. Whatever password you choose, there's a gauge that tells you how strong it is.
I have to use it occasionally to look up a password to an infrequently visited web page. Entering my user password (that is, the one for my account on my computer) will unlock any one that is stored on the keychain.
Is it easy to use? Kind of, sort of; it takes a few seconds and more than a few mouse clicks to retrieve a password. Safari (perhaps Firefox as well, but I don't know) can be configured to remember your login information for a given page, and though it stores this information in the login keychain, the problem with Safari's implementation is that it works for some pages and not others, and doesn't require you to provide your user password--not exactly the most secure arrangement.
No one's ever compromised this scheme, as far as I know. Yet. Meanwhile, it works pretty well for me.
Those who can, do. Those who can't, write technology blogs.
You can use a single sign on solution like that offered by Imprivata and decent two factor authentication. Then, the user need only remember one password, or better yet not lose his biometric imprint, and retain control of his keycard. This does access for the whole system, and the end user doesn't even know his access credentials for subsystems. When mandatory changes happen, the sso system just handles it. It works with proximity cards too, and can be set up to log you out when you get out of range of the sensor, or to do fast user switching.
The Imprivata solution includes a high availability pair (or more) of Linux boxes that handle these things for the end user.
No I don't work for them. I did sit through some training. I understand their gear is popular in healthcare and with the military.
Help stamp out iliturcy.
Much of the problem with passwords is the number of entities who want them. Everybody you deal with wants you to create an account with them, which means one more password to deal with. I've got over a hundred passwords to various accounts in my records. Combine that with "strength" requirements that make them hard to remember and "security" policies that require changing them at (non-synchronized) intervals and you have a recipe for a migraine not all the Advil in the world can help. And many of those passwords aren't needed. Yes, I need a real account and password for my bank, or for E-Trade. No, I do not need an account and password for Amazon. Amazon doesn't need my username, they need me to be able to give them the credit-card details and shipping information for that purchase. Anything beyond that is for their convenience. If places that didn't need me to have an account didn't force me to maintain one, it'd make the password problem much more tractable.
Password strength requirements and mandatory-change intervals don't help, and do hurt. Strong passwords tend to be hard to remember in large numbers, and they're also hard to come up with. By forcing them to be changed regularly, you also all but force users to come up with passwords that aren't strong because they've run out of good ideas for strong ones. It also all but forces them to record them somewhere. Yes, one password isn't that hard to remember. But what did I say in the paragraph above? It's not just one password they have to remember, it's the dozens or hundreds that you and every other administrator out there require users to create and maintain. I'd much rather come up with one really strong password and be able to use it for a long period.
But it's vulnerable to guessing, you say. Oh, really? Check your logs. When was the last time your systems were subject to a sophisticated attempt to guess passwords? I'm betting it's been years. Most attempts to guess passwords these days aren't attempts to break individual accounts, they try a few of the most obvious passwords across every user on the system looking for the couple who've left themselves open. Any password that meets even minimal strength requirements will be impervious to that sort of attack indefinitely. On top of that your system should be implementing lock-outs on repeated failed password attempts, and your IDS should be noticing the attempts from unusual (for that account) sources and blocking them. Let's face it, the most common attack users are subject to these days is the social-engineering attack designed to get them to give the attacker their password. And once the user's given the attacker their password, everything you've tried to do to keep attackers from guessing it becomes completely and utterly irrelevant.
As for writing passwords down, reality check here. At work my passwords are recorded in a locked drawer in my desk. Which is inside the secure doors; you can't get into that area without a keycard. The building's got 24/7 security on it too. If you don't work there, you're not likely to get anywhere near my password slip in the first place. And anyone who does get near it has already gotten physical access to every computer in the office. They don't need to break into desks and collect password slips, they can just install hardware keyloggers on the computers. Or reboot them from CDs or USB drives (changing BIOS settings if needed to allow it) and slide their malware straight into the OS image while it and all the fancy AV software are inoperative. Or attach their own device to the network cables to sniff all the traffic for interesting things. In short, anyone in a position to read my written-down passwords is already smack in the middle of a target-rich environment and has a few hundred far more tempting things to go after before getting around to jimmying my desk drawer open, and the company's got far bigger problems to worry about.
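The distinction the post draws, a few obvious passwords tried across every account versus one account hammered, is exactly what separates what per-account lockout catches from what a source-keyed IDS rule has to catch. The following is an added illustration, not code from any poster; it runs over constructed sshd-style log lines with documentation-range IPs, and the thresholds (4 distinct accounts, 5 failures) are assumed values.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
Jul 10 03:12:01 host sshd[101]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jul 10 03:12:02 host sshd[102]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Jul 10 03:12:03 host sshd[103]: Failed password for carol from 203.0.113.5 port 40003 ssh2
Jul 10 03:12:04 host sshd[104]: Failed password for invalid user erin from 203.0.113.5 port 40004 ssh2
Jul 10 03:12:06 host sshd[106]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
Jul 10 03:13:01 host sshd[107]: Failed password for bob from 198.51.100.9 port 50101 ssh2
Jul 10 03:13:02 host sshd[108]: Failed password for bob from 198.51.100.9 port 50102 ssh2
Jul 10 03:13:03 host sshd[109]: Failed password for bob from 198.51.100.9 port 50103 ssh2
Jul 10 03:13:04 host sshd[110]: Failed password for bob from 198.51.100.9 port 50104 ssh2
Jul 10 03:13:05 host sshd[111]: Failed password for bob from 198.51.100.9 port 50105 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failures_by_source(log_text):
    """Map source IP -> {username: failure count} from 'Failed password' lines only."""
    per_source = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            per_source[src][user] += 1
    return per_source

def source_verdicts(per_source, spray_users=4, lockout_attempts=5):
    """Source-keyed view (the IDS side): 'spray' = one source, one or two tries
    each across many accounts; 'brute-force' = one account hammered from one source."""
    verdicts = {}
    for src, users in per_source.items():
        total = sum(users.values())
        if len(users) >= spray_users:
            verdicts[src] = "spray"
        elif total >= lockout_attempts and len(users) == 1:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "ok"
    return verdicts

def accounts_to_lock(per_source, lockout_attempts=5):
    """Account-keyed view (the lockout side): per-user totals regardless of source."""
    per_user = defaultdict(int)
    for users in per_source.values():
        for user, n in users.items():
            per_user[user] += n
    return {u for u, n in per_user.items() if n >= lockout_attempts}
```

Running `accounts_to_lock(failures_by_source(SAMPLE_LOG))` locks only `bob`; the four accounts touched by the spray source each show a single failure and never trip the lockout, which is why the source-keyed verdict is needed alongside it.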
My experience, from a user's point of view, is that passwords are never secure because the user has to remember them.
The user has to choose a password that is easy to remember or write it down, both of which mean the password becomes insecure.
To the poster (can't find your message now) who suggested an RSA key: this is a key-ring size LCD with a number that changes every 60 seconds. They are brilliant and in combination with a password would be tough to beat.
I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access.........
Word of warning from experience (I used to work for Apple): make sure you have another copy of your passwords, because as you say the keychain is encrypted, and if the keychain gets corrupted you may have to reset the keychain.
I would get a keychain access issue about once a week and the person on the other end of the phone used to get very upset as they were unable to do their banking.
I can't believe no one has mentioned KeePass yet. Strong password generation. I don't even need to know most of my passwords. I just need to know two, my login and my KeePass database password. My passwords are all as strong as any particular application will allow. I don't change my passwords often, but even if I needed to I don't lose anything because I never remembered any of my passwords in the first place.
It does put all my eggs in one basket though. If you get my KeePass password, and my KeePass database, then you have the keys to the kingdom.
Later,
Jason C. Wells
The practice of using of personal questions to reset passwords really annoys me. By definition, the questions and the answers are personal. Whoever is asking me that question so they can reset my password is overstepping his bounds.
I often don't like the choices people make, but I like the fact that people make choices. That's why I'm a conservative.
Sorry for shouting. But something you leave on everything you touch is, at best, a very insecure user name.
"something you know" is always going to be a key part of the equation, since smart cards are "something you have."
But, I do have hope that we'll never need more than 12 or so characters. You just need to make sure that the authentication pathway has some verifiable hardware limitation preventing high-speed brute-force attacks. Perhaps a smartcard that has a built-in keypad and rate limiter. (and the server on the other end would also have some kind of rate limiter. BOTH would have to be leaving you as the weak link.)
Can you be Even More Awesome?!
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
I wonder a bit why people/companies/etc are fussing a lot about the strength of passwords. Is it because security experts get anxious about all the ways that they can seemingly be hacked?
Though, it seems rare to me that the weakness of passwords contributes a lot to the actual damage that hackers actually do. Maybe it's because I am a tech layman, but I've never even heard of a company/etc having problems because the passwords were too weak. Rather, it's almost always a malicious worker, someone bringing viruses in via a laptop, keyloggers, hackers impersonating IT staff on the phone, or even the very simple shuffling through the garbage. NONE of which a strong password will do anything against, ever.
After all, trying to brute force, hack, or guess a password is generally very hard.
Bravo. Although I suspect the most popular basic hacks come from people who simply give their passwords away (i.e. fake login sites), as well as those that have easily cracked passwords.
Faced with a new password policy at work (at a non-profit, where I'm not sure what the sensitive data in my e-mail is anyway) requiring a special character, a capital and a number, changed monthly, and not one of the past four passwords you used... I went with how I name most of my files and added .monthyear:
regularpassword.July09, regularpassword.August09
I was pretty pissed when this went into effect, as I wondered why IT would make so much work for themselves having to reset people's email passwords and leave actually interesting data less secure: the database that includes all of our patron names, addresses etc. has one password per building, usually on a post it note by the computer.
Not true. Password security issues are just stuff that gets noticed more easily than bots and malware and other assorted nasties. I know that most IT places are geared to macro security issues and ignore the micro security issues of the end user. My own experience proves that. When my work XP box got infected they "cleaned" it out using a couple of freeware downloads applied by some "tech" - it did not work, and that machine will have the hard drive formatted next week at my insistence to clear up the lingering issues. Also my experience has been that hackers cause the most havoc, as others have noted. The latest being my Bike Nashbar account being hacked along with thousands of others - we got the letter last week. They got my credit card number, address, user name and password, but I am not supposed to worry much because they did not get my social security number. So who lost the password? Bike Nashbar and not me.
I had a good giggle when I noticed that Windows NT 6.1 ("Windows 7") setup makes password hints mandatory.
I used a password hint of "aye, right!", but I can only imagine the number of poor sods who just type their passwords there (that's the optimal hint, after all...).
http://bash.org/?244321
There, that wasn't too hard was it !
Yes yes - let's make all customers change over to a strong password like XYZ Communications (not the real name) just did recently. My personal experience was:
1. My current password scheme, which I have been using for 3 or 4 years, didn't work any more.
2. When I went to log in with my new password, it also didn't work.
3. When I called XYZ the CS rep immediately asked me for my password over the phone.
4. When I pointed out the inherent insecurity in that, I was told that I could change my password afterward. Of course, that is what caused me to call in the first place. Anyone see the tight loop here?
I am a somewhat savvy user - I run a home network of mixed Linux and doze machines, subnets etc. That means that I understood the threat being opened by having however many hundred thousand people go through this process, including those that already had pretty strong passwords. Many customers do not.
Another case of the fix being worse than the problem?
This also happened with my bank, which left the passwords alone, but added a question - gee - that's like so much more difficult to break than the password alone (not) - again - putting the onus on the customer.
Better off leaving it alone?
Enforcing "difficult" passwords is really only valid against the possibility of someone trying to brute force your passwords, so if one knows that ABC Credit Card Services requires everyone to have a password 8-16 characters in length with one capital and one number in it, isn't that effectively a smaller search space than if the employees are allowed to use any combination of letters and numbers up to 16 characters in length?
All kings is mostly rapscallions. -Mark Twain, The Adventures of Huckleberry Finn
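The question above (does requiring one capital and one digit in an 8-16 character password shrink the search space?) can be answered by counting. The following is an added worked example, not from the poster; it assumes a 62-symbol alphabet (26 lower, 26 upper, 10 digits), that "any combination of letters and numbers up to 16 characters" means lengths 1 to 16 over that same alphabet, and uses inclusion-exclusion for the constrained count.

```python
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits

LOWER, UPPER, DIGIT = len(ascii_lowercase), len(ascii_uppercase), len(digits)  # 26, 26, 10
ALPHABET = LOWER + UPPER + DIGIT  # 62 symbols (assumed alphabet)

def policy_count(n):
    """Strings of length n with at least one upper-case letter and at least one digit.
    Inclusion-exclusion: all - (no upper) - (no digit) + (neither)."""
    no_upper = (LOWER + DIGIT) ** n   # 36^n
    no_digit = (LOWER + UPPER) ** n   # 52^n
    neither = LOWER ** n              # 26^n
    return ALPHABET ** n - no_upper - no_digit + neither

def policy_space(min_len=8, max_len=16):
    """Size of the space the stated policy allows (ABC Credit Card Services example)."""
    return sum(policy_count(n) for n in range(min_len, max_len + 1))

def free_space(max_len=16):
    """Any mix of letters and digits, length 1..max_len, no composition rule."""
    return sum(ALPHABET ** n for n in range(1, max_len + 1))

def space_ratio(min_len=8, max_len=16):
    """Fraction of the unconstrained space that the policy leaves reachable."""
    return policy_space(min_len, max_len) / free_space(max_len)

def enumerate_count(n):
    """Brute-force cross-check of policy_count by enumeration; only sane for n <= 3."""
    symbols = ascii_lowercase + ascii_uppercase + digits
    return sum(1 for s in product(symbols, repeat=n)
               if any(c.isupper() for c in s) and any(c.isdigit() for c in s))
```

The constrained space is indeed smaller, but not by much: at exactly 8 characters the rule removes about a quarter of the 62^8 strings, and over the full 8-16 range the policy still covers roughly 94% of the unconstrained space, because long random strings almost always contain a capital and a digit anyway.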
There are more problems due to antivirus software suddenly declaring important system parts as viruses or just simply crashing the whole kernel. That never happens with bad passwords.
On the other hand, the virus software and database get updated automatically, whereas the overly complexified passwords and strict changing periods just create a work overload on the sysadmin because everyone just forgets their password all the time.
Atari rules... ermm... ruled.
And, you're right: That kind of thing you illustrate, does go on (& far worse, via DCC), but, what I found absolutely LUDICROUS, was this:
On a contract assignment I had in 2007-2008, I had to do calls for customers with problems in their systems, many times taking over when the other techs failed to do so, or gave up... what astounded me the most, was that vendors from the "big names" (think Compaq, DELL, HP, etc. et al) were issuing/selling systems with a BLANK ADMINISTRATOR PASSWORD!
(And, we ALL know what THAT means... i.e.-> Anyone can remotely get ahold of that machine, especially since "Client for Microsoft Networks" &/or "File & Printer sharing" are ON, by default, & the ADMINISTRATOR user is the most powerful, by default, other than the SYSTEM SID that is).
That? That made me wonder @ "the powers that be" really...
APK
P.S.=> Have any of YOU seen the same? apk