Slashdot Mirror
Applying Pavlovian Psychology to Password Management
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt:
"For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited with awareness of passphrases?
Include the quotes, and be even more secure!
"National Security is the chief cause of national insecurity." - Celine's First Law
"highly resistant to bruit forcing"
Especially if you misspell words!
"National Security is the chief cause of national insecurity." - Celine's First Law
Sure, implement this and watch most of your userbase write passwords down and keep them on the side of the monitor or under the keyboard.
Because all you are going to get is users deciding that they they cannot come up with a 10th password that year and just going picking "123456".
"I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable
Troll is not a replacement for I disagree.
The computer will tase the users if they forget to change their passwords at the prescribed time. If they do remember, give them a biscuit, with a glass of milk if it's a strong password.
“He’s not deformed, he’s just drunk!”
As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.
The battle to make users remember arbitrary characters isn't just foolish, it's insecure.
Which is not what this is about. The article is about varying the password expiration by whatever password grading system you have chosen
Without advocating a specific grading system.
But there are some pretty decent grading systems that use a graph-based approach to calculate an approximation of time to crack, based on application of different cracking techniques to different substrings within the password.
For example: for 3 common words strung together. You count the number of words in all the dictionaries that each word shows up in, and you figure time to crack for that substring as n/2; for each word, where n is the size of the smallest of the cracking reference dictionaries containing that word, and multiply those times together for the words strung together.
For common variants such as leet substitution, applying a misspelling, appending a digit, prepending a symbol, changing a case....
Of course, then, the approximate effect on crack time of all these things can be calculated.
Appending a digit multiplies it by 10.0. Prepending a symbol multiplies it by 6.0. Alternating the case of some letters multiplies the strength of that word by 2.0
Performing leet-speek substitution multiplies the strength of that word by 1.05
Applying a misspelling, single letter substitution, or transposition to a word multiplies time to crack that word by 26.0, etc.
There are many off-the-shelf two factor solutions today. Choose one.
That's fine if you only ever sign into one web site that uses two-factor authentication. But if every web site you sign into during the day insists on a different off-the-shelf two-factor solution, or if one of the solutions is pay-per-use, it could get very expensive. One such pay-per-use method that has become popular is receiving a text message on a cell phone.
Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?
Are they really more annoying than the popups and popunders and intrusive audio ads?
But if your pw file isn't supposed to be public, then you're setting a policy assuming your system has been cracked and are passing bad math onto the users as annoyance.
Dude, the first step to good security is to assume you've been compromised and then construct your defenses based on that assumption.
It's called a defense in depth.
Or to look at it from another angle: we all have locks on our homes, but you still wouldn't leave $10,000 in cash just sitting on the kitchen table, would you?
Of course not, you'd hide it, preferably in a safe that's bolted to the floor.
[Fuck Beta]
o0t!
A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.
A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.
But the best part was that I bet that with my relatives wallet and his most recent pay stub that I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said, it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.
So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.
A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.
Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.
One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.
.
Prisencolinensinainciusol. Ol Rait!
+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets which I doubt they do)
Enjoy being locked out when you realize that UTF8 != CP-1252 != UTF16LE, etc. Oh, and god help you if you need to use a different OS to login, or don't have rights on the given machine's account to change the input charset. And all this is before you get into the potential disconnect between the webapp's stated charset vs the backend password system's charset (your password text field input isn't being passed around as raw bytes no matter how much you might wish it to be, sorry).
There is no hell like charset encoding. Yes, in some imaginary world where everyone dropped IPv4 when IPv6 came out, simply because it was the correct technical solution, your idea might work due to ubiquitous, end-to-end UTF8.
Here in the real world, well, one time I got locked out of a shitty online banking system because I used a punctuation character in my chosen password while setting it and all non-alphanumerics were stripped from input in the login password field, thereby preventing me from ever being able to submit my chosen password.
The real world is horrific and soul crushing.
Limit attempts to log in to any specific account to once every minute or so. Failure locks the account for a minute, so it doesn't matter what IP or console or program the request comes in from, etc., it's once per minute, period. That's 1440 attempts / day, max.
Attempts to try every password will take forever on even a moderately stiff PW. So ensure passwords are at least moderately stiff. Or better.
After some small number of failed attempts from one IP, blacklist the IP or console. After some small number of highly concurrent failed attempts from multiple IPs, blacklist all of them.
This prevents using constant PW attempts as a trivial DOS and causes uniform attrition in botnets -- not only can that IP or console not attack that user, they can't attack any other, either.
If you've allowed people to get ahold of your password hashes or lists, you're completely hammered. So create a password server that does nothing else. Provide hardened physical security for same. Create a custom hardware bridge that does nothing but handle passwords in a very specific manner, complete with the built-in delays. No other connectivity. Passwords are now as secure as your physical plant allows for.
This puts the least load on the legit user and transfers such heavy work to the cracker that it becomes pointless to try. It's not even all that technically challenging.
Now, making your actual application secure... that, apparently, is beyond the ability of most programmers today. Sigh.
I've fallen off your lawn, and I can't get up.
I don't understand the question. Those things are all annoying. Are you implying we have to pick one?
Personally, I would say that they are more annoying than popups and popunders, because popups and popunders are conveniently encapsulated and marked as bullshit by virtue of being in their own unsolicited window. But less annoying than those autoplay audio ads for sure, which are a blight far beyond any advertising the Internet had ever seen before.
I'm glad people are out there thinking about this. As I understand it, though, there are a couple of drawbacks to this specific approach.
1. The unique identifier that now allows you to be tracked across each application you use. I guess this can be solved by having multiple IDs per app. You might want to consider this.
2. "Pay per authentication"...
3. Requirement for your phone to have connectivity. While this doesn't matter most of the time, it can be important when, for example, you're traveling abroad and don't have phone service.
4. You need to be a trusted party for your users. If you're compromised, the whole system is screwed.
Other approaches, such as Google Authenticator, provide 2FA without the requirements of connectivity, trackability, trust, or payment. The only advantage (and this is also quite a weakness) that I can see with your approach is that it's probably easier to replace a lost phone; just call you guys and have you reroute the passwords to a different app. The problem is that this opens the door to social engineering attacks (see #4).
You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
This should be the first thing you tell your mother or Aunt Tilly [tm].
If you do the occasional shopping, email and Facebook usage you only really need to know one password; your email account. The others can be stored in your browser/app or reset if you ever forget. Having to do a password reset before doing your "once-a-year" ordering of photo-books is a minor inconvenience compared to having to remember loads of different passwords or worse; using the same password for all sites.
Teach Aunt Tilly [tm] the typical password-reset procedure and tell her that she doesn't have to remember these passwords, so there's no need for the password to be simple.Shopping sites really should move away from using passwords anyway. They can store a token in your browser and perform a reset using your email address if you're using a browser without the token. They can also do periodic resets of the token.
Just make sure that Aunt Tilly [tm] knows that there is one password that needs to be GOOD and she needs some way of remembering it; her email account. Having access to your email account would give criminals many great ways of screwing you over, since they can reset nearly all your passwords that way.
If she really can't remember a complicated password, then writing it down on a piece of paper in her house is much less likely to cause her trouble than using "mathilda" or "whiskers" as her password.
Another fun one is a password containing a backslash. To make matters worse, the customer support is not willing to reset the password, because the web site offers a way to retrieve the password already via e-mail, despite the fact that entering the exact password as it appears in the e-mail does not work. And the fact that the password can be retrieved at all (instead of only reset) is not a good sign either.
Noisy forcing? Ah, like, say, an American standing in line behind you?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It is one of the few things where I simply don't agree with Bruce. While it is no less secure than your CC, I consider the CC already a horrible security problem.
What you do when you write down your password is that you turn "something you know" into "something you know OR something you have". And while security improves if you make it dependent on "something you know AND something you have" (as in ATM card+code), the OR there lowers your security.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yes. It's way easier to adblock than to trollblock.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The whole issue starts at "why is offline cracking possible in the first place?".
Offline cracking requires the attacker to have access not only to the machine (ok, in a time of VPN that's not as big a feat) but to the password database. If you assume or at least fear that a potential attacker can have access to the password database, and not only that but actually gain access without you noticing it immediately (else, just invalidate all pws when you notice it and be done with it), you have FAR bigger problems at your hands than figuring out password expiration dates.
First things first. Dear CISO: Instead of bossing around your users with harebrained password changing chores (including the usually impossible to fulfill requirements akin to "100 letters, at least 20 numbers and not even similar to the last half a billion passwords that were used in the company"), do you fuckin' job and make sure that nobody can steal your pwdb!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Here is wisdom. Let him that has understanding count the number of the beast: for it is the number of a man; and his number is Six hundred three score and six.
Solve that for my Slashdot password.
Dude, that password was so easy.
I've updated your password to the answer to a new riddle:
Why is a raven like a writing desk?
Good luck spelling it correctly!
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Why don't most password systems support unicode passwords? Besides the small accessibility problem, I'd like someone to try to crack some japanese, chinese, thai, or arabic text, whether it makes sense or not.
"No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
So set your computer to not require a password at login, and not require unlocking when you wake the screen.
And tell your email client to remember your password. Every one I've ever used (going back to the '80s) has been able to do that. If by some miracle yours isn't, get another one.
Your web browser should be able to remember most of the other passwords for you.
You're out of luck with the MMOs, however.
You may have missed his point. Writing down the passwords means you can use stronger passwords that you don't have to struggle to remember. The threat from brute forcing stolen hashes is much greater than the threat of having your wallet stolen by someone who is going to know what to do with the passwords.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.