Slashdot Mirror
Applying Pavlovian Psychology to Password Management
Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt:
"For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."
From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited with awareness of passphrases?
Include the quotes, and be even more secure!
"National Security is the chief cause of national insecurity." - Celine's First Law
Because all you are going to get is users deciding that they they cannot come up with a 10th password that year and just going picking "123456".
"I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few)"
What a joke. If every site used this method I, and many other people, would need to change multiple passwords every single day of the year. The entire system would break down and become completely unmanageable
Troll is not a replacement for I disagree.
The battle to make users remember arbitrary characters isn't just foolish, it's insecure.
Which is not what this is about. The article is about varying the password expiration by whatever password grading system you have chosen
Without advocating a specific grading system.
But there are some pretty decent grading systems that use a graph-based approach to calculate an approximation of time to crack, based on application of different cracking techniques to different substrings within the password.
For example: for 3 common words strung together. You count the number of words in all the dictionaries that each word shows up in, and you figure time to crack for that substring as n/2; for each word, where n is the size of the smallest of the cracking reference dictionaries containing that word, and multiply those times together for the words strung together.
For common variants such as leet substitution, applying a misspelling, appending a digit, prepending a symbol, changing a case....
Of course, then, the approximate effect on crack time of all these things can be calculated.
Appending a digit multiplies it by 10.0. Prepending a symbol multiplies it by 6.0. Alternating the case of some letters multiplies the strength of that word by 2.0
Performing leet-speek substitution multiplies the strength of that word by 1.05
Applying a misspelling, single letter substitution, or transposition to a word multiplies time to crack that word by 26.0, etc.
Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?
Passwords are security through obscurity. We need a better system altogether.
Absolute hogwash. That is not what "security through obscurity" means at all. Security through obscurity refers to security based on an algorithm being secret, not specific per-user information.
The problem with the use of SMS for 2-factor auth is not that you have to pay for the messages (paying for incoming text messages is an artifact of the horridly broken pricing model for US cellphone service) but that SMS is unreliable (I have had instances of SMS messages not getting through, especially if my phone happens to be switching cells or entering a dead zone at the time) and also that with more people doing so much internet stuff on their cellphones, having the second authentication factor being the same device you are using to log into the web site makes things a lot less secure.
A very simple problem opened up by making users rapidly change their passwords is that they will frequently forget what they just changed them to. They will change it last minute on Friday to something genius and on Monday scratch their heads and go, "Crap". So now they are going to call tech support who will walk them through some crude verifications and give them a new password.
A perfect example of this is a relative of mine who works for government. He was complaining about the frequent password changes he has to do. So I bet him that we could look under everyone's keyboard and find some passwords. Two of his people put them on post it notes under the keyboard, and another guy just had 30 passwords written on the bottom of his keyboard, which oddly provided some security as I couldn't guess which one was the newest.
But the best part was that I bet that with my relatives wallet and his most recent pay stub that I could talk IT into resetting his password. So I called them up and they promptly walked me through resetting his password; but they didn't ask me a single question. So in the end I asked them how they knew I was me (him) and they said, it was because of what phone I was calling from. I asked what they would have asked had I been home and they said, birthday, maybe the office's postal code.
So it wouldn't have mattered what genius password scheme they were using as the more genius it was the worse their social hacking problem would become.
A different relative who works for a different branch of government could even log in without her key fob as all she had to do was phone IT and whine until they let her in from home.
Now you might just wave your hand and say, no problem just bolster the security by telling them not to be nitwits. But those guys weren't being nitwits. In government or any large organization if you piss the wrong person off you will lose your job far faster than if someone hacks the system. So maybe for Sally secretary they might not be so persuaded but in the case of where I phoned in a forgotten password the person who should have been sitting at that desk could have an IT person's head very quickly. As could the other relative who whined past the need for a key fob.
One day Pavlov walked into a bar and ordered a cognac. He was about to take a sip when the barkeep rang him up. He dropped his glass and shouted "Shit! I've got to feed the dogs!" and ran out.
.
Prisencolinensinainciusol. Ol Rait!
As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.
Bingo. Funny enough, I just finished doing a security job out in western canada(provincial government office) and moved them to passphrases. Funny how the number of "passes written on post-it-notes" dropped from "everywhere" to nowhere except the firebox safe. The safe of course is in it's own room, and requires two keys to open besides the combination. This of course also cut down on the intrusions into the network, because people simply "walking in" couldn't glean passwords that were posted in the open anymore.
Om, nomnomnom...
+1 to this, using foreign language characters in a passphrase is a great idea, it makes things more secure since it increases the number of combinations hackers need to try (assuming they even have the foreign language characters in their data sets which I doubt they do)
Enjoy being locked out when you realize that UTF8 != CP-1252 != UTF16LE, etc. Oh, and god help you if you need to use a different OS to login, or don't have rights on the given machine's account to change the input charset. And all this is before you get into the potential disconnect between the webapp's stated charset vs the backend password system's charset (your password text field input isn't being passed around as raw bytes no matter how much you might wish it to be, sorry).
There is no hell like charset encoding. Yes, in some imaginary world where everyone dropped IPv4 when IPv6 came out, simply because it was the correct technical solution, your idea might work due to ubiquitous, end-to-end UTF8.
Here in the real world, well, one time I got locked out of a shitty online banking system because I used a punctuation character in my chosen password while setting it and all non-alphanumerics were stripped from input in the login password field, thereby preventing me from ever being able to submit my chosen password.
The real world is horrific and soul crushing.
The problem is that password crackers can now crack strings of words relatively easily. On page three of the article it even mentions that comic specifically as an example of what crackers can now break.
Two factor authentication is the solution. If you can't use that then a long, random password stored in a password safe app is the best bet. Anything you can remember is crackable.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
That's why I actually have a password list on paper (yes, yes, despite of what I wrote only a few comments further up).
At home, in my apartment. If you manage to break in here, whether you have my passwords is my least problem.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Why do you hate America?
Never underestimate the power of stupid people in large groups.