Slashdot Mirror


Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes: By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."

11 of 549 comments

  1. Oh great by Falos · Score: 5, Interesting

    > asserting that a single point of ultimate failure is the most important technology
    Yeah, it's important all right. Critical, even.

    We're being awfully slow about teaching people to adopt passphrases. Simple, no number no symbol nonsense.

    "rrrybgdts" is a nursery rhyme. It doesn't even have to be written on a sticky.

    1. Re:Oh great by rwa2 · Score: 1, Interesting

      This. Yes, merely changing the word "password" to "passphrase" already gets people to use better options.

      And for all of the silly ways to come up with half-decent passphrases that are both easy to remember and hard to attack with both dictionary and brute-force attacks, I like the nursery rhyme / song lyric approach. So think of some poetry you like, and assemble your passphrase from bits and pieces of it like so:

      "Love is beautiful, like birds that sing.
      Love is not ugly, like rats in a puddle of vomit." - John S. Hall
      => Lib,lbts.Linu,lriapov

      Bam, a half-decent passphrase that's easy to remember. Maybe you'd even 133+ify it a bit to add as many "special" characters and numbers as you need:
      L15b,lb+s.Lin|_|,lriapo\/

      And the best part, is when you need to rotate passphrases every 90 days or so, you can just go on to the next verse. Also, it helps put you in a good mood when you start at work, depending on how much you like your choice in poetry.

      Of course, the hardest part is not to start singing as you log in.

    2. Re:Oh great by dcollins117 · Score: 1, Interesting

      It's not hard to roll your own nursery rhyme:

      I only have three fingers,
      Suspended by three springs.
      Instead of choosing passwords,
      I do more important things.

      There ya go, no Google hits.

    3. Re:Oh great by roc97007 · Score: 4, Interesting

      In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular phrases, lyrics, Bible verses, etc. can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
      http://arstechnica.com/securit...

      Perhaps, but I think that's why the xkcd comic stipulated four random words. It's the human mind's ability to see patterns or visualizations in words ("It's a battery staple!" "Correct!") that makes such phrases easy to remember.

      I agree that common phrases may not be good choices. But I'm pretty sure that "gopher banana rim plunger" would be fairly immune to attack, although perhaps unpleasant to visualize.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

    4. Re:Oh great by Just Some Guy · Score: 2, Interesting

      Unless you're talking about something that I'm not getting, it's not susceptible to a dictionary attack. The individual words may be, but a brute force attack would still need to guess all of those words in that order.

      The part you're missing is Markov chains and Bayesian analysis. I'll bet a reasonable corpus of phrases would show that "is" follows "love" fairly often, and "love is beautiful" is far more common than "love is axiopisty". Similarly, "birds that sing" is hugely more likely than "birds that exhibitorship".

      While the whole phrase is unlikely to be the first random thing someone types, each word in that phrase is quite likely to be the one chosen based on its predecessors. I still think correct horse battery staple is a poor idea compared to a strong randomly generated string, but /usr/share/dict/words on my system has 235886 entries and 235886^4 ~= 2^72. That's reasonably random. I would much rather have to iterate through Markov chains branching from each word in the dictionary and trying the likely phrases than to have to brute force each possible 4-word combination. I don't have the numbers to back it, but I bet you could reduce the search space by quite a lot of orders of magnitude.

      --
      Dewey, what part of this looks like authorities should be involved?

  2. Wrong by StripedCow · Score: 3, Interesting

    1) Choosing a password should be something you do very infrequently

    Wrong. Once your password is compromised (e.g. by use of a keylogger or otherwise), hackers can use it over and over again.
    It is much better to use One-Time-Passwords (OTPs) such as the ones generated by two-factor authentication systems.

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.

  3. Re:Many passwords just don't matter. by aardvarkjoe · Score: 3, Interesting

    The thing is, with a good password manager, there's no reason to have a weak password, even for the sites that you aren't worried about.

    Most non-technical people (the ones who we're most concerned about in terms of password security) aren't very good at figuring out where security is and isn't important. For instance, I can't count the number of times I've heard statements along the lines of "I don't care about my e-mail password, because I don't care if a hacker could read my e-mail." Better to create tools and methods to make sure that people can conveniently create secure passwords across the board, rather than hoping that people will make the correct decisions related to security.

    --
    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?

  4. Re:symbols, caps, numbers by unfortunateson · Score: 4, Interesting

    > symbols, caps and numbers are still very useful when the site limits password length.
    I disagree: Insist that there must be a cap, and it will be the initial letter in >90% of the cases.
    Insist that it have numbers, and they'll either be trailing (often the year, especially if you require two digits)
    Insist that it be symbols, and you'll probably find a period or comma at the end (the only symbols commonly available on the first smartphone keyboard screen).

    So, now I've changed the two digits to one out of ten, and instead of a random character out of the 70 or so common ASCII characters, I'm probably starting with just one of the uppercase letters.

    At one point when I was a system administrator and we only required 6-digit passwords changed every 90 days, I could log in to 3/4 of the computers with "spring", "summer", "autumn" or "winter". When we beefed up to 8 digits with numbers, it would be "spring95", "autumn96" etc.

    You've got to make it more random: Pick a phrase, a song lyric, a movie quote. Change a word or two. Make some letters just the initials, a word all in caps, a number substitution: "You light up my life" -> "uL1GHT^ml". That's unlikely to be in a cracker dictionary (until today, of course).

    --
    Design for Use, not Construction!
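
A worked check that ties together the points raised above, added here as an example and not code from the post or from any commenter: it normalises a candidate the way a guessing tool would (dropping the trailing year or symbol and undoing "$"-for-"S" style substitutions, as roc97007 describes) before a common-password block-list lookup (the summary's point 4), and it puts numbers on Just Some Guy's 235886^4 estimate and on unfortunateson's observation that the capital, the year and the symbol are predictable rather than random. The block list and the leet table are small constructed samples, not a real breach-derived list.

```python
import math
import re

# Constructed sample block list for illustration only; a real deployment would
# load a list derived from breach corpora (assumption: just these entries).
COMMON_PASSWORDS = {"password", "spring", "summer", "autumn", "winter",
                    "letmein", "qwerty", "iloveyou"}

# A small constructed subset of the "leet" substitutions guessing tools undo
# ('$' for 's', '0' for 'o', ...); a full table would be much longer.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalize(candidate: str) -> str:
    """Drop the trailing year/period/comma users append, then undo leet
    substitutions and case, so 'Spring95', '$ummer!' and 'P@ssw0rd' all
    collapse onto the base word a guessing tool would try first."""
    base = re.sub(r"[^A-Za-z]+$", "", candidate)
    return base.translate(LEET).lower()


def is_common(candidate: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True when the normalised candidate is on the block list."""
    return normalize(candidate) in blocklist


def uniform_bits(choices: int, positions: int) -> float:
    """Entropy in bits of `positions` independent uniform draws from `choices`
    (four random words from a 235886-word list, eight random chars from 70)."""
    return positions * math.log2(choices)


def structured_bits(dictionary_size: int, year_choices: int = 100,
                    symbol_choices: int = 2) -> float:
    """Effective entropy of the 'Capitalised word + two-digit year + trailing
    period or comma' habit. The capital is always the initial letter, so it
    adds nothing; only the word, the year and the symbol are real choices."""
    return math.log2(dictionary_size * year_choices * symbol_choices)


if __name__ == "__main__":
    for pw in ["Spring95", "$ummer!", "P@ssw0rd", "gopher banana rim plunger"]:
        print(f"{pw!r:29} common={is_common(pw)}")
    print(f"4 random words from 235886 : {uniform_bits(235886, 4):.1f} bits")
    print(f"8 random chars from 70     : {uniform_bits(70, 8):.1f} bits")
    print(f"word + year + symbol habit : {structured_bits(235886):.1f} bits")
```

The three entropy figures are the comparison the thread argues about: roughly 71 bits for four truly random words, about 49 bits for eight random printable characters, and only about 25 bits for the policy-compliant "Spring95." pattern once its predictable parts are discounted.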

  5. lost password process as an attack vector by roc97007 · Score: 5, Interesting

    Even the best password, memorized or securely stored, doesn't protect you against a password recovery process that's improperly engineered. Often an institution, even a BANK, will give you as a recovery password a choice from perhaps six possibilities, any of which can be divined from publicly available information or a little social engineering. Your password may be q4ot38yhewa;okl, but your password recovery phrase will be the street you lived on in high school or the name of your first dog. This is not secure.

    And don't even get me STARTED about pin code security. When I set up my AmEx corporate card, the phone menu suggested strongly that I use digits that are easy to remember, like my mother's birthday. Ignoring the directions and entering a random code, I got rejected because my pin WASN'T A VALID DATE. I called tech support, told the tech monkey the error I was getting and he immediately said that I was to set it to my mother's birthday. I said I didn't want to use something that would so easily be discovered, and he seemed nonplussed. He had to consult with a supervisor. They eventually decided that I could use a random number, but I had to tell him the number over the phone so he could override the menu's requirements to use a valid date. This was AMEX!

    Back to the lost password process, I give random strings as answers to the challenge questions, but I figure eventually banks won't let me use strings that aren't a valid dog's name or a listed street name in my home town.

    I know why they do this -- it cuts down on service calls to require shlubs to use passwords that are easy for them to remember. But geeze... I foresee a time when we'll all be required to use the common name for an eating implement. Everyone will choose "spoon". The institution will be able to cut customer support back to one person in north-eastern Poland. Or perhaps they already have.

    (I use Poland not to denigrate the Poles, but because a company I do business with was quite proud of the low low DL price they got for customer support hotline personnel in eastern Poland. To cover North American accounts. Because that makes sense. Really.)

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

  6. Re:I disagree by Dynedain · Score: 3, Interesting

    We do, it's called Open ID, which is what Google leverages for their single-signon (not sure if FB is their own solution or not). It was a really popular thing about 5-10 years ago and got a ton of attention. I think even MS enabled it.

    The problem with it is this: everyone was willing to let their servers be the authenticating source for OpenID, but no one was willing to trust a 3rd party's servers to do the same.

    So I can create identity authentication galore at mydomain.example.com, but if Google isn't willing to trust mydomain.example.com, then it's not very useful as a unified login authenticator.

    --
    I'm out of my mind right now, but feel free to leave a message.....

  7. Re:symbols, caps, numbers by war4peace · Score: 3, Interesting

    One of my older passwords for important stuff was an Office 2000 key I learned by heart. 25 characters, letters mixed with numbers, not including dashes. If special characters were required, then I'd use dashes, otherwise not.
    Save for VL keys, they were unique so the chances of someone guessing that were very, very slim.

    And just for kicks I wrote a password manager which allowed you to use any key on the keyboard, including ctrl, shift, alt, caps lock, Win key, you name it. How about using ctrl, shift+num*, backspace, backspace, F1, Esc, Scroll Lock, Winkey as a password? :)
    (the only problem was that if you fatfingered a key you would have to wait for the 10 second cool off and try again when prompted)
    The application could also be configured to give you a "wrong password" result if you entered the right password, with a configurable delay during which you were expected to do nothing to go through. There was no visual feedback when pressing the keys, only sound.
    But a regular user would be driven mad by such a login method, heh-heh.

    There are many ways to make an environment secure password-wise. But Average Joe wants it quick and easy, so as long as people aren't educated, nothing would really be secure enough.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)