Ask Slashdot: Convincing My Company To Stop Using Passwords?
gurps_npc writes: Any password policy sufficiently complex to be secure is too complex to remember, so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
Your system will be breached. Do you get enough out of this to take the fall when that happens?
Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system, it's so complex.
As soon as you succeed with the paperless office, and don't forget to get rid of the fax machine too, then it'll be time for the password-less office. Just sayin'
Have you considered how much it will cost your company to implement and manage such a solution?
You'll need to be able to convince management that the likelihood and impact of your company's IT infrastructure is high enough to justify such an expense.
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
Anything you do that adds an additional step to an existing process that "appears" to be working perfectly fine will potentially earn you some enemies. Some of the people most likely to be frustrated by the process may also be in positions of great influence.
A noble cause, but its success depends a lot on the existing culture of your workplace.
Certainly coming to the table with a well thought out argument in favor of this isn't bad.
But if the culture is right, you should be able to bring this up casually with superiors and discuss it with them candidly and THEN discuss putting together a formal document proposing a solution. If anything they are better equipped than we are to evaluate the user needs of the workplace and give you ideas of how to pitch this to the rest of the business.
Figure out how much time and effort tech support spends on dealing with forgotten or compromised passwords.
Factor in the time lost by employees while they wait for tech support to deal with password problems.
Find some research discussing the cost of a compromise.
Figure out how much a token based system will cost. Assume people will lose their tokens.
Make the case that your solution is cheaper than the existing solution.
Then prepare to deal with "but we won't get compromised, so this is a waste of money".
Use U2F, it's the best authentication token on the market. Either as second factor, or as lone factor. It doesn't enforce any lock-in at all, and its experience is just like keys: you have cheap tiny things you stick into holes (please spare me with any childish dick/buttplug/etc comparisons).
If they only need to survive online attacks, the 8 character limit is enough for passwords. However, you would need to add some meaningful brute-force and weak-password recognition.
Justify the cost savings and the costs to procure the 2-factor auth system. Can you show a sure reduction in help desk support for forgotten passwords? Don't forget that if you are just shifting support costs somewhere else (like replacing lost auth tokens) to show that cost and how it is still less than having passwords.
The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.
Usually for internal AD, having a third party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a Web app is authenticating from AD, it likely won't have a window to present the 2FA challenge. SecurID is the only one I know which gets around this since there is no challenge token presented... users just enter in their password and the number off their token, and it logs them in with the standard username/password box. However, the downside of SecurID is that it is not cheap, and requires at least two servers to authenticate the tokens.
Internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, have a wide use with the US government, and work with most major applications.
Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.
The place I'm currently at makes me use a 20 character password with characters from at least 3 of 4 groups (numbers, lower case, capitals, punctuation), and to change it every 45 days, and the last 30 passwords cannot be reused. Clearly everyone uses a 'password system' that makes this more insecure, even though it is explicitly denied. Worse, for remote access we have to use three factor authentication (password, pin and RSA token code) anyway. Why can we not just use two factor throughout?
The same company blocks web access to dictionary.com, archive.org and anything related to computer security (hacking) and 3D graphics (games), as well as anything deemed to be file sharing (dropbox, google drive, pastebin - but not gist.github.com or thousands of other similar sites).
Why are such douchebags in charge of IT at such large companies that employ technically competent staff?
Whatever happens, do not start your proposal with "Let's stop using passwords."
Besides, in every system I've seen with 2-factor authentication, passwords could still be used, but 2-factor authentication would only get triggered if the employee was accessing the network from an unknown computer, or an unknown ip address, or if the employee had forgotten his original password.
Not to mention that stabbing yourself in the eye with a pencil will probably be less painful and result in more real security. And at least the eye-pencil is likely to make it to completion.
My favorite part is having to change the password every 30 days.
A LOT of people will use base password+date, e.g.:
Slashdotnov2014
Slashdot1114
etc.
Gee. I wonder what it might be in December...
I even know people in IT with passwords like that. When setting up a new computer for you they'll ask for your username/password so they can log in and set up your profile, so they are well aware that people do that.
I would encourage users to write down their password on a piece of paper.
That paper should contain only the password, no hint to what it belongs to.
The paper will then be stored inside the person's wallet, and looked at when necessary, but not taken out.
If that person manages to lose their wallet, they have bigger problems than the company password.
I am not sure if it is available outside of Citrix, but that system uses 3 factor authentication, which is username, password, and an 8 digit numeric password followed by a 6 digit RSA SecurID token that is supplied by a hardware dongle each employee has. Since it's broken into segments, there is less for the employee to remember, and even having all the passwords without the RSA token the system cannot be accessed.
I work in schools.
I'd be interested in any cheap, Windows-logon compatible system that I can supply my own RFID reader hardware for.
RFID readers are stupid-cheap. Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user. And I can buy tags for about 10p each.
Every logon system I see is stupendously priced (either per reader, per card, or per seat software licence) or doesn't work on Windows logon. Those are useless to me.
I've been looking since the XP GINA days, still haven't found anything vaguely suitable and in a school's price-range.
(Note: School in the UK refers to education up to age 18, in my particular case education up to age 13).
Gurps_npc knows nothing about passwords!1!
Now if you have a problem with your software not accepting that pass, you do not have a password complexity problem, you have a software problem ("Our software requires all passwords to be all uppercase letters and no more than 8 characters!").
If your users cannot remember that pass, you need better password training or to replace defective users. If mgmt doesn't buy in, the ship is already lost.
Now if you just want to move to 2 factor because it seems cool, well that is another discussion.
I used to work for an oil company that used smart cards to login to a PC.
Sure, you still need a PIN but you also need the card. It's not foolproof but it is somewhat more secure.
The real challenge would probably be convincing your company to purchase new hardware and update their security policy.
How do I stop that? They keep refusing.
For the same reason the TSA acts the way they do. If you take security to insane extremes such that everyone is always massively inconvenienced, you can never be blamed for not doing enough, no matter what happens. And there's an implicit assumption that if you've moved onto crazy extreme measures, you must have already exhausted all the less extreme measures.
You have a few challenges ahead of you; political ones, technical ones, and fiscal ones.
Are you just hoping to be the initial voice of inspiration and get everyone behind you? Or are you ready to be the advocate for the two factor auth you're proposing? Unless you've done your research and you know a lot of others in your department are on board with this proposal already, your proposal is going to ground itself without much more than a candle flicker.
People tend to be really resilient to change, even really bright tech folk. "Good enough" is the motto that most people live by, so you're going to have to make a really enticing argument or get a lot of support across the board before even presenting this. Check with the necessary Systems folk; do they have ideas or wants or problems with a Two-Factor auth for users? Do the math for your accounts; are you saving enough money that it will make someone look good? Check with your Help Desk/Ticketing software; are password resets really enough of a problem that they're impacting people's work flow?
I promise you that most folks in a position to make a decision like this aren't staying up at night wishfully hoping that someone suggests TFA for the company, and few non-tech people in the company are even going to know what the hell you're talking about.
You're going to need to be prepared to really explain your idea and show that it already has support, else they're just gonna look at you like you suggested catapulting the ring into Mordor.
Complexity matters mainly if your attacker gains offline access to your hashes. Far and away the main source of password compromise is non-uniqueness (using the same password elsewhere). This is actually the main benefit of forcing a periodic password change. Graphical and gesture passwords are horribly insecure from shoulder surfers.
If you can, support as many factors as possible. Multiple factors gives your users flexibility- they may not always be able to receive an SMS or have a card reader handy. TPM-based virtual smart cards are super handy for remote auth from a domain-joined device- no cards or readers required.
Check it out...
https://www.duosecurity.com/
What about using an open hardware password storage device like Mooltipass? http://hackaday.io/project/86-... Mooltipass is composed of one main device and a smartcard. On the device are stored your AES-256 encrypted passwords. The smartcard is a read protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites' credentials). As with your credit card, too many tries will permanently lock the smart card. The Mooltipass main components are: a smart card connector, an Arduino compatible microcontroller, a FLASH memory, an OLED screen and its touchscreen panel. The OLED screen provides good contrast and good visibility. Unfortunately this project is about to fail its Indiegogo crowdfunding campaign.
Our company has been using Safenet for the last year or so since we implemented 2FA for VPN and it has gone quite well. Being software based that can be loaded on laptops or smartphones makes it convenient and we don't have to worry about the tokens being lost and having to get a replacement out causing downtime. The downside is it can be locked out requiring some back and forth to unlock the token.
My routine way of logging onto anything that I hit less than once a week is to automatically click on the "I forgot my password" button and reset via email without even attempting to remember it. That basically makes all passwords equivalent to my gmail password, but since anyone with the gmail could do that any time they wanted it's no loss of security. It's a little inconvenient, but not as inconvenient as trying to remember 100 unique passwords.
I read about iris scanning this morning on Gizmodo using a small mouse-like device called Myris. $240 and you can use super complex passwords and never have to remember (or change) them as they are encrypted and accessible only by the user's eyes, which can't be accidentally lost, stolen or left at home.
http://recode.net/2014/12/02/review-myris-scans-your-eyes-to-log-you-in-to-pcs-sites/
...maybe you're not the right person to be running with this.
Security is hard. The right tools used incorrectly can be worse than the wrong ones. If you're not sufficiently confident you know how to do this that you're asking strangers for advice, or you don't know how to make the case convincingly, maybe it's a sign.
"Some guy on slashdot said this was the best tool" is not the way to choose a security tool.
Indiana University switched to passphrases years ago. No cryptic symbols, numbers, translations, etc. Must be at least 4 words of 4 characters or more. A word is separated by a space or underscore. Easy to remember but at least 20 characters long. "Denzel likes silver haired ladies" for those Brickleberry fans. VERY secure and VERY easy for each user to remember.
The first step in trying to figure this out is to figure out what systems and services you're trying to secure. Are you trying to secure a web application? A specific file server? Are you trying to make it so people don't have to remember passwords for Dropbox? Are you trying to include your phone system, physical security to your systems, and the network AD login? Make a list of everything you're trying to secure, and then figure out what alternatives those systems support. Then cross-reference all those different systems to see what sign-on technologies and services support all of them (or the most, or the most important systems).
Maybe you don't want to go about it quite that way, but the point is, you need to know your requirements before you try to select a solution. Your biggest problem is going to be finding a single product/service that supports replacing all of your passwords, since there isn't really a universally-supported standard replacement for passwords. One of the reasons passwords have been so successful and stuck around for so long is, you don't need to support any particular hardware or software. It's just text entry.
So if you really want to pursue this, figure out what systems you want to secure, and then figure out what alternative methods support and are supported by those systems. I really wish that, instead of having 50 different companies trying to come up with their own clever little app with pretty animations to provide multi-factor authentication, there were a concerted effort to develop a set of standards that various developers could build from.
changing them all now... Post-1t.
I can't believe I'm the first to remind everyone of this: http://xkcd.com/936
Write each new password on a separate post-it and keep them all posted around your desk. Let an intruder guess which one (if any) is the correct one! It will provide minutes of entertainment! MINUTES!
It's the solution that's been touted for decades to the 'single sign on' problem. It does work - I know police forces and similar that use them without fuss.
There are plenty around, and sure you have to remember a PIN, but it's usually way less complicated than remembering a huge long password, plus it's the start of a single-sign-on solution that no-one can argue against once you're using them.
If you use Windows, Microsoft has a lot of resources about smart card login.
Writing them down is MUCH better than garbage passwords in the vast majority of scenarios.
Remote threats are far more prevalent than insider threats.
With regards to the actual posted question, you should find out if the company has any sort of insurance policy relating to data/security breaches that might be dictating things like the password policy. If the company has insurance to cover problems from insurance company X, and insurance company X is saying "You must do passwords, and like this, or else no insurance!", then you have a monumental task ahead of you because you have to convince your workplace to address the insurance policy/company - as well as internal political/technical/budgetary issues.
Beyond that, the field of the business was not specified. It is possible that, depending on the country, industry, business contracts, and local regulations, there might be some specific clause dictating this corporate policy. (There can be no end to the insanity when you have a situation where, in order to do business with government and/or company Y, your own business must get certified to follow practices according to standard Z, be audited, etc.) If something like a password policy change requires a (re)audit to verify your company's power level is still over ISO 9000, or Sigma Mane Six or whatever, well... good luck.
best thing since sliced bread
What is the risk of continuing to use passwords?
What is the cost to the business if the risk of continuing to use passwords is realized?
What is the cost of implementing an alternate system? Be sure to include the costs in training, process re-engineering, systems re-engineering, etc.
What value, if any, is generated by replacing passwords?
Unless the money you are going to spend is either going to generate more money for the business than the dozens of other projects that are competing for resources, you practically have zero hope of your change being embraced.
While some organizations are risk averse to the point where they will act on them, more often than not, unless you or your direct supervisor are liable for mitigating the risk, you are doing your career a disservice by raising the risk.
No, it's not too hard. I'm really sorry that you can't figure out how to train users on how to use strong passwords, but this is not an overly complex thing to do. It does take persistent training because nobody walking into the company will have received such training but passwords are not "bad" or "too hard".
14 years ago I implemented a full Unix based LDAP system enforcing complex passwords with aging, history, and controls on admins that could change passwords without being "Directory Admin". I have since set up and run this system at numerous other companies. Linux used to suck a bit at its PAM LDAP configurations, but today it's not so bad.
Around the same time, I developed some methods for users to generate "STRONG" passwords with reasonable lengths. I still teach these today, and amazingly we use passwords very effectively. No, you don't pay me so can't have my methods. I'm telling you it's possible if you actually stop and do the work.
2FA is still going to require a password for any reasonable system. If you go with the average 4 digit pin shame on you, but many people seem to believe this is protection somehow and better than a strong password.
Certainly I'm not against 2FA, nor even 3FA and locks on doors. I'm against it for the common user because it does not save anything and adds a huge amount of overhead and work to reissue all the devices to users constantly. If you are in a small shop, maybe not a big deal but in a company of reasonable size it's a full time job just dealing with the Token/Badge/Whatever you have for the 2nd factor.
Verisign VIP is one (commercial) system that uses soft tokens, and the same token works on your eBay and PayPal and other accounts, making it useful to users outside of work, since they start to introduce the same security to their outside-of-work use. Soft tokens are free and work on phones and PCs; hard tokens can be ordered (they even have credit cards with the hardware token built in, and can print name badges with them).
Generally, it's a pretty good system; you can download and try it too.
Bring up that you work for a retarded company and then STFU and stop posting dumb shit to /.
Biometrics!
LaunchKey is capable of removing the need for passwords entirely in your system, so if that's a goal then it's a great solution. It's BYOD so the cost is low or free depending on implementation while simplifying the user experience and greatly increasing security. As far as points to bring up: Removal of passwords relieves the company of a liability of holding onto hacker bait and makes it much more difficult to impersonate another user using their credentials. Dealing with people forgetting passwords and resets can be surprisingly costly and there are alternatives that are easier to use where that will never be a problem.
If you're giving your users a token, get the thing jabbed inside their hand so they don't lose it.
Retinal scan and voice confirmation.
You're trying to tout a preferred solution for something that "obviously" needs fixing. But what are you trying to protect against, and how does that protection fit in the general workflow?
In that sense the current solution is erroneous because it tries to be "secure" but does so in a way that is counterproductive and unsafe.
Your new solution, though, risks making similar (but shiny! new!) errors because you're starting with what's popular. This is a common error with techie people, and leads to high-tech hollywood stupid stuff like biometrics (usable as unreliably-read usernames but not passwords) and the hot new thing with another crowd, "2FA" (endless fun when people forget or misplace the fob, or have it stolen, or whatnot).
So I say, go back to the top of this post and work out a threat model. Also work out how to be friendly to the various workflows in the company (walk around! look how people work in the various departments), and fit your proposed solution to that. Maybe a SSO with a long-ish password is a better idea; one that doesn't need replacing so often and that only needs typing a few times a day (coming in, like after lunch). Maybe a (contact!) chip card is a better idea; combine it with rfid to open doors in the same card and people won't forget it when walking away. Of course, you still need to work out how to do recovery from loss and theft and such. But start with the problem and work out a (few) solution(s) from there.
You need to do the working-out thing anyway, as evidenced by a company policy to share passwords. That should not be needed, so there is a clear need for better account access management anyway. And, while at it, revoking access on leaving, that sort of thing. But again: Don't start with a solution to throw at the problem. Start with dissecting the problem, which is that there is a need for reasonably secure access control well-fitted to the workflows in the company, as evidenced by the obvious failures. Don't be fooled that these are all the possible failures. If you get it wrong you create new failure modes. So tread carefully.
What is the exposure?
If your company was ever hacked, what would the consequences be?
If the consequences could be serious, follow the advice of educating your decision makers as brilliantly outlined by Captain D, above.
Otherwise, what difference does it make if your company's machines and network(s) were actually compromised?
I mean, what difference will a few more zombies in some bot-net actually make?
First understand your position in the company and whose turf you're going to piss on if you make a move like that. You don't want your efforts to fail because you rubbed some manager the wrong way and he sabotages everything just because he can.
Secondly, make sure your system is really better in all regards, especially the failure cases. People leaving the company or getting ill for a long time? Password sharing (no matter what your policy says, people are doing it, especially bosses and secretaries)? Password recovery?
Third, make sure of user acceptance. People don't like change, and if the new system is not considerably more easy to use than the old one, you will face resistance.
Fourth, pack all of that research into a presentation and make your case. Good luck, you'll need it.
From my experience, #1 is the most important. Also take into account decision factors you may not know about. I've had a real-world experience where we (the security department) wanted to introduce an identity management system and were totally stonewalled. Three months later the company was sold - management already knew it would happen and they didn't want to commit to anything major or expensive just before the sale.
KeePass. 'nuff said.
I'm a huge fan of this topic! We have integrated LaunchKey as a multi-factor authentication option on our bitcoin exchange, Coinsetter (I'm the founder). I use it everyday and have to admit that I am obsessed with their product.
I don't know where to begin, but let's start with the fact that you can swipe/fingerprint scan instead of typing in an RSA token. It offers the same level of security as other options I've seen but is not at all annoying to use. Can't say the same for Authy or Google Auth. Anyway... I have been using LaunchKey for months and highly recommend integrating them.
Very long passwords are very easy to remember if you use mnemonics.
For example:
412a7YaoFbfotCanNciladthptaMace
Completely impossible to remember that password right? Wrong:
"Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal."
You just have a set of rules for turning text into a password.
In this case, all numbers are written as numbers and all words are lower case except nouns which are capitalized.
Substitute that quote for any other and you can generate another very long password that is impossible to forget. You can even write the quote down prominently and no one is going to break into your system unless they know the system by which the quote is turned into a password. The system I cited above is very very simple but you can use a much more complicated one.
The system usually should not change. You can keep that static. The quotes or text strings should change every so often. And when you do, you can put a sticky note on your computer with the quote right there. No one will break in.
You can make the password as long or as short as you like.
The downside is that the decoding process does take a moment. But you will not forget the password.
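The rule set described above (number words become digits, every other word contributes its first letter, nouns capitalized), written out as a runnable transform. This is an added example, not the poster's own tool; the number-word table and the list of which words count as nouns are my assumptions, and because "score" is written here as 20 and the rules are applied strictly, the result differs slightly from the string in the post.

```python
import re

# Constructed table of number words. The post only says "all numbers are written as
# numbers", so which words count as numbers is an assumption ("score" becomes 20).
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "dozen": "12", "score": "20", "hundred": "100", "thousand": "1000",
}


def quote_to_password(quote: str, nouns) -> str:
    """Apply the post's rule set: number words become digits, every other word
    contributes its first letter in lower case, except nouns, which contribute an
    upper-case letter. Punctuation is ignored. Deciding which words are nouns is a
    judgement the program cannot make, so the caller supplies that list."""
    noun_set = {n.lower() for n in nouns}
    parts = []
    for word in re.findall(r"[A-Za-z]+", quote):
        w = word.lower()
        if w in NUMBER_WORDS:
            parts.append(NUMBER_WORDS[w])
        elif w in noun_set:
            parts.append(w[0].upper())
        else:
            parts.append(w[0])
    return "".join(parts)


# The quote used in the post, and the words its own output treats as nouns
# (it leaves "liberty" and "proposition" in lower case).
GETTYSBURG = ("Four score and seven years ago our fathers brought forth on this continent "
              "a new nation, conceived in liberty, and dedicated to the proposition that "
              "all men are created equal.")
GETTYSBURG_NOUNS = ["years", "fathers", "continent", "nation", "men"]

if __name__ == "__main__":
    print(quote_to_password(GETTYSBURG, GETTYSBURG_NOUNS))  # 420a7YaoFbfotCanNciladttptaMace
```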
"Any password policy sufficiently complex to be secure is too complex to remember" is not a universally true statement. https://www.schneier.com/blog/...
Have a look at some of the documents (not the main page which is about a VMS security system). Some of those have a number of useful ideas about ways to authenticate safely. The gadgets mentioned can be a few bux each but will give much safer schemes than passwords.
I would suggest that it won't HURT to have passwords, as long as you do something besides. Just don't let the passwords be much more than saying a username. That is, treat them as part of the identifier, not part of the authenticator.
With smart cards, they can be used for building, room access, logging into systems, and digitally signing emails. Seems stupid not to use them. Wonder if it would have helped Sony?
Protect against guessing attacks with a minimum 12 character length and a lockout after 10 failures. The lockout eliminates the need for symbols and numbers and such, so people can make passwords that they can remember.
Protect against long-term guessing attacks by requiring a password change once a year.
Protect against theft of the password file by hashing and salting the passwords.
We are kidding ourselves when we say that requiring special characters makes our passwords more secure.
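The three controls in the post above (a 12-character minimum, lockout after 10 failures, a yearly change, and salted hashing of the stored password) put together in one login check. This is an added example, not code from the post; the PBKDF2 algorithm, iteration count and salt size are my assumptions, and the user table is an in-memory stand-in for a real directory.

```python
import hashlib
import hmac
import os

# Policy values from the post; the hashing parameters are assumptions.
MIN_LENGTH = 12
MAX_FAILURES = 10
MAX_AGE_SECONDS = 365 * 24 * 3600
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """In-memory user table: salt + hash, last change time, failure counter, lock flag."""

    def __init__(self):
        self.users = {}
        # Dummy salt so a lookup of an unknown user still costs one hash computation,
        # which keeps "no such user" and "wrong password" from being told apart by timing.
        self._dummy_salt = os.urandom(SALT_BYTES)

    def set_password(self, username: str, password: str, now: int) -> None:
        """Enforce the length minimum, then store only salt + hash (never the password)."""
        if len(password) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt = os.urandom(SALT_BYTES)
        self.users[username] = {
            "salt": salt,
            "hash": derive(password, salt),
            "changed": now,
            "failures": 0,
            "locked": False,
        }

    def check_login(self, username: str, password: str, now: int) -> str:
        """Returns "ok", "expired", "bad_password" or "locked"."""
        rec = self.users.get(username)
        if rec is None:
            derive(password, self._dummy_salt)
            return "bad_password"
        if rec["locked"]:
            return "locked"  # stays locked until an administrator resets it
        if hmac.compare_digest(derive(password, rec["salt"]), rec["hash"]):
            rec["failures"] = 0
            if now - rec["changed"] > MAX_AGE_SECONDS:
                return "expired"  # correct, but older than a year: force a change
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked"] = True
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse battery", now=1_700_000_000)
    print(store.check_login("alice", "correct horse battery", now=1_700_000_060))  # ok
```

The lockout is what makes the plain, memorable password acceptable: with ten guesses per account an online attacker gets nowhere, while the salted iterated hash is what protects the password file if it is stolen.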
I've found that there's a sweet spot to balancing system security and job security: recommend better practices than currently in place without becoming adamant about it.
If you get the attention of a caring boss, you'll get your implementations, so make sure it's really a good idea and will work well before recommending it. But, more importantly, if they decide not to do it, then you are basically off the hook for responsibility for *any* breaches that occur afterwards. "I recommended a two-factor authentication to prevent data breaches over two years ago, and every quarterly IT review ever since!"
What's odd for me as a developer is how many times I've talked to a tech guy who really "needs" us to add security feature X in our software, and we send over the information to turn it on after we write it, and they *still don't do it* even after they paid for the modification.
XKCD already did a better job on just this issue.
http://xkcd.com/936/
What is it that you are safe-guarding? I'd bet that it's not something vital enough that it needs anything more than a normal password, but if it is, stop keeping it in a place where it's so easily accessible with the password. Door locks are still the safest devices around, and it's not because they can't be picked, it's because they need to be picked -- in person.
That big important vital data store? Air-gapped, in one room, with an attendant, and a lock on the door will do better than any 2-factor authentication system -- because it's got many more factors, including the biggest one: presence of person.
You aren't going to blend convenience and security and wind up with anything more convenient or more secure than a password. I'd reckon that's why we have passwords.
FIDO alliance 2-factor hardware tokens, like YubiKey Neo.
Until browsers roll out FIDO protocol support, a mobile app with normal OATH TOTP 2-factor (implementations include Authy, Duo Mobile, Google Authenticator, etc.) is the way to go. And use a password manager for the 1st factor. When support gets baked in, the FIDO service/client/hardware token protocol will dramatically improve usability of the 2nd factor.
Employees get paid thousands of dollars every month, right? For that much, they can remember 8 characters of which one needs to be changed once in a while. If worst comes to worst, write down 4 that you change and remember 4 that you don't. That's kind of like two factor authentication - a post-it that you have and 4 characters that you know. Simpler passwords are unfortunately very vulnerable to dictionary attacks that consider what people most frequently used.
There is obviously room for improvement. A USB device in addition to a password is better than a password alone. But the premise that the current situation is horrible may be flawed. If you are saying there is a master 6 character password that encrypts users' 8 character ones, then yes there is a problem.
That's two factor authentication, what you know and what you have.
You said:
password, and an 8 digit numeric password
That's precisely the same as saying:
All passwords end in 8 numeric digits.
So that's one factor, the password.
User names aren't secret, they're NAMES. Knowing your name is not a security factor. Even if they WERE secret, you could equally well describe that as:
All passwords follow the form "name:letters:digits"
Knowing the string is one factor. Having the token is the second factor.
FreeIPA now supports OTP out of the box: http://www.freeipa.org/page/Releases/4.0.0
This includes full support for Kerberos, so you get OTP plus SSO!
According to your math, passphrases are a thousand times more secure and, unlike 10 random characters, users can remember their passphrase. Sounds like a win to me.
Seriously, are you insane? Are you in charge of security at your company? If not, you can make a few comments to 1 level up, and that's where it *must* stop. Only bring it up once. Don't repeat. Sony likely had people telling them about security. If you read the Fusion web site, there is an administrator who worked IT over at Sony Pictures. His take: Sony Pictures ran the whole outfit like a large small-office. Several executives were extremely high maintenance and insisted that security was for other people. Also, there were several well known attack vectors that could be easily used to break Sony's sites. All this after Sony tried to infect customers' computers with rootkits, remove after-market functionality of products consumers already purchased (with the functionality as a selling feature). So unless you are completely prepared to fall on your sword when anything bad happens, keep your mouth shut.
'Authorised devices' (with a certificate/token authentication), with a -backup- password or other method. Every device has its own MAC address, why not take advantage of that? Of course, that doesn't eliminate -stealing- the device... but at least you can't do that from a distance ; ).
No, no sig. Really.
ThePromenader
"Any password policy sufficiently complex to be secure is too complex to remember so people write them down."
I just love it when someone states their personal belief as something that is an absolute truth.
use SMSPasscode
http://xkcd.com/936/
And you don't think the other methods won't have the same problems? You don't think you will see printed images on monitors for the graphical 'passwords'? Also with 2 factor, how many people will lose their account for the token.. (yes 2 factor is slightly more secure of course, but it certainly isn't as safe/monkeyproof as some people seem to think)
Keep your passwords with the other important pieces of paper you carry around daily: in your wallet
The best typed password system I've seen so far uses all characters and encourages sentences. A standard password would be something like: "What? Stop looking at my damn password!"
It is easier for the human mind to think in terms of typical language usage. Sure, that password could be shortened to: W?Sl@mdp! but you get a much longer and easier to remember password by letting them type it in plain English. Get away from the 6-12 character passwords permanently and go to sentences.
Deploy two factor authentication. Now if you're dealing with the Unix/Linux world I recommend setting it up so a min of 12 characters - and explain how to compose passwords. But better yet - ssh keys with passphrase. That's much better.
I use Lastpass. I get it to auto-generate random 16+ character passwords with a mix of alpha, numeric, upper / lower and special chars. The passwords are totally impossible to remember. Each password is totally unique to the site. I then let it log me into everything after I give it my very long, easy to remember pass-phrase.
XKCD: https://xkcd.com/936/
All those moments will be lost in time, like tears in rain.
My favorite part is having to change the password every 30 days.
I agree. Passwords that have to be changed regularly AT ALL are a security risk. People can remember long complex passwords - if they don't have to change them. If they change yearly or every three months - they revert to very simple passwords after 3-4 changes. Or some sort of timestamp system that adds NO security. If the last password was long_complex_password-november, guess what it is for december . . .
I've yet to understand this mentality of stopping the use of passwords.
I understand all the flaws, but here's the question.
If improving security is the goal, why not ADD to the security process.
Add a token generator (like the RSA keys most work places have for VPN)
Add fingerprint/iris scan (for convenience)
People are already used to passwords. As long as the second authentication method is easy and convenient, they will accept it.
This is why security will suck for the foreseeable future: it's easier to quantify definite costs than ambiguous potential losses, and the first person to set up an insecure system is rarely asked to justify its cost.
If you have a system that lets IT people reset your password on the basis that you know the last 4 digits of your SS number and the month and year of your hire, you might as well use the last 4 digits of your SS number and the month and year of your hire as your password. If you have a system that lets you reset your own password on the basis that you correctly answer some question like your mother's shoe size, then you might as well just use your mother's shoe size as your password. Etc.
Star Trek transporters are just 3d printers.
You can easily guess my master password if your dictionary includes Mohawk, Flemish and Malagasy.
Passwords are commonly used because they have a lot going for them -
* people understand them
* they're reasonably easy to implement (especially if you are savvy enough that you only store an md5 or whatever, not the password)
* most password interfaces are accessible
You mention phone-based - Google wants me to give them my mobile phone number to enable 2 factor security via SMS, but (1) I don't have a mobile phone, (2) if I did, there's no reception where I live, (3) when I did have one, SMS messages were not free to receive.
Picture-based systems don't work for people who can't see the pictures. So you need to research an alternative that works for blind users, and possibly also a low-bandwidth alternative that does not rely on audio or video as a fallback for blind users.
So your replacement should start out being accessible and should not cost money for the end user, and should not rely on unreliable external systems (phone network) unless those are all Ok and a given in your environment - even then, locking out even a single blind or mobility impaired employee because they couldn't see the picture or didn't react quickly enough can open your company to a painful lawsuit large enough to make reverting to passwords seem like a win.
I don't want to put you off from innovating - but innovate to solve real problems that you've measured, with solutions that have been tested, and that introduce as few new problems as possible.
Live barefoot!
free engravings/woodcuts
For passwords to work they need three characteristics:
1) They need to be 12 characters or longer
2) They need to use digits and special characters as well as upper and lower case alphas
3) They need to be easy to remember.
The solution is to base your passwords on a street address known to you but not obvious to others.
For example the address of the White House is 1600 Pennsylvania Avenue NW Washington DC.
The password based on it might be "1600$Pennsylvania&Avenue*NW"
Eureka! A 26 character long password that is easy to remember and contains digits, special characters and both upper and lower case letters.
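The "passphrases are a thousand times more secure" math from earlier in the thread, the plain-English sentence passwords, and the street-address scheme just above all come down to one number: how many possibilities an attacker must enumerate, not how many characters the result has. The following is an added example (not from any poster) that computes that number for each style and shows the sizing caveat for structured schemes like the address one: a 27-character string built from a public pattern carries only the entropy of the choices that went into it. The word list is a constructed twelve-word stand-in for a real Diceware list, and the guessing rate and the "10,000 plausible addresses" figure are illustrative assumptions.

```python
import math
import secrets

# Constructed mini word list for the demo; a real Diceware list has 7776 words.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "avenue", "lantern",
              "granite", "velvet", "orbit", "cactus", "mirror", "harbour"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `pool_size` symbols,
    whether the symbols are characters or whole words."""
    return length * math.log2(pool_size)


def scheme_entropy(choices: int, separator_pool: int, separator_slots: int) -> float:
    """Entropy of a structured password such as '1600$Pennsylvania&Avenue*NW':
    one choice of base phrase plus a few independently chosen separators.
    Length adds nothing; only the hidden choices count."""
    return math.log2(choices) + separator_slots * math.log2(separator_pool)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at a given online guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Uniform random passphrase from a CSPRNG (secrets, not random.choice);
    the entropy claim only holds if the words really are chosen at random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Return {style: (bits, years)} for the styles discussed in the thread."""
    cases = {
        "10 random printable ASCII chars": entropy_bits(95, 10),
        "4 random words from a 2048-word list": entropy_bits(2048, 4),
        "5 random Diceware words (7776-word list)": entropy_bits(7776, 5),
        # assumption: attacker considers 10,000 addresses the user might know,
        # and 3 separator slots each drawn from 32 symbols
        "address + 3 separators (structured)": scheme_entropy(10_000, 32, 3),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:5.1f} bits  ~{years:,.0f} years at 1000 guesses/s")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
```

The 1000 guesses/second figure models an online attack against a service that does not rate-limit; against a stolen hash database the rate is many orders of magnitude higher, which is why the storage function matters as much as the password policy.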