Ask Slashdot: Convincing My Company To Stop Using Passwords?
gurps_npc writes: Any password policy sufficiently complex to be secure is too complex to remember, so people write them down. Worse, company policy is to leave a message on your answering machine describing it — the software uses a 6-digit password to get you your 8-character letter/symbol/number/capital/no-dupes (ever) real password. I want to suggest a better method. I want to go with a two-factor system — either token-based or phone-based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems, or points I should bring up? Or alternatives such as graphical passwords?
Oh man, that's peanuts compared to my job. Our Cisco IP phone voicemail password has to be 7 digits or longer. They block repeating numbers and obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's so complex that it's a self-defeating system.
The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.
Usually for internal AD, having a third-party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a web app is authenticating against AD, it likely won't have a window in which to present the 2FA challenge. SecurID is the only one I know of that gets around this, since there is no challenge presented: users just enter their password plus the number off their token, and it logs them in through the standard username/password box. However, the downside of SecurID is that it is not cheap, and it requires at least two servers to authenticate the tokens.
For internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, are widely used by the US government, and work with most major applications.
Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.
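The "password plus the number off the token in the standard login box" pattern described above works because the edge (a RADIUS server or VPN concentrator) can split the field itself and check the one-time code locally. Below is an added example, not code from the post or from any of the products named in it, implementing the RFC 6238 TOTP algorithm used by Google Authenticator (HMAC-SHA1, 30-second step, 6 digits), a verifier with a one-step clock-skew window, and the split of a combined `password+code` entry. The shared secret is the RFC 6238 test-vector secret; the `step`, `window` and `digits` parameters are assumptions a deployment would set to match its tokens.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current interval or any interval within +/- `window`
    steps, to tolerate clock drift between token and server. Comparison is
    constant-time so a wrong guess does not leak how many digits matched.
    A real deployment must also record the last accepted interval per user and
    refuse to accept it again (replay protection); that bookkeeping is left out here."""
    if len(code) != digits or not code.isdigit():
        return False
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def split_password_and_otp(entry: str, digits: int = 6):
    """Split 'password+code' typed into a single password field, SecurID-style:
    the last `digits` characters are the one-time code, the rest is the static password."""
    if len(entry) <= digits:
        raise ValueError("entry too short to contain a password and a code")
    return entry[:-digits], entry[-digits:]


# Constructed demo input: the RFC 6238 test secret and one of its published times.
DEMO_SECRET = b"12345678901234567890"
DEMO_TIME = 59

if __name__ == "__main__":
    code = totp(DEMO_SECRET, DEMO_TIME)           # "287082" per RFC 6238 (6-digit truncation)
    pw, otp = split_password_and_otp("correct horse" + code)
    print("static password:", repr(pw), "otp:", otp,
          "valid:", verify_totp(DEMO_SECRET, otp, DEMO_TIME))
```

The split works because the code length is fixed; the static password is then checked against AD (or whatever the RADIUS back end is) and the code against the token secret, so the internal directory never has to know the second factor exists.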
The way I did it was similar.
In casual conversations with managers about "cool geek" stuff, I shared stories about breaches and the consequences. Those were particularly scary because we're a law firm.
I sent breach stories to them via email saying, "These are things you should do for your HOME."
I spoon fed that stuff to the decision makers and then when I was ready to roll out best practice and mid-lower management and my coworkers bitched, upper management was all like, "Are you kidding? Do you guys ever actually read about password security or network breaches? This stuff he's recommending is a no-brainer!"
Done.
I have had some who balked and I just told them to comply or send upper management an email arguing their business case for using "12345678" as a password.
It little behooves the best of us to comment on the rest of us.
A password doesn't need to be overly complex to resist brute-force cracking, just sufficiently long. Most people are incapable of remembering more than 7 to 10 random characters. And any password system with limited character lengths is insufficient against brute-force attacks.
And technology-based ID systems are okay if they are two-factor solutions, which usually makes things much more difficult for automated verification processes.
My personal preference for most people is to have three or four sufficiently long random words as a password, with a few random numbers and special characters: 7Alligator7Romances7Tombstone!
This is sufficient for all use cases, as long as it isn't shared. Generating a new password is as simple as finding three random words. In my example above, a person would only have to remember 5 things: three words, 1 number, one punctuation mark.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
There are a few minor tweaks that significantly increase entropy while still not being hard to remember:
1) Don't capitalize the first letter of a word used in a passphrase. Instead, capitalize something in the middle.
2) When adding numbers, add them somewhere in the middle of a word rather than between words.
3) If security is really important, spell one longish word backwards before applying 1 and 2.
4) Another trick I've used many times (as a touch typist) is to type words with your fingers slid over one key, left, right, or up-left/up-right. Thus a simple, common word like "login" becomes ";phom", "kifub", "o9t8h", or "p0y9j".
Use of these tricks adds tremendous amounts of entropy to otherwise crappy passwords while still being very easy to remember.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
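The two posts above (random-word passphrases, and the capitalize/number/shift tricks) can be put on the same footing by counting bits. The following is an added example written for this page, not code from either poster: it generates a passphrase with a CSPRNG, computes the entropy of a word-based passphrase versus a random character password, implements the keyboard-shift trick from item 4 on a US QWERTY layout (reproducing the four "login" variants the poster gives), and estimates what the tricks add under the assumption that the attacker knows the tricks are in use and only has to guess which choice was made. The tiny word list is constructed for the demo; a real deployment would use a published list such as the 7776-word Diceware list, whose size is passed in as a number here.

```python
import math
import secrets

# Constructed stand-in for a real word list (only its size matters for the entropy maths).
SAMPLE_WORDS = ["alligator", "romance", "tombstone", "harbor", "lantern", "meadow",
                "quartz", "sparrow", "velvet", "whistle", "cobalt", "drizzle"]

# US QWERTY rows, left to right. Row r sits half a key to the right of row r-1, so the key
# up-left of (r, i) is (r-1, i) and the key up-right is (r-1, i+1).
QWERTY_ROWS = ["1234567890-", "qwertyuiop[", "asdfghjkl;", "zxcvbnm,"]


def generate_passphrase(words, n_words: int, sep: str = "") -> str:
    """Pick n_words uniformly at random from `words` using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n independent, uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def shift_word(word: str, direction: str) -> str:
    """Retype `word` with every finger slid one key in `direction`
    ('left', 'right', 'upleft', 'upright'). Raises ValueError if a key falls off the layout."""
    out = []
    for ch in word:
        for r, row in enumerate(QWERTY_ROWS):
            i = row.find(ch)
            if i >= 0:
                break
        else:
            raise ValueError(f"{ch!r} is not on the layout")
        if direction == "left":
            nr, ni = r, i - 1
        elif direction == "right":
            nr, ni = r, i + 1
        elif direction == "upleft":
            nr, ni = r - 1, i
        elif direction == "upright":
            nr, ni = r - 1, i + 1
        else:
            raise ValueError(f"unknown direction {direction!r}")
        if nr < 0 or ni < 0 or ni >= len(QWERTY_ROWS[nr]):
            raise ValueError(f"{ch!r} shifted {direction} falls off the keyboard")
        out.append(QWERTY_ROWS[nr][ni])
    return "".join(out)


def tricks_entropy_bits(word_len: int, n_digits: int = 1) -> float:
    """Upper bound on what the poster's tricks add to ONE word when the attacker knows the
    tricks are used (assumption) and must guess: which letter is capitalized (word_len
    choices), where each digit is inserted (word_len+1 slots and 10 values),
    whether the word is reversed (2), and which of the 4 shift directions (or none) was used (5)."""
    bits = math.log2(word_len)                       # capital position
    bits += n_digits * math.log2((word_len + 1) * 10)  # digit slot and value
    bits += math.log2(2)                               # reversed or not
    bits += math.log2(5)                               # shift direction or none
    return bits


if __name__ == "__main__":
    print("3 words from 7776:      %.1f bits" % passphrase_entropy_bits(7776, 3))
    print("8 random printable:     %.1f bits" % random_password_entropy_bits(95, 8))
    print("tricks on a 9-letter word: +%.1f bits" % tricks_entropy_bits(9))
    print(generate_passphrase(SAMPLE_WORDS, 3, sep="-"))
    print([shift_word("login", d) for d in ("right", "left", "upleft", "upright")])
```

Two things the numbers make visible: three Diceware words (about 38.8 bits) sit below an 8-character fully random password (about 52.6 bits), so the word count, not the tricks, is the lever that matters; and the tricks are worth a handful of bits per word once an attacker models them, not "tremendous" amounts, although they do defeat a plain dictionary run. The shift trick also silently fails on keys at the edge of a row (a "q" shifted left, a "1" shifted up), which the function reports rather than mangling.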
All government agencies are transitioning to smart-card-based two-factor authentication. The Common Access Card (CAC) used by the military is one type of smart card that is supported by many other agencies. It eliminates the need for remembering passwords, can't be used if stolen, locks itself after too many incorrect PIN attempts, supports proximity readers like door locks, and contains certificates for encrypting email and for digital signatures.
With the number of government agencies purchasing these cards, the per-card cost is coming down quickly.