Slashdot Mirror


Ask Slashdot: Convincing My Company To Stop Using Passwords?

gurps_npc writes: Any password policy sufficiently complex to be secure is too complex to remember, so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6-number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two-factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?

16 of 247 comments

  1. Do you want to take the fall for the inevitable? by Anonymous Coward · · Score: 5, Insightful

    Your system will be breached. Do you get enough out of this to take the fall when that happens?

  2. It could be worse by rgbscan · · Score: 5, Interesting

    Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system, it's so complex.

    1. Re:It could be worse by Anonymous Coward · · Score: 5, Insightful

      Just don't answer your voice mail.

    2. Re:It could be worse by Guspaz · · Score: 4, Funny

      Which one? 0118999881999119725...3?

    3. Re:It could be worse by hawguy · · Score: 4, Interesting

      Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system, it's so complex.

      What's the point of a 7 digit numeric PIN? That's only around 24 bits worth of entropy (even less since the attacker knows that it doesn't have well known patterns and repeated digits so he can exclude those from his search). So 7 digits provides no real protection against an offline password hash attack.

      And hopefully the phone system itself can prevent an online attack by locking out accounts that have had too many incorrect guesses.

      So what's the advantage of such a long numeric PIN?

  3. Cost by axlash · · Score: 4, Insightful

    Have you considered how much it will cost your company to implement and manage such a solution?

    You'll need to be able to convince management that the likelihood and impact of a compromise of your company's IT infrastructure are high enough to justify such an expense.

    --
    Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
  4. Consider Your User Base by AaronLS · · Score: 4, Insightful

    Anything you do that adds an additional step to an existing process that "appears" to be working perfectly fine will potentially earn you some enemies. Some of the people most likely to be frustrated by the process may also be in positions of great influence.

    A noble cause, but its success depends a lot on the existing culture of your workplace.

    Certainly coming to the table with a well thought out argument in favor of this isn't bad.

    But if the culture is right, you should be able to bring this up casually with superiors and discuss it with them candidly and THEN discuss putting together a formal document proposing a solution. If anything they are better equipped than we are to evaluate the user needs of the workplace and give you ideas of how to pitch this to the rest of the business.

    1. Re:Consider Your User Base by CaptainDork · · Score: 5, Interesting

      The way I did it was similar.

      In casual conversations with managers about "cool geek" stuff, I shared stories about breaches and the consequences. Those were particularly scary because we're a law firm.

      I sent breach stories to them via email saying, "These are things you should do for your HOME."

      I spoon fed that stuff to the decision makers and then when I was ready to roll out best practice and mid-lower management and my coworkers bitched, upper management was all like, "Are you kidding? Do you guys ever actually read about password security or network breaches? This stuff he's recommending is a no-brainer!"

      Done.

      I have had some who balked and I just told them to comply or send upper management an email arguing their business case for using "12345678" as a password.

      --
      It little behooves the best of us to comment on the rest of us.
  5. Make the business case by TubeSteak · · Score: 4, Insightful

    Figure out how much time and effort tech support spends on dealing with forgotten or compromised passwords.
    Factor in the time lost by employees while they wait for tech support to deal with password problems.
    Find some research discussing the cost of a compromise.

    Figure out how much a token based system will cost. Assume people will lose their tokens.
    Make the case that your solution is cheaper than the existing solution.

    Then prepare to deal with "but we won't get compromised, so this is a waste of money"

    --
    [Fuck Beta]
    o0t!
  6. Can the 2FA be put on the edge? by mlts · · Score: 3, Interesting

    The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.

    Usually for internal AD, having a third party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a Web app is authenticating from AD, it likely won't have a window to present the 2FA challenge. SecurID is the only one I know which gets around this since there is no challenge token presented... users just enter in their password and the number off their token, and it logs them in with the standard username/password box. However, the downside of SecurID is that it is not cheap, and requires at least two servers to authenticate the tokens.

    For internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, have a wide use with the US government, and work with most major applications.

    Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.
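The "password plus token code typed into the ordinary password box" pattern that mlts describes, as an added example that is not part of the original thread and is not SecurID's, Google Authenticator's or any vendor's code: an RFC 6238 TOTP verifier that splits the single submitted field into the static password and a trailing six-digit code, checks both factors unconditionally with constant-time comparisons, tolerates one 30-second step of clock drift, and refuses to accept an already-used code again. The class name, the PBKDF2 parameters, the salt and the demo password are constructed for the example; the OTP seed is the public RFC 4226 test-vector key, used only so the output is checkable, never as a real secret.

```python
import hashlib
import hmac
import struct

# Public RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890").
# Used here only because its expected codes are published; not a real secret.
RFC_SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(key, unix_time // step, digits)


class CombinedFieldVerifier:
    """Verifies '<static password><OTP>' submitted through a standard password box.

    Constructed example: in a real deployment the per-user seed, password hash
    and last-accepted counter would live in the directory / RADIUS backend.
    """

    def __init__(self, otp_key: bytes, pw_salt: bytes, pw_hash: bytes,
                 digits: int = 6, step: int = 30, window: int = 1):
        self.otp_key = otp_key
        self.pw_salt = pw_salt
        self.pw_hash = pw_hash
        self.digits = digits
        self.step = step
        self.window = window      # accepted clock drift, in steps, on either side
        self.last_counter = -1    # highest counter already redeemed (replay guard)

    @staticmethod
    def derive(password: str, salt: bytes) -> bytes:
        # Assumed parameters for the example; tune to your own policy.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, submitted: str, unix_time: int) -> bool:
        if len(submitted) <= self.digits:
            return False
        static, otp = submitted[:-self.digits], submitted[-self.digits:]
        if not otp.isdigit():
            return False

        # Evaluate both factors unconditionally so a wrong password and a wrong
        # code take the same code path; each comparison is constant-time.
        pw_ok = hmac.compare_digest(self.derive(static, self.pw_salt), self.pw_hash)

        base = unix_time // self.step
        matched = None
        for drift in range(-self.window, self.window + 1):
            candidate = base + drift
            if hmac.compare_digest(hotp(self.otp_key, candidate, self.digits), otp):
                matched = candidate
        # A code is only good once: it must map to a counter newer than the
        # last one we accepted, otherwise a captured login could be replayed.
        otp_ok = matched is not None and matched > self.last_counter

        if pw_ok and otp_ok:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    v = CombinedFieldVerifier(RFC_SEED, salt, CombinedFieldVerifier.derive("correct horse", salt))
    now = 59                                   # RFC 6238 test time, code 287082
    print(totp(RFC_SEED, now))                 # 287082
    print(v.verify("correct horse287082", now))  # True
    print(v.verify("correct horse287082", now))  # False: same code replayed
```

Because the OTP rides inside the password field, the login form, the RADIUS exchange and the application never need a second prompt, which is exactly why this shape fits VPN concentrators and other edge devices that only know how to send a username and a password. The cost is that the static password is now exposed to the same lockout and logging path as the OTP, so the edge must still rate-limit failures per account.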

  7. Re:Do you want to take the fall for the inevitable by houstonbofh · · Score: 3, Funny

    Not to mention that stabbing yourself in the eye with a pencil will probably be less painful and result in more real security. And at least the eye-pencil is likely to make it to completion.

  8. Re:Every 30 days. by Archangel+Michael · · Score: 3, Interesting

    A password doesn't need to be overly complex to avoid brute force cracking, just sufficiently long. Most people are incapable of remembering random character sequences longer than 7 to 10 characters. And any password system with limited character lengths is insufficient against brute force attacks.

    And technology based ID systems are okay, if they are two factored solutions, which usually makes it much more difficult for automated verification processes.

    My personal preference for most people is to have three or four sufficiently long random words as a password with a few random numbers and special characters: 7Alligator7Romances7Tombstone!

    This is sufficient for all use cases, as long as it isn't shared. Generating a new password is as simple as finding three random words. In my example above, a person would only have to remember 5 things: three words, one number, one punctuation mark.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  9. Re:Every 30 days. by __aaclcg7560 · · Score: 5, Informative

    When setting up a new computer for you they'll ask for your username/password so they can log in and set up your profile, so they are well aware that people do that.

    Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's grounds for immediate termination.

  10. Re:Every 30 days. by hey! · · Score: 5, Insightful

    You laugh, but I once advised a friend to write (most of) her passwords down on a slip of paper and carry it in her wallet.

    Any policy has to take the circumstances and concerns of the user into account. In this case she was an author who was being cyberstalked by someone who'd figured out her easy-to-guess password. She changed the password to her site and he promptly guessed that one too.

    So my advice was this: generate a moderately tough password, say a ten digit random number, and write it down twice: once for her files, once to carry around in her wallet. Then add to that an easy-to-remember part, say the name of her best friend's cat, but don't write that part down, keep that in her head. This results in a password that looks like this: "491-265-4743Fluffy". I chose ten digits and formatted it that way because if it looks like a phone number pretty soon she won't have to carry the paper around. I reckon that this adds something like 32 bits of entropy to her weak but easy to remember password. Even if you know how the password is generated, it's not trivial to guess or break by brute force, and it's certainly not practical to guess for someone who doesn't have physical access to her wallet.

    Is it secure enough for the Morgan Stanley family jewels or the nuclear launch codes of the United States? No. But it's good enough for most practical purposes where you're not that concerned about an adversary who has physical access to you.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  11. Re:Every 30 days. by neonleonb · · Score: 4, Insightful

    In that XKCD he doesn't treat characters independently. Instead, he assumes that each word provides 11 bits of entropy (i.e. assuming uniform draws from ~2000 words), giving a total of 44 bits. That's far less than the (26^20) you'd get if you treated the characters as independent random samples.
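The entropy arithmetic running through this thread (hawguy's 7-digit PIN, Archangel Michael's three-words-plus-digit scheme, hey!'s ten random digits plus a memorable word, and neonleonb's 11-bits-per-word XKCD figure) worked through as an added example that is not from any of the posters: search-space sizes in bits, a brute-force cross-check that the "no adjacent repeated digits" rule really does shrink the PIN space the way the formula says, and the resulting expected crack time under an online lockout policy versus an offline attack on a fast hash. The dictionary sizes, punctuation-set size and guess rates are assumptions labelled in the code; the "no adjacent repeats" reading of the voicemail rule is also an assumption.

```python
import math
from itertools import product


def bits(search_space: int) -> float:
    """Entropy in bits of one uniform draw from `search_space` equally likely values."""
    return math.log2(search_space)


def numeric_pin_space(length: int, forbid_adjacent_repeat: bool = False) -> int:
    """Number of `length`-digit PINs. Reading the voicemail rule as "no two
    adjacent digits equal" (an assumption) leaves 10 * 9**(length-1) candidates."""
    if forbid_adjacent_repeat:
        return 10 * 9 ** (length - 1)
    return 10 ** length


def enumerate_pin_space(length: int, forbid_adjacent_repeat: bool = False) -> int:
    """Brute-force count for small lengths, to cross-check the closed form."""
    count = 0
    for pin in product("0123456789", repeat=length):
        if forbid_adjacent_repeat and any(a == b for a, b in zip(pin, pin[1:])):
            continue
        count += 1
    return count


def passphrase_bits(words: int, dictionary_size: int, extra_bits: float = 0.0) -> float:
    """Word-level estimate: each word is a uniform draw from the dictionary, so the
    attacker's best search is over words, not characters (the XKCD point)."""
    return words * math.log2(dictionary_size) + extra_bits


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected work is half the search space."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def thread_schemes() -> dict:
    """Entropy of the schemes discussed in the thread. Dictionary and punctuation
    sizes are assumed for illustration; they are not figures from the page."""
    punct = 32   # assumed size of the printable-punctuation set
    return {
        # 7-digit voicemail PIN, with and without the adjacent-repeat rule
        "7-digit PIN": bits(numeric_pin_space(7)),
        "7-digit PIN, no adjacent repeats": bits(numeric_pin_space(7, True)),
        # XKCD-style: four words from a 2048-word list, 11 bits each
        "4 words from 2048": passphrase_bits(4, 2048),
        # 7Alligator7Romances7Tombstone!: three words from an assumed 8000-word
        # list, one repeated digit, one punctuation mark
        "3 words + digit + punct": passphrase_bits(3, 8000, bits(10) + bits(punct)),
        # 491-265-4743Fluffy: ten random digits carry the entropy; the memorable
        # suffix is assumed known to the attacker and counted as 0 bits
        "10 random digits + known word": bits(10 ** 10),
    }


def online_vs_offline(entropy_bits: float) -> tuple:
    """Expected seconds to crack under two assumed guess rates:
    online, throttled by a lockout policy to ~10 tries/hour, versus offline
    against a fast unsalted hash at ~1e10 guesses/s on commodity GPUs."""
    online_rate = 10 / 3600
    offline_rate = 1e10
    return (expected_crack_seconds(entropy_bits, online_rate),
            expected_crack_seconds(entropy_bits, offline_rate))


if __name__ == "__main__":
    assert enumerate_pin_space(3, True) == numeric_pin_space(3, True)
    for name, b in thread_schemes().items():
        online, offline = online_vs_offline(b)
        print(f"{name:34s} {b:5.1f} bits  online {online / 86400:12.0f} d  offline {offline:12.3g} s")
```

The table this prints makes hawguy's argument concrete: every numeric PIN in the thread is gone in well under a second offline and survives only because of the lockout, while the word-based schemes are out of reach online and still cost real time offline even when the attacker knows the construction rule. It also shows why the written-down digits in hey!'s scheme, not the cat's name, are what the stalker cannot guess.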

  12. Re:Every 30 days. by CaptQuark · · Score: 3, Interesting

    All government agencies are transitioning to Smart Card based two-factor authentication. The Common Access Card (CAC) used by the military is one type of smart card that is supported by many other agencies. It eliminates the need for remembering passwords, can't be used if stolen, locks itself if the incorrect PIN is attempted, supports proximity-based readers like door locks, and contains certificates for encrypting email and digital signatures.

    With the number of government agencies purchasing these cards, the per card cost is coming down quickly.