New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste
isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.
I still have more fans than freaks. WTF is wrong with you people?
If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human-engineer the security with a camera-enabled pen or purse or water bottle you "forget". Or they type them into the notes feature on their easily guessed cell phone.
(caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)
(extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)
-- Tigger warning: This post may contain tiggers! --
Let's ask former Ashley Madison members.
A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.
Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.
I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.
For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall" my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
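As an added illustration of the scheme the comment above describes (master secret plus domain name gives a per-site password), not the commenter's own utility: this constructed example swaps the bare sha1() for PBKDF2-HMAC-SHA256 with the domain as salt, so a site password recovered from one breach is expensive to turn back into the master secret, and adds a generation counter so a single site can be rotated without changing the master. The alphabet, length and iteration count are assumptions.

```python
"""Deterministic per-site password derivation (constructed example)."""
import hashlib
import string

# Assumed character set: letters, digits and a few symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def normalise_domain(domain: str) -> str:
    """Fold case and drop a leading 'www.' so the same site always derives
    the same password regardless of how the address was typed."""
    site = domain.strip().lower()
    if site.startswith("www."):
        site = site[4:]
    return site


def derive_site_password(master: str, domain: str, length: int = 16,
                         generation: int = 0, iterations: int = 200_000) -> str:
    """Derive a site password from the master secret.

    The salt is the normalised domain plus a generation counter, so:
      * every site gets an independent password,
      * bumping `generation` rotates one site's password only,
      * the master secret never has to change.
    """
    salt = f"{normalise_domain(domain)}|{generation}".encode()
    # Ask for 4x the bytes we need; rejection sampling below discards some.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              iterations, dklen=length * 4)
    # Map bytes onto ALPHABET without modulo bias: only accept bytes below
    # the largest multiple of len(ALPHABET) that fits in a byte.
    limit = len(ALPHABET) * (256 // len(ALPHABET))
    out = []
    for b in raw:
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    if len(out) < length:  # astronomically unlikely with 4x slack
        raise RuntimeError("insufficient derived bytes; increase dklen")
    return "".join(out)


if __name__ == "__main__":
    # Constructed master secret for demonstration only.
    master = "correct horse battery staple"
    for d in ("slashdot.org", "WWW.Slashdot.org", "example.org"):
        print(f"{d:20s} {derive_site_password(master, d)}")
    print("rotated:", derive_site_password(master, "slashdot.org", generation=1))
```

Because derivation is deterministic, the same master and domain reproduce the password on any device, which is the property the comment values; the cost is that the master secret alone now unlocks every site, so it must be long and never reused.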
The British seemed to take it more seriously, and be smarter about it. This is part of why their human intelligence generally seemed superior to ours. Today, the new British government seems keen on sacrificing the security of its people on the altar of the false religion of national security.
I think it's the movies.
British intelligence had a string of high-profile successes, culminating in dropping that evil guy into the smokestack.
At least, that's what the public was led to believe.
In the modern world, the internet has a way of making the reality of the situation more plain.
Perceptions change.
Does this mean I won't have to change my password from password01 to password02, password03, etc.?
You require people to change it every 90 days and expect them to remember it; what do you think people are going to do? It is going to be S!mp1e as can be.
Simple1! fulfills most companies' password requirements.
If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy
It will have to stop changing on an arbitrary basis.
Minimum threshold fixed. Thanks!
RootPassword!1
RootPassword!2
RootPassword!3
and so on.
The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.
So what exactly can "they" do with my /. password?
Microsoft Research found that the maximum times people could change a password and have it secure is twice a year. This was the absolute limit where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember. A common one being an easy to guess word with an incrementing number after it.
The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.
How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.
For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!
Here's the problem in a nutshell:
When I work for , initially I only have 1 password to memorize. As I gain tenure, I gain access to more systems, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.
So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.
Other people keep passwords on stickynotes on their PC.
The problem is that passwords are bad.
With the advent of smartphones/watches, it should be possible to just start having PCs have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you an NFC ID card and temporarily/permanently revoke the phone.
This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.
Good luck getting Google and such to implement a common NFC card access.
Now I don't always remember it 99.9% of the time, but what I do is have a pattern that I use to extract 4 letters from a site's name and use 4 or so selected 4-number combos which I combine into a password. At least it gives me different passwords for different sites.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So what exactly can "they" do with my /. password?
Not much. But if your /. password is also your Citibank password, they can do a lot.
Password reuse is dumb, and they should not be saying it is ok.
Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).
Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.
Indeed, I have reached Hunter239 on my password now. It sucks having to change it every week.
I wonder if that's why they are saying "Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
No, your children are not the special ones. Nor are your pets.
Changing your passwords every so often is important, most password breaches go undisclosed, not all 'crackers' are releasing their findings.
This is what AD and LDAP are for. This at least reduces the amount of passwords to a manageable level, mainly to environments. Of course, there are exceptions [1], but in general, SSO tends to be useful.
It isn't NFC card access, but the closest thing that comes to mind for this was something Blackberry offered back in 2008/2009, where the Blackberry device could function as a CAC/PIV card via a Bluetooth adapter.
What I'd be happy with would be a card that took the place of both an SD card and a SIM, and dual-SIM phones. This way, I'd have the ability to store stuff on each card, and each card would have an OTP generator with its own seed. An ideal would be some method of communication similar to client certificates for authentication, but it would have to have a robust mechanism of not being able to be MITM-ed or attacked during transit.
[1]: You want production boxes on their own AD domain, for example, so they can be locked up tighter than internal AD is done.
They're not saying it's OK, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised, it's not a big deal; use the same password on some other news site, it's also not a big deal; just make sure you use a different password for your bank.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Your Karma sucks so bad?
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
https://xkcd.com/936/
I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.
I doubt it's secure, but it allows me to avoid hassles.
I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.
That's actually a nice idea
CLI paste? paste.pr0.tips!
You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a Thumb drive in my pocket, and a backup in a safe.
While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.
Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.
They caught onto us at our workplace. Now passwords have to be significantly different by some secret algorithm and incrementing a number is not different enough. Of course, that just means people think up other schemes.
I hope there's not some serious vulnerability to KeePass that I haven't heard about. That little program is a lifesaver for me. Unfortunately, the Mac version is rekt so I can't run it on any of our Apple hardware.
You are welcome on my lawn.
It's not and I've posted my password here before and nothing happened.
I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users' passwords. Any such users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved. It never happened. Life was good.
Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.
Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.
The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.
I left not long after that. I heard that he got fired a few years later, so at least there is a god.
Wow, you mean something like the smartcard I've been using for the last 15 years? Yeah, we really need some new and (more) insecure technology.
They're not saying it's OK, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised, it's not a big deal; use the same password on some other news site, it's also not a big deal; just make sure you use a different password for your bank.
If your bank hasn't provided you a token then find another bank. No excuse for forcing users to use password logins at this point.
blindly antisocialist = antisocial
That's what I do now, I basically classify things as low, medium, or high security.
Me too so I set all my passwords to 'low', 'medium' and 'high' depending on security level so I won't forget which is which.
Damned websites keep complaining that my password has to be longer than three characters though - and I have no way to say 'but your site doesn't matter to me so three is just fine'.
Hmm. Relevant XKCD https://xkcd.com/936/
Oolite: Elite-like game. For Mac, Linux and Windows
Hey! That's the combination to my luggage!
You should only be changing passwords when you think you might be compromised.
And your good password is good because it is unmemorable, there's no shorter way of remembering it. So it gets written down. After a while you can sort of remember it and after some time more, you CAN remember it. But if you ever have to change it, you have to write it all down again and relearn.
So your good password should only be used when you think the resource locked by it worth that.
Otherwise MAKE UP A WORD. ginwitfanstable. No mix of case, since you have to remember which case you have, and if that is memorable, it has no extra entropy. No numbers for the same reason. 1337 is only a simple substitution cypher that only helps if your cracker software is someone else's brain. Computers don't give a flying fuck.
So make up a word. You can remember that much easier, but there's a hell of a lot of ways of putting 5-8 phonemes together, and the programming isn't easy to make work.
If you speak a second language other than English, use that.
But that's the idea behind "frequent changing passwords a waste". I don't even know why changing your password is more secure than keeping a password. Normally you only get a limited amount of tries before your account gets locked anyway. So what does it matter when you keep the same password for the couple of years you use a particular service? And most services you keep for a longer time have better built-in security anyway. Like the requirement to verify an e-mail when you log in on a new computer, or sending SMS codes that need to be entered after logging in x amount of time.
I think login/password to authenticate a user was the first thing the first computer scientists came up with, but they never tried to find a better solution. The businesses who profited most from the IT boom were never interested in security or privacy and only implemented it as an afterthought. Now x decades later we still use the first authentication system that was implemented and nobody questions its validity or user friendliness.
Especially now with the rise of smartphone usage, difficult passwords become a nightmare. How many people are able to type those difficult passwords on such a small screen without making a mistake? And how many people really remember all the different passwords? If you don't want to carry a paper notebook where you write down your passwords, then you will probably save them in the notebook app on your smartphone. That's even something I do; passwords I only need occasionally are in a notebook that is synced with my smartphone. Someone who has access to my smartphone (like on the work floor when you put your phone down after a call, without locking the screen yourself) also has access to all my passwords in my notebook, including the PUK codes of my cell chip, the sets passwords of my work account, the passwords for the download area of expensive software, etc...
I know I have this problem. I personally do not care about losing access to any of those services; the loss can be repaired and it has no emotional value. But my employer probably thinks differently and that's why they require us to remember 16 passwords with at least 2 numbers, 2 lower case, 2 upper case, 2 special chars, no repetition of characters and at least 16 characters long that have to be changed every month. Of course nobody remembers them. Of course you write them down. Of course you no longer use a paper notebook, but a notebook on the cloud. Of course that difficult password is only as secure as the password of my notebook, which is only as reverse secure as my trust in my colleagues and friends, who might have a peek in my notebook when I leave my desk without locking my screen. I do not lock my screen when I have to reenter those annoying passwords that I never can remember and need to save in my notebook which is now on the cloud...
I would just drop all the other requirements and force them to use a 30+ character password. I would advise them to make it a phrase and throw in a word of |337speak somewhere.
Some sort of minimum security standard across the damn board would be greatly appreciated.
Set minimum password strength, length, type requirements. Set standards for hashing and storing login credentials, etc. You adhere to the standard and become certified to do business out on the web. No certification, no web business for you. Though, we sorely need the same standards applied to corporate networks that carry customer information as well. ( Eg: Home Depot, Target, etc )
Every site has different requirements. Password length, characters used, characters that cannot be used, password reuse, etc. etc. Password change day absolutely SUCKS because the password I choose to use for site X may or may not work for site Y. Like most of you, I have to keep a list of all the sites that are on the password rotation schedule because there are so damn many.
Related:
Passwords and encryption keys can be pretty strong but upon reaching a certain strength, will no longer be the focus of an attack. Keyloggers and the like pretty much negate the strongest encryption key or passwords you can come up with ( if using single factor authentication ) so I'm not sure what the charade by the government is about decrying strong encryption when all they have to do ( and they know it ) is exploit a bug or deploy malware into the software that drives your keyboard.
Encryption by default on the latest $smartphone is nice, but when the NSA's greatest buddy is responsible for updating your software ( say . . . AT&T ) then it's a pretty good chance your device is nowhere near as secure as you might like to think it is.
With all the password hacks/cracks/thefts, my cynicism has led me to believe that password policies are not about protecting the user, they are about protecting the company. With every damn website and store loyalty program asking you to create an account, it's to the point of absurdity. But they tell you that you need to create a unique password, of course. The uniqueness is not there to protect the user, it's to protect the company from liability when their crappy data policies (storing passwords in plain text in a file protected by changing the robots.txt rules, etc) lead to a data breach. "Oh, the password that was stolen from our yahoo storefront for customized puppy faced iphone cases, and allowed Elbonian hackers to drain your bank account and charge child porn to your credit card? We told you not to reuse passwords- it isn't our fault you're now a felon on a sexual predator list."
If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]
It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Yeah, it should. I've been using KeePass 2.x for over a year and KeePassX won't import or access those databases. And, of course, KeePass 1.x won't read my 2.x database either, so I can't move it over.
I keep watching KeePassX for KeePass 2.x support. Then, I'm golden.
As ubiquitous as smartphones are, especially in IT staff, I'd like to see a proximity tie. You walk in to your office, you sit down at your computer, the computer has already identified your phone and is waiting for a password that can be simple since your phone must be proximate -- it does not fully unlock until you do something at the keyboard. Maybe have a certificate exchange, or in the case of later model iPhones, add a fingerprint swipe. (Yes, I saw the Myth Busters on spoofing fingerprint scanners). Require an additional, stronger, password for out-of-normal-hours access.
I'm not sure what to do about a lost/stolen phone or how to prevent sniffing and spoofing (snoopfing?), but I think it has the potential to be a beginning.
I'd LOVE to see a crypto tie-in for laptops where I have to enter a code in my phone to open my laptop, though it could be a huge problem if your phone died or were lost while you were on the road.
When you sympathize with stupidity, you start thinking like an idiot.
I've always wanted to create 'red alert'/honeypot account names and passwords that I could put on sticky notes and any use of those would immediately disconnect the system in question from the network, shut it down, and trip security alarms. I'd frequently put such on the bottom of server console keyboards just to screw with people who bothered to look.
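The "red alert" honeypot credentials described above only pay off if something is watching for them. As an added example (not the commenter's code), here is a small monitor that scans sshd-style auth log lines for any attempt, successful or not, against decoy usernames and produces alerts a response system could act on. The log lines and the decoy names are constructed placeholders.

```python
"""Honeytoken credential monitor (constructed example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Decoy usernames that exist only on the sticky notes. No legitimate user
# should ever type them, so a single attempt is a high-confidence signal.
# Placeholder names; substitute your own decoys.
HONEYTOKEN_USERS = frozenset({"svc_backup_old", "dbadmin-legacy"})

# Matches both outcomes: the point is to catch the attempt, not only a login.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str  # "Accepted" or "Failed"

    def actions(self) -> List[str]:
        """Response steps in the spirit of the comment: isolate the host that
        accepted the decoy, always page on the source address."""
        steps = [f"page on-call: honeytoken '{self.user}' used from {self.src}"]
        if self.result == "Accepted":
            steps.append(f"isolate host {self.host} from the network")
            steps.append(f"kill sessions for '{self.user}' on {self.host}")
        return steps


def scan(lines: Iterable[str], honeytokens=HONEYTOKEN_USERS) -> List[Alert]:
    """Return one Alert per log line that references a decoy username."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["user"] in honeytokens:
            alerts.append(Alert(m["ts"], m["host"], m["user"],
                                m["src"], m["result"]))
    return alerts


# Constructed sample log: one normal login, one normal failure, two decoy hits.
SAMPLE_LOG = """\
Sep 14 09:12:01 build01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51522 ssh2
Sep 14 09:13:44 build01 sshd[2230]: Failed password for invalid user svc_backup_old from 10.0.0.77 port 40210 ssh2
Sep 14 09:13:50 build01 sshd[2231]: Failed password for bob from 10.0.0.5 port 40211 ssh2
Sep 14 09:14:02 db02 sshd[9901]: Accepted password for dbadmin-legacy from 10.0.0.77 port 40222 ssh2
""".splitlines()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
        for step in alert.actions():
            print("   ->", step)
```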
Don't forget to double ROT-13 for even more protection!
Why limit at 12? Why not let people use full sentences, also compatible with symbols and case sensitive?
We just got yet another system added to our list of systems we need passwords for; this one expires after 90 days, with no warnings, and locks you out so you can't change it once it expires without going through the help desk. I think they'd be happiest if they could just keep everybody from accessing the system.
Star Trek transporters are just 3d printers.
Here's the thing; when you forget your password, or it locks you out, you can just call the help desk, or go through some web page; and they ascertain your identity by a few different pieces of data; your social security number, your date of hire, your mother's maiden name, etc. So, basically, the insertion of a password into the chain of events grants you no extra security than just having you answer these questions when you want to log in. So come up with a slate of such challenge questions of which you have to answer a random three or four, if biometrics isn't an option.
every once in a while, a password writer downer realizes that instead of writing down the password they can write down the keys to the left of the actual ones in the password, or some such.