Slashdot Mirror
New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste
isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."
The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.
I still have more fans than freaks. WTF is wrong with you people?
If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.
(caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)
(extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)
-- Tigger warning: This post may contain tiggers! --
Let's ask former Ashley Madison members.
A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.
Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.
Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.
So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.
OK - got it.
That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.
I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.
For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall " my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
The British seemed to take it more seriously, and be smarter about it. This is part of why their human intelligence generally seemed superior to ours. Today, the new British government seems keen on sacrificing the security of its people on the altar of the false religion of national security.
I think it's the movies.
British intelligence had a string of high-profile successes, culminating in dropping that evil guy into the smokestack.
At least, that's what the public was led to believe.
In the modern world, the internet has a way of making the reality of the situation more plain.
Perceptions change.
Does this mean I won't have to change my password from password01 to password02, password03 ect?
You require people to change it every 90 days and expect them to remember it what do you think people are going to do? It is going to be S!mp1e as can be.
Simple1! fulfills most companys password requirements.
If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy
It will have to stop changing on a arbitrary basis.
Minimum threshold fixed. Thanks!
RootPassword!1
RootPassword!2
RootPassword!3
and so on.
The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.
Microsoft Research found that the maximum times people could change a password and have it secure is twice a year. This was the absolute limit where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember. A common one being an easy to guess word with an incrementing number after it.
The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.
How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.
For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!
Here's the problem in a nutshell:
When I work for , initially I only have 1 password to memorize. As I gain tenure, more systems I gain access to, which have their own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.
So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.
Other people keep passwords on stickynotes on their PC.
The problem, is, that passwords are bad.
With the advent of smartphones/watches, it should be possible to just start having PC's have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you a NFC ID card and temporary/permanently revoke the phone.
This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.
Good luck getting Google and such implementing a common NFC card access.
Now I don't always remember it 99.9% of the times but what I do is have a pattern that I use to extract 4 letters from a sites name and use 4 or so selected 4 number combos which I combine into a password. At least it gives me different passwords for different sites.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So what exactly can "they" do with my /. password?
Not much. But if your /. password is also your Citibank password, they can do a lot.
Password reuse is dumb, and they should not be saying it is ok.
They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised its not a big deal, use the same password on some other news site its also not a big deal, just make sure you use a different password for your bank.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
https://xkcd.com/936/
I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.
I doubt it's secure, but it allows me to avoid hassles.
You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a Thumb drive in my pocket, and a backup in a safe.
While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.
Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
They caught onto us at our workplace. Now passwords have to be significantly different by some secret algorithm and incrementing a number is not different enough. Of course, that just means people think up other schemes.
I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved, It never happened. Life was good.
Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.
Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.
The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.
I left not long after that. I heard that he got fired a few years later, so at least there is a god.
But that's the idea behind "frequent changing passwords a waste". I don't even know why changing your password is more secure than keeping a password. Normally you only get a limited amount of tries before your account gets locked anyway. So what does it matter when you keep the same password for the couple of years you use a particular service? And most service you keep for a longer time have better build in security anyway. Like the requirement to verify an e-mail when you log in on a new computer, or sending SMS codes that need to be entered after logging in x-amount of time.
I think login/password to authenticate a user was the first thing the first computer scientists came up with, but they never tried to find a better solution. The businesses who profited most from the IT-boom where never interested in security or privacy and only implemented it as an afterthought. Now x decades later we still use the first authentication system that was implemented and nobody questions its validity or user friendliness.
Especially now with the rise of smartphone usage, difficult password become a nightmare. How many people are able to type those difficult passwords on such a small screen without making a mistake? And how many people to really remember all different passwords? If you don't want to carry a paper notebook where you write down your passwords, than you will probably save them in the notebook app on your smartphone. That's even something I do, passwords I only need occasionally are on a notebook that is synced with my smart phone. Someone who has access to my smart phone (like at the work floor when you put your phone down after a call, without locking the screen yourself) also has access to all my password in my notebook, including the puk-codes of my cell chip, the sets passwords of my work account, the passwords for the download area of expensive software, etc...
I know I have this problem. I personally do not care about loosing access to any of those services, the loss can be repaired and it has no emotional value. But my employer probably thinks different and that's why they require us to remember 16 passwords with at least 2 numbers, 2 lower case, 2 upper case, 2 special chars, no repetition of characters and at least 16 characters long that have to be changed every month. Of course nobody remembers them. Of course you write them down. Of course you no longer use a paper notebook, but a notebook on the cloud. Of course that difficult password is only as secure as the password of my notebook which is only as reverse secure as my trust in my colleagues and friends, who might have a peek in my notebook when I leave my desk without locking my screen. I do not lock my screen when I have to reenter those annoying passwords that I never can remember and need to save in my notebook which is now on the cloud...
As ubiquitous as smartphones are, especially in IT staff, I'd like to see a proximity tie. You walk in to your office, you sit down at your computer, the computer has already identified your phone and is waiting for a password that can be simple since your phone must be proximate -- it does not fully unlock until you do something at the keyboard. Maybe have a certificate exchange, or in the case of later model iPhones, add a fingerprint swipe. (Yes, I saw the Myth Busters on spoofing fingerprint scanners). Require an additional, stronger, password for out-of-normal-hours access.
I'm not sure what to do about a lost/stolen phone or how to prevent sniffing and spoofing (snoopfing?), but I think it has the potential to be a beginning.
I'd LOVE to see a crypto tie-in for laptops where I have to enter a code in my phone to open my laptop, though it could be a huge problem if your phone died or were lost while you were on the road.
When you sympathize with stupidity, you start thinking like an idiot.
I've always wanted to create 'red alert'/honeypot account names and passwords that I could put on sticky notes and any use of those would immediately disconnect the system in question from the network, shut it down, and trip security alarms. I'd frequently put such on the bottom of server console keyboards just to screw with people who bothered to look.
When you sympathize with stupidity, you start thinking like an idiot.