Spafford On Security Myths and Passwords 356
An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."
I don't need to REMEMBER passwords on sticky notes (Score:1, Informative)
Re:Password changing (Score:2, Informative)
No 94FE5spd is NOT my password for
Password "best practices" are counter-productive. (Score:3, Informative)
Re:Absolutely true (Score:4, Informative)
The part which should horrify you is the At. Their. Desks. part. If the paper with their password is in their wallet, protected as well as their ~$100 in cash, and especially if it doesn't have other login details on it -- well, some places need more security than that but not all. At that point the paper with the password on it becomes a strange kind of hardware token.
Even the At. Their. Desks. part should be kept in perspective. You should close attack paths on general principles of course but remember that anyone standing at the person's desk has physical access. Physical access gives you a lot of other worries though all of them require more motivation than reading somebody's password does.
Re:Couldn't agree more on some points (Score:3, Informative)
Yup, impossible, there's apparently this belief that hackers have no "1" and "3" on their keyboard so that every I should be written as 1, and every E as 3.
When, like 90% of the passwords are made that way, guess what, it's not harder to guess.
Re:APG (Score:4, Informative)
Distribution of this program in Source Code form is allowed, with or without modification, provided that this licence accompanies every copy of the program. Distribution in binary executable form, where applicable, is permitted only in conjunction with complete corresponding Source Code and build instructions.
Statement of Warranty: the copyright holders warrant that this program, when run on a properly-functioning computer, will perform substantially as indicated by the source code. No other warranty is made in respect of the program. If you are in doubt as to what this program does, you should consult a competent programmer.
This licence is in addition to, and is not to be construed as prejudicing, any statutory rights granted to you under the Law of the Land.
Re:Password changing (Score:4, Informative)
And yet, the same could be said for the installation of a USB keylogger if given physical access to the machine. The greater danger with writing the password down, I find, isn't so much unauthorized access as improperly authenticated access. You're not in danger of industrial espionage so much as someone logging in using a coworkers account to do something illegal/immoral. And if that's the case, well, it's the problem of the user who wrote down the password, not the sysadmin.
Re:I've (unfortunately) forced this on users befor (Score:1, Informative)
Most people kept their card attached to their belt by a chain to be damn sure. If I was ever head geek in a place where people had access to data of that security (I'm including credit card numbers at that level) I'll apply the same policy. Tokens that must remain physically attached to the user.
Re:Password changing (Score:5, Informative)
Re:Password changing (Score:4, Informative)
that's not entirely true. L0Phtcrack leveraged a brain dead authentication mechanism where in Windows NT using NTLM password. NTLM can be from 1 to 14 characters in length. What happens is the password is spit into two 7 character passwords and using an unsalted hash, concatenated and stored. If the password was under 7 characters a constant was use for the upper 7 characters, so by simply parsing the string you could tell if the password was more or less than 8 characters (which had great performance improvements).
I probably missed some steps in here, but that is essentially it.
Encrypted key exchange (Score:3, Informative)
Unfortunately, these algorithms are all patented.
As far as I can tell, the SRP system infringes on the EKE patent. The fact that Stanford got a patent for SRP means nothing - a patent grant says nothing about infringement of other patents. AT&T probably won't sue anyone using it in an open source project but they will not issue a statement that SRP does not infringe the Bellovin patent, either. Result: commercial users shy away from SRP.
The only widely deployed remote password authentication mechanism which is safe even with weak passwords is "plaintext over SSL" but it relies on PKI which has its own set of problems.
Kerberos tickets are pretty secure because they use machine-generated random keys instead of user-provided passwords. But this whole tower is built on a weak foundation because the initial authentication to the TGT does use the weak user password. If just this part was replaced by EKE all Kerberos services would benefit from increased security.
Microsoft domains use Kerberos. Is there any chance Microsoft would bite the bullet and pay the EKE or SPEKE patent license fees?