Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

Password changing

[mikesd81]

I still think changing passwords periodically is a great idea. Even just to keep some cracker on his toes or incase you accidentally wrote it down or devulged it or typed it in the wrong field and is in clear text.

You have a more secure system if it's harder to use a password when un-authorized. Especially if the user is an Admin account.

Password change policy

[MichaelSmith]

We all know that its stupid. People write it down on post it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

Thats just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

Couldn't agree more on some points

[tanveer1979]

Monthly change policies. they are simple stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. Other option is to educate them to choose good passwords, but that works with half the people. Best solution, let the users not choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on internal network was set this way. You would click on a button saying, choose new password. Many options would appear and you choose one. If you dont like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6 lettered words, sometimes easy to remember combinations would appear, like y1pl3t. Remeber it as yiplet!

If you dont have the benefit of a machine generator and want to specify something remembrable dont be too obvious. For example you have a poodle named fido(If you do I doubt you would be reading /.). So you can have a password which is easy to crack fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible.

Absolutely true

[Chairboy]

I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alpha numeric characters, and (this is the kicker) were required to be changed every few weeks.

I asked around, and gradually discovered that most of the people I worked with had ended up (after months of dilligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad, in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

Advice on passwords

[Brandee07]

Advice my dear mother gave me a long time ago:

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

Re:Password changing

[Psychotria]

I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

My Rule of Thumb

[QuantumG]

I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

      "You have to balance security with convenience."

Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

pass PHRASE

[Tumbleweed]

Doesn't anyone remember the 'pass phrase' thing from awhile back? You know - less complex but much longer passwords, so they're secure but easy to remember? "The quick fox jumps over the lazy brown dog" type of thing (though that should probably not be allowed :)

Just please, NO biometrics.

Re:Couldn't agree more on some points

[dgatwood]

Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security. No, seriously.

If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.

Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).

Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.

Re:Advice on passwords

[dgatwood]

Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

No, seriously. It is.

Re:Absolutely true

[Barnoid]

I asked around, and gradually discovered that most of the people I worked with had ended up (after months of dilligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.

If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly, you can write your password down without posting it to the monitor, and even so, a remote attacker still can't see your post-it notes on the screen.

In my lab, I don't worry about co-workers knowing passwords of their colleagues. I rather have them write it down if it withstands a brute force attack on the SSH/webmail interface.

Shoulder surfable.

[loqi]

You ever wonder why password fields don't echo the actual characters back to the screen?

Re:Advice on passwords

[wfberg]

Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

The problem lies with badly designed operating system/windowing system software that allow windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Especially windows applications love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into putty's pagent for example).. *sigh*

I've (unfortunately) forced this on users before

[Corbets]

From a comment I just made on Spaf's blog....

I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked) so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords everytime someone left.

And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.

Re:Admin passwords, generating passwords, passphra

[Anonymous Coward]

Not reading TFA is like not bothering to unzip, not bothering to point at the porcelain, just letting go in your pants.

Sure, it saves time, but everyone gets to see the big old wet patch.

Re:I've (unfortunately) forced this on users befor

[tbird81]

You'd fire people for sharing a password??

Seriously, what's more important to the company: people logging in as another employeee, or actually having employees with morale!

Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

Re:Password changing

[harborpirate]

I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. Frequent Password Changing Makes a System More Secure is an old wives tale.

Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetance. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing password in login box and such). Of the three, this presents the least risk by far of those three, and generally the user is aware of this occurrance and with proper education will know to immediately change their password.

Forcing a user to change password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be comprimised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

Caveat:
The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as provide the aforementioned small measure of protection against cracking.

Please, stop forcing password changes on user accounts. Its a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

Rant complete.

Re:I've (unfortunately) forced this on users befor

[Corbets]

Yes, I would fire people for that. I'd fire people for any intentional violation of corporate policy. It's one thing if you don't know, it's another if you choose to break the rules, especially after repeated warnings. I've often found that people who break little rules will ocassionally break big ones - like those kids in school you mentioned, those who tell little lies will from time to time tell a whopper.

It's an issue of trust, not to mention security (why bother with multiple user accounts at all if people are going to have access to all accounts anyway?).

Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.

There's nothing worse than a ./er trying to insult someone and having to pull from his own life example of being that poor little geeky kid that nobody liked....

Re:Password changing

[ObsessiveMathsFreak]

I still think changing passwords periodically is a great idea.

I think that idea sucks.

What's the advantage? Crackers find it harder to crack things? Why? Because the password will have expired by the time they crack it? Maybe, maybe not. Unless you rotate passwords every month, at this stage, rotation is useless.

Maybe a better solution would be to make passwords the first line of defense, not the last. Simply assume they will eventually be broken, no matter how many times you rotate and plan accordingly.

For that matter, why are admins still making things easy for the cracker? I read somewhwre that 90% of all military databursts are in fact, random noise, to frustrate the crackers bruteforce attacks. Why don't regular networks do this?

In the meantime, stop relying on passwords, or boimetrics, or passphrases, or usb-keys for access to the system. Passwords should get you one thing and one thing only, a prompt/desktop. Everything else should be subject to finely granulated access, with logs. At this current time, on most networks, the only thing higher than normal user level access is root/domain controller.

Re:Password changing

[Sique]

Everything that affects the machine compromises security by definition. So that's no argument as such, you have to elaborate. The connection made between 'written down passwords' and 'physical access to a machine' is very weak. Of course: If I got into the secured building with the computer desk, it may be easier to just root the computer and then access whatever you want than to break into the file cabinet and search for the password. But security by itself does not only contain prevention of a compromisation, but also detection of a compromisation. And a security breach by physical access to a machine is often much more easy and timely to detect than a physical access to the written down password. Stick-It notes don't log access, as far as I remember ;). So if it is an inside job, a security breach may go unnoticed if the attacker just reads the password while passing by and then trying it from another machine, or if he just seems to 'look for that one file I left on the desk' and searches for the password. In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and such the detection of both is more complicated.

Three unsuccessful attempts and you're locked out

[rollingcalf]

Another useless rule of thumb is the one that locks you out after three unsuccessful login attempts. It was based on the theory that the authentic user would be able to remember the password within three attempts.

In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users.

Caps lock is on... one failed attempt. You turn off caps lock and enter the password for a different system... another bad attempt. You think your bad attempt was due to a typo, so you re-enter the same password... you're locked out.

With so many people getting locked out, either they become lax with the password-reset procedures, allowing an intruder to take advantage of that. Or they stay strict, which results in numerous users losing hours of productive time.

Give 10 or 20 attempts, dammit.

Re:Picture Passwords

[Red Alastor]

Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

Forget security too. There is a limited number of points in a picture that are easy to spot and remember (windows, people heads, signs, whatever) so it's very easy to brute force.

Re:huh?

[Anonymous Coward]

Well, since Rainbow tables are a form of parallel computing (since separate processors were likely assigned different sections of the character space), or could even be thought of as a multi-lingual database. Those were just examples of different "power and resources brought to bear" (Rainbow tables being a fairly hefty resource to bring to bear, though largely useless against SSH keys, for now). Obviously 3 bad login attempts aren't going to do anything in this situation, but what about the case where you don't have the NTLM hash yet? Why go to all the trouble of grabbing an NTLM hash when the system is likely set up with username of adminstrator and a blank password? Wouldn't you at least check that first?

Re:Three unsuccessful attempts and you're locked o

[Alphi1]

Screw that. Give 500. Give a number so rediculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

IMHO, I think a relatively-small artificial delay (after a certain number of attempts) should slow down the "brute-force" attack significantly as well...

After all, let's say that it has an artificial delay of 1 second after every 5 tries. Most human-entered attempts won't even notice the delay (and even if they do, it's a relatively minor inconvenience - much more minor than having to contact someone about unlocking the account after 3 unsuccessful attempts).

But a brute-force attack that would send, say, 1,000,000 passwords in quick succession will take at least 50 hours, or over two days. Not very practical. Especially when it may take more than 1,000,000 tries (assuming the password was set up to deliberately avoid things such as dictionary searches and things like that).

Not only that, but those two things (after how many "attempts" to have the delay, and the delay itself) could even be tweaked based on how much abuse the site is getting. Maybe a 2 second delay after 3 failed attempts, which would be even MORE effective (approx. 7.7 days if my calculations are correct) than a 1 second delay after 5, while only being slightly more intrusive for legitimate users.

Re:Absolutely true

[timbck2]

Yep, sure does. When I go home, my company-supplied laptop goes with me. I could leave my password taped to my monitor, and it wouldn't do anyone any good, unless they broke into my house...

... or steal your laptop out of your car, or off the subway, or from the coffee shop, or wherever you take it.

Re:APG

[ZeroExistenZ]

I had the idea that it might be more secure to use full-travel keyswitches with built-in OLED or LCD display elements {rather than a touchscreen, which creates errors through the absence of negative feedback} and scramble the key layout for each user {possibly even for each digit, though this might be too confusing}. This way, although you know what keys the person in the next checkout lane was pressing, you don't know what number they were entering.

I think you're absolutely right with this. It would be more secure, and I would applaud it and implement it myself where possible if that sortof added security were available...

It's just because of "habit" of typing my passwords that I memorized most my passwords by pattern. (as I often don't think anymore when I type about each what each individual finger is doing but I still type quite well.)

Just look at nearly every keyboard or input-device; the F and J have some sort of deviating surface to identify the position on your keyboard by touch. ("touch-typing"). On numerical input-devices you always have the 5 standing out. Which is a convenience which helps you orientate on your input-device, but as you pointed out it's a security risk as everything has such a standard "lay-out" it's possible to get to know passwords by observing not what, but how one enters a password. (this reminds me to this program which could capture passwords by "listening" how one entered a password)

It's a problem, definatly. I think authentication via eID's and other smart-cards are a plausable sollution, but it's kindof creepy privacy-wise. (and those can be quite easily stolen. And for the signature you again have a PIN... back to start.)

Context of article: new Purdue password policy

[mdpowell]

The author is a professor in the CS department at Purdue. At the beginning of 2005-2006, Purdue IT announced that they were going to require *every* password on *every* computer to be changed every 30 days. They made it clear that this policy was not restricted to administrator accounts, and in fact it has been pointed out in several articles that students will have to remember to change their passwords during summer and co-op sessions, or their accounts will be disabled. You also won't be allowed to re-use passwords for six replacement cycles. The policy isn't enforced yet but will be "real soon now."

This policy seems to be generally seen as idiotic by students, faculty, and staff. The IT people who talk about it seem to be made to "toe the line," and make up excuses about how this policy went through all the review/administrative processes. Nobody has an explanation for how this policy will be made practical for all the alumni and external accounts which might be accessed only a few times a year.

Many people see this policy as a copout response to the multiple security breaches in the past several years. On multiple occasions the whole university (30K+ studenets, plus faculty/staff) received orders to change passwords immediately because some database was compromised. Rumor had it that one database was storing passwords in plaintext because of incompatibility between hashing mechanisms used by different systems. Rather than take responsibility for and fix their security breaches, they are simply forcing this policy on everyone.

I suspect the author wrote this article largely as a condemnation of this policy.

Here's the link to the Purdue password policy: http://www.itap.purdue.edu/security/procedures/pas sguidelines.cfm [purdue.edu]

Re:Password changing

[harborpirate]

The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only helps minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromise via other methods.

I have to disagree.

First of all, again: the most common method for password discovery is directly related to the user. If this was the discovery method, our enemy will easily use the same methodology to obtain the password again when it has been changed.

If the password is cracked through guessing, snooping, etc - the problem is that the user is likely to choose a new password which is very close, or just as insecure as their old password. The first thing I would try as a cracker, if someone had a reasonably hard password and changed it, would be to try every variation of the last character. If they had an easy password ("password" or some other dictionary word), I'd just know that I could run a speedy dictionary attack against their password and have it cracked in no time. These two methods of user password changing represent the vast majority - thus forcing a password change has not made the password significantly more secure because the original password was discovered.