Spafford On Security Myths and Passwords
An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."
Password changing (Score:2, Insightful)
You have a more secure system if it's harder to use a password when unauthorized. Especially if the user is an Admin account.
Password change policy (Score:5, Insightful)
We all know that it's stupid. People write it down on Post-it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin, who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.
That's just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.
Couldn't agree more on some points (Score:4, Insightful)
Monthly change policies. They are simply stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. The other option is to educate them to choose good passwords, but that works with half the people. Best solution, let the users not choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on the internal network was set up this way. You would click on a button saying "choose new password". Many options would appear and you chose one. If you didn't like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6-letter words, sometimes easy to remember combinations would appear, like y1pl3t. Remember it as yiplet!
If you don't have the benefit of a machine generator and want to specify something memorable, don't be too obvious. For example you have a poodle named Fido (If you do I doubt you would be reading
Absolutely true (Score:5, Insightful)
I asked around, and gradually discovered that most of the people I worked with had ended up (after months of diligently trying to adhere to this policy properly) writing their passwords down at their desks.
Writing. Their. Passwords. Down.
It's like this well-intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad; in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.
A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.
Advice on passwords (Score:4, Insightful)
Passwords are like toothbrushes; change them every three months and don't share them with your friends.
With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.
My Rule of Thumb (Score:5, Insightful)
"You have to balance security with convenience."
Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.
pass PHRASE (Score:4, Insightful)
Just please, NO biometrics.
Re:Couldn't agree more on some points (Score:4, Insightful)
If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.
Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).
Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.
Re:Advice on passwords (Score:5, Insightful)
Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.
Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)
No, seriously. It is.
Re:Absolutely true (Score:2, Insightful)
Writing. Their. Passwords. Down.
It's like this well-intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.
If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly, you can write your password down without posting it to the monitor, and even so, a remote attacker still can't see your post-it notes on the screen.
In my lab, I don't worry about co-workers knowing passwords of their colleagues. I'd rather have them write it down if it withstands a brute force attack on the SSH/webmail interface.
Re:Advice on passwords (Score:5, Insightful)
Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.
The problem lies with badly designed operating system/windowing system software that allows windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Windows applications especially love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into PuTTY's Pageant, for example)... *sigh*
I've (unfortunately) forced this on users before (Score:3, Insightful)
I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked), so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords every time someone left.
And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.
Re:Admin passwords, generating passwords, passphra (Score:1, Insightful)
Sure, it saves time, but everyone gets to see the big old wet patch.
Re:I've (unfortunately) forced this on users befor (Score:4, Insightful)
Seriously, what's more important to the company: people logging in as another employee, or actually having employees with morale!
Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)
There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.
Re:Password changing (Score:5, Insightful)
Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetence. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing the password in the login box and such). Of the three, this presents the least risk by far, and generally the user is aware of this occurrence and with proper education will know to immediately change their password.
Forcing a user to change their password frequently is likely to only cause them to alter one character (likely the last) in the password, because committing another secure password to memory is difficult. This causes both usability and security to be compromised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.
As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.
Caveat:
The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time-sensitive method (such as a synchronized, continuously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as provide the aforementioned small measure of protection against cracking.
Please, stop forcing password changes on user accounts. It's a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.
Rant complete.
Re:I've (unfortunately) forced this on users befor (Score:3, Insightful)
It's an issue of trust, not to mention security (why bother with multiple user accounts at all if people are going to have access to all accounts anyway?).
Being able to trust your employees leads to them being able to trust you (and yes, vice versa, I'm aware of that implication). This in turn creates an atmosphere with good employee morale.
There's nothing worse than a
Re:Password changing (Score:3, Insightful)
I think that idea sucks.
What's the advantage? Crackers find it harder to crack things? Why? Because the password will have expired by the time they crack it? Maybe, maybe not. Unless you rotate passwords every month, at this stage, rotation is useless.
Maybe a better solution would be to make passwords the first line of defense, not the last. Simply assume they will eventually be broken, no matter how many times you rotate and plan accordingly.
For that matter, why are admins still making things easy for the cracker? I read somewhere that 90% of all military databursts are in fact random noise, to frustrate the crackers' brute-force attacks. Why don't regular networks do this?
In the meantime, stop relying on passwords, or biometrics, or passphrases, or USB keys for access to the system. Passwords should get you one thing and one thing only, a prompt/desktop. Everything else should be subject to finely granulated access, with logs. At this current time, on most networks, the only thing higher than normal user level access is root/domain controller.
Three unsuccessful attempts and you're locked out (Score:4, Insightful)
In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users.
Caps lock is on... one failed attempt. You turn off caps lock and enter the password for a different system... another bad attempt. You think your bad attempt was due to a typo, so you re-enter the same password... you're locked out.
With so many people getting locked out, either they become lax with the password-reset procedures, allowing an intruder to take advantage of that. Or they stay strict, which results in numerous users losing hours of productive time.
Give 10 or 20 attempts, dammit.
Re:Three unsuccessful attempts and you're locked o (Score:2, Insightful)
IMHO, I think a relatively-small artificial delay (after a certain number of attempts) should slow down the "brute-force" attack significantly as well...
After all, let's say that it has an artificial delay of 1 second after every 5 tries. Most human-entered attempts won't even notice the delay (and even if they do, it's a relatively minor inconvenience - much more minor than having to contact someone about unlocking the account after 3 unsuccessful attempts).
But a brute-force attack that would send, say, 1,000,000 passwords in quick succession will take at least 50 hours, or over two days. Not very practical. Especially when it may take more than 1,000,000 tries (assuming the password was set up to deliberately avoid things such as dictionary searches and things like that).
Not only that, but those two things (after how many "attempts" to have the delay, and the delay itself) could even be tweaked based on how much abuse the site is getting. Maybe a 2 second delay after 3 failed attempts, which would be even MORE effective (approx. 7.7 days if my calculations are correct) than a 1 second delay after 5, while only being slightly more intrusive for legitimate users.
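As an added example (not the poster's code), here is the progressive-delay throttle described above, written so it can be exercised without sleeping: the caller passes in the clock, and the server-side state records when the next attempt for that account may be made. The password store, user names and the `brute_force_seconds` helper are constructed for the demo; the helper just reproduces the poster's arithmetic.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed attempts for this account
    blocked_until: float = 0.0   # virtual-clock time before which attempts are refused


class ThrottledLogin:
    """No hard lockout: every `threshold` consecutive failures buys a `delay`-second pause.
    A legitimate user who mistypes twice never notices; a serial guesser does."""

    def __init__(self, threshold: int = 5, delay: float = 1.0, iterations: int = 50_000):
        self.threshold = threshold
        self.delay = delay
        self.iterations = iterations
        self.users = {}   # username -> (salt, pbkdf2 hash); constructed in-memory store
        self.state = {}   # username -> AccountState

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'throttled' (inside a delay window)."""
        st = self.state.setdefault(user, AccountState())
        if now < st.blocked_until:
            return "throttled"
        rec = self.users.get(user)
        if rec is None:
            # Unknown user: burn the same hashing cost so timing does not reveal valid names.
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, stored = rec
            ok = hmac.compare_digest(self._hash(password, salt), stored)
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures % self.threshold == 0:
            st.blocked_until = now + self.delay
        return "denied"


def brute_force_seconds(guesses: int, threshold: int, delay: float) -> float:
    """Lower bound on wall-clock time to push `guesses` attempts through the throttle,
    counting only the imposed delays (the poster's calculation)."""
    return (guesses // threshold) * delay


if __name__ == "__main__":
    for threshold, delay in ((5, 1.0), (3, 2.0)):
        secs = brute_force_seconds(1_000_000, threshold, delay)
        print(f"{delay}s after every {threshold} failures: "
              f"{secs / 3600:.1f} h ({secs / 86400:.1f} days) per million guesses")
```

Two caveats a practitioner would add: the delay only slows an attacker who hammers one account, so a guesser who spreads a few common passwords across thousands of accounts (spraying) sails under a per-account counter and needs per-source and global limits as well; and the PBKDF2 cost per check is itself a throttle against offline cracking, which no login-time delay helps with once the hash database has left the building.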
Re:APG (Score:3, Insightful)
I think you're absolutely right with this. It would be more secure, and I would applaud it and implement it myself where possible if that sort of added security were available...
It's just because of the "habit" of typing my passwords that I memorized most of my passwords by pattern (as I often don't think anymore, when I type, about what each individual finger is doing, but I still type quite well).
Just look at nearly every keyboard or input device; the F and J have some sort of deviating surface to identify the position on your keyboard by touch ("touch-typing"). On numerical input devices you always have the 5 standing out. That is a convenience which helps you orientate on your input device, but as you pointed out it's a security risk: as everything has such a standard "lay-out", it's possible to get to know passwords by observing not what, but how one enters a password. (This reminds me of this program which could capture passwords by "listening" to how one entered a password.)
It's a problem, definitely. I think authentication via eIDs and other smart cards is a plausible solution, but it's kind of creepy privacy-wise (and those can be quite easily stolen. And for the signature you again have a PIN... back to start.)
Context of article: new Purdue password policy (Score:3, Insightful)
This policy seems to be generally seen as idiotic by students, faculty, and staff. The IT people who talk about it seem to be made to "toe the line," and make up excuses about how this policy went through all the review/administrative processes. Nobody has an explanation for how this policy will be made practical for all the alumni and external accounts which might be accessed only a few times a year.
Many people see this policy as a copout response to the multiple security breaches in the past several years. On multiple occasions the whole university (30K+ students, plus faculty/staff) received orders to change passwords immediately because some database was compromised. Rumor had it that one database was storing passwords in plaintext because of incompatibility between hashing mechanisms used by different systems. Rather than take responsibility for and fix their security breaches, they are simply forcing this policy on everyone.
I suspect the author wrote this article largely as a condemnation of this policy.
Here's the link to the Purdue password policy: http://www.itap.purdue.edu/security/procedures/pa
Re:Password changing (Score:3, Insightful)
I have to disagree.
First of all, again: the most common method for password discovery is directly related to the user. If this was the discovery method, our enemy will easily use the same methodology to obtain the password again when it has been changed.
If the password is cracked through guessing, snooping, etc - the problem is that the user is likely to choose a new password which is very close, or just as insecure as their old password. The first thing I would try as a cracker, if someone had a reasonably hard password and changed it, would be to try every variation of the last character. If they had an easy password ("password" or some other dictionary word), I'd just know that I could run a speedy dictionary attack against their password and have it cracked in no time. These two methods of user password changing represent the vast majority - thus forcing a password change has not made the password significantly more secure because the original password was discovered.
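The "try every variation of the last character" strategy above, and the one-character-changed rotation the earlier "Re:Password changing" post describes, are cheap enough to write down. The block below is an added example (not from either poster) that builds the guess list an attacker holding the old password would try first against the rotated one, and turns the same list into a check a password-change handler can run, since at change time the server has both plaintexts. The mutation rules are the ones named in the thread plus a couple of obvious siblings; the sample passwords are constructed.

```python
import re
import string

# Characters an attacker would cycle through for the last position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def rotation_candidates(old_password: str) -> list:
    """Guesses to try against a rotated password when the previous one is known.
    Ordered cheapest-first; well under a hundred guesses for a typical password."""
    out = []

    def add(candidate: str) -> None:
        if candidate != old_password and candidate not in out:
            out.append(candidate)

    # 1. Every variation of the last character (the poster's first move).
    stem = old_password[:-1]
    for ch in ALPHABET:
        add(stem + ch)

    # 2. A trailing number bumped by one (Summer2009 -> Summer2010), keeping zero padding;
    #    if there is no trailing number, a single digit appended instead.
    m = re.search(r"(\d+)$", old_password)
    if m:
        n, width = int(m.group(1)), len(m.group(1))
        add(old_password[:m.start()] + str(n + 1).zfill(width))
    else:
        for d in string.digits:
            add(old_password + d)

    # 3. A punctuation mark tacked on the end, and the first letter's case flipped.
    for p in "!?.":
        add(old_password + p)
    add(old_password[:1].swapcase() + old_password[1:])
    return out


def rotated_too_close(old_password: str, new_password: str) -> bool:
    """Defender's side of the same list: refuse a 'new' password that is one of the
    cheap mutations of the old one. Only possible at change time, when both are known."""
    return new_password in rotation_candidates(old_password)


if __name__ == "__main__":
    for old, new in (("Summer2006", "Summer2007"), ("wombat7", "Wombat7"),
                     ("wombat7", "kestrel-sky-42")):
        print(f"{old!r} -> {new!r}: too close = {rotated_too_close(old, new)}")
```

Note what the list does not catch: a genuinely new password of similar strength (the third sample) is not in it, which is the one outcome forced rotation is supposed to produce, and the one users rarely deliver.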