Password Complexity in the Enterprise? 216
andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"
Simpleton passwords are my friends at work (Score:3, Insightful)
Depending upon the system, that's sufficient. (Score:5, Informative)
The key is how will an attacker defeat it.
So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.
Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour
As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.
And WordNumberWord is not that difficult to remember.
Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.
So lets ask a simple question... (Score:3, Insightful)
vs
How many times have backs/people lost money due to social engineering?
Forcing people to have crazy passwords may reduce the number of
times that password is cracked (from near zero to nearer zero).
But stopping social engineering will have a *far* greater impact -
because its actually pretty common for people to hand over their
passwords and account details to nigerians or email from pay pal.
So its not about the size of your password. For examp
Re:So lets ask a simple question... (Score:2)
Yes, but this then EASILY enables a denial of service attack. If I don't want you to be able to log in, all I need to do is fail to enter your password 3 times. That's why the temporary lock-out and active monitoring is a good thing (tm). -inco
Re:So lets ask a simple question... (Score:2)
brute force, but wont hinder a user (who needs to wait 60 seconds after
every 3 tries).
However that wont stop a DoS on an account. If DoS is the goal,
the hacker has a process that keeps entering your ID with a bad
password. Probably a better solution there is after 10 bad tries -
lock that IP out for an hour.
Anyone dealing with this? How are you doing it?
Re:So lets ask a simple question... (Score:2)
I agree with this general principle, but you have to be careful: This can easily turn into a Denial of Service situation. Anyone who'd like to lock out your account just has to fake three logins and you're stuck until you get an admin to unlock you. (This can get rather bad if the admins are swamped, or not available at the time you try to access the system.) I tend to prefer time-limited lockouts, or possibly a system where once you are
Make them come to you. (Score:2)
Re:So lets ask a simple question... (Score:2)
are pretty secure, but they are only 4 digits.
Incorrect. Go and call your bank
Re:So lets ask a simple question... (Score:2)
If you want to be able to use an ATM anywhere in the world, you'd better have 6, or even better, 4 digits in your PIN.
I travelled to France, intending to just withdraw cash, rather than deal with exchange houses, etc... machine would not accept my PIN because it had 7 digits, and their machines could only handle 6.
An inconvenience in my situation, but had potential to be a serious problem.
Re:Depending upon the system, that's sufficient. (Score:2)
If you're configured to lock an account after 3 bad attempts (like most systems I've ever been on), with the only account reset possible being a manual reset with administrator intervention, how can someone guess 3 billion (or whatever) times?
Well, anyway, in Windows, the SID-500 account (built in Administrator) can't be locked out. So I suppose someone could sit and hack away at that password all day long. Which is probably why it's a good idea
Re:Simpleton passwords are my friends at work (Score:2)
His password was qwer.
Needless to say, I restricted SSH access (which was the only remote access to the fileserver) to my user and my user alone.
Re:Simpleton passwords are my friends at work (Score:2, Funny)
Re:Simpleton passwords are my friends at work (Score:2)
Re:Simpleton passwords are my friends at work (Score:2)
Skroob. (Score:4, Funny)
"0123456789aBcDeF"
That's amazing. I've got the same password on my 6-piece luggage set!
Re:Skroob. (Score:5, Funny)
That's not too strange (Score:4, Insightful)
As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.
Example:
Slashdot is full of bad grammer,misspellings and inaccuracy
=
s1F0bgMaI
The phrase is easy to remember; the number and uppercase substitutions come with repetition.
Re:That's not too strange (Score:3, Insightful)
Re:That's not too strange (Score:4, Interesting)
Jane's birthday is on October 12th. (with puncuation)
or
Do or do not, there is no try.
Re:That's not too strange (Score:3, Funny)
Slashdot users are uneducated unemployed and overweight
=
SurU2a0
Slashdot users frequently complain about things, despite being overlooked and ignored because of their ignorance.
=
sUfcaTdb0a1b0t1
=
Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.
=
ga5e2pcntd31g1719905
Diabetes is god's way of telling you to lose weight, and that you look disgusting.
=
d1gW0tyT1w47yLd
Re:That's not too strange (Score:2)
Re:That's not too strange (Score:4, Funny)
Hey, I resemble that remark!
Re:That's not too strange (Score:2)
This is one of my faves.
It's immune to a dictionary attack, and any good password will be. It's also largely immune to social engineering, i.e. somebody looking over your shoulder as you type. You think "Now I'm possessive it isn't nice. You've hea
So what's to keep you... (Score:4, Insightful)
Jan: 0123456789abcDE_
Feb: 123456789abcDE_0
Mar: 23456789abcDE_01
You get the idea
No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.
Re:So what's to keep you... (Score:4, Interesting)
You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.
It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.
Re:So what's to keep you... (Score:2)
Suggested to me: (Score:5, Interesting)
Writing them down in a safe location is a helpful aide-memoir. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.
Re:Suggested to me: (Score:2)
"... okay, now for the root password, did i use the chorus from broken, the bridge from coin-operated boy, or the intro from engel?"
Re:Suggested to me: (Score:2)
hehehe... even with the song good luck figuring those out... and anyone else seeing them will think they are line noise
Re:Suggested to me: (Score:2)
Only took about 15 seconds to work out.
Re:Suggested to me: (Score:2)
Awesome job!
Ok... so evidently I need to choose some of the old Celtic tunes instead
1dmp,1d7r... @@7w1bmb... Umpswmd.
Re:Suggested to me: (Score:3, Funny)
Re:Suggested to me: (Score:2)
Another suggestion I've heard is to use a combination of visual patterns on a keyboard, i.e. "pl,12#edc" is a good password that you can follow visually without having to necessarily remember it exactly.
On the Enterprise? (Score:5, Funny)
I know a few...
"Theta alpha two seven three seven blue"
"One one A"
"One one A two B"
"One B two B 3"
"Zero zero zero destruct zero"
But usually, voice identification is enough.
Re:On the Enterprise? (Score:4, Funny)
Re:On the Enterprise? (Score:2)
Well, this is a classic dilemma (Score:5, Interesting)
Some advice Bruce Schneider once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
Myself, I use muscle memory to store mine. I make up an entierley random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me acidentally telling someone my password because I don't know what it is.
Re:Well, this is a classic dilemma (Score:4, Funny)
Of course writing your password down and keeping it in your wallet or purse is better ... follow the MONEY!.
Just use the serial number off a piece of currency, and a few letters, and you're gold. Just don't spend your password,
Re:Well, this is a classic dilemma (Score:2)
Not only that, it has a quantifiable value, allows you to choose an arbitrarily complex password, and protects against the self-administered DoS of a forgotten password: http://www.berylliumsphere.com/security_mentor/200 4/03/heresy-write-down [berylliumsphere.com]
Re:Well, this is a classic dilemma (Score:4, Insightful)
To improve security and make the users happy at the same time, this is what we are currently doing:
1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notifying the user of his last login time and last workstation used.
2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.
3) If you cannot get around the fact that users will have to deal with multiple password, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.
4) Use sudo or kerberos or similar for functional accounts.
Re:Well, this is a classic dilemma (Score:2)
Re:Well, this is a classic dilemma (Score:2, Insightful)
This would probably work well for me even though I have about 20 passwords. My wife on the other hand has 1 password and 20 purses. I can see her going to work and claiming she has to go home and change purses.
Re:Well, this is a classic dilemma (Score:2)
In UK English, a purse is literally "a bag for holding coins"; more practiacally these days a woman's purse is a large wallet that has a coin holding compartment. Wallet is optimised for people with trouser pockets; purse is optimised for people with bags.
Anyhow, what I mean is, keep the password in the same palce as your credit
Re:Well, this is a classic dilemma (Score:4, Interesting)
1) The ones I deal with on a daily basis. These number in the range of about 1 dozen, but are still easily rememberable. Length varies from 12-30 characters, includes digits, mixed-case and is comprised of multiple words. Memorable, typeable, and fairly secure. Some of the longer ones are 40-80 characters in length, but they are ones that I only use when booting up the laptop every few weeks. I use them all frequently enough that they're memorable (although I still back them up in a GPG-protected file).
2) The ones that I let the web browser remember. Such as forum passwords. Since I use a laptop that I keep secure, I'm not terribly worried about letting the web browser remember these. Those passwords are generated by a random algorithm and are usually 20-40 characters in length with random caps and symbols inserted into the middle / ends / beginning. I keep track of these by placing them in a text file prior to encrypting to contents of the text file with my GPG key. If I ever need to look them up, I open the text file, copy the contents to the clipboard and decrypt it.
3) Other seldom used passwords. These are almost all randomly generated (30+ characters with random sybols, digits and caps). Again, I simply store them in plain text files where the contents of the file is a GPG encryption block. To get at the password, I copy the contents into the clipboard, decrypt and there I have it.
The plain text file with GPG encrypted contents works well for many reasons. It's backup-friendly (I could even put the contents into source code control), I can e-mail the blocks to myself on other machines without worries or I can make backups of all of my passwords by mailing them to a webmail account. I can setup the contents of the file to be readable by my co-workers for cases where multiple of us need access to the password.
Re:Well, this is a classic dilemma (Score:2)
I have three, and manage withouot a card - my password, my root password, and an insecure password I use on web sites etc. where I won't loose any critical data (and where obviously i don't want the web site to have my real password) Oh, and a variant on my insecure password for sites that have more complex password rules than my insecure password meets.
Of course, this means that CmdrTaco could hijack my Flickr accou
Re:Well, this is a classic dilemma (Score:2)
Never assume your company won't be targeted. (Score:2, Insightful)
While your company's password policy is much more stringant than my company's, it doesn't sound too paranoid at all. As far as remembering the password, you should write it down and carry it with you if you're having trouble remembering it. It should only take a couple days of logging in before you have it down, so then make sure y
Re:Never assume your company won't be targeted. (Score:3, Insightful)
Re:Never assume your company won't be targeted. (Score:2)
I'd argue that. Nowadays it's pretty hard to crack the corporate firewall to be able to attack the machines you could try a password attack on, and moderately risky to get physical access to the building and the network wiring. It's dead easy, though, to e-mail a trojan or other malware masquerading as some suitably-attractive bait (new screensaver, porn, etc.) and count on at least a few people in the company getting bit by it. Note that that malware doesn't need to crack your password, it's already logged
Re:Never assume your company won't be targeted. (Score:3, Insightful)
Given a 6 character password from that scheme, I know the following always holds true:
Minimum of 1/3 of the password is uppercase, dictionary attacks are weak, limiting to non dicti
Picture, picture on the wall. (Score:2, Interesting)
unlikely (Score:3, Insightful)
this is an exaggeration. I can believe 8-character password every 45 days that cannot be the same as any of the previous 6, but there's no way that the stated requirements are correct. every user would have sticky notes on the bottom of their keyboard or phone or on their laptops in order to remember their password.
no real enterprise security shop would condone such a moronic password policy.
if a company were that paranoid, they'd have invested in PKI or use SecurID.
tell us what the real requirements are and maybe we can offer some concrete suggestions.
Re:unlikely (Score:5, Interesting)
In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.
Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.
These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.
Re:unlikely (Score:2)
no real enterprise security shop would condone such a moronic password policy.
Never underestimate the power of human stupidity. Or corporate stupidity, for that matter.
Re:unlikely (Score:2)
Easy Solution (Score:2)
Re:Easy Solution (Score:3, Insightful)
At my former employment i had at least as many, with the same problem, and much the same solution. Several of my coworkers kept the usual piece of paper in their desk with passwords, and many just kept text files on the system they used most often.
I complained at one point and was told i should just use th
Passwords Are Not The Problem (Score:2)
Physical access to systems is a much more pressing concern. I work in a college, and there is no way I'd be able to enforce a strict password scheme in such an enviroment. Students can't remember a simple password, let alone something designed to beat a determined attacker.
So, rooms are locked, laptops are secured, and accounts are locked down so that any attacker hacking an account is left with nowhere to go.
Obviously, I enforce strict passwor
My method (Score:3, Insightful)
(1) I pick a word or pair of words and convert them to 31337. Example: supersecure->sp3rs3cur3. This is 10 chars long, which is Good Enough for a commonly rotated password, easy to remember but hard to guess.
(2) I choose a phrase, such as a quote I like, and use the whole thing, For a while my root password was: myvoiceismypasswordverifyme. Now, technically that's not very secure because it's all lower case letters. But due to the length the amount of time it would take to crack is quite high. Again, good for a commonly rotated password.
For added security I use method 2 with method 1. Here's a secure password I no longer use: Iseemt0behavingtremend0usdifficultywithmylifestyl
You get the idea.
Re:My method (Score:2)
How is forcing them to write them on post-its any better?
What I like (Score:3, Interesting)
Re:What I like (Score:2)
Re:What I like (Score:2)
That's statistically as secure as a four and one half letter password, assuming 96 usable characters. Does that qualify for a flaw you don't know about?
Yes, that's true. But what is the goal of a password? If it can be that easily defeated with brute-force methods, I suggest that password complexity is just a red herring for bigger flaws in the security system. It should not be possible to feed 1.6 billion combinations of something into a security system without someone noticing.
If we're talking about
Re:What I like (Score:2)
And no, none of those work on my slashdot ID.
It's easier than you think to brute force (Score:2)
I worked at a place a couple years back that had a dodgy .php script on a web server. And wouldn't you know it, there was a ginourmous .htpasswd file sitting in the docroot. And, as luck would have it, some of those passwords were also system passwords (yes, this was against policy, but the terminally obstinate could and would get around the rule).
Since I don't have access to his
My policy (Score:4, Interesting)
I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.
Just an idea, real good for the corporate logins... you can easily remember a word or name, and quickly turn it into something the IT Dept. would approve of.
Re:My policy (Score:2)
For the GPG method, create a new text file for each resource. Open it up in notepad, type in the access information. Then copy the contents to the clipboard and encrypt it before pasting it back into the text file. Now you have a secure secret that you can put anywhere (shared folder, mailed to y
Re:My policy (Score:2)
Also, if you're going to go the stored-and-encrypted route, there are a number of small shareware typ
complex password algorithm (Score:2)
Take a simple phrase or word, and apply your own standard cipher.
I take input (like "frankenfurter") and apply:
- reverse letters "retrufneknarf"
- substitute numbers for vowels "r1tr2fn3kn4rf" or "r4tr3fn2kn1rf"
I can write this original word right on my monitor, or in my wallet, and it still doesn't give my folks enough to hack in quickly. Each time i need a new password, I pick a new input word, but keep the cipher the same.
Pick your own cipher, but there are lots of standard
Pray tell, how? (Score:2)
The first person to suggest a system that both makes sense and is actually secure will be rich overnight. Don't ask for something if you don't know anyone who can provide it, and can't say how yourself. It's like whining that GM hasn't made a car that gets a bujillion miles per gallon and has pretzels for exhaust.
Re:Pray tell, how? (Score:2)
Re:Pray tell, how? (Score:2)
That won't get us very far. It's actually need that drives invention, not the other way around. So ask all you want, and maybe one day someone will be clever enough to supply the solution to your problem.
Much more secure than the alternative (Score:2)
If you have an easy to guess password, anyone with an Internet connection is a threat. If you have a hard one (not guessed in one month) and have to write it down, the only people who could log in as you are people with physical access to your piece of paper.
Yes, you do have a right to complain as that system seems to be a bit overkill, but writing down a hard password is infinitely better than having to use an easy one
My solution (Score:2)
Next, I create a pgp-encrypted (symetric -- with a good password) text file with the account info for all my accounts. I email that to my gmail account for online backup and to ha
Re:My solution (Score:2)
Re:My solution (Score:2)
In my ideal world, there would be a port of it to the BlackBerry, as I carry that more than my Palm Pilot nowadays.
Re:My solution (Score:2)
Most passwords that I use are randomly generated using a custom script that I wrote (a dictionary of 300k words combined with numbers, caps and symbols).
Re:My solution (Score:2)
Write it down (Score:4, Insightful)
This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.
Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
At one company we used passwords you dare not say (Score:2)
She was lucky she didn't use the other password "sofakingwetodddid".
That's how you ensure your passwords don't get around.
hidden vulnerabilities (Score:4, Informative)
so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin get kudos. because of course, if user convenience decreased, security obviously increased. yay.
what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.
dollar password (Score:2)
Alternative password expiry schemes (Score:2)
Re:Alternative password expiry schemes (Score:2)
And as an attacker, if I could find out this information (knowing which accounts expire frequently), that would tell me which accounts to attack (due to having less complex passwords). Not outside the realm of possibility, however unlikely, and it provides information on the pas
Securid (Score:2)
The key is lockout. (Score:2)
At the same time, we lockout after three unsuccessful attempts, and we don't allow password reuse for more than 2 years. So while the passwords tend to be on the simple side for the average user, the danger for brute forcing is nonexistent because of the low lockout.
I myself believe in obscene passwords. "Strong" password validators ligh
Re:The key is lockout. (Score:2)
Assuming, of course, that you've analyzed all of the methods that the password could be used to make sure that they're not vulnerable to offline cracking attempts. Most things (like passwords sent over an SSL connection) are such that offline cracking attempts turn into offline cracking attempts on the underlying encryption, but some things (like WPA passphras
I can one-up you (Score:2)
Though probably unethical, it was very interesting to see what everyone used as pas
Hashapass! (Score:2, Interesting)
http://www.hashapass.com/ [hashapass.com]
and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from
I use my Tecra's thumbscanner (Score:2)
So get a complex password, and put it in a piece of paper in your wallet. Then use the thumb device to 'remember' it and just use your thumb. Its faster than typing the password, and breaking it is currently hard (not enough hacker culture knowledge out there to break it quickly).
My friend spent a little while yesterday trying to break it and f
Forget passwords, use passphrases (Score:4, Informative)
Re:Forget passwords, use passphrases (Score:2)
Overkill (Score:2)
Passwords suck (Score:3, Insightful)
I just went through this (Score:2)
at least 8 characters
both upper and lower case letters
at least one number or symbol
can't contain a dictionary word of 4 characters or longer
none of your last 6 passwords
not any account name
no date or year
no sequentially repeating characters
no space, editing, field-separator or quote marks
no letters in forward/reverse alphabetic sequence
no letters in forward/reverse keyboard pattern
no diction
Re:I just went through this (Score:2)
My idea of a convenient and secure solution is a smart card based USB token with a PIN code. Unfortunately, from the management point of view, forcing employees to memorize 16 character passwords each
If you want security... (Score:2)
Gain access to PC
Blank all passwords
Tell someone
???
Profit!
Remembering a password is easy (Score:2)
Re:Character Reuse? (Score:2)
Columns.
Re:Passwords ... ugh. (Score:2)
If someone manages to steal or forge my finger prints, my life is over. I c