Spafford On Security Myths and Passwords

An anonymous reader writes "In a recent blog post, Eugene Spafford examines password security along with related issues and myths. In particular, he discusses how policies that may not necessarily make much sense anymore end up being labeled 'best practices,' and then propagated based on their reputation as such."

Password changing

[mikesd81]

I still think changing passwords periodically is a great idea. Even just to keep some cracker on his toes or incase you accidentally wrote it down or devulged it or typed it in the wrong field and is in clear text.

You have a more secure system if it's harder to use a password when un-authorized. Especially if the user is an Admin account.

Re:Password changing

[Psychotria]

I would expect that if passwords are required to be changed on a regular basis, then that would be more reason to write them down (if they're secure they're probably harder to remember). In this case it would seem that less-regular changing would be beneficial, resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin.

Re:Password changing

[mikesd81]

But if you can find a way to remember them (ex: 94FE5spd - 94 Ford Exploer 5spd) or if you must write them down, lock them in a desk drawer or lock box of hide them in that secret compartment in the bookshelf, then it's a little more acceptable..

No 94FE5spd is NOT my password for /. :)

Re:Password changing

[mattkinabrewmindspri]

"94 Ford Explorer 5-speed" would be a better password, and would be a lot stronger than "94FE5spd".

A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

Re:Password changing

[somersault]

If someone caught a couple of the words you were typing, they'd be more likely to be able to guess the whole password than if it was a 'random' sequence of characters, though the punctuation and capitals would help. I don't usually look when people type passwords, but if I saw that they were typing proper words then I would expect it's easier to tell exactly what they wrote than if they had just typed '94FE5spd'. Just playing devil's advocate a bit.. mixing techniques is usually better.

Re:Password changing

[Phleg]

A sentence would be an even better password, because it's easier to remember, has spaces, capitals, and punctuation.

You must be new here.

Re:Password changing

[hal9000(jr)]

Have a look at LophtCrack (think that was it's name) which did exactly this for windows systems.

that's not entirely true. L0Phtcrack leveraged a brain dead authentication mechanism where in Windows NT using NTLM password. NTLM can be from 1 to 14 characters in length. What happens is the password is spit into two 7 character passwords and using an unsalted hash, concatenated and stored. If the password was under 7 characters a constant was use for the upper 7 characters, so by simply parsing the string you could tell if the password was more or less than 8 characters (which had great performance improvements).

I probably missed some steps in here, but that is essentially it.

Re:Password changing

[LordSnooty]

Use a computer program to store them - e.g. PasswordSafe [sourceforge.net] - the logic of storing all your passwords in a program may seem strange, but if you can keep the database in a safe place - on your USB key, for example - it should be a lot more secure than writing them down. A "cracker" would still need a password to open the database. At least you only have to remember one password.

Re:Password changing

[c_forq]

resulting in less passwords being scribbled on pieces of paper and left around on the desk, or in the bin

I still don't see why this is a problem. To me if a person is able to get to where the password is written down that means they can have physical access to the machine (unless the computer is somehow locked inside a desk or something, which isn't very practical). With physical access it would be trivial to hook up a key-logger (I believe one of the OSTG sights, thinkgeek maybe, carries them). Or if

Re:Password changing

[Sique]

Because there are environments, where physical access to your machine is no problem, and it still shouldn't compromise security (think: large office rooms with several desks). And if you have shared desks, then writing down passwords and keeping them near the computer is a quite bad idea.

Then there is another aspect in server environments: Password recovery always requires a reboot or at least a service disruption, so this is very likely to be noticed by people. Entering a password you just found on a stick

Re:Password changing

[LordLucless]

I think the GPs point was that physical access to a machine compromises security by definition. If you have physical access to a mchine, you can install a keylogger to find the password (as simple as an inline USB dongle on the keyboard), remove the harddrive and crack at your leisure (a bit more noticable) or anything in between. Hell, you could just cart off the machine.

If you're in a place where security is sufficiently tight to have mechanisms to prevent this (ie: Security Guards) then they're likely to be sufficient to cover the little password notes in the top drawer as well as the machine itself.

Re:Password changing

[Sique]

Everything that affects the machine compromises security by definition. So that's no argument as such, you have to elaborate. The connection made between 'written down passwords' and 'physical access to a machine' is very weak. Of course: If I got into the secured building with the computer desk, it may be easier to just root the computer and then access whatever you want than to break into the file cabinet and search for the password. But security by itself does not only contain prevention of a compromisation, but also detection of a compromisation. And a security breach by physical access to a machine is often much more easy and timely to detect than a physical access to the written down password. Stick-It notes don't log access, as far as I remember ;). So if it is an inside job, a security breach may go unnoticed if the attacker just reads the password while passing by and then trying it from another machine, or if he just seems to 'look for that one file I left on the desk' and searches for the password. In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and such the detection of both is more complicated.

Re:Password changing

[LordLucless]

In this case the first security breach (compromise of the password) is not necessarily time-connected to the second one (unauthorized access to the password protected entity), and such the detection of both is more complicated.

And yet, the same could be said for the installation of a USB keylogger if given physical access to the machine. The greater danger with writing the password down, I find, isn't so much unauthorized access as improperly authenticated access. You're not in danger of industrial espionage so much as someone logging in using a coworkers account to do something illegal/immoral. And if that's the case, well, it's the problem of the user who wrote down the password, not the sysadmin.

Re:Password changing

[Pollardito]

And a security breach by physical access to a machine is often much more easy and timely to detect than a physical access to the written down password. Stick-It notes don't log access, as far as I remember ;)

the solution is simple! cover your desk in a sea of Post-It notes containing various usernames and passwords, make some of the usernames be accounts with no real password listed on the desk, and check those accounts regularly for attempted logins. it's like personal steganography. if it's too har

Re:Password changing

[MrLizardo]

The biggest threat to security is often from within the corporation/organization itself. And there's a big difference between being able to walk by someone's desk and see the sticky note with the password on it versus climbing under their desk and putting a key-logger between the system and the keyboard. Think about the following two scenarios:

Scenario 1:
Worker: What were you doing going through the drawers in my desk for while I was away?
Cracker: Sorry. I was looking for a stapler.

Scenario 2:
Worker: What w

Re:Password changing

[somersault]

A lot of people here will work in IT depts, and would actually have an excuse for screwing around with someone's computer. Of course since I'm an admin here I can access anyone's files anyway, but I dont *shrug*

Re:Password changing

[TCM]

To conquer this whole password mess of mine (dozens of password for forums/shops/accounts/etc.) I use a scheme I came up with. I'm certainly not the first to do this, but it goes like this:

I remember only one password, let's call it master password. Then I use the following algorithm to derive all passwords I need from it:

$ echo -n "$USER:$DOMAIN:$ITERATION:$MASTERPASS" | openssl ripemd160 -binary | openssl base64 |

USER and DOMAIN are just reminders of where I logged in with which username. ITERATION is a

Re:Password changing

[TCM]

$ echo -n "$USER:$DOMAIN:$ITERATION:$MASTERPASS" | openssl ripemd160 -binary | openssl base64 |

Preview, preview, preview. Anyway, there sould be a final pipe element that reads "< remove all non-alphanumeric characters and truncate the result to 16 chars >"

Re:Password changing

[tazan]

I disagree with his reasoning that the cracking method is obsolete. A couple of years ago I ran our password database through a cracker just out of curiousity. Of course 99% cracked immediately during the dictionary attack, but the ones with odd characters did in fact take over a month to crack. Iirc it took 6 weeks to get all of the users passwords.

Re:Password changing

[harborpirate]

I agree with the article, and not the parent post. Constant changing of a frequently used password is a complete failure in the exploration of logic regarding passwords. It is laziness, plain and simple; the reliance on the folklore of old to tell us what we should do. Frequent Password Changing Makes a System More Secure is an old wives tale.

Over time, even a hard password will be memorized by your average user. This password does not somehow become more insecure over time, because, as the article points out, the largest vulnerabilities are not due to the cracking of passwords, but rather human error, ignorance, and/or incompetance. These should decrease with time. The user should become better educated and better able to remember the password, thus less likely to give it out. Only the chance of human error increases slightly (typing password in login box and such). Of the three, this presents the least risk by far of those three, and generally the user is aware of this occurrance and with proper education will know to immediately change their password.

Forcing a user to change password frequently is likely to only cause them to alter one character (likely the last) in the password because committing another secure password to memory is difficult. This causes both usability and security to be comprimised in the same fell swoop. The other option is that they will write the password down or otherwise record it, thus defeating its security. If you've got users with photographic memories who instantly memorize a new hard password every month, you must be the luckiest damn admin in the world.

As the article points out, modern computing and cracking techniques expose vulnerabilities much more quickly, so passwords would have to be changed so frequently as to make a changing password policy useless in many environments anyway.

Caveat:
The opposite is true of Administrator passwords or others which are rarely used. These are generally not committed to memory, and likely documented in some fashion (hopefully they are, or when the admin leaves you're screwed). If they're meant to protect a truly important system, a biometric and/or time sensitive method (such as a synchronized continously changing key generator) should be used in addition to the password. Changing these passwords with some frequency is a good idea, as it forces someone to ensure the validity of the current password (the account is not locked or disabled) as well as provide the aforementioned small measure of protection against cracking.

Please, stop forcing password changes on user accounts. Its a stupid idea. It serves no purpose other than to ensure the latest user password is written down at every desk.

Rant complete.

Re:Password changing

[harborpirate]

The article cites the following risks: disclosure, inference, exposure, loss, guessing, cracking, and snooping, and I'll agree that regular password changes only helps minimize the risk of compromise due to guessing and cracking, and then, only somewhat. But regular password changes can also help to minimize the damage when a password is compromise via other methods.

I have to disagree.

First of all, again: the most common method for password discovery is directly related to the user. If this was the discover

Re:Password changing

[ObsessiveMathsFreak]

I still think changing passwords periodically is a great idea.

I think that idea sucks.

What's the advantage? Crackers find it harder to crack things? Why? Because the password will have expired by the time they crack it? Maybe, maybe not. Unless you rotate passwords every month, at this stage, rotation is useless.

Maybe a better solution would be to make passwords the first line of defense, not the last. Simply assume they will eventually be broken, no matter how many times you rotate and plan accordingly.

For

APG

[wuzzeb]

I have found that using APG [nursat.kz] is a great way to generate passwords. They are easy to remember since you can pronounce them. For example, I just ran the generation and these are the passwords that popped out. I have found that most users can remember these kinds of passwords.

lewcyHirUx6 (lew-cy-Hir-Ux-SIX)
drywaWrop2 (dry-wa-Wrop-TWO)
ScekGul4 (Scek-Gul-FOUR)
lacWaup7 (lac-Waup-SEVEN)
IphIaft3 (Iph-Iaft-THREE)
glidTevPos8 (glid-Tev-Pos-EIGHT)

Re:APG

[MichaelSmith]

I have found that using APG is a great way to generate passwords

In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality. When I moved to unix I was surprised that you can't do this as standard.

Re:APG

[Nutria]

In OpenVMS you can go set password/generate which combines the generation with normal passwd functionality.

I've been using VMS for 16 years, and never knew that... Now I must hate you forever.

CompuServe had the best password generation policy, which I still follow:

word digit word

Thus, I am able to use easily remembered words, but there is enough variation in combinations that guessing and dictionary cracking is well-nigh impossible.

Re:APG

[ajs318]

Unix is a bit more "self assembly" than VMS. Try this. It's a little Perl script I wrote to generate passwords. The standard form is CCVCDCVC which is fairly "pronounceable", obviously you can customise it. To get around issues with letters looking like numbers and vive versa, it will never use a capital letter O nor a small letter L in a password. Save it in /usr/local/bin/pwgen and chmod it 755.

Usage:

pwgen [username]

If a username is not specified, generates a "pronounceable" password of the form consonant, consonant, vowel, consonant, digit, consonant, vowel, consonant and displays it on STDOUT; along with its scrambled form suitable for usermod(8) or direct editing of the password file.
If a username is specified, and that user actually exists, then pwgen sets the new password using usermod(8).

NB. My careful indenting was spoiled by Slashdot. Feel free to un-spoil it. Good job it's written in Perl and not That Other Language!

#!/usr/bin/perl -w
# this is /usr/local/bin/pwgen

my ($password, $salt, $scram, $user, @stuff);

$user = shift || "";

sub vowel {
$_ = substr "aeiou", int rand 5, 1;
tr/aeiu/AEIU/ if rand > .75;
return $_;
};
sub consonant {
$_ = substr "bcdfghjkLmnpqrstvwxyz", int rand 21, 1;
tr/a-z/A-Z/ if rand > .75;
return $_;
};
sub digit {
$_ = int rand 10;
};
sub saltchar {
$_ = substr "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM NOPQRSTUVWXYZ./", int rand 64, 1;
};

$password = consonant . consonant . vowel . consonant . digit . consonant . vowel . consonant;
$salt = '$1$';
foreach (1 .. 8) {
$salt .= saltchar;
};
$salt .= '$';
$scram = crypt $password, $salt;

print "\nAJS's password generator - now with no Os or ls!\n";
print "-" x 48 . "\n\n";
print "Password is $password.\n";
print "Scrambled form is '$scram'.\n";

if ($user) {
if (@stuff = getpwnam $user) {
system "usermod -p'$scram' $user";
print "Set password for '$user' to '$password'.\n";
}
else {
print "There is no such user as '$user'.\n";
};
};

print "\n";

exit;

Copyright 2005-2006 AJS.

Distribution of this program in Source Code form is allowed, with or without modification, provided that this licence accompanies every copy of the program. Distribution in binary executable form, where applicable, is permitted only in conjunction with complete corresponding Source Code and build instructions.

Statement of Warranty: the copyright holders warrant that this program, when run on a properly-functioning computer, will perform substantially as indicated by the source code. No other warranty is made in respect of the program. If you are in doubt as to what this program does, you should consult a competent programmer.

This licence is in addition to, and is not to be construed as prejudicing, any statutory rights granted to you under the Law of the Land.

Re:APG

[dgatwood]

Blech. There's no way in H*LL I would be able to remember any of those. They're completely random crap. It's hard enough to remember the twenty-plus passwords I have to keep track of that -I- created -without- somebody forcing me to use bloody line noise for one of them.

Re:APG

[ZeroExistenZ]

There's no way in H*LL I would be able to remember any of those.
After typing a certain random generated password for a few times, its engraved in your memory, no?

I find myself unable to "pronounce" most of my passwords, but I remember them without much thinking. (It's more remembering how to move my hands over my keyboard as to actually remember what I'm actually typing.)

It's the same with my PIN-codes. I just remember a figure and how to draw it in a certain order. Not the numbers themselves..

Re:APG

[ZeroExistenZ]

I had the idea that it might be more secure to use full-travel keyswitches with built-in OLED or LCD display elements {rather than a touchscreen, which creates errors through the absence of negative feedback} and scramble the key layout for each user {possibly even for each digit, though this might be too confusing}. This way, although you know what keys the person in the next checkout lane was pressing, you don't know what number they were entering.

I think you're absolutely right with this. It would be m

MOD PARENT +5 Funny!

[WoTG]

Uh... yeah, those passwords look easy enough to remember.

Heck, I forgot my 4 digit alarm code about 6 months ago... and you want me to remember how to "spell" glid-Tev-Pos-EIGHT???

Re:APG

[woolio]

Well, maybe YOU can pronounce them!!!!

And for the viewing audience, which one if your root password?

Easy for a Star Trek Fan Maybe...

[Qybylance]

They do sound an awful lot like planet names... "Scotty, beam me down to Lac Waup 7!" "Can we recover the team on Sek Gul 4?" "The colony of Ip Laft 3 is under Romulan attack!"

Diceware

[krunk4ever]

Another common one is Diceware: http://world.std.com/~reinhold/diceware.html [std.com]

Example

Suppose you want a five word passphrase, as we recommend for most users. You will need 5 times 5 or 25 dice rolls. Let's say they come out as:

            1, 6, 6, 6, 5, 1, 5, 6, 5, 3, 5, 6, 3, 2, 2, 3, 5, 6,
            1, 6, 6, 5, 2, 2, and 4

Write down the results on a scrap of paper in groups of five rolls:

            1 6 6 6 5
            1 5 6 5 3
            5 6 3 2 2
            3 5 6 1 6
            6 5 2 2 4

You then look up each group of five rolls in the Diceware word list by finding the number in the list and writing down the word next to the number:

            1 6 6 6 5 cleft
            1 5 6 5 3 cam
            5 6 3 2 2 synod
            3 5 6 1 6 lacy
            6 5 2 2 4 yr

Your passphrase would then be:

            cleftcamsynodlacyyr

There's also rules on top of that where you can find which character to capitalize and where to add symbols and spaces.

Re:Diceware

[surprise_audit]

The braindead password policy around here is: at least one alphabetic, one numeric and one punctuation character. No subset of the word can be in the dictionary, and it has to be 8 characters (or more if supported by the OS).

The problem with that is that *some* systems have slightly stricter rules than others, so you can get partway through Password Change Day with a perfectly good word and then run into a machine where it isn't allowed.

Perhaps the nuttiest part of the policy is that you can't go back and

Re:APG

[Captain Zep]

Sounds like I'm in the minority, but I think this APG thing looks pretty good, assuming it generates from a large enough space.

Despite what everyone is saying, these passwords are pronounceable, and for the really important passwords that you use frequenctly, you can memorise them fairly easily.

I currently use completely random character sequence passwords for my main accounts. I keep them written down until I've learnt them (after a week maybe), then destroy the piece of paper. Since the passwords are st

Password change policy

[MichaelSmith]

We all know that its stupid. People write it down on post it notes etc. But when the luser gets hacked he is going to be gunning for the sysadmin who needs to be able to prove that he is serious about security so that he can put the onus back where it belongs.

Thats just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

Re:Password change policy

[KiloByte]

Thats just how politics work in a corporate environment. People will cover their arses first, do the sensible thing second.

I'm afraid that you have never seen a corporate environment; otherwise you wouldn't mention "doing the sensible thing".

Re:Password change policy

[shawb]

Alot of people eventually do the second thing... but it usually requires two weeks of notice.

Re:Password change policy

[einhverfr]

Well.... I think the author misses one real reason to change passwords every so often (monthly is good): If a password is compromised, then it is a good idea to have a periodic change so that the compromise may be at least somewhat limited automatically after a period of time. I think that in many environments, a change of a month is reasonable.

This doesn *not* mean you are necessarily reducing the chance of a breakin. What it does mean is that a break-in is going to be more limited in its impact even i

Re:Password change policy

[ehrichweiss]

I only have one question. What if the cracker is the one who gets the "it's time to change your password" message, they change it to something they know and then back again to the original? Think anyone's gonna notice? Depending on the host OS, it could be trivial to exploit a man in the middle attack to acquire the password from that user when they logon, just have a script that checks for a value on a webpage(or a million other things) that you control..if it finds it then it puts the user right back infr

One attack he didn't mention...

[patio11]

... getting your server brute-forced by a Slashdotting.

Couldn't agree more on some points

[tanveer1979]

Monthly change policies. they are simple stupid. If your password is inherently weak, such as your car number, date of birth etc., it will be easy to crack. If you throw a monthly change policy at such people they will change their passwords to simple things. Other option is to educate them to choose good passwords, but that works with half the people. Best solution, let the users not choose a password. Let the machine generate random passwords. Then the user can choose out of those random combinations. At a place where I used to work, the web login system on internal network was set this way. You would click on a button saying, choose new password. Many options would appear and you choose one. If you dont like any of the options you could keep on generating new ones indefinitely. The change policy was that after 1 year you had to get a new password. Perfectly sane and secure. In those random 6 lettered words, sometimes easy to remember combinations would appear, like y1pl3t. Remeber it as yiplet!

If you dont have the benefit of a machine generator and want to specify something remembrable dont be too obvious. For example you have a poodle named fido(If you do I doubt you would be reading /.). So you can have a password which is easy to crack fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible.

another trick

[tanveer1979]

Wish I had pressed preview! Anways this will work with non english speakers or if you know a language other than english. Well best are the languages like Punjabi, Hindi, Arabic etc., which are not popular in the web. You can have a word from those languages. Like bh44gj4. This is pronounced as Bhaag Ja. Which means Run away. Long time back I had a password which was t0g4dh4. This means To gadha, or "you donkey".

Re:Couldn't agree more on some points

[dgatwood]

Using a generator to force secure passwords may be the most insecure thing I've ever heard suggested to improve security. No, seriously.

If a user has to generate a password, it is something they can at least possibly remember. If a machine generates it, there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices will be able to access those people's accounts using the password reminder neatly affixed along the margin of the user's monitor.

Besides, 99% of security compromises aren't through guessed passwords anyway. They are through either social engineering (25% of people will give up a password when they receive a call that says "Hi, I'm Fred from the IT department, and I need to verify your account information"; try it if you don't believe me), buffer overflow attacks (l33t h4xx0Rz), or physical security compromises (while latency is terrible, it is difficult to overestimate the bandwidth of a pickup truck filled with backup tapes).

Seems to me that, generally speaking, admins are worried about entirely the wrong problems, and while this may help cover their a**es against being blamed for intrusion a bit, it does little to improve actual security.

Re:Couldn't agree more on some points

[tanveer1979]

It will be the most insecure thing if people are writing down their passwords. I suggested choose an easy to remember combination which can be guessed by nobody but you. For example h4r4m1. In an office environment its social engineering but with internet spreading you form a parallel identity. Sombody could hijack that identity and cause you lot of grief. Case in point. http://news.google.com/news/url?sa=t&ct=:ePkh8BM9 E 2IFGm_AIgSzKgkkUGLAituezDwjgWL1DQKJ3Pxeu2LZfMLctqk CAEoGDEE/2-0&fp=444d61803016 [google.com]

Re:Couldn't agree more on some points

[iabervon]

I think IT departments concerned about security should make it a stated policy that they will try to find out your password, and, if they succeed, they'll reset it and prevent you from ever using that one again, and you have to figure out yourself that it's been changed, and ask them to let you set it to something you know. That would quickly make people a lot more resistant to social engineering and less likely to write passwords down or choose obvious ones. It would also show that the IT department is doi

Re:Couldn't agree more on some points

[cyborch]

... there is a nearly 100% chance that anyone sneaking into 3 out of 4 offices ...

... 99% of security compromises ...

... 25% of people ...

In other news: 87.3% of all surveys are made up on the spot.

Re:Couldn't agree more on some points

[suv4x4]

"So you can have a password which is easy to crack fidopoodle. But if you go as pfoioddole or better pf010dd0l3 only you can remember it and guessing it will be almost impossible."

Yup, impossible, there's apparently this belief that hackers have no "1" and "3" on their keyboard so that every I should be written as 1, and every E as 3.

When, like 90% of the passwords are made that way, guess what, it's not harder to guess.

Absolutely true

[Chairboy]

I worked at a company that rolled out increasingly stringent password policies. It got to a point where the passwords required upper and lower case characters, numbers, non-alpha numeric characters, and (this is the kicker) were required to be changed every few weeks.

I asked around, and gradually discovered that most of the people I worked with had ended up (after months of dilligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms. None of the people involved were bad, in fact, I worked with a fine bunch of people who really cared about security and individually had great ideas for making the company safer, but when they were all implemented simultaneously: Ka-BLAM.

A security policy cannot be a list of best practices, it has to be a designed holistic plan that takes into consideration the very human nature of the people it is protecting.

Re:Absolutely true

[MichaelSmith]

had begun writing their passwords down at their desks.

The ITS department where I used to work had a similar policy. One time I had to get a file or something from one of the civil engineering teams. The team leader was out but one of his staff knew the algorithm they had decided on for the password. It was something like initials+year+month.

I write passwords down...

[cirby]

Well, they *look* like passwords.

They're not actually *to* the systems they're next to, but it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

Re:I write passwords down...

[MichaelSmith]

it's funny how long some baby cracker-d00d will just sit there and keep fiddling with them, trying to get them to work.

Maybe honeypots will become a standard security thing. The password will always work but it won't get you anywhere useful.

Re:Absolutely true

[Barnoid]

I asked around, and gradually discovered that most of the people I worked with had ended up (after months of dilligently trying to adhere to this policy properly) had begun writing their passwords down at their desks.

Writing. Their. Passwords. Down.

It's like this well intentioned security policy had short-circuited itself and put the company in a position far worse than it had been before the reforms.

If the people able to see your password are trustworthy, this is not necessarily only a bad thing. Firstly,

Re:Absolutely true

[Beryllium Sphere(tm)]

>Writing. Their. Passwords. Down.

The part which should horrify you is the At. Their. Desks. part. If the paper with their password is in their wallet, protected as well as their ~$100 in cash, and especially if it doesn't have other login details on it -- well, some places need more security than that but not all. At that point the paper with the password on it becomes a strange kind of hardware token.

Even the At. Their. Desks. part should be kept in perspective. You should close attack paths on general principles of course but remember that anyone standing at the person's desk has physical access. Physical access gives you a lot of other worries though all of them require more motivation than reading somebody's password does.

Re:Absolutely true

[jrumney]

Physical access to a desktop PC doesn't give you much in many corporate situations. The valuable information is on network drives, and the password hands the intruder this on a plate. Given the number of activities companies outsource these days, physical access is the easy part.

Re:Absolutely true

[timbck2]

Yep, sure does. When I go home, my company-supplied laptop goes with me. I could leave my password taped to my monitor, and it wouldn't do anyone any good, unless they broke into my house...

... or steal your laptop out of your car, or off the subway, or from the coffee shop, or wherever you take it.

Re:Absolutely true

[Vo0k]

Login: bugmenot
Password: Bugm3n.+
Reminder: http://www.bugmenot.com/ [bugmenot.com]

Re:Absolutely true

[shmlco]

FYI: A company I know of that relies on user registrations automatically flags email addresses, usernames, and passwords that contain anon, bugme, spam, asd, sdf, and other key words. Most such accounts are automatically closed.

Re:Absolutely true

[shmlco]

"... untill the [sic] implemented that policy..."

Yeah, it's obvious you're in their primary demographic.

Advice on passwords

[Brandee07]

Advice my dear mother gave me a long time ago:

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

With that said, I'd like to argue the point made by the article about periodic changing of passwords. He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it. This actually happened in my high school, and then we had the admin password to every computer in the lab. And had that access until the last of us graduated. While periodic password changing won't protect you from a serious hacker, it will save you lots of grief from more petty mischief, especially if the person who has your password is clever enough to not let you know that he has it.

Re:Advice on passwords

[dgatwood]

Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

Even if that's a real concern, the password shouldn't be typed in where someone can watch your fingers. In a lab, it might be of -slight- risk. In a private office, it basically is zero.

Thus, from this we can deduce that the #1 most serious security hole a company can have is the use of cubicle farms. :-)

No, seriously. It is.

Re:Advice on passwords

[raftpeople]

It happened to me. I was logging onto some box after having passed through a few different operating systems on various boxes to get there, when I keyed in my password the damn thing got echoed back to the screen and the person behind me started laughing (it was one of those passwords you wouldn't tell your mom about!).

Re:Advice on passwords

[dgatwood]

Heheheh. At least it was something so offensive that you'd know it if anybody found it out. :-)

Anyway, this is why I make it a point to only connect via ssh anymore. Telnet had lots of those issues (and was usually in the clear anyway).

Re:Advice on passwords

[loqi]

No, seriously. He's talking about the cleartext username box.

Re:Advice on passwords

[wfberg]

Yeah, but when is the last time you saw ANY software that actually echoed passwords to the screen? Basic security says that this should never occur. Unless you're really good at reading keystrokes, that isn't a real concern.

The problem lies with badly designed operating system/windowing system software that allow windows to grab focus. No window should be allowed to programmatically, without user intervention, pop to the foreground and get focus (whether it's a pop-up ad or any sort of dialogue). Unfortunately, this happens all the time. Especially windows applications love to pop up messages, dialogues, windows, and all allow you to quickly (without noticing) press OK and continue typing your password in plain sight in the application that just hijacked your focus! XP's "prevent applications from stealing focus" doesn't always work, and never works if an application happens to be spawning in the background (like during startup, which might be a good time to enter a password into putty's pagent for example).. *sigh*

Re:Advice on passwords

[wildsurf]

Passwords are like toothbrushes; change them every three months and don't share them with your friends.

Passwords are like toothbrushes. Don't get too enameled with yours, or it'll cause a dentin security and may even expose your root.

Re:Advice on passwords

[LarsWestergren]

Advice my dear mother gave me a long time ago:
Passwords are like toothbrushes; change them every three months and don't share them with your friends.

That is great advice! Your mother works with security I take it?

Re:Advice on passwords

[ArsenneLupin]

He gave the (not so) hypothetical situation of a password being typed in a login box where someone might see it.

Yeah, saw one such incident too. A slideshow presentation about the library catalog system, before a room full of people. At a certain point in the presentation, the library lady decides to do a small demo of the system, and proceeds to log in to her account. Of course, she accidentally types here password (which has admin privileges...) into the login box, where everybody could see it on the h

Merifs of the one password per site policy

[Beryllium Sphere(tm)]

Porn sites, in fact, were Bruce Schneier's idea for large-scale password theft. A crook could send out spam advertising a free porn site, simply requiring a no-cost signup. Umpteen suckers sign up, they choose umpteen passwords, some fraction f uses the same password for everything, and your "porn site" has just accumulated f*umpteen valid passwords and associated IP addresses.

My Rule of Thumb

[QuantumG]

I tell this to every sysadmin that turns on 100% of the annoying features of enforced password change policies:

      "You have to balance security with convenience."

Otherwise people will just circumvent your security by changing their password twice (or 10 times), resulting in the same password they started with, or just write their password down.

Re:My Rule of Thumb

[bhima]

Years ago a new admin saddled us with ridiculous & onerous password requirements and when numerous people complained and wanted an explanation the official party line was that it was up for discussion. So more or less instantly they alienated anyone with any tenure and passwords have been on post-it notes on desks ever since. Because we have no input in these sorts of decisions most of us feel like it's not our problem. When the story broke about people giving their passwords to strangers who asked f

Re:My Rule of Thumb

[jonwil]

In my workplace (which shall remain nameless), to get into the building during normal hours you need a photo badge passcard.
To get in after hours, you need a photo badge passcard and a pin number.
I also have an individual key to my desk to keep any confidential paper or other physical materials secure plus several different access passwords for different parts of the system (email, login, corporate intranet, other locations), all of which have to be changed periodically.

Without passwords, there would be not

Re:My Rule of Thumb

[Beryllium Sphere(tm)]

Your keycard should be your login token.

The technology is available.

The real myth about passwords is that they still make sense. Passwords are dead. Passwords that can hold up to a good cracking program are outside the memory capacity of normal people. (I memorized a 10-word Diceware [diceware.com] passphrase with 129 bits of entropy once, but that only proves I'm abnormal).

Your employer would improve both their security and your convenience by letting you have a hardware login.

Re:My Rule of Thumb

[jonwil]

What about systems that remember every password you ever use (or remember so many that its unfesable to go to one you used before)?

pass PHRASE

[Tumbleweed]

Doesn't anyone remember the 'pass phrase' thing from awhile back? You know - less complex but much longer passwords, so they're secure but easy to remember? "The quick fox jumps over the lazy brown dog" type of thing (though that should probably not be allowed :)

Just please, NO biometrics.

Re:pass PHRASE

[Vo0k]

> Doesn't anyone remember the 'pass phrase' thing from awhile back?
> "The quick fox jumps over the lazy brown dog"

Way too long to type.

> D'tart'pp;tfawb?
> Tqfjotlbd

Passphrase-based passwords (take each first leter, caps and semigraphics retained) are a good option.

Thank you!

[Pfhor]

Thank you!

I have been looking for ways at new password generation for system administration, and that is brilliant. Throw in some l33t speak for number / letter swaps and the suggestion you mentioned is golden.

Re:Thank you!

[Vo0k]

For better remembering effect and to help your imagination at 'inventing' the passphrases have it "written" somewhere around the workplace. Use a sentence from a cover of some user's manual, writing on some poster, "safety regulations notice" or such lying around. Just sit at given computer and look around for some text. If you feel especially rude, swipe the text right from the login screen, like from the standarised footer of the login page with a copyright notice and such :) Especially helpful if you giv

He's wrong

[gvc]

There was never any rational basis for rotating passwords. Spafford's 70's rationale is amusing but bogus.

Re:He's wrong

[honkycat]

I think you're right -- even if you assume it takes a month for the systematic password search on the mainframe to try every password combination, changing your password doesn't help much.

It does buy you a tiny bit, if they are actually trying every combination. Suppose it takes them two months to try every combo and after one month, your password is still unknown. They are now guaranteed to have it within the next month if you do not change it. If you do change it, then there's a 50% probability that yo

Picture Passwords

[Metabolife]

I always thought the picture based passwords shown here [bbc.co.uk] were a creative way of making passwords.

Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

Shoulder surfable.

[loqi]

You ever wonder why password fields don't echo the actual characters back to the screen?

Re:Shoulder surfable.

[Rob the Bold]

You ever wonder why password fields don't echo the actual characters back to the screen?

I used Lotus Notes for a while, and it had a "cool" feature of echoing seemingly-random numbers of heiroglyphics when you typed each character of a password. You never knew if your finger slipped or if you did just type bird-bird-eye-"guy going like this"-bird-ankh-ankh-ankh. Worse then single stars, worse than nothing, really.

Re:Picture Passwords

[Red Alastor]

Basically you click a few spots on a random image, and next time you login, you have to pick those same spots again. Forget remembering your password.

Forget security too. There is a limited number of points in a picture that are easy to spot and remember (windows, people heads, signs, whatever) so it's very easy to brute force.

Passwords?

[bm_luethke]

The last supposed "high security" place I worked (Oak Ridge National Labs) had a pretty sane password scheme - computer generated every 6 months or year (too long ago, I do not remember now). They generated a big list and you picked one so you could get one you could remember. It was good combination of stuff, not really something that was attackable by a dictionary and they watched external requests pretty hard (ad most of the service providers did also).

But, the problem was that every single hack/intrusion we knew of (either on our machines or lab wide) had nothing to do with password and all to do with users desktops on SSH key management. Everyone wanted symetric keys so they never needed to type a passphrase of password. No one wanted to mess with keeping thier computer updated. So once one computer was violated nearly all in the lab were - even those of us who tried to patch and watch were brought down by what the users demanded. We were really damned when an offsite place (say a university) was weak and a user had symmetric keys installed.

That ended up being a VERY difficult issue to educate on - it's a fairly abstract idea. Very very very few of the people there were unintelligent but few were educated enough in that field to even really understand the issues (no reason why a chemist should understand key management any more than I should know how carbon rings react in some random environment). Password management is pretty obvious, heck many of us even had "secret" clubs in elementary school that did similar stuff. However strong encrypted keys tend to be something different, offering the ease of no password and the security of really strong ones (when done correctly). It take some amount of knowledge to "get it" along with thinking about having the private keys stored in unsafe places.

*shrug* I think that password management (in secure business processes) is becoming much less important. Even hotel reservation systems are mostly moving over to SSH and key management. For logging into your credit card service? SSH key and passphrase is great. For much of business practice, as SSH and similar type things become the standard password management this is MUCH more important. Right now we are horrid in that area of education.

Less articles about password management, if it has not been beat into your head by now you are a lost cause. Lets spend some time on key management and other security issues that are becoming MUCH more useful.

I've (unfortunately) forced this on users before

[Corbets]

From a comment I just made on Spaf's blog....

I've mandated rotating passwords before. My thought was that I knew my users shared passwords over time (oh, I need to use your computer for a few minutes, but your screen is locked) so by forcing a change I was hoping that if a person left the company they wouldn't retain access to anyone's accounts. However, the better solution in that case would have been termination for people who shared passwords and/or forcing all users (only about 15-20 in the company) to change passwords everytime someone left.

And of course, there are times in larger companies where I simply got told by those higher up that passwords would be rotated.

Re:I've (unfortunately) forced this on users befor

[tbird81]

You'd fire people for sharing a password??

Seriously, what's more important to the company: people logging in as another employeee, or actually having employees with morale!

Who cares if people use the same password. I've worked in a hospital where everyone shares passwords, and in a lab where everyone's password was the same. (Won't say where, but it happens everywhere)

There's nothing worse than a stupid nerdy geek telling people off for following some geekhole paranoid rule that has only minimal risk in real life. Like the telltale at school who takes all the rules literally, without trying to understand their purpose and the spirit behind them.

Re:I've (unfortunately) forced this on users befor

[Corbets]

Yes, I would fire people for that. I'd fire people for any intentional violation of corporate policy. It's one thing if you don't know, it's another if you choose to break the rules, especially after repeated warnings. I've often found that people who break little rules will ocassionally break big ones - like those kids in school you mentioned, those who tell little lies will from time to time tell a whopper.

It's an issue of trust, not to mention security (why bother with multiple user accounts at all if

Password "best practices" are counter-productive.

[Symphonix]

The company I work for enforces a lot of these password "best practice" rules. Most of our systems require passwords to be exactly 8 characters long, contining one digit but not in the first or last position, and must be changed every month. I'm certain this only makes things less secure, as users have a tendency to use even dumber and less secure passwords under these rules. For instance, if you instruct ten thousand users to change their password every month, then at least 500 of them will have "APRIL" or "APR" in their password at this very moment - even if you expressly forbid them to do this. Having complicated rules like "You must use 8 characters, including a digit in the middle" means that helpdesk staff often need to explain to the user several times what their password can be, and what they might or might not be able to have. When the average luser is now spending 3 minutes asking helpdesk - quite loudly in a crowded office - whether "BENJIDOG4" is a good password or not - then you've instantly lost the security of the password. Would it be more secure to let the user set a password without any requirement for it to contain numbers, or is it more secure to include the requirement and have every second user holding a long and loud discussion with everyone around them about what they're putting in and why won't it frickin work?

Re:Password "best practices" are counter-productiv

[mark-t]

There are two dangerous policies that they implement.

One, the requirement that passwords be exactly 8 characters long. An minimum length specification is fine, but it shouldn't be the same as the maximum.

Further, changing every month is too often. You end up with people having to write them down because they don't have time to get used to any one. I'm all for changing passwords reguarly, but that's waaaaay too often. On average, I think the ideal number of times that you should change a password is

We knew this already. They don't. Won't change.

[jthill]

TFA:

In summary, forcing periodic password changes given today's resources is unlikely to significantly reduce the overall threat -- unless the password is immediately changed after each use.

Security is one of those things that complete ignoramuses believe they understand without benefit of thought or experience. ~Just make it too hard~. Experience says there is simply no reaching these people. I can actually find some sympathy for them: the least whiff of an implication that their existing security pol

Requirements...

[Vo0k]

A real error message from a real e-store registration, denying access for a customer who entered his actual, legit personal data:

"Your surname name is too short. Surname must be at least 4 characters long."

Passwords + Physical securoty + SE

[Ajehals]

I used to be responsible for IT security at for my previous employer and find that the biggest danger to any password based security is the user. When I started there were no passwords in use anywhere, After about a month and a half I implemented a password policy (nothing strenuous, just the requirement for a 6+ char password, with a monthly change requirement. I was not popular. (this may have been the passwords or possibly the pave and nuke job I did on all the corporate desktops killing at least 3 of t

Three unsuccessful attempts and you're locked out

[rollingcalf]

Another useless rule of thumb is the one that locks you out after three unsuccessful login attempts. It was based on the theory that the authentic user would be able to remember the password within three attempts.

In reality, with passwords being case sensitive and people having to remember dozens of passwords for different systems at work and personal web sites, three attempts will end up locking out numerous legitimate users.

Caps lock is on... one failed attempt. You turn off caps lock and enter the password for a different system... another bad attempt. You think your bad attempt was due to a typo, so you re-enter the same password... you're locked out.

With so many people getting locked out, either they become lax with the password-reset procedures, allowing an intruder to take advantage of that. Or they stay strict, which results in numerous users losing hours of productive time.

Give 10 or 20 attempts, dammit.

Re:Three unsuccessful attempts and you're locked o

[rjstanford]

Give 10 or 20 attempts, dammit.

Screw that. Give 500. Give a number so rediculously high that your help desk should practically never have to deal with another "locked account" again, but so stunningly low that a brute-force attack will never succeed. It turns out that these two boundaries are still pretty far apart from one another.

Passwords Suck

[esme]

We should all be using public keys.

-Esme

Encrypted key exchange

[XNormal]

Encrypted key exchange protocols (e.g. EKE, SPEKE) allow the safe use of relatively weak passwords. They resist all known passive sniffing, man-in-the-middle and offline dictionary attacks. How can a system be secure with weak passwords? Think of your ATM card's 4-digit PIN: it's pretty safe because it's limited to only a couple of unsuccessful attempts and you can't do an offline dictionary attack that would bypass this limit.

Unfortunately, these algorithms are all patented.

As far as I can tell, the SRP system infringes on the EKE patent. The fact that Stanford got a patent for SRP means nothing - a patent grant says nothing about infringement of other patents. AT&T probably won't sue anyone using it in an open source project but they will not issue a statement that SRP does not infringe the Bellovin patent, either. Result: commercial users shy away from SRP.

The only widely deployed remote password authentication mechanism which is safe even with weak passwords is "plaintext over SSL" but it relies on PKI which has its own set of problems.

Kerberos tickets are pretty secure because they use machine-generated random keys instead of user-provided passwords. But this whole tower is built on a weak foundation because the initial authentication to the TGT does use the weak user password. If just this part was replaced by EKE all Kerberos services would benefit from increased security.

Microsoft domains use Kerberos. Is there any chance Microsoft would bite the bullet and pay the EKE or SPEKE patent license fees?

Context of article: new Purdue password policy

[mdpowell]

The author is a professor in the CS department at Purdue. At the beginning of 2005-2006, Purdue IT announced that they were going to require *every* password on *every* computer to be changed every 30 days. They made it clear that this policy was not restricted to administrator accounts, and in fact it has been pointed out in several articles that students will have to remember to change their passwords during summer and co-op sessions, or their accounts will be disabled. You also won't be allowed to re-use passwords for six replacement cycles. The policy isn't enforced yet but will be "real soon now."

This policy seems to be generally seen as idiotic by students, faculty, and staff. The IT people who talk about it seem to be made to "toe the line," and make up excuses about how this policy went through all the review/administrative processes. Nobody has an explanation for how this policy will be made practical for all the alumni and external accounts which might be accessed only a few times a year.

Many people see this policy as a copout response to the multiple security breaches in the past several years. On multiple occasions the whole university (30K+ studenets, plus faculty/staff) received orders to change passwords immediately because some database was compromised. Rumor had it that one database was storing passwords in plaintext because of incompatibility between hashing mechanisms used by different systems. Rather than take responsibility for and fix their security breaches, they are simply forcing this policy on everyone.

I suspect the author wrote this article largely as a condemnation of this policy.

Here's the link to the Purdue password policy: http://www.itap.purdue.edu/security/procedures/pas sguidelines.cfm [purdue.edu]

Re:Auto change?

[Zantetsuken]

I think Lenovo is starting to sell a lot of finger-print-biometric-scanner notebooks now, it seems to be one of their big selling points for business buyers - not sure if it would work under Linux, but if its something where you have to scan your finger before it gets through with BIOS it oughta be something embedded into CMOS or some other part of the motherboard, in which case I would think it would still work whether you run Windows or Linux on it...

Re:Dupe

[Warg! The Orcs!!]

If I recall correctly, posts pointing out duplicate posts have been posted before.