
Passwords - 64 Characters, Changed Daily? 645

Posted by timothy
from the too-much-overkill-is-never-enough dept.
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"

  • by thammoud (193905) on Sunday August 08, 2004 @05:27PM (#9915331)
    password1 password2 password3 password4 based on the month that you are in.
    • by Anonymous Coward on Sunday August 08, 2004 @05:32PM (#9915376)
      just checked, you don't do that.
    • by Abcd1234 (188840) on Sunday August 08, 2004 @05:35PM (#9915406) Homepage
      This should be modded insightful. These kind of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

      Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.
      • Re:Just do what I do (Score:5, Informative)

        by Antique Geekmeister (740220) on Sunday August 08, 2004 @05:59PM (#9915562)
        What you are describing encourages universal passwords. Unfortunately, it's not merely password cracking that is a real risk. It's password sniffing, via keyboard monitoring or packet sniffing over unencrypted protocols like FTP, POP3 or IMAP or HTTP without SSL turned on, etc. People are terrible about changing them, and they do tend to rotate them among a very small number of passwords to deal with this.

        Universal sign-on systems such as Kerberos can help this, by enforcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.

        Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.

        Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.
        • by arminw (717974) on Monday August 09, 2004 @01:34AM (#9917922)
          Some systems do not allow any more tries at logging in after a few unsuccessful attempts. After an hour or so, the system resets and gives the user another chance to try to get in. If that also fails, the user must call the system admin. This process goes a long way toward thwarting multiple access attempts.

          None of this helps of course if the user's system is breached and some sort of keyboard sniffer is active.
          • by robosmurf (33876) *
            The problem with a strict lock-out policy is that it leaves you vulnerable to a denial-of-service attack. All an attacker needs to do is guess your password a few times to cause a lot of trouble.
            • Re:Just do what I do (Score:3, Informative)

              by JWSmythe (446288) *

              APC masterswitches do that. Well, it locks you out after x attempts for x minutes.

              It became a pain in the ass when some winner started trying to password scan one of the masterswitches. A machine went down, and everyone was locked out from it. They had just left the scanner running, so after the lockout time, it would get locked out again.

              We moved them to a private network, and voila, everything works fine now. :)

              People try to brute force so many various passwords, this seems like a really
      • This should be modded insightful. These kind of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

        Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, mor

        • Re:Just do what I do (Score:5, Informative)

          by Harald Paulsen (621759) on Sunday August 08, 2004 @06:19PM (#9915693) Homepage
          The problem isn't having a policy, or having a boss tell you to use a safe password. The problem is that the boss somehow feels he should be exempt from the password policy. Ironically enough, the people in command that wear a suit usually have the simplest password. They also have access to most of the sensitive information.
          • Re:Just do what I do (Score:3, Interesting)

            by Inda (580031)
            We had a change of policy here not so long back. Dictionary words and proper names were disallowed. Of course I was the only one that read the email about this.

            The boss's secretary was presented with the change password dialog one morning. It would not accept any of her desired new passwords.

            I said "You can't use your son's name anymore". The look on her face was priceless. I was amazed too; I thought this sort of thing only happened on the TV.

            The really sad thing is that a cleverly crafted spoofed email
      • Re:Just do what I do (Score:5, Interesting)

        by Pharmboy (216950) on Sunday August 08, 2004 @06:01PM (#9915576) Journal
        What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

        As soon as I see an attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.
        • What if the logs are forged? What if they got some hash of your password and they're locally trying to decrypt it?
        • by FireFury03 (653718)
          What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it anyway?

          Yep, I don't think there is a need to change passwords until someone uses one to compromise your system: if you change passwords every 6 months, what are the chances that someone cracking it coincides with you changing it. If someone cracks your password they're going to use it immediately, not wait 6 months until you chan
      • Re:Just do what I do (Score:4, Interesting)

        by Megor1 (621918) on Sunday August 08, 2004 @06:13PM (#9915653) Homepage
        Since password cracking relies on having access to the password hash, simply make the hashes an order of magnitude longer to calculate.
        • by rsmith-mac (639075)
          This is only good against dynamically calculated hashes; if you pre-hash the english dictionary or something like that, then once everyone has the hash table, we're back to square one when it comes to poor passwords.
      • Re:Just do what I do (Score:3, Interesting)

        by eric76 (679787)

        ... easy-to-remember (and hence, likely easy-to-crack) passwords

        Those two are not necessarily related.

        You can have easy to remember, well, relatively easy to remember, passwords that would be tough to crack.

        My favorite approach is to create nonsense type phrases with some odd punctuation.

        For example, something like:

        I borrowed all the books from the library! and read them both.

        or

        An ultranet in a test tube is truly a fine thing to behold?

        Or you could also take a favorite quote and modify it somewhat

      • >choose easy-to-remember (and hence, likely easy-to-crack) passwords

        Not necessarily. I mean depending on what the max character limit is he could be using pass-phrases. The password is becoming obsolete and the pass-phrase will be the next step. That is if the next step isn't smart card keys, challenge response you can do on a PDA, etc.

        Of course the pass-phrase has its flaws too like using famous quotes, but that could be screened out the same way common words are. There might be some side benefits to
      • by FireFury03 (653718)
        Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.

        I agree with this, although the people enforcing the passwords should really be asking what level of security do they need. Forcing people to have the most complex passwords possible all the time encourag
      • Wallet = secure (Score:3, Insightful)

        by IncohereD (513627)
        Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.

        Someone I work with asked about how he should protect a key to a secured area, and the response was "How often do you lose your car or house keys? Keep it with those." I'd say the same applies to your wallet and keeping passwords in it, if worse comes to worse and you can't remember them.

        Considering I've never lost my wall
      • Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location!

        Hold on, are you saying that the post-it note labeled "network password" on my cubicle wall is insecure?
  • by usefool (798755) on Sunday August 08, 2004 @05:28PM (#9915338) Homepage
    Wasn't there a joke that if users are required to change password every second, hackers just need to keep on trying the same password until users themselves changed to match the hacker's password?
  • One day we'll have Biometrics, so we won't have to remember our passwords.
    • by wkitchen (581276) on Sunday August 08, 2004 @05:32PM (#9915375)
      Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".
      • well, you can synthesize finger and palm prints, so the whole finger-choppy bit isn't necessary. but who doesn't want to keep eyeballs around in jars, eh?
      • by Roofus (15591)
        Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

        Holy great hell, I'd love to see the social engineer that can convince somebody to chop off a finger voluntarily. They would put Mitnick to shame!
      • Re:Biometrics (Score:3, Insightful)

        by shadow_slicer (607649)
        Why chop off fingers or pluck eyeballs when
        "Scraped up my fingers this weekend in a bicycle accident, and the stupid scanner doesn't recognize me. Can you open the door for me?"
        or
        "Contacts have been irritating my eyes lately so the damn machine won't validate, can you buzz me in?"
        work just as well?
      • Re:Biometrics (Score:3, Informative)

        by Coryoth (254751)
        Oh, that'll be just great. Chopping off fingers and plucking out eyeballs will be the new definition of "social engineering".

        No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy successfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left behind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousa
    • Re:Biometrics (Score:5, Insightful)

      by Blastrogath (579992) on Sunday August 08, 2004 @05:37PM (#9915423)
      If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.
      • Re:Biometrics (Score:3, Interesting)

        by molafson (716807)
        If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.

        That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, finger print, etc.
    • Biometrics are a nice idea, but what happens when someone compromises your account? You have to start using your other thumb...and if that is compromised?

      No, we need multi-element authentication systems that challenge users on more fronts. Tools like the ACE server, where you need your login, password and token number from a frob is a start. More work needs to be done on this problem, though.

      ttyl
      Farrell
    • Yeah right... (Score:4, Insightful)

      by imsabbel (611519) on Sunday August 08, 2004 @05:53PM (#9915521)
      Biometrics is just like passwords, just you can't change your fingerprint/iris scan/voice pattern after someone has exploited/stolen/copied yours.
      Great.
  • One time use? (Score:5, Informative)

    by slykens (85844) on Sunday August 08, 2004 @05:29PM (#9915344)
    SecurID and its like are your friends.

    While you maintain a reasonably secure password you're not logging in without the token.
  • Use a CueCat (Score:5, Insightful)

    by Safety Cap (253500) on Sunday August 08, 2004 @05:29PM (#9915348) Homepage Journal
    , as each one has a unique serial number encoded into its output. When you're ready to log in, plug in your :Cat, and use it to scan that barcode that only you know is the right one.

    Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.

  • by Oculus Habent (562837) * <oculus.habent@gmail . c om> on Sunday August 08, 2004 @05:30PM (#9915353) Journal
    I could see a password of substantial length made of a phrase. Say, 64+ characters, changed every two weeks might be fine. Especially if you have a well-read workforce, which might enjoy making note of significant passages.

    You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase every time you lock your station could become tedious if you are away from your desk often.

    Alternately, if you have a number of services at work that should have different passwords, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.
  • Pointless (Score:5, Insightful)

    by jolyonr (560227) on Sunday August 08, 2004 @05:30PM (#9915358) Homepage
    The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.

    I can't see any good reason to change passwords frequently, other than to limit the damage done from a successful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.
  • How about a password that you don't know and changes every 60 seconds? [rsasecurity.com]
  • Delays (Score:2, Insightful)

    by bobintetley (643462)

    just because a computer can crack a 32 char password in 10 seconds

    And will all software in the future not have any kind of delay to prevent this sort of attack? Even now, we have login/ssh services that delay a couple of seconds between failed attempts.
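
The delay idea in the comment above, together with the lock-out and denial-of-service points raised earlier in the thread, as an added example (not code from any poster): a throttle that grows the wait after each failure instead of locking the account outright, and tracks failures per account and source so that one noisy source does not shut out the real user. The class name, parameters and the documentation-range addresses are assumptions made for illustration.

```python
class LoginThrottle:
    """Exponential delay after repeated failed logins, instead of a hard lock-out.

    State is kept per (account, source) pair. That is a trade-off: it keeps a
    guesser at one address from locking out the legitimate user elsewhere, but
    an attacker spread over many sources needs an additional per-account limit.
    """

    def __init__(self, base_delay=2.0, max_delay=3600.0, free_attempts=3):
        self.base_delay = base_delay        # wait after the first throttled failure
        self.max_delay = max_delay          # cap, e.g. the "hour or so" reset
        self.free_attempts = free_attempts  # honest typos cost nothing
        self._state = {}                    # (account, source) -> (failures, next_allowed)

    def _delay_for(self, failures):
        over = failures - self.free_attempts
        if over <= 0:
            return 0.0
        # Cap the exponent so the float multiplication can never overflow.
        return min(self.base_delay * (2 ** min(over - 1, 32)), self.max_delay)

    def check(self, account, source, now):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        _, next_allowed = self._state.get((account, source), (0, 0.0))
        return max(0.0, next_allowed - now)

    def record_failure(self, account, source, now):
        failures, _ = self._state.get((account, source), (0, 0.0))
        failures += 1
        delay = self._delay_for(failures)
        self._state[(account, source)] = (failures, now + delay)
        return delay

    def record_success(self, account, source):
        self._state.pop((account, source), None)

    def attempt(self, account, source, password_ok, now):
        """Run one login attempt; returns (outcome, seconds_to_wait)."""
        wait = self.check(account, source, now)
        if wait > 0:
            # The password is not even evaluated while the delay is running.
            return "throttled", wait
        if password_ok:
            self.record_success(account, source)
            return "ok", 0.0
        return "denied", self.record_failure(account, source, now)


def simulate():
    """Constructed scenario: a guesser at one address, the real user at another."""
    throttle = LoginThrottle(base_delay=2.0, max_delay=60.0, free_attempts=3)
    guesser, owner = "192.0.2.10", "198.51.100.7"
    log = []
    for t in (0, 0, 0, 0, 1, 2, 3):
        log.append((t, guesser) + throttle.attempt("alice", guesser, False, t))
    log.append((3, owner) + throttle.attempt("alice", owner, True, 3))
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```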

  • by Kufat (563166) <kufat.kufat@net> on Sunday August 08, 2004 @05:31PM (#9915369) Homepage
    Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the passwordspace 3844 times, and that's assuming only uppercase, lowercase, and numbers.

    There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.
    • You are probably reasonably right on the basic probabilistic mathematics of this approach. However, I still take issue with your conclusions because:

      1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.

      2) I find that about 8 characters is the best for my general security. If use 8 character passwords, I use a lot of mnemonic devices. An 8 character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!,@, &, #, etc). If I get longer passwords, I tend to write out the phrases which although they tend to be in obscure languages still allow for an avenue of dictionary attack which might be otherwise difficult if I am using contractions.

      IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide somesort of passcode to unencrypt the key. This passcode could be biometric, passphrase-based, etc. They key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.
  • Just pick a long easy to remember password...?

    It's much harder to brute force crack a 11 character password than a 10 character and so on, so I don't really see the problem.

    A good way to make it easy to remember without resorting to mangled ASCII is to pick the first letter in a sentence you know (or the two first... you get the idea). You can end it with some other code you know since before, and you're set.
  • Bad assumption (Score:5, Insightful)

    by Phexro (9814) on Sunday August 08, 2004 @05:32PM (#9915373)
    You're assuming we won't have a better, harder-to-crack hashing mechanism by then.

    This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.
    • Re:Bad assumption (Score:5, Insightful)

      by grumbel (592662) <grumbel@gmx.de> on Sunday August 08, 2004 @05:51PM (#9915509) Homepage
      Shadow passwords aren't a hashing mechanism, all they do is store the hashes in a file that the users can't read. Just Unix permissions, pretty trivial after all.

      About crypt() vs MD5, I don't think that they make much difference when it comes to cracking actual passwords, all MD5 does is allow you to use longer passwords, it doesn't enforce it by any means. If your password is in a dictionary, no matter what hashing algo you use, I can brute force it in a few seconds.

      The only advantage a good hashing algorithm provides is that it ensures that you can't from a given hash calculate back the original password by other means than brute force. Brute force, however, will always work, no matter what algorithm you use. The only way to make a more secure password, is to use a better password, a better hash algo won't help a damn.
  • by D3 (31029)
    Our company uses tokens that change every 60 seconds. Try and guess that one with your computer. Password length is a minimum of 11 characters.

    It isn't that hard.

  • How about a (some large number)-bit DSA key on one of those USB thumbdisk thingamabobbers? Sun has those smart cards that get used for authentication, I'm sure one of those might come in handy too.

    As for passwords your average Joe six-pack/soccer mom is going to remember... they're easily cracked anyway, I fail to see what difference the future will bring.
  • It strikes me that if you have to require your end users to constantly change their passwords in order to prevent them from being cracked, that's your entire problem.

    Instead, you should be securing your system to prevent password lists being downloaded and to prevent multiple subsequent incorrect logins.

    Secure your own system. Don't expect your users to do it for you.
  • I really don't want [...] some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

    In order to crack a password you need to know the hashing formula and the expected result. If either is unknown then the only way to perform an attack (dictionary or otherwise) is to ask the protected service to validate each attempt. In that case, a simple time delay in the authentication procedure would stop most brute-force attacks. In *nix

  • I have my own system here: instead of learning one or more passwords, I've learned a small formula that I made up, that use the first 5 letters in a hostname and the date, and spews out a alphanumerical string.

    On my main box, where I log in often, the script never updates my password and the date is always set to the epoch, so I always use the same password. On boxes on which I log in infrequently, I have a small program to change the password every day, and I have to recalculate the password for the day.

  • typing
    kGNisksUI725K-{P#~iuiILl896&Tui@'p;p'HHP O~9yu* *(

    is going to be a pain in the ass for anyone if the input method is always going to be a qwerty keyboard...

    on the other hand a 20 dollar mongrel dog that I feed every day will never mistake me for anyone else...

    _electronic_ based biometrics however will completely suck
  • by G4from128k (686170) on Sunday August 08, 2004 @05:37PM (#9915414)
    At what point in time do employees spend more time (= money) creating, remembering and retrieving inscrutable passwords than they spend recovering from hacker incursions. An employee's ability to handle rapidly changing, complex passwords is fixed by evolution whereas, hackers' abilities to break or phish passwords is only going to increase. At some point the curves will cross and organizations will spend more to keep things locked than they lose with leaky passwords.
    • I used a security failure at my office last week to make exactly this point...

      No, nobody broke into the place. It's just that at 8am in the morning (when everybody's supposed to have shown up for work) stood myself (at that time, too new to have been issued keys) the summer intern (who will be never issued keys) and the sales rep (who thought he had been issued keys to open both the building and suite doors, but turns out to have been handed two building keys instead)... it'd forty-five minutes before the
  • Normal users (Score:5, Interesting)

    by Skiron (735617) on Sunday August 08, 2004 @05:37PM (#9915416) Homepage
    In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

    They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.

    Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.
  • Anderson's formula. (Score:5, Informative)

    by Anonymous Coward on Sunday August 08, 2004 @05:37PM (#9915419)
    How long does it take? Use Anderson's formula to figure it out.

    T = N/(PG)

    In this:
    1. T: The time units needed to guess the password
    2. G: The guess rate, or the number of attempts to guess the password in a single time unit
    3. P: The probability you want that the password is guessed. (Or use '1-P' to go the other direction.)
    4. N: The number of possible passwords, usually A^l, where
      1. A: Alphabet used for passwords. E.g., There are 96 printable ascii characters often used in passwords. Or maybe it's case insensitive, so subtract 26.
      2. l: The number of characters in the minimum password.


    So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly. :)

    Read more on Anderson's formula by googling. :)
  • who uses passwords to crack into systems?

    there are SO DAMNED MANY easy exploits that will get you root or admin, that you don't usually need passwords to crack into systems...

    that said, there is still a balance to maintain. passwords like "password" are just lame and too easy... a good 6-8 character password with letters, numbers, other will keep anyone from guessing passwords at random.

    but you still have to lock down your systems to keep out those pesky remote sploits.

    (also, the best password in the w
  • You can tell how long a person has been with the department by the numbers at the end of their password.

    myLittlePony24 They've been there at least 4 years

    darthVaderRulez4 Newbie


    What I don't like about all the new password rules like minimum of 8 characters, must have a special character and a number, change every X days, etc... is:
    They ignore the social engineering aspect.

    Walk around where I work after hours and after fun logging in as other people simply by reading the post-it notes stuck on
  • I think Moore's law only makes a difference when the attacker has a copy of your password shadow file. What is stopping me from changing what is stored in that file into something much more difficult to attack (a stronger hash)? Moore's law doesn't attack password strength, it attacks the strength of the algorithm that turns your password into the hash in shadow.
  • I prefer the concept of storing a large key on your thumbdrive, which you then need to plug in in order to log into your machine.
  • I mean, quite frankly, even as processing power increases, the human ability to remember passwords is not exactly getting better. There are techniques, such as mnemonics to help with remembering long generally difficult to guess/remember passwords, but these techniques are already there. Typed in password formats themselves can't really change much anymore. Biometric authentication will probably have to be the way to go.

    There's just no foreseeable way that existing password systems can be used to maintain
  • makemeapassword.com (Score:5, Interesting)

    by mgkimsal2 (200677) on Sunday August 08, 2004 @05:40PM (#9915451) Homepage
    Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

    makemeapassword.com [makemeapassword.com]
  • a simpler solution would be to make the password hashing algorithm much more complex and CPU-intensive.

    MD5 and SHA1 are just too fast. If a new hashing algorithm was used that took a second to compute rather than the microsecond or less that an MD5 hash takes, it would make brute-force or dictionary attacks on the password much much more difficult, but wouldn't really get in the way of people logging in - it's only a second.
  • by t_allardyce (48447) on Sunday August 08, 2004 @05:45PM (#9915476) Journal
    Windows XP's new password policy manager: "I'm sorry, that password has already been taken by user john, please choose another"

  • by termos (634980) on Sunday August 08, 2004 @05:47PM (#9915489) Homepage
    Luckily I have Gator [gator.com] for remembering all my passwords!
  • Hmm (Score:4, Insightful)

    by Erwos (553607) on Sunday August 08, 2004 @05:51PM (#9915514)
    I was reading a textbook about this very issue just a couple days ago at work (I was bored, and there it was in lost and found pile). Don't recall the name, but it was basically about biometrics for security purposes.

    The book stated near the very beginning that, basically, passwords are useless because the really secure ones are hard to remember, and that little problem causes people to do other things that mostly destroy the security of a "secure" password anyways (such as the infamous post-it note on the monitor).

    The book's solution was fairly common-sense: implement different layers of security. That is to say, a password on its own is bad, but a token+password (say, USB memory stick with access code) can actually be a lot better.

    The best stated was "bio+token+password". Seems reasonable to me, at least.

    -Erwos
  • crack ratio (Score:3, Informative)

    by epine (68316) on Sunday August 08, 2004 @05:52PM (#9915515)
    Good grief, people. The size of the password space determines the ratio of the time it takes to check the *entire* password space vs checking only the correct password (normal logon).

    The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).

    There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.

    A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.
  • by jncook (4617) on Sunday August 08, 2004 @05:52PM (#9915519) Homepage
    To quote Bruce Perens, if security really matters, you should base it on three things:

    * Something you know (password or PIN)
    * Something you have (badge or bank card)
    * Something you are (thumbprint, hand scan, voice check)

    This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

    Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

    For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

    James
  • by sanermind (512885) on Sunday August 08, 2004 @05:55PM (#9915534)
    As computers get faster, simply use more difficult and time consuming algorithms to verify passwords. If you use a verification step that takes 256 times as long [even for the same old 6-character password], when computers get eight times faster, they are worse off than they were before in trying to brute-force the password.
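
Added example (not part of the archived thread): the two comments above, by epine and sanermind, both describe holding the cost of one password check fixed as hardware speeds up. This sketch does that with PBKDF2 from Python's standard library; the 50 ms target, the 20,000-round probe and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def calibrate_iterations(target_seconds=0.05, probe=20_000):
    """Pick the PBKDF2 round count that costs about target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\0" * 16, probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))

def hash_password(password, iterations, salt=None):
    """Return the stored record: (salt, iterations, derived key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password, record):
    """Recompute the key at the record's own cost and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)

def login(password, record, current_iterations):
    """Verify, and re-hash at today's cost if the record was made on slower hardware."""
    if not verify_password(password, record):
        return False, record
    if record[1] < current_iterations:
        record = hash_password(password, current_iterations)
    return True, record

def exhaustive_search_seconds(alphabet, length, seconds_per_guess, speedup=1.0):
    """Time to try every password when each guess costs seconds_per_guess."""
    return alphabet ** length * seconds_per_guess / speedup

if __name__ == "__main__":
    rounds = calibrate_iterations()
    # "hunter2" is a constructed sample; the old record uses a low round count.
    ok, record = login("hunter2", hash_password("hunter2", 1_000), rounds)
    print("rounds for ~50 ms:", rounds, "login ok:", ok, "stored rounds:", record[1])
    for cost in (1e-6, 1e-3, 0.05):
        days = exhaustive_search_seconds(26, 6, cost) / 86_400
        print(f"6 lowercase letters at {cost:g} s per guess: {days:,.2f} days")
```

Re-running the calibration on each hardware refresh and upgrading records at login keeps the per-guess cost, and so the exhaustive-search time, from shrinking as machines get faster.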
  • by BeerSlurpy (185482) on Sunday August 08, 2004 @06:35PM (#9915811)
    Where to begin?

    First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.

    Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.

    Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).

    Fourth, much of the software we use to perform infrastructure functions is hopefully out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.

    And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?
  • by ecloud (3022) on Monday August 09, 2004 @02:26AM (#9918106) Homepage Journal
    Every computer needs either a smart-card slot or an iButton reader, and by logging in with that, you ought to be able to do challenge-response or rolling-code authentication on every system to which you are allowed access, with the key doing the computations on board. Passwords ought to be obsolete by now, or supplementary in ultra-high-security systems only. Certainly by the time the sysadmins decide that they have to be so long and changed so often, that you haven't a prayer of remembering them, then it's high time to replace them with something else.
  • by routerwhore (552333) * on Monday August 09, 2004 @06:21AM (#9918707) Homepage
    I have been thinking of a way to deal with complex passwords for simple users lately and it has led me to keyboard patterns. For instance, if you look at the password 12qwas!@QWAS, it is a 12 character password that includes 2 numbers, 4 lowercase letters, 4 uppercase letters and two punctuation. It would take forever and a day to break it...but look how easy it is to type.

    This leads me to the conclusion though that there are probably much fewer intuitive keyboard patterns than there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.
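
Added example (not part of the archived thread): a password-policy check that flags keyboard-walk passwords such as the 12qwas!@QWAS quoted in the comment above, even though they satisfy length and character-class rules. It assumes a US QWERTY layout, treats keys as neighbours when they are at most one row and one column apart (ignoring row stagger), and the thresholds are illustrative assumptions.

```python
# US QWERTY rows, unshifted and shifted; both forms map to the same physical key.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

KEY_POS = {}
for row, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for col, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = KEY_POS[s] = (row, col)

def adjacent(a, b):
    """True when both characters are on the grid and their keys touch (or are the same key)."""
    pa, pb = KEY_POS.get(a), KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1

def walk_stats(password):
    """Return (fraction of key-to-key steps that are adjacent, longest adjacent run in characters)."""
    if len(password) < 2:
        return 0.0, len(password)
    steps = [adjacent(a, b) for a, b in zip(password, password[1:])]
    longest = run = 1
    for step in steps:
        run = run + 1 if step else 1
        longest = max(longest, run)
    return sum(steps) / len(steps), longest

def is_keyboard_pattern(password, min_fraction=0.7, min_run=4):
    """Reject passwords that are mostly a walk across neighbouring keys."""
    fraction, longest = walk_stats(password)
    return fraction >= min_fraction and longest >= min_run

if __name__ == "__main__":
    # The first sample is quoted in the comment above; the others are constructed.
    for sample in ("12qwas!@QWAS", "qwertyuiop", "kT9#mVz2"):
        fraction, longest = walk_stats(sample)
        verdict = "reject" if is_keyboard_pattern(sample) else "accept"
        print(f"{sample:14} adjacent={fraction:.2f} longest_run={longest} -> {verdict}")
```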

  • Live example (Score:3, Interesting)

    by bolix (201977) <bolix@h[ ]ail.com ['otm' in gap]> on Monday August 09, 2004 @11:17AM (#9920279) Homepage Journal
    Recent research [cam.ac.uk] supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.

    Here in work I've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (it's a MS shop).
    Passwords:

    * Vary between Upper and Lower case
    * Contain at least 1 number
    * Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
    * Forced change every 90 days
    * Differ from the 3 passwords used previously

    In addition we encourage users to pick strong passwords:

    Good Passwords contain:

    * Multiple small words (let me in now: LetM3In0w)
    * Unusual keys (open at eight : 0pEn@Ate)
    * Personal Acronyms (open now please : 0pN0Plez)
    * Replace letters with numbers (close please : C7o53p7z)
    * Misspelled or nonsense words (close please : klOz3PeaZ)
    * Offset the Number/Word (to home sweet : H0m325we3t)
    * Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
    * A combination of the above!

    Bad Passwords contain:

    * Countries or Place names
    * Names (First or Last)
    * Anything Workplace related
    * Historical events and Dates
    * Personal information: Phone numbers, Birthdays or Social Security numbers
    * Dictionary (English and Foreign language) words
    * Consecutive numbers
    * Popular phrases separated by spaces, underscores or a hyphen

    I recently conducted an audit using the excellent @stake LC5 [atstake.com]. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.

    It got many "strong passwords" chosen using the above methodology which is similar to the previous post [makemeapassword.com]. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.

    The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.

    I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer [itconversations.com] and evidently vindictive successive OSX disclosure [securityfocus.com] campaign.
