Passwords - 64 Characters, Changed Daily?
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and/or mouse and/or monitor, etc.)"
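The submitter's question ("how are we expected to change them in the next 2-10 years, and how often?") has a short quantitative answer for uniformly random passwords. The following is an added worked example, not part of the submission or the thread; the numbers it assumes (guessing throughput doubling every 18 months, a starting rate of 1e9 guesses/s, a 95-character printable-ASCII alphabet, and the requirement that exhaustive search of the keyspace outlast one rotation window) are assumptions chosen for illustration.

```python
"""Password length vs. guessing hardware: an added worked example.

Assumptions (not from the page): attacker throughput doubles every 18 months
(the usual Moore's-law reading), a starting rate of 1e9 guesses/s, passwords
drawn uniformly from the 95 printable ASCII characters, and a policy that
only requires exhaustive search to outlast the rotation window.
"""
import math

SECONDS_PER_DAY = 86_400
PRINTABLE_ASCII = 95        # assumed alphabet size for a random password


def guess_rate(rate_now, years_ahead, doubling_years=1.5):
    """Guesses per second after years_ahead years if throughput doubles
    every doubling_years (assumed 18 months)."""
    return rate_now * 2 ** (years_ahead / doubling_years)


def bits_to_resist(rate, window_seconds):
    """Entropy a password needs so that exhaustive search at `rate`
    guesses/s is not finished within window_seconds. Each doubling of the
    rate or of the window costs exactly one more bit."""
    return math.log2(rate * window_seconds)


def min_length(bits, alphabet_size=PRINTABLE_ASCII):
    """Shortest uniformly random password over alphabet_size symbols that
    carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def length_schedule(rate_now, window_days, alphabet_size=PRINTABLE_ASCII,
                    years=range(11)):
    """Required random-password length for each year ahead, given a
    rotation window of window_days (the keyspace must outlast one window)."""
    window = window_days * SECONDS_PER_DAY
    return {y: min_length(bits_to_resist(guess_rate(rate_now, y), window),
                          alphabet_size)
            for y in years}


def extra_chars_per_decade(alphabet_size=PRINTABLE_ASCII, doubling_years=1.5):
    """Characters that must be added every ten years just to stand still:
    10/doubling_years extra bits, divided by the bits one character carries."""
    return (10 / doubling_years) / math.log2(alphabet_size)


if __name__ == "__main__":
    schedule = length_schedule(1e9, window_days=90)
    for year, length in schedule.items():
        print(f"year +{year:2d}: {length} random printable-ASCII characters")
    print(f"growth: {extra_chars_per_decade():.2f} characters per decade")
```

Under these assumptions a random printable-ASCII password needs 9 characters today and 10 a decade out: Moore's law alone costs about one character per decade, not a daily change. Two caveats a practitioner should keep in mind: an attacker expects to succeed after searching half the keyspace, so add a bit of margin, and a human-chosen password carries far less than log2(95) bits per character, so this schedule is the floor for machine-generated passwords, not for mnemonics.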
Cost of Passwords vs. Cost of Incursion (Score:3, Interesting)
Normal users (Score:5, Interesting)
They still write them down and still 'share': if somebody hasn't got access to a file share the other has, but he/she wants them to look at something (they don't even *think* about the option of copying it to a public share), then they give out passwords.
Plus normal users forget them after a few days of work anyway. I usually reset around 5 passwords on Monday mornings after people have had two days off work, plus an average of 10 a week afterwards, on a user base of 150.
Re:Use a CueCat (Score:3, Interesting)
Heh heh... ironically, the CueCat wasn't exactly the height of security back in the day, and most Slashdotters who have one have probably long since removed the EEPROM that transmitted the cat's real unique ID.
makemeapassword.com (Score:5, Interesting)
makemeapassword.com [makemeapassword.com]
Re:Just do what I do (Score:2, Interesting)
Re:Biometrics (Score:3, Interesting)
That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, finger print, etc.
Something you know, you have, and you are (Score:4, Interesting)
* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)
This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)
Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.
For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.
James
Moores law needn't require longer passwords... (Score:4, Interesting)
Tracking Usage as Verification (Score:2, Interesting)
Tracking this sort of statistical information could be useful in verifying that the current user is who they should be. There is no password to remember or forget. After the computer is statistically "sure" that the user isn't who it should be, there are several steps that could be taken. One of them would be to simply notify an admin. Another would be to immediately lock the user out. Or, what I think is the best idea, offer a challenge question: "What month were you born in?" If they cannot answer the question correctly with a fair amount of rapidity, lock them out.
I think this sort of tool could be the ubercool way to ensure the user is who they say they are. Of course the possible downside to this is not being able to have someone log in and check something for you (maybe a good thing?).
Has this been tried, developed, or thought of? If not, I call prior art on anyone who patents it
Re:Just do what I do (Score:5, Interesting)
As soon as I see an attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter whether I changed it on Monday or last year: it will still take more time to crack than will pass before I check the logs.
Re:Just do what I do (Score:2, Interesting)
Re:Just do what I do (Score:4, Interesting)
Re:Exponential growth problem (Score:4, Interesting)
1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.
2) I find that about 8 characters is the best for my general security. If I use 8-character passwords, I use a lot of mnemonic devices. An 8-character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!, @, &, #, etc.). If I get longer passwords, I tend to write out the phrases which, although they tend to be in obscure languages, still allow for an avenue of dictionary attack which might be otherwise difficult if I am using contractions.
IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide some sort of passcode to decrypt the key. This passcode could be biometric, passphrase-based, etc. The key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.
Re:Moores law needn't require longer passwords... (Score:2, Interesting)
sweet someone should tell my company (Score:4, Interesting)
First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.
Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.
Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).
Fourth, much of the software we use to perform infrastructure functions is hopelessly out of date, such that there are many published root-level vulnerabilities for nearly every service running on our network.
And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?
Re:Just do what I do (Score:3, Interesting)
Smart people are also the ones who ask questions like "Why are we doing this?", while the dumb ones say "Because we have always done it this way". Just because a smart person suggests something, that doesn't guarantee it's a smart thing to do.
Forcing changes in passwords that guarantee that users will write the new password on post-it notes on their monitors is not smart either. I know, I see it all the time, and the users simply do NOT get why this is dangerous. They don't even care; if the system is screwed, they will just bitch until it's back up again. There is no *PRICE* for their ignorance, so they don't learn.
This is why I try to put a price on it. When users do stupid things, it always causes the firewall to go down. (hint hint) You installed a screensaver? It made the firewall go down, you can't get on the net for a day. You launched an attachment? It messed up the firewall, your station can't get on the net for a day until I fix it. You installed a game on your system? Man, that may take a couple of days to fix the firewall then... Don't even think about using your own mouse, keyboard, or software programs. That will probably crash the computer, and it will be down for a week. Shitty, yes, but as an admin, it's easier to generate fe3r from idiots than it is to educate them, and it certainly requires less work on my part.
I am a self-professed asshole admin. It's only a small part of my job description, so I can't spend all day fixing things. I should write a journal on this; I can make BOFH look like a freaking sweetheart, except mine isn't fiction. And yes, it works wonderfully.
Re: Or what I do (Score:4, Interesting)
Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I set them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly -and changing a password is exceedingly easy.
Here's a visualization for the letter A starting from the key V: The plain password is: vgy7ujmh
Using alternate shift: VgY7UjMh or vGy&uJmH
This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm -for example for Slashdot, a password could be made from letters 'slash' (on a dvorak here, sorry):
qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f
Variation made easy. Try it.
USB key. (Score:2, Interesting)
Put the processor in a USB device and have some biometrics verification on the device.
Re:Just do what I do (Score:3, Interesting)
Seems like the perfect place to advertise my open source Strong Password Generator [mytsoftware.com].
Re:makemeapassword.com (Score:2, Interesting)
to get a new passwd if I can't think of one, and store it in a gpg-encrypted file in a (rather) secure location until I can remember it
Crypticide - (Score:1, Interesting)
Alec Muffett [crypticide.com], author of Crack, the password cracker [crypticide.com] has an ongoing project [crypticide.com] to document & educate why reusable passwords are bad [crypticide.com].
Oh, and no, I'm not Alec, just a friend [csamuel.org] who happens to agree that they're well past their use-by date.
Re:Just do what I do (Score:3, Interesting)
Those two are not necessarily related.
You can have easy to remember, well, relatively easy to remember, passwords that would be tough to crack.
My favorite approach is to create nonsense type phrases with some odd punctuation.
For example, something like:
I borrowed all the books from the library! and read them both.
or
An ultranet in a test tube is truly a fine thing to behold?
Or you could also take a favorite quote and modify it somewhat.
For example, instead of
The pen is of no avail against the sword, but the pen and the sword will always prevail over the sword alone.
by Albert Camus, how about
The cat is of no avail against the skunk, but the cat and the skunk will always prevail over the skunk alone.
Of course, you don't want to have to enter passwords like that too often.
Writing a password down is not that much of a problem. Most people will achieve greater security if they use a password complex enough that they really do need to write it down than if they choose an easy to remember password that they can easily remember.
But your point about the secure location is valid.
Re:Just do what I do (Score:3, Interesting)
The boss's secretary was presented with the change password dialog one morning. It would not accept any of her desired new passwords.
I said "You can't use your son's name anymore". The look on her face was priceless. I was amazed too; I thought this sort of thing only happened on the TV.
The really sad thing is that a cleverly crafted spoofed email from me is all it would take to gain half of the passwords in here. People already know I spoof emails using the webserver. I've told them how easy it is to do. They would still hit that reply button and tell me their password.
Still amazes me to this day.
Is complex better than long? (Score:2, Interesting)
Complex passwords for Simple Users (Score:3, Interesting)
This leads me to the conclusion, though, that there are probably far fewer intuitive keyboard patterns than there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.
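The post above and the earlier "Or what I do" post (the "vgy7ujmh" letter-A pattern and its shift variants) describe the same thing from opposite sides: a password built by tracing a shape on the keyboard, and a cracking dictionary built from such shapes. The following is an added example, not code from either poster, that scores how much of a password is keyboard-adjacent hops and counts how small a pure keyboard-walk dictionary is compared with the full 8-character keyspace. The QWERTY row layout, the stagger offsets and the 1.2 key-width adjacency threshold are assumptions about a US keyboard, and the walk count assumes only adjacent hops (which is why "vgy7ujmh" scores 6/7: the crossbar hop m to h is not adjacent).

```python
"""Keyboard-walk scoring and walk-dictionary sizing for QWERTY passwords.

Added example: the row layout, stagger values and 1.2 key-width adjacency
threshold are assumptions about a US QWERTY keyboard, not from the page.
"""
import math

# Physical rows with their horizontal stagger in key widths: 'q' sits half a
# key right of '1', 'a' one key right, 'z' one and a half. A key's x
# coordinate is its index in the row plus the stagger, so diagonal
# neighbours are about 1.1 key widths apart and same-row neighbours 1.0.
ROWS = (
    ("1234567890-=", 0.0),
    ("qwertyuiop[]", 0.5),
    ("asdfghjkl;'", 1.0),
    ("zxcvbnm,./", 1.5),
)
KEY_POS = {ch: (i + stagger, y)
           for y, (row, stagger) in enumerate(ROWS)
           for i, ch in enumerate(row)}

# Shifted symbols map back to the physical key that produces them, so the
# "alternate shift" variants in the post are the same walk.
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))


def physical_key(ch):
    """Fold case and shift: 'G' and 'g' map to 'g'; '&' maps to '7'."""
    ch = ch.lower()
    return SHIFTED.get(ch, ch)


def adjacent(a, b):
    """True when two distinct keys touch on the keyboard (diagonals included)."""
    if a == b or a not in KEY_POS or b not in KEY_POS:
        return False
    (x1, y1), (x2, y2) = KEY_POS[a], KEY_POS[b]
    return math.hypot(x1 - x2, y1 - y2) <= 1.2


ADJ = {k: [n for n in KEY_POS if adjacent(k, n)] for k in KEY_POS}


def walk_score(password):
    """Fraction of consecutive keystrokes that are keyboard-adjacent:
    1.0 for 'qwerty', near 0 for a random string."""
    keys = [physical_key(c) for c in password]
    if len(keys) < 2:
        return 0.0
    hops = sum(adjacent(a, b) for a, b in zip(keys, keys[1:]))
    return hops / (len(keys) - 1)


def count_walks(length):
    """How many key sequences of this length consist only of adjacent hops
    (revisits allowed): the size of a pure keyboard-walk dictionary.
    Counted by dynamic programming, so length 8 is instant."""
    paths = {k: 1 for k in KEY_POS}          # walks of length 1 ending at k
    for _ in range(length - 1):
        paths = {k: sum(paths[n] for n in ADJ[k]) for k in KEY_POS}
    return sum(paths.values())


def generate_walks(start, length):
    """Enumerate every adjacent-hop sequence of the given length from start;
    the output is exactly the wordlist the post speculates about."""
    if length == 1:
        yield start
        return
    for nxt in ADJ[start]:
        for rest in generate_walks(nxt, length - 1):
            yield start + rest


if __name__ == "__main__":
    for pw in ("vgy7ujmh", "vGy&uJmH", "qwerty", "p1z0a9"):
        print(f"{pw:10} walk score {walk_score(pw):.2f}")
    walks = count_walks(8) * 2 ** 8          # x256 for shift on/off per key
    print(f"8-key walks incl. shift variants: {walks:,}")
    print(f"8-char printable-ASCII keyspace:  {95 ** 8:,}")
```

Case and shift folding is what makes the "alternate shift" trick worthless against this kind of dictionary: "VgY7UjMh" and "vGy&uJmH" are the same eight physical keys, and trying both shift states per key only multiplies the wordlist by 2^8, which is nothing next to the millions-to-one gap between the walk dictionary and the full keyspace.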
Re:Just do what I do (Score:3, Interesting)
Re:decent compromise between security and convenie (Score:4, Interesting)
You mean those locking drawers where the key number is stamped on the lock?
I usually place a sticky note with a random number of characters under my keyboard. It looks like a password, and may even BE someone's password.
But it is not MY password and it is not close to my password. This entertains whoever is trying to break into my computer for hours....
Live example (Score:3, Interesting)
Here at work I've implemented a reasonable-level (read: what you get for free from MS) password policy on the GC/DC (it's an MS shop).
Passwords:
* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously
In addition we encourage users to pick strong passwords:
Good Passwords contain:
* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!
Bad Passwords contain:
* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen
I recently conducted an audit using the excellent @stake LC5 [atstake.com]. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.
It got many "strong passwords" chosen using the above methodology, which is similar to the previous post [makemeapassword.com]. I am not too worried, as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.
The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.
I am actively looking into 3rd-party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from anyone in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer [itconversations.com] and evidently vindictive successive OSX disclosure [securityfocus.com] campaign.
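The poster's audit is the interesting part of this thread: passwords built by the "Good Passwords" recipes (LetM3In0w, 0pEn@Ate, C7o53p7z) passed the domain policy yet fell to LC5's hybrid dictionary/brute-force mode, because a hybrid rule simply undoes the letter-for-digit substitutions and tries the wordlist again. The following is an added example, not the poster's code or LC5's: it implements the five policy rules listed above (mixed case, a digit, 8+ characters, not one of the last 3) and then runs the "routine check" the poster wants, reversing leet substitutions and measuring how much of the result can be tiled with dictionary words. The LEET table and the tiny WORDLIST are constructed stand-ins for a cracker's mangling rules and wordlist; the 60% coverage threshold is an arbitrary choice.

```python
"""Password-policy check plus a hybrid-attack (de-leet) dictionary test.

Added example: the LEET table and the tiny WORDLIST are constructed here to
stand in for a cracker's mangling rules and wordlist; neither is from the
page, and a real deployment would load a wordlist of ~10^5 entries.
"""
import itertools

# Reverse of the substitutions users make (and that hybrid rules undo).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "6": "g",
        "7": "tl", "8": "b", "9": "g", "@": "a", "$": "s", "!": "i",
        "+": "t", "|": "l"}

# Constructed stand-in for a real cracker wordlist.
WORDLIST = {"let", "me", "in", "now", "ow", "open", "at", "ate", "eight",
            "close", "please", "home", "sweet", "the", "brave", "of",
            "pass", "word", "love", "secret", "summer", "you", "are", "and"}


def policy_violations(password, history=()):
    """The post's rules: mixed case, a digit, 8+ chars, not one of the last 3."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password in tuple(history)[-3:]:
        problems.append("matches one of the last 3 passwords")
    return problems


def deleet_candidates(password, limit=256):
    """Every way of undoing the LEET table on the lower-cased password.
    Unmapped digits and symbols are treated as padding and dropped, which
    is what a hybrid rule that appends or inserts characters would do."""
    options = []
    for ch in password.lower():
        if ch.isalpha():
            options.append([ch])
        elif ch in LEET:
            options.append(list(LEET[ch]))
    return ["".join(p) for p in
            itertools.islice(itertools.product(*options), limit)]


def dictionary_coverage(password, wordlist=WORDLIST):
    """Largest fraction of the de-leeted letters that can be tiled with
    wordlist entries (dynamic programming over each candidate)."""
    best = 0.0
    for cand in deleet_candidates(password):
        n = len(cand)
        if n == 0:
            continue
        covered = [0] * (n + 1)          # covered[i]: best tiling of cand[:i]
        for i in range(1, n + 1):
            covered[i] = covered[i - 1]
            for w in wordlist:
                L = len(w)
                if L <= i and cand[i - L:i] == w:
                    covered[i] = max(covered[i], covered[i - L] + L)
        best = max(best, covered[n] / n)
    return best


def assess(password, history=(), threshold=0.6):
    """Policy violations plus a flag when the password is mostly
    dictionary words in disguise."""
    problems = policy_violations(password, history)
    coverage = dictionary_coverage(password)
    if coverage >= threshold:
        problems.append(f"{coverage:.0%} dictionary words after undoing "
                        "substitutions (hybrid-attack target)")
    return problems


if __name__ == "__main__":
    for pw in ("LetM3In0w", "0pEn@Ate", "C7o53p7z", "H0m325we3t",
               "klOz3PeaZ"):
        print(f"{pw:12} {assess(pw) or 'ok'}")
```

Run on the post's own examples, the policy accepts all five, but the de-leet check flags the four that are substituted English ("letmeinow", "openaate", "closeplz", "homesweet") and lets only the nonsense word "klOz3PeaZ" through, which is the same split the LC5 run produced: substitution and offset tricks are undone by a rule, misspelled nonsense is not. The lockout policy the poster mentions is the right companion for online guessing, but it does nothing against an offline attack on an exported SAM, which is the case this check is for.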