Are Strong Passwords All That Strong?
pondering-on-passwords asks: "I work at a company that is planning to implement strong passwords to increase network security. Personally, I think that this may be counterproductive since the passwords will tend to be more cryptic than most people are used to and I believe that they will write them down and leave them very close to their computers. I think this will be a greater risk for our traveling people using laptops. A strict security policy that is enforced may help some, but I still believe that people will end up making their passwords more accessible in the end. I am trying to find some information for or against implementing strong passwords, statistics on security breaches, etc. to back up my beliefs. Of particular interest would be material specifically on strong passwords, types of security breaches (i.e. social engineering, exploiting system vulnerabilities, password cracking, password theft, etc.), and possible alternative security methods (i.e. hardware tokens)."
Re:Easy to remember, hard to crack passphrases (Score:1)
determined attacker. [who can use a computer to generate all possible first letter (last letter, second letter, etc) combinations]
An improvement is to MAKE UP the phrase that you are using for your password, and do so using "funny" notions. "The Red car flies over the clocktower at 9:15" = TRcfotc915
(I suggest you don't use exactly that particular one
Writing Down Passwords (Score:1)
What I would prefer is a hardware token, like those gadgets that the gasoline companies are advertising for instant service at their pumps. The token could store a large number of random bits, and a processor that could use those bits to encrypt a response to a challenge from the computer.
Re:Differing opinion (Score:1)
The real reason is to set a time limit on theoretical brute force attacks against your passwd file. It's still an open question whether this is needed. Obviously you should have some variant of cracklib in your passwd program to thwart dictionary attacks.
hardware token (Score:1)
Here's [ibutton.com] a very nice hardware token implementation.
Should be easier to sell to corporate as a combined physical security and network security solution. (Replacing keycards and network passwords.)
Re:Easy to remember, hard to crack passphrases (Score:1)
I think you probably mean John the Ripper [openwall.com]
Re:Think process (Score:1)
A friend of mine is a prison officer. He told me he has inmates who can view a door key for a few seconds and then make a working copy from memory.
If you can get your hands on a key for a few seconds you can make a wax impression (assuming you planned in advance).
--
Re:Creating easy to remember, yet secure passwords (Score:2)
Yeah, but cracking a 5-word DiceWare passphrase on any UNIX system is no more difficult than cracking an 8-character password on UNIX - crypt() uses 8 characters at most. That's it. The following 'passwords' are equivalent.
This space for rent. Call 1-800-STEAK4U
Re:Creating easy to remember, yet secure passwords (Score:2)
And if the only UNIX flavor you run at your company is Linux, then you will be fine. However, crypt() is still the default method on most other unixes out there.
This space for rent. Call 1-800-STEAK4U
Use SSH|SSH2 with key authentication (Score:2)
Using SSH|SSH2 with RSA|DSA authentication eliminates having to type passwords and is *much* harder to beat than guessing passwords.
Ta da! I'm in.
grub
Re:Use SSH|SSH2 with key authentication (Score:2)
These boxes are all OpenBSD behind a strong FreeBSD firewall. No, I'm not blind to the risks, but I've decided that they are minimal. If I were running Linux then I would be concerned and would password protect my local machines.
Re:Differing opinion (Score:1)
Changing passwords the problem (Score:1)
If the company you work for wants to exceed the above requirements they should consider biometrics, smart cards, or any number of physical security methods. Not longer passwords.
Re:Creating easy to remember, yet secure passwords (Score:1)
What's the exposure? (Score:4)
What is the exposure to risk?
System-level root passwords need to be *hard*, if you use them at all. I generally create them with a recursive MD5 hash (with random salt mixed in) until I have a password with two uppercase, two lowercase, 2 punctuation, one digit, and one wildcard character. NOBODY will remember it, but nobody has to - these passwords are written onto a 3x5 card, sealed in an envelope, and locked up in a desk against truly dire circumstances.
Anyone with root access via sudo should be able to choose their own password intelligently. If their password is compromised, it's a mandatory written reprimand. This tends to make them careful about ensuring that they NEVER use unencrypted channels - no telnet, no ftp. This might seem harsh, but if a sysadmin is sloppy about choosing their password or tools then they're probably sloppy elsewhere, and repeated violations are grounds for serious concern.
As for everyone else - if an attacker can do much damage with these accounts then the finger still points at the sysadmins. The problem, in this case, isn't the bad password, it's the bad file permissions, unapplied security patches, etc.
For other reasons these users should still have reasonable passwords, but until you have shut off every single service that uses unencrypted or trivially encrypted traffic (telnet, ftp, pop3/imap, etc.) then you're just pissing in the wind if you're counting on them to protect your system. Check the password against cracklib to get users in the habit of choosing good passwords (e.g., no "bob2" passwords), but otherwise put your attention someplace where it will do some good.
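The post above recommends running candidate passwords through cracklib-style checks so that choices like "bob2" never get accepted. This is an added example, not the poster's code and not cracklib itself: a small policy filter in Python that applies the same kinds of tests (length, derivation from the username, a dictionary word with trivial decoration or leet substitutions, keyboard runs, repeated characters, character-class diversity). The word list and keyboard runs are constructed stand-ins; a real deployment would load the system dictionaries.

```python
import re

# Constructed mini dictionary standing in for the word lists a cracklib-style
# checker would load from the system; real deployments use the full files.
DICTIONARY = {"bob", "eagle", "password", "secret", "welcome", "dragon", "asdf"}

# Constructed list of keyboard runs to reject (forwards and backwards).
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "abcd")

# Common leet substitutions undone before the dictionary lookup.
UNLEET = str.maketrans("0134$@5", "oleasas")


def weaknesses(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password would be rejected.

    An empty list means the password passed every check. The checks mirror
    what cracklib-style filters do: minimum length, username derivation,
    dictionary word plus trivial decoration, keyboard runs, repeats, and
    character-class diversity.
    """
    reasons = []
    low = password.lower()

    if len(password) < 8:
        reasons.append("shorter than 8 characters")

    # The username itself, or the username reversed, anywhere in the password.
    if username:
        u = username.lower()
        if u in low or u[::-1] in low:
            reasons.append("derived from the username")

    # Strip leading/trailing digits and punctuation ("bob2", "!eagle1"), undo
    # leet substitutions, and see whether a dictionary word is what remains.
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)
    if core in DICTIONARY or core.translate(UNLEET) in DICTIONARY:
        reasons.append("dictionary word with trivial decoration")

    for run in KEYBOARD_RUNS:
        if run in low or run[::-1] in low:
            reasons.append(f"keyboard sequence '{run}'")
            break

    if re.search(r"(.)\1{2,}", password):
        reasons.append("a character repeated three or more times")

    # Count how many of the four character classes appear.
    classes = sum(
        bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes < 3:
        reasons.append("fewer than three character classes")

    return reasons


if __name__ == "__main__":
    for pw, user in (("bob2", "bob"), ("eagle1", ""), ("asdf", ""), ("SwaSGtdts1m", "")):
        print(f"{pw!r}: {weaknesses(pw, user) or 'accepted'}")
```

The point of returning every reason rather than a bare yes/no is the complaint raised elsewhere in this thread: a checker that refuses a password without saying why drives users to "asdf" and a sticky note. Feeding the reasons back to the user is what makes the policy teach good habits instead of just enforcing a rule.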
Re:Think process (Score:1)
Re:Some programs (Score:1)
Re:Think process (Score:2)
If you require a complex password, you must give people time to think about it and let them know the rules or else they will pick a bad password every time. Nothing will get a password written down faster than a computer insisting on complex password. The ones that won't tell you why a password is bad are even worse since people will give up and end up with "asdf" (which is in most crack dictionaries) and will be written down.
A written down password is a waste of time and effort -- you might as well just say the terminal is ok for that user and skip the user authentication step.
From time to time I have run experiments on getting users to generate their own good passwords. They tend to fail. In one US Gov department at least 25% of the people picked (independently as far as I could tell) "eagle1" as their password when given the wording "a password must be at least 5 characters and must contain a digit or a symbol".
Some rules for "good passwords" are just stupid. For example the rule that you can't use the same letter twice. That is a good way to keep the shoulder surfers guessing.
If you start checking passwords against a dictionary, you end up getting most people that know a foreign language to use a non-English word that is very likely to be "password" translated.
A friend of mine used to "hack" systems when he was in high school. He had a list of 25 passwords that would get him in most places. He also is very good at social engineering and had no real problem playing with anything he wanted.
I guess when it comes to passwords, we all know you can lose but it looks like you can't win either.
Re:Think process (Score:2)
I have to disagree. I only need to view the paper for a second to break the security, while I'd have to remove your key, go get it copied, and return it.
If you're consulting that paper every time you log in, shoulder surfing becomes a real possibility.
Tom Swiss | the infamous tms | http://www.infamous.net/
Written passwords are not much of an issue. (Score:2)
It is not a matter of whether the user is going to write the password down or not. It is a matter of physical security.
-Adam
This sig 80% recycled bits, 20% post user.
How about passface? (Score:2)
Re:BOOK (Score:2)
As a side note, if you want to see for yourself just how bad seemingly good passwords are, go download one of the many password cracking/checking programs out there and run the passwords you use through it. See just how fast it can be done. When we did our "break-in" lab for my Information Warfare class last semester, even most of the passwords that had been uncrackable in past semesters were broken. Gets that point across real fast. Basically, if your company is serious about increasing authentication security, they need to look at better ways than just requiring "strong" passwords.
---
Weakest link (Score:1)
As it turns out, his strategy was useless, because he *did* get cracked, but the attacker got in through a service vulnerability (the portmap bug in Red Hat Linux a few months ago).
So always remember that a security strategy is only as strong as its weakest part; and if you're going to use strong passwords (strong enough that even you have problems remembering them), you also have to make sure the rest of your security is as strong as that. Otherwise, just don't bother; use your own name as your password. :)
Obvious password detector (Score:2)
Easy to remember, hard to crack passphrases (Score:3)
Pass phrases are probably the easiest remedy.
Just have your users pick a phrase from a current song that they like, and use the first letter from each word as a character in the password. Substitute numbers for certain characters, capitalize proper nouns etc. (e.g., She was a Sour Girl the day that she left me == SwaSGtdts1m)
Very easy to remember, but still pretty darn hard to crack. This way, they'll also be more forgiving about changing their password every few months. Leave Jack the Ripper running on a spare machine to audit weak passwords.
signature smigmature
Keystrokes (Score:1)
It's also a good idea to include different cases, numbers and quotations in the password. Of course if you use the method above remembering the right combo will be no problem.
Re:Think process (Score:2)
__
Think process (Score:3)
I have to object to the usual assumption that users should never write down their passwords. Yes, it's a bad idea to leave it on a PostIt affixed to your monitor. But a slip of paper isn't that hard to secure -- no harder than, say, your front door key. So the question of making the password memorizable is really moot.
__
Inform users of failed logins (Score:1)
Add as many layers as you can think of to your security. For instance, I've set up /etc/profile so that it runs lastb|grep `id -un` for the user at login time. This lets the user see all failed logins and what time the attempt was made. When /var/run/btmp gets big enough, logrotate moves it and invokes a script to mail me the old one. A common variation on this is to print out a message, "There have been 35 failed attempts since your last successful login."
I think beyond a certain point, password strength is a joke. If passwd(1) is set up to disallow the usual variations on a username and dictionary attacks, the attacker will either have to either get lucky and find a user with a relatively weak password, or get ahold of /etc/shadow (in which case you'd have more serious problems to worry about...)
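The post above runs lastb|grep `id -un` from /etc/profile so each user sees their own failed logins, and mentions the variant that prints "There have been 35 failed attempts since your last successful login." Here is an added example of that second variant in Python; it is not the poster's script. It parses lastb-style output (the lines below are constructed, in the layout lastb prints, not real records), keeps only the attempts for one user that happened after that user's last successful login, and groups them by originating host so a burst from one address stands out. It assumes the timestamps fall within a single year, because lastb prints no year.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of `lastb` output (one failed login per line). These are
# made-up records in lastb's layout, not a real btmp file.
SAMPLE_LASTB = """\
alice    ssh:notty    10.0.0.7         Mon Jun  5 09:12 - 09:12  (00:00)
alice    ssh:notty    10.0.0.7         Mon Jun  5 09:13 - 09:13  (00:00)
bob      tty1                          Mon Jun  5 08:40 - 08:40  (00:00)
alice    ssh:notty    203.0.113.9      Mon Jun  5 07:55 - 07:55  (00:00)
alice    ssh:notty    203.0.113.9      Mon Jun  5 07:56 - 07:56  (00:00)
alice    ssh:notty    203.0.113.9      Mon Jun  5 07:57 - 07:57  (00:00)
root     ssh:notty    203.0.113.9      Mon Jun  5 07:58 - 07:58  (00:00)
"""

# user, tty, optional host, day-of-week, then "Mon DD HH:MM".
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S*?)\s*"
    r"(?P<dow>\w{3}) (?P<stamp>\w{3}\s+\d{1,2} \d{2}:\d{2})"
)


def _stamp(text):
    """Parse 'Jun  5 09:12' style stamps; the year is assumed to be the same for all."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M")


def parse_lastb(text):
    """Yield (user, host, datetime) for every parsable line of lastb output."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["user"], m["host"] or "local", _stamp(m["stamp"])))
    return records


def failed_logins_since(text, user, last_success):
    """Count failed attempts for `user` after `last_success` ('Jun 5 08:00'), per host."""
    cutoff = _stamp(last_success)
    per_host = Counter()
    for u, host, when in parse_lastb(text):
        if u == user and when > cutoff:
            per_host[host] += 1
    return per_host


def login_banner(text, user, last_success):
    """The message to show at login, as the post describes."""
    per_host = failed_logins_since(text, user, last_success)
    total = sum(per_host.values())
    if not total:
        return "No failed login attempts since your last successful login."
    detail = ", ".join(f"{n} from {h}" for h, n in per_host.most_common())
    return (f"There have been {total} failed attempts since your last "
            f"successful login ({detail}).")


if __name__ == "__main__":
    print(login_banner(SAMPLE_LASTB, "alice", "Jun 5 07:00"))
```

In real use the text would come from running lastb and the cutoff from `last -1 "$USER"`; the grouping by host is what turns a bare count into something a user can act on, since "3 from 203.0.113.9" reads very differently from three typos at the console.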
Password Nazis (Score:2)
At my shop, we require 8 digit passwords with at least 1 number and a punctuation symbol for most workers, which seems to be accurate enough.
I interviewed at one place where employees were issued a random sequence of characters that was changed every month. That is a complete waste of everybody's time and accomplishes nothing.
In my view, it makes more sense to increase security by moving to client-server apps and web-enabled applications versus granting shell access to as few as possible (in a Unix env).
In a windows environment, strict domain permissions and security policy are the only way to secure workstations.
Commercial systems that have worked (Score:3)
One problem with many out-of-the-box password schemes is that they have too few characters. We are starting to see a trend to reasonable-length passwords (usually incorporating the use of a hash algorithm like MD5 to reduce the password to 64 bits) so that people can use a system of strong but easy-to-use passwords.
One scheme that seemed to work quite well was the system that Compuserve first started using, back when they were H&R Block: the password generator would select two words (each four to six characters long) and a punctuation mark, and combine them into a string. For example:
This scheme took advantage of the fact that the PDP-10 operating system H&R Block was using allowed for 12 characters in a password.
The key was that there were never two nouns, or two verbs, or two adjectives, or two pronouns. Sometimes the generated password would look like something from the original Adventure game, but it was still very hard to guess, and the dictionary attack required the attacker to try pairs of words coupled with selections from the punctuation mark string ".,/?+=*&$@!" and you have a fairly large universe of passwords to try -- around 640 million if you assume a total of 8000 words in the dictionaries. (Much of this is from memory; excuse me if I'm getting some of the details wrong.)
I never heard of a Compuserve password that was cracked in a pristine way. Every single crack I was aware of involved either social engineering or monitoring the user. Oh, I suppose that someone may have been able to do the job, but I never heard about it.
Now, if you have only eight characters to work with, you are out of luck. Sorry.
Re:Differing opinion (Score:2)
      possible keys in various key spaces
Letter type             4-byte    6-byte   8-byte
Lowercase letters        460,000   3.1E8    2.1E11
Lowercase letters/digits 1.7E6     2.2E9    2.8E12
Alphanumeric Characters  1.5E7     5.7E10   2.2E14
Printable Characters     8.1E7     7.4E11   6.6E15
ASCII characters         2.7E8     4.4E12   7.2E16
8bit ASCII Chars         4.3E9     2.8E14   1.8E19
You can figure out what kind of passwords that you wish to implement from this table. Remember that one order of magnitude is a huge difference, thus 8 length ASCII characters are *far* more secure than anything else.
offtopic rant... Rob, making tables on slashdot sux. You have to make it easier to do tables.
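The table above and the Compuserve word-pair scheme a few posts up are both keyspace arithmetic, so here is one added Python example (mine, not any poster's) that reproduces the table, recomputes the two-words-plus-punctuation universe from the figures the Compuserve post gives (8000 words, the 11-character punctuation string), and puts a 5-word Diceware passphrase beside an 8-character password so the comparison made earlier in the thread can be checked in bits rather than by eye. The guess rate used for the time-to-exhaust column is a constructed placeholder, not a measurement.

```python
import math

# Character-class sizes behind the rows of the table in the post above.
CLASSES = {
    "Lowercase letters": 26,
    "Lowercase letters/digits": 36,
    "Alphanumeric Characters": 62,
    "Printable Characters": 95,
    "ASCII characters": 128,
    "8bit ASCII Chars": 256,
}


def keyspace(alphabet_size, length):
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space):
    """Equivalent key length in bits for a uniformly chosen password."""
    return math.log2(space)


def keyspace_table(lengths=(4, 6, 8)):
    """Same layout as the table above: row per class, column per length."""
    return {name: {n: keyspace(size, n) for n in lengths} for name, size in CLASSES.items()}


def word_pair_keyspace(word_count, punctuation):
    """Compuserve-style word + punctuation + word, any word in either slot.

    The post says the generator never paired two words of the same part of
    speech; that constraint trims this figure somewhat, which is consistent
    with the ~640 million the poster recalls.
    """
    return word_count * len(punctuation) * word_count


def diceware_keyspace(words=5, list_size=7776):
    """Standard Diceware: 7776 words per roll of five dice, `words` rolls."""
    return list_size ** words


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    RATE = 1e9  # constructed placeholder guess rate, guesses per second
    print(f"{'Letter type':26} {'4':>12} {'6':>12} {'8':>14}")
    for name, row in keyspace_table().items():
        print(f"{name:26} " + " ".join(f"{v:>{w}.1e}" for v, w in zip(row.values(), (12, 12, 14))))
    pairs = word_pair_keyspace(8000, ".,/?+=*&$@!")
    print(f"\nCompuserve word pairs: {pairs:.2e} ({entropy_bits(pairs):.1f} bits)")
    print(f"8-char printable:      {entropy_bits(keyspace(95, 8)):.1f} bits, "
          f"{seconds_to_exhaust(keyspace(95, 8), RATE) / 86400:.0f} days at {RATE:.0e}/s")
    print(f"5-word Diceware:       {entropy_bits(diceware_keyspace()):.1f} bits")
```

Two things the numbers show that the table does not: the Compuserve universe is around 29 bits, far below any 8-character row, which is why the poster's observation that it was never cracked "in a pristine way" says more about the attackers of the day than about the scheme; and a 5-word Diceware phrase is around 64 bits against about 53 for 8 printable characters, which is only true if the whole phrase is actually hashed rather than truncated to 8 characters as the earlier crypt() post warns.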
Writing down passphrases isn't so bad (Score:2)
The main caution is, don't write your passphrase down and leave it near your computer. Carry it with you.
Here's a Javascript page that I wrote [nightsong.com] to generate secure random passphrases, by the way.
Some programs (Score:2)
gpw [debian.org] "generates pronounceable passwords. It uses the statistics of three-letter combinations (trigraphs) taken from whatever dictionaries you feed it."
makepasswd [debian.org] "generates true random passwords by using the
pwgen [debian.org] "generates random, meaningless but pronounceable passwords. Depending on how the program was installed, these words contain either only lowercase letters, or upper and lower case mixed, or digits thrown in. Uppercase letters and digits are placed in a way that eases remembering their position when memorizing only the word."
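gpw's description above (trigraph statistics taken from a dictionary, then used to emit pronounceable strings) is a small enough algorithm to show in full. The following is an added Python example written for this thread; it is not gpw's or pwgen's source. It trains on a constructed word list, draws each next letter from the trigraph counts using the CSPRNG, restarts on a dead end, and includes a checker that confirms a generated string only contains trigraphs seen in training.

```python
import secrets
from collections import defaultdict

# Constructed training corpus standing in for the dictionary files gpw would
# be fed; a real run would use a full word list.
SAMPLE_WORDS = """
amber apple arrow banana barrel basket blanket bottle bridge button
cabin candle carpet castle cattle cellar circle cotton cradle curtain
dinner doctor dragon drawer engine fabric falcon farmer feather finger
garden gentle glacier goblet hammer harbor harvest helmet hollow honey
island jacket jungle kettle kitten ladder lantern letter marble meadow
needle orange oyster paddle pepper pillow planet pocket puzzle rabbit
ribbon river saddle silver spider summer tablet timber tunnel velvet
wagon walnut window winter yellow
""".split()


def build_trigraphs(words):
    """Count word-initial letter pairs and, for each pair, which letter follows."""
    starts = defaultdict(int)                        # "ab" -> how many words start "ab"
    follow = defaultdict(lambda: defaultdict(int))   # "ab" -> {"c": count of "abc"}
    for w in words:
        w = w.lower()
        if len(w) < 3:
            continue
        starts[w[:2]] += 1
        for i in range(len(w) - 2):
            follow[w[i:i + 2]][w[i + 2]] += 1
    return starts, follow


def weighted_choice(counts):
    """Pick a key with probability proportional to its count, via the CSPRNG."""
    r = secrets.randbelow(sum(counts.values()))
    for key, n in counts.items():
        if r < n:
            return key
        r -= n
    raise AssertionError("unreachable: counts changed during iteration")


def generate(length, starts, follow, max_tries=1000):
    """Walk the trigraph chain until `length` letters; restart on a dead end."""
    for _ in range(max_tries):
        out = weighted_choice(starts)
        while len(out) < length:
            nxt = follow.get(out[-2:])
            if not nxt:          # this pair only ever ended a word
                break
            out += weighted_choice(nxt)
        if len(out) == length:
            return out
    raise RuntimeError("could not generate a password of that length")


def is_chain_consistent(pw, starts, follow):
    """True if the string starts with a seen pair and every trigraph was seen in training."""
    return pw[:2] in starts and all(
        pw[i + 2] in follow.get(pw[i:i + 2], {}) for i in range(len(pw) - 2)
    )


if __name__ == "__main__":
    starts, follow = build_trigraphs(SAMPLE_WORDS)
    for _ in range(5):
        print(generate(8, starts, follow))
```

The caveat worth knowing before adopting this style of generator: because letters are drawn according to corpus frequencies rather than uniformly, the effective entropy per character is well below log2(26), and the weaker the corpus the narrower the output. Something like the keyspace arithmetic elsewhere in this thread does not apply directly; if you want to claim a strength figure for pronounceable passwords, estimate it from the actual distribution of strings the trained chain produces.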
Re:Some programs (Score:1)
Creating easy to remember, yet secure passwords (Score:1)
Re:Differing opinion (Score:2)
Run each password via a password cracker (there is an old but good one called crackerjack), and then run it via lophtcrack ( www.atstake.com ). If they crack easily then try something harder.
ONEPOINT
Re:Easy to remember, hard to crack passphrases (Score:2)
Yay. You've just reduced the phrase dictionary to 100KB of lyrics. And posted the same idea every IT whackjob has had since the first luser said "but I can't remember long passwords..." So it's going to be a well-thumbed dictionary.
An edict that limits password choice to create "strong" passwords actually weakens the system by reducing the pattern space that must be tiled by the cracker. "8*&ks-c%" is only secure if 8 tabs is secure, and vice versa.
And, as always, password guessing is an idiotic thing to fear. Any system that permits or fails to report more than a few login attempts per minute is broken. Any system that lets the cracker copy out a statically encrypted password for later cracking is broken.
Then again, this oft-repeated organizational boondoggle is handy. It lets us know which of our IT and management people have a clue, and which have been faking it and are trying to get their noses all the farther up our asses by renting an urban legend of a clue. Time to look for ways to can them.
--Blair
Re:Differing opinion (Score:1)
I had not considered that! That is insightful, good modding. But then why do we only have to change passwords every 90 days? (typical policy at most companies I know, some are 60). How long does a brute-force attack take?
And if an intruder has a copy of your passwd file, doesn't that mean they got in? Doesn't everyone use shadow passwords? Don't you need common sense to get a job in computing security?
Differing opinion (Score:4)
The counter argument (which prevails at most companies) is that frequent password changes increase security. I've never seen any empirical data to support this claim. The logic is that if someone gains access via a stolen/guessed password, then forcing users to change passwords will close the intruder's door. Yeah, after 90 days! Meanwhile, they've had full access and could have created countless new accounts for themselves.
I've never seen a situation where this policy was coupled with required strong passwords, for the simple reason that (as you said) people who must frequently change strong passwords tend to forget them or, worse, write them down. That doesn't mean some places don't do this, just that I haven't seen it. I'd hate to work at a place like that.
Passwords alone are not enough. Sure, strong passwords are better than letting Bob's father pick "Bobby" or "R0b3r7" as a password, but how secure is a system where an intruder can roam undetected until their stolen password is changed? If you argue that frequent password changes are necessary, then you're admitting that you can't detect an intruder.
If you're paranoid about security and willing to consider other options, you should look into a physical system, such as the iButton [ibutton.com]. There are others, but this is a link I can quickly find :-)
Re:You are only as secure as your weakest link! (Score:1)
Passphrase FAQ (Score:2)
BOOK (Score:2)
Re:How about passface? (Score:1)
This should work fine as long as you're limiting the usage to graphical browsers, not things like lynx or ftp.
And if you get a bump on the head so that you don't know who you are or anyone you know you'll have problems. (Should apply only to a sitcom universe where the characters spend a lot of time logging in to things.)
Social Engineering is your worst enemy (Score:2)