
Ask Slashdot: Convincing My Company To Stop Using Passwords?

gurps_npc writes Any password policy sufficiently complex to be secure is too complex to remember so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
  • by Anonymous Coward on Thursday December 04, 2014 @06:16PM (#48526321)

    Your system will be breached. Do you get enough out of this to take the fall when that happens?

    • by houstonbofh ( 602064 ) on Thursday December 04, 2014 @06:27PM (#48526443)
      Not to mention that stabbing yourself in the eye with a pencil will probably be less painful and result in more real security. And at least the eye-pencil is likely to make it to completion.
      • My favorite part is having to change the password every 30 days.

        A LOT of people will use base password+date. E.g.:
        Slashdotnov2014
        Slashdot1114
        etc.

        Gee. I wonder what it might be in December...

        I even know people in IT with passwords like that. When setting up a new computer for you they'll ask for your username/password so they can log in and setup your profile, so they are well aware that people do that.

        • Re:Every 30 days. (Score:5, Informative)

          by __aaclcg7560 ( 824291 ) on Thursday December 04, 2014 @08:19PM (#48527213)

          When setting up a new computer for you they'll ask for your username/password so they can log in and setup your profile, so they are well aware that people do that.

          Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's grounds for immediate termination.

          • by vux984 ( 928602 )

            Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's grounds for immediate termination.

            It's my policy

              • My policy lately is to have the user log in with *their* credentials without me resetting them, and then I'll remote in and do any additional setup that must be done.

              That works, if the user is around. Most times they aren't. Or sometimes they're uncooperative ("I just changed my password 89 days ago!"). If I don't have time to bark up the org chart because of a dead line, I'll do what I need to do. All the users are forewarned that this might happen via emails, fliers at their desks and verbal communications.

              So if the user writes their password on a sticky on their laptop and you see it, they just fire YOU? ;-

              I'm a contractor. So everyone suspects I'm going to roll up to the back door with a delivery truck and steal all the computers. Never mind that regular employees ca

              • by vux984 ( 928602 )

                That works, if the user is around. Most times they aren't.

                Like I said, I usually do it remotely.

                Or sometimes they're uncooperative

                Yeah... when that happens you just do what you have to do.

                I've just found that resetting someone's password is often a PITA for them... and in turn for me, and then I spend the next month getting follow up calls because some ipad or intranet app stopped working.

                And with employees that are literally almost never around, and never / rarely log into a windows desktop -- setting the

        • by l810c ( 551591 ) *

          There is a good way around that that I have used for years. Don't use the current date. Use M-1 and Y-1(that's not exactly how I do it, but similar).

          Also pick a couple of words and abbreviate them.

          If your favorite Ice Cream is Cookies and Cream, you might choose a monthly password like this
          Cok1113Crm#g - google password
          Cok1113Crm#e - espn password

          Easy to remember and always gets very secure score and a similar but not exact password across sites.

  • It could be worse (Score:5, Interesting)

    by rgbscan ( 321794 ) on Thursday December 04, 2014 @06:17PM (#48526329) Homepage

    Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system it's so complex.

    • by Anonymous Coward on Thursday December 04, 2014 @06:23PM (#48526375)

      Just don't answer your voice mail.

      • Just don't answer your voice mail.

        Hell, years ago I decided to permanently unplug the phone at my desk.

        As long as the computer is functional, the phone at the desk is a solution in search of a problem unless you work in helldesk (in which case you have my sympathy).

        Anything that can't be answered in two sentences gets an email. Anything too laborious to email works better face to face in a meeting or conference call with all the stakeholders (i.e. not at my desk).

        • by mysidia ( 191772 )

          Anything that can't be answered in two sentences gets an email. Anything too laborious to email works better face to face in a meeting or conference call

          I had to work with a higher-up IT manager who "never reads e-mail" and works at a remote site; also, whenever I do send an e-mail, the reply is always "Call to discuss; I don't use e-mail".

          He doesn't do video conferencing either; in fact, it's impossible to schedule a meeting, because he either has no time available for that, or he misses the me

          • Sounds like it's time for a firing. At most companies, an employee that "doesn't use email" or "doesn't use voicemail" is quickly saying that they "don't work there anymore."
        • My employer's office has far too few conference rooms for face-to-face meetings. Instead, the company has an internal VOIP/XMPP server. (Though for a meeting with 4 or fewer people, we often just use our cubicles.) We have VOIP phones on our desks, though it's easier to use the PC VOIP app.

    • Damn it. Now I have that song stuck in my head.
    • I lost my voicemail password about 2 years ago, I quit checking voicemails. I figured out how to make the message light solid instead of blinking so I can comfortably ignore voicemail for years to come.

    • Re:It could be worse (Score:5, Interesting)

      by hawguy ( 1600213 ) on Thursday December 04, 2014 @06:52PM (#48526661)

      Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system it's so complex.

      What's the point of a 7 digit numeric PIN? That's only around 24 bits worth of entropy (even less since the attacker knows that it doesn't have well known patterns and repeated digits so he can exclude those from his search). So 7 digits provides no real protection against an offline password hash attack.

      And hopefully the phone system itself can prevent an online attack by locking out accounts that have had too many incorrect guesses.

      So what's the advantage of such a long numeric PIN?

    • by frisket ( 149522 )
      People still use voicemail?
      • by AK Marc ( 707885 )
        I used my VM password once. To log into the web interface and configure my VM to forward to email. Never logged in again. I'm supposed to change my outgoing message when I'm on vacation, but I never do. Nobody has complained.

        Though my out of office replies to the VM system come back undeliverable. Too bad you can't set out of office to not reply to DoNotReply@example.com.
    • changing them all now... Post-1t.

    • by Greyfox ( 87712 )
      Or you could just let your voicemail fill up and never check it. I don't actually even know where my phone is. Last time I moved, it didn't get moved with me. I filed a ticket requesting it get moved and the queue it ended up said something to the effect of "We don't do that and we can't be bothered to requeue it to someone who can." I thought about it for all of about a second and decided I couldn't be bothered either. So I now have sitting on my desk a phone that never rings and never has voicemail. In my
  • As soon as you succeed with the paperless office, and don't forget to get rid of the fax machine too, then it'll be time for the password-less office. Just sayin'
  • Cost (Score:5, Insightful)

    by axlash ( 960838 ) on Thursday December 04, 2014 @06:20PM (#48526351)

    Have you considered how much it will cost your company to implement and manage such a solution?

    You'll need to be able to convince management that the likelihood and impact of your company's IT infrastructure is high enough to justify such an expense.

    • by brunes69 ( 86786 )

      Find out the cost of IT constantly resetting forgotten passwords and also the projected cost of a security breach because everyone has to write them down.

      If you want a REAL wake up call, pay a college kid $100 to show up to the office with a tool belt and tell the front desk he is there to check out the thermostat, and get him to grab a password off of a post-it note on someones desk. Bring that password to your director and say that if you wanted to, you cold have just cost your department X hundred thousa

  • by AaronLS ( 1804210 ) on Thursday December 04, 2014 @06:20PM (#48526353)

    Anything you do that adds an additional step to an existing process that "appears" to be working perfectly fine will potentially earn you some enemies. Some of the people most likely to be frustrated by the process may also be in positions of great influence.

    A noble cause, but its success depends a lot on the existing culture of your workplace.

    Certainly coming to the table with a well thought out argument in favor of this isn't bad.

    But if the culture is right, you should be able to bring this up casually with superiors and discuss it with them candidly and THEN discuss putting together a formal document proposing a solution. If anything they are better equipped than we are to evaluate the user needs of the workplace and give you ideas of how to pitch this to the rest of the business.

    • by mlts ( 1038732 )

      The first time any glitches happen with the authentication system (and they will), the people mentioned by the parent will come down like a ton of bricks, asking why a system that costs productivity without obvious security merits is in place.

      Replacing a core authentication mechanism takes a lot of buy-in, not just from management, but by users who have management's ear. One "this is keeping me from doing my work" E-mail from someone with some clout in a company can sink a project like this.

    • by CaptainDork ( 3678879 ) on Thursday December 04, 2014 @06:42PM (#48526583)

      The way I did it was similar.

      In casual conversations with managers about "cool geek" stuff, I shared stories about breaches and the consequences. Those were particularly scary because we're a law firm.

      I sent breach stories to them via email saying, "These are things you should do for your HOME."

      I spoon fed that stuff to the decision makers and then when I was ready to roll out best practice and mid-lower management and my coworkers bitched, upper management was all like, "Are you kidding? Do you guys ever actually read about password security or network breaches? This stuff he's recommending is a no-brainer!"

      Done.

      I have had some who balked and I just told them to comply or send upper management an email arguing their business case for using "12345678" as a password.

      • What is the exposure?
        If your company was ever hacked, what would the consequences be?
        If the consequences could be serious, follow the advice of educating your decision makers as brilliantly outlined by Captain D, above.
        Otherwise, what difference does it make if your company's machines and network(s) were actually compromised?
        I mean, what difference will a few more zombies in some bot-net actually make?
    • My first thought is all the times I need to use a password where a physical device cannot be used. I.e., log into my email from home over a web-only https connection. I can't wave a token at the web page, it wants me to type in the password. Similarly the same password is used when I use the email from my phone, and I presume it could use some expensive app but it's MY phone and I'd rather not get email than be forced to install someone else's app.

      Right now there is not the functionality and technology to be

  • by TubeSteak ( 669689 ) on Thursday December 04, 2014 @06:21PM (#48526357) Journal

    Figure out how much time and effort tech support spends on dealing with forgotten or compromised passwords.
    Factor in the time lost by employees while they wait for tech support to deal with password problems.
    Find some research discussing the cost of a compromise.

    Figure out how much a token based system will cost. Assume people will lose their tokens.
    Make the case that your solution is cheaper than the existing solution.

    Then prepare to deal with "but we won't get compromised, so this is a waste of money"

    • Make the case that your solution is cheaper than the existing solution if it is in fact cheaper.

      It may not be. Don't assume that everyone who came before you is an idiot - they may well have ended up where they are now due to a series of compromises to work around issues that you know nothing about. Why not ask someone who's been involved in the security decisions for a few years why things are the way that they are first?

      • if it is in fact cheaper.

        Well, it doesn't have to be cheaper if you can sell some VP or an influencer on the idea of never having to enter a password again.
        "Cheaper" is just the easiest way to argue your cause. "It's worth the extra money" is usually harder, but not always when it's some gee whiz technology stuff that the users will physically interact with.

        Why not ask someone who's been involved in the security decisions for a few years why things are the way that they are first?

        The answer is almost always inertia.
        Someone set up (or worse, paid consultants to set up) the current system and that's what everyone is stuck with because no one will/can propos

    • by mlts ( 1038732 )

      Of course, there is the issue of getting locked out by forgetting one's PIN. Again, picking on SecurID, people forget if they put their PIN before the number or after, so this can blow one password entry attempt. Fumble-finger again, and that can easily use up three attempts, locking someone out indefinitely.

      Don't forget scenarios. The senior sales person is out at a client site, he lost his token, and has to have access to the internal company's network for some charts or demos, or else he may lose a sa

  • by NotInHere ( 3654617 ) on Thursday December 04, 2014 @06:22PM (#48526363)

    use u2f [slashdot.org], it's the best authentication token on the market. Either as second factor, or as lone factor. It doesn't enforce any lock-in at all, and its experience is just like keys: you have cheap tiny things you stick into holes (please spare me with any childish dick/buttplug/etc comparisons).

    If they only need to survive online attacks, the 8 character limit is enough for Passwords. However you would need to add some meaningful brute-force and weak pw recognition.

    • Oh I've forgotten U2F's best point: it's cheap.

    • However you would need to add some meaningful brute-force and weak pw recognition.

      A lot of systems and settings to prevent "weak passwords" are pretty dumb. I've seen things that failed to have a problem with me using my own username (or 'password') as a password as long as I substituted in some symbols and added numbers. So "P@ssw0rd" is fine but "correcthorsebatterystaple" is not allowed.
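The two failure modes this subthread describes, "base word + date" passwords that rotate predictably (Slashdotnov2014, Slashdot1114) and leet-substituted dictionary words that sail past naive complexity rules (P@ssw0rd) while a long passphrase is rejected, can both be caught by a policy filter that normalises the candidate before checking it. The following is an added example, not code from Slashdot or any of the commenters: the denylist is a constructed, illustrative stub (a real deployment would load a breach-derived word list), the date-suffix regex is a heuristic, and MIN_LENGTH of 8 is taken from the submitter's stated policy rather than a recommendation.

```python
import re

MIN_LENGTH = 8  # the submitter's stated policy; raise this in a real deployment

# Constructed, illustrative denylist; a real check would load a large
# breach-derived word list instead.
COMMON_WORDS = {"password", "slashdot", "welcome", "letmein", "qwerty", "admin"}

# Undo the usual character substitutions so "P@ssw0rd" normalises to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Trailing date fragments: "nov2014", "nov14", "1114", "112014", "2014".
DATE_SUFFIX = re.compile(
    rf"(?:(?:{MONTHS})\d{{2,4}}"                          # month name + 2-4 digits
    rf"|(?:0?[1-9]|1[0-2])(?:[0-2]\d|(?:19|20)\d{{2}})"   # MM + YY or YYYY
    rf"|(?:19|20)\d{{2}})$",                              # bare four-digit year
    re.IGNORECASE,
)
TRAILING_JUNK = re.compile(r"[\d\W_]+$")  # digits/punctuation tacked on the end


def assess_password(password: str, username: str = "") -> list[str]:
    """Return weakness codes for a candidate password; an empty list means it passes.

    Codes: too_short, date_suffix (predictable across monthly rotations),
    common_word (dictionary word after undoing leet substitutions),
    matches_username.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")

    core = password
    m = DATE_SUFFIX.search(core)
    if m:
        reasons.append("date_suffix")
        core = core[:m.start()]  # examine the base word on its own

    # Strip trailing digits/punctuation first, then undo leet substitutions.
    base = TRAILING_JUNK.sub("", core).lower().translate(LEET_MAP)
    if base in COMMON_WORDS:
        reasons.append("common_word")
    if username and base == username.lower():
        reasons.append("matches_username")
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, including the ones mentioned in the thread.
    for pw in ["P@ssw0rd", "Slashdotnov2014", "Slashdot1114",
               "correcthorsebatterystaple", "Welcome2014!", "jsmith2014"]:
        print(f"{pw:28s} -> {assess_password(pw, username='jsmith') or 'ok'}")
```

The check deliberately has no "must contain a symbol and a digit" rule: the thread's point is that such rules reward P@ssw0rd and punish correcthorsebatterystaple, whereas normalising and comparing against a word list does the opposite. The date heuristic will also flag a few non-date digit runs (any MM+YY shape), which for a password filter is the safe direction to err.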

    • by Guspaz ( 556486 )

      Best on the market? Errm, it has a bunch of deal-killer restrictions. It requires that the device that you're trying to log in on have USB ports (sorry smartphone/tablet users) and you need to carry around a physical token for you to lose/forget instead of having an app on your smartphone. And while it doesn't require any software be pre-installed on the computer (since the device basically simulates a keyboard), it still requires that the system be configured to let random keyboards/USB devices be plugged

      • The app also needs to be installed on a smartphone, which you can also lose/forget. If the app allows you to log in from arbitrary devices, it's just passwords again.

        • by Guspaz ( 556486 )

          The smartphone can be lost/forgotten, but at least smartphones tend to be encrypted/locked with the option to remote-wipe. A U2F dongle that is lost would seem to offer no such protection.

          The apps for 2FA services tend to offer a rotating key, so it's not a fixed password that can be guessed.

          • The smartphone can be lost/forgotten, but at least smartphones tend to be encrypted/locked with the option to remote-wipe. A U2F dongle that is lost would seem to offer no such protection.

            What is a phone encrypted/locked with? A password. So that's a second factor. Whether you enter it at the company's computer or at the smartphone is no big difference. As a company, I wouldn't rely my security on unlock passwords. How often do you enter your unlock password when other people could, in theory, watch you? How can you as company ensure your employees do this never?

            Same for remote-wipe. You set it up with a password. When your dongle (or phone) is lost you don't even need remote wipe, as you can

            • by Guspaz ( 556486 )

              What is a phone encrypted/locked with? A password.

              And what is the U2F protected by? Nothing. Anybody who gets hold of the dongle can use it, at least getting into the system protected by a mobile app would require them to steal the device *AND* get the password. And not all phones are locked with a password. There are phones locked with biometrics, or patterns that couldn't quite be called a password.

              As a company, I wouldn't rely my security on unlock passwords.

              So you wouldn't rely on a system that requires a device be stolen and then its password cracked

      • it still requires that the system be configured to let random keyboards/USB devices be plugged in.

        I'm sure that when the need arises, some smart company will develop a USB adapter that only allows U2F devices to communicate with the host.

  • by mlts ( 1038732 ) on Thursday December 04, 2014 @06:25PM (#48526405)

    The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.

    Usually for internal AD, having a third party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a Web app is authenticating from AD, it likely won't have a window to present the 2FA challenge. SecurID is the only one I know which gets around this since there is no challenge token presented... users just enter in their password and the number off their token, and it logs them in with the standard username/password box. However, the downside of SecurID is that it is not cheap, and requires at least two servers to authenticate the tokens.

    Internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, have a wide use with the US government, and work with most major applications.

    Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.

  • by stephanruby ( 542433 ) on Thursday December 04, 2014 @06:27PM (#48526441)

    Whatever happens!! Do not start your proposal with "Let's stop using passwords."

    Besides, in every system I've seen with 2-factor authentication, passwords could still be used, but 2-factor authentication would only get triggered if the employee was accessing the network from an unknown computer, or an unknown ip address, or if the employee had forgotten his original password.

    • by Greyfox ( 87712 )
      Yeah! Instead, start it "Did you know you can use your willy to unlock your iPhone's fingerprint scanner*?" It sells itself!

      * I'm told. I have an android phone.

  • by Keruo ( 771880 ) on Thursday December 04, 2014 @06:35PM (#48526523)
    I would encourage users to write down their password on a piece of paper.
    That paper should contain only the password, no hint to what it belongs to.
    The paper will then be stored inside the person's wallet, and looked at when necessary, but not taken out.
    If that person manages to lose their wallet, they have bigger problems than the company password.
    • by slapout ( 93640 )

      They're also more likely to notice that their wallet is missing than their post it note with the password stuck to the desk.

    • Write each new password on a separate post-it and keep them all posted around your desk. Let an intruder guess which one (if any) is the correct one! It will provide minutes of entertainment! MINUTES!
  • I work in schools.

    I'd be interested in any cheap, Windows-logon compatible system that I can supply my own RFID reader hardware for.

    RFID readers are stupid-cheap. Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user. And I can buy tags for about 10p each.

    Every logon system I see is stupendously priced (either per reader, per card, or per seat software licence) or doesn't work on Windows logon. Those are useless to me.

    I've been looking since the XP GINA days, s

    • Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user.

      Until somebody does.

  • I used to work for an oil company that used smart cards to login to a PC.

    Sure, you still need a PIN but you also need the card. It's not foolproof but it is somewhat more secure.

    The real challenge would probably be convincing your company to purchase new hardware and update their security policy.
    • Chevron's SmartBadge system was kind of nice - it was just a pain when you needed to log into more than one machine at a time...

  • You have a few challenges ahead of you; political ones, technical ones, and fiscal ones.

    Are you just hoping to be the initial voice of inspiration and get everyone behind you? Or are you ready to be the advocate for the two factor auth you're proposing? Unless you've done your research and you know a lot of others in your department are on board with this proposal already, your proposal is going to ground itself without much more than a candle flicker.

    People tend to be really resilient to change, even really b

  • by robbo ( 4388 ) <slashdot@@@simra...net> on Thursday December 04, 2014 @06:50PM (#48526653)

    Complexity matters mainly if your attacker gains offline access to your hashes. Far and away the main source of password compromise is non-uniqueness (using the same password elsewhere). This is actually the main benefit of forcing a periodic password change. Graphical and gesture passwords are horribly insecure from shoulder surfers.
    If you can, support as many factors as possible. Multiple factors give your users flexibility- they may not always be able to receive an SMS or have a card reader handy. TPM-based virtual smart cards are super handy for remote auth from a domain-joined device- no cards or readers required.

  • My routine way of logging onto anything that I hit less than once a week is to automatically click on the "I forgot my password" button and reset via email without even attempting to remember it. That basically makes all passwords equivalent to my gmail password, but since anyone with the gmail could do that any time they wanted it's no loss of security. It's a little inconvenient, but not as inconvenient as trying to remember 100 unique passwords.
  • The first step in trying to figure this out is to figure out what systems and services you're trying to secure. Are you trying to secure a web application? A specific file server? Are you trying to make it so people don't have to remember passwords for Dropbox? Are you trying to include your phone system, physical security to your systems, and the network AD login? Make a list of everything you're trying to secure, and then figure out what alternatives those systems support. Then cross-reference all t

  • It's the solution that's been touted for decades to the 'single sign on' solution. It does work - I know police forces and similar that use them without fuss.

    There are plenty around, and sure you have to remember a pin, but it's usually way less complicated than remembering a huge long password, plus it's the start of a single-signon solution that no-one can argue against once you're using them.

    If you use Windows, Microsoft has a lot of resources about smart card login [microsoft.com]

  • With regards to the actual posted question, you should find out if the company has any sort of insurance policy relating to data/security breaches that might be dictating things like the password policy. If the company has insurance to cover problems from insurance company X, and insurance company X is saying "You must do passwords, and like this, or else no insurance!", then you have a monumental task ahead of you because you have to convince your workplace to address the insurance policy/company - as wel

  • What is the risk of continuing to use passwords?

    What is the cost to the business if the risk of continuing to use passwords is realized?

    What is the cost of implementing an alternate system? Be sure to include the costs in training, process re-engineering, systems re-engineering, etc.

    What value, if any, is generated by replacing passwords?

    Unless the money you are going to spend is either going to generate more money for the business than the dozens of other projects that are competing for resources, you pra

  • No, it's not too hard. I'm really sorry that you can't figure out how to train users on how to use strong passwords, but this is not an overly complex thing to do. It does take persistent training because nobody walking into the company will have received such training but passwords are not "bad" or "too hard".

    14 years ago I implemented a full Unix based LDAP system enforcing complex passwords with aging, history, and controls on admins that could change passwords without being "Directory Admin". I have

  • Verisign VIP is one ( commercial ) system that uses soft tokens, and the same token works on your ebay and paypal and other accounts, making it useful to users outside of work - since they start to introduce the same security to their outside-of-work use - Soft tokens are free and work on phones and PCs, hard tokens can be ordered ( they even have credit cards with the hardware token built in, and can print name badges with them ) -

    Generally, it's a pretty good system - you can download and try it too -

    GrpA

  • if you're giving your users a token, get the thing jabbed inside their hand so they don't lose it.

  • First understand your position in the company and whose turf you're going to piss on if you make a move like that. You don't want your efforts to fail because you rubbed some manager the wrong way and he sabotages everything just because he can.

    Secondly, make sure your system is really better in all regards, especially the failure cases. People leaving the company or getting ill for a long time? Password sharing (no matter what your policy says, people are doing it, especially bosses and secretaries)? Passw

  • by Karmashock ( 2415832 ) on Thursday December 04, 2014 @08:37PM (#48527277)

    Very long passwords are very easy to remember if you use mnemonics.

    For example:

    412a7YaoFbfotCanNciladthptaMace

    Completely impossible to remember that password right? Wrong:

    "Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal."

    You just have a set of rules for turning text into a password.

    In this case, all numbers are written as numbers and all words are lower case except nouns which are capitalized.

    Substitute that quote for any other and you can generate another very long password that is impossible to forget. You can even write the quote down prominently and no one is going to break into your system unless they know the system by which the quote is turned into a password. The system I cited above is very very simple but you can use a much more complicated one.

    The system usually should not change. You can keep that static. The quotes or text strings should change every so often. And when you do, you can put a sticky note on your computer with the quote right there. No one will break in.

    You can make the password as long or as short as you like.

    The downside is that the decoding process does take a moment. But you will not forget the password.

  • "Any password policy sufficiently complex to be secure is too complex to remember" is not a universally true statement. https://www.schneier.com/blog/... [schneier.com]
  • by loxosceles ( 580563 ) on Friday December 05, 2014 @12:23AM (#48528387)

    FIDO alliance 2-factor hardware tokens, like YubiKey Neo.

    Until browsers roll out FIDO protocol support, a mobile app with normal OATH TOTP 2-factor (implementations include Authy, Duo Mobile, Google Authenticator, etc) is the way to go. And use a password manager for the 1st factor. When support gets baked in, the FIDO service/client/hardware token protocol will dramatically improve usability of the 2nd factor.
