Ask Slashdot: Convincing My Company To Stop Using Passwords? 247
gurps_npc writes Any password policy sufficiently complex to be secure is too complex to remember so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
Do you want to take the fall for the inevitable? (Score:5, Insightful)
Your system will be breached. Do you get enough out of this to take the fall when that happens?
Re:Do you want to take the fall for the inevitable (Score:4, Funny)
Every 30 days. (Score:3)
My favorite part is having to change the password every 30 days.
A LOT of people will use base password+date. EG:
Slashdotnov2014
Slashdot1114
etc.
Gee. I wonder what it might be in December...
I even know people in IT with passwords like that. When setting up a new computer for you they'll ask for your username/password so they can log in and setup your profile, so they are well aware that people do that.
Re:Every 30 days. (Score:5, Informative)
When setting up a new computer for you they'll ask for your username/password so they can log in and setup your profile, so they are well aware that people do that.
Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check on the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's ground for immediate termination.
Re: (Score:3)
Asking a user for their password is against corporate policy at all the Fortune 500 companies that I worked for in Silicon Valley. The correct procedure is to inform the user that their password will get reset to a temporary password (i.e., Password123), and, after setting up their new system, check on the box on the AD account for the user to change their password when logging in. Under no circumstances should an I.T. technician know a user's passwords. That's ground for immediate termination.
Its my policy
Re: (Score:2)
My policy lately is to have the user login with *their* credentials without me resetting them, and then I'll remote in and do any additional setup that must be done.
That works, if the user is around. Most times they aren't. Or sometimes they're uncooperative ("I just changed my password 89 days ago!"). If I don't have time to bark up the org chart because of a dead line, I'll do what I need to do. All the users are forewarned that this might happen via emails, fliers at their desks and verbal communications.
So if the user writes their password on a sticky on their laptop and you see it they just they fire YOU? ;-
I'm a contractor. So everyone suspects I'm going to roll up to the back door with a delivery truck and steal all the computers. Never mind that regular employees ca
Re: (Score:2)
That works, if the user is around. Most times they aren't.
Like I said, I usually do it remotely.
Or sometimes they're uncooperative
Yeah... when that happens you just do what you have to do.
I've just found that resetting someone's password is often a PITA for them... and in turn for me, and then I spend the next month getting follow up calls because some ipad or intranet app stopped working.
And with employees that are literally almost never around, and never / rarely log into a windows dekstop -- setting the
Re: (Score:3)
There is a good way around that that I have used for years. Don't use the current date. Use M-1 and Y-1(that's not exactly how I do it, but similar).
Also pick a couple of words and abbreviate them.
If your favorite Ice Cream is Cookies and Cream, you might choose a monthly password like this
Cok1113Crm#g - google password
Cok1113Crm#e - espn password
Easy to remember and always gets very secure score and a similar but not exact password across sites.
Re: (Score:2)
They would probably come up with a compromise: Print your username and password on your id badge.
Re:Every 30 days. (Score:5, Insightful)
You laugh, but I once advised a friend to write (most of) her passwords down on a slip of paper and carry it in her wallet.
Any policy has to take into account the circumstances and concerns of the user into account. In this case she was an author who was being cyberstalked buy someone who'd figured out her easy-to-guess password. She changed the password to her site and he promptly guessed that one too.
So my advice was this: generate a moderately tough password, say a ten digit random number, and write it down twice: once for her files, once to carry around in her wallet. Then add to that an easy-to-remember part, say the name of her best friend's cat, but don't write that part down, keep that in her head. This results in a password that looks like this: "491-265-4743Fluffy". I chose ten digits and formatted it that way because if it looks like a phone number pretty soon she won't have to carry the paper around. I reckon that this adds something like 32 bits of entropy to her weak but easy to remember password. Even if you know how the password is generated, it's not trivial to guess or break by brute force, and it's certainly not practical to guess for someone who doesn't have physical access to her wallet.
Is it secure enough for the Morgan Stanley family jewels or the nuclear launch codes of the United States? No. But it's good enough for most practical purposes where you're not that concerned about an adversary who has physical access to you.
Re: (Score:2)
The PCs my employer issues to its workers have "smart card" readers built in, but they (a) they require cards with contacts (which our standard badges don't have and (b) (according to the security dept) cards that are compatible with both the PCs and the door lock system are very expensive. As such, the company only issue those cards to the finance and HR depts (and the execs and their assistants).
Of course, to prevent anyone in possession of one of these cards from being able to log in, passwords would sti
Re:Every 30 days. (Score:4, Interesting)
With the number of government agencies purchasing these cards, the per card cost is coming down quickly.
Re:Every 30 days. (Score:4, Interesting)
A password doesn't need to be overly complex to avoid brute force cracking, just sufficiently long. Most people are incapable of remember past 7 to 10 random character sequences. And any password system with limited character lengths is insufficient against brute force attacks.
And technology based ID systems are okay, if they are two factored solutions, which usually makes it much more difficult for automated verification processes.
My personal preference for most people is to have three or four sufficiently long random words as a password with a few random numbers and special characters: 7Alligator7Romances7Tombstone!
This is sufficient for all use cases, as long as it isn't shared. Generating a new password is as simple as finding three random words. In my example above, a person would only have to remember 5 things, three words, 1 number, one punctuation
Re: (Score:2)
Re: (Score:2)
To be fair, as long as you're the only one in your c
Re:Every 30 days. (Score:5, Insightful)
In that XKCD he doesn't treat characters independently. Instead, he assumes that each word provides 11 bits of entropy (i.e. assuming uniform draws from ~2000 words), giving a total of 44 bits. That's far less than the (26^20) you'd get if you treated the characters as independent random samples.
Re: (Score:2)
Why do random words? Use a sentence. I do that for many of my passwords. You get upper and lower case letters, symbols, and maybe even numbers, and it's not hard to go past 20 characters. It's highly customizable for each user and much easier to remember.
The problem with this is that there are still too many systems that have length caps that are too short. Not really many solutions for limits of 16, 10, or even 8 characters.
Re: (Score:3)
Maybe, as long as the sentence isn't a quotation from anything online or exceeds 50 characters or so. Dictionary attacks use entire phrases now, but they still don't go beyond a character limit that's fairly low compared to entire sentences.
Some additional password fuzzing techniques to consider.
- Putting nums or special characters between syllables in words, not just between the words.
- Using multiple specials/nums between each word.
- Strange uses of spaces and punctuation.
- There are 2 additional ways to
Re: (Score:3, Interesting)
There are a few minor tweaks that significantly increase entropy will still not being hard to remember:
1) Don't capitalize the first letter in a word used in a passphrase. Instead, capitalize something in the middle.
2) When adding numbers, add somewhere in the middle of a word rather than between words.
3) If security is really important, spell one longish word backwards before apply 1 and 2.
4) Another trick I've used many times (as a touch typist) is to type words with your fingers slid over one key, left,
Re: (Score:3)
A secure password depends largely on what you're priorities are. Personally I wouldn't put brute force attacks too high on my concerns list. My workplace locks out accounts after 3 incorrect attempts. Personally I think one of the big
Re: (Score:3)
One problem with this approach though is that many apps or sites don't allow spaces, or they have the counterproductive 'policy' that forces you to use a number, a spe
It could be worse (Score:5, Interesting)
Oh man, that's peanuts compared to my job. Our Cicso IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system it's so complex.
Re:It could be worse (Score:5, Insightful)
Just don't answer your voice mail.
Re: (Score:2)
Just don't answer your voice mail.
Hell, years ago I decided to permanently unplug the phone at my desk.
As long as the computer is functional, the phone at the desk is a solution in search of a problem unless you work in helldesk (in which case you have my sympathy).
Anything that can't be answered in two sentences gets an email. Anything too laborious to email works better face to face in a meeting or conference call with all the stakeholders (i.e. not at my desk).
Re: (Score:2)
Anything that can't be answered in two sentences gets an email. Anything too laborious to email works better face to face in a meeting or conference call
I had to work with a higher-up IT manager who "never reads e-mail" and works at a remote site; also, whenever I do send an e-mail, the reply is always "Call to discuss; I don't use e-mail".
He doesn't do video conferencing either; in fact, it's impossible to schedule a meeting, because he either has no time available for that, or he misses the me
Re: (Score:3)
Re: (Score:2)
My employer's office has far too few conference rooms for face-to-face meetings. Instead, the company has an internal VOIP/XMPP server. (Though for a meeting with 4 or less people, we often just use our cubicles.) We have VOIP phones on our desks, though easier to use PC VOIP app.
Re: (Score:3)
Re:It could be worse (Score:5, Funny)
Which one? 0118999881999119725...3?
Re: (Score:2)
That's the combination to my luggage!
Re: (Score:3)
Turn in your nerd card. [youtube.com]
Re: (Score:2)
Re: (Score:2)
The solution?
Just pick up a phone,
I'm always home,
Call me any time...
Dial 362-4360
I lead a life of crime!
Re: (Score:3)
I lost my voicemail password about 2 years ago, I quit checking voicemails. I figured out how to make the message light solid instead of blinking so I can comfortably ignore voicemail for years to come.
Re:It could be worse (Score:5, Interesting)
Oh man, that's peanuts compared to my job. Our Cicso IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system it's so complex.
What's the point of a 7 digit numeric PIN? That's only around 24 bits worth of entropy (even less since the attacker knows that it doesn't have well known patterns and repeated digits so he can exclude those from his search). So 7 digits provides no real protection against an offline password hash attack.
And hopefully the phone system itself can prevent an online attack by locking out accounts that have had too many incorrect guesses.
So what's the advantage of such a long numeric PIN?
Re: (Score:3)
Job Security for the Consultant (likely outside)?
Re: (Score:2)
Re: (Score:2)
Though my out of office replies to the VM system come back undeliverable. Too bad you can't set out of office to not reply to DoNotReply@example.com.
hey, that's a damn good password! (Score:2)
changing them all now... Post-1t.
Re: (Score:2)
Re: (Score:2)
Simple fix: don't ever set your voicemail password.
I went over 10 years without enabling my dreaded voicemail, some people complained but I never budged. My current Director told me to set it up about six months ago. I did and used a random integer set from random.org as the password.
I can honestly say "I forgot my voicemail password" and let the thing fill up.
Re: (Score:3)
First things first (Score:2)
Cost (Score:5, Insightful)
Have you considered how much it will cost your company to implement and manage such a solution?
You'll need to be able to convince management that the likelihood and impact of your company's IT infrastructure is high enough to justify such an expense.
Re: (Score:2)
Find out the cost of IT constantly resetting forgotten passwords and also the projected cost of a security breach because everyone has to write them down.
If you want a REAL wake up call, pay a college kid $100 to show up to the office with a tool belt and tell the front desk he is there to check out the thermostat, and get him to grab a password off of a post-it note on someones desk. Bring that password to your director and say that if you wanted to, you cold have just cost your department X hundred thousa
Re: (Score:3)
Re: (Score:2)
Damned white knights :)
Re: (Score:2)
People are the weakest link. Social Engineering is the best cracking tool available.
Consider Your User Base (Score:5, Insightful)
Anything you do that adds an additional step to an existing process they "appears" to be working perfectly fine will potentially earn you some enemies. Some of the people most likely to be frustrated by the process may also be in positions of great influence.
A noble cause, but its success depends a lot on the existing culture of your workplace.
Certainly coming to the table with a well thought out argument in favor of this isn't bad.
But if the culture is right, you should be able to bring this up casually with superiors and discuss it with them candidly and THEN discuss putting together a formal document proposing a solution. If anything they are better equipped than we are to evaluate the user needs of the workplace and give you ideas of how to pitch this to the rest of the business.
Re: (Score:2)
The first time any glitches happen with the authentication system (and they will), the people mentioned by the parent will come down like a ton of bricks, asking why a system that costs productivity without obvious security merits is in place.
Replacing a core authentication mechanism takes a lot of buy-in, not just from management, but by users who have management's ear. One "this is keeping me from doing my work" E-mail from someone with some cloud in a company can sink a project like this.
Re:Consider Your User Base (Score:5, Interesting)
The way I did it was similar.
In casual conversations with managers about "cool geek" stuff, I shared stories about breaches and the consequences. Those were particularly scary because we're a law firm.
I sent breach stories to them via email saying, "These are things you should do for your HOME."
I spoon fed that stuff to the decision makers and then when I was ready to roll out best practice and mid-lower management and my coworkers bitched, upper management was all like, "Are you kidding? Do you guys ever actually read about password security or network breaches? This stuff he's recommending is a no-brainer!"
Done.
I have had some who balked and I just told them to comply or send upper management an email arguing their business case for using "12345678" as a password.
exposure? Re:Consider Your User Base (Score:2)
If your company was ever hacked, what would the consequences be?
If the consequences could be serious, follow the advice of educating your decision makers as brilliantly outlined by Captain D, above.
Otherwise, what difference does it make if your company's machines and network(s) were actually compromised?
I mean, what difference will a few more zombies in some bot-net actually make?
Re: (Score:3)
Totally inappropriate on so many levels.
My workplace has a policy that prohibits recording on the premises using any electronic method without written permission from me. This includes, but is not limited to, deposition and mediation.
We also have a policy that disallows removal of work product to offsite.
Common sense would inform that it's not nice to piss off your coworkers.
In a law firm, dirty laundry is a controlled substance.
Re: (Score:2)
My first though is all the times I need to use a password where a physical device can not be used. Ie, log into my email from home over a web-only https connection. I can't wave a token at the web page, it wants me to type in the password. Similarly the same password is used when I use the email from my phone, and I presume it could use some expensive app but it's MY phone and I'd rather not get email than be forced install someone else's app.
Right now there is not the functionality and technology to be
Make the business case (Score:5, Insightful)
Figure out how much time and effort tech support spends on dealing with forgotten or compromised passwords.
Factor in the time lost by employees while they wait for tech support to deal with password problems.
Find some research discussing the cost of a compromise.
Figure out how much a token based system will cost. Assume people will lose their tokens.
Make the case that your solution is cheaper than the existing solution.
Then prepare to deal with "but we won't get compromised, so this is a waste of money"
Re: (Score:3)
Make the case that your solution is cheaper than the existing solution if it is in fact cheaper.
It may not be. Don't assume that everyone who came before you is an idiot - they may well have ended up where they are now due to a series of compromises to work around issues that you know nothing about. Why not ask someone who's been involved in the security decisions for a few years why things are the way that they are first?
Re: (Score:2)
if it is in fact cheaper.
Well, it doesn't have to be cheaper if you can sell some VP or an influencer on the idea of never having to enter a password again.
"Cheaper" is just the easiest way to argue your cause. "It's worth the extra money" is usually harder, but not always when it's some gee whiz technology stuff that the users will physically interact with.
Why not ask someone who's been involved in the security decisions for a few years why things are the way that they are first?
The answer is almost always inertia.
Someone setup (or worse, paid consultants to set up) the current system and that's what everyone is stuck with because no one will/can propos
Re: (Score:2)
Of course, there is the issue of getting locked out by forgetting one's PIN. Again, picking on SecurID, people forget if they put their PIN before the number or after, so this can blow one password entry attempt. Fumble-finger again, and that can easily use up three attempts, locking someone out indefinitely.
Don't forget scenarios. The senior sales person is out at a client site, he lost his token, and has to have access to the internal company's network for some charts or demos, or else he may lose a sa
U2F (Score:3)
use u2f [slashdot.org], its the best authentication token on the market. Either as second factor, or as lone factor. It doesn't enforce any lock-in at all, and its experience is just like keys: you have cheap tiny things you stick into holes (please spare me with any childish dick/buttplug/etc comparisons).
If they only need to survive online attacks, the 8 character limit is enough for Passwords. However you would need to add some meaningful brute-force and weak pw recognition.
Re: (Score:2)
Oh I've forgotten U2F's best point: its cheap.
Re: (Score:2)
However you would need to add some meaningful brute-force and weak pw recognition.
A lot of systems and settings to prevent "weak passwords" are pretty dumb. I've seen things that failed to have a problem with me using my own username (or 'password') as a password as long as I substituted in some symbols and added numbers. So "P@ssw0rd" is fine but "correcthorsebatterystaple" is not allowed.
Re: (Score:3)
Best on the market? Errm, it has a bunch of deal-killer restrictions. It requires that the device that you're trying to log in on have USB ports (sorry smartphone/tablet users) and you need to carry around a physical token for you to lose/forget instead of having an app on your smartphone. And while it doesn't require any software be pre-installed on the computer (since the device basically simulates a keyboard), it still requires that the system be configured to let random keyboards/USB devices be plugged
Re: (Score:2)
The app also needs to be installed on a smartphone, which you can also lose/forget. If the app allows you to log in from arbitrary devices, its just passwords again.
Re: (Score:3)
The smartphone can be lost/forgotten, but at least smartphones tend to be encrypted/locked with the option to remote-wipe. A U2F dongle that is lost would seem to offer no such protection.
The apps for 2FA services tend to offer a rotating key, so it's not a fixed password that can be guessed.
Re: (Score:2)
The smartphone can be lost/forgotten, but at least smartphones tend to be encrypted/locked with the option to remote-wipe. A U2F dongle that is lost would seem to offer no such protection.
What is a phone encrypted/locked with? A password. So thats a second factor. Whether you enter it at the companies computer or at the smartphone is no big difference. As a company, I wouldnt rely my security on unlock passwords. How often do you enter your unlock password when other people could, in theory, watch you? How can you as company ensure your employees do this never?
Same for remote-wipe. You set it up with a password. When your dongle (or phone) is lost you don't even need remote wipe, as you can
Re: (Score:3)
What is a phone encrypted/locked with? A password.
And what is the U2F protected by? Nothing. Anybody who gets hold of the dongle can use it, at least getting into the system protected by a mobile app would require them to steal the device *AND* get the password. And not all phones are locked with a password. There are phones locked with biometrics, or patterns that couldn't quite be called a password.
As a company, I wouldn't rely my security on unlock passwords.
So you wouldn't rely on a system that requires a device be stolen and then its password cracked
Re: (Score:2)
it still requires that the system be configured to let random keyboards/USB devices be plugged in.
I'm sure that when the need arises, some smart company will develop an USB adapter that only allows U2F devices to communicate with the host.
Can the 2FA be put on the edge? (Score:4, Interesting)
The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.
Usually for internal AD, having a third party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a Web app is authenticating from AD, it likely won't have a window to present the 2FA challenge. SecurID is the only one I know which gets around this since there is no challenge token presented... users just enter in their password and the number off their token, and it logs them in with the standard username/password box. However, the downside of SecurID is that it is not cheap, and requires at least two servers to authenticate the tokens.
Internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, have a wide use with the US government, and work with most major applications.
Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.
Re (Score:3)
What ever happens!! Do not start your proposal with "Let's stop using passwords."
Besides, in every system I've seen with 2-factor authentication, passwords could still be used, but 2-factor authentication would only get triggered if the employee was accessing the network from an unknown computer, or an unknown ip address, or if the employee had forgotten his original password.
Re: (Score:3)
* I'm told. I have an android phone.
Write it down (Score:3)
That paper should contain only the password, no hint to what it belongs to.
The paper will then be stored inside the persons wallet, and looked at when neccessary, but not taken out.
If that person manages to loose their wallet, they have bigger problems than the company password.
Re: (Score:2)
They're also more likely to notice that their wallet is missing than their post it note with the password stuck to the desk.
Alternately (Score:3)
I want something simpler. (Score:2)
I work in schools.
I'd be interested in any cheap, Windows-logon compatible system that I can supply my own RFID reader hardware for.
RFID readers are stupid-cheap. Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user. And I can buy tags for about 10p each.
Every logon system I see is stupendously priced (either per reader, per card, or per seat software licence) or doesn't work on Windows logon. Those are useless to me.
I've been looking since the XP GINA days, s
Re: (Score:2)
Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user.
Until somebody does.
Smart Cards (Score:2)
Sure, you still need a PIN but you also need the card. It's not foolproof but it is somewhat more secure.
The real challenge would probably be convincing your company to purchase new hardware and update their security policy.
Re: (Score:2)
Chevron's SmartBadge system was kind of nice - it was just a pain when you needed to log into more than one machine at a time...
You're fighting a few fronts here (Score:2)
You have a few challenges ahead of you; political ones, technical ones, and fiscal ones.
Are you just hoping to be the initial voice of inspiration and get everyone behind you? Or are you ready to be the advocate for the two factor auth you're proposing? Unless you've done your research and you know a lot of others in your department are on board with this proposal already, your proposal is going ground itself without much more than a candle flicker.
People tend to be really resilient to change, even really b
Complexity is a red herring (Score:3)
Complexity matters mainly if your attacker gains offline access to your hashes. Far and away the main source of password compromise is non-uniqueness (using the same password elsewhere). This is actually the main benefit of forcing a periodic password change. Graphical and gesture passwords are horribly insecure from shoulder surfers.
If you can, support as many factors as possible. Multiple factors gives your users flexibility- they may not always be able to receive an SMS or have a card reader handy. TPM-based virtual smart cards are super handy for remote auth from a domain-joined device- no cards or readers required.
I've long since given up (Score:2)
First step: what are you trying to secure (Score:2)
The first step in trying to figure this out is to figure out what systems and services you're trying to secure. Are you trying to secure a web application? A specific file server? Are you trying to make it so people don't have to remember passwords for Dropbox? Are you trying to include your phone system, physical security to your systems, and the network AD login? Make a list of everything you're trying to secure, and then figure out what alternatives those systems support. Then cross-reference all t
Smartcards (Score:2)
Its the solution that's been touted for decades to the 'single sign on' solution. It does work - I know police forces and similar that use them without fuss.
There are plenty around, and sure you have to remember a pin, but its usually way less complicated than remembering a huge long password, plus its the start of a single-signon solution that no-one can argue against once you're using them.
If you use Windows, Microsoft has a lot of resources about smart card login [microsoft.com]
Corporate Liability Insurance, etc. (Score:2)
With regards to the actual posted question, you should find out if the company has any sort of insurance policy relating to data/security breaches that might be dictating things like the password policy. If the company has insurance to cover problems from insurance company X, and insurance company X is saying "You must do passwords, and like this, or else no insurance!", then you have a monumental task ahead of you because you have to convince your workplace to address the insurance policy/company - as wel
Built the Business Case (Score:2)
What is the risk of continuing to use passwords?
What is the cost to the business if the risk of continuing to use passwords is realized?
What is the cost of implementing an alternate system? Be sure to include the costs in training, process re-engineering, systems re-engineering, etc.
What value, if any, is generated by replacing passwords?
Unless the money you are going to spend is either going to generate more money for the business than the dozens of other projects that are competing for resources, you pra
Ahh fuck, the ole "it's too hard" line again... (Score:2)
No, it's not too hard. I'm really sorry that you can't figure out how to train users on how to use strong passwords, but this is not an overly complex thing to do. It does take persistent training because nobody walking into the company will have received such training but passwords are not "bad" or "too hard".
14 years ago I implemented a full Unix based LDAP system enforcing complex passwords with aging, history, and controls on admins that could change passwords without being "Directory Admin". I have
Soft tokens... (Score:2)
Verisign VIP is one ( commercial ) system that uses soft tokens, and the same token works on your ebay and paypal and other accounts, making it useful to users outside of work - since they start to introduce the same security to their outside-of-work use - Soft tokens are free and work on phones and PCs, hard tokens can be ordered ( they even have credit cards with the hardware token built in, and can print name badges with them ) -
Generally, it's a pretty good system - you can download and try it too -
GrpA
Tokens will be lost. Frequently. Daily. (Score:2)
if you're giving your users a token, get the thing jabbed inside their hand so they don't lose it.
office politics (Score:2)
First understand your position in the company and whose turf you're going to piss on if you make a move like that. You don't want your efforts to fail because you rubbed some manager the wrong way and he sabotages everything just because he can.
Secondly, make sure your system is really better in all regards, especially the failure cases. People leaving the company or getting ill for a long time? Password sharing (no matter what your policy says, people are doing it, especially bosses and secretaries)? Passw
mnemonics (Score:3)
Very long passwords are very easy to remember if you use mnemonics.
For example:
412a7YaoFbfotCanNciladthptaMace
Completely impossible to remember that password right? Wrong:
""Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal.""
You just have a set of rules for turning text into a password.
In this case, all numbers are written as numbers and all words are lower case except nouns which are capitalized.
Substitute that quote for any other and you can generate another very long password that is impossible to forget. You can even write the quote down prominently and no one is going to break into your system unless they know the system by which the quote is turned into a password. The system I cited above is very very simple but you can use a much more complicated one.
The system usually should not change. You can keep that static. The quotes or text strings should change every so often. And when you do, you can put a sticky note on your computer with the quote right there. No one will break in.
You can make the password as long or as short as you like.
The downside is that the decoding process does take a moment. But you will not forget the password.
Starting with a false premise (Score:2)
2-factor (Score:3)
FIDO alliance 2-factor hardware tokens, like YubiKey Neo.
Until browsers roll out FIDO protocol support, a mobile app with normal OATH TOTP 2-factor (implementations include Authy, Duo Mobile, Google Authenticator, etc) is the way to go. And use a password manager for the 1st factor. When support gets baked in, the FIDO serviceclienthardware token protocol will dramatically improve usability of the 2nd factor.
Douchbags (Score:2)
Re: (Score:2)
Blocking "all" filesharing sites? If your company is like mine, both federal regulators and clients regularly perform third party security audits. "How do you protect our data from exfiltration?" is a stock question. I've also seen "demonstrate you block viral vectors" lead to similarly unnecessary
Re: (Score:2)
The same company blocks web access to dictionary.com, archive.org and anything related to computer security (hacking) and 3D graphics (games), as well as anything deemed to be file sharing (dropbox, google drive, pastebin - but not gist.github.com or thousands of other similar sites).
Why are such douchebags in charge of IT at such large companies that employ technically competent staff?
It, like everything else, is about breaking even in terms of time versus exposure.
You can block the top 10 file sharing/storage sites (drive, dropbox, whatever) in 10 minutes, and prevent 95% of your employees from transferring files. Or, to get to 99%, you can spend a couple hours a week adding new sites to the list. Want 99.5%? Just hire a full-time guy to review every TLD visited by employees.
Re: (Score:2)
I've generally come to the conclusion, that it isn't IT that is doing this, but Clueless Executives demanding IT do this, even after repeated cries from the IT department not to do it.
Re: (Score:2)
RSA SecurID is one of the standard 2FA methods that can be used, and it works well without needing a special dialog on the screen (which may be needed for some challenge/response systems.) It has been around for a long time.
Of course, there is one major problem: The cost. The keyfobs are not cheap. The seeds which are required for apps on smartphones are also not cheap. The RSA Authentication Manager servers are not cheap, and you need multiples of these at the core office and branches.
Then there is th
Re: (Score:2)
This is not three-factor authentication. Username is not a factor because it is not considered secret.
A username is not a secret piece of information.
A stored hash is not a secret piece of information.
A password is a secret piece of information.
A salt is not a secret piece of information.
An RSA clock's seed is a secret piece of information, but the user doesn't know it, and it lies exposed on the validating server.
The only thing RSA clocks prevent is remote, delayed attacks. An attacker acting at the same
Re: (Score:2)
Propose a solution that lets them recover employee data after they leave the company.
Re: (Score:2)
This got a lot of publicity but it doesn't really add all that much security. Supposing you choose 4 words from a dictionary of 200k (roughly the order of magnitude of the OED), you arrive at about 70 bits of entropy. Conversely, choosing a 10-character password from a 62 letter alphabet (a-zA-Z0-9) yields 59 bits of entropy- the difference is only a factor of 1024. Attackers aren't so dumb as to just try choosing random characters- they have very good priors on how common any particular character sequen
Re: (Score:2)
"This got a lot of publicity but it doesn't really add all that much security"
When you don't have a clause starting with "relative to" and/or "given that" this always reads like a sentence fragment. Increasing resistance to certain attacks 1000x may well be worth it in a number of circumstances.
Not to mention you appear to misunderstand the point the cartoon is making. People need to remember passwords. People can remember four entirely random common words but are unlikely to remember ten entirely rando