Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
  • by Anonymous Coward on Friday December 10, 2004 @02:48PM (#11053790)
    ... to 'passphrase'.

    Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.

    Putting in punctuation makes it harder to crack too. Although it still won't stop social engineering.
  • by which way is up ( 835908 ) on Friday December 10, 2004 @02:49PM (#11053812)
    Here are some good techniques for picking a strong password. It helped me out. http://www.macosxhints.com/article.php?story=20040920120520528/ [macosxhints.com]
  • Single Sign On (Score:1, Informative)

    by Anonymous Coward on Friday December 10, 2004 @02:56PM (#11053916)
    Ideally, you have a centralized authentication system like Kerberos, and one password is good for all the network services you need. Also, password storage utilities like Bruce Schneier's Password Safe [schneier.com] or Apple's Keychain help a lot, since you can use a single master password to store (in crypted form) all those other passwords you don't want to remember.
  • by Longstaff ( 70353 ) on Friday December 10, 2004 @03:14PM (#11054143)
    ... I only have to get your login name, SecurID key chain and guess what your 4 digit pin is.

    SecurIDs are not limited to a 4 digit PIN. I have to use them to log into various client machines and my PINs are always 7+ chars that are alpha/numeric. You type in the PIN - which is really a password at this point - and follow it with the 6 digit number on the SecurID.

  • by Z00L00K ( 682162 ) on Friday December 10, 2004 @03:17PM (#11054174) Homepage Journal
    I have also been working some with different security systems, and I have found a device that is fairly nice to have and fits onto your keyring. It is the Aladdin eToken [ealaddin.com]. The only disadvantage I have found this far is that Windows XP doesn't support it with device drivers automatically. You need to install from a CD. It's somewhat annoying for something that is supposed to be a key to the system.

    This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.

    For the security paranoid, the maximum key size is only 1024 bits, which may be considered a little low in some applications.

  • by Hank Reardon ( 534417 ) on Friday December 10, 2004 @03:21PM (#11054227) Homepage Journal

    What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

    For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

    I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

    The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

    What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

    I wish we'd switch to RADIUS.
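    An added example (editor's, not from the poster or his employer) of why the policy above backfires: the literal rule set accepts "WebApp-01!" and "WebApp-02!" in consecutive months, because a complexity check only looks at character classes. The checker below mirrors the described policy (8+ characters, one capital, one digit, one punctuation mark, 13 months of history) and then adds the two checks the policy lacks: rejecting a candidate that differs from a recent password only by its digits, and rejecting one that embeds the service name. All passwords and the history list are constructed for the demonstration.

```python
import re
import string

# Constructed policy mirroring the one the post describes: at least 8 chars,
# one capital, one digit, one punctuation mark, and 13 months of history.
MIN_LENGTH = 8
HISTORY_DEPTH = 13


def meets_complexity(pw: str) -> bool:
    """The literal rule set: length plus one character from each required class."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def skeleton(pw: str) -> str:
    """Collapse every digit run to '#' so 'WebApp-01!' and 'WebApp-02!' compare equal."""
    return re.sub(r"\d+", "#", pw)


def evaluate(pw: str, history: list, service: str = "") -> str:
    """Return 'ok' or the first reason the candidate should be rejected.

    history holds the user's previous passwords for this service, oldest first;
    only the last HISTORY_DEPTH entries count, as in the described policy.
    """
    recent = history[-HISTORY_DEPTH:]
    if not meets_complexity(pw):
        return "rejected: fails complexity rule"
    if pw in recent:
        return "rejected: exact reuse within history window"
    # The two checks below are what the literal policy lacks: a monthly forced
    # change plus class rules invites 'Name-NN!' sequences, which pass every
    # class test yet differ from last month's value by one counter.
    if any(skeleton(pw) == skeleton(old) for old in recent):
        return "rejected: differs from a recent password only by digits"
    if service and service.lower() in pw.lower():
        return "rejected: contains the service name"
    return "ok"


if __name__ == "__main__":
    # Constructed history: last month's password for the same web application.
    last_month = ["WebApp-01!"]
    for candidate in ["WebApp-02!", "WebApp-01!", "short1!", "Tq7#mz!Rv2@kLp9&"]:
        print(f"{candidate!r:20} complexity={meets_complexity(candidate)!s:5} "
              f"verdict={evaluate(candidate, last_month, service='WebApp')}")
```

    The skeleton comparison is deliberately crude: it catches the counter-increment habit the post describes without trying to be a full similarity metric, and it runs on the plaintext candidate at change time, so the server still only needs to keep hashes of old passwords if the skeleton is hashed alongside them.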

  • by Not_Wiggins ( 686627 ) on Friday December 10, 2004 @03:26PM (#11054289) Journal
    We have a similar policy at work... and it is applied (with random expire times) on over 40 different server boxes.

    Since our dev environment is on a Windows platform, I use Password Safe [sourceforge.net] and have it generate/store new passwords for me for all of the production machines.

    Sure, it is a pain because I have to fire it up and put in my one secure password to get to the other passwords. But, at least it limits my security exposure to one bastion host (the shared drive on the LAN, so my encrypted password database is backed up).
  • by CrystalFalcon ( 233559 ) on Friday December 10, 2004 @03:32PM (#11054370) Homepage
    Even better is to integrate the PIN pad onto the card itself, and use encrypted communication between the card and the authenticating server. The card reader would just see encrypted traffic.

    Also works against hostile ATMs.

    A solution like this exists, see Cypak PIN-on-Card [cypak.com]
  • by gioan ( 263208 ) on Friday December 10, 2004 @03:52PM (#11054571)
    Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

    The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.

    You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique pin/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or Pin + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.

    For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's pin in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the pin is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.

    Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and Pin on a Postit note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.

    And no, I (no longer) sell the stuff. Simply a knowledgeable user.
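    An added example (editor's, not the poster's and not RSA's code) of the server-side logic the post describes: a PIN the administrator never sees, plus a code from a time-synced token that changes every 60 seconds, so a captured PIN alone or a found token alone gets nobody in. SecurID's own token algorithm is proprietary; this uses the public RFC 6238 TOTP construction (HMAC-SHA1 over the time-step counter) as a stand-in, with a constructed token seed, salt and PIN. The verifier accepts one step of clock drift either way and refuses to accept a code for a time step that has already been consumed.

```python
import hashlib
import hmac
import struct

# Constructed parameters for a generic time-synced token: 6 digits, 60-second step.
STEP_SECONDS = 60
DIGITS = 6


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The server keeps only a salted PBKDF2 hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenAuthenticator:
    """Server side: verifies PIN + current code and refuses replays of a used step."""

    def __init__(self, token_secret: bytes, pin_salt: bytes, pin_hash: bytes,
                 window: int = 1):
        self.token_secret = token_secret
        self.pin_salt = pin_salt
        self.pin_hash = pin_hash
        self.window = window        # accept +/- this many steps of clock drift
        self.last_counter = -1      # highest time-step counter already consumed

    def verify(self, submitted: str, now: int) -> bool:
        """submitted is the PIN immediately followed by the 6-digit token code."""
        if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
            return False
        pin, code = submitted[:-DIGITS], submitted[-DIGITS:]
        # Evaluate both factors unconditionally so a failure does not reveal
        # which one was wrong, and compare in constant time.
        pin_ok = hmac.compare_digest(hash_pin(pin, self.pin_salt), self.pin_hash)
        matched_counter = None
        for delta in range(-self.window, self.window + 1):
            t = now + delta * STEP_SECONDS
            if hmac.compare_digest(totp_code(self.token_secret, t), code):
                matched_counter = t // STEP_SECONDS
        # A code is single-use: once a step has been consumed it cannot be replayed.
        if (not pin_ok or matched_counter is None
                or matched_counter <= self.last_counter):
            return False
        self.last_counter = matched_counter
        return True


if __name__ == "__main__":
    # Constructed enrollment data; a real deployment would generate these at enrollment.
    seed, salt, pin = b"constructed-token-seed", b"constructed-salt", "7hj3k2q"
    auth = TokenAuthenticator(seed, salt, hash_pin(pin, salt))
    now = 1_700_000_040
    code = totp_code(seed, now)
    print("PIN + live code:      ", auth.verify(pin + code, now))
    print("replay of same code:  ", auth.verify(pin + code, now + 30))
    print("live code, wrong PIN: ", auth.verify("0000000" + code, now))
    print("PIN + 10-minute-old code:", auth.verify(pin + totp_code(seed, now - 600), now))
```

    The replay guard is what turns "changes every 60 seconds" into a real property: without `last_counter`, a code observed over the shoulder would remain valid for up to three minutes under the drift window.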
  • by DerficusRex ( 784777 ) on Friday December 10, 2004 @04:28PM (#11054967)
    It's a GPL utility for PalmOS that stores your pw list encrypted with 256 bit AES. It's also got a decent password generator, and can do S/Key OTPs. Here's the site [zetetic.net].
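    An added example (editor's, not the utility's code) of the S/Key one-time-password scheme the post mentions: a hash chain where the server stores only h^n of the passphrase, the client answers the next challenge with h^(n-1), and the server verifies by hashing the response once and then keeps it as the new reference. Each value is usable exactly once and cannot be used to derive the next one. RFC 1760 folds MD4 output to 64 bits and encodes each OTP as six short words; this simplified version uses SHA-256 and raw bytes, with a constructed seed and passphrase.

```python
import hashlib
import hmac

# Simplified S/Key-style hash chain (Lamport OTP). Real S/Key (RFC 1760) folds
# MD4 output to 64 bits and word-encodes it; SHA-256 is used here for clarity.


def _step(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(seed: bytes, passphrase: bytes, n: int) -> bytes:
    """h^n(seed || passphrase): the client recomputes this, storing nothing."""
    x = seed + passphrase
    for _ in range(n):
        x = _step(x)
    return x


class SKeyVerifier:
    """Server state: the seed, the sequence number and the last accepted value."""

    def __init__(self, seed: bytes, passphrase: bytes, n: int):
        # Enrollment: only h^n is retained; the passphrase is discarded.
        self.seed = seed
        self.sequence = n
        self.last_accepted = chain(seed, passphrase, n)

    def challenge(self):
        """What the server prompts with: the sequence number to answer and the seed."""
        return self.sequence - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.sequence <= 1:
            # Chain exhausted: answering sequence 0 would reveal seed||passphrase,
            # so the user must re-enroll with a fresh seed instead.
            return False
        # One-step preimage check: the response must hash to the stored value.
        if hmac.compare_digest(_step(otp), self.last_accepted):
            self.last_accepted = otp   # the response becomes the next reference
            self.sequence -= 1
            return True
        return False


def client_response(passphrase: bytes, challenge) -> bytes:
    """Client side: rebuild h^(n-1) from the passphrase and the server's challenge."""
    n_minus_1, seed = challenge
    return chain(seed, passphrase, n_minus_1)


if __name__ == "__main__":
    # Constructed enrollment: seed and passphrase chosen for the demonstration.
    passphrase = b"correct horse battery"
    server = SKeyVerifier(b"seed0001", passphrase, 5)
    otp = client_response(passphrase, server.challenge())
    print("first login:   ", server.verify(otp))
    print("replayed OTP:  ", server.verify(otp))
    print("wrong phrase:  ", server.verify(client_response(b"guess", server.challenge())))
    print("next login:    ", server.verify(client_response(passphrase, server.challenge())))
```

    The property worth noticing is the direction of the chain: an observer who captures one response holds h^(n-1), and turning that into the next acceptable value h^(n-2) would require inverting the hash.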
