Password Security Not Easy
mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
Change 'password'..... (Score:2, Informative)
Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.
Putting in punctuation makes it harder to crack too. Although it still won't stop social engineering.
Picking a strong password.... (Score:2, Informative)
Single Sign On (Score:1, Informative)
Re:Integrate the pin with securid (Score:3, Informative)
SecurIDs are not limited to a 4-digit PIN. I have to use them to log into various client machines and my PINs are always 7+ chars that are alphanumeric. You type in the PIN - which is really a password at this point - and follow it with the 6-digit number on the SecurID.
Re:Integrate the pin with securid (Score:2, Informative)
This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.
For the security paranoid, the maximum key size is only 1024 bits, which may be considered a little low in some applications.
Stupid Policies, Not Stupid Users. (Score:5, Informative)
What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.
For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.
I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.
The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.
What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.
I wish we'd switch to RADIUS.
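The comment above makes a point worth seeing in code: a complexity policy (8+ characters, one capital, one digit, one punctuation mark, monthly rotation) is satisfied by a sequence like "WebApp-01!", "WebApp-02!", "WebApp-03!", even though each month's password is guessable from the previous one. The following Python is an added example, not code from the poster or from any product mentioned on this page; the policy constants, the stem-plus-counter heuristic and the sample history are all constructed here for illustration.

```python
import re
import string

# Hypothetical policy mirroring the one described in the comment:
# minimum 8 characters, one uppercase, one digit, one punctuation mark.
MIN_LENGTH = 8


def meets_complexity(pw: str) -> bool:
    """True if pw satisfies the letter of the complexity policy."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


# Heuristic (constructed): "<stem><optional separator><1-3 digit counter><trailing punctuation>"
_COUNTER_SUFFIX = re.compile(
    r"^(?P<stem>.+?)(?P<sep>[-_.]?)(?P<num>\d{1,3})(?P<tail>[!@#$%^&*]*)$")


def rotation_pattern(pw: str):
    """Return (stem, counter) if pw looks like a rotated counter password, else None."""
    m = _COUNTER_SUFFIX.match(pw)
    if m is None:
        return None
    return m.group("stem"), int(m.group("num"))


def predictable_rotation(history: list) -> bool:
    """True when every password in the history is the same stem with a counter
    that increments by one each time, i.e. the next password is guessable."""
    parsed = [rotation_pattern(p) for p in history]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return False
    stems = {stem for stem, _ in parsed}
    counters = [n for _, n in parsed]
    return len(stems) == 1 and all(b - a == 1 for a, b in zip(counters, counters[1:]))


def audit(history: list) -> dict:
    """Contrast what the policy checks against what actually matters."""
    return {
        "all_pass_policy": all(meets_complexity(p) for p in history),
        "predictable_rotation": predictable_rotation(history),
    }


if __name__ == "__main__":
    # Constructed sample: three months of the kind of password the comment describes.
    sample = ["WebApp-01!", "WebApp-02!", "WebApp-03!"]
    print(audit(sample))  # both flags True: passes the policy, yet predictable
```

The heuristic is deliberately narrow; the point is that a history-aware check (is the new password derivable from the old one?) catches what a per-password complexity rule cannot, which is the actual weakness the rotation policy creates.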
Re:I only have 2 passwords (Score:3, Informative)
Since our dev environment is on a Windows platform, I use Password Safe [sourceforge.net] and have it generate/store new passwords for me for all of the production machines.
Sure, it is a pain because I have to fire it up and put in my one secure password to get to the other passwords. But, at least it limits my security exposure to one bastion host (the shared drive on the LAN, so my encrypted password database is backed-up).
Card reader can be hostile - put PIN-pad on card (Score:3, Informative)
Also works against hostile ATMs.
A solution like this exists, see Cypak PIN-on-Card [cypak.com]
Re:Integrate the pin with securid (Score:3, Informative)
The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.
You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique PIN/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or PIN + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.
For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's PIN in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the PIN is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.
Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and PIN on a Post-it note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.
And no, I (no longer) sell the stuff. Simply a knowledgeable user.
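The two comments above describe the shape of a time-synced two-factor login: a user-chosen PIN the server never stores in the clear, concatenated with a short code the fob recomputes every 60 seconds, verified by a server that shares the fob's secret and clock. The Python below is an added example of that design and is not RSA's SecurID algorithm or any code from the posters; in place of the proprietary fob algorithm it uses the RFC 6238 TOTP construction (HMAC-SHA1 with dynamic truncation), and the class names, 60-second step, clock-skew window, replay check, seed and PIN values are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the comment describes a code that changes every 60 seconds
DIGITS = 6          # and a 6-digit code typed after the PIN
PBKDF2_ROUNDS = 100_000


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 time-based code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Holds each token's seed plus a salted hash of the PIN. The PIN itself is never
    stored, which is the property the comment attributes to the SecurID server."""

    def __init__(self):
        self._users = {}

    def enrol(self, user: str, seed: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "seed": seed,
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS),
            "last_counter": -1,   # highest time-step already accepted (replay guard)
        }

    def verify(self, user: str, passcode: str, now: int, skew_steps: int = 1) -> bool:
        """passcode is PIN followed by the 6-digit code, as in the comment above."""
        rec = self._users.get(user)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ROUNDS)
        pin_ok = hmac.compare_digest(pin_hash, rec["pin_hash"])

        # Tolerate +/- skew_steps of clock drift, but never accept a time-step
        # at or below the last one used: a captured PIN+code cannot be replayed.
        code_ok, used_counter = False, None
        for delta in range(-skew_steps, skew_steps + 1):
            t = now + delta * STEP_SECONDS
            counter = t // STEP_SECONDS
            if counter > rec["last_counter"] and hmac.compare_digest(totp_code(rec["seed"], t), code):
                code_ok, used_counter = True, counter
                break

        if pin_ok and code_ok:
            rec["last_counter"] = used_counter
            return True
        return False


if __name__ == "__main__":
    # Constructed demo: one enrolled user, one login at a fixed clock value.
    seed, pin, now = os.urandom(20), "correct-horse-7", 1_700_000_000
    server = TokenServer()
    server.enrol("alice", seed, pin)
    shown_on_fob = totp_code(seed, now)
    print("first login:", server.verify("alice", pin + shown_on_fob, now))   # True
    print("replayed:   ", server.verify("alice", pin + shown_on_fob, now))   # False
    print("code only:  ", server.verify("alice", shown_on_fob, now))         # False
```

Both factors are checked before a decision is made, so a wrong PIN and a wrong code take the same path; the `last_counter` field is what turns "keylogging the PIN is useless without the card" into an enforced property rather than an assumption, since even a code captured together with the PIN is dead once its time-step has been consumed.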
Anyone else use STRIP? (Score:2, Informative)