Password Security Not Easy 674
mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
Just get rid of them... (Score:4, Insightful)
Using SecureID or another similar solution is the "no-brainer" solution that today's users need. This way they don't have to remember anything other than a simple PIN - which, luckily, is just about the limit of most people's powers in this arena.
Known for quite some time... (Score:4, Insightful)
Special Characters != More Secure (Score:3, Insightful)
If the required dongle is a note under your kb... (Score:5, Insightful)
It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.
Yes. (Score:2, Insightful)
Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.
Re:I only have 2 passwords (Score:3, Insightful)
I noticed that the article mentions... (Score:2, Insightful)
Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.
To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.
Re:I only have 2 passwords (Score:5, Insightful)
Re:Special Characters != More Secure (Score:3, Insightful)
Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be many *times* longer when you increase the possible characters by 1, let alone a bunch of special characters. Of course, users tend to just append the characters, so brute forcing may take advantage of that, but at that point you're getting away from what a "brute force" attack implies.
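Keyspace arithmetic for the point made above, as an added example that is not from the original thread: it counts the 8-character passwords a policy actually permits when the whole printable ASCII set is allowed, versus the much smaller set a user produces by tacking one symbol onto an otherwise alphanumeric password. The alphabet sizes and the guess rate are constructed assumptions for illustration.

```python
from math import log2

# Constructed alphabet sizes (assumptions, not from the thread).
LOWER = 26
ALNUM = 26 + 26 + 10        # mixed case plus digits
SYMBOLS = 32                # printable ASCII punctuation
FULL = ALNUM + SYMBOLS      # 94 printable ASCII characters


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords when every position may hold any symbol of the alphabet."""
    return alphabet_size ** length


def appended_symbol_keyspace(length: int) -> int:
    """Passwords that satisfy a 'must contain a symbol' rule the lazy way:
    length-1 alphanumeric characters followed by exactly one symbol."""
    return keyspace(ALNUM, length - 1) * SYMBOLS


def entropy_bits(space: int) -> float:
    """Equivalent bits of entropy for a uniformly chosen password from `space`."""
    return log2(space)


def average_crack_seconds(space: int, guesses_per_second: int) -> float:
    """Average-case brute-force time: half the keyspace at a fixed guess rate."""
    return space / 2 / guesses_per_second


def policy_report(length: int = 8, guesses_per_second: int = 10**9) -> dict:
    """Compare what a policy permits against what users tend to type.
    The guess rate is a constructed figure for an offline attack on a fast hash."""
    cases = {
        "lowercase only": keyspace(LOWER, length),
        "alnum": keyspace(ALNUM, length),
        "alnum + 1 extra symbol allowed": keyspace(ALNUM + 1, length),
        "full printable ASCII": keyspace(FULL, length),
        "alnum with one symbol appended": appended_symbol_keyspace(length),
    }
    return {
        name: {"keyspace": n,
               "bits": round(entropy_bits(n), 1),
               "avg_days": round(average_crack_seconds(n, guesses_per_second) / 86400, 1)}
        for name, n in cases.items()
    }


if __name__ == "__main__":
    for name, row in policy_report().items():
        print(f"{name:34s} {row['bits']:5.1f} bits  ~{row['avg_days']:>10,.1f} days")
```

The "one symbol appended" row comes out smaller than the plain alphanumeric row, which is why a mandatory-symbol rule buys less than its nominal keyspace suggests.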
The problem isn't so simple (Score:3, Insightful)
Re:Biometrics (Score:4, Insightful)
Yeah. Unlike passwords, biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.
You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).
Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.
(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)
Re:Biometrics (Score:5, Insightful)
There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.
Re:Just get rid of them... (Score:3, Insightful)
John: 0000
If there is an easy way they will take it.
Re:Biometrics (Score:3, Insightful)
Fingers can be cut off (ok, new ones are supposed to detect if there's blood circulating), or you could leave your fingerprint on something, then someone comes along and takes it, wouldn't be too hard to make fake fingertips which you could use. Your retina 'metrics' would be harder to steal, maybe contact lenses, I dunno. But whatever technology we can come up with, crackers can find a way to break or exploit it. Biometrics by themselves are probably far more dangerous than having just passwords, imo at least.
But.. a mix of things;
something you are (biometrics),
something you have (dongle),
something you know (password)
would be a much safer combination.
Re:I only have 2 passwords (Score:3, Insightful)
Of course it's a good idea. But like everything else in life, it, too, is subject to the "Too Much of a Good Thing" syndrome. The trick is to change passwords often enough to maintain security and protect against those who will, inevitably, give away their passwords in exchange for trinkets or favors, and to balance that against not making the change so often as to be more trouble than it is worth. Depending on the environment, 2-5 times a year is sufficient.
Remember, a login/password scheme is there to ensure limited access to a limited number of systems (usually one) is granted to a known, limited number of individuals (usually just one per login). As soon as you don't have this, you don't have security. The best firewall in the world won't save you from the dumbass user who calls the vendor directly and gives their login & password to the tech support drone on the phone.
Does anybody crack passwords any more? (Score:3, Insightful)
Re:My take : three zones (Score:1, Insightful)
You should treat ANY user account that includes your bank details as requiring high security - unique passwords for each; or else the folks at xyzonlineshop can log into your amazon account and get themselves some nice xmas presents.
-J
Re:My take : three zones (Score:3, Insightful)
Look at it as a backup password, in case the original broke into bits by some strange mishap.
Re:Yes. (Score:3, Insightful)
Absolutely it is. Just like asking mom or dad to "just open the command line.."
I've got to agree with you there. It is the non-techies that have the most problems with this, but how old is the internet culture among non-techies? Five years? Maybe less? The point is that until the internet made everything accessible from a single computer, you didn't need a dozen different passwords. Before that, the only people who needed to even think about the possibility of keeping multiple passwords were sys admins.
The general public simply isn't comfortable yet either with passwords or computer security in general, and it'll probably take another ten years for it to truly get ingrained. In the meanwhile, the criminally inclined will continue to have an easy time of things.
Re:Picture Passwords (Score:2, Insightful)
Re:I only have 2 passwords (Score:1, Insightful)
So I do one of the following:
People who put security policies in place don't give a rat's ass whether what they are securing gets broken into. They only care that in the event of a break-in, they can't be blamed for being too lax. Being so strict about passwords that users are *practically* if not actually limited to a tiny keyspace in choosing their passwords is better than leaving open a channel through which blame can find them.
Re:Biometrics (Score:2, Insightful)
Not to say biometrics are great, but humans aren't actually that hot at it.
At one company I worked at, we had a security guard who was notoriously bad at remembering anybody. Seriously, the entire staff would discuss this fact. He saw all of us every single day, but damned if he seemed to be able to remember that fact. He also wasn't too hot at comparing IDs, and more than once people on the staff would swap IDs just to test this theory. He always let them in.
Plus, above and beyond people who are just bad at facial recognition... you still have the problem that passwords, biometrics, or even human guards with big guns can all be gotten by if the right person is handed a $10 bill. This fact hasn't changed since ancient times and despite all the technology we throw at it, never will.
Re:I only have 2 passwords (Score:4, Insightful)
The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.
I'll say this in capital letters so you get it this time.
CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!
And if you arsehole IT fucks can't get your brains around that, and design a system that recognises that fact, then you should really get a job shovelling manure or something.
If you really think that something is easy, merely because it's easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.
Rather than cursing the l-users, get off your fat arse, and start doing your job - provide them with the tools to do their jobs.
Re:Science Tables and Lookup Values (Score:3, Insightful)
Re:I only have 2 passwords (Score:4, Insightful)
When I read this, I seriously started thinking this was great sarcasm.
Unfortunately I've since changed my mind.
There has been a lot of research in the area of password usability; here is a short summary:
Fact 1: human memory is fallible
Fact 2: people cannot forget on demand
Fact 3: non-meaningful things (i.e. random) are amongst the hardest things to remember
Fact 4: items in human memory interfere with each other making 100% recall very hard
Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down
CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.