Password Security Not Easy 674

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...


  • by stecoop ( 759508 ) * on Friday December 10, 2004 @02:45PM (#11053751) Journal
    required dongle is a note under your keyboard

    There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

    A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

    The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed pattern and the number is only good for 60 seconds. But this still has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is the best I have.
  • by xyeeyx ( 839193 ) on Friday December 10, 2004 @02:46PM (#11053757)
    2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?
  • Password expiration (Score:3, Interesting)

    by crow ( 16139 ) on Friday December 10, 2004 @02:51PM (#11053841) Homepage Journal
    This goes along with my other pet peeve--password expiration. Here at work, the Windows passwords must be at least 8 characters, with mixed case and numerals. They expire after 90 days, but can't be changed for at least 10 days when new.

    My password is written on my whiteboard.

    For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

    And the IT department needs to recognize that once someone has physical access to the network, there's not much left to secure, anyway.
  • by Ars-Fartsica ( 166957 ) on Friday December 10, 2004 @02:53PM (#11053861)
    My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

    Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

    Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

    High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

  • by wfberg ( 24378 ) on Friday December 10, 2004 @02:54PM (#11053873)
    The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

    The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

    My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.
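The PIN-unlocked reader described in the comment above, as an added simulation (not any bank's real protocol and not code from the original thread). It assumes a 16-byte card key shared with the bank at issue time, an 8-hex-digit readout, and a chip that erases its key after three wrong PINs; the `SmartCard`, `BankServer` and `login` names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of a PIN-unlocked challenge/response card reader.
# Assumptions: 16-byte card key shared with the bank, 8-hex-digit readout,
# chip wipes its key after MAX_PIN_TRIES wrong PINs.
MAX_PIN_TRIES = 3


class CardLocked(Exception):
    """Raised once the PIN retry counter is exhausted."""


class SmartCard:
    """The chip: key and PIN never leave this object; only responses do."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        self._pin = pin
        self._tries_left = MAX_PIN_TRIES

    def respond(self, pin: str, challenge: bytes) -> str:
        if self._tries_left == 0:
            raise CardLocked("card is locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1
            if self._tries_left == 0:
                self._key = None  # assumption: secret erased on lockout
                raise CardLocked("card is locked")
            raise ValueError("wrong PIN")
        self._tries_left = MAX_PIN_TRIES  # a correct PIN resets the counter
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return mac[:4].hex()  # the 8-digit readout the user types in


class BankServer:
    """Bank side: knows the card key, hands out one challenge per session."""

    def __init__(self, card_key: bytes) -> None:
        self._card_key = card_key
        self._pending = {}  # session -> outstanding challenge

    def new_challenge(self, session: str) -> bytes:
        challenge = secrets.token_bytes(4)  # fresh and unpredictable
        self._pending[session] = challenge
        return challenge

    def verify(self, session: str, response: str) -> bool:
        challenge = self._pending.pop(session, None)
        if challenge is None:
            return False  # no challenge issued, or already consumed (replay)
        expected = hmac.new(self._card_key, challenge, hashlib.sha256).digest()[:4].hex()
        return hmac.compare_digest(expected, response)


def login(server: BankServer, card: SmartCard, pin: str, session: str) -> bool:
    """One e-banking logon: challenge on screen, response from the reader."""
    challenge = server.new_challenge(session)
    try:
        response = card.respond(pin, challenge)
    except (ValueError, CardLocked):
        return False
    return server.verify(session, response)


def demo() -> dict:
    key = secrets.token_bytes(16)
    card = SmartCard(key, pin="4711")
    bank = BankServer(key)
    results = {"good_pin": login(bank, card, "4711", "s1")}
    # Replaying a captured response must fail: the challenge was consumed.
    challenge = bank.new_challenge("s2")
    old_response = card.respond("4711", challenge)
    bank.verify("s2", old_response)
    results["replay"] = bank.verify("s2", old_response)
    # Three wrong PINs lock the card; afterwards the right PIN no longer helps.
    for _ in range(MAX_PIN_TRIES):
        login(bank, card, "0000", "s3")
    results["after_lockout"] = login(bank, card, "4711", "s4")
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are that a sniffed response is useless (each challenge is consumed on first use) and that the PIN is only ever compared inside the card, so a lost card yields three guesses and nothing more.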
  • by bitslinger_42 ( 598584 ) on Friday December 10, 2004 @02:57PM (#11053929)

    Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

    There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversible password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

    Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically sends a new list before the old one is exhausted.

    The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.
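The two "something you have" schemes raised in this thread (the time-sequenced token with a PIN from stecoop's comment and the mailed one-time code list from the comment just above), as an added example that is not RSA's SecurID algorithm, not any bank's TAN scheme, and not code from the thread. It assumes a 20-byte seed shared by token and server, a 60-second step with one step of clock skew tolerated, a server that stores only a salted hash of the PIN, and a list of six-digit codes crossed off on use; `TokenServer` and `TanList` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed example: 60-second HMAC time token checked together with a
# PIN, plus a mailed one-time code list. Assumptions: 20-byte shared seed,
# one step of clock skew accepted, PIN stored only as a salted PBKDF2 hash.
STEP_SECONDS = 60
SKEW_STEPS = 1


def token_code(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Six-digit code for the interval containing `now` (HOTP-style truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class TokenServer:
    def __init__(self, seed: bytes, pin: str) -> None:
        self._seed = seed
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._last_counter = -1  # highest interval already consumed (anti-replay)

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify(self, pin: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if counter <= self._last_counter:
                continue  # a code from this interval was already accepted
            expected = token_code(self._seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False


class TanList:
    """Mailed list of one-time codes; each is crossed off after use."""

    def __init__(self, size: int = 10, reorder_at: int = 3) -> None:
        codes = set()
        while len(codes) < size:  # distinct codes only
            codes.add(f"{secrets.randbelow(10**6):06d}")
        self.codes = sorted(codes)
        self._unused = set(self.codes)
        self._reorder_at = reorder_at

    def use(self, code: str) -> bool:
        if code not in self._unused:
            return False  # never issued, or already crossed off
        self._unused.discard(code)
        return True

    @property
    def needs_reorder(self) -> bool:
        """True once the list is nearly exhausted, so a new one can be mailed."""
        return len(self._unused) <= self._reorder_at


def demo() -> dict:
    seed = bytes(range(20))  # fixed seed so the run is repeatable
    server = TokenServer(seed, pin="2468")
    now = 1_102_700_000  # fixed timestamp, December 2004
    code = token_code(seed, now)
    results = {
        "pin_and_code": server.verify("2468", code, now),
        "same_code_again": server.verify("2468", code, now + 5),
        "wrong_pin": server.verify("1111", token_code(seed, now + 120), now + 120),
        "stale_code": server.verify("2468", code, now + 3 * STEP_SECONDS),
    }
    tans = TanList(size=4, reorder_at=2)
    first = tans.codes[0]
    results["tan_first_use"] = tans.use(first)
    results["tan_reuse"] = tans.use(first)
    results["needs_reorder"] = tans.needs_reorder
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the server does with the PIN: it is never used as the token seed (the weakness stecoop points out) but checked separately from a salted hash, and a code is accepted at most once even inside its 60-second window.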

  • by maskedbishounen ( 772174 ) on Friday December 10, 2004 @02:58PM (#11053942)
    Yes. :)

    I have two different sets. One specifically for online site like PayPal, my bank, etc. The other is for generic internet thing.

    The important stuff set is then further split into one of two passwords, chosen depending upon how "important" the site is. So my Amazon account won't use the same as my bank, and such.

    The generic set is split into three, or occasionally four, also based on importance.

    The rare fourth is my root password, the third my normal login, second for general web usage, and last for throw away usage.

    I tend to use the throwaway one a lot. /., IRC, Gmail. In fact, all my friends know it, and I've yet to have them play around with my stuff. YMMV, and you should still rotate passwords every so often . . . or so I'm told.
  • by 99BottlesOfBeerInMyF ( 813746 ) on Friday December 10, 2004 @02:59PM (#11053953)

    anyone else have a few standard passwords?

    For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

  • Picture Passwords (Score:5, Interesting)

    by spun ( 1352 ) <loverevolutionary@@@yahoo...com> on Friday December 10, 2004 @03:03PM (#11054007) Journal
    One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, let's use a wavy line and start on e. Our 8 character password would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
  • by BurritoJ ( 75275 ) on Friday December 10, 2004 @03:10PM (#11054080)
    My solution to secure passwords is to look around my office, at my bookshelf, at the documents/notes/references on my desk and pick an unusual set of words, hAx0r the spelling, and mix in some special chars *$&% as appropriate and out comes a secure password, with locational mnemonics if I forget it. If someone manages to brute force 3tt3r_4Tran77 then I have got lots of other problems. Fortran77 w/ Numerical Methods by Etter if you're curious, and no... it's not actually a password in use.
  • by nizo ( 81281 ) on Friday December 10, 2004 @03:19PM (#11054199) Homepage Journal
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
    a E9 b ?p c &m
    d 6K e aY f eP
    g !S h gn i D=
    j Hd k vw l Cb
    m W5 n 4$ o R3
    p x% q 7M r NF
    s +2 t s* u Ay
    v fL w zG x Zu
    y cX z Qr
    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
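The laminated-card scheme above, as an added example (not the poster's Perl program). It generates a fresh card from the OS random source, derives a password from a memorised word, and puts a number on what the card is worth to whoever finds the wallet. Assumptions: each letter maps to two symbols from the `SYMBOLS` set below, the word is lower-case letters only, and the card in the post is transcribed here as constructed test input.

```python
import math
import secrets
import string

# Constructed example of the lookup-card scheme. Assumptions: two symbols
# per letter drawn from SYMBOLS (70 characters), lower-case words only.
SYMBOLS = string.ascii_letters + string.digits + "!$%&*+=?"


def make_card() -> dict:
    """Random two-symbol entry for each of a..z, from the OS CSPRNG."""
    return {c: secrets.choice(SYMBOLS) + secrets.choice(SYMBOLS)
            for c in string.ascii_lowercase}


def render(card: dict, per_row: int = 3) -> str:
    """Lay the card out three pairs per row, as in the post, for printing."""
    cells = [f"{c} {card[c]}" for c in string.ascii_lowercase]
    return "\n".join(" ".join(cells[i:i + per_row])
                     for i in range(0, len(cells), per_row))


def derive(card: dict, word: str) -> str:
    """Look each letter of the memorised word up on the card and concatenate."""
    return "".join(card[c] for c in word.lower())


def guess_space_bits(word_len: int, card_known: bool) -> float:
    """log2 of the guesses an attacker faces for a word of `word_len` letters.
    Without the card every 2*word_len-symbol string is possible; once the
    card is found only 26**word_len words remain (fewer if the word is in a
    dictionary), so the card, not the password, is the secret."""
    if card_known:
        return word_len * math.log2(26)
    return 2 * word_len * math.log2(len(SYMBOLS))


# The card from the post, transcribed as constructed test input.
POSTED_CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

if __name__ == "__main__":
    print(render(POSTED_CARD))
    print(derive(POSTED_CARD, "bank"))  # ?pE94$vw
    print(round(guess_space_bits(4, card_known=False)), "bits without the card")
    print(round(guess_space_bits(4, card_known=True)), "bits once the card is found")
```

With a four-letter word the numbers come out at roughly 49 bits while the card is secret and under 19 bits once it is not, which is the point the poster makes about the backup copy: the card is the credential.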
  • by Rage Maxis ( 24353 ) on Friday December 10, 2004 @03:23PM (#11054255) Homepage
    I gave up on password security after working for a health management company that had name/same name as login and password on the SQL servers on real IP's. "they were behind the firewall!" BUT THE FIREWALL IS FORWARDING ALL THE PACKETS TO THE SQL PORTS!

    The best part was after sending a note around on the new policy of 12 digit case sensitive alpha numeric mkpwd (or mkpasswd, I forget which one is which) that were FORCED on the user. The 2nd point on the note was that "PASSWORDS ARE NOT TO BE STUCK ONTO MONITORS USING YELLOW STICKIT NOTES."

    I found 42 examples of where the note was posted on the bulletin board the password was changed back to flully or dave or whatever typical passwords they usually used, and then that was on the monitor with a message like "Darlene, look at my case files, my password is DAVE" -- even though she can look at them from her user account and thus TRACK CHANGES FOR COURT LIABILITY ... no, instead the password goes on the monitor.

    The real kicker was that they worked with a major canadian bank and as such had a Lotus Notes over SHIVA connection into the bank core network. The bank was furious that our insecure network was allowed to connect to theirs with Shiva being run on the same windows 98 or ME (not my idea to install that, believe me) machines that were running with no admin kits, no policies, no process watchers or anything else resembling security -- and when I arrived no updated antivirus and no patching.

    No wonder, especially since the bank used ultra-hard to remember 6 digit capital-letter + numeric passwords. Once again the 50-something women couldn't remember those so they were on the monitor too.

    When they finally did get rooted (and massively I might add, the best was the windows NT 4.0 SP2 unpatched server which had an IP in the external range and an internal IP with routing turned on and telnet with a guest account enabled.) it was because of "evil hackers intent on disrupting legitimate commerce"

    In reality the problem is consultants who want to get things rolled out as quickly as possible. The next problem are managers who are more worried about the whining of their staff in regards to the ENSLAVEMENT of having to remember 10+ digit alpha numeric passwords (I have trained myself to do it in 8 looks.) and not be able to run their solitaire web games at lunch and things like that.

    The next problem is that even with passwords being there, there are countless machines where people just go around the password mechanism using exploits.

    Personally I dictate anyone using my personal mailserver, etc. use 12-byte alpha-numeric case-sensitive passwords generated with whatever that app is mkpwd or mkpasswd, I usually have to type it twice to get the one I want. They work really well and take forever to brute force.

    I've tried playing with other mechanisms like finger print ID (at an old venture place I worked at they spent 2 years messing with this) and smart cards and the like. Nothing has really been satisfactory especially when you add any degree of road warrior (which is the place where security of IP and passwords is really important) the solutions are generally worthless as it is VERY expensive and inefficient to give authentication validation hardware to even a road warrior to carry with them.

    Also in the end many of the security validation tools work using internally a hash that is effectively a password anyways. Use the scene in star wars return of the jedi as an example when they are breaking into the power station for the shield. Enough blaster will open anything. Inside most fancy locks is an actuator which if given power will open the door. Thus a however expensive panel with fancy computer inputs and strong passwords can just be torn out and a battery with two wires used from k-mart in its place. Keep this in mind.

    Additionally, if you've ever seen the output of dsniff running on mirror channel traffic on a master switch in a large IT shop the passwords just scr
  • Re:Picture Passwords (Score:2, Interesting)

    by gowen ( 141411 ) <gwowen@gmail.com> on Friday December 10, 2004 @03:29PM (#11054342) Homepage Journal
    These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
    Unfortunately, they're really easy to brute force. 40-odd starting positions, but then a maximum of only 8 directions in which to move for the next letter.

    Which means the size of the 8-character password space has been reduced by a factor of about 80,000. Yuck.
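The keyboard-walk passwords from the "Picture Passwords" comment and the keyspace objection in the reply above, worked through as an added example (not code from either poster). It models a US QWERTY layout of 36 keys (digits and letters), treats two keys as adjacent when they sit in the same or a neighbouring row within one key-width horizontally (an assumption; the reply's "8 directions" is the same idea), counts every 8-key walk by dynamic programming, and compares that with all 36^8 strings.

```python
# Constructed example: size of the keyboard-walk password space on a US
# QWERTY layout. Assumption: keys are adjacent when in the same or a
# neighbouring row and at most one key-width apart horizontally.
ROWS = [("1234567890", 0), ("qwertyuiop", 1), ("asdfghjkl", 2), ("zxcvbnm", 3)]


def key_positions() -> dict:
    """Map key -> (row, x) with x in half-key units so row offsets stay integer."""
    pos = {}
    for row, (keys, offset) in enumerate(ROWS):
        for i, k in enumerate(keys):
            pos[k] = (row, 2 * i + offset)
    return pos


def neighbours() -> dict:
    pos = key_positions()
    adj = {k: set() for k in pos}
    for a, (ra, xa) in pos.items():
        for b, (rb, xb) in pos.items():
            if a != b and abs(ra - rb) <= 1 and abs(xa - xb) <= 2:
                adj[a].add(b)
    return adj


ADJ = neighbours()


def is_keyboard_walk(password: str) -> bool:
    """True if every character sits next to the previous one on the keyboard."""
    p = password.lower()
    return all(c in ADJ for c in p) and all(b in ADJ[a] for a, b in zip(p, p[1:]))


def count_walks(length: int) -> int:
    """Number of walks of `length` keys (revisits allowed), by dynamic programming:
    ways[k] is the number of walks so far that end on key k."""
    ways = {k: 1 for k in ADJ}
    for _ in range(length - 1):
        ways = {k: sum(ways[n] for n in ADJ[k]) for k in ADJ}
    return sum(ways.values())


def reduction_factor(length: int = 8, alphabet: int = 36) -> float:
    """How many times smaller the walk space is than all alphabet**length strings."""
    return alphabet ** length / count_walks(length)


if __name__ == "__main__":
    for pw in ("fr456yhg", "password"):
        print(pw, "is a keyboard walk:", is_keyboard_walk(pw))
    print(f"{count_walks(8):,} walks of 8 keys vs {36**8:,} strings, "
          f"factor {reduction_factor(8):,.0f}")
```

A cracker does not need the exact count: it just enumerates the walks, and a space of a few million candidates is a dictionary attack, not a brute force.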
  • by INetEngineer ( 816350 ) on Friday December 10, 2004 @03:36PM (#11054427) Homepage
    Perhaps integrate science table codes into your password or other known reference "codes" to known items (such as dates for historic events). What's the number for Einsteinium? Use that in your password...

    For example, the following uses the atomic weight of Einsteinium, year the Human Genome Project completed, traditional formula for Einsteinium (III) iodide, and a hint that the formula both references the III iodide and not II and is not the Hill system formula.
    "My252BrainWasMapped2003WithThe3rdColorEsI3NotHill"

    Of course, this password is incredibly long, but things like dates, chemical formulas, periodic table mappings, physics formulas, or algebraic formulas, all provide a concise means of generating short passwords that can be looked up if you ever forget them.

    Similar to encryption, you have now encoded your password with keys that are easy to remember, or lookup if you can't remember (Date of Mt. Rushmore Dedication ceremony + Formula for Benzene).
  • by Lumpy ( 12016 ) on Friday December 10, 2004 @03:55PM (#11054610) Homepage
    no kidding....

    the IT gurus that pride themselves on security at the HQ were bragging that most of our company users were using good passwords.

    I suggested they let me have a crack at it.

    I broke over 40% of the passwords by simply adding the YYMM as in last 2 digits of the year and the month as digits to the end of every password tried from the dictionary.

    they were surprised and I said, "your fault for forcing 30 day password expiration on the domain."

    this was 1 year ago.

    they still have not changed their policies, and now want everyone to have their last 4 social security number in their username..

    now i can spoof tech support easily as they ask you for validating who you are.....

    the last 4 of your Social security number.

    we have complete morons running our IT department.
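The dictionary-plus-YYMM attack the comment above describes, as an added example (not the poster's tool). An unsalted SHA-256 stands in for whatever the domain stored; the wordlist and the "captured" hashes are constructed for the demo. The idea being shown is that a 30-day expiry policy tells the attacker which four-character suffix to try first, so the search is the dictionary times a handful of dates, not the dictionary times 10^4.

```python
import hashlib
from datetime import date

# Constructed example of a hybrid (dictionary + date suffix) attack.
# Unsalted SHA-256 stands in for the domain's hash; wordlist and the
# captured hashes below are made up.


def password_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


WORDLIST = ["password", "welcome", "letmein", "summer", "dragon", "monkey"]


def yymm_suffixes(today: date, months_back: int = 3) -> list:
    """YYMM for this month and the previous `months_back` months, newest first.
    With a 30-day expiry the suffix in use is almost always one of these."""
    out = []
    year, month = today.year, today.month
    for _ in range(months_back + 1):
        out.append(f"{year % 100:02d}{month:02d}")
        month -= 1
        if month == 0:
            month, year = 12, year - 1
    return out


def case_variants(word: str):
    yield word
    yield word.capitalize()
    yield word.upper()


def hybrid_crack(hashes: dict, wordlist: list, suffixes: list) -> dict:
    """Word x case variant x suffix, one hash lookup per candidate.
    `hashes` maps user -> stored hash; returns user -> recovered password."""
    lookup = {h: u for u, h in hashes.items()}
    found = {}
    for word in wordlist:
        for variant in case_variants(word):
            for suffix in [""] + suffixes:
                candidate = variant + suffix
                user = lookup.get(password_hash(candidate))
                if user is not None:
                    found[user] = candidate
    return found


# Constructed "dump" from a domain with 30-day expiry, audited on 2004-12-10.
CAPTURED = {
    "alice": password_hash("Welcome0412"),
    "bob": password_hash("dragon0411"),
    "carol": password_hash("tr0ub4dor&3"),
    "dave": password_hash("SUMMER0410"),
}


def audit(hashes: dict = CAPTURED, today: date = date(2004, 12, 10)) -> dict:
    return hybrid_crack(hashes, WORDLIST, yymm_suffixes(today))


if __name__ == "__main__":
    cracked = audit()
    print(f"{len(cracked)}/{len(CAPTURED)} cracked: {cracked}")
```

Run against the constructed dump, three of the four accounts fall to 6 words x 3 case forms x 5 suffixes, ninety hashes in total; only the account whose password is not dictionary-derived survives.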

  • by jdreed1024 ( 443938 ) on Friday December 10, 2004 @04:02PM (#11054678)
    Amen to that. Now, admittedly, having one password for all your services is kind of bad, since it's a single point of failure. But what's worse is the obscure requirements some websites have. Here's a list of the password requirements for all sites I use on a daily basis:
    • 6-8 characters, containing at least 1 number and 1 letter, the number must not be the first or last character. No special characters. Password cannot be the old one if you change it.
    • 4 character maximum, only letters and numbers.
    • 6 characters, only capital letters and numbers, no lowercase
    • 8 characters, may not share any characters with your login id
    And that's just the ones I can think of off the top of my head. Of course, my main account that I use daily, uses Kerberos, so I can have passwords up to 255 characters, including punctuation. My bank website also has a sane system that allows me to use my usual password-derivation method (pick interesting phrase or sentence, take first letter of every word, and punctuation marks, and combine with a number).

    The thing that really got me was the 4 character password. I called them and they said it was "more secure". Alas it was only a phone droid, so there was no point arguing, but wow.

    Of course, the most insecure password for anyone in the US is probably their PIN for their ATM card. It's only 4 digits, each from the set 0-9. That's pretty trivial to brute-force. The only reason not to is because all ATMs have cameras, so the more you visit (most ATMs eat the card after 3-4 incorrect PINs), the more chance you have of being caught on camera. Why we can't move to variable length PIN numbers is beyond me.
    <troll> Probably because Diebold is too busy rigging elections to come out with better ATMs </troll>

  • by jdfox ( 74524 ) on Friday December 10, 2004 @04:15PM (#11054790)
    I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

    We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

    But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

    That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
    Doooo, ya stupid idjit rabbit! [barbneal.com]

    State-of-the art tech is no match for the apparently limitless stupidity of users.

    In the end, we did the only sensible thing, and revoked offsite dial-in for that group.
  • by TykeClone ( 668449 ) * <TykeClone@gmail.com> on Friday December 10, 2004 @04:26PM (#11054938) Homepage Journal
    This guy from Microsoft agrees with you http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx [msdn.com]

    Pass phrases are at least easier to remember than long passwords (compare "I am the walrus, koo-koo-kachoo!" to your example) and are long enough to be more problematic for password cracking programs.

  • by Anonymous Coward on Friday December 10, 2004 @04:35PM (#11055057)
    Doesn't matter since the PIN-on-Card scheme uses a challenge/response. You need the physical card and its PIN; you can't swipe the magstripe like today's hostile ATMs and make a copy of the card.

    So you need to take the physical card, at which point you might as well take the money instead. The owner will know and will block the card immediately.
  • 8?! I wish. (Score:2, Interesting)

    by Derekloffin ( 741455 ) on Friday December 10, 2004 @04:39PM (#11055129)
    I had about 8 passwords when I first entered college. I'd guess I'm way over that now, nevermind the obscure user names on top of these.

    I mean, let's just see:

    At Work:

    general network, 1 email, 5 account passwords.

    At Home:

    1 email, about 3 ones for various online games, and 2 for instant messaging programs.

    Online:

    About 4 for various online vendors, 1 for a website I commonly go to, and probably another dozen I just got along the line for sites I rarely visit.

    Out and about:

    Can't forget that pin number

    I'm not at school anymore, but when I was:

    1 network

    3 computer science account passwords

    1 library

    So, what's that, 20+? I'm not even a heavy online shopper so I could expect many other people to easily break 30+. And again, this doesn't consider that many sites demand some cryptic username too, and stupid security protocols that demand you change your password every other week.

  • No shit! (Score:3, Interesting)

    by lorcha ( 464930 ) on Friday December 10, 2004 @04:42PM (#11055164)
    I know the feeling. I just started a new job and I needed to come up with a login password. The password I wanted to choose was a pretty-much unguessable 'wkxudf1'.

    But nooooooo that was not acceptable. It needed a capital letter and a special character. By the time I was done fighting with the password change program, my password was 'Abcdef-1'. Take a wild guess what my password will be when I have to change it next month?

    Totally insecure, but at least I can fucking remember it. And if I ever forget, I can just look at my /. comment history!

  • by Dr. Manhattan ( 29720 ) <(moc.liamg) (ta) (171rorecros)> on Friday December 10, 2004 @04:44PM (#11055200) Homepage
    There are tons of encrypting password apps for handhelds. At various times I've used:

    Lots easier to work with multiple places (home, work, web, etc.)

  • by Anonymous Coward on Friday December 10, 2004 @05:11PM (#11055529)
    There are password generators available which calculate session passwords against a user name in combination with a password. If you want to login you get a passphrase which has to be put into a session password calculator within 30 seconds. Otherwise the session password is denied by the system. On the other hand using a different user administration (like LDAP) than system default in combination with a hardened system (like Trusted Solaris) makes it more secure against hackers. Such a system uses role based access to the system. Even the root user doesn't have rights to access user directories of other users on that system.
  • by Anonymous Coward on Friday December 10, 2004 @05:44PM (#11055863)
    At my job as a DoD contractor on an Army post, we recently had to start using DoD's new uber-leet password schema, as seen on the Army webmail site--(at least) two upper, two lower, two numeric, two alpha, two punctuation--and change them every 90 days. Guess how we've been told to do it? Have the two numeric at the end, and increment them. (posting A/C for obvious reasons)
  • My password is Pi (Score:3, Interesting)

    by Archangel Michael ( 180766 ) on Friday December 10, 2004 @05:47PM (#11055886) Journal
    I just won't tell you the starting offset. :D

    I always imagined that Pi or one of the other irrational numbers would be a great encryption hash. Easy to generate, remember etc, but hard to hack, since we don't know the starting offset.

    It could be a nonrepeating hash or even a repeating one. All you would need to know is the starting offset, you could encrypt a very long document, with a singular and easy to remember hash point, ie Pi x 259313 r1024 would mean Pi hash starting at 259313 repeating 1024 numbers.

    I am sure that some pointy head math wizard will explain why this will not work.
