MS Employee Calls for No More Passwords 614
BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."
Offer Void on pre-2000 MS operating systems. (Score:5, Informative)
Therefore, if you have any legacy systems to support, these password tips don't apply to you, and that's got to be part of the reason there hasn't been much of a movement to suggest that users use longer passwords.
People are lazy (Score:4, Informative)
I have convinced a majority of my friends & family to at least stop using dictionary words and names of pets. Instead, I have them pick some favorite line from a movie or book and then use the first letter of each word. It's easy to remember, so they don't stick it on the bottom of their keyboard. It also is not a word in the dictionary so at least Crack & friends can't be used to guess it.
For example, if one of my friends is a Dead Head, he might use "stlasom.oticbs" If you're a Dead Head you'll probably be able to guess the lyric. But you *won't* be able to find it in a dictionary.
Re:Offer Void on pre-2000 MS operating systems. (Score:1, Informative)
Irresponsible journalism (Score:2, Informative)
Instead, the Microsoft employee is merely suggesting the use of longer passwords. I am shocked and appalled that a respectable forum such as Slashdot is stooping to "sexing up" its material in this manner.
For generation of strong and easy to remember ... (Score:3, Informative)
It's not LoftCrack (Score:3, Informative)
Re:Biometrics (Score:5, Informative)
Not to mention that fingerprints are left EVERYWHERE.
Re:Biometrics (Score:5, Informative)
It's a lot easier to remember a series of words than a series of digits that have no obvious relationship to each other.
Passphrases are MUCH easier (Score:5, Informative)
1. Must contain at least 8 characters
2. Must contain at least 2 lowercase letters
3. Must contain at least 2 capital letters
4. Must contain at least 2 numbers
Since a lot of people cant grok this we start to see passwords like 34erdfCV. If you are using a QWERTY keyboard take a look at that password and tell me whats wrong with it.
Since I saw this article in a MS Security newsletter I've started using passphrases. Here is an example of my Windows Server 2003 administrator login (local only, not going to help you). "Rent is due on the 5th". Now I see many comments already talking about how that is so much harder to type than "34erdfCV" but I beg to differ. For me at least it is much easier to type a coherent sentense than a bunch of random letters and numbers.
This password is not only easy to type, but it is very secure. I'm sure some mathematician is going to come down on my with a bunch of stats about how I'm wrong and what not but just the fact that the LM hash is not stored when you use a password larger than 14 characters helps significantly. Sure you can tell windows not to store a LM hash by editing the registry but do you really expect all employees of a mid size company to follow directions that start out like "Click Start, then Run. Type 'regedit' and click OK"?
Now of course this isn't going to defend you against the ol' linux bootdisk trick, or that awesome "NT Password Recovery" bootdisk, which is basically linux which allows you to overwrite the password, but thats what NTFS and encryption is for. And if you've got physical access all bets are off anyway. At least you know they wont be able to run a rainbow table lookup on your LM hash and figure it out in a few seconds.
Also, passphrases are easier to remember, harder to guess, harder to figure out by watching someone type them, and if your really that dense you can just pick up a book off your shelf, turn to a page, type in the first sentense and remember the book and page number.
And there is an added bonus to having a passphrase over 14 characters that you are all completely missing here. When the hot chick in accounting sees you keying in some enormously long password she will think your smart and savy and will want to have hot sex with you right there in the server room.
Well, maybe not the hot chick and sex part.
Now, what would be a good long slashdot post without a question for you to ponder. If you havent figured yet I'm the sysadmin at this company and am trying my hardest to find a way to "sell" this passphrase idea. It seems that the easiest thing to do in IT is configure complex servers and firewalls and support ID10T's. The hard part is "selling" common sense stuff like SSL and passphrases.
"You mean we're going to have to add an 's' to the end of 'http', do you really expect 100 people to change their bookmarks! They've been using those bookmarks all year!"
Insight from other admins very welcome.
Re:Biometrics (Score:5, Informative)
Here's a link to a Norwegian article about one successful breach:
http://www.tu.no/nyheter/ikt/article30692.ece [www.tu.no]
The article links to this Swedish one on the same story:
http://www.nyteknik.se/pub/ipsart.asp?art_id=3739
and this concerning some Japanese experiments:
http://www.rootsecure.net/content/downloads/pdf_d
(mind the
Re:Biometrics (Score:5, Informative)
Even worse, some fingerprint-based biometric sensors that were being toted as secure were able to be broken by simply blowing warm breath on the reader, much like when you go up to a cold, glassy window and fog it with your breath. The biometric sensors, for one reason or another, read the previous fingerprint.
Again, it all depends on which system is in question, but my research found that most biometric systems were able to be broken, sans bloody, cut-off fingers or jelly replicas. Of course, they are toted as super-secure.
That is why the fundamental rule for using biometrics for authentication is as follows:
Biometrics aren't meant to replace passwords/passphrases. They are meant to be used as an added layer of security in addition to the password.
(As a side note, if you wanted to do more than just get the copy of fingerprints, invite someone out for beer and french fries at the local bar and bring some scotch tape with you. When they are done and leave, take their greasy, finger-print covered glass and apply the scotch tape to it. You will lift the oily fingerprint. Depending on how the system works, you can now use watery ink to get a negative of the fingerprint. Print this onto the old boards they used to hand-make printed circuit boards, etch the board with chemicals, and come out with a fairly 3-D version of the fingerprint. Now, make your standard flat, thin jelly mold and, when set, wrap it on your finger. Viola!)
Re:Offer Void on pre-2000 MS operating systems. (Score:3, Informative)
Works just fine on password-size challenged systems.
One of the article's points (and a topic of discussion in the security field for some time now) is the practice of pre-computing the hash of every possible password up to a certain length - a.k.a. "rainbow tables". Against this kind of attack, every password of a given length is equally secure.
Long passphrases, however, (15-20 characters or more) should be safe at least until the advent of quantum computing.
Re:Biometrics (Score:4, Informative)
Nonsense. I recall the phrase "Whan that April with his showres soote" from 20 years ago when I read it for the first and last time. 3 years before that I memorized pi to 21 decimal places --- I still know them. How about "Now is the winter of our discontent"? or "The lord is my shepherd. I shall not be in want"? or thousands of others?
Memorizing a phrase -- particularly a phrase that means something to you, is not as difficult as memorizing the first 3 entries in the phone book.
Re:Offer Void on pre-2000 MS operating systems. (Score:5, Informative)
Took a bloody age to authenticate though.
absolutely! (Score:5, Informative)
For more information on this, this [google.com] Google search produced some good sites explaining tihs.
Also, in just conducting that search, I learned that 2000 and XP is apparently immune from this particular problem, according to this site [securityfocus.com].
"With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."
Re:two obvious problems with this idea (Score:3, Informative)
Correct and insightful.
What I use for high-security applications and recommend to clients is a genuinely random passphrase. You generate it one word at a time without regard to grammar by using 5 dice and the list of 6**5 short words at the Diceware [diceware.com] page. Then you make up some kind of story to go with a phrase like "cleft cam synod yr" (hey, challenges are good for you) so you can remember it.
Bruce Schneier wrote that passwords are dead because normal people can't memorize enough randomness to defeat a brute force attack. I took that as a challenge and memorized a 10-word Diceware passphrase, which has about 129 bits of entropy. Of course that doesn't prove Schneier wrong, just that I'm abnormal :-)
Broken implementation, not broken technology (Score:4, Informative)
Everybody else mixes random salt bytes into passwords prior to hashing. Unix was doing this over 20 years ago. Modern systems use long (16+ character) salts that make precomputed hash tables infeasible for many years to come.
Some platforms use a better system [openbsd.org] still, that makes it more difficult for password guessers now and well into the future.
The only intrinsic problem with passwords is that people choose dumb ones, but again this can easily be fixed with a little technology [openwall.com]
It's getting crazy out there... (Score:3, Informative)
Come up with a tool to help users choose a quality password and have them change it less frequently. OS X has a password strength indicator which is accessible from the change keychain password dialog box. Click the little i button next to the ? button. It will measure the quality of your password.
We are working on SSO - Single Sign On because the users swamped the outsourced help desk with thousands of extra calls every month due to passwords getting locked out. Most users have an average of 12-20 passwords with admins having many more.
SSO should reduce the number of passwords to 4-5. We will also be implementing something like an RSA hardware key at the same time, this gives you two distinct checks.
Personally, I like the idea of a USB based device that works like a smartcard. Plug it in and type a high quality pass-phrase and then you can access everything and never type another password. Time it out with the screensaver. Auto-lock everything if you unplug the USB device.
If the USB key is lost, replace it and invalidate the keys that were on it. Of course, this sucks if the device is lost and you are traveling.
IBM's running an ad with a biometric scanner built into their ThinkPad's. Now that's an idea, the user can't lose their USB key or RSA token that way, just the whole laptop!
The Guy The Microsoft Plagerist Copied is Right (Score:3, Informative)
That won't stop Microsoft from taking credit for this "new, revolutionary idea in computer security," or the Microsoft apologists accusing everyone else from "copying Microsoft instead of innovating" when it becomes more common practice among everyone, some percentage of which will include Linux and OS X users. Nevermind the PAM modules supporting this have been around forever, or that pretty much anyone with half a brain using GnuPG or PGP has been doing this forever either.
Encrypted Key Exchange protocols (Score:3, Informative)
These methods are immune to sniffing and offline dictionary attacks and don't require long passphrases to be secure. You just need a password that can't be guessed in the number of attempts allowed by the server.
Examples of such protocols include Bellovin and Merritt's EKE and David Jablon's SPEKE. The Stanford SRP algorithm is related. These methods have been around since 1992. Unfortunately, all of them are patented and none of them is in widespread use. The patent status of SRP is unclear as it may infringe the EKE patent.
Re: It's no joke! (Score:5, Informative)
Keepass (Score:2, Informative)
Re:No one will ever break my password! (Score:2, Informative)
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them.
Hoch SeHmeH wa' Qeb 'ej bIH maghmeH wa' Qeb,
Hoch qemmeH 'ej ramDaq bIH baghmeH wa' Qeb
H0(h $3Hm3H w4' Q3b '3j b1H m49hm3H w4' Q3b,
H0(h q3mm3H '3j r4mÐ4q b1H b49hm3H w4' Q3b
Re:Biometrics (Score:3, Informative)
You are correct that it is iris scanning.
Now, there isn't much I can say about your attitude about my simple mistake except that I have written papers regarding biometric systems (and I promise they had much more thought and care put into them than my quick Slashdot post) and I apologize because that really did make me look like an ass. (Cue the AC trolls making stupid ass comments)
But I do think you were a bit harsh over a simple mistake. We can discuss this like professionals without having to be snitty. (Although admittedly...that was a pretty silly thing I wrote.)
Also, one correction (or, I guess, addition?): not all eye-based "biometrics" systems (at least, that are sold as such) look at the actual physical metrics of the eye. I can promise you that a good part of them actually only take a single image (camera/image-based) and compares them with a stored image, much like the old facial systems did. With a high-resolution scan of the eye, these have been easily fooled. (They are also terrible as far as false negatives.)
I find that the biggest problem with biometrics (and I am not against using them as a complementary authentication system) is getting the vendors to be honest about how their particular system works. Frankly, though, in businesses you market everything as though it has gold legs on it, so I can't really blame them.) When their sales hype of "Ooooo, Biometric!" works, people don't give much ado to the fact that an image on a piece of paper or a fogged glass can work. These aren't Star Trek solutions, these are proven-in-the-lab red team analysis of these systems. Now, while mom and pop shops probably don't have to worry about someone following them to the bar to lift fingerprints, yes, there are "high-security" situations where espionage is a concern.
I bid you good day.
Password Safe (Score:1, Informative)
Don't forget to use a good, long passphrase as the database's Master Password.