MS Employee Calls for No More Passwords
BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing this more often."
Biometrics (Score:5, Interesting)
converting to all passphrases. First, the person will probably use the same passphrase for everything because it's too difficult to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (In the US, at least) are limited to 10 digits because research shows the average person can only memorize 10 digits, as a result...we tend to write things down, or in the case of data people are likely to store their passphrases in a central location that is still prone to theft/decryption.
Biometrics, on the other hand, requires that you only have your body present at the time! No special USB keys to lug around, no pieces of paper with important passwords/phrases. This won't solve the problem of possible data interception when talking about remote authentication--but every form of authentication is prone to such attacks when transmitted.
good news, everybody (Score:3, Interesting)
*yeah, right*
this "idea" is described in every single tutorial/howto/paper/note about password security. it's a good idea, i've been doing it for years, it has most likely been mentioned on slashdot countless times, but here we go again.
at times i forget why i am such an avid reader; it provides me with "stuff that matters" and makes me feel like i know more than all the others, from time to time
jethr0
Bible as the next crack dictionary? (Score:3, Interesting)
IMHO, passphrase would make it easier for a hacker to successfully hack a system. For example, myself:
- Make a google search for my name
- See that The White Stripes is among my favourite groups
- Add The White Stripes lyrics to the crack dictionary
- Attack, and probably succeed (password = "Why can't you be nicer to me?").
The list of all quotes in imdb mustn't be THAT big. Thus "I will have my vengeance, in this life or the next" would be a bad password. (not to mention "whoa")
Of course, IANASB (security blogger), I could be wrong.
Re:Biometrics (Score:5, Interesting)
I agree that biometrics can't be changed, but will you ever need to?
passwords? passphrases? (Score:3, Interesting)
A password is a string you know, a passphrase is a string you know.
One is probably longer than the other, big deal.
2, or 3, or 4 factor authorisation schemes are the only way forward. Like those used by some banks in, erm, Sweden?
Re:Offer Void on pre-2000 MS operating systems. (Score:2, Interesting)
It combines the best of both worlds.
i) a 'complex' password because it can't be broken by a dictionary-based attack
ii) easy to remember (sentence-based)
Add to the mix some transposition of characters (use 1's instead of i's etc etc) and you've got yourself a fairly decent password, at least better than most.
Works just fine on password-size challenged systems.
how about public key authentication? (Score:5, Interesting)
Passphrases are just long passwords with (usually) low entropy. They still have the same problems... You have to have a separate passphrase for each account, and you have to trust the computer you're using not to log your keystrokes. I would much rather carry around a device that can authenticate me and never have to remember a password again.
Why don't we all just switch to USB tokens [rsasecurity.com] for authentication? You have one device that can authenticate you by generating an RSA signature without divulging any information that would allow someone else to pretend to be you. It amazes me that more people don't use these things. I've never used one, but have considered ordering one. Does anyone out there have experience with USB tokens? Is there a good model/brand to buy? Is it easy to get them to work with Linux and ssh? Do any brick-and-mortar stores sell them?
Yah right (Score:3, Interesting)
Except for that Indian guy in the next office who never misses a key. Should have been a pianist.
It doesn't matter. (Score:2, Interesting)
From TFA: I'll use his last one ("Mean people suck!").
Given a vocab of 25,000 words, that gives us
25,000*25,000*25000=15,625,000,000,000
Roughly the same security as provided by a 9 letter password using only lower case letters.
26*26*26*26*26*26*26*26*26=5,429,503,67
Swapping 3's for e's and so forth will only mean that a couple different versions of each word would have to be searched. Each such variant (e-3, a-4, i-1) doubles the number of passwords. But it ONLY doubles them. Just adding an additional lower case letter to the end would make it 26 TIMES more complex.
He makes the mistake of assuming that each word would have to be cracked character by character. That isn't the case.
You only have to crack the largest unit of information. That's why dictionary attacks are so effective. They can crack the entire password as a single unit because it is a single unit (word or name).
Passwords/passphrases both share the same limitations. They can be cracked fairly easily (unless they're too complex in which case they get written down and completely defeated).
The simplest solution is to tie each user to a single computer and limit the password attempts to 5 or so before that user is locked out.
Or, have a physical device that plugs into the computer that allows that person to use his password on that box (with the same 5 shot limit).
Re:Biometrics (Score:5, Interesting)
Re:Biometrics (Score:3, Interesting)
Wouldn't solve the problem completely, but might make it harder to crack.
Don't enter the entire passphrase (Score:2, Interesting)
I use a passphrase such as "EDMONTONOILERSHOCKEYTEAM"
Now when you telnet to this device it answers you with a challenge of 15 random numbers displayed in three groups like this:
1 15 24 5 6
3 20 2 19 7
6 23 10 9 17
Now your response is 5 digits comprised of the character held in position X.
IE a valid response to the above challenge would be (picking group 1) IHMNT, of course you can respond to any group displayed on the screen.
This makes it hard for any keylogger device as the passphrase is never sent in its entirety, only portions of it and if you were sniffing the traffic you don't know which group of letters I am responding to.
This is good for a one time only password, if you talk to someone over the phone and want them to go in and do some tweaking you can give them the "password" and the password they just used will most likely not come up again so once they disconnect the system is once again secure.
Big drawback is you generally have to write the passphrase down in front of you so you can count what position the letters are in.
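The positional challenge described in the comment above, as an added example that is not part of the original post: a Python sketch of the verifying side. The passphrase is a constructed sample, the function and class names are hypothetical, and the grid reuses the three groups quoted in the comment.

```python
import hmac
import secrets

GROUPS, GROUP_SIZE = 3, 5
_rng = secrets.SystemRandom()


def new_challenge(secret_len: int) -> list:
    """Draw three groups of five 1-based positions into the passphrase."""
    return [_rng.sample(range(1, secret_len + 1), GROUP_SIZE)
            for _ in range(GROUPS)]


def answer_for(secret: str, group: list) -> str:
    """Characters of the passphrase at the challenged positions."""
    return "".join(secret[pos - 1] for pos in group)


class Verifier:
    # Caveat: picking characters by position means the device must keep the
    # passphrase in recoverable form; a salted hash cannot answer this check.
    def __init__(self, secret: str):
        self._secret = secret.upper()
        self._pending = None

    def issue(self, challenge: list = None) -> list:
        self._pending = challenge or new_challenge(len(self._secret))
        return self._pending

    def check(self, response: str) -> bool:
        challenge, self._pending = self._pending, None   # one attempt per grid
        if challenge is None:
            return False
        given = response.upper().encode()
        ok = False
        for group in challenge:        # any displayed group is acceptable
            want = answer_for(self._secret, group).encode()
            ok |= hmac.compare_digest(want, given)   # no early exit
        return ok


# Constructed 24-character sample passphrase and the grid from the comment.
SAMPLE_SECRET = "CONSTRUCTEDSAMPLEPHRASEX"
SAMPLE_GRID = [[1, 15, 24, 5, 6], [3, 20, 2, 19, 7], [6, 23, 10, 9, 17]]
```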
Re:Biometrics (Score:2, Interesting)
Total number of possible passwords... (Score:3, Interesting)
Simple Strategy (Score:3, Interesting)
2: put them together
3: l337'ify it.
Example:
ViewSonic
\/][eW5()n|K
hard to crack, easy to remember.
Low entropy (Score:2, Interesting)
It bothers me that few people seem to be appreciating that a 4 or 5 _word_ passphrase (as given as examples in the original article) really doesn't have much entropy at all.
Robert points out it contains capitalisation. Yes, the first letter of the first word of the sentence! And also that it contains punctuation - grammatically correct punctuation, thus so predictable as to hardly register!
He then goes on to claim how amazingly secure these 20 or so character long strings are. But in fact he's now counting in the wrong units - it's the number of words that matters, not characters. To crack his examples, all it takes is a different approach. It would take a dictionary (online? there's enough of them!) of common words and some simple grammatical rules and you could begin to brute force pass-phrases. And then it comes back to the old obscurity rules - made-up words, random punctuation, etc.
I admit it could work for a while, but if the world adopts this in a year's time there will be computer scientists (and linguists) the world over wowing everyone by guessing their passwords.
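The unit-of-guessing argument made in the "It doesn't matter." and "Low entropy" comments, as an added example that is not part of either post: a Python estimator comparing a per-character count with a word-level count for the same phrase. The 25,000-word vocabulary and the three substitution rules come from the thread; the function names and the assumption that each rule is applied to the whole phrase or not at all are mine.

```python
import math
import re

# Assumptions taken from the comments above: a 25,000-word attacker
# vocabulary and three leet rules (e->3, a->4, i->1), each either applied
# to the whole phrase or not.
VOCAB_SIZE = 25_000
LEET_RULES = 3
PRINTABLE = 95   # printable ASCII, the per-character alphabet
LOWERCASE = 26


def per_character_candidates(phrase: str, alphabet: int = PRINTABLE) -> int:
    """Search space if every character had to be guessed independently."""
    return alphabet ** len(phrase)


def word_level_candidates(phrase: str, vocab: int = VOCAB_SIZE,
                          leet_rules: int = 0) -> int:
    """Search space when whole words are the unit of guessing."""
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return vocab ** len(words) * 2 ** leet_rules


def bits(candidates: int) -> float:
    """Size of a search space expressed in bits."""
    return math.log2(candidates)


def equivalent_random_length(candidates: int,
                             alphabet: int = LOWERCASE) -> float:
    """Length of a uniformly random password with the same search space."""
    return bits(candidates) / math.log2(alphabet)


def report(phrase: str) -> dict:
    """Side-by-side estimates for one phrase under both counting models."""
    plain = word_level_candidates(phrase)
    leet = word_level_candidates(phrase, leet_rules=LEET_RULES)
    return {
        "per_char_bits": bits(per_character_candidates(phrase)),
        "word_bits": bits(plain),
        "word_bits_with_leet": bits(leet),
        "equiv_lowercase_len": equivalent_random_length(plain),
    }


if __name__ == "__main__":
    print(report("Mean people suck!"))
```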
One Time Passwords. (Score:4, Interesting)
I use s/key or opiekey (depending on OS) for ALL my remote logins. Both of these programs use a pass phrase but (even better) this pass phrase is never transmitted across the network... encrypted or not. What happens is the pass phrase is used to generate a one time pass phrase.
In practice it looks like this:
ssh localhost
otp-md5 498 la7365 ext
Password:
I then open another window: type in
opiekey 498 la7365 ext
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
type my passphrase at the prompt and it spits out:
GIG DIRE EGG HISS HUB COOK
I type that at the password prompt and go on my way (cut and paste between xterms is best here). Even if I was not using an encrypted protocol the password is useless once it is used. You can even hit enter once so the phrase will be echo'ed back to you on the screen so you don't mistype it. Doesn't matter if someone reads over your shoulder because GIG DIRE EGG HISS HUB COOK will never work again.
Next time my password might be:
KNEW LARD ARGO LARD BARE YOGA
Or whatever. The point is that it is a mixture of pass phrases with the ability to avoid sending your pass phrase over an untrusted connection. You can even print out a list of the next 10 pass phrases you will have so you can log in from a computer where you wouldn't trust it enough to run the opiekey program.
How exactly is this an insecure linux system, at least in regards to passwords?
lol, besides that... I think pass phrases are a good idea. Just a little annoying at first.
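The one-time password exchange described in the comment above, as an added example that is not part of the original post and not the s/key or opiekey code: a simplified hash chain in Python. It uses SHA-256 and raw bytes instead of the real tools' output folding and six-word encoding; the passphrase is a constructed sample, the class and function names are hypothetical, and the sequence number and seed mirror the challenge shown in the comment.

```python
import hashlib
import hmac


def chain(passphrase: str, seed: str, count: int) -> bytes:
    """Hash seed+passphrase `count` times (simplified: SHA-256, no folding)."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Holds only the last accepted chain value, never the passphrase."""

    def __init__(self, seed: str, count: int, initial: bytes):
        self.seed = seed
        self.count = count        # sequence number of the stored value
        self.stored = initial     # chain(passphrase, seed, count)

    def challenge(self) -> tuple:
        # The client must answer with the value one step earlier in the chain.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False          # chain exhausted: enrol again with a new seed
        hashed = hashlib.sha256(response).digest()
        if not hmac.compare_digest(hashed, self.stored):
            return False
        # A captured response is useless afterwards: the next valid answer is
        # a preimage of this one, which an eavesdropper cannot compute.
        self.stored = response
        self.count -= 1
        return True


def demo() -> dict:
    secret, seed = "constructed sample pass phrase", "la7365"
    server = OtpServer(seed, 499, chain(secret, seed, 499))
    seq, s = server.challenge()                 # (498, "la7365")
    otp = chain(secret, s, seq)                 # computed on the client only
    first = server.verify(otp)
    replay = server.verify(otp)                 # same value sent a second time
    seq2, _ = server.challenge()
    nxt = server.verify(chain(secret, seed, seq2))
    return {"seq": seq, "first": first, "replay": replay,
            "next_seq": seq2, "next": nxt}
```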
Re:Biometrics (Score:2, Interesting)
entropy of passwords/passphrases (Score:2, Interesting)
The worst part of the argument is that it also shows that the "take your favorite song lyric and substitute first letters for the words" password technique is lousy. ("Waltzing Matilda, Waltzing Matilda, Who'll come a Waltzing Matilda with me" = WM,WM.WcaWMwm?) On the one hand you have all those wonderful lyric servers to start with. Then you have that the words aren't randomly distributed in a sentence, and even if you're too impatient to crack words at a time, the distribution of letters of first words in the English language is also really stacked. (yes, I know not everyone out there speaks English, but if a cracker has targeted a site, they can make a fair guess at which language is being spoken most prevalently).
Re:Biometrics (Score:3, Interesting)
But let's suppose for a minute that someone sets up a fake ATM machine. First you insert your card, providing them with your account information. Next you authenticate yourself with your fingerprint, retinal scan, DNA sample, or whatever else you choose. Assuming they've installed the same biometric reading equipment as our theoretically real ATM machine, they now have your biometric data in digital form and there's no need for them to recreate the original.
http://www.snopes.com/crime/warnings/atmcamera.
Even assuming that you didn't fall for that scam, it's not hard to think of multiple alternative methods of harvesting biometric data.