Security

MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing this more often."
  • Biometrics (Score:5, Interesting)

    by nuclear305 ( 674185 ) * on Saturday February 12, 2005 @09:44PM (#11655809)
    What about biometrics? Passphrases are nothing more than longer passwords. I can see several things resulting from
    converting to all passphrases. First, the person will probably use the same passphrase for everything because it's too difficult
    to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (In the US, at least) are limited to
    10 digits because research shows the average person can only memorize 10 digits; as a result, we tend to write things down, or in the case of
    data people are likely to store their passphrases in a central location that is still prone to theft/decryption.

    Biometrics, on the other hand, requires that you only have your body present at the time! No special USB keys to lug around, no pieces of
    paper with important passwords/phrases. This won't solve the problem of possible data interception when talking about remote
    authentication--but every form of authentication is prone to such attacks when transmitted.
  • good news, everybody (Score:3, Interesting)

    by jonastullus ( 530101 ) on Saturday February 12, 2005 @09:54PM (#11655900) Homepage
    this is a simple idea I'm surprised more people haven't been doing this more often.

    *yeah, right*
    this "idea" is described in every single tutorial/howto/paper/note about password security. it's a good idea, i've been doing it for years, it has most likely been mentioned on slashdot countless times, but here we go again.

    at times i forget why i am such an avid reader; it provides me with "stuff that matters" and makes me feel like i know more than all the others, from time to time ;-)))

    jethr0
  • by hsoft ( 742011 ) on Saturday February 12, 2005 @09:57PM (#11655916) Homepage
    A Bible dictionary attack could work for a lot of passphrases if this kind of password were to become mainstream.

    IMHO, passphrases would make it easier for a hacker to successfully hack a system. For example, myself:

    - Make a google search for my name
    - See that The White Stripes is among my favourite groups
    - Add The White Stripes lyrics to the crack dictionary
    - Attack, and probably succeed (password = "Why can't you be nicer to me?").

    The list of all quotes in imdb mustn't be THAT big. Thus "I will have my vengeance, in this life or the next" would be a bad password. (not to mention "whoa" :) )

    Of course, IANASB (security blogger), I could be wrong.
  • Re:Biometrics (Score:5, Interesting)

    by Blindman ( 36862 ) on Saturday February 12, 2005 @09:59PM (#11655941) Journal
    The question is whether or not one can spoof biometrics. I can probably get a copy of a lot of fingerprints, and I could post them on my wall. That doesn't mean I could make gloves with them. Despite how it appears in movies, I don't know how easy it would be to fake someone else's fingerprints or retina for that matter.

    I agree that biometrics can't be changed, but will you ever need to?
  • by Gaima ( 174551 ) on Saturday February 12, 2005 @10:04PM (#11655968)
    Perhaps I'm too sleepy to think (I'm too sleepy to read the article), but precisely what is the difference?
    A password is a string you know, a passphrase is a string you know.
    One is probably longer than the other, big deal.

    2, or 3, or 4 factor authorisation schemes are the only way forward. Like those used by some banks in, erm, Sweden?
  • by rickt ( 93968 ) <rickt.rickt@org> on Saturday February 12, 2005 @10:05PM (#11655974) Homepage
    A variant of the "sentence as password" idea that I've been using for years, is to come up with a sentence (be it apropos to the system or not) and then use the first letter of each word in the sentence.

    It combines the best of both worlds.

    i) a 'complex' password because it can't be broken by a dictionary-based attack
    ii) easy to remember (sentence-based)

    Add to the mix some transposition of characters (use 1's instead of i's etc etc) and you've got yourself a fairly decent password, at least better than most.

    Works just fine on password-size challenged systems.
  • by j1m+5n0w ( 749199 ) on Saturday February 12, 2005 @10:10PM (#11656015) Homepage Journal

    Passphrases are just long passwords with (usually) low entropy. They still have the same problems... You have to have a separate passphrase for each account, and you have to trust the computer you're using not to log your keystrokes. I would much rather carry around a device that can authenticate me and never have to remember a password again.

    Why don't we all just switch to USB tokens [rsasecurity.com] for authentication? You have one device that can authenticate you by generating an RSA signature without divulging any information that would allow someone else to pretend to be you. It amazes me that more people don't use these things. I've never used one, but have considered ordering one. Does anyone out there have experience with USB tokens? Is there a good model/brand to buy? Is it easy to get them to work with Linux and ssh? Do any brick-and-mortar stores sell them?

  • Yah right (Score:3, Interesting)

    by tsotha ( 720379 ) on Saturday February 12, 2005 @10:28PM (#11656136)
    This would never work at my company. If you mistype your password three times your account gets disabled and it takes all day to get it re-enabled. I figure passphrases would last about, well, one day.

    Except for that Indian guy in the next office who never misses a key. Should have been a pianist.

  • It doesn't matter. (Score:2, Interesting)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday February 12, 2005 @10:45PM (#11656245)
    The mathematics just don't support it.

    From TFA:
    So here's the deal - I don't want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you ask?
    Let's take a look at some of my recent pass-phrases that I've used inside Microsoft for my 'password'.
    "If we weren't all crazy we would go insane" (Jimmy Buffet rules)
    "Send the pain below!" (I like Chevell too)
    "Mean people suck!" (it's true)
    I'll use his last one ("Mean people suck!").

    Given a vocab of 25,000 words, that gives us ...
    25,000 * 25,000 * 25,000 = 15,625,000,000,000 ... or ...
    roughly the same security as provided by a 9 letter password using only lower case letters.
    26 * 26 * 26 * 26 * 26 * 26 * 26 * 26 * 26 = 5,429,503,678,976

    Swapping 3's for e's and so forth will only mean that a couple different versions of each word would have to be searched. Each such variant (e-3, a-4, i-1) doubles the number of passwords. But it ONLY doubles them. Just adding an additional lower case letter to the end would make it 26 TIMES more complex.

    He makes the mistake of assuming that each word would have to be cracked character by character. That isn't the case.

    You only have to crack the largest unit of information. That's why dictionary attacks are so effective. They can crack the entire password as a single unit because it is a single unit (word or name).

    Passwords/passphrases both share the same limitations. They can be cracked fairly easily (unless they're too complex in which case they get written down and completely defeated).

    The simplest solution is to tie each user to a single computer and limit the password attempts to 5 or so before that user is locked out.

    Or, have a physical device that plugs into the computer that allows that person to use his password on that box (with the same 5 shot limit).
  • Re:Biometrics (Score:5, Interesting)

    by JoeNotCharles ( 582830 ) <joe@notcharles.ca> on Saturday February 12, 2005 @11:07PM (#11656378) Homepage
    Fuzzy memory can be a problem, though. Was it "...to come to their country's aid" or "...to come to the aid of their country"? Did you use punctuation, and if so, which? I created a gpg passphrase and stupidly used two sentences - was never able to recover my keys again, because I couldn't remember if I used one or two spaces between the sentences, or if the first ended with a period or an exclamation mark. (Actually, I tried all 4 variations of that, and none worked, so I must have forgotten something else - but with such a long passphrase, I couldn't even begin to think of the many possible variations on what I got wrong. With a password, I can at least try changing each letter at a time if I've gotten something wrong, on the assumption I only made one mistake. Of course, I'm not saying passwords are good either - I hate them.)
  • Re:Biometrics (Score:3, Interesting)

    by shawb ( 16347 ) on Saturday February 12, 2005 @11:51PM (#11656611)
    I'd imagine the cadaver attack (I agree... great term) could be somewhat mitigated by a combination finger scan/retina scan, ensuring that the pulse is on target for the two. I assume that a sophisticated enough retinal scan can get a pulse, and many exercise machines these days have a finger or ear clip that reads pulse.

    Wouldn't solve the problem completely, but might make it harder to crack.
  • by DogsBollocks ( 806307 ) on Sunday February 13, 2005 @01:24AM (#11657040)
    I have just done a web enabled embedded microprocessor (telnet into it) but because it's on the internet I need to protect it somehow.

    I use a passphrase such as "EDMONTONOILERSHOCKEYTEAM"

    Now when you telnet to this device it answers you with a challenge of 15 random numbers displayed in three groups like this:

    1 15 24 5 6
    3 20 2 19 7
    6 23 10 9 17

    Now your response is 5 digits comprised of the character held in position X.
    IE a valid response to the above challenge would be (picking group 1) IHMNT, of course you can respond to any group displayed on the screen.

    This makes it hard for any keylogger device, as the passphrase is never sent in its entirety, only portions of it, and if you were sniffing the traffic you don't know which group of letters I am responding to.

    This is good for a one-time-only password: if you talk to someone over the phone and want them to go in and do some tweaking, you can give them the "password", and the password they just used will most likely not come up again, so once they disconnect the system is once again secure.

    Big drawback is you generally have to write the passphrase down in front of you so you can count what position the letters are in.
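The scheme in the post above, implemented here as an added example (not the poster's firmware code) with both the device side and the client side, plus a passive eavesdropper. The passphrase is the post's "EDMONTONOILERSHOCKEYTEAM"; the 3x5 challenge shape is the post's; the eavesdropper model assumes the attacker can tell which group was answered (for instance because the user habitually picks the first group, as in the post's own example). That assumption is mine, not the post's.

```python
# Added example: position-based challenge/response over a long-lived passphrase.
# Shows why the "never sent in its entirety" property still leaks the secret a
# few characters per session to anyone who can see the wire.
import secrets

PASSPHRASE = "EDMONTONOILERSHOCKEYTEAM"   # the post's example secret, 24 letters
GROUPS, POSITIONS = 3, 5                 # the post's challenge layout


def make_challenge(secret_len, groups=GROUPS, positions=POSITIONS):
    """Device side: `groups` rows of `positions` random 1-based indexes into the secret."""
    return [[secrets.randbelow(secret_len) + 1 for _ in range(positions)]
            for _ in range(groups)]


def respond(secret, group):
    """Client side: the secret's character at each index of the group chosen."""
    return "".join(secret[i - 1] for i in group)


def verify(secret, challenge, response):
    """Device side: accept if the response matches any one group (client may pick any)."""
    return any(respond(secret, g) == response for g in challenge)


def respond_from_known(known, group):
    """Forge a response using only (position -> character) pairs learned so far."""
    return "".join(known[p] for p in group)


class Eavesdropper:
    """Passive attacker who sees challenge and response but never the passphrase.
    Assumption (not from the post): the attacker knows which group was answered,
    e.g. the user always answers the first group. Each observed session then
    leaks POSITIONS (index, character) pairs of the secret, and those never change."""

    def __init__(self, secret_len):
        self.known = {}            # position -> character
        self.secret_len = secret_len

    def observe(self, challenge, response, group_index=0):
        for pos, ch in zip(challenge[group_index], response):
            self.known[pos] = ch

    def recovered(self):
        """How many distinct positions of the secret are known."""
        return len(self.known)

    def can_answer(self, challenge):
        """Return a forged response if any group is fully covered by known positions."""
        for g in challenge:
            if all(p in self.known for p in g):
                return respond_from_known(self.known, g)
        return None


if __name__ == "__main__":
    eve = Eavesdropper(len(PASSPHRASE))
    sessions = 0
    # Watch legitimate logins until the eavesdropper can answer a fresh challenge.
    while True:
        ch = make_challenge(len(PASSPHRASE))
        resp = respond(PASSPHRASE, ch[0])          # user habitually answers group 1
        assert verify(PASSPHRASE, ch, resp)
        eve.observe(ch, resp)
        sessions += 1
        forged = eve.can_answer(make_challenge(len(PASSPHRASE)))
        if forged is not None:
            print(f"after {sessions} sessions, {eve.recovered()}/24 positions known; "
                  f"forged response {forged!r} accepted")
            break
```

Because the positions are random, the number of sessions needed varies from run to run, but a 24-character secret with five positions leaked per login is typically mostly recovered within a handful of observed sessions; the challenge randomness buys one-time responses, not a long-lived secret.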
  • Re:Biometrics (Score:2, Interesting)

    by SCVirus ( 774240 ) on Sunday February 13, 2005 @01:44AM (#11657097) Journal
    It's already been proved that fingerprints can be faked in a test environment. For local security purposes, the lock would most likely be bypassable, and in some kind of remote 'send your fingerprint' authentication mechanism, it would have to have a pretty large fudge factor to prevent slight differences (caused by smudges, cuts and such) from making the authentication denied. It would most likely be possible to create an algorithm to attempt to crack the authentication mechanism by simply trying different lines.
  • by Alex Belits ( 437 ) * on Sunday February 13, 2005 @02:58AM (#11657503) Homepage
    that humans are capable of using (that is, they can remember and type them) is approximately the same as the number of pass phrases because phrases contain common words. If every pass phrase was replaced by an abbreviation ("Mary had a little lamb 88aapzF" -> "marhalilmb88aapzF"), there would be a pretty low number of collisions, and abbreviations would be usable as short passwords that are just as good as the phrases they were derived from. Therefore this idea produces nothing but an increased amount of typing.
  • Simple Strategy (Score:3, Interesting)

    by Mazem ( 789015 ) on Sunday February 13, 2005 @03:17AM (#11657577)
    1: take 2 words
    2: put them together
    3: l337'ify it.

    Example:
    ViewSonic
    \/][eW5()n|K

    hard to crack, easy to remember.
  • Low entropy (Score:2, Interesting)

    by DuncanIdaho42 ( 659472 ) on Sunday February 13, 2005 @04:35AM (#11657888)

    It bothers me that few people seem to be appreciating that a 4 or 5 _word_ passphrase (as given as examples in the original article) really doesn't have much entropy at all.

    Robert points out it contains capitalisation. Yes, the first letter of the first word of the sentence! And also that it contains punctuation - grammatically correct punctuation, thus so predictable as to hardly register!

    He then goes on to claim how amazingly secure these 20 or so character long strings are. But in fact he's now counting in the wrong units - it's the number of words that matters, not characters. To crack his examples, all it takes is a different approach. It would take a dictionary (online? there's enough of them!) of common words and some simple grammatical rules and you could begin to brute force pass-phrases. And then it comes back to the old obscurity rules - made-up words, random punctuation, etc.

    I admit it could work for a while, but if the world adopts this in a year's time there will be computer scientists (and linguists) the world over wowing everyone by guessing their passwords.
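The arithmetic behind khasim's "It doesn't matter" post and DuncanIdaho42's "wrong units" point, carried through as an added example (not code from the article or either poster). The 25,000-word vocabulary is khasim's assumption, the leet substitution table is a constructed typical set, and the three phrases are the article's own examples quoted in khasim's post.

```python
# Added example: guess-space size of word-based passphrases vs character-based
# passwords, and what leet substitution actually buys against an attacker who
# guesses whole words rather than characters.
import math

VOCAB_SIZE = 25_000      # khasim's assumed attacker vocabulary, not a measured figure
LOWERCASE = 26           # a-z
PRINTABLE = 95           # printable ASCII, what a per-character count would assume
# Substitution classes an attacker adds as mangling rules (constructed, typical set).
LEET_CLASSES = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def bits(n: int) -> float:
    """log2 of a guess-space size."""
    return math.log2(n)


def word_space(words: int, vocab: int = VOCAB_SIZE) -> int:
    """Ordered choice of `words` dictionary words, repetition allowed."""
    return vocab ** words


def char_space(length: int, alphabet: int = LOWERCASE) -> int:
    """Random characters of `length` drawn from an alphabet of `alphabet` symbols."""
    return alphabet ** length


def equivalent_lowercase_length(words: int, vocab: int = VOCAB_SIZE) -> float:
    """How many random lowercase letters give the same guess space as `words` words."""
    return bits(word_space(words, vocab)) / bits(LOWERCASE)


def phrase_bits(phrase: str, vocab: int = VOCAB_SIZE) -> float:
    """Attacker's view: one guess per word, so the work scales with the word count."""
    return bits(word_space(len(phrase.split()), vocab))


def naive_bits(phrase: str, alphabet: int = PRINTABLE) -> float:
    """The per-character count the article implies: length x log2(alphabet)."""
    return len(phrase) * bits(alphabet)


def leet_extra_bits(phrase: str, table=LEET_CLASSES) -> int:
    """khasim's model: each substitution class present in the phrase (e->3, a->4, ...)
    is either applied or not, consistently, so each class present doubles the
    attacker's work: +1 bit per class, versus +log2(26) for one more random letter."""
    letters = set(phrase.lower())
    return sum(1 for ch in table if ch in letters)


def report(phrase: str) -> dict:
    words = len(phrase.split())
    return {
        "words": words,
        "attacker_bits": round(phrase_bits(phrase), 1),
        "naive_bits": round(naive_bits(phrase), 1),
        "leet_extra_bits": leet_extra_bits(phrase),
        "one_more_letter_bits": round(bits(LOWERCASE), 1),
        "equivalent_lowercase_length": round(equivalent_lowercase_length(words), 1),
    }


if __name__ == "__main__":
    for p in ("Mean people suck!", "Send the pain below!",
              "If we weren't all crazy we would go insane"):
        print(p, report(p))
```

For "Mean people suck!" the per-character count suggests well over 100 bits, the word-based count gives about 44 bits (three words from a 25,000-word list, roughly a 9-letter lowercase password), and leet-mangling the four substitutable letter classes present adds 4 bits, less than the 4.7 bits of one extra random lowercase letter.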

  • One Time Passwords. (Score:4, Interesting)

    by frob2600 ( 309047 ) on Sunday February 13, 2005 @05:59AM (#11658157)
    I'm not sure why he was taking so many jabs at Linux. Well, okay... I know exactly why but this seemed especially odd to me since I have disallowed passwords on all my computers unless the user is sitting at the keyboard. And that is mainly because I haven't got X to work with one time passwords yet (besides... how would I calculate them without being able to run the program to generate one?).

    I use s/key or opiekey (depending on OS) for ALL my remote logins. Both of these programs use a pass phrase but (even better) this pass phrase is never transmitted across the network... encrypted or not. What happens is the pass phrase is used to generate a one time pass phrase.

    In practice it looks like this:
    ssh localhost
    otp-md5 498 la7365 ext
    Password:


    I then open another window: type in
    opiekey 498 la7365 ext
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase:

    type my passphrase at the prompt and it spits out:
    GIG DIRE EGG HISS HUB COOK
    I type that at the password prompt and go on my way (cut and paste between xterms is best here). Even if I was not using an encrypted protocol the password is useless once it is used. You can even hit enter once so the phrase will be echoed back to you on the screen so you don't mistype it. Doesn't matter if someone reads over your shoulder because GIG DIRE EGG HISS HUB COOK will never work again.

    Next time my password might be:
    KNEW LARD ARGO LARD BARE YOGA

    Or whatever. The point is that it is a mixture of pass phrases with the ability to avoid sending your pass phrase over an untrusted connection. You can even print out a list of the next 10 pass phrases you will have so you can log in from a computer where you wouldn't trust it enough to run the opiekey program.

    How exactly is this an insecure linux system, at least in regards to passwords?

    lol, besides that... I think pass phrases are a good idea. Just a little annoying at first.
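The S/Key / OPIE mechanism the post above relies on, written out as an added example (not code from the post or from the OPIE or S/Key projects) following RFC 2289's MD5 variant: a hash chain seeded from seed+passphrase, a server that stores only the last accepted value, and one-hash verification. One simplification: the 64-bit one-time password is shown as hex rather than encoded into the six-word form the post quotes, so the output does not interoperate with real opiekey. The seed "la7365" and sequence 498 are the post's; the pass phrase is a constructed value.

```python
# Added example: S/Key-style one-time passwords (RFC 2289, MD5 variant).
# The pass phrase is only ever used on the client; the server keeps one 64-bit
# value and checks a candidate with a single hash step, so a sniffed OTP is
# useless after the session that used it.
import hashlib


def fold(digest: bytes) -> bytes:
    """RFC 2289 folding: XOR the two 8-byte halves of a 16-byte MD5 digest into 64 bits."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(value: bytes) -> bytes:
    """One link of the hash chain."""
    return fold(hashlib.md5(value).digest())


def otp(sequence: int, seed: str, passphrase: str) -> bytes:
    """Client side: hash seed+passphrase once, then `sequence` more times.
    RFC 2289 treats the seed as case-insensitive, so it is lowercased first."""
    value = step((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        value = step(value)
    return value


def as_hex(value: bytes) -> str:
    """Display form in four groups of four hex digits (instead of the six-word form)."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def printable_list(seed: str, sequence: int, passphrase: str, count: int) -> list:
    """The next `count` OTPs in the order they will be used (highest sequence first):
    the list the post suggests printing for logins from an untrusted machine."""
    return [(seq, as_hex(otp(seq, seed, passphrase)))
            for seq in range(sequence, sequence - count, -1)]


class OtpServer:
    """Server state: seed, next expected sequence number, last accepted OTP.
    It never stores or receives the pass phrase."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        # Initialised with OTP(sequence + 1), computed by the user locally.
        self.seed, self.sequence, self.last = seed, sequence, last_otp

    def challenge(self) -> str:
        """The prompt line the client sees, e.g. 'otp-md5 498 la7365'."""
        return f"otp-md5 {self.sequence} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # A valid OTP(n) hashes to the stored OTP(n+1). A replayed OTP fails because
        # `last` has already advanced to the replayed value itself.
        if step(response) != self.last:
            return False
        self.last = response
        self.sequence -= 1
        return True


if __name__ == "__main__":
    seed, passphrase = "la7365", "correct horse battery staple"   # passphrase constructed
    server = OtpServer(seed, 498, otp(499, seed, passphrase))     # client computes the init value
    print(server.challenge())
    response = otp(498, seed, passphrase)
    print("client answers:", as_hex(response))
    print("accepted:", server.verify(response), "replay accepted:", server.verify(response))
    for seq, word in printable_list(seed, 497, passphrase, 3):
        print(seq, word)
```

The cost of this design is the one the post mentions in passing: each login burns a sequence number, and when the counter approaches zero the user has to re-initialise the chain with a new seed.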
  • Re:Biometrics (Score:2, Interesting)

    by SubS ( 108008 ) on Sunday February 13, 2005 @06:53AM (#11658277)
    "My voice is my passport, verify me" --Sneakers
  • by awilden ( 110846 ) on Sunday February 13, 2005 @09:56AM (#11658794)
    So whatever happened to the argument that using English language passphrases was a lousy idea because the average entropy of an English sentence is very low (I recall something like only a couple of bits per word, but it's a pretty weak recollection so don't quote me).

    The worst part of the argument is that it also shows that the "take your favorite song lyric and substitute first letters for the words" password technique is lousy. ("Waltzing Matilda, Waltzing Matilda, Who'll come a Waltzing Matilda with me" = WM,WM.WcaWMwm?) On the one hand you have all those wonderful lyric servers to start with. Then you have that the words aren't randomly distributed in a sentence, and even if you're too impatient to crack words at a time, the distribution of letters of first words in the English language is also really stacked. (yes, I know not everyone out there speaks English, but if a cracker has targeted a site, they can make a fair guess at which language is being spoken most prevalently).
  • Re:Biometrics (Score:3, Interesting)

    by StikyPad ( 445176 ) on Sunday February 13, 2005 @07:09PM (#11662798) Homepage
    Not to mention, there's no reason to believe you'd actually need to fake biometrics, although that might turn out to be the easiest solution in most cases.

    But let's suppose for a minute that someone sets up a fake ATM machine. First you insert your card, providing them with your account information. Next you authenticate yourself with your fingerprint, retinal scan, DNA sample, or whatever else you choose. Assuming they've installed the same biometric reading equipment as our theoretically real ATM machine, they now have your biometric data in digital form and there's no need for them to recreate the original.

    http://www.snopes.com/crime/warnings/atmcamera.asp

    Even assuming that you didn't fall for that scam, it's not hard to think of multiple alternative methods of harvesting biometric data.
