Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
I'll repeat what I've said before: Use sentences. (Score:4, Informative)
I advise people to use unusual sentences as passwords.
For example, look at the previous sentence.
It contains uppercase letters, lowercase letters, spaces and punctuation.
It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.
And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.
Re:News at 11 (Score:3, Informative)
We have this policy on our timekeeping system. I re-use the same password with a number from 1 to 6 appended to the end. When it's time to change the password, I just change the last number. After 6, go back to 1.
Re:limited application (Score:4, Informative)
I have used passwords with spaces since the 1990s on AIX, IRIX, HP-UX, Solaris and Linux and have only seen that happen on poorly written SQL code (deliberately put there by some ignorant web developer).
Which environment would that be?
Re:News at 11 (Score:3, Informative)
Re:limited application (Score:3, Informative)
Some require uppercase, lowercase and numbers.
Some require specific complexity; most do not.
Some require a symbol.
Some don't allow a symbol.
Some require at least 8 characters.
Some allow at most 8 characters.
Really, it's just stupid. Until some standards body issues requirements in internet password practices that financial institutions are required to implement, it is just a lost cause.
Re:HEY! (Score:3, Informative)
Thankfully I use KeePass [keepass.info] myself, so I have a *different*, totally random ~20-char password everywhere. If you also use a keyfile to protect the container, a trojan getting your master password doesn't matter. Some of them might also be stupid enough not to monitor the clipboard when you're pasting the password. And even if they do, you won't give out passwords to a bunch of websites, services, email, servers etc. at once, and you're protected against malicious admins or people hacking servers to get passwords because you have a different password everywhere.
I don't see why more people don't use KeePass or some other such software; it makes your passwords and accounts a lot more secure. And yes, strong passwords are better than short and easily guessed ones, especially in this case.
Re:News at 11 (Score:2, Informative)
If the person/group trying to crack your system knows about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said "Don't bother looking for anything that doesn't contain the following....."
Er, not really. Breaking a 10-char password takes so much longer than breaking 6-char through 9-char passwords combined that, for computing the brute-force time, you might as well assume that you have 10-char passwords (a sibling post assumes that one has a 6-char password, but that's just wishful thinking; I think most people have the ability to come up with at least 8-char passwords; at least people who do online banking should).
By having at least one upper-case letter, you essentially require potential crackers to look for 52 possible letters for each position (remember: the requirement isn't that you need an upper-case letter in the first position; it's any position, so you can't really use that to generally rule out a bunch of passwords), and by requiring at least one number, you essentially require potential crackers to look for 62 possible alphanumeric choices for each letter (again, the requirement isn't that you should have numbers at the end of passwords or the beginning; even if you assume exactly 2 numbers, you don't know where they are). With that, the possible combinations, in the optimal case, are 62^10, and if it takes 1 second to try one password (which might be true, unless the hacker has access to the password hash), it would take the cracker 27 billion years.
Now, you complained about this specific requirement ruling out certain combinations. How many combinations do you think are ruled out? I haven't actually done the math, statistics, or Monte Carlo, but I'm willing to bet it's fewer than 50%, so the cracker will now take somewhere around 13 billion years to crack the system instead of 27 billion years.
I think I still feel relatively safe, as long as the hash remains secret.
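The keyspace arithmetic in the post above can be carried out exactly rather than estimated. The following is an added example, not code from any poster: it counts, by inclusion-exclusion, how many 10-character alphanumeric strings contain at least one upper-case letter and at least one digit, shows what share of 62^10 the rule removes, compares 62^10 with every shorter alphanumeric length combined, and converts the counts to worst-case enumeration time. The two guess rates (1 guess per second for an online attack, 10^9 per second once an attacker has the hash) are assumed values chosen to illustrate the post's own caveat that the picture changes when the hash leaks.

```python
# Added example (not from the thread): exact inclusion-exclusion count of
# policy-compliant 10-character alphanumeric passwords and the resulting
# brute-force time at two assumed guess rates.

LOWER, UPPER, DIGITS = 26, 26, 10
ALPHANUMERIC = LOWER + UPPER + DIGITS        # 62 symbols per position
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def total_space(length, alphabet=ALPHANUMERIC):
    """All strings of the given length over the alphabet (62^length here)."""
    return alphabet ** length


def compliant_space(length):
    """Strings over the 62 alphanumerics that contain at least one upper-case
    letter AND at least one digit, counted by inclusion-exclusion:
    total - (no upper) - (no digit) + (neither upper nor digit)."""
    no_upper = (LOWER + DIGITS) ** length    # only lower-case and digits: 36^n
    no_digit = (LOWER + UPPER) ** length     # only letters: 52^n
    neither = LOWER ** length                # only lower-case: 26^n
    return total_space(length) - no_upper - no_digit + neither


def fraction_ruled_out(length):
    """Share of the full 62^n space that the complexity rule removes."""
    return 1 - compliant_space(length) / total_space(length)


def shorter_passwords_combined(max_length, alphabet=ALPHANUMERIC):
    """Every alphanumeric string of length 1..max_length added together
    (the '6-char through 9-char combined' comparison from the post)."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def brute_force_years(candidates, guesses_per_second):
    """Worst-case time to enumerate every candidate at a fixed guess rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    n = 10
    full, compliant = total_space(n), compliant_space(n)
    print(f"62^{n} = {full:,}")
    print(f"compliant with 'upper + digit' rule = {compliant:,} "
          f"({fraction_ruled_out(n):.1%} of the space ruled out)")
    print(f"lengths 1..9 combined = {shorter_passwords_combined(9):,} "
          f"({shorter_passwords_combined(9) / full:.1%} of 62^10)")
    for label, space in (("full", full), ("compliant", compliant)):
        # 1 guess/s: online guessing; 1e9 guesses/s: assumed offline rate
        print(f"{label:>9}: {brute_force_years(space, 1):.2e} years at 1 guess/s, "
              f"{brute_force_years(space, 1e9):.2f} years at 1e9 guesses/s")
```

Run as a script it prints the exact counts; the rule removes roughly a sixth of 62^10, and all lengths 1 through 9 together come to under 2% of the 10-character space, so the post's "assume 10 characters" simplification holds. The interesting number is the last line: the same space that takes tens of billions of years at one guess per second takes well under a century once an attacker can run a billion guesses per second against a leaked hash, which is why keeping the hash secret (and using a slow, salted hash) matters more than the exact complexity rule.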
Re:Simple solution (Score:3, Informative)
In a word, no. Biometrics is only a part of identifying someone and controlling access. In essence, classic security thought says that there are three things to authorizing and authenticating a principal:
1. Something you are
2. Something you have
3. Something you know
So if biometrics provided #1, a smart card could be #2, and a password could be #3.
I've known of several high-security installations that required all three things. A thumb print, the smart card, and a passphrase (or passcode) to go through a door. Whether or not this really granted real security I don't know.
Certainly it's clear that biometrics cannot replace passwords as biometrics are not secret really (you leave your fingerprints everywhere). And as Mythbusters showed, you can fool even the most sophisticated fingerprint scanners quite easily. But they are still an important part of positively authorizing someone.
Re:News at 11 (Score:3, Informative)
So, use an acronym for your password, but write down the full sentence.
Use the password "Dftpu2jomaw!" and write yourself a note that says "Don't forget to pick up 2 jugs of milk after work!"
Re:I'll repeat what I've said before: Use sentence (Score:3, Informative)
You should set your password to:
I am a pedophile and this encrypted partition contains my child pornography.
That way, if a court orders you to reveal your password, you can plead the 5th Amendment.
-- 77IM
PS. I am not a pedophile, and my encrypted partition contains no child pornography, just pirated movies and TV shows.
Re:News at 11 (Score:1, Informative)
Add some CAPS, numbers etc. and watch the times go to weeks, months, years.
Add a lockout after 10-20 failed attempts, and you approach infinity.
Probably not good for zip files, but remote logins that need "secure" passwords should also have lockouts. Then the passwords won't matter, and we won't have to change them all the time either.
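The lockout the post recommends for remote logins can be shown concretely. Below is an added example, not code from the thread: a minimal in-memory authentication service with salted PBKDF2 password hashing and a per-account lockout policy. Once an account has hit the failure threshold, even the correct password is refused until the lock expires, and the policy can state the hard upper bound on guesses per account per year that this imposes regardless of password strength. The account name, password, threshold of 10 failures, 15-minute lock and the injected clock are all constructed values for the illustration.

```python
# Added example (not from the thread): account lockout after repeated
# failed logins, with an injected clock so the behaviour is deterministic.
import hashlib
import hmac
import os

SECONDS_PER_YEAR = 31_557_600   # 365.25 days


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest, iterations)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


class LockoutPolicy:
    """Counts consecutive failures per account and locks the account for a fixed
    period once the threshold is reached (threshold and period are assumed values)."""

    def __init__(self, max_failures=10, lockout_seconds=15 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}       # account -> consecutive failed attempts
        self.locked_until = {}   # account -> time at which the lock expires

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Returns True if this failure triggered a lock."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)

    def max_online_guesses_per_year(self):
        """Hard ceiling on guesses an attacker can submit against one account per year."""
        return self.max_failures * (SECONDS_PER_YEAR // self.lockout_seconds)


class AuthService:
    def __init__(self, policy):
        self.policy = policy
        self.users = {}   # account -> (salt, digest, iterations)

    def register(self, account, password):
        self.users[account] = hash_password(password)

    def login(self, account, password, now):
        """Returns 'ok', 'denied' or 'locked'; 'now' is the caller's clock."""
        if self.policy.is_locked(account, now):
            return "locked"            # the correct password is refused too
        record = self.users.get(account)
        if record is not None:
            salt, digest, iterations = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                self.policy.record_success(account)
                return "ok"
        # A wrong password and an unknown account take the same path, so the
        # response does not reveal which accounts exist.
        return "locked" if self.policy.record_failure(account, now) else "denied"


def demo():
    """Ten wrong guesses lock the account; the right password is refused while
    locked and accepted once the lock has expired."""
    svc = AuthService(LockoutPolicy())
    svc.register("alice", "correct horse battery staple")   # constructed credentials
    results = [svc.login("alice", f"guess-{i}", now=1000.0) for i in range(10)]
    results.append(svc.login("alice", "correct horse battery staple", now=1001.0))
    results.append(svc.login("alice", "correct horse battery staple", now=1000.0 + 15 * 60))
    return results


if __name__ == "__main__":
    print(demo())
    print("max online guesses per account per year:",
          LockoutPolicy().max_online_guesses_per_year())
```

With 10 failures per 15-minute window the attacker gets at most 350,640 guesses per account per year, which is why the post can say the password strength stops mattering much for the online case. The two things this does not address, and which the thread goes on to discuss, are an attacker who has obtained the hash and can guess offline at full speed, and the denial-of-service side effect that an attacker can lock legitimate users out by deliberately failing, which is the usual reason for a timed lock rather than a permanent one.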
Re:News at 11 (Score:3, Informative)
If people at your office can be trusted, you don't really take a huge risk by having a postit with the password.
Ahh, I see, so you hang out with the housekeeping staff and fully trust them too. You know, the ones who do the shitty job, are thoroughly underpaid but are easily smart enough to realize that somebody "out there" might find confidential information on your system very, very valuable? Same with the building owners your company leases to, right? You know, 16+ gig flash drives are very cheap and hold a lot of confidential information. Hell, if they're a little more technical than that they'll find a trojan on the internet and give themselves full access to your systems. There are plenty of IRC chat rooms with people willing to give you step by step advice to set it all up, especially if you're willing to share.
It's also suicidal to assume you know that nobody in your office would ever use your passwords to access your system, no matter how much you trust them. There are a lot of people who aren't as nice as you think they are, and there are even more situations that would sorely tempt even decent people to do not so decent things.
You can make systems invulnerable to brute-force attacks without making them vulnerable to social engineering. IT security demands balancing BOTH issues. As others have mentioned, 10 days to crack a password may as well be 100 years in most situations, especially when social engineering or security systems so complicated they force bad habits on the users can get you the password in minutes.
As an example, I worked helpdesk for an Army Guard armory with very strict security - they used biometrically locked smart cards with a 6-digit PIN that had to be changed if it were ever locked out. There was also a password requirement, should your smart card be locked out, that would allow you access to your system, but it required 12 digits, 2 upper, 2 lower, 2 numbers and 2 special characters, it had to be changed every 90 days, and you couldn't use the last 20 passwords. The result? You could walk down the hallway at any given time of day and find at least one or two offices with the smart card in the computer, a sticky note with the current PIN on the monitor, and the user nowhere to be found.
Sure, the smart card system and password were essentially unbreakable, but they didn't need to be. Smart card resets, password resets, and sticky notes with passwords and PINs were so common it was easily the least secure system I've ever had the privilege of working with. It also severely hampered productivity.