Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."
  • by Manip ( 656104 ) on Saturday August 08, 2009 @04:14PM (#28997969)

    The article repeats the same Myths of password security that we have been repeating for the last thirty years. Let me review them for you:
      - Password Length is important
      - Password Complexity is key (e.g. A-Z with at least one special, one number)
      - Password Expiration is important

    Like all good myths these have elements of truth in them but fail to really hit the nail on what the problems actually are, or namely:
      - Strong login auditing is important (failed attempts, unusual patterns, etc)
      - Login speed should be throttled (e.g. No 60/guesses per minute)
      - Failed logins should be capped (e.g. Login wrong five times? Consult technical support)

    Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five. If you tried to spread out the attempts over several weeks (making it slower still) the audit logs should be alerting the administrator to 14/failed attempts per week from China.
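    The three controls Manip lists above (login auditing, throttling, and a failed-attempt cap) are easy to state and easy to get subtly wrong, so here is an added example that is not part of the original thread or of any product: a small Python login guard that throttles attempts per source address over a sliding window, locks an account after five consecutive failures until support resets it, and keeps an audit trail that an administrator can query. The policy numbers, the source addresses and the "alice"/"password" account are constructed for the example; the injectable clock exists only so the window can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Policy knobs (constructed values for this example; tune to your environment).
MAX_FAILURES = 5            # lock the account after five wrong passwords
WINDOW_SECONDS = 60.0       # sliding window for per-source throttling
MAX_PER_WINDOW = 10         # attempts one source may make inside the window
PBKDF2_ITERATIONS = 10_000  # deliberately low so the example runs fast


class LoginGuard:
    """Password check with per-source throttling, account lockout and an audit trail."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable for deterministic tests
        self.users = {}                       # username -> (salt, pbkdf2 digest)
        self.failures = defaultdict(int)      # consecutive failures per account
        self.locked = set()                   # accounts awaiting a support reset
        self.recent = defaultdict(deque)      # source -> timestamps of recent attempts
        self.audit = []                       # (time, event, username, source)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._digest(password, salt))

    def _log(self, event, username, source):
        self.audit.append((self.clock(), event, username, source))

    def attempt(self, username, password, source):
        now = self.clock()
        # 1. Throttle: discard timestamps outside the window, then count what is left.
        window = self.recent[source]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_PER_WINDOW:
            self._log("throttled", username, source)
            return "throttled"
        window.append(now)
        # 2. Lockout: a locked account rejects even the correct password.
        if username in self.locked:
            self._log("locked", username, source)
            return "locked"
        # 3. Verify in constant time; unknown users take the same path as wrong passwords.
        record = self.users.get(username)
        ok = False
        if record is not None:
            salt, stored = record
            ok = hmac.compare_digest(self._digest(password, salt), stored)
        if ok:
            self.failures[username] = 0
            self._log("success", username, source)
            return "ok"
        self.failures[username] += 1
        self._log("failure", username, source)
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
            self._log("lockout", username, source)
            return "locked"
        return "failure"

    def failures_from(self, source, since):
        """Audit query: number of failed attempts from one source since a given time."""
        return sum(1 for ts, ev, _user, src in self.audit
                   if src == source and ev == "failure" and ts >= since)


class FakeClock:
    """Manually advanced clock so the sliding window can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.register("alice", "password")   # deliberately weak, as in the comment above
    for guess in ["hunter2", "letmein", "qwerty", "123456", "Password1"]:
        print(guard.attempt("alice", guess, "203.0.113.5"))
        clock.advance(1.0)
    print(guard.attempt("alice", "password", "203.0.113.5"))   # still "locked"
    print(guard.failures_from("203.0.113.5", since=0.0))       # 5
```

    Two design points worth noting: the throttle counts every attempt from a source, including ones that were rejected because the account is locked, so a locked account does not become a free channel for probing; and the stored secret is a salted, iterated hash checked with a constant-time comparison, so the guard does not itself become the weak spot if its store leaks.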

  • Re:Biometrics (Score:5, Informative)

    by Hal The Computer ( 674045 ) on Saturday August 08, 2009 @04:18PM (#28998011)

    Okay, I'll bite. Because you're too cheap. Seriously, biometrics that actually work (are hard to fool) are going to make your keyboard several hundred to several thousand dollars more expensive.

    Those fingerprint readers that come for "free" built into laptops are snake oil.
    Some educational reading:
    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
    http://mythbustersresults.com/episode59 [mythbustersresults.com]

  • by MadnessASAP ( 1052274 ) <madnessasap@gmail.com> on Saturday August 08, 2009 @04:36PM (#28998145)

    Try searching for "axis-cgi", you may be surprised what you can find.

  • by blincoln ( 592401 ) on Saturday August 08, 2009 @04:48PM (#28998241) Homepage Journal

    Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five.

    The reason length is important is because there are ways to crack most types of password that don't involve going through the same interface that an interactive user would.

    For example, on Windows you can get ahold of the password hashes either off of a domain controller or with network sniffing software. Then you can make any number of cracking attempts offline. Or you can just use a rainbow table system like Ophcrack and do a reverse lookup in a matter of minutes on the hash of virtually any password less than 15 characters long.

  • Re:Fingerprints? (Score:3, Informative)

    by KeithIrwin ( 243301 ) on Saturday August 08, 2009 @04:56PM (#28998313)

    Biometrics work fine for in-person authentication, but they are terrible for network authentication because they are not secrets and because they cannot be changed. In person, they might be hard to fake (depending on the technology), but over the network, it's just data like any other and, as such, trivial to fake. I have a longer comment about this further down if you want more detail.

  • by techno-vampire ( 666512 ) on Saturday August 08, 2009 @04:57PM (#28998325) Homepage

    Script writers do that for a very good reason: timing considerations. A TV drama has a one-hour time slot, minus time for commercials, opening and closing; probably about 40 minutes or so for the story. Fiddling around with creative misspellings of names takes time and doesn't move the story along. It's the same reason, BTW, why when somebody on TV turns on the news, the story they're looking for is just starting.

  • by ScrewMaster ( 602015 ) * on Saturday August 08, 2009 @05:10PM (#28998435)

    Just assign the damn things! When I was in college (about thirty years ago, now) the school's mainframe would assign users a strong password when you got your account. Choosing a poor one wasn't an option. The system did manage to come up with interesting and easy-to-memorize combinations, I must say. It was actually fairly impressive: I never saw anyone writing down their password because they didn't need to. However, they weren't just random combinations of characters, and they weren't subject to a dictionary attack.

    Depending upon individuals to come up with strong passwords is utterly hopeless: you tell them what their password is. However, you can't just give them something like "pz039yq53t" because they'll get frustrated and stick it on a Post-IT note. Come up with an algorithm that generates strong but easy-to-remember passwords and you'll be in good shape.
  • by plover ( 150551 ) * on Saturday August 08, 2009 @06:05PM (#28998777) Homepage Journal

    You can certainly take a little responsibility for your own security. You don't have to write down the whole password, or you can obscure it in some way that you remember. If your password is aRgLeBaRgLe123 you can just write down "aRgLeBaRgLe" and remember that you glue 123 to the end of all your passwords, or write down "arglebargle123" knowing that you always cApItAlIzE eVeRy oThEr lEtTeR. For most people, the people who have physical access to their screens are less likely to be sophisticated attackers than your average network hacker.

    Of course you still have to make sure that nobody learns any of your passwords, because they'll easily figure out your simple obscuration scheme.

    Years ago I had all my various credit card PINs written and stored in my wallet with the cards, but I knew I had an offset to add to each before using it. The offset was the PIN for my main bank card, so it was something I already remembered. (I have since divested myself of all those extra cards, so I don't have the paper any more.)

    All that said, I still don't write down or save my secure work or banking passwords. I'll write down stupid web site passwords, but not anything that puts me or the company I work for at risk.

  • by Coriolis ( 110923 ) on Saturday August 08, 2009 @07:05PM (#28999145)

    Oh, come on.

    If you're in a pure Windows 2000 or greater environment, you can turn off NTLM and LM altogether. This reduces you to sniffing Kerberos packets, which are substantially harder to crack - you're talking hours for a single weak password. And you've still got to be on the same network segment.

    As for getting the hashes off the domain controller, by what magic do you intend to obtain sufficient remote access to a properly-secured DC? That's the equivalent of saying that if you don't use shadow passwords it's really easy to crack UN*X. Well, duh.

  • Keychain Access (Score:3, Informative)

    by trudyscousin ( 258684 ) * on Saturday August 08, 2009 @08:54PM (#28999603)

    I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access." Keychains store private keys, certificates, and arbitrary notes securely. I use one to store my passwords to all my e-mail and web accounts. They're encrypted using Triple DES.

    Not only that, but it can generate passwords for you. Tell it how many characters you want, and whether the password should be memorable (comprised of dictionary words and a short string of numbers), letters and numbers, numbers only, something called "FIPS-181 compliant," or random. You can choose from the ones it generates from a pop-up menu, and if you don't like any of them, it can generate some more. Whatever password you choose, there's a gauge that tells you how strong it is.

    I have to use it occasionally to look up a password to an infrequently visited web page. Entering my user password (that is, the one for my account on my computer) will unlock any one that is stored on the keychain.

    Is it easy to use? Kind of, sort of; it takes a few seconds and more than a few mouse clicks to retrieve a password. Safari (perhaps Firefox as well, but I don't know) can be configured to remember your login information for a given page, and though it stores this information in the login keychain, the problem with Safari's implementation is that it works for some pages and not others, and doesn't require you to provide your user password--not exactly the most secure arrangement.

    No one's ever compromised this scheme, as far as I know. Yet. Meanwhile, it works pretty well for me.
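    ScrewMaster's suggestion above of an "algorithm that generates strong but easy-to-remember passwords" and trudyscousin's description of Keychain Access's memorable mode (dictionary words plus a short string of numbers, with a strength gauge) describe the same idea, so here is an added example of one such generator in Python. It is not code from the thread, from Apple or from any product: the word list is a small constructed one (a real deployment would use a large published list; the well-known Diceware list has 7776 entries), the gauge thresholds are assumptions chosen for the example, and the generator draws from Python's `secrets` module by default.

```python
import math
import secrets

# Constructed word list for the example only. Entropy scales with the log of the
# list size, so a real generator should use a list of thousands of words.
WORDS = ["acorn", "badge", "cabin", "delta", "ember", "fable", "gauge", "hazel",
         "igloo", "jelly", "karma", "lemon", "mango", "noble", "olive", "pearl",
         "quilt", "raven", "sugar", "tulip", "umbra", "vivid", "wagon", "xenon",
         "yacht", "zebra", "amber", "birch", "cedar", "dunes", "eagle", "frost"]


def entropy_bits(n_words, wordlist_size, n_digits):
    """Bits of guess-resistance for n_words uniform picks from the list plus n_digits digits."""
    return n_words * math.log2(wordlist_size) + n_digits * math.log2(10)


def generate_memorable(n_words=4, n_digits=3, words=WORDS, rng=secrets):
    """Join n_words random words with '-' and append n_digits random decimal digits.

    rng only needs a .choice() method; the default is the CSPRNG-backed secrets module.
    """
    chosen = [rng.choice(words) for _ in range(n_words)]
    digits = "".join(rng.choice("0123456789") for _ in range(n_digits))
    return "-".join(chosen) + digits


def strength_label(bits):
    """Coarse gauge; the thresholds are assumptions for this example, not a standard."""
    if bits < 28:
        return "weak"
    if bits < 40:
        return "fair"
    if bits < 60:
        return "good"
    return "strong"


def gauge(password, words=WORDS):
    """Score a password produced by generate_memorable by recovering its structure.

    Returns (bits, label). Raises ValueError for a string not built from this list.
    """
    stem = password.rstrip("0123456789")
    digits = password[len(stem):]
    parts = stem.split("-")
    if not all(part in words for part in parts):
        raise ValueError("not produced by this scheme")
    bits = entropy_bits(len(parts), len(words), len(digits))
    return bits, strength_label(bits)


if __name__ == "__main__":
    pw = generate_memorable()
    print(pw, gauge(pw))
    # With the full 7776-word Diceware list four words alone give about 51.7 bits.
    print(round(entropy_bits(4, 7776, 0), 2))
```

    The gauge is honest only because the generator picks uniformly: a user-chosen "memorable" password made of the same kinds of words is far weaker than the formula suggests, which is exactly why ScrewMaster argues for assigning the password rather than letting people choose.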

  • by ScrewMaster ( 602015 ) * on Saturday August 08, 2009 @09:34PM (#28999761)

    There's nothing wrong with ATMs running Windows, OS/2 or whatever as long as it's set up right.

    But they're not. Many are run through the public Internet (and there are many known instances of them having been compromised, either directly by thieves or indirectly through worm infestations) and furthermore Diebold is not a company that can be trusted to set them up correctly. That's also pretty clear, given their track record. And I disagree with you that there's nothing wrong with an ATM running Windows. In fact, I don't really know where to begin a response to that statement.

  • by tg123 ( 1409503 ) on Saturday August 08, 2009 @10:16PM (#28999917)

    I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access.........

    A word of warning from experience (I used to work for Apple): make sure you have another copy of your passwords because, as you say, the keychain is encrypted, and if the keychain gets corrupted you may have to reset the keychain.

    I would get a keychain access issue about once a week, and the person on the other end of the phone used to get very upset as they were unable to do their banking.
