Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."
  • by musefrog ( 1471169 ) on Saturday August 08, 2009 @03:47PM (#28997717)
    I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anaesthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!
  • by Shikaku ( 1129753 ) on Saturday August 08, 2009 @03:50PM (#28997735)

    And there is no malware possible that can read what's written on a post-it note.

    Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

    Or just walk in and look yourself.

  • Arora (Score:5, Interesting)

    by Sir_Lewk ( 967686 ) <sirlewk@gCOLAmail.com minus caffeine> on Saturday August 08, 2009 @04:00PM (#28997833)

    It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first web browser I have actually liked in several. I would definitely consider it the best OSS web browser on Linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.

  • Biometrics (Score:3, Interesting)

    by the_macman ( 874383 ) on Saturday August 08, 2009 @04:03PM (#28997855)

    What's wrong with biometrics? Maybe somebody could explain to me why more keyboards don't ship with biometrics built in? Instead of remembering 25 different passwords each with their own ridiculous rules you could just scan your finger. It could even work when you want to make a CC purchase or log in to your email.

  • I have an idea. (Score:5, Interesting)

    by neokushan ( 932374 ) on Saturday August 08, 2009 @04:07PM (#28997913)

    I'd like to make a proposition to everyone on slashdot.

    For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.

  • by mayberry42 ( 1604077 ) on Saturday August 08, 2009 @04:17PM (#28997993)

    I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password making the whole damn thing impossible to remember. So, what did people do? They wrote them down in little sticky-notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity.

    Due to a recent identity-theft scare I had the other day, it made me realize the importance of safe-guarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've since never had to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02

  • by exley ( 221867 ) on Saturday August 08, 2009 @04:19PM (#28998023) Homepage

    OK so I went and searched for "office security cameras" and that pretty much just turned up companies selling cameras. I then tried "office security cameras HOT XXX ACTION" and that DID yield me some results... But no passwords on sticky notes :( Rule 34 should kick in eventually, though, right?

    Seriously though, I'm guessing most office security cameras are too low-res and they give a wide-area view so as to make it pretty damn difficult to be able to get someone's PW that way.

  • by resistant ( 221968 ) on Saturday August 08, 2009 @04:25PM (#28998065) Homepage Journal

    We all know most people will never use "proper" passwords, let alone "properly", quite aside from offices in which ridiculous password management policies drive people to drink^h^h^h^h^h simply writing their passwords on Post-it notes stuck to their monitors. Why not make the best of a bad situation by only insisting on reasonable passwords changed no more than once per six months, complete with freely available "wallet-sized password booklets", but which are accompanied by other methods such as once-per-session typing pattern analysis [wikipedia.org] verifications or cheap magnetic stripe cards? (The obvious security problem with a magnetic stripe card in the same wallet as a password booklet, for example, can be ameliorated by insisting that the magnetic stripe cards be kept in small employee lockers, and never allowed off-premises).

    The point is that a little imagination is all that is needed to make security reasonably good or at least acceptable, given that the weak link will always be the kind of muppets who insist on shoving bricks between doorjambs and ultra-high-security triple-locked doors if they are at all allowed. Sure, any security method can be defeated, but it's far easier to educate (okay, frighten) people into not removing stuff from company premises (the magnetic stripe cards) or to make them perform once-a-day monkey tricks (the typing pattern analysis verifications) than it is to make them stop writing stuff down in very insecure ways. Security will tend to be more even, and problem employees will be easier to spot.

    The old saying comes to mind, "The perfect is the enemy of the good."

  • by omb ( 759389 ) on Saturday August 08, 2009 @04:44PM (#28998215)
    This is exactly right, and Post-its should be a firing offence, at __all__ levels up to and including CEO, given Sarbanes-Oxley; next, __obvious__ passwords must be screened out, and changing passwords/ageing should __not__ be required.

    My singleton laptop often faces the internet un-firewalled but the bastard ssh attacks cannot do password-guessing against really secure passwords like "1", which I have never seen tried, but it will now ;-), or "Bawrinced", generated by apg.

    People can learn a __few__ strong passwords, remember them and use them in ways that stratify, and "Canary" risk, see John Patrick Ryan.

    Especially for internet logins, and for the weakest you can use dictionary words, which helps with the Canary Trap. Hebrew, Maltese and Attic Greek, transliterated into Latin alphabets, make very good Canary words, and help you to sue the leaker. Few guess that "Marsaxlokk" is a place name, unless they know Malta, and then you can easily make it harder by spelling it ".M1rs1xlokk.". If you __consistently__ do this for admin passwords, and make your users pick high entropy passwords, then you have emplaced a good first line of defence; then close all unnecessary ports, and use a scanner eg "nmap" to ensure you have what you intended.

    Finally, use iptables to ensure that the open ports are firewalled, so when I put my laptop on a net I don't want 'NO ARP, or ICMP packets' because I don't want to alarm any intrusion detection systems; but I want to allow outgoing PRINTER, SSH, POP3, and in some cases incoming SMTP.

    Finally, while it takes more work, it is far more secure to use iptables than a generic firewall, writing the rules to be minimal. There are LOTS of brute force SSH attacks, and one must assume SSL also out there. SMTP is not secure so you only want to allow it from your mail-server which should have a static address. Use TLS with fetchmail, and a proxy SMTP sender which can be configured to send mail securely to a mail-server. If you are mobile as I am, that means writing your own sender that knows about the quirks of your ISPs.

    Since most of the ISP inspired SMTP 'improvements' just open up new security holes, thanks Eric. Encrypt everything you can, and certainly anything that is important, or "potentially compromising". Never use commercial mail services, they are totally insecure and like as not have backups that can be _discovered_ in law, to your disadvantage.
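    The brute-force SSH traffic omb mentions is easy to spot once you count failed logins per source over a short window. The following is an added example, not code from the post: a small Python detector run over constructed auth.log lines in OpenSSH's "Failed password" format (the sample lines, the threshold of 5 failures per 60 seconds, and the assumed year 2009 for the year-less syslog timestamps are all choices of the example).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH's message format (not a real capture):
# one source hammering root and non-existent users, plus two ordinary one-off failures.
SAMPLE_AUTH_LOG = """\
Aug  8 16:40:01 laptop sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  8 16:40:02 laptop sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Aug  8 16:40:03 laptop sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Aug  8 16:40:04 laptop sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Aug  8 16:40:05 laptop sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Aug  8 16:40:06 laptop sshd[2211]: Failed password for root from 203.0.113.7 port 51027 ssh2
Aug  8 16:41:10 laptop sshd[2230]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Aug  8 16:41:15 laptop sshd[2230]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
Aug  8 16:55:00 laptop sshd[2299]: Failed password for bob from 198.51.100.9 port 40200 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, user, source_ip) for every failed-password line.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2009 here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue  # accepted logins, disconnects and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforcers(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (failures_in_window, distinct_users)} for sources that
    reach `threshold` failed logins inside any sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforcers(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins against {users} distinct usernames")
```

    The distinct-username count is the useful second signal: a single user mistyping a password five times looks very different from one source cycling through root, admin and oracle. On the host side, the cheapest mitigation for the attacks omb describes is to turn off password authentication for sshd altogether (`PasswordAuthentication no` in sshd_config) and rely on keys, which makes the guessing rate irrelevant.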
  • by techno-vampire ( 666512 ) on Saturday August 08, 2009 @04:48PM (#28998235) Homepage
    It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea.

    I spent time doing tech support for an ISP. As part of my job, I needed to log into a web page. The server was inside the office firewall, and nobody outside it could log in. Not only were we required to use ten-character passwords (Upper, lower, numeric and punctuation all required.) they expired every sixty days. There was no possible way for an outside attacker to reach that web server, no way that constantly changing our passwords made anything more secure, but we had to do it, probably because somebody in IT realized that they could set it up that way and decided that if they could force passwords to expire, they should, whether it helped or not. What made it worse was, all the Certificates expired and nobody ever bothered to update them. This wouldn't have been so bad (You tell your browser to accept it, and the problem goes away.) but our boxes were locked down so badly that telling the browser that the cert's OK didn't survive a reboot, meaning you had to go through the same song-and-dance several times a day.

  • Re:I have an idea. (Score:3, Interesting)

    by Headrick ( 25371 ) on Saturday August 08, 2009 @04:55PM (#28998299)

    Agreed, but unfortunately it's not that easy. I just started a new job and got my AMEX corporate card in the mail today. The online account had a maximum password length of 8 characters with no special characters allowed. A phrase would never work when we have companies that are still limiting their passwords to 8 characters.
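    As an added example (not code from any of the posts), here is the entropy arithmetic behind neokushan's passphrase proposal, mayberry42's KeePass-generated 20-character passwords, and the 8-character, no-special-characters cap Headrick ran into. The small word list is constructed for the demo, and the 7776-entry Diceware list size is the example's assumption for a realistic passphrase list.

```python
import math
import secrets
import string

# A small constructed word list for demonstration only; a real passphrase list such as
# Diceware has 7776 entries, which is what DICEWARE_LIST_SIZE assumes below.
DEMO_WORDS = ["harbour", "kettle", "granite", "violin", "meadow", "copper",
              "lantern", "thistle", "saddle", "orbit", "walnut", "fjord",
              "pebble", "quartz", "ember", "tundra"]
DICEWARE_LIST_SIZE = 7776

ALNUM = string.ascii_letters + string.digits       # 62 symbols
ALNUM_SPECIAL = ALNUM + string.punctuation         # 94 printable ASCII symbols


def charset_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of `word_count` words drawn uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def policy_ceiling_bits(max_length, allow_special):
    """Best-case entropy a site can accept when it caps length and character classes."""
    alphabet = ALNUM_SPECIAL if allow_special else ALNUM
    return charset_entropy_bits(max_length, len(alphabet))


def fits_policy(secret, max_length, allow_special):
    """True if `secret` would be accepted under a length cap and a no-specials rule."""
    if len(secret) > max_length:
        return False
    allowed = ALNUM_SPECIAL if allow_special else ALNUM
    return all(ch in allowed for ch in secret)


def generate_random_password(length=20, alphabet=ALNUM_SPECIAL):
    """Manager-style random password (the kind a tool such as KeePass stores for you)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count=4, wordlist=DEMO_WORDS):
    """Space-separated passphrase; its entropy is word_count * log2(len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(f"8 chars, no specials (the card site's cap): {policy_ceiling_bits(8, False):.1f} bits")
    print(f"4 Diceware words: {passphrase_entropy_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    print(f"20 random printable chars: {charset_entropy_bits(20, len(ALNUM_SPECIAL)):.1f} bits")
    phrase = generate_passphrase()
    print(f"'{phrase}' fits the 8-char policy? {fits_policy(phrase, 8, False)}")
```

    The numbers make Headrick's point concrete: an 8-character alphanumeric cap limits even a perfectly random password to about 47.6 bits, below a four-word passphrase from a 7776-word list (about 51.7 bits) and far below a 20-character manager-generated password (about 131 bits). A site that enforces such a cap, rather than the user, sets the ceiling.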

  • by Anonymous Coward on Saturday August 08, 2009 @05:03PM (#28998369)

    If I was a dick, I could get probably 90% of my colleagues' secret PIN codes just by asking them. Who needs malware? People are the problem, not encryption levels.

  • passpack.com (Score:2, Interesting)

    by operator_error ( 1363139 ) on Saturday August 08, 2009 @06:25PM (#28998913)

    Having studied this issue at length professionally, supporting client-offices: the best solution I have found was using the web service Passpack (www.passpack.com). Every single requirement I was faced with, Passpack has met from a security standpoint.

    On a user-friendly perspective, I'm having trouble with training folks like my mother how to be more secure with greater user-friendliness, and I am still looking forward to Passpack improving on their initial one-click-button; but essentially passpack is the most realistic to use solution I have found to-date.

  • by Ronald Dumsfeld ( 723277 ) on Saturday August 08, 2009 @06:42PM (#28998999)
    Good password policy...

    Strong, not written down, regularly changed

    Pick Two.
  • by Artifakt ( 700173 ) on Saturday August 08, 2009 @06:43PM (#28999005)

    The wallet idea works safer if you don't write the password, but an 'un-mutated' version of the password, and you know the rule you use to mutate all your passwords. If you can disguise what's written down so it doesn't look like a password, even better. Jot some name (Lucinda Mott), and address (1630 N. Highway 33, Mesa City) on the back of a business card, with a note like 'carries Valmont brand 3/8ths tubing - closes early Fridays - call Dodge city branch', and let anyone who steals your wallet guess which part of all that is the cue to your password. You can even use dates with this system to let you pick out the current password, just leave the old ones in your wallet too - that actually makes it harder for a pickpocket to spot.
    One way to make an actual word safer (at least from your cohorts at the office), is just to pick something you have no interest in, if you can avoid becoming interested in it just from picking it. If you are in your 20's, and learn the name of a song Frank Sinatra got a Grammy for, and the year, who's going to guess something permutated from that, by a rule such as "reverse the date and put it in the even numbered characters of the password.", especially if you don't write the rule down. Yet you can remember a system like this more easily by far than a truly random password.

    I base this on having once cracked a machine on the first try, when a national guard NCO that was former Navy dared me to - (Hint, most sailors get assigned to just one ship their whole hitch, and it's a big deal to them, as in they usually have a picture or two around standing on the dock in front of their ship, and OMFG, those ships have names painted right on their bows!). I told this person some of the above methods, and kept testing until he got something I wouldn't guess quickly (which took about three tries - Hint 2, If you talk NASCAR all the time, don't be surprised when someone else tries a few variations on your favorite driver and their Car number.). I don't know what he came up with eventually, but it was evidently something actually tricky, because we had a change passwords every month rule and after the first few months, he got to where I couldn't get one of them. (yes, it was part of my job description to bug half a dozen people this way).

  • by flappinbooger ( 574405 ) on Saturday August 08, 2009 @10:08PM (#28999885) Homepage
    As someone who does IT and computer work "in the field" for small local businesses in a small midwestern town, the "Just walk in and look" thing is more true than you might think. If you look like a clean-cut semi-geek with a laptop and an air of confidence, all you need to do is walk in.

    Go up to the bored and underpaid secretary/receptionist who doesn't really give a flock, and say you're there to fix the computer in the back, or to fix the printer, whatever. Most likely they'll say "yeah, sure, whatever" and let you go on because they don't care, don't know, and most places DID have problems with the computer/printer/whatever the day before, and she will assume the owner called you.

    Memory stick with a few choice apps, clickety click, and you can own the place whenever you want and nab whatever you want.

    Oh, and all the passwords are either on a post-it on the monitor, under the keyboard, or are some variant of Password. Or, everyone knows it because it's the dogs name and ALL the passwords are the same.

    "Oh, hey, can you give me the password real quick for this workstation right here?" (wants to be helpful and is embarrassed because they don't know jack about computers) "Sure, it's password123!"

    One time the manager of a chiropractic/PT place was giving me access to the server because she needed me to do something, and I watched her peck in the password at 1 WPM. The password was "SPRAIN". I about busted out laughing.

    Way too many places that should have security - lawyer offices, medical offices - have open APs and crap security. Actually, NO security. No backup, either. I'm turning things around as I go.
