Passwords May Be Weakest Link

blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
  • by tshak ( 173364 ) on Wednesday May 22, 2002 @11:49AM (#3566181) Homepage
    Passwords May Be Weakest Link

    And in other news, "The Earth May Not Be Flat".
    • by Spazzz ( 577014 )
      Agreed! What good does the latest, greatest super-whizbang password hashing scheme do when users pick easily guessed usernames? I used to work for a dialup ISP who had approximately 10,000 entries in /etc/passwd. Just for the heck of it not long after I started working there, I ran Crack against it, and in a matter of about 30 minutes I had myself a nice little list of about 1,500 passwords. -J
    • A conflicting article at the Center for Stating the Bloody Obvious this week stated that in fact:

      Humans are the weakest link. Without them there would be no need for passwords.
    • You do realize, of course, that passwords are not the weakest link in computer security?

      Users are.

      No matter how good a password is, it can be compromised *instantly* if someone can use social engineering to either get it from the owner (e.g., "Hey, I need your password to check if this works...") or get the Sysadmin to change it back (e.g., "I am thusandso and I forgot my password, could you reset it for me please? I need to get some work done this evening but cannot log on..."

      It's like with home security and a lock on a door. A weak lock can be forced or may even be left unlocked, but even a set of high-quality dead-bolts can fail if someone on the inside opens the door to let the intruder in or decides to leave a set of keys under the mat.

      Humans are the weakest link, not passwords.
  • by Anonymous Coward
    If you know the methods of forced passwords you can write a program around them. All of a sudden not only do you have a ton of passwords that are unacceptable, you can predict patterns of tricks people will use to fool the forced password picker into letting them choose an easy to remember password.
  • by Anonymous Coward on Wednesday May 22, 2002 @11:56AM (#3566191)
    ...people will write them down.
    Preferably on post-it notes and stuck to the keyboard or the screen.

    I have seen it all.
    • ...people will write them down. Preferably on post-it notes and stuck to the keyboard or the screen.

      But that's not always a problem. In some situations, where outsiders don't wander round offices, this can be a good technique. If the office is "secure", writing down passwords is fine. This can certainly be put to good effect in the home.

      Post-its stuck to monitors might not be the best place to write them down, I grant you.

    • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Wednesday May 22, 2002 @01:02PM (#3566721) Homepage
      That's why, IMO, you force a strong password, but don't make the poor user change it every other friggin' day (ok, i'm exaggerating, but being forced to change a password for no good reason is a pet peeve of mine...system was hacked? fine, I'll change it)
    • by SomeoneGotMyNick ( 200685 ) on Wednesday May 22, 2002 @01:11PM (#3566770) Journal
      I use a dissected [airsoldier.com] CueCat for password entry. It allows me to use any bar code found on snack food, coupons, product IDs, etc. as a random sequence of alphanumeric characters of significant length. All I need to do is remember where I kept, stored, tucked, stuck, shoved the item with the code on it, scan it, and I'm logged onto the company network.

      People may find a myriad of scannable codes on or near my desk at any given time. The trick is to know which one it is unless I carry it with me. Five attempts at a wrong password locks out the account. Due to the significant amount of digits, the IT department STILL has yet to crack my password using their cracking tools.

      We're required (forced) to change our passwords at regular intervals. Since I've been scanning things, I have not found that an inconvenience.
  • Obvious (Score:5, Interesting)

    by aridhol ( 112307 ) <ka_lac@hotmail.com> on Wednesday May 22, 2002 @11:57AM (#3566198) Homepage Journal
    Did anybody think that passwords wouldn't be the weakest link in security? Remember that, in general, "easy-to-remember" and "secure" are mutually exclusive. And if we forgo "easy-to-remember" for "secure", we will have people writing their passwords on a piece of paper on their desk. There's security for you.
    • Not necessarily (Score:3, Insightful)

      by enkidu ( 13673 )
      For instance: How about the first letters of phrases mixed in with numbers and symbols? "Tis not too late to seek a newer world" becomes "Tnt82saNW" which ain't gonna come up in any matching scheme. Or my sig "There is no trap so deadly as the trap you set for yourself" becomes "T1ntsDa%tys4y". Of course, none of these examples fit the 8 char limit (which personally I think we need to increase. Computers will become fast enough to brute force even totally random 8 char strings, but that's not the point of this post) but I'm sure you get the point.

      Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.

      EnkiduEOT

    • In the spirit of the Felt-Tip-Marker-Qua-DMCA-Illegal-Device, does this place electronic dictionaries under the same category?

      Cheers,
      Slak
    • Re:Obvious (Score:4, Funny)

      by sc00p18 ( 536811 ) on Wednesday May 22, 2002 @12:44PM (#3566596)
      This makes me so MAD! I mean, why can't people take their security seriously? It's not that hard to sit down one day and make up a few difficult passwords and memorize them. For example, I use one of

      ekk4H$2drPr3Q,
      Ltc4buX126w, and
      7ydEX92aSz3UIo

      for 90% of my passwords. Then all you have to do is not tell anyone about them. They're not hard to remember anymore, and it really wasn't that difficult to begin with. Sheesh, morons.
    • Re:Obvious (Score:3, Insightful)

      by ivan256 ( 17499 )
      A secure password on a post-it note on someone's monitor is much more secure than an easy password in someone's head if the premises are secure, and you're worried about external attacks. Someone in another country, or even another building, likely won't be seeing the post-it or the slip of paper in your desk drawer. It depends on the circumstances.
    • Re:Obvious (Score:3, Interesting)

      I was in the car with a friend of mine one day when I noticed a post-it note on her notebook with words written on it in a list: "mom, god, love, peace, dad..." and I asked her about it and whether it was a list of values or goals or something... and of course it turned out to be her password list at work -- each time they forced her to change her password, she wrote the new one at the bottom of the list, which was then sitting on a post-it note on her notebook, which routinely sat on her desk.

      I tried to explain about the importance of selecting good passwords... and she agreed.

      Several weeks later, she called me to ask for my help -- she needed to know how to "bypass" the password and get to her files. When I asked why, she said she'd taken my advice and selected a more difficult password this time around, and hadn't written it down on a post-it note. Instead, she'd saved it in a file so that she could always print it out when she needed it, but of course now she'd forgotten it because it wasn't something she'd normally remember, and without it, she couldn't get to her file...

      The truth is that passwords are never going to work for most people. People only have the mental capital and patience to remember things that are important to them. But once you know someone, you know what is important to them, and pretty quickly you know their potential passwords. And of course, many humans find that the same things are important to them... so passwords as a group from anyone but computer professionals tend to be easy to guess.

      Just bring out the fingerprint scans or retina scans, etc. and be done with it.
    • Re:Obvious (Score:4, Insightful)

      by b1t r0t ( 216468 ) on Wednesday May 22, 2002 @04:39PM (#3568452)
      There's an easy way to make a relatively strong password that is also relatively easy to remember. How many of you have ever tried to make a cheezy D&D character name generator by having it generate cvccvc combinations (like say, keztul)? They can come up with some pretty weird... but still pronounceable... stuff.

      So start with a random cvccvc (c=consonant v=vowel) combination. Yes, I know it's not quite as good as a fully random alpha combination (by a factor of 275625), but it's a lot easier to remember. Then add a punctuation character (especially a shifted one like !@#$%^&*() ) and you will get something like "kez#tul". That's a pretty decent password right there.

      If you have a truly fascist password policy to satisfy, change a letter to a l33t5p33k digit, and maybe make one letter uppercase. In this case, the result could be "k3z#t00L".

      If you come up with three or four cvccvc pseudo-words, you can even use them for various security levels. One for r00t passwords, one for "normal" passwords, and one for web passwords (like slashdot, etc.).
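
The cvccvc scheme described in the comment above, written out as an added example (not code from the poster or from Slashdot). It draws letters from a CSPRNG, inserts one shifted punctuation character, applies a deterministic "stricter policy" step, and reports how many bits of keyspace the scheme actually yields next to a random 6-letter string. The leet substitution table and the rule "first mappable vowel, upper-case the last letter" are assumptions chosen to reproduce the comment's "kez#tul" to "k3z#tuL" style, not the poster's exact rule.

```python
import math
import secrets

# Alphabets for the cvccvc scheme; the punctuation set is the shifted row the comment lists.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
PUNCT = "!@#$%^&*()"                   # 10 characters
PATTERN = "cvccvc"
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}  # assumed substitution table

_rng = secrets.SystemRandom()          # CSPRNG; random.Random() would be predictable


def pseudo_word(pattern=PATTERN, rng=_rng):
    """Build a pronounceable pseudo-word: 'c' picks a consonant, 'v' a vowel."""
    return "".join(rng.choice(CONSONANTS if ch == "c" else VOWELS) for ch in pattern)


def add_punctuation(word, rng=_rng):
    """Insert one shifted punctuation character at a random interior position."""
    pos = rng.randrange(1, len(word))   # never first or last, so the word stays readable
    return word[:pos] + rng.choice(PUNCT) + word[pos:]


def harden(password):
    """Deterministic step for stricter policies: leet-ify the first mappable vowel
    and upper-case the final character (e.g. 'kez#tul' -> 'k3z#tuL')."""
    chars = list(password)
    for i, ch in enumerate(chars):
        if ch in LEET:
            chars[i] = LEET[ch]
            break
    chars[-1] = chars[-1].upper()
    return "".join(chars)


def keyspace_bits(pattern=PATTERN, with_punct=True):
    """log2 of the number of distinct outputs the generator can produce."""
    n = 1
    for ch in pattern:
        n *= len(CONSONANTS) if ch == "c" else len(VOWELS)
    if with_punct:
        n *= len(PUNCT) * (len(pattern) - 1)   # 10 symbols x 5 interior positions
    return math.log2(n)


def random_alpha_bits(length=6):
    """Keyspace of the same length drawn uniformly from a-z, for comparison."""
    return length * math.log2(26)


if __name__ == "__main__":
    pw = add_punctuation(pseudo_word())
    print(pw, "->", harden(pw))
    print(f"cvccvc+punct: {keyspace_bits():.1f} bits; random 6 letters: {random_alpha_bits():.1f} bits")
```

The keyspace figures are the point of the example: they show in numbers how much memorability costs, and make it easy to see what a longer pattern (say `cvccvccvc`) buys back.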

  • by vicviper ( 140480 ) on Wednesday May 22, 2002 @11:58AM (#3566202)
    Sounds like they put a password cracking utility against the NT sam file. The thing is that if your security is done right, you should at least need the Administrator password to access that file, no?
    • One word - SQLSnake

      The fact that you need "x" access in order to get to the password file is no protection against the password file being stolen and cracked.
    • Or on unix, they got /etc/shadow, which you'd normally need root privs to read anyway. That's why crypted pws are stored in /etc/shadow...

      However, hacked user passwords are useful if they give you user-level access to another system, since then you can use a non-remote root exploit to get root.

      Baz
    • Just get physical access to the machine. You can then use any number of filesystem readers to get at anything on an NTFS volume, regardless of permissions.
  • ...secure passwords are usually difficult to remember. Thus users tend to use the month (05 for may, etc) for the mandatory digits, and sometimes cusswords to vent their frustration at the secure password policy. Also, it's not too difficult to find sticky notes with obscure strings a la "h0tgr1tz99" stuck on people's monitors. Hmmmm, wonder what that could mean?

    Sources: interviews and sticky notes on monitors

    --
    martin
  • by antirename ( 556799 ) on Wednesday May 22, 2002 @11:58AM (#3566205)
    Are especially vulnerable when bonehead admins let you remotely dump the registry. I've seen that one a couple of times. They don't let the users change the time or date on their machine, but the users can dump the registry on the servers. One company told me that "of course, we know that could be a problem, but the users aren't going to know how to exploit it". One of the dumbest examples of security by obscurity that I've ever seen.
  • by Kiaser Zohsay ( 20134 ) on Wednesday May 22, 2002 @11:58AM (#3566208)
    ...every 39 days, and it remembers an ungodly number of old ones, so you can't recycle. I don't have enough kids to come up with that many passwords.
  • I had my password tattooed on my forehead so I'll never forget it. It's much better than using a slip of paper that can get lost or stolen.

    However, not everything is rosy. It's a pain to remember to bring a mirror with me all the time, and reading mirrored letters can cause eye strain.

  • Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?

    IBM for one. Sure it's a pain keeping track of them all, but weak minds are no excuse for lack of security.

  • 1. Have a program generate a random password for you.
    2. Write it down on a card, and put it in your wallet. Treat it like your credit card number - you wouldn't post that on your monitor, would you?

    • Passwords are not credit cards. If I steal your credit card, you have a much better chance of catching me when I try to use it. If I just copy your number, using that number will cause me to leave at least some kind of paper trail: shipping address, ip address, etc.

      If I steal your password out of your wallet, I can copy it down, go to a terminal on some other side of the building, log in, be a little sneaky, cause trouble.

      The difference is that if you lose a credit card, you will know relatively quickly. There is a better audit trail behind the cc as well. If someone ganks your password, you might be lucky to find out before the pressure drops.
  • people dont care (Score:5, Interesting)

    by digitalsushi ( 137809 ) <slashdot@digitalsushi.com> on Wednesday May 22, 2002 @11:59AM (#3566212) Journal
    They don't. They wonder why their websites get hacked. It's cause they INSIST on having HORRIBLE passwords. I know, I know, the counter argument is "so stop being a wuss and enforce a better password policy". Two things. The customer is always right, even when they're blatantly wrong. Second, is that a small call center can't battle today's new Internet user's unwillingness to accept that the Romanized alphabet has two cases, that a 1 is not an I, and well.. a lot of you know what I mean.

    So customers don't care. Then some kid tries their URL as the password or whatever and gets in. And the site goes down. The customer calls in and we tell them what the deal is. Restore the website, and suggest they choose a stronger password this time around. *sigh*

    But it doesn't matter. It's not one of those "change the settings" things. As long as people can pick their passwords, passwords are going to suck, and people will gain access they don't deserve. Period. Always, Always, Always.
  • by AMuse ( 121806 ) <slashdot-amuseNO@SPAMfoofus.com> on Wednesday May 22, 2002 @11:59AM (#3566216) Homepage
    My company is a service based company. We're a group of professional sysadmins who contract to large customers to take over network and SysAdmin duties. We are also responsible for security of our systems.

    The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.

    However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.

    It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.
    • by Waffle Iron ( 339739 ) on Wednesday May 22, 2002 @12:13PM (#3566343)
      However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement.

      I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file. Let people watch as the program guesses their passwords and spits them out. Maybe give a prize to the best/worst passwords. It might get people to understand the problem and help them become more interested in solving it.

      • by Darth_Burrito ( 227272 ) on Wednesday May 22, 2002 @01:32PM (#3566904)
        My university had some sort of automated cracking script running weekly. If it cracked your password you were sent an email telling you your password had been cracked by their script. You were then instructed to change your password within 3 days (or something) or else your account would automagically be disabled.

        This system seemed to work well because users could see an actual threat. Also, since everything was handled via script, there was no one tangible to blame other than the user with the bad password.
      • Why have them enter their passwords into the computer? Why not just ask them what their logins are, make a list, and then run the crack on what is already there, right in front of them on a projected screen, showing their passwords, or something similar, perhaps not showing an actual password, but have john_doe pop up when his password is cracked; then if the people don't believe it, they can ask you personally.
    • Security (for your users, or at least me) is one aspect of an overall goal: getting our jobs done. If someone hacks into my system and trashes all of my files, that will take time and energy away from other work. If I have to unlock the safe under my desk, pull out the notebook containing 16-character one-time passwords and punch one in every time I want to check my e-mail, that also will take time and energy from other work.

      Remember always to balance the security you use with the value of the secured valuables. For a health-services company the value of the information is (perhaps) much higher than for your average "senior civil servant".

      Also, don't put 15 deadbolts on the (virtual) front door while leaving the (virtual) window next to it wide open. I would guess that a lot of organizations have lost more proprietary information by viruses attaching documents to outgoing e-mails than by crackers breaking in.

    • What to do? (Score:2, Interesting)

      by delphi125 ( 544730 )
      Perhaps compromise a little, and educate too? I don't know what you consider strong, but if they have to choose and remember passwords like 'xh3*gH!P67' then I can understand why they are upset. Assuming you have full control over the software, why not continue to disallow 'britney', but allow 'brit54ney'. Not strong, can be brute-forced easier than most, but I expect with a little education you can manage this - even senior civil servants aren't that stupid, they simply haven't grown up with this issue at all.

      In my view, the real problem lies in the number of web sites which require (free) log in. Say you use 20 services and that they all require logins. Are the punters supposed to remember 20 different name/password combinations? No, they'll often reuse. And what is to stop billg/msft1234 who has logged in at both slashdot and the New York Times being compromised by CmdrTaco to read the NYT for even freer? I personally re-use passwords for sites where there is no risk involved, elsewhere I often create throw-away passwords which I'm happy to have in a cookie but forget before I'm ever asked to use them again (and thus create a new account).

      • Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.

      Is your firm being paid any less due to customer dissatisfaction?

      If the answer is no, then you are being abused by your management. They should throw out strong password complaints when evaluating customer satisfaction.

      Surely the civil service organization has a policy about the use of strong passwords. I believe all Federal organizations have such a policy, if this is state or local, maybe not, I guess. Not insisting on implementation of policy would possibly be a cause of legal action against your company should there be problems.

      I suspect this is a convenient way for your company to hold on to your bonuses.

  • by Raleel ( 30913 ) on Wednesday May 22, 2002 @12:00PM (#3566219)
    Users are the weakest link. Always has been. The user chose the password.
  • After dealing with multiple incidents of hacking at my former work, we formed a security policy that included enforced, complex passwords. Luckily we did the same analysis on existing passwords to justify the change because it caused quite an uproar.

    Our heuristic was simple (to me): include one character from each of the following subsets of characters: UPPERCASE, lowercase and numbers, minimum of 8 digits.

    I must have spent at least 10 minutes with most people helping them choose passwords that fit the criteria. The worst ones of course were the executives, one made me sit with them for over a half an hour while they figured it out.

    Luckily it was a small company of 40 people or so, I might have gone crazy.
  • by Telastyn ( 206146 ) on Wednesday May 22, 2002 @12:01PM (#3566229)
    probably 60-75% were cracked within 8 hours.

    People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.

    To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definitive source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.

    Why shouldn't they do the same with a password?
  • Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it

    Mine did. Every 3 months our payroll server refused to let us in if we didn't send in a new Password, then and there. Same thing with the filesharing/print server. The cool thing is, they were staggered so that you'd have to change one of your passwords every six weeks or so. Kept it regular, kept it part of routine.

    Triv
  • In my experience, in a large corporation, there are hundreds of independently managed password domains, at least a dozen of which any one person will usually have to deal with on an ongoing basis. Differences in password change frequency, minimum lengths, differentials from prior passwords (sometimes from ANY password used by ANYONE on that system in the last year), and digit inclusion rules vary in a tower of Babel that make it difficult to even maintain passwords, let alone ensure they are all maintained securely.
    • The corporation that I work for has actually fixed this one a little. They're techno bastards but at least they're enlightened bastards.

      They enforce good (i.e. hard to remember) passwords by refusing to let you set one that isn't good. On the other hand they have a system that actually synchronises all of the different domains to be the same password. I currently only have one system out of maybe 8 that has a different password. That way you use it all the time, so after a few days you have it down.

      However because the passwords are good in the first place, you don't have to change them quite so often (I think 90 days).

  • Expiring Passwords (Score:2, Insightful)

    by pz ( 113803 )
    In what way does changing a well-chosen password increase security on a non-compromised system?
  • by jehreg ( 120485 ) on Wednesday May 22, 2002 @12:03PM (#3566249) Homepage
    This is so tech-elitist... "The users are the problem!"

    Give a look at any paper by Sasse, Brostoff and Adams, such as this one [mdx.ac.uk], and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force-all-my-users-to-32-char-monthly-passwords bullshit attitude.

    The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.
    • The answer is not to forget the human aspect.
      This [cmu.edu] implementation of S/KEY includes a scheme for making machine-generated passwords that are supposed to be memorable by humans. Does anyone have any experience with such a system, as used in real life?

      Just because there's a tradeoff between ease of use and security, that doesn't mean that you can't sometimes improve both; most real-life systems are probably not optimal in either way.

      To give an example of a really retarded password system that's completely nonoptimal, I teach at a school where the faculty turn in their grades on a computer. Security is obviously an issue. The password policy is that your password must consist only of digits, at least six of them. Now this certainly will stop people from choosing "password" or "rover" or "aaa" as their password, but they'll probably end up using their birthdays, or writing their passwords on a post-it, because they can't remember a string of digits. And of course the idea of restricting it to a character set of only 10 digits is pathetic -- it just reduces entropy. (The people who wrote the software are so clueless, they even set up the default configuration so that you have to type in your password twice in order to log in -- I guess that was meant to increase security! It took a few months for the school's admins to change that.)

    • Users are lazy.

      If you have a small company with, say, fifty people, and you educate and assist all fifty of those people, a significant fraction will still say "there's no way my account would be cracked" and set their password to "PASSWORD" or somesuch.

      The fact is, you do need to force users to enter cryptic passwords, or there will always be lazy, irresponsible types who just don't do it.
  • Can we have some evidence as to how harmful weak passwords really are? I know people that would be a lot more trouble if they were forced to remember good passwords (They'd probably end up writing it on a piece of paper). I think it's a lot better to make sure that the compromise of the account could not do much damage by restricting privileges.
  • Haven't they heard of shadowed password files?

    THIS is what you get when you hire people with lots of experience and not fresh graduates. The more modern security measures that are taught in University in NetSecurity 101 such as using shadowed password files instead of using /etc/passwd for everything simply get "lost in the woodwork".

    Therefore by hiring only EXPERIENCED people these old security threats remain until these EXPERIENCED people retire.

    • This link [hackerthreads.org] gives further info. Scroll to the bottom, shadowed passwords can be enhanced by the administrator changing the encryption algorithm used to something strong like Rijndael or whatever plus a bigger salt to thwart dic attacks. Lazy *EXPERIENCED* admins.

      Talking to yourself is the first sign of going nuts. Heh
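
The "stronger algorithm plus a bigger salt" suggestion in the reply above, as an added example (not code from the poster, the linked page, or any shadow-password implementation). It stores each password as a self-describing record with a random 128-bit per-user salt and an iterated PBKDF2-HMAC digest, verifies in constant time, and flags records whose iteration count has fallen behind policy so they can be upgraded at next login. The record format, iteration count and salt size are assumptions for the example; the sample users are constructed.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not values from the thread.
ALGO = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16          # 128-bit per-user salt, versus the 12-bit salt of classic crypt(3)


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_<algo>$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record: fail closed
    if scheme != f"pbkdf2_{ALGO}":
        return False
    candidate = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record, iterations=ITERATIONS):
    """True when a stored record uses fewer iterations than the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations


def build_shadow(users):
    """Constructed example: hash a {username: password} mapping into shadow-style records.
    Two users with the same password get different records because each salt is fresh."""
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    shadow = build_shadow({"alice": "Summer05", "bob": "Summer05"})   # constructed sample users
    for name, rec in shadow.items():
        print(name, rec[:40] + "...")
    print("bob ok:", verify_password(shadow["bob"], "Summer05"))
```

The salt stops one precomputed table or one cracked hash from covering every account that shares a password; it does not rescue "Summer05" itself from a dictionary run, which is why the iteration count and the password policy still matter.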

    • The problem is not that they were able to get the passwords, the problem is that the passwords were so weak that it didn't take the program long to figure them out.
    • by ergo98 ( 9391 )
      The point was not accessibility of the password file, but rather it just happened to be a easy method of testing against passwords : The same thing could be done remotely by slamming against an authentication server with username/password combos.

      Actually, truth be told they are over dramatising somewhat : Whilst (tribute to the other reply :-]) you can slam a password file several million times a second, you can authenticate against a reasonably configured server maybe three times against an account before the account will be locked out for a prescribed period of time (often permanently until someone in the IT department can figure out if you're just a moron with CAPS LOCK on and re-enable your account), so such brute force attacks are irrelevant. I wonder if the hoopla about easily guessed passwords might be more drama than anything else. Admin accounts don't get locked out (the obvious reason being a DOS by continually locking you out of your own machine) so they would still require a very strong password and active security monitoring.
      • Re:Shadow passwords (Score:3, Informative)

        by Beliskner ( 566513 )
        Not so dramatic - the previous kerberos did give credentials to an unauthenticated session, quoting from here [www.brd.ie]
        In order to mount an offline dictionary or brute force attack, some data that can be used to verify the user's password is needed. One way to obtain this from Kerberos 5 is to capture a login exchange by sniffing network traffic.


        In Kerberos 5 a login request contains pre-authentication data that is used by the Kerberos AS to verify the user's credentials before issuing a TGT. The basic pre-authentication scheme that is used by Windows 2000 and other Kerberos implementations contains an encrypted timestamp and a cryptographic checksum, both using a key derived from the user's password.

        The timestamp in the pre-authentication data is ASCII-encoded prior to encryption, and is of the form YYYYMMDDHHMMSSZ (e.g. "20020304202823Z"). This provides a structured plaintext that can be used to verify a password attempt - if the decryption result "looks like" a timestamp, then the password attempt is almost certainly correct. A password attempt that recovers a plausible timestamp can also be verified by computing the cryptographic checksum and comparing it to that in the pre-authentication data.
        The moral of this story is, kids, update your kerberos, as kerberos v5 is partially decapitated.
  • The company I work for (large, national insurance company with over 50,000 users) has a "strong" password policy that is enforced by the system. A password for our domain must be a minimum of 8 characters with a mix of upper and lower case letters plus numbers. Password changes are forced every 2 months, and a previously used password is not able to be reused for the next dozen password changes. That being said, just yesterday I was working with a user whose password was their first name with a number one tacked onto the end of it. I imagine that she started with Firstname1 and then just incremented it on subsequent changes.

    The problem isn't just forcing "strong passwords" onto the end users, but making sure that end users understand the reasoning behind it. Making someone use complex password formulas is useless when a large number of the users are going to use something that can still be easily guessed that conforms to the formula.
    • The company I work for (large, national insurance company with over 50,000 users) has a "strong" password policy that is enforced by the system. A password for our domain must be a minimum of 8 characters with a mix of upper and lower case letters plus numbers. Password changes are forced every 2 months, and a previously used password is not able to be reused for the next dozen password changes.
      Dude, hate to break it to you, but with difficult passwords like that I'd estimate that 95% of people you admin have their password written down in 10 places including on post-it notes stuck to their monitors.
  • crack this with JTR:


    no, of course that is not my private key. But it proves a point. Don't rely on false randomness to enforce security. Do it the right way.

    While you're at it, read Schneier's book(s) and subscribe to Crypto-Gram. I force-feed it to my network users every time it comes out...
  • In my experience password expiration just forces you to pick memorable passwords. I have several passwords that haven't changed in years, but they are secure by most definitions: 8 chars, upper and lowercase and numbers. They would be impossible to remember except that I have been using them for years. The only thing password expiration protects against is limiting the damage of a password which has already been compromised.

  • That's no surprise (Score:3, Insightful)

    by Chardish ( 529780 ) on Wednesday May 22, 2002 @12:11PM (#3566320) Homepage
    In the corporate non-IT environment, you would be absolutely astonished at the stupidity of the passwords involved.

    • A great deal of passwords are simply PASSWORD. Try it, you'll be amazed.
    • If you know the names of the target's immediate family (and possibly pets), you've just gained 1-5 more possible passwords.
    • Many people simply make their passwords 'qqqq' or some chain of identical letters. This is because they don't want to have to bother with remembering a password.
    • On a similar note, try QWERTY, ASDFGH, ZXCVBN, etc. Look for strings of letters on the keyboard that fit the minimum password length (typically either 4 or 6).
    • If you have access to the target's desk, you've hit pay dirt. The password is likely written down somewhere. It would be nice if most software didn't say "write down your password", etc.
    Good password creation tips...

    Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to bruteforce, and can be remembered fairly easily with a bit of practice.

    Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...

    I've rigged up a :CueCat barcode scanner to just generate raw text input. This way, you can take another piece of paper that has a barcode on it and use that as a password. For instance, keep your library card in your wallet and use the barcode on that as your password by scanning it with a :CueCat. That's always a viable option.

    But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.

    -Evan
  • News, and in other news: computer systems are 100% safe except for the users. Anyone who has been in any sort of IT environment can tell you this, and probably for a whole lot less money than the consulting firm charged. Unless your policy is enforced and a dictionary is used on passwords, (L)Users will compromise security for ease of use almost ALL the time.
  • At my company, I initiated a policy requiring strong passwords (8+ chars, at least 1 uppercase, 1 lowercase, 1 digit, one punctuation, no dictionary words beyond two characters in length allowed). The policy also requires monthly password audits (using programs like John the Ripper).

    I got the policy signed off on by the board, then I wrote a memo that explained the policy and showed how it is easy to come up with and remember good passwords (through the phrase --> password method, for example).

    So far, it's worked out well. There was some grumbling at first, but once people came up with their first passwords, they realized how easy it was and it didn't bother them any more.

    -Joe

  • Tokenized fobs, or one-time passwords are the best answer, I think. Too bad an ACE server costs so much. :-(

    ttyl
    Farrell
  • Here at work, the DBAs are setting up strong-password checks on all of the Oracle databases. Passwords are restricted to more than seven characters, and must contain an upper-case alpha, lower-case alpha, a numeric, cannot be one of your last 10 passwords, and cannot have similar substring matches with your last password.

    However, with Oracle versions 8.1+, there is a bug with the supplied verify function that rejects nearly ALL passwords supplied, even passwords that are completely random strings (such as g8kLK58sS). Anything used in the "ALTER USER [NAME] IDENTIFIED BY [PASS]" will fail, and we users are getting a bit angry that we've lost the ability to change our own passwords.

    What this has resulted in is an abundance of ORA-28003: password verification for the specified password failed messages. This is the default error message when your password is not complex enough. Note that by default, Oracle passwords are NOT case sensitive.

  • by YankeeInExile ( 577704 ) on Wednesday May 22, 2002 @12:13PM (#3566353) Homepage Journal
    This is a touchy area.

    You need to have a password policy that encourages better passwords without requiring a specific password makeup.

    If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.

    Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.

    The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.

    Furthermore Opie [inner.net] is a neat project to avoid keyboard snooping.

  • The password is dead. Long live the passphrase. Tell people to chose a "word", and they'll pick their Mom's name. Tell people to pick a short phrase, and they'll very easily pick something that's orders of magnitude harder to guess.

    Phrases can have lots of entropy, and still be easier to remember than the equivalent entropy in 8 chars.

    Enforcing policies that make people choose random passwords just leads to people writing them down on postits stuck to their monitor. Just make sure it has a couples spaces in it and has a decent length, like more than 10 chars. If your system is still enforcing an 8 char limit, trash it, it sucks.

  • When I was sysadmin (for a Windows network), I would just run l0pht [l0pht.com]. If A) the dictionary could hack it, or B) if they didn't have a number or special character, then I forced them to change their password on the next round. (Here is a detailed explanation of the Microsoft vulnerability [hackingtruths.box.sk].) If they didn't change it to something better, I'd give them a quick phone call and politely explain the security policy I was implementing. (Most people are very cooperative if you tell them politely and don't shove your security policy down their throat.)

    There are other free programs out there (I forget the names) that generate nice reports based on l0pht findings. You can, for example, say that 80% of the users have passwords the same as their user names, 50% have passwords with one special character in it, etc.

    Perhaps CxOs should visit sites like Astalavista.com [astalavista.com]. They'd then see how easy it is for a cracker to compromise your network!
  • The most valuable standard to be set is not API but the authentication protocol.

    All Microsoft would need to have done is buy out Verisign before the anti-trust actions and before Verisign became a monster.

  • Let's face it: one of the weakest features of username/password authentication is the fact that you must declare your ID and then your password. No matter how well you hide your password, the fact that you declare your ID to the system is probably just as bad as easily guessed passwords.

    Think about the difficulty in hacking authentication if all usernames were completely unknown or never declared. I could tell you there are 4 users on "login.supervaluable.com", all of which have the password "easy12remember". Unfortunately, if you never figure out what the names of those 4 accounts are, the passwords are worthless. However, if you have a list of the 4 account names but don't know the passwords, you have at least a place to start your intrusion.

    So just as much as easy-to-guess passwords are a problem, I stipulate that easy-to-guess usernames are too. Does this mean the username/password scheme needs to be rethought? Anyone have alternative authentication schemes that require minimal "declaring" of any information?
  • A long, long time ago, I wrote an obvious password detector [animats.com]. It's a tiny bit of C code, portable, free, and doesn't call anything or need any files. (It's so old it's K&R C.) If it were widely used, password guessing wouldn't be a problem.

    • The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.

      Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.

    That's enough to defeat the usual attacks. And it's one page of code, plus a few pages of table.
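One way to implement the triplet-statistics idea described above, written here as an added example rather than the animats.com code: a Python checker that rejects a password when too many of its three-character windows occur in an English word list. The word list below is a constructed stand-in for the UNIX spelling dictionary, and the rejection threshold (half or more of the windows) is an assumption.

```python
"""Obvious-password detector using letter-triplet (trigram) statistics.

Added example, not the animats.com code. Assumptions: ENGLISH_WORDS is a
constructed mini corpus; a deployment would build the trigram table from a
full spelling dictionary (e.g. /usr/share/dict/words), and ENGLISH_THRESHOLD
is an assumed cut-off to tune against that dictionary.
"""
from typing import Iterable, Set, Tuple

# Constructed mini word list standing in for the UNIX spelling dictionary.
ENGLISH_WORDS = """
the and for are but not you all any can had her was one our out day get has
him his how man new now old see two way who did its let put say she too use
password secret flower welcome summer winter monday friday computer account
system manager office letter dragon master shadow sunshine princess football
baseball qwerty letmein monkey cat dog
""".split()

MIN_LEN = 8          # configurable length limits, as in the post
MAX_LEN = 64
ENGLISH_THRESHOLD = 0.5   # assumed: reject when >= half the windows are English


def build_trigram_table(words: Iterable[str]) -> Set[str]:
    """Collect every 3-character window that occurs in any dictionary word."""
    table: Set[str] = set()
    for word in words:
        w = word.lower()
        for i in range(len(w) - 2):
            table.add(w[i:i + 3])
    return table


TRIGRAMS = build_trigram_table(ENGLISH_WORDS)


def english_fraction(password: str, table: Set[str] = TRIGRAMS) -> float:
    """Share of the password's 3-character windows that are English trigrams.

    Digits and punctuation are kept inside the windows, so a digit in the
    middle of a word breaks its trigrams (and usually lets it pass, as the
    post notes), while a digit only at the start or end does not.
    """
    p = password.lower()
    windows = [p[i:i + 3] for i in range(len(p) - 2)]
    if not windows:
        return 0.0
    hits = sum(1 for w in windows if w in table)
    return hits / len(windows)


def check_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason); length limits are checked before statistics."""
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    frac = english_fraction(password)
    if frac >= ENGLISH_THRESHOLD:
        return False, f"looks like English ({frac:.0%} of trigrams are in the dictionary)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: a dictionary word, a word with a leading digit,
    # the same word with a digit in the middle, a passphrase-derived string
    # and a random string.
    for candidate in ["password", "1flower1", "flo9wer1", "mlbiewaa8", "xq7vkzpm"]:
        print(candidate, check_password(candidate))
```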
  • Single sign-on is a joke. There is no standard for this. There is no single solution to authentication that spans across all platforms. Take, for instance, a vendor of a turnkey product, say a web-based materials management system. They would probably roll their own authentication system because they need authentication but can't rely on their customers to have a particular system in place to interface to for authentication purposes. So in addition to the ten other passwords I need to remember for all of the other systems with custom authentication, I will need to add one more to my list. The solution is the development of an authentication standard that can be applied to future systems and retrofitted into legacy systems. Kerberos? Seemed good at the time, but why hasn't it caught on more? Tall order? You bet! But how else are you going to solve the problem of having to remember multiple passwords? Most people just go back to remembering one or two and use them for all the systems they log in to. Not a good idea, but let's face the truth: almost everyone is doing this and this won't change until a real single sign-on solution is delivered.
  • NT scores here (Score:3, Insightful)

    by Cally ( 10873 ) on Wednesday May 22, 2002 @12:20PM (#3566413) Homepage
    No, I'm not a Microsoft astroturfer!

    But this is definitely one of the few areas where NT/2K still scores over (most) Unices (as far as I know, please cluestick me if I'm wrong...), namely it's trivially easy to enforce finely grained password policies. On NT, it's a case of find the dialog, check the options you want to apply, enter some numbers (length of time to remember old passwords and reject them, how often to force changes), minimum length, whether to force uppercase / digits / alpha-numericals etc. I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies. (Well, OK, I'd use Google, the LDP, how-tos etc, but you see my point.)


    That said, I just installed Mandrake 8.3 out of curiosity to see what a Windows-friendly distro looks like, and I'm VERY impressed. Bob Young is wrong - IMHO - I think Linux /IS/ going to take over the desktop. I just made a 50 quid bet with my manager on the subject anyway...

    • I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies.

      I think just about any Linux and Solaris system will come with PAM these days, and one of those libraries lets you configure these requirements.
    • Re:NT scores here (Score:3, Informative)

      by kervin ( 64171 )

      As someone else stated, PAM does this. More specifically, it's the cracklib PAM module; here's an intro: http://linux.oreillynet.com/pub/a/linux/2001/10/05 / amModules.html [oreillynet.com].

      NT actually has the same type of deal. The DLL that does the password check is just a generic password filter provided by MS; you can replace it with your own. I wrote an NT password filter that catches the username and password of a user whenever they change their password and sends it to an external program registered in the registry. I use it to keep Win2K and OpenLDAP server passwords in sync, http://acctsync.sf.net [sf.net], but the external program could obviously be anything.

      As usual, it's just that windows has a pretty GUI ( which should not be discounted btw. )


  • The story is rather obvious, everyone knows the human factor is always the weakest link, and that includes passwords people pick.

    On a side note, password policies can sometimes do more harm than good. Our company enforces password changing and password strength rules for NT logins. We change passwords once a month, and the requirements read "At least 6 characters, must contain capitals, numerals, or punctuation, cannot be any of your previous five passwords, cannot be based on username"...

    Well, someone goofed in the logic of the password ruleset. As it turns out, it requires the use of both capitals *and* numerals. They've actually managed to limit the number of possible passwords... as the majority of the passwords at this company now start with a capital letter and end with a numeral (most often "1"). Since they have to change passwords once a month, most employees either write them down or pick very easy ones.

  • Wouldn't access to the password file be the weakest link? Who doesn't run a shadowed password file anymore?

    Without that, you're looking at brute force. So, start guessing at usernames, and start guessing at passwords for those users. And since the Unix login slows down the more you attempt to get in, well, it's pretty damn hard. :-) Oh, wait, every system has root! Well, show me a system that lets you log in as root and I'll show you a sysadmin who should be shot.

    Windows - on the other hand - is no issue, they lock accounts after a couple failed logon attempts. Microsoft knows how to implement tight security controls.

    • Microsoft knows how to implement tight security controls.

      That <grin> didn't show up very well!!! Should have previewed my message. Hah.
  • My IT folks love to talk about the mandatory password change. I change my password once every 15 days. It has to include three of four character classes: numeric, uppercase, lowercase and symbols. And finally, it can't be any of your last five changes.

    And yet, we've been hacked a few times. How's that possible, you ask? Well, the same IT folks have set up a network that uses plaintext passwords for everything, unless you know how to properly tunnel things.

    The draconian password policy has created other difficulties. A few employees have a set list of five passwords that they rotate; one has his written on the calendar. Many of us have password lists under our keyboards, which in an open floor is about as secure as...well, it isn't secure. Finally, the majority of the passwords follow a simple theme: capitalize the first letter, add a numeral to the end. A dictionary attack for that would take what, five minutes?

    Rapidly changing passwords are a hassle for everyone but the paranoid, and that makes them insecure based solely on inconvenience. Want a nice, secure password? Change it once every six months (with a reset any time you suspect network funny business) and generate it yourself. Anybody can memorize any password given enough time -- and forcing the change only results in easier to crack passwords.
  • A good system (Score:2, Interesting)

    by Anonymous Coward
    I once worked at a research institute where they had a very nice policy regarding passwords.

    They constantly ran the best available password cracking program, and when a user's password was cracked, he got either a warning or an account lockout right away, depending on how long it took to crack. No other restrictions were applied.

  • Weak password (Score:2, Interesting)

    by archie77 ( 520712 )
    A good method I know to create strong passwords is named "passphrase".
    People think of a phrase (a statement) with 4-6 words and take the first (or last, as you wish) characters of the words.
    For example:
    phrase: my linux box is equipped with an athlon 850

    Using the first 1 char, you get:
    mlbiewaa8

    which is a "strong" password but easy to remember. ;-)

    My 2 cents. ;-)))
  • The net impact of requiring monthly password changes is the majority of the user-base will work the month/year into their password. This means that your typical password will be bobmay02, or at best bob8mylf5, where 5 is the month. Making people change the password frequently causes them to split the password into the root, and either a time identifier or a monotonically increasing integer. Thus, your 8-char passwords are now really 3-7 char passwords.

    Has anyone written a cracking program to take advantage of this? Instead of having to decode the entire password, you merely look for transformations that result in the beginning or end of the password translating to a string resulting in a mnemonic for the current month/year.
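From the filter side, the pattern described above can be caught at password-change time instead of exploited: the added Python example below (not from the post) splits a candidate into a rotation affix and the fixed root, so a policy can judge the root's length rather than the whole string. The affix grammar (month names and abbreviations, MMYY, MMYYYY, YYYY, and 1-3 digit counters) is an assumption to extend from your own audit findings.

```python
"""Change-time filter for "root + month/year" and "root + counter" passwords.

Added example, not from the post. Assumptions: the affix grammar below is
constructed; both suffix and prefix placement are handled, and a bare 1-3
digit run is treated as a rotation counter or 2-digit year.
"""
import re
from typing import Iterable, Tuple

_MONTHS = [
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "jan", "feb", "mar", "apr", "jun", "jul", "aug", "sep", "sept",
    "oct", "nov", "dec",
]
# Longest first so "march" is tried before "mar".
_MONTH_NAME = "|".join(sorted(set(_MONTHS), key=len, reverse=True))
_YEAR = r"(?:(?:19|20)\d{2}|\d{2})"       # 2002 or 02
_MONTH_NUM = r"(?:0?[1-9]|1[0-2])"         # 5, 05, 12

# One rotation affix. Alternatives are ordered so a 4-digit year wins over
# "month number + 2-digit year" for the same digits.
_AFFIX = (
    rf"(?:(?:{_MONTH_NAME})[-_.]?{_YEAR}?"   # may, may02, may-2002
    rf"|(?:19|20)\d{{2}}"                    # 2002
    rf"|{_MONTH_NUM}[-_/]?{_YEAR}"           # 0502, 5/02, 052002
    rf"|\d{{1,3}})"                          # 02, 1, 17 (year or counter)
)
_SUFFIX_RE = re.compile(rf"({_AFFIX})$")
_PREFIX_RE = re.compile(rf"^({_AFFIX})")


def split_rotation(password: str) -> Tuple[str, str, str]:
    """Return (prefix_affix, root, suffix_affix), each '' when absent.

    Matching is case-insensitive but the returned pieces keep the original
    characters. The suffix is stripped first, the placement the post reports.
    """
    lowered = password.lower()
    end = len(password)
    suffix = ""
    m = _SUFFIX_RE.search(lowered)
    if m:
        suffix = password[m.start():]
        end = m.start()
    start = 0
    m = _PREFIX_RE.match(lowered[:end])
    if m:
        start = m.end()
    return password[:start], password[start:end], suffix


def check_rotation(password: str, min_root: int = 8) -> Tuple[bool, str]:
    """Accept only when the root left after removing rotation affixes is long enough."""
    prefix, root, suffix = split_rotation(password)
    if len(root) >= min_root:
        return True, "ok"
    affixes = ", ".join(repr(a) for a in (prefix, suffix) if a)
    if not affixes:
        return False, f"shorter than {min_root} characters"
    return False, (f"effective root {root!r} is only {len(root)} chars after "
                   f"removing rotation affix {affixes}; policy needs {min_root}")


def rotation_share(passwords: Iterable[str]) -> float:
    """Audit statistic: share of passwords built as root + rotation affix."""
    pws = list(passwords)
    if not pws:
        return 0.0
    hits = sum(1 for p in pws if split_rotation(p)[0] or split_rotation(p)[2])
    return hits / len(pws)


if __name__ == "__main__":
    # Constructed candidates, including the two shapes from the post.
    for pw in ["bobmay02", "bob8mylf5", "Summer2002", "2002summer", "Y0n7H9t9N"]:
        print(pw, split_rotation(pw), check_rotation(pw))
```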
  • This has been true since passwords were first used. I've run password cracking programs against all of my systems and projects as part of a standard assessment. I would say that finding 30% of passwords in less than a day would be a fairly typical result.

    The truth is that passwords are not a good security tool for all the reasons you would expect. The basic one is that memorable passwords are generally easily cracked passwords.

    I use tricks like passphrases where I take the third letter of each word, mix case, and numbers for certain letters, etc. Even with those tricks, the password is still fairly easily attacked (the frequency of letters in the English language is hardly random).

    IMHO the best solution is to combine authentication methods. Use a token system like SecurID combined with a password. Better yet, use password, token, and biometrics.

    If you have to use passwords and only passwords, run the attacks yourself and lock accounts you can crack. If you don't run them, someone else will.
  • by alouts ( 446764 ) on Wednesday May 22, 2002 @12:38PM (#3566568)
    Passwords are important. Fine. But why are they important? They protect sensitive information? They keep the infrastructure running? They will allow a web site to track who you are and pull up the appropriate marketing preferences? They will allow you to launch nuclear weapons?

    Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.

    If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.

    Making people choose strong passwords is a computer-based version of a traditional risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that risk. Unfortunately I haven't gotten the feeling that either this article or many of the people here take into account the relative nature of computer security.

    One of the key questions that needs to be asked before a password policy is defined and implemented is: what are we securing and how valuable is it? How devastating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.

    Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.

    Memorizing multiple truly secure passwords on a rotating basis is a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business-based reason why, and will easily be able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.

    • What you say is certainly true, but I want to put a big caveat on it:

      It's very difficult to answer the question " what are we securing and how valuable is it?" for a number of reasons. To do that, you need to define what it is you're afraid of losing and how much of it you might lose from a particular attack. Both are very difficult questions, and are often gotten wrong.

      Looking at the first, people often underestimate the risk from a security compromise because they're only thinking about the confidentiality (secrecy) of their data. At least as important to consider are integrity and availability, that is, whether the system and data remain correct and usable. There are lots of things that don't really need to be confidential, but do need to be right. Picture building design specs, for example. They're not secret at all - most of them will become matters of public record - so it doesn't really matter if they get stolen. God help you, though, if they get altered and you don't find out until halfway through construction.

      Supposing you can somehow estimate the total VAR (Value At Risk) of your information systems, it's still nigh impossible to figure out what portion of that would be endangered by any particular attack. An apparently minor attack can easily be a stepping stone to a much more serious one. Parlaying limited access - whether acquired legitimately or otherwise - into greater power is generally called privilege escalation, and it's a common component of attacks. The "root kit" is a classic example of this. A root kit won't get you onto a system, but if you can get unprivileged access some other way, the kit will then get you root. You can't assume that the security of a given account is unimportant just because that person hasn't been granted access to anything sensitive. There's always the possibility that a user has, or could get, access to things way beyond what was intended. Consider your marketing schmoe whose password security you claim is relatively unimportant. It's entirely possible (even likely) that the network which "does not allow remote access" does indeed have a gap somewhere. And if it does, someone could telnet in, log in as Mr. (or Ms.) Schmoe, and escalate to root on their one server. At this point, the attacker can probably compromise the username and password of any other user on that server, one of whom may have access to something that does really matter. This is just a hypothetical story, but it illustrates a very important point about computer security: a series of weaknesses, any one of which would be unimportant as long as everything else worked as intended, can often be strung together into a successful attack.

      As you said, security policies should be based on a rational economic evaluation of what's at risk and how much it would cost to mitigate that risk. The problem is that it can be difficult indeed to assess how much risk hinges on a given decision, so it's usually wise to be more conservative than you think you need to be.
  • zzzzzzzz (Score:5, Insightful)

    by sulli ( 195030 ) on Wednesday May 22, 2002 @12:40PM (#3566580) Journal
    Difficult to remember passwords -> password on a Post-It note on the monitor.

    Easy to remember passwords -> crackable.

    Heard it all before. Only thing that really works is SecurID, imho.

  • Duh!

    People at work hate me for enforcing hard passwords. (And other assorted security measures)

    Basically I am a BOFH [bofh.net] so I don't care.

    Unfortunately the common joe/jill user has no clue when it comes to computer security.

    You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)

    A good way to help *push* them towards secure passwords is to crack your own systems passwords.

    You can use John the Ripper [openwall.com] for Unix passwords OR l0pht crack [atstake.com] for Windows systems.

    Nothing disturbs an end user more than when you email them their old password,

    (You have changed it to something hideous now...) and warn them that you can read their email.

    If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.

    If you use Unix try npasswd [utexas.edu] to enforce difficult passwords.

    The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
    Help them come up with a creative password. (First letters of a phrase work good. Throw in some numbers/metachars..)

    Once I had Management buy in it was smooth sailing. Just hold their hand for a while.

  • I strictly enforce "difficult" passwords on all of my clients - but I don't make them rotate them. Why? Because difficult passwords are by definition hard to remember - and I don't want them to write their new-passwords-of-the-month on post-it notes.

    In this day and age, it's usually easy to add SSH/IPSec gateways to everything, and filtering all unknown IP addresses helps as well - I use these to augment any system that is brain-dead enough to transmit passwords in the clear.

    Quite often, password rotation causes passwords to be transmitted in the clear - over help-desk phonelines, in un-secured palm devices and on sticky notes.

    Food for thought - and yes, I do know it's against your MCSE training.

  • by MarkedMan ( 523274 ) on Wednesday May 22, 2002 @12:48PM (#3566633)
    Everyone knows the first part of this. If a password is easy to remember, it is easy to crack. If a password is changed frequently, it is almost impossible to remember. Why are we still using passwords? Passwords rarely catch on in any of the other places we try to use them (car locks, electronic padlocks, electronic house locks, etc.) The few places they have caught on are typically a joke. I recently went to the side door of my sister-in-law's high security apartment. There were four keys on the entry pad with the numbers worn off. I didn't even bother to call up to her until I had the sequence figured out. Thirty years of trying to lock down systems seems to have taught us nothing. Why aren't we demanding something better, such as USB keys, fingerprint scanners, etc? Whenever I discuss this, there are quite a few who say it is the user's fault, that they must be trained to use passwords that are secure, and then everything would be fine. Sure, and if everyone loved each other, there would be no more war. But let's deal with people as they really are, not in some theoretical alternate universe. I'll say it again - thirty years of experience has taught us that passwords do not work. At some point we need to stop trying to start that car and get a new one.
  • by Zathrus ( 232140 ) on Wednesday May 22, 2002 @01:04PM (#3566729) Homepage
    As many others have pointed out, it's between a rock and a hard place. Allow weak passwords and you'll get them. Force strong ones and they'll be written down where anyone can find them (I used to work at a company whose Unix admin wrote down all the root passwords on the bottom of his keyboard wrist rest. Yes, he sucked.)

    The forced password changes really piss me off though, especially when combined with long memories of "previous passwords". I use secure, uncrackable passwords for most things, and particularly for work. But when I'm forced to change them every 30 days you can bet I'll run out of things that I can easily remember, especially since I have passwords for work, for home, for email, for websites, my ATM card(s), the company's alarm system, and so forth. Eventually I end up relying on wonderful passwords like "abcdef1" which may as well be an invitation to use my UID.

    It really is a catch-22 situation. I suppose SecurID and the like are the "best" solution, but they're nearly as unwieldy for the user as strong passwords. But at least they can't just be written down -- just lost or stolen.
  • by duffbeer703 ( 177751 ) on Wednesday May 22, 2002 @01:11PM (#3566767)
    The problem users are bonehead sysadmins who use their authority to bypass the password policy or just don't set secure passwords.

    I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".

    The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
  • by tapiwa ( 52055 ) on Wednesday May 22, 2002 @01:23PM (#3566854) Homepage
    OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.

    I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.

    I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.

    Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure... OK, I have oversimplified things a bit, but you get the point, right?

    Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.

    If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9 then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!

    A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc. (or better yet issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).

    Once users have a robust password, allow them to use it indefinitely!
    • by edp ( 171151 ) on Wednesday May 22, 2002 @02:45PM (#3567572) Homepage

      "I have never understood why people think that passwords suffer from wear and tear."

      Using a password does indeed weaken it. Every now and then, a user will accidentally type a password into a user name field, and that results in a log entry with the incorrect password in plaintext. Every now and then, some users will give their passwords to a coworker or relative to "borrow" their account. Some users will use the same password on multiple systems. When a cracker gets into a system, they are likely to record the password file and attack it, or to collect passwords via spoofing or whatnot.

      So, the longer a password has been in use, the higher the probability it has been compromised. The password suffers from wear and tear. Changing passwords refreshes them. A cracker that formerly had access to the system would have to start from scratch (especially if all passwords are changed simultaneously). Also, that cuts the coworker off from access to other employees' accounts. They might not have done anything with that access now, but, someday, maybe they'll be fired and would like to take some sort of revenge. Since you cut them off by a policy of regularly changing passwords, they can't do it that way.

  • by jregel ( 39009 ) on Wednesday May 22, 2002 @04:16PM (#3568284) Homepage
    We used to store our root passwords on printouts that the sysadmins kept in their top drawer - obviously not secure.

    The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that, when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged-in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.

    This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot log in through telnet (you need to log in using a second account to get a prompt to su), there is a BIOS password and LILO password and the box is physically secure in the server room.

    In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).

    It's working well for us and has been live for about three months now.
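The lookup "shell" described in this post, as an added example in C that is not jregel's program: the store layout /srv/pwstore/<machine>/<user>, the function names and the input rules are assumptions, and the group check is left entirely to the filesystem, so fopen() fails unless the caller's group may read the file.

```c
/* Added example, not jregel's code: a minimal restricted lookup shell for the
 * password server above. STORE and the name rules are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <termios.h>
#include <ctype.h>

#define STORE "/srv/pwstore"   /* assumed: one file per <machine>/<user> */

/* Only [A-Za-z0-9._-], no leading '.', so "../" can never escape the store. */
int safe_name(const char *s) {
    if (*s == '\0' || *s == '.' || strlen(s) > 64) return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("._-", *s)) return 0;
    return 1;
}
/* Read one line with echo off, so shoulder-surfers see nothing. */
static void read_hidden(const char *prompt, char *buf, size_t n) {
    struct termios old, raw;
    printf("%s", prompt); fflush(stdout);
    tcgetattr(STDIN_FILENO, &old); raw = old; raw.c_lflag &= ~ECHO;
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &raw);
    if (!fgets(buf, (int)n, stdin)) buf[0] = '\0';
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &old);
    buf[strcspn(buf, "\n")] = '\0'; putchar('\n');
}
/* Copy the stored entry into out; 0 on success, -1 if names are bad or unreadable. */
int lookup_credential(const char *base, const char *machine, const char *user,
                      char *out, size_t n) {
    char path[512];
    if (!safe_name(machine) || !safe_name(user)) return -1;
    snprintf(path, sizeof path, "%s/%s/%s", base, machine, user);
    FILE *f = fopen(path, "r");   /* EACCES here is the group-permission decision */
    if (!f) return -1;
    if (!fgets(out, (int)n, f)) out[0] = '\0';
    fclose(f);
    return 0;
}
int main(void) {
    char machine[65], user[65], secret[256];
    read_hidden("machine: ", machine, sizeof machine);
    read_hidden("username: ", user, sizeof user);
    if (lookup_credential(STORE, machine, user, secret, sizeof secret) != 0) {
        puts("no such entry or not permitted");  /* one message: no existence oracle */
        return 1;
    }
    printf("%s\n", secret); fflush(stdout);
    sleep(5);                                   /* show for 5 seconds ... */
    printf("\033[2J\033[H"); fflush(stdout);   /* ... then blank the screen */
    memset(secret, 0, sizeof secret);
    return 0;
}
```

Install it as the user's login shell on the password server; the store files should be mode 0640 and group-owned by the UNIX group that is allowed to see that machine.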
