Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
Very good analysis. (Score:5, Funny)
And in other news, "The Earth May Not Be Flat".
Re:Very good analysis. (Score:2, Interesting)
Re:Very good analysis. (Score:3, Funny)
Humans are the weakest link. Without them there would be no need for passwords.
Re:Very good analysis. (Score:3, Insightful)
Users are.
No matter how good a password is, it can be compromised *instantly* if someone can use social engineering to either get it from the owner (e.g., "Hey, I need your password to check if this works...") or get the Sysadmin to change it back (e.g., "I am thusandso and I forgot my password, could you reset it for me please? I need to get some work done this evening but cannot log on...").
It's like with home security and a lock on a door. A weak lock can be forced or may even be left unlocked, but even a set of high-quality dead-bolts can fail if someone on the inside opens the door to let the intruder in or decides to leave a set of keys under the mat.
Humans are the weakest link, not passwords.
The problem with forced passwords: (Score:2, Insightful)
The problem with strong passwords... (Score:3, Insightful)
Preferably on post-it notes and stuck to the keyboard or the screen.
I have seen it all.
Re:The problem with strong passwords... (Score:2, Funny)
But that's not always a problem. In some situations, where outsiders don't wander round offices, this can be a good technique. If the office is "secure", writing down passwords is fine. This can certainly be put to good effect in the home.
Post-its stuck to monitors might not be the best place to write them down, I grant you.
Re:The problem with strong passwords... (Score:5, Insightful)
Re:The problem with strong passwords... (Score:5, Interesting)
People may find a myriad of scannable codes on or near my desk at any given time. The trick is to know which one it is unless I carry it with me. Five attempts at a wrong password locks out the account. Due to the significant amount of digits, the IT department STILL has yet to crack my password using their cracking tools.
We're required (forced) to change our passwords at regular intervals. Since I've been scanning things, I have not found that an inconvenience.
Obvious (Score:5, Interesting)
Not necessarily (Score:3, Insightful)
Now "dictionary word" -> "easy to remember" -> "insecure" but that doesn't imply "insecure" -> "easy to remember". Far from it in my opinion.
EnkiduEOT
Re:Not necessarily (Score:2)
Re:Obvious (Score:2)
Cheers,
Slak
Re:Obvious (Score:4, Funny)
ekk4H$2drPr3Q,
Ltc4buX126w, and
7ydEX92aSz3UIo
for 90% of my passwords. Then all you have to do is not tell anyone about them. They're not hard to remember anymore, and it really wasn't that difficult to begin with. Sheesh, morons.
Re:Obvious (Score:4, Funny)
Re:Obvious (Score:3, Insightful)
Re:Obvious (Score:3, Interesting)
I tried to explain about the importance of selecting good passwords... and she agreed.
Several weeks later, she called me to ask for my help -- she needed to know how to "bypass" the password and get to her files. When I asked why, she said she'd taken my advice and selected a more difficult password this time around, and hadn't written it down on a post-it note. Instead, she'd saved it in a file so that she could always print it out when she needed it, but of course now she'd forgotten it because it wasn't something she'd normally remember, and without it, she couldn't get to her file...
The truth is that passwords are never going to work for most people. People only have the mental capital and patience to remember things that are important to them. But once you know someone, you know what is important to them, and pretty quickly you know their potential passwords. And of course, many humans find that the same things are important to them... so passwords as a group from anyone but computer professionals tend to be easy to guess.
Just bring out the fingerprint scans or retina scans, etc. and be done with it.
Re:Obvious (Score:4, Insightful)
So start with a random cvccvc (c=consonant v=vowel) combination. Yes, I know it's not quite as good as a fully random alpha combination (by a factor of 275625), but it's a lot easier to remember. Then add a punctuation character (especially a shifted one like !@#$%^&*() ) and you will get something like "kez#tul". That's a pretty decent password right there.
If you have a truly fascist password policy to satisfy, change a letter to a l33t5p33k digit, and maybe make one letter uppercase. In this case, the result could be "k3z#t00L".
If you come up with three or four cvccvc pseudo-words, you can even use them for various security levels. One for r00t passwords, one for "normal" passwords, and one for web passwords (like slashdot, etc.).
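The cvccvc scheme above, carried through as an added Python example (not code from the post or from the thread): pseudo-word generation with a CSPRNG, the punctuation insert between the syllables, the "stricter policy" tweak of one l33t digit plus one capital, and the keyspace a brute-forcer has to cover. The l33t substitution table and the fallback of appending a digit when no letter is substitutable are assumptions made for the example.

```python
import math
import random
import secrets

# Character classes behind the cvccvc scheme described in the post above.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"                       # 5 letters
SHIFTED_PUNCT = "!@#$%^&*()"           # the shifted digit row the post recommends
# l33t substitutions for the stricter-policy variant; this table is an
# assumption for the example, not something the post spells out.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

_SYSRNG = secrets.SystemRandom()       # CSPRNG; never use random.Random for real passwords


def seeded(seed):
    """Deterministic generator for tests/demos only (NOT for real passwords)."""
    return random.Random(seed)


def cvccvc(rng=_SYSRNG):
    """One pronounceable pseudo-word: each consonant/vowel slot drawn independently."""
    return "".join(rng.choice(CONSONANTS if slot == "c" else VOWELS) for slot in "cvccvc")


def with_punct(word, rng=_SYSRNG):
    """Insert one shifted punctuation character between the two syllables ("kez#tul")."""
    return word[:3] + rng.choice(SHIFTED_PUNCT) + word[3:]


def harden(pw, rng=_SYSRNG):
    """The post's tweak for stricter policies: one l33t digit plus one capital ("k3z#t00L")."""
    chars = list(pw)
    letters = [i for i, c in enumerate(chars) if c.isalpha()]
    leetable = [i for i in letters if chars[i] in LEET]
    if leetable:
        i = rng.choice(leetable)
        chars[i] = LEET[chars[i]]
        letters.remove(i)
    else:
        # No substitutable letter (e.g. only "u" vowels): append a digit instead (assumption).
        chars.append(str(rng.randrange(10)))
    j = rng.choice(letters)
    chars[j] = chars[j].upper()
    return "".join(chars)


def generate(strict=False, rng=_SYSRNG):
    """Plain "kez#tul"-style password, or the hardened "k3z#t00L"-style one."""
    pw = with_punct(cvccvc(rng), rng)
    return harden(pw, rng) if strict else pw


def keyspace(pattern="cvccvc", punct=True):
    """Number of distinct outputs the scheme can produce (what a brute-forcer must cover)."""
    n = 1
    for slot in pattern:
        n *= len(CONSONANTS) if slot == "c" else len(VOWELS)
    return n * len(SHIFTED_PUNCT) if punct else n


def entropy_bits(n):
    """Bits of entropy for n equiprobable outputs."""
    return math.log2(n)


if __name__ == "__main__":
    print(generate(), generate(strict=True))
    print("cvccvc words:", keyspace(punct=False), "vs six random letters:", 26 ** 6)
    print("with punctuation: %.1f bits" % entropy_bits(keyspace()))
```

Running `keyspace()` gives about 4.9 million pseudo-words, or 48.6 million (roughly 25.5 bits) once the punctuation character is added. That is comfortably beyond online guessing with a lockout, but an offline cracker that knows the pattern covers it in seconds on a stolen hash, which is why the post's idea of separate pseudo-words per trust level matters: a cracked web password must not be the r00t one.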
Re:Obvious (Score:5, Funny)
Not really. I once worked (as a contractor) with a prima donna / hot shot who thought he was the side the bread was buttered on (or something like that). Anyway, he left in a huff of wounded genius one day (someone had the audacity to challenge his expense report, IIRC). I had noticed a few months back that 1) his password was all numeric and 2) he typed it in a 3-2-4 pattern. After he was gone & everyone was in a panic because we were locked out of a few important things, I took it upon myself to look up his SSN in the payroll system.
After everyone was sufficiently worried about the fate of the company and all, I asked mildly "Mind if I take a stab at it?"
It worked the first time, and I deadpanned it like it was no big deal, with some Jeeves-ish quip about "the psychology of the individual" and tapped my forehead. It was quite fun.
-- MarkusQ
Re:Obvious (Score:3, Informative)
Doesn't matter. A black hat will ignore the sticky note and just use the default or backdoor [sans.org] BIOS password.
I've heard this before... (Score:3, Insightful)
Re:I've heard this before... (Score:2, Informative)
The fact that you need "x" access in order to get to the password file is no protection against the password file being stolen and cracked.
Re:I've heard this before... (Score:2)
However, hacked user passwords are useful if they give you user-level access to another system, since then you can use a non-remote root exploit to get root.
Baz
Re:I've heard this before... (Score:2)
just one problem (Score:2, Funny)
Sources: interviews and sticky notes on monitors
--
martin
Re:just one problem (Score:3, Funny)
It's probably their /. username...
Re:just one problem (Score:3, Funny)
Microsoft password files... (Score:5, Interesting)
Netware makes us change... (Score:3, Funny)
Re:Netware makes us change... (Score:3, Funny)
You must not be Catholic. >;-)
Not a problem. (Score:2)
However not everything is rosy. It's a pain to remember to bring a mirror with me all the time and reading mirrored letters can cause eye strain.
Re:Not a problem. (Score:2)
(sigh)
Ask a stupid question (Score:2)
IBM for one. Sure it's a pain keeping track of them all, but weak minds are no excuse for lack of security.
Two things you might want to do: (Score:2, Interesting)
2. Write it down on a card, and put it in your wallet. Treat it like your credit card number - you wouldn't post that on your monitor, would you?
Re:Two things you might want to do: (Score:2)
If I steal your password out of your wallet, I can copy it down, go to a terminal on some other side of the building, log in, be a little sneaky, cause trouble.
The difference is that if you lose a credit card, you will know relatively quickly. There is a better audit trail behind the cc as well. If someone ganks your password, you might be lucky to find out before the pressure drops.
Re:Two things you might want to do: (Score:2)
people dont care (Score:5, Interesting)
So customers don't care. Then some kid tries their URL as the password or whatever and gets in. And the site goes down. The customer calls in and we tell them what the deal is. Restore the website, and suggest they choose a stronger password this time around. *sigh*
But it doesn't matter. It's not one of those "change the settings" things. As long as people can pick their passwords, passwords are going to suck, and people will gain access they don't deserve. Period. Always, Always, Always.
Here's the problem with that: (Score:5, Interesting)
The problem with password policy enforcement is that users want weak passwords. Ordinarily this is no problem, since security often trumps user needs.
However, since we're a service based organization, our salaries and bonuses are based on user satisfaction of our performance. Guess what our number one gripe is? You bet. Password enforcement. Our enforcement of the "Strong passwords only" policy has helped us be secure, but it's also eating into our employee bonuses because the users mark us off for it.
It seems like we're caught between a rock and a hard place here, but since our customers are all senior civil servants, what're we to do? The more we enforce strong passwords, the closer they'll get to looking for someone who won't be so picky.
Re:Here's the problem with that: (Score:5, Interesting)
I wonder if holding something like a "password cracker demo meeting" would help. Set up a test machine, let everyone enter a password of their choice, then run crack or similar on the password file. Let people watch as the program guesses their passwords and spits them out. Maybe give a prize to the best/worst passwords. It might get people to understand the problem and help them become more interested in solving it.
Re:Here's the problem with that: (Score:4, Interesting)
This system seemed to work well because users could see an actual threat. Also, since everything was handled via script, there was no one tangible to blame other than the user with the bad password.
Re:Here's the problem with that: (Score:3, Insightful)
Re:Here's the problem with that: (Score:2, Insightful)
Security (for your users, or at least me) is one aspect of an overall goal: getting our jobs done. If someone hacks into my system and trashes all of my files, that will take time and energy away from other work. If I have to unlock the safe under my desk, pull out the notebook containing 16-character one-time passwords and punch one in every time I want to check my e-mail, that also will take time and energy from other work.
Remember always to balance the security you use with the value of the secured valuables. For a health-services company the value of the information is (perhaps) much higher than for your average "senior civil servant".
Also, don't put 15 deadbolts on the (virtual) front door while leaving the (virtual) window next to it wide open. I would guess that a lot of organizations have lost more proprietary information by viruses attaching documents to outgoing e-mails than by crackers breaking in.
What to do? (Score:2, Interesting)
In my view, the real problem lies in the number of web sites which require (free) log in. Say you use 20 services and that they all require logins. Are the punters supposed to remember 20 different name/password combinations? No, they'll often reuse. And what is to stop billg/msft1234 who has logged in at both slashdot and the New York Times being compromised by CmdrTaco to read the NYT for even freer? I personally re-use passwords for sites where there is no risk involved, elsewhere I often create throw-away passwords which I'm happy to have in a cookie but forget before I'm ever asked to use them again (and thus create a new account).
Re:Here's the problem with that: (Score:3, Insightful)
Is your firm being paid any less due to customer dissatisfaction?
If the answer is no, then you are being abused by your management. They should throw out strong password complaints when evaluating customer satisfaction.
Surely the civil service organization has a policy about the use of strong passwords. I believe all Federal organizations have such a policy, if this is state or local, maybe not, I guess. Not insisting on implementation of policy would possibly be a cause of legal action against your company should there be problems.
I suspect this is a convenient way for your company to hold on to your bonuses.
Password are not the weakest link (Score:3, Insightful)
Making complex passwords should be an IQ test (Score:2, Interesting)
Our heuristic was simple (to me): include one character from each of the following subsets of characters; UPPERCASE, lowercase and Numbers, minimum of 8 digits.
I must have spent at least 10 minutes with most people helping them choose passwords that fit the criteria. The worst ones of course were the executives, one made me sit with them for over a half an hour while they figured it out.
Luckily it was a small company of 40 people or so, I might have gone crazy.
What they don't tell you: (Score:3, Interesting)
People do not understand how computers work. If they do not understand how computers work they cannot understand how computer security works. If they do not understand how computer security works, they will likely never ever understand the gravity of a password no matter how much it's explained to them.
To users a password is an annoyance. And they are trained to not be secure with their identities. How many people just give out their SSN? Something that is a definitive source of identity, and allows access to tons of things: bank accounts, medical info, home addy. People will just give this to pretty much any customer service Joe.
Why shouldn't they do the same with a password?
Mandatory Password changes (Score:2)
Mine did. Every 3 months our payroll server refused to let us in if we didn't send in a new Password, then and there. Same thing with the filesharing/print server. The cool thing is, they were staggered so that you'd have to change one of your passwords every six weeks or so. Kept it regular, kept it part of routine.
Triv
Consistent Password Policies? (Score:2)
Re:Consistent Password Policies? (Score:2)
They enforce good (i.e. hard to remember) passwords by refusing to let you set one that isn't good. On the other hand they have a system that actually synchronises all of the different domains to be the same password. I currently only have one system out of maybe 8 that has a different password. That way you use it all the time, so after a few days you have it down.
However because the passwords are good in the first place, you don't have to change them quite so often (I think 90 days).
Expiring Passwords (Score:2, Insightful)
Yah! Stick it to the users! (Score:4, Insightful)
Give a look at any paper by Sasse, Brostoff and Adams, such as this one [mdx.ac.uk], and then re-think your sysadmin I-never-change-my-dictionary-password-but-I-force
The answer is not to forget the human aspect. Find a better way to help users generate better passwords, through education and assistance, not automated password rules, and forced password expiry.
memorable machine-generated passwords? (Score:2)
This [cmu.edu] implementation of S/KEY includes a scheme for making machine-generated passwords that are supposed to be memorable by humans. Does anyone have any experience with such a system, as used in real life?
Just because there's a tradeoff between ease of use and security, that doesn't mean that you can't sometimes improve both; most real-life systems are probably not optimal in either way.
To give an example of a really retarded password system that's completely nonoptimal, I teach at a school where the faculty turn in their grades on a computer. Security is obviously an issue. The password policy is that your password must consist only of digits, at least six of them. Now this certainly will stop people from choosing "password" or "rover" or "aaa" as their password, but they'll probably end up using their birthdays, or writing their passwords on a post-it, because they can't remember a string of digits. And of course the idea of restricting it to a character set of only 10 digits is pathetic -- it just reduces entropy. (The people who wrote the software are so clueless, they even set up the default configuration so that you have to type in your password twice in order to log in -- I guess that was meant to increase security! It took a few months for the school's admins to change that.)
Just a quick heads-up... (Score:3, Insightful)
If you have a small company with, say, fifty people, and you educate and assist all fifty of those people, a significant fraction will still say "there's no way my account would be cracked" and set their password to "PASSWORD" or somesuch.
The fact is, you do need to force users to enter cryptic passwords, or there will always be lazy, irresponsible types who just don't do it.
Yeah...yeah (Score:2)
Shadow passwords (Score:2)
THIS is what you get when you hire people with lots of experience and not fresh graduates. The more modern security measures that are taught in University in NetSecurity 101 such as using shadowed password files instead of using /etc/passwd for everything simply get "lost in the woodwork".
Therefore by hiring only EXPERIENCED people these old security threats remain until these EXPERIENCED people retire.
Re:Shadow passwords (Score:2)
Talking to yourself is the first sign of going nuts. Heh
Re:Shadow passwords (Score:2)
Re:Shadow passwords (Score:2, Insightful)
Actually, truth be told they are over dramatising somewhat : Whilst (tribute to the other reply
Re:Shadow passwords (Score:3, Informative)
Mine does...sorta. (Score:2)
The problem isn't just forcing "strong passwords" onto the end users, but making sure that end users understand the reasoning behind it. Making someone use complex password formulas is useless when a large number of the users are going to use something that can still be easily guessed that conforms to the formula.
Re:Mine does...sorta. (Score:2)
Use RSA keys and SSH/SSL whenever possible (Score:2)
MIIBuwIBAAKBgQCvUCC9yWCa83yU3Ebjc5su9pFCoENwPEu
J9Q4Or2FqIK9zd/VDvTsbW875/pKe13BN
vHz4JGz6HRSNWyW0KweCNN6oNAiICks87
RJxmFVhZ5gF4/Pt1GHkFSAyHAoGBAJ/7p
VkcsSYMizrbP9O4Gwtt30MdWqUxY21NFA
7RWmzF4P+xN8zZABbHXlv01uDGZvnmK9W
elSArUMLAoGAO4cO0FqefRT6VshGt4T3v
7hBy56BNWMuP7Z/ixROhxv59gCJTsKEFt
Gk8LxtdRBPgpoK0BwmEQhZEAL5pfemW94
BQG08IhGGotd8mBIfO4s
no, of course that is not my private key. But it proves a point. Don't rely on false randomness to enforce security. Do it the right way.
While you're at it, read Schneier's book(s) and subscribe to Crypto-Gram. I force-feed it to my network users every time it comes out...
Password expiration -- Bad (Score:2)
That's no surprise (Score:3, Insightful)
Mother's maiden name is too obvious. But what about just any random name, or maybe a confirmation name (if you're Catholic)? For example, my confirmation name is Anthony. Here's what we do. We reverse the characters, and it becomes ynohtna. Let's remove the vowels. We get ynhtn. Screw around with case. Make it YnHtN. Then throw some easy to remember chain of numbers in there. For example, the last 4 digits of your phone number (0799 for me.) So it becomes Y0n7H9t9N - a password that would take weeks to brute-force, and can be remembered fairly easily with a bit of practice.
Also consider biometrics. But the problem with biometric input devices is if your password is cracked, you can't really change it...
I've rigged up a
But hey, if you have your password set to PASSWORD, let me tell you, you're asking for it.
-Evan
wow...this is really OLD (Score:2)
Strong Passwords (Score:2)
I got the policy signed off on by the board, then I wrote a memo that explained the policy and showed how it is easy to come up with and remember good passwords (through the phrase --> password method, for example).
So far, it's worked out well. There was some grumbling at first, but once people came up with their first passwords, they realized how easy it was and it didn't bother them any more.
-Joe
I've been saying this for years! (Score:2)
ttyl
Farrell
Complex Passwords... (Score:2)
However, with Oracle versions 8.1+, there is a bug with the supplied verify function that rejects nearly ALL passwords supplied, even passwords that are completely random strings (such as g8kLK58sS). Anything used in the "ALTER USER [NAME] IDENTIFIED BY [PASS]" will fail, and we users are getting a bit angry that we've lost the ability to change our own passwords.
What this has resulted in is an abundance of ORA-28003: password verification for the specified password failed messages. This is the default error message when your password is not complex enough. Note that by default, Oracle passwords are NOT case sensitive.
Draconian Password Policies Are Not The Answer (Score:3, Interesting)
You need to have a password policy that encourages better passwords without requiring a specific password makeup.
If I encounter a system where my password must include mixed case and digits and punctuation, I'm going to make up a random string, and then have to write it down.
Some Unices I've encountered had a passwd(1) that would NOT allow you to enter a "bad" password, while others would nag you gently depending on how "bad" it was, but would eventually relent and let you set your password to "flower" if that's what you REALLLY wanted.
The REAL answer is not "password" but "pass phrase" where the text can be lengthy and meaningful to none but the user.
Furthermore Opie [inner.net] is a neat project to avoid keyboard snooping.
Passphrase, passphrase, passphrase. (Score:2)
Phrases can have lots of entropy, and still be easier to remember than the equivalent entropy in 8 chars.
Enforcing policies that make people choose random passwords just leads to people writing them down on postits stuck to their monitor. Just make sure it has a couple of spaces in it and has a decent length, like more than 10 chars. If your system is still enforcing an 8 char limit, trash it, it sucks.
l0pht for MS networks (Score:2)
There are other free programs out there (I forget the names) that generate nice reports based on l0pht findings. You can, for example, say that 80% of the users have passwords the same as their user names, 50% have passwords with one special character in it, etc.
Perhaps CxOs should visit sites like Astalavista.com [astalavista.com]. They'd then see how easy it is for a cracker to compromise your network!
All Microsoft Would Need To Have Done.. (Score:2)
All Microsoft would need to have done is buy out Verisign before the anti-trust actions and before Verisign became a monster.
New Authentication Schemes? (Score:2)
Think about the difficulty in authenticating hacking if the all usernames were completely unknown or never declared. I could tell you there are 4 users on "login.supervaluable.com" all of which the passwords are "easy12remember". Unfortunately if you never figure out what the names of those 4 accounts are the passwords are worthless. However if you have a list of the 4 account names but don't know the passwords you have at least a place to start your intrusion.
So just as much as easy to guess passwords are a problem I stipulate that easy to guess usernames are too. Does this mean the username/password scheme needs to be rethought? Anyone have alternative authentication schemes that requires minimal "declaring" of any information?
Obvious password detector (Score:2)
Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.
Single sign-on : the big lie! (Score:2, Insightful)
NT scores here (Score:3, Insightful)
But this is definitely one of the few areas where NT/2K still scores over (most) Unices (as far as I know, please cluestick me if I'm wrong...) , namely it's trivially easy to enforce finely grained password policies. On NT, it's a case of find the dialog, check the options you want to apply , enter some numbers (length to time to remember old passwords and reject them, how often to force changes), minimum length, whether to force uppercase/ digits / alpha-numericals etc. I've been using Linux, BSD and Solaris for three years professionally, and tinkering at home for several years before that, and I frankly wouldn't know where to start to enforce password policies. (Well, OK, I'd use Google, the LDP, how-tos etc, but you see my point.)
That said, I just installed Mandrake 8.3 out of curiosity to see what a Windows-friendly distro looks like, and I'm VERY impressed. Bob Young is wrong - IMHO - I think Linux
Re:NT scores here (Score:2)
I think just about any linux and solaris system will come with PAM these days, and one of those libraries lets you configure these requirements.
Re:NT scores here (Score:3, Informative)
as someone else stated, PAM does this. More specifically, it's the cracklib PAM module, here's an intro http://linux.oreillynet.com/pub/a/linux/2001/10/05 / amModules.html [oreillynet.com].
NT has actually the same type of deal. The dll that does the password check is just a generic password filter provided by MS, you can replace it with your own. I wrote an NT password filter that catches the username and password of a user whenever they change their password and sends it to an external program registered in the registry. Use it to keep Win2K and OpenLDAP server passwords in sync, http://acctsync.sf.net [sf.net] but the external program could obviously be anything.
As usual, it's just that windows has a pretty GUI ( which should not be discounted btw. )
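What the PAM side of this looks like in practice, as an added example that is not from the thread or from the O'Reilly article linked above: a password stack using pam_pwquality, the maintained successor of the pam_cracklib module the reply names (pam_cracklib accepts the same options). Paths, module order and the values are assumptions for a Debian-style layout; adjust to the distribution in front of you.

```text
# /etc/pam.d/common-password   (Debian-style stack; modules run top to bottom)
#
# minclass=2 says "any two of upper/lower/digit/other", i.e. a word plus one
# capital OR one digit satisfies the class rule; length is checked by minlen.
# Demanding specific classes is what breeds "Capitalword1" everywhere:
#   ucredit=-1 dcredit=-1     (at least one upper AND at least one digit)
# difok=3 rejects a new password that differs from the old one by < 3 characters,
# dictcheck=1 runs the cracklib dictionary test, enforce_for_root stops root
# from overriding the policy at the prompt.
password  requisite  pam_pwquality.so retry=3 minlen=10 minclass=2 difok=3 dictcheck=1 enforce_for_root

# "cannot be any of your previous five passwords"
password  required   pam_pwhistory.so remember=5 use_authtok

# sha512-crypt hashes stored in /etc/shadow, never in world-readable /etc/passwd
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512
password  requisite  pam_deny.so
password  required   pam_permit.so
```

Expiry is not a PAM setting: `PASS_MAX_DAYS 90` in /etc/login.defs applies to newly created accounts, and `chage -M 90 <user>` sets it on existing ones. On older stacks the history check was `remember=5` on the pam_unix line instead of a separate pam_pwhistory entry; the effect is the same.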
Obvious (Score:2)
The story is rather obvious, everyone knows the human factor is always the weakest link, and that includes passwords people pick.
On a side note, password policies can sometimes do more harm than good. Our company enforces password changing and password strength rules for NT logins. We change passwords once a month, and the requirements read "At least 6 characters, must contain capitals, numerals, or punctuation, cannot be any of your previous five passwords, cannot be based on username"...
Well, someone goofed in the logic of the password ruleset. As it turns out, it requires the use of both capitals *and* numerals. They've actually managed to limit the number of possible passwords... as the majority of the passwords at this company now start with a capital letter and end with a numeral (most often "1"). Since they have to change passwords once a month, most employees either write them down or pick very easy ones.
Password FILE maybe? (Score:2)
Without that - you're looking at brute force. So, start guessing at usernames, and start guessing at passwords for those users. And since the Unix login slows down the more you attempt to get in, well, it's pretty damn hard.
Windows - on the other hand - is no issue, they lock accounts after a couple failed logon attempts. Microsoft knows how to implement tight security controls.
Ooops! (Score:2)
That <grin> didn't show up very well!!! Should have previewed my message. Hah.
Mandatory Password Changes... (Score:2)
And yet, we've been hacked a few times. How's that possible, you ask? Well, the same IT folks have set up a network that uses plaintext passwords for everything, unless you know how to properly tunnel things.
The draconian password policy has created other difficulties. A few employees have a set list of five passwords that they rotate; one has his written on the calendar. Many of us have password lists under our keyboards, which in an open floor is about as secure as...well, it isn't secure. Finally, the majority of the passwords follow a simple theme: capitalize the first letter, add a numeral to the end. A dictionary attack for that would take what, five minutes?
Rapidly changing passwords are a hassle for everyone but the paranoid, and that makes them insecure based solely on inconvenience. Want a nice, secure password? Change it once every six months (with a reset any time you suspect network funny business) and generate it yourself. Anybody can memorize any password given enough time -- and forcing the change only results in easier to crack passwords.
A good system (Score:2, Interesting)
They constantly run the best available password cracking program and when a user's password is cracked, he gets either a warning or an account lockout right away, depending on how long it takes to crack. No other restrictions were applied.
Weak password (Score:2, Interesting)
People think a phrase (a statement) with 4-6 words and get the first (or latter, as you wish) chars off the words.
For example:
phrase: my linux box is equipped with an athlon 850
Using the first 1 char, you get:
mlbiewaa8
which is a "strong" password but easy to remember.
My 2 cents.
mandatory changing of passwords does not work (Score:2)
Has anyone written a cracking program to take advantage of this? Instead of having to decode the entire password, you merely look for transformations that result in the beginning or end of the password translating to a string resulting in a mnemonic for the current month/year.
To whom is this news? (Score:2)
The truth is that passwords are not a good security tool for all the reasons you would expect. The basic one is that memorable passwords are generally easily cracked passwords.
I use tricks like passphrases where I take the third letter of each word, mix case, and numbers for certain letters, etc. Even with those tricks, the password is still fairly easily attacked (the frequency of letters in the English language is hardly random).
IMHO the best solution is to combine authentication methods. Use a token system like SecureID combined with a password. Better yet, use password, token, and biometrics.
If you have to use passwords and only passwords, run the attacks yourself and lock accounts you can crack. If you don't run them, someone else will.
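The "run the attacks yourself and lock what you can crack" advice above, the cracker-demo meeting suggested earlier in the thread, the "capitalize the first letter, add a numeral" and month/year mnemonic patterns other posters describe, and the question of whether a cracked password still satisfies the one-upper-one-lower-one-digit, eight-character heuristic, combined into one added Python example. It is not code from the thread, from Neohapsis or from John the Ripper: the salted-sha256 hash scheme, the six accounts, the tiny wordlist, the tiering of guesses into "lock" and "warn" and the 2002 audit year are all constructed for the example. A real audit feeds the real /etc/shadow, SAM or LDAP hashes to John or l0phtcrack instead of re-implementing the hash.

```python
import hashlib
import re


# Toy hash for the worked example: sha256(salt || password) as hex. Constructed so
# the example runs offline; real shadow/NT hashes differ and John handles them.
def toy_hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, password, salt):
    return f"{user}:{salt}${toy_hash(salt, password)}"


# Constructed sample "password file": names, salts and passwords are all assumptions.
SAMPLE_FILE = "\n".join([
    make_entry("jsmith",  "jsmith",    "a1"),  # password == username
    make_entry("kwong",   "Welcome1",  "b2"),  # word, capitalised, trailing 1 (meets policy)
    make_entry("rpatel",  "Summer02",  "c3"),  # season + year mnemonic (meets policy)
    make_entry("ltorres", "k3z#t00L",  "d4"),  # pronounceable pseudo-word + punctuation
    make_entry("mgarcia", "password",  "e5"),  # plain dictionary word
    make_entry("cto",     "mlbiewaa8", "f6"),  # first letters of a phrase
])

# Tiny constructed wordlist; John's default list is a few thousand times longer.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "flower", "dragon"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]


def period_words(year):
    """Month/season + year stems that 90-day rotation policies breed (e.g. summer02)."""
    yy = f"{year % 100:02d}"
    for base in MONTHS + [m[:3] for m in MONTHS] + SEASONS:
        yield base + yy
        yield base + str(year)


def mangle(word):
    """Yield (candidate, tier): tier 0 = the bare word, tier 1 = cheap mangling rules."""
    yield word, 0
    yield word.capitalize(), 1
    for d in "0123456789":
        yield word + d, 1
        yield word.capitalize() + d, 1


def candidates(user, year):
    """Guess order: username-derived first, then the wordlist, then dated stems."""
    yield user, 0
    yield user[::-1], 0
    for w in WORDLIST:
        yield from mangle(w)
    for w in period_words(year):
        yield from mangle(w)


def parse(text):
    """user:salt$digest lines -> [(user, salt, digest)]."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        entries.append((user, salt, digest))
    return entries


def audit(text, year):
    """Return {user: (password, tier)} for every account a guess matched."""
    cracked = {}
    for user, salt, digest in parse(text):
        for guess, tier in candidates(user, year):
            if toy_hash(salt, guess) == digest:
                cracked[user] = (guess, tier)
                break
    return cracked


# The "IQ test" heuristic from the thread: upper + lower + digit, minimum eight characters.
POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).{8,}$")


def passes_policy(pw):
    return bool(POLICY.match(pw))


def action(tier):
    """Tier 0 guesses are instant, so lock; tier 1 needed mangling, so warn first."""
    return "lock" if tier == 0 else "warn"


def report(text, year=2002):
    """Rows of (user, password, action, passed_policy), sorted by user."""
    return [(u, pw, action(t), passes_policy(pw))
            for u, (pw, t) in sorted(audit(text, year).items())]


if __name__ == "__main__":
    for row in report(SAMPLE_FILE):
        print("%-8s %-10s %-5s policy_ok=%s" % row)
```

Two of the four cracked passwords in the sample ("Welcome1", "Summer02") satisfy the complexity heuristic, which is the point several posters make: the policy filters "flower" but happily accepts the mangled form a cracker tries next. The surviving two are the pseudo-word and the phrase-derived password, both of which no cheap rule reaches.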
Necessary Strength is Relative (Score:5, Insightful)
Depending on who you are, and what context you're in, the answers could be totally different. And depending on that context, the strength of your password may matter a lot, or not at all.
If you're just some schmoe in marketing, with no access to change anything on your personal system, no access to anything on the company network except to alter files in a personal directory on one server, your company's network does not allow remote access, and your building requires a card to get inside and another one to get up the elevator, then the importance of you choosing a strong password is relatively small.
Making people choose strong passwords is a computer-based version of a traditional risk-reward scenario. Users are going to hate keeping track of multiple passwords, with mixed case, numbers, special characters, and then throwing it all away and remembering a new one every 60 days. The reward of doing it has to outweigh that risk. Unfortunately I haven't gotten the feeling that either this article or many of the people here take into account the relative nature of computer security.
One of the key questions that need to be asked before a password policy is defined and implemented is what are we securing and how valuable is it? How devastating would it be if people got access to it, and how would one go about getting that access? In most of the cases that people have mentioned, the items being secured are potentially not that critical/confidential/valuable and therefore the importance of a strong password is significantly diminished.
Similarly, writing down passwords is more or less of a problem depending on where your threats are coming from, and what that password secures. I am not worried that the root password to my Linux box at home is written down and taped to the box itself. Or even that it says "Root Password" right above it. It's securely formatted and difficult to guess, there's not a whole lot of important/critical info on the machine, and my main threat is coming from a random person on the network outside, not from someone specifically targeting me and breaking into my room to read the paper taped to my machine.
Memorizing multiple truly secure passwords on a rotating basis is a pain in the ass. Before you force everyone on your network to do it, sit down for a second, think about how your systems and permissions are set up, and make sure that that pain is truly necessary. If it is, you will have a solid, business-based reason why, and will easily be able to explain and convince others of your position. But implementing it because it's what someone told you is the "right" way to secure a system is lazy, and because people won't see the value, they'll shortcut it anyway.
Indirectly important access (Score:3, Insightful)
It's very difficult to answer the question " what are we securing and how valuable is it?" for a number of reasons. To do that, you need to define what it is you're afraid of losing and how much of it you might lose from a particular attack. Both are very difficult questions, and are often gotten wrong.
Looking at the first, people often underestimate the risk from a security compromise because they're only thinking about the confidentiality (secrecy) of their data. At least as important to consider are integrity and availability, that is, whether the system and data remain correct and usable. There are lots of things that don't really need to be confidential, but do need to be right. Picture building design specs, for example. They're not secret at all - most of them will become matters of public record - so it doesn't really matter if they get stolen. God help you, though, if they get altered and you don't find out until halfway through construction.
Supposing you can somehow estimate the total VAR (Value At Risk) of your information systems, it's still nigh impossible to figure out what portion of that would be endangered by any particular attack. An apparently minor attack can easily be a stepping stone to a much more serious one. Parlaying limited access - whether acquired legitimately or otherwise - into greater power is generally called privilege escalation, and it's a common component of attacks. The "root kit" is a classic example of this. A root kit won't get you onto a system, but if you can get unprivileged access some other way, the kit will then get you root.
You can't assume that the security of a given account is unimportant just because that person hasn't been granted access to anything sensitive. There's always the possibility that a user has, or could get, access to things way beyond what was intended. Consider your marketing schmoe whose password security you claim is relatively unimportant. It's entirely possible (even likely) that the network which "does not allow remote access" does indeed have a gap somewhere. And if it does, someone could telnet in, log in as Mr. (or Ms.) Schmoe, and escalate to root on their one server. At this point, the attacker can probably compromise the username and password of any other user on that server, one of whom may have access to something that does really matter.
This is just a hypothetical story, but it illustrates a very important point about computer security: a series of weaknesses, any one of which would be unimportant as long as everything else worked as intended, can often be strung together into a successful attack.
As you said, security policies should be based on a rational economic evaluation of what's at risk and how much it would cost to mitigate that risk. The problem is that it can be difficult indeed to assess how much risk hinges on a given decision, so it's usually wise to be more conservative than you think you need to be.
zzzzzzzz (Score:5, Insightful)
Easy-to-remember passwords -> crackable.
Heard it all before. Only thing that really works is SecurID, imho.
As a Security Admin all I can say is..... (Score:5, Informative)
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH [bofh.net] so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own system's passwords.
You can use John the Ripper [openwall.com] for Unix passwords OR l0pht crack [atstake.com] for Windows systems.
Nothing disturbs an end user more than when you email them their old password (you have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd [utexas.edu] to enforce difficult passwords.
The most important factor is to get management buy-in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars..)
Once I had management buy-in it was smooth sailing. Just hold their hand for a while.
Another opinion.... (Score:2)
In this day and age, it's usually easy to add SSH/IPSec gateways to everything, and filtering all unknown IP addresses helps as well - I use these to augment any system that is brain-dead enough to transmit passwords in the clear.
Quite often, password rotation causes passwords to be transmitted in the clear - over help-desk phone lines, in unsecured Palm devices and on sticky notes.
Food for thought - and yes, I do know it's against your MCSE training.
Passwords cannot work. Why do we still use them? (Score:3, Insightful)
Forcing "strong" passwords (Score:3, Insightful)
The forced password changes really piss me off though, especially when combined with long memories of "previous passwords". I use secure, uncrackable passwords for most things, and particularly for work. But when I'm forced to change them every 30 days you can bet I'll run out of things that I can easily remember, especially since I have passwords for work, for home, for email, for websites, my ATM card(s), the company's alarm system, and so forth. Eventually I end up relying on wonderful passwords like "abcdef1" which may as well be an invitation to use my UID.
It really is a catch-22 situation. I suppose SecureID and the like are the "best" solution, but they're nearly as unwieldy for the user as strong passwords. But at least they can't just be written down -- just lost or stolen.
Who cares about regular user passwords. (Score:3, Informative)
I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".
The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
one password for life (Score:5, Informative)
I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.
I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.
Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure.
Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.
If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9, then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!
A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc. (or better yet issue passwords). At the same time, run a basic brute-force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).
Once users have a robust password, allow them to use it indefinitely!
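The npasswd-style rule set the Security Admin post recommends (length, mixed classes, no dictionary words, no user-name derivation, no reuse) and the "set rules on numerics, caps, etc." policy above can be checked at password-change time rather than by cracking afterwards. This is an added example, not npasswd or code from either poster; the word list, the minimum length and the class count are assumptions chosen for the demo, and `from_phrase` implements the "first letters of a phrase" trick mentioned earlier in the thread.

```python
import re
import string

# Constructed mini word list standing in for the dictionary a cracker tries first;
# a real deployment loads a full dictionary file instead.
COMMON_WORDS = {"password", "secret", "welcome", "oracle", "john", "luke", "mark", "peter"}
# Substitutions crackers undo routinely, so "p4ssw0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 8    # assumed policy values
MIN_CLASSES = 3   # out of lowercase, uppercase, digit, punctuation


def character_classes(pw):
    """Count how many of the four character classes the candidate mixes."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(test(c) for c in pw) for test in tests)


def letters_only(s):
    """Lower-case letters of a string, with digits and punctuation stripped."""
    return re.sub(r"[^a-z]", "", s.lower())


def check_password(pw, username, history=()):
    """Return the policy rules a candidate violates; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(pw) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    # Compare the bare word both before and after undoing leetspeak, so that
    # "Peter123" and "p4ssw0rd!" are both caught despite their decoration.
    normalized = pw.lower().translate(LEET)
    if {letters_only(pw), letters_only(normalized)} & COMMON_WORDS:
        problems.append("dictionary word with digit/leet decoration")
    if username and username.lower() in letters_only(pw):
        problems.append("derived from the user name")
    if pw in history:
        problems.append("reuses a previous password")
    return problems


def from_phrase(phrase):
    """First character of each word, number and punctuation mark in a phrase."""
    tokens = re.findall(r"[A-Za-z]+|\d+|[^\sA-Za-z\d]", phrase)
    return "".join(t[0] for t in tokens)


if __name__ == "__main__":
    candidate = from_phrase("My 2 dogs eat 4 bowls of food, daily!")   # -> M2de4bof,d!
    print(candidate, check_password(candidate, "jsmith") or "accepted")
    print("p4ssw0rd!", check_password("p4ssw0rd!", "jsmith"))
```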
Re:one password for life (Score:4, Informative)
"I have never understood why people think that passwords suffer from wear and tear."
Using a password does indeed weaken it. Every now and then, a user will accidentally type a password into a user name field, and that results in a log entry with the incorrect password in plaintext. Every now and then, some users will give their passwords to a coworker or relative to "borrow" their account. Some users will use the same password on multiple systems. When a cracker gets into a system, they are likely to record the password file and attack it, or to collect passwords via spoofing or whatnot.
So, the longer a password has been in use, the higher the probability it has been compromised. The password suffers from wear and tear. Changing passwords refreshes them. A cracker that formerly had access to the system would have to start from scratch (especially if all passwords are changed simultaneously). Also, that cuts the coworker off from access to other employees' accounts. They might not have done anything with that access now, but, someday, maybe they'll be fired and would like to take some sort of revenge. Since you cut them off by a policy of regularly changing passwords, they can't do it that way.
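The "password typed into the user name field" leak described above is detectable from the logs themselves: a failed login for a non-existent user whose name is long and mixes character classes, followed shortly by a successful login from the same source address, tells you whose password now sits in plaintext in the log. This is an added example, not code from the poster; the host names, accounts and log lines are constructed (in the wording OpenSSH uses for these two events), and the 120-second pairing window is an assumption.

```python
import re
import string
from datetime import datetime

KNOWN_USERS = {"root", "jsmith", "mjones"}   # constructed account list
# Only the two event kinds this check needs; other syslog lines are ignored.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Accepted password for (\S+) from (\S+)")


def syslog_time(stamp):
    month, day, clock = stamp.split()
    return datetime.strptime("%s %s %s" % (month, day, clock), "%b %d %H:%M:%S")


def looks_like_secret(s):
    """Unknown 'user names' that are long and mix three classes are probably passwords."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return len(s) >= 8 and sum(any(t(c) for c in s) for t in tests) >= 3


def find_leaked_passwords(lines, window_seconds=120):
    """Pair a secret-looking 'invalid user' failure with the next successful login
    from the same source; that account's password should be rotated and the line scrubbed."""
    pending = {}   # source address -> (time of failure, length of leaked string)
    findings = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp, name, source = m.groups()
            if name not in KNOWN_USERS and looks_like_secret(name):
                pending[source] = (syslog_time(stamp), len(name))  # never copy the secret itself
            continue
        m = ACCEPTED.match(line)
        if m and m.group(3) in pending:
            stamp, user, source = m.groups()
            failed_at, leaked_len = pending.pop(source)
            if (syslog_time(stamp) - failed_at).total_seconds() <= window_seconds:
                findings.append({"account": user, "source": source, "leaked_length": leaked_len,
                                 "action": "force password change; scrub the log line"})
    return findings


SAMPLE_LOG = """\
Jan 12 09:14:02 bastion sshd[4411]: Failed password for invalid user Tr0ub4dor&3 from 10.0.0.5 port 5021 ssh2
Jan 12 09:14:09 bastion sshd[4413]: Accepted password for jsmith from 10.0.0.5 port 5022 ssh2
Jan 12 09:20:45 bastion sshd[4420]: Failed password for invalid user admin from 10.0.0.9 port 6100 ssh2
Jan 12 09:21:03 bastion sshd[4422]: Accepted password for mjones from 10.0.0.9 port 6101 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in find_leaked_passwords(SAMPLE_LOG):
        print(finding)   # flags jsmith from 10.0.0.5; the plain "admin" guess is not a leak
```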
Use a password server (Score:3, Informative)
The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.
This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot log in through telnet (you need to log in using a second account to get a prompt to su), there is a BIOS password and LILO password, and the box is physically secure in the server room.
In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).
It's working well for us and has been live for about three months now.
Re:Passwords will always be the weakest link (Score:2)
That way when (not if) an account is breached you can track what's been done, damage has been limited, and user privileges are where the buck stopped. Of course root needs to be locked up like a bull in a china shop. Make sure you're patched up. When you need high security like in the military you need to uhhh, not gonna finish this sentence I'm hungry gonna click submit and eat now