Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Password Security Panned 387

museumpeace writes "Considering we just discussed passwords yesterday, is an uncanny coincidence that Technology Review runs an article today in which Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess] But Shrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."
This discussion has been archived. No new comments can be posted.

Password Security Panned

Comments Filter:
  • my password (Score:5, Funny)

    by jaymzter ( 452402 ) on Thursday February 03, 2005 @04:06PM (#11566309) Homepage
    is "god", because I heard from a good source that only the most "1337" admins use that!
  • by Realistic_Dragon ( 655151 ) on Thursday February 03, 2005 @04:07PM (#11566317) Homepage
    ...but when my mother comes over I thank god that my machine sets up passwords and partitions off users pretty well.
    • USB - gpg key? (Score:4, Interesting)

      by zoloto ( 586738 ) on Thursday February 03, 2005 @04:55PM (#11566916)
      Has anyone set up a Linux/Windows or other system so that you don't have to use passwords (only as a last resort of the admin howerver) but rather had a usb thumbdrive (keychain drive, whatever) so that when you plugged it in, it automatically mounted & authenticated you with a private "sub-key" that was signed by your private key with an "unlock" flag from your gpg keyring?

      Or something similar. I'm looking to get rid of passwords altogether on my systems with something that's tested to work.

      Any ideas if something like this works at all or anything like it that might be of some use?
    • by That's Unpossible! ( 722232 ) * on Thursday February 03, 2005 @05:08PM (#11567054)
      ...but when my mother comes over

      Don't you mean "down"?
  • 1-2-3-4-5 (Score:2, Funny)

    by ectotherm ( 842918 )
    Sound like the combination to some idiots luggage...
  • >Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy

    i don't understand this. can someone elaborate please?

    • by yotto ( 590067 )
      I thought the exact same thing. It sound kneejerk to me. I would assume that I, as root, would be setting up these "normalcy" filters and not some government agency.

      Not that I think it's a good idea, just that I don't think it has anything to do with privacy.
      • by nkh ( 750837 )
        I don't think I should be prevented from using a system if I can't sleep and want to ssh at 3AM for example. It's not just a privacy problem, it's just stupid.
    • by rackhamh ( 217889 ) on Thursday February 03, 2005 @04:12PM (#11566389)
      In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.

      So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

      But do you really want the system to record the fact that you browse armadillo porn?
      • But do you really want the system to record the fact that you browse armadillo porn?

        I don't mind that, I just don't want it to know I read /.

      • by merlin_jim ( 302773 ) <James DOT McCrac ... ratapult DOT com> on Thursday February 03, 2005 @04:28PM (#11566574)
        So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

        But do you really want the system to record the fact that you browse armadillo porn?


        More importantly do you want to feel compelled to compulsively look at armadillo porn daily out of fear that if you don't it'll raise a red flag and you'll be "caught with your pants down"

        That's a funny phrase to use here considering that you're getting caught for NOT looking at porn...

      • But do you really want the system to record the fact that you browse armadillo porn?


        Why -- do you know where I can score some?

        ...armadillo porn, I mean.
      • by Dwonis ( 52652 ) * on Thursday February 03, 2005 @04:52PM (#11566866)
        So, if you habitually browse armadillo porn, the system will know about it.

        And if your system's security is ever compromised, then the *attacker* will know about it, too. This would result in two things:

        • The attacker would know about your armadillo porn fetish; and
        • The attacker would have a detailed profile about your habits, which could be used to impersonate you further.
    • Basically software monitors internet traffic on your local LAN, and if an employee goes for more than an hour without looking at porn, there's a very good chance that it's an intruder.
    • by yintercept ( 517362 ) on Thursday February 03, 2005 @04:56PM (#11566931) Homepage Journal
      Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy

      This statement sounds very tinfoil hattish to me. There are many people who believe that a computer creating any sort of trace log is a violation of privacy. Personally, I find it good practice to record information about computer usage. For example, I usually record the incoming IP address of everyone who logs into a system. When dealing with critical information such as financial records or personnel files, I will keep a robust history of everyone who accessed a given record.

      In one case, I designed a program for a call center. The call center would allow customer service agents access to a customer's credit card number. I recorded every time a customer service rep accessed a card number along with information on the call they were handling. The computer would report any abnormal behavior in the credit card number access to a supervisor.

      Often the best way to improve your security is simply to provide your auditing information to your end users. For example, let's say I see a change in a behavior of a user...such as logging in from a different IP. I might make a program that informs the end user of this event. For example, if a person who usually logs in from Albany logs in from Kuala Lumpur, then I inform them of the event. IF they cannot remember traveling abroad recently, the change in behaviour just might be a security breach, requiring further investigation.

      Imagine if your work computer reported the time from your last log in each time you accessed the system. So, you come in Monday morning and the system warns that you logged in during the weekend. Most workers would take something like this seriously as it implies someone was stealing their identity. Tin foil hatters would be livid that the system recorded the activities of the person who stole their identity.

  • Surely... (Score:5, Insightful)

    by rackhamh ( 217889 ) on Thursday February 03, 2005 @04:08PM (#11566334)
    ... it's easier for the user to remember his/her own password than somebody who never knew the password in the first place?

    Seems to me that's the main point of a password. They may not be the end-all of security, but they sure make a decent first line of defense.
    • Re:Surely... (Score:5, Interesting)

      by tdemark ( 512406 ) on Thursday February 03, 2005 @04:43PM (#11566743) Homepage
      My biggest beef with passwords is the myriad of different "rules" as to what makes a valid password at different sites.

      I have a few great passwords ... no one is going to get them short of brute forcing (or, God forbid, key logging). However, every site seems to have different (read: REDICULOUS) parameters for passwords:

      - must not start with a number
      - must have both letters and numbers (symbols don't count)
      - can only be [a-z][A-Z][0-9]

      I would love to meet the asshats that come up with these randomly applied "rules" just so I could kick them squarely in the nuts.

      I used to only need two passwords for EVERYTHING (one "weak" password for discussion sites (eg - Slashdot) and one "strong" password for the important stuff). Alas, that was too easy. Now I have to maintain around 10 passwords that, IMNSHO, are far weaker that the ones they replaced (not by my choice).

      For example, one large credit card company recently changed its password policy. Since my old password didn't "fit" in their new policy, they simply set it to something else without telling me. Mind you, the new password I had to choose is orders of magnitude easier to crack than the old password because they removed a number of possible characters.

      Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?

      In close, if you have anything to do with the authentication process of a website, before you start throwing on random rules for passwords, do us all a favor and DON'T.

      - Tony
      • I know!!! (Score:3, Insightful)

        What could they be doing that would disallow a number as the first character?

        $making $all $passwords $into $perl $variables??
      • Re:Surely... (Score:4, Informative)

        by Beryllium Sphere(tm) ( 193358 ) on Thursday February 03, 2005 @05:38PM (#11567351) Journal
        The time you want to limit the character set used in a password is when the password goes into a web form.

        Allow in ' and some others, and you're inviting SQL injection attacks. Allow in left angle bracket and some others, and you're inviting cross-site scripting.

        No sane person would worry about cross-site scripting in a password entry field, but nonetheless web developers have the reflex of limiting incoming characters to a supposedly safe set.
        • Re:Surely... (Score:3, Informative)

          "The time you want to limit the character set used in a password is when the password goes into a web form."

          My favorite is when the password contains an '@' sign and they use it to log onto a site in internet explorer. Hilarity ensues.

          ;)

      • Re:Surely... (Score:4, Informative)

        by jesterzog ( 189797 ) on Thursday February 03, 2005 @05:58PM (#11567551) Journal

        Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?

        I don't work in security of any sort, and I agree with you that more characters means better security. My immediate guess is that although it may make the password more crackable from one perspective, having fewer characters to worry about would make it safer to run the password through many API's.

        Many string-related functions will do unexpected things with some special characters, and unless you know everything that it might do with every character, and all the ways that people might abuse this, it can be risky to assume that they've all been caught. In an ideal world, the programmer would know them all and know exactly what's happening to the password when it's processed, but I still know lots of great programmers who wouldn't be aware of several gotcha's in the printf() family of functions, for instance, that might be abused by crackers in one way or another.

        Especially if some software was being coded in a group and everyone had to understand it, I'd sympathise with coders or managers who'd prefer to go with a password system they understood rather than gamble they knew more about their libraries than potential crackers.

  • by teiresias ( 101481 ) on Thursday February 03, 2005 @04:09PM (#11566342)
    Sounds like a great idea. I'll also throw away the keys to my house and just install video cameras that track the movements of people approaching my home. If those movements are consistent with my routine behavior (come home from work, slam car door, pick up mail, etc etc) the door unlocks. Otherwise, my house becomes tighter than Fort Knox.

    Those keys were starting to be a bother in my pocket.

    Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villians out of your life.
    • I think that that's an excellent point. A determined burglary is not going to have any problem bypassing you locked door. However, the kid trying for an easy score will be deterred, and that's the point. Same with passwords. Some ub3rl33t black hat is going to bypass it anyway. Some teenager with more bravado than skills will find it a road block.

    • Of course passwords and keys can be bypassed, just as a locked door can be. But it's the fact that there's a locked door there that keeps a good percentage of casual villians out of your life.


      Yeah but part of the point here is that people who implement password systems are making them increasingly difficult for users to use (eg. Sorry, your password must contain at least 10 letters, some of which must be letters, some special symbols, some numbers). That's a lot harder to use/manage than a key, especia
      • That's a lot harder to use/manage than a key, especially since people generally only need a couple of keys (home, car, maybe work) as opposed to dozens if not more of passwords (home system, work system, web email, web site registrations, etc).

        The simple solution to that is to just use the same password everywhere :)

      • Sorry, your password must contain at least 10 letters, some of which must be letters, some special symbols, some numbers).

        It's not so hard:

        • Pick random syllables (e.g., by stabbing at a dictionary) and a number, then combine them into a nonsense 'word', (e.g., "FawUDau7")
        • Pick a phrase/song/poem and use the first x letters, with the number x added to them. Using the opening of the Star Spangled Banner we get 5Oscys.
        • Pick a phrase that is in plain sight of your computer, then pick two numbers x a
    • by generic-man ( 33649 ) on Thursday February 03, 2005 @04:24PM (#11566517) Homepage Journal
      An IDS that tracks your usage patterns is not intended to replace passwords; it is intended to supplement them. Once you're in your house, to continue your analogy, there are certain things you do and certain ways in which you do them. For example, let's say you have cable television but you never watch Fox News. If someone who used your key comes into your living room and watches the Fox News channel for hours on end, that's a red flag.

      Red flags do not trigger an immediate lockdown. They just suggest to an administrator that someone may be behaving in a way that you wouldn't, and that further investigation may be warranted.

      IDSes are a great way to supplement the absolute uselessness of passwords, as long as administrators know how to use them effectively.
  • Password alternative (Score:5, Interesting)

    by dilvie ( 713915 ) on Thursday February 03, 2005 @04:09PM (#11566345) Homepage Journal
    There are lots of alternatives to passwords that have really been around a long time. Lots of companies, for instance, offer products like USB security keys. IMO, what the world needs is a really good key standard to get behind, and a killer ap to champion it. If MSN, Yahoo! and Google all supported a new key standard for authentication, it would go a long way towards universal adoption.
    • Comment removed based on user account deletion
    • Yes, but just as a password requires a predetermined combination of characters, so would a hardware "key." It would just be more convenient for saving longer passwords.

      But here's where it goes wrong: if all services use the same key, then one being compromised can lead to all being compromised. Additionally, if you use a different key for each, well I've got enough crap on my keychain than you!
      • It's fairly trivial for a website to offer a public key that can be used to create a unique login key for every site you visit, based on your own secret key.

        You might still feed salt that is used in combination with the key that is stored on your USB device (or software), so even if somebody manages to steal your physical key, they won't be able to log in to your accounts without first cracking your password.

        The scheme would simplify logins (login once, and you're automatically authenticated everywhere

      • Which is why I am so set agains using LDAP. It's nice and it can provide one signon for every damn thing you got....but again, once a password is compromised, your toast. Help Desk idiots like it because it lightens their load. I personally hate them. They make everything nice for the help desk, but again, once your password has been yoinked, your done.
    • by kzinti ( 9651 ) on Thursday February 03, 2005 @04:19PM (#11566472) Homepage Journal
      To paraphrase Bruce Schneier, a system can authenticate you with one of three things: something you know, something you have, something you are, or some combination of those somethings. The author of that article says we should wean ourselves from passwords, but doesn't offer any realistic alternatives other than "suspicion engines", which don't meet any of Schneier's criteria, although they sound like a weak attempt to add a new one: "Something you do". Would anyone here feel comfortable trusting their bank account or Paypal account to a suspicion engine? Thanks, but no thanks.
      • Bank accounts aren't really a good example, because I happen to know of some banks which actually do this.

        If you withdraw lots of cash in London and 20 minutes later you are using a cash maschine in Lima your account will likely be locked immediately. Not that this compares to suspicious behavior in the computer world (because distance doesn't matter there), but I guess it's the same approach.
  • by MankyD ( 567984 ) on Thursday February 03, 2005 @04:10PM (#11566356) Homepage
    Maybe I'm missing something. If you are going to compare usage of the system to see if the user is doing something unusual, don't you have to let them use the computer for a little while before you can make that call? If a malicious user was logged into someone elses account, they would still have plenty of time to do harm before an algorithm could definitively say they weren't who they said they were. Am I wrong?
    • Very good point here. Add to this the fact that a malicious user who knows anything about the account owner will likely have a good idea of that person's common computer habits. For example, I tend to open WinAmp and stream music, open Firefox and check various comics then /., then play a game. If a malicious user opens WinAmp and hits play, opens Firefox and browses a few sits, then runs a game and minimizes it, he can now do all sorts of things without the computer algorithm getting suspicious. In fac
    • Depends what you call plenty of time. Running on my computer, it would be warned when the intruder didn't immediately run kopete, and prolly lock him out when he didn't open /. within 20 seconds of logon.
      • That seems a bit extreme. Some days I launch my email app right away. Other times I log in, then start ruffling through my papers and/or talking to my coworker's/boss before I actually get to business.

        It seems you would need mutliple inconsistencies before you could make the call. That's why I mention that they will have time to run around doing malicious mischeif.
  • Password Lockout (Score:3, Interesting)

    by djtripp ( 468558 ) <djtripp@g[ ]l.com ['mai' in gap]> on Thursday February 03, 2005 @04:11PM (#11566359) Homepage Journal
    There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords, and don't remember how many times an incorrect leg in will lock them out, either indefinitely until they call the help desk, or temporarily. Most of our systems are behind a firewall, and we haven't had too many intrusion problems, but It still could be out there.
    In other words, people get locked out by stupidity. Something that looks for abnormal behavior would be great, esp when people have idiotic passwords, and suddenly a methodical password attempt to login occurs.
    • There are several systems we have, each with different passwords, and with different protection schemes. Users have a hard enough time remembering easy passwords...In other words, people get locked out by stupidity.

      That's true, but I'm not sure you realize whose stupidity.

    • That's not such a big problem; give them an item without network access, say a small organizer. Then tell them to remember one password. Put an application on the organizer that encrypts/decrypts passwords, and use that one password for it.

      Things to make this scheme more interesting:
      - backup of encrypted databases possible
      - protect main password by 2 man action of sysadmins
      - use of strong password generator within same application

      If you are worried about bad logins to a central authentication point (e.g.
      • This sounds like a (no offense) poorly implemented encrypted hardware key. Although I suppose the concept is useful in that it allows them to use passwords on things that don't normally support "good" hardware security solutions, what's to stop them from caching their password anyway. To prevent user annoyance, the device would probably cache the password for a set period of time.. Someone could walk by with their camera phone and suddenly have ALL of a user's passwords.
  • OPIE nee S/Key (Score:2, Informative)

    by Anonymous Coward
    Why permit reusable passwords when you can use hardware tokens or free one-time password systems such as OPIE (formerly Bellcore's S/Key project).

    Most free Unix systems ship with SHA-1 capable S/Key support included.
  • He's right. (Score:5, Interesting)

    by Sheetrock ( 152993 ) on Thursday February 03, 2005 @04:11PM (#11566362) Homepage Journal
    No password length can match a biometric, especially mine. The level of detail a good scanner can pick up well exceeds a memorizable password, with of course the understanding that too perfect a read will make it impossible to scan twice the same way, and the technology is only getting better.

    In the future, we'll have smart cards that will act like our Social Security numbers/national IDs work today. Cash, credit, verification and signing will all be possible using one card or perhaps even an embedded chip, and we can once and for all eliminate this nonsense about having to remember a different password for each service or the concern about identity theft.

    • Re:He's right. (Score:4, Interesting)

      by johnnyb ( 4816 ) <jonathan@bartlettpublishing.com> on Thursday February 03, 2005 @04:20PM (#11566479) Homepage
      The problem w/ biometrics is that it will wind up being way too easy to bypass (by just recording someone else's bits and replaying them to the hardware, or it will require too much money to secure the biometrics device.

      I had heard of a password mechanism once that was based on facial recognition which seemed interesting. You chose a sequence of faces, and the computer asks you to choose a face from a selection. It sounded interesting. If anyone knows where the article is, I'd like to re-read on that topic.
    • by grub ( 11606 ) <slashdot@grub.net> on Thursday February 03, 2005 @04:22PM (#11566499) Homepage Journal

      Re: your sig. Dr. Spock was a famous pediatricion. Mr. Spock is from Star Trek. Also note that it wasn't he that said the line in your quote, I'm pretty sure it was Yoda from Star Wars. You've managed to bastardize my childhood worse than George Lucas and Rick Berman now, thankyouverymuch.
    • Re:He's right. (Score:2, Interesting)

      by jcims ( 316827 )
      Yeah, they talked about this a long time ago...

      Revelation 13:16-18, "And he causes all, both great and small, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And no man might buy or sell, save he that had the mark." :P
    • No password length can match a biometric

      Sigh. How often do people have to explain this. A biometric makes a poor key. Biometrics are not changeable. Any key that cannot be changed easily is flawed.

      If biometrics catch on security will go all to hell. One compromise and it's all over.

      • Use something you have and something you know. You have a fingerprint. Use that and a RSA key. Also, what if you accidently damage or cut off the finger you use? What if you were forced to scan all 10 fingers and use a different one each time and never two neighboring fingers in succession. I mean biometrics can add a additional later to what we have....security is best done in layers.
        • Re:He's right. (Score:4, Insightful)

          by 99BottlesOfBeerInMyF ( 813746 ) on Thursday February 03, 2005 @04:49PM (#11566836)

          Use something you have and something you know.

          Changeable keys are better than unchangeable. If I break up with my girlfriend, I can change the locks to my house. If I think a online site may actually have been a russian mob front, I can change the password on all my other sites. If my fingerprints get lifted from a glass at the bar, I'm fucked forever. Biometrics are a bad idea. If my fingerprints, or DNA, or retina scan are put in one database that is hacked, and we rely upon those biometrics, I'm fucked forever.

          Biometrics are easy to use, but unreliable. If they come into common use, they will be relied upon. This will introduce a false sense of security. It's sort of like having a doorman at your building who will look the other way for $5. You feel more secure. Maybe you don't bother to lock your door inside. Then you wake up dead.

          One last thing. If some car jacker wants my car, they can jump me in the parking lot and take my keys. They need no real knowledge. They don't even need to know how to hotwire a car. If my car had a biometric key, they could still jump me and take it. I'd just be missing a body part. No thanks.

    • by DeadVulcan ( 182139 ) <dead.vulcan@pobNETBSDox.com minus bsd> on Thursday February 03, 2005 @04:24PM (#11566529)

      No password length can match a biometric, especially mine.

      Help me out, are you dissing the security of your own password, or are you bragging about the size of your biometric?

    • Re:He's right. (Score:5, Insightful)

      by renderhead ( 206057 ) on Thursday February 03, 2005 @04:31PM (#11566610)
      The main problem with biometrics is that once a hacker gets past it once, they've gotten past it forever. You can't change your thumbprint like you can your password, and your retinal scan is definitely permanent. So the security works great until someone figures out a way to fake your thumbprint. Then they can get into any of your thumbprint-protected resources anywhere in the world. Not only that, they have all the time in the world to come up with a perfect way to fake the print because they know it won't be changing in 30 (or 90, or 5) days.

      What do you do when you realize that even one of them has been breached? How do you change your security settings to lock out the intruder from the vulerable resources while allowing you to retain access?
    • Biometrics should always be optional.

      First, Internet accounts need to have unlimited character lengths for passwords. For example, I believe Hotmail only allows 16 characters.

      Second, once we have unlimited character lengths for passwords, we then could store biometrically generated passwords easily.

      Biometrics in required situations, create problems. One, there is a privacy concern regarding biometrics, especially with the government. But more importantly, it creates the problem of what happens when someo
  • Passwords will always be beneficial in helping to establish accountability.

    Passwords are less about keeping people out and more about making people accountable.
  • From the article: Today's password authentication schemes are little more than security placebos. They perversely inspire abuse, misuse, and criminal mischief by deliberately making users the weakest link in the security chain.

    The user will always be in the security chain. Ergo, no security chain can be made stronger than the user; ergo, having the user be the weakest link is a good thing. The key question is what aspect of the user is the weakness predicated on-- their memory? Their gullibility? The un

  • Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.

    While I value my rights to privacy as much as the next person, how is this an invasion of privacy? If I am browsing a site, and it thinks I am a fraudulent user, and it makes me perform something to validate myself, how is that an invasion of privacy?

    Seriously, are you
    • Seriously, are you afraid Amazon's tracking of your browsing habits are wrong? Should they not do that? I mean, your willing to hand out your credit card to them, but please, don't let them track you!

      Perhaps you should have a look at this recent story [slashdot.org] about a man who was wrongly charged with attempted arson based on his grocery purchases, tracked via his club card. Being tracked is one thing, but having a third-party piece together a context given the data can be alarming.

  • So... (Score:5, Insightful)

    by eln ( 21727 ) on Thursday February 03, 2005 @04:12PM (#11566390)
    So what you're saying is passwords are a crappy form of security, but other forms of security suck just as much or worse?

    Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.

    Passwords are also superior to things such as biometric scanning on things like Internet sites, because they place a limit on how much trust you have on that site. Unlike biometrics, passwords can be easily changed if, say, you use the same password on multiple sites but find out that one of them has been using peoples' passwords to crack into their accounts on other sites.

    These days, if you have a well chosen password, you're far more likely to get cracked because of some other undetected vulnerability in your system rather than someone guessing your password.
    • Re:So... (Score:5, Insightful)

      by nine-times ( 778537 ) <nine.times@gmail.com> on Thursday February 03, 2005 @04:54PM (#11566897) Homepage
      Passwords are good security because, if chosen well, they're fairly hard to crack, and fairly simple for legitimate users to use. Other forms of security tend to either be too easy to crack, or so cumbersome that legitimate users find ways around them rather than deal with the hassle.

      Seems to me that there's a different difference that makes passwords worthwhile. See, there are three sorts of security measures (everything I can think of fits into one of these): Measure something the user has (like a keycard), measure something the user is (biometrics), or measure something the user knows (like passwords).

      Something the user has can be stolen. With measuring something the user is, there's something like the risk of "being stolen". If it's a fingerprint scanner, someone could take your fingerprint from an object you've touched without your knowledge. If you use facial recognition, well, you're face is out in the open for everyone to see all day long-- couldn't someone somehow capture that image and re-display it? I know, they are improving the detail and complexities of the scanners all the time, but for however much they improve the resolution of the scanners, they just need to have a "camera" with enough detail to fool it. More complex scanning methods only mean you need more complex display/replay methods to fool them.

      However, when it comes to measuring something the user knows, with current technology, there isn't a good way to "capture" that without my knowledge. At least not as long as I'm wearing my tinfoil hat.

  • by geoffspear ( 692508 ) * on Thursday February 03, 2005 @04:13PM (#11566395) Homepage
    It's inherently immoral to deny access to your data to anyone who wants to see it. All that information wants to be free! How dare you lock it behind passwords, and try to find even more oppressive methods of keeping it in chains?
  • by Eclipse5302 ( 848688 ) on Thursday February 03, 2005 @04:13PM (#11566397)
    I went to help a user this morning with their voicemail. I push the "Voice Mail" button on their phone and it asks their password. He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.

    I couldn't believe my eyes...

    Then some of my other users have started using "asdfg" and "qwerty" because I make them change it too often (every 90 days). I guess that's a little better than using their last name.

    I agree that passwords ARE useless.
    • Physical Security. Crucial sensitive data should only be able to be accessed by physical access. Setup things like ssh to use cryptographic keys and not use passwords. Leave password for sign on to user accounts and have three tries and your out policy.

      Lastly, in bad handwriting so a G and 6 can be confused, write a false password on a post-it note and place under the keyboard.
    • >because I make them change it too often (every 90 days)

      no kidding they have to use simple passwords. making them change password every three month does not improve security at all. if it gets hacked, you'd know it immediately - so why make people change every 3 months?

      the key is to make everyone come up with a secure password they get to keep.

    • He pulls out a notepad from his top, always unlocked, desk drawer. This notepad has ALL of his passwords written on it. He has access to some pretty important stuff, too.

      Let me be unconventional and argue that the problem there was that the drawer was unlocked.

      I did a risk analysis/threat modeling exercise on writing down passwords and translated it into Aunt Tillie language once for my free newsletter. Everyone says never to write down passwords, but they're just repeating what they heard themselves.

  • Physical keys (Score:5, Insightful)

    by ch-chuck ( 9622 ) on Thursday February 03, 2005 @04:15PM (#11566429) Homepage
    When Mr. Joe Sixpack opens the house door, he doesn't have to remember, "tumbler one is 13, tumbler 2 is 25, tumbler three is 10, etc.". He just puts a key in an moves on. Same with car, bank safe deposit box, etc. That's the way it will have to be with IT, a key card, something physical they carry around for access. Sure there are people who lose keys, lock them in their car, etc, but it's a 'metaphor' any adult can relate to. You go to work, they hand you a key-card to access your account, you don't have it you can't get in and it'll cost extra for someone to help you if you lose it, just like for the real thing. Fingerprints are for criminals and can spread illness, voice prints and retina scans are weird sci-fi stuff. Just give 'em a key.

    • At least one company I know has a large-scale deployment of smart-card based logins. Employees use their badges as login credentials.

      Now, if Microsoft were to decree that hardware vendors had to include a smartcard reader in order to get a Windows license, we might see some standardization.
    • The trick is the 2-layer: Something you have, and something you know. You have a key, and you know where it goes. A key should be minimally labeled, so if someone just finds it on the street, they can't guess where it belongs. So what we need is a ubiquitous standard, some kinda USB key, or something that can't be lost, like a fingerprint. Not that other people can't get copies, just that you can't lose your copy. Couple that with knowing something, like which terminal to log onto, or, say, have 5 finge
  • that monitors usage activities and alerts suspicious activity seems like a good idea...

    But think about it. How often do your usage patterns change. I might be an atypical user, but my network packets don't keep the same pattern for now; I have a meta pattern that shifts every new project. This week I've been exchanging a lot of packets with our file server, talking with source safe, access databases, and collaborative UML modelling.

    Last week nearly all my packets were terminal services to the productio
  • There is that cartoon somewhere on the net:

    "Please enter your new password"
    - {snigger} "PENIS" [OK]
    "Your password is too small."
    - {cowers}

    I think that sums up users and passwords...
  • I would prefer to see research on the effectiveness of behaviour monitoring.

    I believe the credit card companies use this type of technology. Why not see what their real usage yields in effectiveness?
  • by frovingslosh ( 582462 ) on Thursday February 03, 2005 @04:25PM (#11566531)
    Passwords can work fine and be easy for the users, it is the systems that make passwords weak. The ability to use a dictionary attack on passwords is insane. Any reasonable implimentation of password security would let a user try a very limited number of attempts to gain access by a password (to allow for typing errors and human error, even accidentally using the wrong password). After multiple failures, a reasonable system would lock out the user account for a period of time (at a minimum, it could also begin a notification process or take other measures to protect data if appropriate). After the imposed delay the user could be given another chance to enter the password, but again after one or more failed attempts a delay could be imposed again, perhaps with a longer delay after each failure. These delays would have little or no real impact on a user who made an error in password entry, but would be a major step in stopping dictionary attacks or other guessing approaches used by attackers. Not using them is simply poor system design.

    It would certainly be easy for any on-line system to recognize a dictionary attack and distinguish it from user error or just a user who had forgotten his password. For example, a large number such as 25-30 hits against a small dictionary of vastly different but common words or passwords, without ever coming close to the actual password, should certainly trigger recognization of an attempt to break into an account and take appropriate steps (perhaps imposing a delay on the account, perhaps locking out the offending IP address, perhaps locking the account until there was human action, or some other action appropriate to the particular circumstances).

    Users should always be advised of any failed attempts to gain access to the account after a sucessful login, a feature that is lacking from most current systems.

    • OK, even if the dictionary attack is happening online instead of offline --

      What happens when an intruder gets hold of a company directory, tries each username in sequence, and makes *one* login attempt to each using the password "password"?
  • hardware problem (Score:4, Informative)

    by grassy_knoll ( 412409 ) on Thursday February 03, 2005 @04:25PM (#11566536) Homepage
    From TFA:

    Somehow, the world's ATM banking systems have managed to get by with a bare minimum of fraud for more than 20 years by relying upon only four-digit codes. So what do the banking geeks grasp about password management?

    While the article continues to say that simple passwords are good, it overlooks the other half of the equation: the ATM card. Without both, no access is granted which seems to be the strength of the ATM.

    The prevelence of password only authentication seems to be a hardware problem. Everyone has a keyboard, but almost no one has ( for instance ) a securid token.

    A USB dongle might be the easiest solution, although standardization is obviously a problem. Gawd knows I wouldn't want to have one USB dongle for yahoo, one for NYTimes, one for my bank, et. al.
  • I've had to ask somebody for their account name, and they tell me: my account name is .... and my password is . . . . .

    Or, how many passwords I've found on the backs of keyboards, or on post it notes stuck to the desktop or monitor.
  • by a55mnky ( 602203 ) on Thursday February 03, 2005 @04:28PM (#11566576)
    The author of the article compares complicated and difficult passwords to 4 digit pins for ATM machines and points to the lack of fraud in the ATM situation. There is a significant difference between the two scenarios - with ATM access you need a card in addition to your pin - this is referred to as two-factor authentication.

    Sidebar
    Factors are things you need to prove your identity and there are three types -
    "what you know" - typically a password
    "what you have" - typically a card, token, key fob, or digital certificate
    "what you are" - typically biometrics
    End Sidebar

    The ATM example is 2-factor, which is inherently more secure than a password which is single factor

    A far more secure approach would be to implement a two-factor authentication mechanism, however this increases cost and overhead (AOL is now offering this as an option - for a fee or course). Some other options are one-time password schemes where the password changes after each use, or graphical based passwords.

    While in theory and practice passwords are not very secure, it must be pointed out that the other options are more expensive and more difficult to manage. Imagine having to carry 20-30 key fobs or a disk with a digital certificate everywhere you go.
  • Calm down. Warning : RTFA : Developers at play : Roundtable discussion regurgitated as ruminant principles. This is standard bassackward engineering. Take sound tested principles and piss all over them in favour of the next big thing. Lets wander past engineering before we start the marketing engines.

    Yes, i know. Silly me, its not boring. Its New, Improved and with [Insert Trademark here]. Oh wow, you actually have a shipping product? Version 1.0? Nah, ProductX _is_ mature and the, eh, the flaws are read
  • My normal usage patterns at work might very well be exactly the usage patterns that someone unautorized would use. So what is the actual point of such an excercise? Surely it must be impossible to predict what I need to use the computer for, and if someone else is using it for the same thing?
  • Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user.

    You ever seen an Apache log file Taco? All the information's already there - all you have to do is parse it.

    We're continually looking at ways to improve security without making the UI less intuitive (admin system for 300,000+ domain shared hosting accounts). We're cons

  • I don't know about you, but what I infer from the tidbits given, this sounds pretty useless. Here's my understanding, and why I think the way I do:

    Assumably, the suspicion engine compares normal patterns of activity with the current patterns. Now, there's two things about this that strike me as not too good... First, a pattern is a given set of occurences in a span of time. That span of time has to be small enough to catch and stop harmful activity, but large enough to be useful. Second, "normal" varies fo
  • That's total bullshit. Computer passwords have a long tradition and they work extremely well, in particular together with simple mechanisms that disable the account after a few tries. If you have many passwords, keep them in an electronic wallet.

    The biggest problem with passwords is that companies don't use secure network communications, but that's a problem in general. If we made all TCP streams encrypted by default, then that problem would go away.

    As for banks, their password and card security is usu
  • From the blurb: Any hidden filter meant to compare traffic on your account against profile of "normal" usage strikes me as both an invasion of privacy and a sure fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user

    Huh? OK I can see some of the false alarms but invasion of privacy? Would you, as the owner of the machine using this technology, monitor yourself? And if someone else monitored you, such as the company you're working for, you have no granted rights to sai
  • Web _servers_ have been ussing SSL certs since day one. They are commonplace for web users verifying the identity of a web server.

    But they can also be used for identifying the identify of the web _user_.

    If client certs were more widely used by users, and more widely supported by web sites (a catch-22 situation I guess) then we can bypass usernames/passwords completely if we wish. And rely on the client certificate for identification purposes.

    Then I won't have to keep coming up with unique passwords

  • Hard to remember? (Score:3, Informative)

    by Pan T. Hose ( 707794 ) on Thursday February 03, 2005 @04:49PM (#11566830) Homepage Journal
    Use Bruce Schneier's Password Safe [schneier.com] if you cannot remember passwords, but saying that passwords are useless when they are hard to guess because they are hard to remember, so we should use no passwords at all so there won't be anything to guess in the first place is the most stupid thing I have ever heard. If not using secrets that people can remember than what? Biometrics? Oh [schneier.com] please [schneier.com]... From the article: "79 percent of people questioned on the streets of London revealed such desirable security-sensitive data as mother's maiden name and birth date." Really? People revealed such secrets as their birth date? Let us all stop using passwords then! This is just laughable.
  • by fiannaFailMan ( 702447 ) on Thursday February 03, 2005 @05:02PM (#11567003) Journal
    The HSBC bank ask for your online ID (username), date of birth, and three digits from an 8 digit security number that you've memorised. Which digits they ask for is always randomised. Sometimes it's the 1st, 2nd and 3rd, maybe next time it would be the 3rd, 4th and 8th and so on.

    On their phone system they ask for your account #, date of birth, and 3 digits from your security number. I've always been impressed by their system.

    On a side note, I love how you never have to start telling the story from the top whenever they pass you on to another service representative. As soon as they pick up the phone it's "Hello Mr ______, how can I help?" I never thought I'd say this about a bank but the HSBC rocks!

  • Suspicion engines (Score:4, Insightful)

    by miskate ( 730309 ) on Thursday February 03, 2005 @05:50PM (#11567472)
    A couple of years ago a friend of mine was backpacking in the middle east. Like a lot of backpackers, she had travellers cheques for emergencies but relied on her credit card for everything else.

    Then all of a sudden, it stopped working. On the weekend.

    When Monday finally rolled around she rang up the credit card company to find out what was wrong and was informed that her card had been used in a number of suspicious places - several different countries in a short space of time in a dodgy part of the world, and had automatically been stopped.

    Yes she said - I'm doing a whirlwind backpacking tour of said dodgy part of the world. All that usage is legitimate. The card was re-enabled - but the process would take a couple of days during which she had to borrow money from her travelling companions.

    A week later, now in some other middle eastern country (I forget where), the same thing happened.

    My point? People don't always behave consistently. Life is not always stable. The real kicker is that usually when people are behaving differently than they normally do it's because they are outside of their comfort zone and really need as many things as possible to go smoothly.

    A suspicion engine can prevent legitimate use of a system in these situations.
  • by bruthasj ( 175228 ) <bruthasj@yaho o . c om> on Thursday February 03, 2005 @06:57PM (#11567999) Homepage Journal
    This is why I no longer carry a Credit Card. As an American living in a foreign country, I used my card frequently in multiple countries. Well, the "security" group at the Credit Card company "detected" that the card was being used illegally. They shut it down 2 or 3 different times. I was so pissed at having to explain to them that I nearly blew up over the phone. This last time they forwarded me to all sorts of people, including their security group. I swear they were going to report *me* to authorities or something.

    Anyway, let's just say after this experience, I ripped up my Credit Card and will never do business with FirstUSA or affiliated banks again. (AT&T credit cards too, but that's a different, longer story.)

    So, basically, these "detection" systems do nothing but risk false-positives and pissing off a bunch of people.
  • Repeat after me... (Score:3, Insightful)

    by deblau ( 68023 ) <slashdot.25.flickboy@spamgourmet.com> on Thursday February 03, 2005 @11:42PM (#11569560) Journal
    Security is a journey, not a destination.

    You won't be secure until you educate end users, and get them to buy in to the idea of security. The weak link is rarely the hashing algorithm or the PRNG, it's the people. If you've got a bank vault with a huge steel door and a glass window, you find a rock. As long as people keep leaving passwords written down on stickies attached to the monitor, passwords won't be worth crap.

    Instituting monitoring of accounts may or may not be a good idea, depending on your particular circumstances. But calling a security mechanism useless because some people don't know how to use it right is shortsighted.

  • by Durandal64 ( 658649 ) on Friday February 04, 2005 @01:58AM (#11570040)
    the tougher rules only make them harder for users to remember, not harder for hackers to guess
    I don't see how this makes any sense. If we assume that the hardest passwords to remember are randomly-generated ones, then wouldn't it follow that they'd be the hardest to "guess"? If your password is just a series of random digits, then it's very highly improbable for any hacker to guess it, and it takes a lot longer for it to be brute-forced.

    And the guy's example of ATMs as "getting by" for the past 20 years isn't a very good indictment of having longer, more random passwords. ATMs don't just rely on 4-digit PINs, for Christ's sake. You have to have a card, which is another layer of security. And there's also a camera at the ATM machine. I'd love to see how good ATM security turned out to be if there was no camera and a total reliance on a 4-digit PIN.

    The problem here isn't that passwords are ineffective; it's user ignorance and stupidity. If companies started enforcing a strict standard of making their employees memorize a 12-digit sequence of random characters, then weak passwords in corporations wouldn't be a problem. It takes all of 15 minutes to memorize a random password through muscle memory alone.

    Users need to be made aware of the repercussions of having a weak password to a network. A lot of students at my university will constantly bitch and moan about our policy of making everyone change their passwords every 60 days. We tell them it's for security. They say, "Well I don't care if someone gets into my e-mail." It's not just the student's e-mail that's at risk. It's the network. If someone obtains a legitimate username and password for an account at my school, they have access to all of our site-licensed software as well as the VPN server. With access to the VPN server comes access to the SMTP server, which means that our SMTP server could be used as a spam relay, and that hurts everyone.

"You'll pay to know what you really think." -- J.R. "Bob" Dobbs

Working...