Enforcing Cryptographically Strong Passwords
Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues pointed out with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from slashdotters?"
Re:GOD (Score:5, Funny)
Do I need a password to view your super-secret password? Or do I run your comment by LC5?
Re:GOD (Score:2)
If I copy paste your password, only you see it... we all still see asterisks ^_^
Easier to remember random passwords (Score:5, Funny)
Re:Easier to remember random passwords (Score:2, Funny)
Interesting.
On an unrelated note, where do you work?
Re:Easier to remember random passwords (Score:4, Insightful)
Sure, you get rid of idiots using "password" or something, but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...
Re:Easier to remember random passwords (Score:5, Funny)
but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...
Perhaps, but if he gets you to spell the words for him, the dictionary attack won't work.
Re:Easier to remember random passwords (Score:3, Insightful)
ie: one man takes two steps down the hall: 1mt2sdth
Re:Easier to remember random passwords (Score:3, Interesting)
Exactly. Years ago I used to use "this is my really long password at work." as my GPG passphrase. The looks I got while typing were priceless. And if there are any of my friends left who don't know this is my
nqq_39tyyza7 remember that! (Score:5, Insightful)
Re:Easier to remember random passwords (Score:5, Insightful)
Easy, but still much better than the usual girl's name/birthday style. Consider there are at least 10,000 words in the average person's vocabulary. So two words gives you 100 million possible passwords; add two digits and you have 10 billion. Actually, this is the system I personally use; I feel comfortable with it. It's not invulnerable but safer than most.
Re:Easier to remember random passwords (Score:3, Interesting)
Anyway, with a random combination of letters and numbers (including shifted values), you can get over 139 billion combinations with just 6 characters, and over 722 trillion with 8 characters. 10 characters give
Re:Easier to remember random passwords (Score:2)
1. Be at least 8 characters long.
2. Contain lowercase and uppercase letters.
3. Contain numbers.
4. Contain no dictionary words.
5. Contain non-alphabetical characters.
2943768. Only one password satisfies all the rules above, so it also can't be used.
Re:Easier to remember random passwords (Score:3, Informative)
Not even close to being equivalent: the first, being three English words (assume a vocabulary of 10,000), results in 8.00e12 combinations, (10,000*2)^3 [caps or not caps],
while the other password gives 3.23e20 combinations, 62^12 [letters*2 + 10 digits]; if we allow the other symbols on the top row of the keyboard it goes up to 5.00e22 combinations.
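The keyspace arithmetic the last few posts trade back and forth (two words plus two digits, three capitalisable words, twelve characters from a growing alphabet) is easy to get wrong by a factor of ten, so here is a small calculator that does it explicitly. This is an added example, not code from the thread; the 10,000-word vocabulary, the 16-symbol top row and the one-billion-guesses-per-second rate are constructed assumptions, and the expected search time is the conventional half-keyspace estimate for an offline attack on a fast hash.

```python
import math

# Constructed assumptions for this example (not figures from the thread):
# a 10,000-word vocabulary, US-keyboard character classes, and a guess rate
# of one billion candidates per second for an offline attack on a fast hash.
VOCABULARY = 10_000
LOWER, UPPER, DIGITS = 26, 26, 10
TOP_ROW_SYMBOLS = len("`~!@#$%^&*()-_=+")   # 16 symbols
GUESSES_PER_SECOND = 1e9


def word_keyspace(words, vocabulary=VOCABULARY, capitalisation_choices=2):
    """Candidates for `words` dictionary words, each optionally capitalised
    (the post's "caps or not caps" doubling of the vocabulary)."""
    return (vocabulary * capitalisation_choices) ** words


def char_keyspace(alphabet_size, length):
    """Candidates for `length` characters drawn uniformly from an alphabet."""
    return alphabet_size ** length


def bits(keyspace):
    """Entropy in bits of a password chosen uniformly from `keyspace`."""
    return math.log2(keyspace)


def expected_years(keyspace, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: on average half the keyspace."""
    return keyspace / 2 / rate / (365 * 24 * 3600)


def compare():
    """Keyspace, bits and expected offline search time for the schemes
    discussed in the thread."""
    schemes = {
        "2 words + 2 digits": word_keyspace(2, capitalisation_choices=1) * 10 ** 2,
        "3 words, caps or not": word_keyspace(3),
        "12 chars, letters+digits": char_keyspace(LOWER + UPPER + DIGITS, 12),
        "12 chars, +top-row symbols": char_keyspace(
            LOWER + UPPER + DIGITS + TOP_ROW_SYMBOLS, 12),
    }
    return {name: (ks, round(bits(ks), 1), expected_years(ks))
            for name, ks in schemes.items()}


if __name__ == "__main__":
    for name, (ks, b, yrs) in compare().items():
        print(f"{name:28s} keyspace={ks:.2e}  bits={b:5.1f}  expected={yrs:.3g} years")
```

Bits are the useful number to compare: each extra bit doubles the attacker's work, and a human-chosen word is worth far less than log2(vocabulary) because people do not pick words uniformly.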
"Force"? (Score:5, Interesting)
I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.
Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.
Re:"Force"? (Score:5, Insightful)
First mistake, having an IT policy that forces users to remember dozens of passwords. Second mistake, telling a user to put their passwords in a plaintext file on the desktop. Third mistake, posting that fact on /. without posting as AC.
I'm not making fun of you, but I feel for those admin b/c nobody would make such a policy unless forced by the higher ups.
Security is based upon three types of authorization: 1) something you know (password), 2) something you are (biometrics), 3) something you have (a key of some type). Assuming that security is this important to your org, maybe you should get some type of thumb drive with a security credential and then you could use weak passwords safely. Or biometric fingerprint IDs (now available from IBM) plus weak passwords. But the policy your network has in place is probably weaker (b/c I'll bet many people have these plaintext files) than a much slower password cycle.
What about this combination idea? (Score:2)
Additionally, start building keyboards with biometric fingerprint pads you could use.
The USB thumb drive key thing would have a list of all of one's passwords. But to unlock it, it would not only require your fingerprints (biometrics), but it would also require let's say an 8 to 16 character typed password when attempting to unlock it.
This way, it's as simple as plugging the USB thumb drive key thing int
YAPS (Score:2)
Keep all of your passwords in YAPS. Whenever you need to login, you can look back at YAPS.
Re:"Force"? (Score:3, Insightful)
I find that using SSH keys wherever possible, with the local accounts actually having their passwords locked and forced to use SSH keys, works quite well. The trick then is to force the user to passphrase the SSH key, which is helped by using tools like keychain that allow them to use the password once and use it anywhere.
Kerberos has a similar approach but req
Re: Less is more (Score:2)
A common problem. One pet peeve of mine is expiring passwords. There are some good arguments for having them: a compromised password will only work for a certain amount of time (unless the hacker changes it), and if passwords do not change very often, a brute force attack will have more time to find a valid password. H
Re:"Force"? (Score:3, Interesting)
One way I have found that works for me is to stop what I'm doing for a minute, clear my head and then look around at my surroundings. The first thing my eyes stop on generally has some text on it (books, various pieces of computer hardware, memory cards, magazines
Don't (Score:4, Insightful)
The whole point of passwords is to deter regular Joe from gaining access. Yet anyone with enough time and commitment can and will break any password or encryption method ever created.
Re:Don't (Score:2)
That's true. Why not use a well-known (to you) phrase plus a (non-easily-guessed) number as a password?
l33t is handy (Score:2)
password (Score:5, Funny)
Stop posting my password on Slashdot, Zonk!
There is only one way (Score:2)
People like the easy life, and they hate passwords they can never remember (think they can never remember).
Pass-ages would be better, for example "This is Gretta's house, it has 100 cats in it. They like milk and beer and when you stroke them they go 'Meow'".
Easy to remember, though a tad long.
Single Sign On (Score:4, Interesting)
To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.
Mod parent up (Score:3, Informative)
The corollary of this is that if you do have single sign on and/or single login then you should be enforcing strong passwords as a weak password provides access to everything.
BTW, at the moment, the closest thing to single sign on is Kerberos.
Use Password Safe (Score:2, Interesting)
The only problem is that it is not very portable in that if I am not on my own computer I don't have access to the password data ba
Re:Use Password Safe (Score:2)
Ah yes, the Memento method. [christophernolan.net]
random passwords (Score:4, Insightful)
Forcing an average user to use a difficult random password is like asking them to write it down on their monitor (I've seen this done more often than I can remember - and don't forget my memory is good
Wouldn't a non-random but still difficult to guess password be more secure?
Using the method mentioned in the article (e.g. t7p4i0t1 for combining a phrase and a number) is OK until you are forced to change the password too often. Was it "pearl in the river" and my birthday, or was that last time and now it is "lorem ipsum dolor" and my wife's birthday?
Seems to me that forcing too-secure passwords onto your users is bound to be insecure in the end.
Won't work (Score:4, Insightful)
Re:Won't work (Score:3, Insightful)
2.) Use the cluster to attack the users' passwords
3.) Bing! You've got a way to isolate the users with insecure passwords without annoying everyone else by bugging them about their (already secure) passwords. After one or two talks about how to create strong but memorizable passwords most users should get the trick
4.) Set modest password lifetimes. Every user may provide his/her own password, but after 90 or so days the password will be (temporarily?) a
choose long pass-sentence or write down (Score:5, Insightful)
A) Either use a pass-sentence instead of just a word; most modern systems allow for rather long passwords. Since the sentence makes sense it is easy to remember. Since the sentence has many characters, it is pretty hard to crack with current tools. Dictionary tools may change this, but place a few strange names or made-up words in the sentence and you are much safer than with any 8 char password today.
B) If stuck with old systems, I usually recommend the secretaries to write their passwords down. YES! Compare the risks: the chance that one of the ~250 daily stupid attempts to guess passwords from random idiots succeeds is MUCH larger if people are told to remember their passwords. They'll automatically choose simple ones. I guess about two or three passwords in our own system per week. If they choose a very complicated passwd and write it down, then an attacker needs to be physically in the office to steal it. If the guy is physically in the secretary's office, he has no problem getting everywhere anyway and we have much bigger problems.
Cheers
Long pass-sentence library proposal. (Score:2)
I propose a library which automatically selects a pass-sentence randomly from an unreferenced disk sector. The calling program presents this sentence to the user and gets him/her/it to type the first character of each word of the sentence. If he/she/it gets it right, that is their new password, and the program calls erase_sentence() to overwrite the sentence in the unreferenced disk sector with zeroes.
int find_sentence() : Read a random sentence on the unre
Advice (Score:4, Insightful)
Most modern password systems allow an almost arbitrary length password, and randomly generated passwords are not working - people simply write them down in order to remember them.
Take a phrase that is meaningful to the user, say, 'My car is a red Ford', and add some simple obfuscation, 'My c@r is a red-F0rd!', and you have a phrase that is not only easy to remember, but is going to take a lot of effort to brute-force.
Passphrases (Score:2)
I keep wanting to write a variant on Diceware that builds grammatical sentences by taking a valid syntax and plugging in random verbs, nouns and adjectives in the right places.
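A generator along the lines this post wishes for, as an added example (not the poster's code and not Diceware itself): a fixed sentence template whose slots are filled from per-part-of-speech word lists. The word lists are constructed toys of eight entries each so the arithmetic is easy to follow; a deployable version would load lists of thousands of words. The point worth seeing in code is that the grammar adds memorability but no entropy: only the random slots count, and they must be filled with a CSPRNG.

```python
import math
import secrets

# Constructed toy word lists (eight per part of speech). Diceware-sized lists
# of thousands of words per slot would give roughly 12-13 bits per slot.
WORDLISTS = {
    "adjective": ["green", "silent", "rusty", "purple", "hungry", "tiny", "brave", "sleepy"],
    "noun": ["toad", "lantern", "pillow", "comet", "kettle", "walrus", "anvil", "violin"],
    "verb": ["chase", "paint", "borrow", "juggle", "follow", "polish", "rescue", "tickle"],
}

# One valid syntax: "the ADJ NOUN VERBs the ADJ NOUN". The fixed words are
# part of every sentence, so an attacker knows them; they carry no entropy.
TEMPLATE = ("adjective", "noun", "verb", "adjective", "noun")


def generate(choose=secrets.choice):
    """Fill TEMPLATE with independently, uniformly chosen words.

    `choose` defaults to secrets.choice (a CSPRNG); random.choice would make
    the output predictable from a few observed sentences. It is a parameter
    only so a test can substitute a deterministic chooser."""
    adj1, noun1, verb, adj2, noun2 = (choose(WORDLISTS[slot]) for slot in TEMPLATE)
    return f"the {adj1} {noun1} {verb}s the {adj2} {noun2}"


def entropy_bits():
    """Entropy of one generated sentence: sum of log2(list size) over the
    random slots, because each slot is chosen independently and uniformly."""
    return sum(math.log2(len(WORDLISTS[slot])) for slot in TEMPLATE)


def sentences_needed(target_bits):
    """How many independent sentences must be chained to reach target_bits."""
    return math.ceil(target_bits / entropy_bits())


if __name__ == "__main__":
    print(generate())
    print(f"{entropy_bits():.1f} bits per sentence; "
          f"{sentences_needed(80)} sentences for 80 bits with these toy lists")
```

With eight-word lists a sentence is worth only 15 bits, which is why real implementations use large lists: the grammar is free, the entropy comes entirely from list size times slot count.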
Re:Passphrases (Score:5, Funny)
Or I could just send you the documentation we got back with the last project we outsourced to India.
My technique. (Score:5, Interesting)
Now, this is NOT my password, but it may have been at some point, but for example
As you can see, that password would be difficult to guess and crack, since it contains numbers, symbols, upper and lower case, 18 characters, and has no dictionary words in it.
Try and type that password and you'll see how easy it is to remember.
Two suggestions (Score:3, Informative)
2. Microsoft Research came up with an inkblot authentication scheme [microsoft.com] which appears to have solved this problem.
Re:Two suggestions (Score:2)
That's a very cunning thing, really - and I'm no Microsoft fan, but I must admit that's really good R&D. I'd use their system any day if I could.
Say it once, say it twice! (Score:3, Interesting)
Put 32 random bytes on a magstrip and hand it to your user. Oh but Tom, what if they lose the card or it's stolen? Yeah simple plan for that.
USER: "Yeah hello sysadmin? I lost my card."
ADMIN: "Ok. Your account has been temporarily deactivated please pick up a new card."
If you're a company/group/etc that is worried about security you can afford a keyboard with a magstrip reader (they're not that expensive).
Tom
Re:Say it once, say it twice! (Score:2, Insightful)
People will always report a loss immediately, because they cannot log into a computer and cannot clock in, and hence cannot get paid without it.
The problem with the regular users was they would lose it constantly, forcing me to issue several cards every day, and it just got to be too much hassle when they have generic system privileges anyway.
I wanted to
Re:Good idea... (Score:3, Insightful)
This is like having your credit card stolen. It's in your best interest to get on top of that as soon as possible.
Tom
Cut n Paste! (Score:3, Interesting)
----
I'm sure I'm not the only one who occasionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious, no randomization/separation of key sequences) but things like !@()ZX>? or QW./>?wq
Hell, half the time I remember friends' phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Tactile memory (Score:2, Interesting)
Simple ... (Score:2)
To paraphrase: pick a simple phrase that is silly, such as "green fruit stink" or "toadies are easy". Further, "...a longer passphrase of a limited character set is stronger than a shorter passphrase of a larger character set...".
It's secure, easy to remember and robust against dictionary attacks. Just takes a little longer to type. And if you are using old LM on NT where only the first 8 letters are used and this is useless, you deserve everything you get.
here's a start... (Score:3, Insightful)
Isn't it about time we realize that if users do things like sequencing or recycling, the password is no more secure than if users were allowed to keep using the same original "secure" password to begin with?
Not so hard... (Score:2, Funny)
Forget passwords. (Score:5, Informative)
Re:Forget passwords. (Score:2)
USB thumb drive key, since most computers seem to have a USB port. It would store a list of passwords, and the passwords could be incredibly complex, like a kilobyte for a single password.
Next, we need to encourage keyboard makers to make a biometric fingerprint ID thing on them.
To unlock the USB thumb drive key thing, just use your fingerprint in combination with an 8 character password. Now, is a fingerprint comp
Re:Forget passwords. (Score:2)
Even without the biometric ID on it, it's still secure, at least as much as ATM cards. They only require a card and a 4 digit PIN.
Re:Forget passwords. (Score:2)
Good idea, but make sure to have back-up thumb drives too.
Re:Forget passwords. (Score:2)
...and makes a DoS attack trivial.
Password expiry linked to password complexity (Score:2, Interesting)
If I chose a password of "random", the computer could reject it and not allow me to use it.
If I chose a password of "r4nd0m11" it may allow me to use it for a month due to it being complex.
If I chose a password of "1tst00b4dth4t1c4ntyp3l33tsp3aks0w311", it may allow me to use it for 3 months.
All of this could be controlled by a policy created/configured by the system administrator and could include things
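The two policy ideas in this thread, the five-rule checklist given earlier (8+ characters, mixed case, digits, no dictionary words, non-alphabetical characters) and this post's idea of tying password lifetime to complexity, can both be written as a few lines of policy code. The following is an added example, not anything from the thread; the dictionary is a constructed toy set, "non-alphabetical" is read as "neither letter nor digit" (an assumption, since digits are covered by their own rule), and the entropy estimate is the usual length times log2(alphabet used), which is generous for human-chosen passwords but good enough to tier. The lifetime tiers deliberately use the entropy estimate rather than the checklist, so that a long lowercase-and-digit password like the post's third example still qualifies.

```python
import math
import re
from datetime import timedelta

# Constructed toy dictionary; a real check would load a full wordlist.
DICTIONARY = {"random", "password", "letmein", "welcome", "dragon", "monkey", "secret"}

LOWER, UPPER, DIGIT, OTHER = (
    re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def contains_dictionary_word(pw, dictionary=DICTIONARY, min_len=4):
    """Case-insensitive substring match; words shorter than min_len are
    ignored so that 'a' or 'is' inside a long passphrase do not trigger it."""
    lowered = pw.lower()
    return any(word in lowered for word in dictionary if len(word) >= min_len)


def rule_violations(pw):
    """The thread's five-rule checklist, returned as the list of rules the
    password fails (an empty list means it satisfies all five)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (LOWER.search(pw) and UPPER.search(pw)):
        problems.append("missing lowercase or uppercase letters")
    if not DIGIT.search(pw):
        problems.append("missing a digit")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if not OTHER.search(pw):                       # assumption: symbol, not digit
        problems.append("missing a non-alphabetical character")
    return problems


def estimated_bits(pw):
    """Rough entropy: length times log2 of the combined size of the character
    classes actually used (33 printable ASCII symbols assumed for OTHER)."""
    classes = ((LOWER, 26), (UPPER, 26), (DIGIT, 10), (OTHER, 33))
    alphabet = sum(size for pattern, size in classes if pattern.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def allowed_lifetime(pw):
    """Complexity-tiered expiry. None means the password is rejected;
    otherwise the returned timedelta is how long it may be used."""
    if len(pw) < 8 or contains_dictionary_word(pw):
        return None
    b = estimated_bits(pw)
    if b < 40:
        return None
    if b < 80:
        return timedelta(days=30)   # 'r4nd0m11' lands here: 8 chars from 36 symbols
    return timedelta(days=90)       # long leetspeak sentence lands here


if __name__ == "__main__":
    for candidate in ("random", "r4nd0m11", "1tst00b4dth4t1c4ntyp3l33tsp3aks0w311",
                      "2943768", "My c@r is a red-F0rd!"):
        print(f"{candidate!r}: {estimated_bits(candidate):.0f} bits, "
              f"lifetime={allowed_lifetime(candidate)}, "
              f"violations={rule_violations(candidate)}")
```

The dictionary substring check is the part that matters most in practice: the estimate alone would credit "Password1!" with over 65 bits, while the wordlist check rejects it outright.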
Password Overload (Score:5, Insightful)
The more important and sensitive systems get strong passwords. The web-based tool I use to diagnose hardware issues in equipment that isn't even online? It gets something easy to remember.
For non-technical users, the situation is worse. If you get too psychotic in your password policies, they're just going to write them down on a post-it they stick to the underside of their mousepad if they're being circumspect, and right to the monitor if they're not.
If you're dumb enough to run a system so braindamaged that it allows brute-force attacks and so insecure that running a decrypt on a password file gives the bad guys the keys to your palace, you need a strong password policy. You will also deserve to be mocked when a soceng hack allows someone into the building to look closely at any monitors bearing post-it notes.
Password security is the last refuge of the incompetent sysadmin or web developer. Careful separation of user roles and discouraging escalation of privileges is more important than someone using gpe~9u?bi4 as their password for this week.
SoupIsGood Food
For what purpose? (Score:2)
It's always amused me that online access to my credit card account requires an unmemorable 8 digit number, a username and a password. However, the *worst* thing anyone gaining access to that account could do (apart from see how I've been spending my money) is to pay my bills for me. I really don't think much protection is required to stop people doing that.
Most of the things that I might reasonably want to protect are in my hous
Re:For what purpose? (Score:2)
However, the *worst* thing anyone gaining access to that account could do (apart from see how I've been spending my money) is to pay my bills for me.
And what exactly is stopping them from paying a bill to their own account?
Spouse's name (Score:5, Funny)
If you think it's a weak policy for your organization, then your employees aren't changing their spouses fast enough....
"easy-to-remember passwords..." (Score:2)
For what it's worth, after you are assigned passwords on a few systems this way, it can be almost impossible to keep them straight in your head. If you're only dealing with users with accounts on one system - this isn't too bad.
Other options include things like (radius?)server systems - where you carry a dongle around which always spit
AOL have the answer! (Score:2)
TYPE-BORDER anyone?
I Cant Remember Anything (Score:2, Insightful)
Mnemonics (Score:3, Interesting)
Perhaps instead of offering people simply randomly generated numbers and letters, or even pronounceable versions thereof, why not offer a variety of phrases along with the resulting hash after filtering it through 'leet' speak?
By the way, I did not RTFA, so I apologize if this is -1 Redundant
The method I use (Score:2, Interesting)
ex: Kanarian
Then add a few touches to "alien it up a bit"
ex: !K@N@rI@n!
Then when I need to change the password, I just make up a member to the race, and do the same changes to it.
ex: !B@ThooS@n!
Fairly easy to remember, and doesn't matter if the names are stupid, nobody's supposed to see them anyway.
Profanity! (Score:4, Interesting)
Re:Profanity! (Score:3, Interesting)
Some years back, I saw a fun example of the benefits of this. I worked in the computer center of a large university, where there was a big Univac mainframe used by many departments for heavy number crunching. One thing rather dubious about its security was that every file could have a pair of read/write passwords - and the admins could get a printout showing "rpwd/wpwd filename" for any user's files.
The head of the computer center (let's call him "Bolton" to prot
Discover VMS (Score:3, Insightful)
It works like this: This has been in VMS since the mid-80s. The sysadmin can also mandate SET PASS/GEN and set a maximum password lifetime (after which the user has to set a new password before logging in).
This concept could be easily modernized with non-alphabetical characters and longer passwords.
Easy (Score:2)
In the forests of the night (Score:5, Insightful)
Password Helper
Use the Password Helper panel to pick a secure password.
From Mac OS X 10.4.
cryptographically strong (Score:3, Informative)
You can try to force users to use "strong passwords" or "good passwords", but passwords can't be "cryptographically strong".
Obscene Nonsense (Score:2, Informative)
1. Come up with a phrase that is meaningful only to you -- not a quote from a book or movie. For example, let's say that your first dog's name was Samael and that you have never told anyone that you thought Samael was a reincarnation of the infamous hell-hound Kerberos. Yes, h
Accept human language properties (Score:2)
If I remember correctly, human language has about two bits of information per character at average. So if you want a cryptographically strong 128bit passw
NOT more secure! (Score:2)
1. Stickies with passwords attached to monitors, underneath keyboards, etc.
2. The SAME password used everywhere (web, work, etc.).
Passwords have finally reached the end of their life. Smart cards, SecurIDs, biometrics are a MUCH better choice.
use a phrase (Score:2)
Of course this won't have to be repeated every few minutes, but could work as a "master password" to unlock all the other passwords a user needs.
In cases where only short passwords can be used, let the computer choose one, and save it into the password keyring.
just my
strong passwords not useful... (Score:2, Interesting)
The argument for having strong passwords almost always goes: "There are 200,000 words in the English language. A computer can test all of those words within seconds: Therefore it is necessary to have strong passwords."
Then we get recommendations on how to make a password secure (and yet, it's not to use a secure ID token with it). To avoid a brute force attack make the minimum size of passwords over 7.
Most people have lame passwords (Score:2)
SELECT COUNT(*) AS numof, password FROM users GROUP BY password ORDER BY numof DESC LIMIT 100
The rest of the top 100 are mostly kids or pets names or soccer teams. The most prominent are ones like 'harry', 'katie', 'arsenal', 'david' or, one of the all-time l8m3r passwords like 'c
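The post's query is a useful audit of your own user table, but it only returns anything when passwords are stored in plaintext or as unsalted hashes, which is itself the finding. The added example below (not the poster's code) builds a small in-memory SQLite table from constructed sample accounts whose passwords imitate the thread's findings, runs the query unchanged, and then repeats it against the same accounts stored with a per-user random salt and PBKDF2-HMAC-SHA256: every row then groups alone, so reuse is invisible to the database and weak-password screening has to happen at the moment the password is set, not afterwards from storage.

```python
import hashlib
import secrets
import sqlite3

# Constructed sample accounts; several share the popular choices named in
# the thread. Not real data.
SAMPLE_USERS = [
    ("alice", "harry"), ("bob", "katie"), ("carol", "harry"), ("dave", "arsenal"),
    ("erin", "harry"), ("frank", "david"), ("grace", "katie"), ("heidi", "Tr0ub4dor&3"),
]

# The post's query, unchanged.
TOP_QUERY = ("SELECT COUNT(*) AS numof, password FROM users "
             "GROUP BY password ORDER BY numof DESC LIMIT 100")


def store_plaintext(pw):
    """What the query in the post implies the table contains."""
    return pw


def store_salted(pw, iterations=10_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (stdlib only); the salt
    is kept beside the digest so the verifier can recompute it.
    Iteration count is kept low so the example runs quickly."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"{salt.hex()}${digest.hex()}"


def build_db(rows, store):
    """Create an in-memory users table with each password passed through `store`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(u, store(p)) for u, p in rows])
    conn.commit()
    return conn


def top_passwords(conn):
    """Run the post's aggregation; returns (count, stored_value) tuples."""
    return conn.execute(TOP_QUERY).fetchall()


def audit(store):
    """Populate a table with `store` and run the query against it."""
    return top_passwords(build_db(SAMPLE_USERS, store))


def most_shared_count(store):
    """Largest group size the query can see under a given storage scheme."""
    return audit(store)[0][0]


if __name__ == "__main__":
    print("plaintext storage:", audit(store_plaintext)[:3])
    print("salted PBKDF2 storage: largest group =", most_shared_count(store_salted))
```

Under salted storage the query degrades to one row per user, which is the property you want; the cost is that catching "harry" has to move to a blocklist check in the password-change handler.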
Use sentences instead of words (Score:2)
Like with PGP.
Just require a minimum number of blanks and a minimum number of characters to assure that a sentence-like construction is being used.
cryptographically strong passwords (Score:3, Informative)
The same password can be used on a secure system, and some trojan web site.
They can be collected with keyloggers.
They can be told to other people.
They are less memorable, which means more password resets. Password resets will always be a weak point in the system.
For high security AND a large number of users, you HAVE to have two factor authentication.
Use phone-based password manager (Score:3, Insightful)
We can't just mandate users access our systems from "approved" sources - that flies in the face of what management is asking for: a system accessible anywhere, with reasonable security precautions in effect.
Though centralized authentication schemes like LDAP are working well for us, "legacy systems" (ie: accounting, payroll, and factory/inventory management) don't integrate with central authentication systems. Meaning that's yet another password to remember...
With users accessing our systems from so many sources, strong and frequently changed (90-180 days) passwords are a necessity. Though they need the ability to save them:
1) How important is the data in your wallet/purse? Why not just write the passwords down, store them in your wallet/purse, and then manage that. After all, if your wallet/purse has been stolen or rummaged through, there's a good chance you'll know.
2) Consider this two-factor authentication system:
Something you have: cell phone
Something you know: password to program
How many folks now have MIDP/Java enabled phones? Why not provide them with an app to securely save their passwords on their phone? With a tool like FreeSafe [sourceforge.net] they could not only store all their passwords on their cell phone, they can generate both random new passwords and One Time Password hashes.
Now if FreeSafe could only store notes, and have some sort of backup capability (which the developer says he's working on)...
Re:Passwords are so out of date! (Score:2)
Intruder: "African or European?"
Computer: "I don't know! Argh!"
(Computer crashes)
Re:Force users to remember? (Score:2)
Well, the following password is cryptographically strong, according to the above definition, but nevertheless easy to remember:
AAAAaaaa1111....
SCNR
Re:passwords..... (Score:2)
I have a
When I want it I just gpg --decrypt theFile.txt
Of course the gpg key is password protected too.
Re:too many passwords (Score:2)
It's getting there though, Kerberos is about the closest thing you'll get to a single sign on. All the unix systems support it, Windows supports it and most of the web servers support it as well. Very few business applications support it though. It's a pain in the arse to set up and requires support from the highest levels of management in an organisation. Usually there are higher priorities for the IT budget.
Re:Why bother? Crypto can be dangerous. (Score:2)
And because it's already rated so low (-1) I'm not even going to justify my reply any further than to say:
Yes, IAATM (ie. I am a Theoretical Mathematician)
Re:why not include text speak (txt spk)??? (Score:2)
That only adds a few hundred words to the tens of thousands in the standard password cracking dictionary, along with every Trek and Middle-earth related name. If you ONLY used l33t you'd be much less secure.