38 Comments
- ALLCAPS, on 10/12/2007, -0/+21
Funny bit from the linked article:
at one location where a new policy was announced that passwords must be changed every month, a senior administrator was heard to moan “Do you know how much time I’m going to waste each month ensuring that everyone on my staff knows my new password?”
- JeffP, on 10/12/2007, -0/+15
Another downfall of changing passwords every month is the tendency of people to choose an easily remembered password with a number on the end, and increase it by one every month...
- duke, on 10/12/2007, -0/+6
Very, very true. Either that or you get "password2" replacing "password1" (simply changing the last character), and then they write it on the sticky.
Look, people just want to do their work. The last thing they need is some @ssh@t sysadmin pushing them around in a pointless waste of time. If you mess with people, they will rebel and sabotage your security to remove the burden of the stupid, arbitrary policy. Either they'll do sticky notes on the monitor, choose a ridiculously stupid password, or deliberately hack around it. All stupid policies do is to encourage people to defeat them, whereas if you explain the security issues and ask their cooperation while otherwise leaving them alone, they will cooperate and go about their business. Even if they don't cooperate as fully as you might like, it will be better than the measures they take in rebellion of the overly burdensome policy.
As for myself, I just type in something dumb when I'm forced, and then immediately change it back. As far as I can tell, all it does is to annoy me and waste time that I could otherwise spend on work.
I do have one question, though, and maybe someone here can answer it - there was an episode of theBroken where krose was explaining about nthashes and lmhashes, and why lmhashes are insecure. He made a statement about the nthash changing with every password change, and how the change itself helps to defeat cracking the password. What was unclear is whether it will change only if you type a different password. IOW, if you simply change "dumbpassword" to "dumbpassword1", and then back to "dumbpassword", will that change the nthash from what it was originally, or will it be the same? TIA, duke
- chamblah, on 10/12/2007, -0/+6
Password changing schemes can get very out of hand.
For my work billing system it's on a one month cycle. All passwords must be 6-8 characters, contain alphanumerics, no alike characters near each other, and each new password must not have the same character in the same field as the previous password.
I.e.:
1st: pas1word
2nd: as1wordp
3rd: s1wordpa
- thecwin, on 10/12/2007, -1/+7
Our school forces password change every 11 days, and it can't be any one of your last three passwords. All that happens is that people have a rotation of a couple of simple passwords rather than one more complex password. You're allowed a 1 character password, and it's surprising how many people have one. The amount who write their password in the front of their planner is amazing too.
It'd be far better for security if they just forced you to have good passwords of 8 characters or more. That way, the only way it's gonna be found is some cracking attempt or looking over the keyboard.. which would be able to get the simple passwords anyway. Any reasonable cracking attempts on an 8 char password would easily show up on system logs, unless they took a few hundred years ;)
Sure there might be more forgotten passwords, but they have all our pictures on file anyway, so it's pretty obvious if someone's coming to change someone else's password.. and the admins are rarely doing any work... usually just eating donuts ;)
- ohmar, on 10/12/2007, -1/+6
And the fact that it is a total pain in the ass to think up new passwords that are not included or contain words from their lists of "imaginary words"
- inactive, on 10/12/2007, -1/+6The administrator password here is 'adminpass.'
Please shoot me.
I just LOVE school.
- shelby1076, on 10/12/2007, -1/+5
Most of my users write their passwords on sticky notes & stick them on their monitors. uhhhhhhhhh
- muyuu, on 10/12/2007, -0/+3What idea you asshat? Your idea was old when Kefrens started planning his pyramid.
- retawd, on 10/12/2007, -0/+3
Yeah. Your idea still owes Jesus a quarter. Your idea remembers when Baskin-Robbins only had 6 flavors. Your idea was around when it was just WD-39. Your idea left its suitcase on Noah's Ark. Your idea's Social Security # is 000-000-0001. Your idea grew up next door to the Flintstones. Your idea is old. Sorry, it had to be done. I'm drunk and kinda sorta bored.
- gukid, on 10/12/2007, -0/+3
Requiring numbers, characters and symbols in passwords is just a waste of effort. If I can't pick a password that I'm going to remember, then I'm going to write it down somewhere, or email it to myself. What's safer, a password that is written down somewhere, or one that's just written in my mind... hmmm......
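JeffP, duke and chamblah describe the predictable variants a forced monthly change produces: a trailing counter bumped by one, the last character swapped, or the old password rotated so that no character stays in the same position. The checker below is an added example, not anything from the thread or from chamblah's billing system; the rule names and thresholds are my own, and `naive_position_rule` is a reconstruction of the per-position rule chamblah quotes, included to show that a rotation sails straight through it.

```python
import re
from typing import Optional

_TRAILING_NUMBER = re.compile(r"(.*?)(\d+)")


def _counter_increment(old: str, new: str) -> bool:
    """'password1' -> 'password2', or 'dumbpassword' -> 'dumbpassword1'."""
    m_new = _TRAILING_NUMBER.fullmatch(new)
    if not m_new:
        return False
    m_old = _TRAILING_NUMBER.fullmatch(old)
    if m_old and m_old.group(1).lower() == m_new.group(1).lower():
        return int(m_new.group(2)) == int(m_old.group(2)) + 1
    return m_new.group(1).lower() == old.lower()   # counter appended to old


def _is_rotation(old: str, new: str) -> bool:
    """chamblah's scheme: 'pas1word' -> 'as1wordp' is the old one rotated."""
    return len(old) == len(new) > 0 and new != old and new in old + old


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'change one character and move on'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def naive_position_rule(old: str, new: str) -> bool:
    """Reconstruction of the billing-system rule quoted in the thread: no
    character may stay in the same position. True means the new password
    PASSES it, which a one-place rotation always does."""
    return not any(x == y for x, y in zip(old, new))


def reject_reason(old: str, new: str) -> Optional[str]:
    """Why a proposed password is a predictable variant of the previous one,
    or None when it is not. Compare against the last several, not just one."""
    if new == old:
        return "reuse"
    if new.lower() == old.lower():
        return "case-only change"
    if _counter_increment(old, new):
        return "counter increment"
    if _is_rotation(old, new):
        return "rotation of previous password"
    if _edit_distance(old, new) <= 1:
        return "single-character edit"
    return None


if __name__ == "__main__":
    for old, new in [("password1", "password2"), ("pas1word", "as1wordp"),
                     ("dumbpassword", "dumbpassword1"), ("pas1word", "tK9#vq2mLx")]:
        print(f"{old!r} -> {new!r}: position rule passes={naive_position_rule(old, new)}, "
              f"reject={reject_reason(old, new)}")
```

Running this against the thread's own examples shows why the per-position rule is theatre: "as1wordp" passes it while being a trivial rotation. A check of this kind belongs with the last several stored passwords, which implies keeping them in a form you can compare against (a fast hash of each, tried against the candidate's variants), a cost worth weighing before adopting the policy at all.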
- willrawls, on 10/12/2007, -2/+5Check out http://www.passwordchart.com , a very interesting way to generate very hard to guess passwords that are easy to generate and regenerate yet which are very difficult for a 3rd party to regenerate (without inside knowledge).
Basically, this guy has come up with a way of hashing a pass phrase into a substitution table that you can print out. Because it uses MD5 for the hashing, there are over 4,500,000,000 possible password charts.
As long as you know the pass phrase you can regenerate the password chart from any location. No information is sent from the page to the servers. Some careful thinking of how to apply it will allow each username on each system to have a unique, strong password that is easy to recreate, but only attackable with knowledge of the pass phrase or brute strength, thus rendering dictionary attacks useless.
So we can use a different pass phrase for each client (again easy for us to remember, but difficult for a 3rd party to intuit) to generate a different password chart for each client, each computer, each system, whatever.
There was a digg on password chart a couple of weeks ago. We've begun using it at a client site and I already feel better about the passwords. Granted it adds another step for creating and (when I can't remember them) to regenerate them, but it sure beats the default passwords the client was using before I got here.
I should note that with careful thought by the clever, this password chart scheme could be used internally inside programs to allow for stronger lines of communication between programs, browser and web server, or as a seed to a pretty simple to implement secure storage system essentially allowing "weak" passwords to be entered yet used in a "strong" way.
- cliffzdude, on 10/12/2007, -0/+2
"Another form of disclosure is when the holder of the password discloses the password on purpose. This is an education and enforcement issue."
Absolutely true, however the inference that education and enforcement can "fix" the issue is a great leap of faith. In truth, especially in large organizations like ours, you can hit users with policy until you go blue in the face, however at the end of the day some doofus will give his secretary his password. The use of a password change policy is a valid procedure here. Note it will not only limit the sharing of passwords, but it will likely enhance the odds that such policy violations will be uncovered.
The author makes a lot of assumptions regarding people that show me he has great trust in the humans he works with. Good for him! Experience on my part has shown that such trust is misplaced when it comes to user passwords. They WILL do the wrong thing, like it or not. They just get much better at keeping their policy violation a secret. Ironic they can keep the fact they share their passwords a secret.
- Inthraller, on 10/12/2007, -1/+3
My school requires a password change every 3 months. The password cannot include your name and cannot have a word that is a word from the dictionary. They must have at least 1 upper and 1 lower case and must have at least 1 number IN THE MIDDLE. Oh yeah, it also has to be at least 8 characters long. You'd think I was going to school at the NSA. Once you have used a password, it can never be used again. This fall is my third semester and I'm running out of gibberish passwords that I can remember for more than a week or so.
- pkulak, on 10/12/2007, -0/+1No, a cracking attempt will not show up in the system log if the attacker gets a hold of the passwords file. Then she can just take the hash, set some rainbow DVDs on it and be done by morning. Though, I don't know how easy that is to get anymore. I do remember when I was in high school it was a plain text rw-r--r-- :D.
- pkulak, on 10/12/2007, -0/+1I really hope you posted that from a computer on that network.
- regeya, on 10/06/2008, -0/+1Where I work, that's grounds for dismissal.
I wish I was kidding.
It's not a high-security installation.
We've not done it, but we have someone who's decided to enforce one part, and my guess is that it will become policy.
Strong passwords are a good idea, but we figure, hell, we're firewalled off, we all have shared files, we all trust each other...good times, right? It's a staff of writers, creatives, and salespeople, no devoted IT people. Me, I know enough to be dangerous, but not implement a system which won't grind to a halt when we implement this.
The policy requires a password for anything which requires a password which looks something like this: eq45i243608@#TY*$&@#Hkjbnl2{wharrgarbl}69 though you are allowed to modify that if there are limitations in the software.
Your screensaver must lock your laptop, workstation, or other device in no more than 10 minutes.
Your password may not be shared with anyone, for any reason, ever. What, you've called in because you forgot, before you went home, to inform Tech Support that Mail.app is "doing something weird" and "could you just fix it" and you can't give any more detailed information? Well, come on in; we need for you to login for us! Alternatively, do you have access to ssh and a VNC client? If not, we'll wait until tomorrow when both IT and you are in, sorry! What, there's only one IT person, he works during the day, and you only work during the night?
Any sort of group password/account is strictly forbidden.
Passwords, if stored somewhere other than your brain, must be encrypted.
Setting applications to remember a password, any kind of application and any kind of password, is forbidden (nevermind that the OS X keychain is encrypted, or that not saving your password in Mail.app is a HUGE pain in the ass; these are from two separate rules, and the rule is fairly clear about "Remember Password" facilities being forbidden.)
While there is no guideline on how often the password changes, it should not be at all similar to your last 5 email passwords.
The hell of it is, I think I'm going to have a meeting about it, after which I'll be told it will not be enforced, while we'll still have someone with a Hitler complex insisting that it be enforced. The kicker is that one thing this person's actually right on; if there hadn't been prior policy of one person knowing everyone's passwords (I know, it's incredibly dumb) and turn those passwords in, in printed form, to department heads, I wouldn't have a list. Further, if it hadn't been for a majority of people, I kid you not, when confronted with 'your password must be eight characters and must include at least one numerical digit' try to use things like 'dog', 'password',' tina', 'pickles' and the like, I would never have adopted a policy of, 'okay, if they're too dumb to work with the ISP's very simple rules, here's a list, ISP! Here's your password, users!' Also, since, as with desk drawers and filing cabinets (company policy, even on computer data: there should be no expectation of privacy with company equipment) there has to be a reasonable amount of access to your information, it seems inconceivable that the spirit of this policy was intended to completely gut existing policies, and do so with a document which gives no hints on how the company expects us to actually implement those policies.
Worse, our fileserver, since our corporate office won't shell out for new equipment, is an old G4 running Debian Etch. For the logins, since we ALL have access to the same data, all usernames are generic (such as department_1, department_2, etc for mapping to computers by desk) and the password is actually the same for everyone. The fileservice is only accessible to the outside world via VPN, and those users' 'login shell' is /bin/false. On client machines, I have an iHook file which simply mounts those shared folders for convenience sake. What, you're telling me that not only do we have to throw out that convenience, but I have to supply a means for the person to log in and change their password? And this business of the password policy on how often to change and the makeup of that password only being a suggestion...does that mean I'm supposed to, or am I even allowed to, hook up
Hey, I've got the Internet service firewalled off to the fullest extent possible, and our security is based on trust of fellow employees (if they can't be trusted, you fire their asses) plus physical security. Hell, if they're going to steal data, they're going to do it no matter what.
- regeya, on 10/06/2008, -0/+1
Some systems use shadow files now, which tend to be locked down a bit better. The field for the hash has an unhelpful 'x' in it.
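pkulak's world-readable `rw-r--r--` password file and regeya's reply about shadow files with an 'x' in the hash field describe the two states an admin wants to tell apart. The audit below is an added example, not from either poster; the passwd and shadow lines are constructed for the demonstration with placeholder hash bodies (only the `$n$` prefix matters to the checks), and the list of hash prefixes treated as acceptable is my own assumption.

```python
import stat
from typing import Dict, List, Tuple

# Constructed sample files, not copied from any host. Hash bodies are
# placeholders; the checks only look at the "$n$" prefix.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:$1$saltsalt$placeholderhashbody:1001:1001:Pre-shadow account:/home/legacy:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/bash
dept_1:x:1003:1003:Shared department login:/srv/share:/bin/false
orphan:x:1004:1004:No shadow row:/home/orphan:/bin/bash
"""

SHADOW = """\
root:$6$saltsalt$placeholderhashbody:17500:0:99999:7:::
dept_1:$1$saltsalt$placeholderhashbody:17500:0:99999:7:::
guest::17500:0:99999:7:::
"""

# Assumed acceptable crypt schemes: SHA-256/512-crypt, yescrypt, scrypt, bcrypt.
_STRONG = ("$5$", "$6$", "$y$", "$7$", "$2a$", "$2b$", "$2y$")


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Map user -> fields for a passwd- or shadow-style file."""
    rows: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for hashes exposed in passwd, empty
    passwords, dangling 'x' references and weak crypt schemes in shadow."""
    findings: List[Tuple[str, str]] = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        pw = fields[1]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw == "x":
            if user not in shadow:
                findings.append((user, "passwd defers to shadow but shadow has no entry"))
        elif pw not in ("*", "!", "!!"):
            findings.append((user, "hash stored in world-readable passwd"))
    for user, fields in shadow.items():
        h = fields[1]
        if h == "":
            findings.append((user, "empty hash in shadow"))
        elif h.startswith(("!", "*")):
            continue                                  # locked account
        elif h.startswith("$1$"):
            findings.append((user, "MD5-crypt hash"))
        elif not h.startswith(_STRONG):
            findings.append((user, "DES-crypt or unrecognised hash"))
    return findings


def world_readable(st_mode: int) -> bool:
    """True for modes like 0644 (rw-r--r--), which pkulak's file had."""
    return bool(st_mode & stat.S_IROTH)


if __name__ == "__main__":
    import os
    for user, finding in audit(PASSWD, SHADOW):
        print(f"{user}: {finding}")
    for path in ("/etc/passwd", "/etc/shadow"):
        if os.path.exists(path):
            print(path, "world-readable:", world_readable(os.stat(path).st_mode))
```

On a live host the file contents would come from `/etc/passwd` and `/etc/shadow` (the latter needs root), and the mode check on the shadow file is the one that matters: a readable shadow file puts every hash back in the position pkulak describes, regardless of the crypt scheme.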
- toddmok, on 10/12/2007, -1/+2
If you have trouble remembering your passwords then use a sentence as a password. Do not write this sentence down anywhere; just memorize it. Then your password will be the first letter of each word. It's a good thing to have proper names and numbers in the sentence too, because a proper name would be capitalized, and instead of writing an "o" when you have the word "one", write the number "1". This way you have a password of over 8-12 characters with different case and numerals. Also it is easy to remember because after all it is just a sentence.
- Darksat, on 10/12/2007, -0/+1This is a good article about password security
http://darksat.x47.net/index.php?topic=743.0
- Proginoskes, on 10/12/2007, -0/+1
Wowsers! That Password Chart thingie is a horrible security killer. Here's why: If I choose a random password out of all the available characters on my keyboard, then my set of symbols is somewhere on the order of 90 or so codes/characters. If I choose a password from a "Password Chart" which I've PRINTED OUT, and STORED IN MY DESK, then I'm choosing from *36* codes!
Which takes less time to crack, if you managed to grab the password database: a 10 character password from 90 code symbols or a 10 character password from 36 code symbols?
- Genma, on 10/12/2007, -0/+1
Exactly, the real problem isn't methodology, it's apathy. It's the 'don't know, don't care' attitude from the rest of the staff. Even the ones who understand how every point of access can be a vulnerability have no obligation to care, "it's IT's job not mine." What we need is more accountability; if they were held responsible for breaching I'm sure there would be a little more effort. But management doesn't work that way, they're usually just the same as hard-headed and stubborn. That's why they get targeted time and time again, it's always the same story.
- rabasolo, on 10/12/2007, -0/+1No digg. First of all, the title is misleading. Is the blog author saying that periodic password changes are ineffective? I totally beg to disagree. It all depends on the risk of the system. If a franchise totally depends on the security of an application---for example, a bank's financial system---then it would require, AMONG OTHER SECURITY MEASURES, periodic password changes.
The blog author cites that "any reasonable analysis shows that a monthly password change has little or no end impact on improving security!" What is his empirical evidence for this? Does he have any stats?
However, I do agree with the blog author that the protection should match the criticality of the system. "The best approach is to determine where the threats are, and choose defenses accordingly. Most important is to realize that all systems are not the same! Some systems with very sensitive data should probably be protected with two-factor authentication: tokens and/or biometrics. Other systems/accounts, with low value, can still be protected by plain passwords with a flexible period for change."
- yahoofrom, on 10/12/2007, -0/+1
ok this article is unlame.
- thecwin, on 10/12/2007, -0/+0Getting ahold of a passwords data would be extremely difficult... if they got ahold of that, there's more important problems (Windows server ;) those Windows password hashes for even long passwords can be cracked in a few minutes)
- mrops, on 10/12/2007, -2/+2I say biometrics. I am sure if we do a cost analysis, it might just be cheaper to get everyone finger print readers instead of bearing admin cost for people forgetting passwords due to a strict password policy.
I am sure there is a opportunity to make money here.
Real Inventors beware: I will sue you if you use my idea.
- drgordonfreeman, on 10/12/2007, -0/+0
This blog post may be a response to the fact that Purdue (where Spafford works) recently implemented a university-wide monthly password change policy. Guess it made a little too much sense to consult the resident security expert before doing so.
- dashifen, on 10/12/2007, -1/+1I like it, but I still think that the passwords generated would most likely end up written down. Especially if a password generated with this tool were used as the login to a computer, people are likely to write it down so that they don't have to re-enter their pass-phrase into the chart system or because they can't at the time. A wonderful tool, though, and a nice use of client-side javascript.
- drgordonfreeman, on 10/12/2007, -0/+0A variation of this is mentioned in the article: "For instance, knowing that someone uses the same password with a different last character for each machine allows passwords to be inferred, especially if coupled with disclosure of one."
- inactive, on 10/12/2007, -0/+0I will be forwarding that to our computer officers!
- CraigJ, on 10/12/2007, -1/+1I am going to send this to my IS folks, not that they will read it. They implemented this policy about a year ago. Nobody can remember their passwords, so guess what? They write them down. It is really just a pain in the ass that doesn't do any good.
- ohstoopid1, on 10/12/2007, -0/+0A good way to easily complicate a password I use, hold Shift while you type say a zip code or phone number. For what its worth...
- phpCypher, on 10/12/2007, -0/+0a security practice always becomes insecure once it is a convention
- Durrok, on 10/12/2007, -1/+1Mine used to be TT31337 so I feel ya...
- Durrok, on 10/12/2007, -2/+2Hey I take offense to that! I'm usually drinking Monster and browsing Slashdot or Digg!
Kids these days... sheesh...
- werunit, on 10/12/2007, -0/+0
http://www.websearchinfo.com/passwords
- windhawk, on 10/12/2007, -1/+0An Example List of Common and Especially Bad Passwords can be found at http://geodsoft.com/howto/password/common.htm. The list is a compilation of several common password lists plus some lists of common words and common names (the most common of the U.S. Census common name lists). It is worth a look to see into the mind of the average user as they select passwords.
- jaguarsavages, on 10/12/2007, -4/+1Ah, I met Prof. Spafford at a security presentation a few years back (At Purdue University). Very talented guy :)

