Security Myths and Passwords
cerias.purdue.edu — A blog post by Eugene Spafford which examines password security, and the way that detrimental security practices sometimes get propagated because they're considered by many to be "best practices."
- ALLCAPS, on 10/12/2007, -0/+21: Funny bit from the linked article:
“at one location where a new policy was announced that passwords must be changed every month, a senior administrator was heard to moan ‘Do you know how much time I’m going to waste each month ensuring that everyone on my staff knows my new password?’”
- mrops, on 10/12/2007, -2/+2: I say biometrics. I am sure if we do a cost analysis, it might just be cheaper to get everyone fingerprint readers instead of bearing the admin cost for people forgetting passwords due to a strict password policy.
I am sure there is an opportunity to make money here.
Real Inventors beware: I will sue you if you use my idea.
- muyuu, on 10/12/2007, -0/+3: What idea, you asshat? Your idea was old when Kefrens started planning his pyramid.
- retawd, on 10/12/2007, -0/+3: Yeah. Your idea still owes Jesus a quarter. Your idea remembers when Baskin-Robbins only had 6 flavors. Your idea was around when it was just WD-39. Your idea left its suitcase on Noah's Ark. Your idea's Social Security # is 000-000-0001. Your idea grew up next door to the Flintstones. Your idea is old. Sorry, it had to be done. I'm drunk and kinda sorta bored.
- JeffP, on 10/12/2007, -0/+14: Another downfall of changing passwords every month is the tendency of people to choose an easily remembered password with a number on the end, and increase it by one every month...
- ohmar, on 10/12/2007, -1/+5: And the fact that it is a total pain in the ass to think up new passwords that do not include or contain words from their lists of "imaginary words".
- drgordonfreeman, on 10/12/2007, -0/+0: A variation of this is mentioned in the article: "For instance, knowing that someone uses the same password with a different last character for each machine allows passwords to be inferred, especially if coupled with disclosure of one."
- chamblah, on 10/12/2007, -0/+5: Password changing schemes can get very out of hand.
For my work billing system it's on a one month cycle. All passwords must be 6-8 characters, contain alphanumerics, no alike characters near each other, and each new password must not have the same character in the same field as the previous password.
I.e.:
1st: pas1word
2nd: as1wordp
3rd: s1wordpa
- sonthiar, on 10/12/2007, -1/+5: The administrator password here is 'adminpass.'
Please shoot me.
I just LOVE school.
- Durrok, on 10/12/2007, -1/+1: Mine used to be TT31337 so I feel ya...
- pkulak, on 10/12/2007, -0/+1: I really hope you posted that from a computer on that network.
- shelby1076, on 10/12/2007, -1/+4: Most of my users write their passwords on sticky notes & stick them on their monitors. uhhhhhhhhh
- cliffzdude, on 10/12/2007, -0/+2: "Another form of disclosure is when the holder of the password discloses the password on purpose. This is an education and enforcement issue."
Absolutely true; however, the inference that education and enforcement can "fix" the issue is a great leap of faith. In truth, especially in large organizations like ours, you can hit users with policy until you go blue in the face; however, at the end of the day some doofus will give his secretary his password. The use of a password change policy is a valid procedure here. Note it will not only limit the sharing of passwords, but it will likely enhance the odds that such policy violations will be uncovered.
The author makes a lot of assumptions regarding people that show me he has great trust in the humans he works with. Good for him! Experience on my part has shown that such trust is misplaced when it comes to user passwords. They WILL do the wrong thing, like it or not. They just get much better at keeping their policy violation a secret. Ironic they can keep the fact they share their passwords a secret.
- thecwin, on 10/12/2007, -1/+6: Our school forces a password change every 11 days, and it can't be any one of your last three passwords. All that happens is that people have a rotation of a couple of simple passwords rather than one more complex password. You're allowed a 1 character password, and it's surprising how many people have one. The amount who write their password in the front of their planner is amazing too.
It'd be far better for security if they just forced you to have good passwords of 8 characters or more. That way, the only way it's gonna be found is some cracking attempt or looking over the keyboard.. which would be able to get the simple passwords anyway. Any reasonable cracking attempts on an 8 char password would easily show up on system logs, unless they took a few hundred years ;)
Sure there might be more forgotten passwords, but they have all our pictures on file anyway, so it's pretty obvious if someone's coming to change someone else's password.. and the admins are rarely doing any work... usually just eating donuts ;)
- Durrok, on 10/12/2007, -2/+2: Hey I take offense to that! I'm usually drinking Monster and browsing Slashdot or Digg!
Kids these days... sheesh...
- pkulak, on 10/12/2007, -0/+1: No, a cracking attempt will not show up in the system log if the attacker gets a hold of the passwords file. Then she can just take the hash, set some rainbow DVDs on it and be done by morning. Though, I don't know how easy that is to get anymore. I do remember when I was in high school it was a plain text rw-r--r-- :D.
- thecwin, on 10/12/2007, -0/+0: Getting ahold of the password data would be extremely difficult... if they got ahold of that, there are more important problems (Windows server ;) those Windows password hashes for even long passwords can be cracked in a few minutes)
- CraigJ, on 10/12/2007, -1/+1: I am going to send this to my IS folks, not that they will read it. They implemented this policy about a year ago. Nobody can remember their passwords, so guess what? They write them down. It is really just a pain in the ass that doesn't do any good.
- duke, on 10/12/2007, -0/+5: Very, very true. Either that or you get "password2" replacing "password1" (simply changing the last character), and then they write it on the sticky.
Look, people just want to do their work. The last thing they need is some @ssh@t sysadmin pushing them around in a pointless waste of time. If you mess with people, they will rebel and sabotage your security to remove the burden of the stupid, arbitrary policy. Either they'll do sticky notes on the monitor, choose a ridiculously stupid password, or deliberately hack around it. All stupid policies do is to encourage people to defeat them, whereas if you explain the security issues and ask their cooperation while otherwise leaving them alone, they will cooperate and go about their business. Even if they don't cooperate as fully as you might like, it will be better than the measures they take in rebellion of the overly burdensome policy.
As for myself, I just type in something dumb when I'm forced, and then immediately change it back. As far as I can tell, all it does is to annoy me and waste time that I could otherwise spend on work.
I do have one question, though, and maybe someone here can answer it: there was an episode of theBroken where krose was explaining about nthashes and lmhashes, and why lmhashes are insecure. He made a statement about the nthash changing with every password change, and how the change itself helps to defeat cracking the password. What was unclear is whether it will change only if you type a different password. IOW, if you simply change "dumbpassword" to "dumbpassword1", and then back to "dumbpassword", will that change the nthash from what it was originally, or will it be the same? TIA, duke
- Genma, on 10/12/2007, -0/+1: Exactly, the real problem isn't methodology, it's apathy. It's the 'don't know, don't care' attitude from the rest of the staff. Even the ones who understand how every point of access can be a vulnerability have no obligation to care: "it's IT's job, not mine." What we need is more accountability; if they were held responsible for breaching I'm sure there would be a little more effort. But management doesn't work that way, they're usually just the same, hard-headed and stubborn. That's why they get targeted time and time again, it's always the same story.
- gukid, on 10/12/2007, -0/+3: Requiring numbers, characters and symbols in passwords is just a waste of effort. If I can't pick a password that I'm going to remember, then I'm going to write it down somewhere, or email it to myself. What's safer, a password that is written down somewhere, or that's just written in my mind... hmmm......
- willrawls, on 10/12/2007, -2/+5: Check out http://www.passwordchart.com , a very interesting way to generate very hard to guess passwords that are easy to generate and regenerate yet which are very difficult for a 3rd party to regenerate (without inside knowledge).
Basically, this guy has come up with a way of hashing a pass phrase into a substitution table that you can print out. Because it uses MD5 for the hashing, there are over 4,500,000,000 possible password charts.
As long as you know the pass phrase you can regenerate the password chart from any location. No information is sent from the page to the servers. Some careful thinking of how to apply it will allow each username on each system to have a unique, strong password that is easy to recreate, but only attackable with knowledge of the pass phrase or brute strength, thus rendering dictionary attacks useless.
So we can use a different pass phrase for each client (again easy for us to remember, but difficult for a 3rd party to intuit) to generate a different password chart for each client, each computer, each system, whatever.
There was a digg on password chart a couple of weeks ago. We've begun using it at a client site and I already feel better about the passwords. Granted it adds another step for creating and (when I can't remember them) regenerating them, but it sure beats the default passwords the client was using before I got here.
I should note that with careful thought by the clever, this password chart scheme could be used internally inside programs to allow for stronger lines of communication between programs, browser and web server, or as a seed to a pretty simple to implement secure storage system, essentially allowing "weak" passwords to be entered yet used in a "strong" way.
- dashifen, on 10/12/2007, -1/+1: I like it, but I still think that the passwords generated would most likely end up written down. Especially if a password generated with this tool were used as the login to a computer, people are likely to write it down so that they don't have to re-enter their pass-phrase into the chart system or because they can't at the time. A wonderful tool, though, and a nice use of client-side javascript.
- Proginoskes, on 10/12/2007, -0/+1: Wowsers! That Password Chart thingie is a horrible security killer. Here's why: If I choose a random password out of all the available characters on my keyboard, then my set of symbols is somewhere on the order of 90 or so codes/characters. If I choose a password from a "Password Chart" which I've PRINTED OUT, and STORED IN MY DESK, then I'm choosing from *36* codes!
Which takes less time to crack, if you managed to grab the password database: a 10 character password from 90 code symbols or a 10 character password from 36 code symbols?
- toddmok, on 10/12/2007, -1/+2: If you have trouble remembering your passwords then use a sentence as a password. Do not write this sentence down anywhere, just memorize it. Then your password will be the first letter of each word. It's a good thing to have proper names and numbers in the sentence too, because a proper name would be capitalized, and instead of writing an "o" when you have the word one, write the number "1". This way you have a password over 8-12 characters with different case and numerals. Also it is easy to remember because after all it is just a sentence.
- jaguarsavages, on 10/12/2007, -4/+1: Ah, I met Prof. Spafford at a security presentation a few years back (at Purdue University). Very talented guy :)
- Inthraller, on 10/12/2007, -1/+3: My school requires a password change every 3 months. The password cannot include your name and cannot have a word that is a word from the dictionary. It must have at least 1 upper and 1 lower case and must have at least 1 number IN THE MIDDLE. Oh yeah, it also has to be at least 8 characters long. You'd think I was going to school at the NSA. Once you have used a password, it can never be used again. This fall is my third semester and I'm running out of gibberish passwords that I can remember for more than a week or so.
- drgordonfreeman, on 10/12/2007, -0/+0: This blog post may be a response to the fact that Purdue (where Spafford works) recently implemented a university-wide monthly password change policy. Guess it made a little too much sense to consult the resident security expert before doing so.
- ohstoopid1, on 10/12/2007, -0/+0: A good way I use to easily complicate a password: hold Shift while you type, say, a zip code or phone number. For what it's worth...
- windhawk, on 10/12/2007, -1/+0: An Example List of Common and Especially Bad Passwords can be found at http://geodsoft.com/howto/password/common.htm. The list is a compilation of several common password lists plus some lists of common words and common names (the most common of the U.S. Census common name lists). It is worth a look to see into the mind of the average user as they select passwords.
- trakgalvis, on 10/12/2007, -0/+0: I will be forwarding that to our computer officers!
- rabasolo, on 10/12/2007, -0/+1: No digg. First of all, the title is misleading. Is the blog author saying that periodic password changes are ineffective? I totally beg to disagree. It all depends on the risk of the system. If a franchise totally depends on the security of an application---for example, a bank's financial system---then it would require, AMONG OTHER SECURITY MEASURES, periodic password changes.
The blog author cites that "any reasonable analysis shows that a monthly password change has little or no end impact on improving security!" What is his empirical evidence for this? Does he have any stats?
However, I do agree with the blog author that the protection should match the criticality of the system. "The best approach is to determine where the threats are, and choose defenses accordingly. Most important is to realize that all systems are not the same! Some systems with very sensitive data should probably be protected with two-factor authentication: tokens and/or biometrics. Other systems/accounts, with low value, can still be protected by plain passwords with a flexible period for change."
- yahoofrom, on 10/12/2007, -0/+1: ok this article is unlame.
- phpCypher, on 10/12/2007, -0/+0: a security practice always becomes insecure once it is a convention
- werunit, on 10/12/2007, -0/+0: http://www.websearchinfo.com/passwords
- Darksat, on 10/12/2007, -0/+1: This is a good article about password security
http://darksat.x47.net/index.php?topic=743.0