Real Security?
An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"
Common Sense (Score:5, Insightful)
Are we increasing security too much, so that the users circumvent it?
Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.
The greatest threat... (Score:5, Insightful)
Social engineering can get you a lot further than being a l33t h4x0r.
Enforcing passwords != Increasing security (Score:5, Insightful)
Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security' they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience;'.
Forced password changes (Score:5, Insightful)
If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple of numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.
Increasing versus Improving security (Score:3, Insightful)
By "increased security", do you mean increased security measures, or the increased security of the resulting system?
If the resulting system is secure because of good security measures, then not every idiot can wander in.
On the other hand, if you mean just increased security measures, which, apparently aren't resulting in a more secure system, then the "security people" are idiots for using weak security mechanisms over and over again, in a hope of increasing the overall security of the system.
Improved security measures may not be large in number, but result in a secure system. You're better off using 1 strong encryption scheme rather than 4 weak ones.
Too many passwords - so I write 'em down! (Score:5, Insightful)
So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?
So I called my bank a few weeks ago and asked them whether, if I signed a disclaimer, they would allow me to go from six pass/PIN/IDs to just a username and password of my choosing. No no no! Far too insecure.
So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!
But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.
So, I've closed my account with them. Because I think they're too damn insecure.
Re:Forced password changes (Score:3, Insightful)
Did you know that many 31337 hax0r cracking tools will straight away defeat the more lame methods for using complex passwords?
This includes swapping every known integer/alpha replacement (e=3, 0=o, l=7), e.g. if someone used h3110 as their password (i.e. 'hello' in hax0r spelling) it wouldn't take any longer than a standard dictionary attack.
Having a single password changed every 30-60 days is not that difficult. It becomes a problem where users have to maintain multiple passwords for multiple systems. This is even more dangerous for admins who have to maintain even more, and they are used to protect sensitive systems.
Re:Wait a second (Score:5, Insightful)
But unfortunately, security people are like PHBs: when they see that the reaction to their security measures is circumvention (taping passwords to monitors, etc.) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.
Re:Two minds about it (Score:3, Insightful)
Shoddy concept of security. Password cracking as we all (hopefully all) know is based on someone's inability to do something different with themselves. People tend to stick with familiarity, and there's nothing wrong with using say your dog's name bowser as a pass, but how about mixing it up !30w$eR ... it's still familiar and most crackers aren't going to spend their time regexp'ing 100mb password files when time isn't on their side.
I would go on, but work calls...
Re:password quandry (Score:5, Insightful)
Pa55J4n
Pa55F3b
Pa55M4r
Pa55Apr
Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra secure passwords, but don't make your users change them too often or this shit begins to appear.
Re:Two minds about it (Score:2, Insightful)
That was the point of the article, I thought.
What would happen if you did require medium long sentences? Users would find a way to avoid typing them. They would leave their sessions open all the time. Time them out? OK, they'll find a fancy keyboard driver insertion utility that makes the system think they're typing. And so on.
There is a balance between security and usability. You ignore it at your peril.
There is no substitute for training users. Until we see them as our allies and not our enemies or our chattel, we're condemned to these tail-chasing security games.
Security's Theory of Relativity (Score:2, Insightful)
That said, the only effective way to maintain security when it is required is to keep it usable for lUsers. We all have our keychains for PGP, but how do you make an easy to use yet secure keychain for the end user? An encrypted program on a USB key? A login on a secured central server? We still protect our own dwellings, the places we keep our most valuable items, with a 50 cent shaped piece of metal. How much more valuable is that forwarded joke sitting on your hard drive at work?
I use good passwords, and here's how (Score:5, Insightful)
Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.
So an example phrase might be: "i love to post on slashdot"
which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:
"iltp05"
That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.
Why are we hanging the security folk? (Score:3, Insightful)
Beyond that, no matter how good the solution, there are always those people who will try to end-run it. Worse still, there are those who encourage others to also end-run the system. At the top of the worse-still pile is the manager who somehow or another thinks this person would be a good security pro...
Also, blaming the universities is trite and unsophisticated. Please, folks don't go to university to learn about the real world; they go to learn theory, and play intellectual games, etc. etc. Where is the problem? Is it the people turned out by the universities, or is it the people who hire university grads to do work which demands real-world utility? So, there weren't a dozen or so graduates of technical schools, whose training would be centered in the real world, not the theory, available to do the same job, right, at a lower cost?
I find it somewhat in poor taste to hang an entire industry for what more likely is the fault of their managers... I find it more unseemly to attack universities for what they have always done, and what we expect them to do, although in all fairness, they do turn out the MBAs whose intellectual chauvinism probably has more to do with hiring the wrong qualifications for the job.
Moore's Law vs. Evolution (Score:5, Insightful)
My bank gave me a random 4-digit PIN for my ATM card. Why isn't this horribly insecure? Because the ATM eats the card after three failed attempts to enter the correct PIN.
Re:different levels of importance (Score:3, Insightful)
When setting the root/user password on SuSE 8.2 I noticed that if you set all-lowercase passwords during installation it's fine, but if you try to change it to another all-lowercase password later it bitches about it and won't let you.
I hate requirements on passwords. Displaying advice about passwords is okay, but when you have bullshit like "must contain at least one capital and number" all you do is potentially force the user into using an unfamiliar password and hence writing it down or making it trivial or something.
Too many passwords (Score:2, Insightful)
You've got separate passwords for any forums, any games, any webmail, your ISP email, any school/corporate/home/other logins, any websites, any other services that need a password, right?
Oh, and you don't have any of them recorded anywhere too, right?
Oh, you also change them regularly to something completely different but equally secure, and don't record the new password, right?
I call bullshit. Using secure passwords is all well and good, but being expected to keep a separate PW and login for every single account you have is completely insane. While I hate to say this, what we need is a _trusted_ service to authenticate who you are and then allow access to all your varied accounts.
Either that, or we need a massive push to allow using public/private keys to authenticate identity. Of course, that'd have to be linked to a concrete device to carry a key of any meaningful length. But what's the problem with this I ask, after all, people carry credit cards all the time.
If you use a smartcard to carry the key and perform biometric identification of the user, which then transmits to the {blank} that user X with key Y is logged into computer Z, at which point the {blank} considers "Is the key Y the right key for user X? and is user X authorized to do {blank}?"
All that's needed to allow this to work is a trusted authority that can issue smartcards and keys to people. As for how the authority checks identity, governments issue passports/driver licences/security clearances all the time, so obviously a mechanism exists to verify that a person is who they say they are.
And don't say 'for sites that require extra security, they can just use a password for added security'. This is wrong: we need to move from a security system which verifies on the service end based on information provided by the client to a system which verifies at the client end based on information provided by the service.
Re:Common Sense (Score:4, Insightful)
a) your procedures must make sense to your users. Sometimes this means education, other times (more often, in my experience) it means having intelligent procedures.
b) Your procedures have to generate the minimum amount of work required to be effective. Duplication of work or extra work that people have to do (like forcing a stupid click through quiz) without an obvious benefit will just piss people off. And when you piss people off, they don't feel like following your rules.
This doesn't mean you don't need strong rules, but you have to present them in such a manner that people feel comfortable with them, and not like you're being a bitchy secadmin.
Oh, and you need to remember that your job is to keep the network safe and clean so that it's accessible - just locking everything down so that everything is unusable is NOT a real security policy!
Why multiple passwords (Score:1, Insightful)
Or to put it simply, do you want the paypal admin to log into your amazon account?
This was a technique to steal accounts back in BBS days- you'd set up your *own* BBS, and wait for the users. Some of them you would recognize, and some of those would use the same password as elsewhere. Statistically effective.
This is almost never a reason to not reuse a password (I have about seven passwords I use, but even there is a whole lot of repetition, and I have some themes I base it on- otherwise, I'd only run about one or two), but it is the reason behind *part* of the mess.
I can't really defend having to change a strong password, and if they want it changed sometimes all they would need to do is just force a change once every year or two- everyone I know at work just has theirpassword1, theirpassword2... and when the system complains about that, you just find a way around it. So the net effect is that a hypothetical cracker takes maybe 10 times as long to check 0..9 postpended, assuming they don't do that already.
Re:Wait a second (Score:3, Insightful)
The people who "designed" these systems are not people who are used to thinking about security, or even know how to think about security. Criticizing the entire field of security professionals based on these systems is like complaining about doctors being incompetent because the miracle cure you bought off the internet made you sick.
Tog's criticisms are valid, but he aimed wide in directing his ire. Similarly, I suggest that your statement "security people are like PHB's" is incorrect, and you actually mean "security frauds are like PHB's."
But are they actually good? (Score:1, Insightful)
The point being that your passwords use letters with a biased distribution, and there is a fairly strong correlation between consecutive letters. So the entropy is very low, and a markov-chain attack could crack these quite easily, even with some lame numeric substitutions.
Re:I use good passwords, and here's how (Score:3, Insightful)
"iltpos" or "hthayt" has much less entropy than "ilcpskl" (which a computer gave me). Knowing you use this system, a hacker can download a bunch of ebooks and process them to generate a Markovian model of the English language. That would represent that letters appear at the starts of words with different frequency, and even (with work) that the frequency changes depending on how far you are in the sentence.
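The two objections above (leet substitutions barely slow a dictionary attack; phrase-derived passwords score low under a letter-frequency model) can be turned into a policy check that tells a user why a password was rejected. This is an added illustration, not code from the thread: the wordlist is a constructed stand-in for a real dictionary, the English letter frequencies are the usual published approximations used in place of the word-initial or Markov model a real scorer would train on a corpus, and scoring non-letters as uniform over [a-z0-9] is an assumption.

```python
"""Password-policy checks for two points raised in the thread.

1. Leet substitutions (h3110 for hello) add almost nothing against a dictionary
   attack: a checker (or cracker) simply undoes them before comparing.
2. A password built from the first letters of an English phrase is scored by a
   letter-frequency model below the 4.7 bits per letter that a "random-looking"
   string suggests.
"""
import itertools
import math

# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = {"hello", "password", "sneakers", "bambi", "letmein", "bowser"}

# Reverse map for the substitutions mentioned in the thread (e=3, o=0, l=1/7, s=5, a=4).
LEET = {"3": "e", "0": "o", "1": "l", "7": "l", "5": "s", "4": "a", "$": "s", "@": "a"}

# Approximate relative frequency (%) of letters in English text.
ENGLISH = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}
OTHER_BITS = math.log2(36)  # assumption: non-letters scored as uniform over [a-z0-9]


def leet_variants(pw):
    """Every reading of pw in which each leet symbol is either kept or undone."""
    options = [(ch,) if ch not in LEET else (ch, LEET[ch]) for ch in pw.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}


def in_dictionary(pw):
    """True if pw, or any de-leeted reading of it, is a dictionary word."""
    return any(v in WORDLIST for v in leet_variants(pw))


def model_bits(s):
    """Surprisal of s under the English letter-frequency model, in bits."""
    return sum(-math.log2(ENGLISH[ch] / 100) if ch in ENGLISH else OTHER_BITS for ch in s)


def uniform_bits(s):
    """What the string would be worth if every character were a uniformly random letter."""
    return len(s) * math.log2(26)


def leet_bits(pw):
    """Extra work the substitutions cost an attacker: one bit per substitutable position."""
    return math.log2(len(leet_variants(pw)))


def estimate_bits(pw):
    """Attacker-eye estimate: cheapest de-leeted reading under the model, plus the leet bits."""
    cheapest = min(model_bits(v) for v in leet_variants(pw))
    return cheapest + leet_bits(pw)


def check_password(pw):
    """A small report a policy check could show the user instead of a bare 'rejected'."""
    return {
        "dictionary_word": in_dictionary(pw),
        "estimated_bits": round(estimate_bits(pw), 1),
        "naive_bits": round(uniform_bits(pw), 1),
        "leet_bits": leet_bits(pw),
    }


if __name__ == "__main__":
    for pw in ["h3110", "iltp05", "ilcpskl"]:
        print(pw, check_password(pw))
```

For "iltp05" the two substitutable positions are worth exactly two bits, which is the whole gap between the "unintelligible" string and the phrase it came from.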
is everyone missing the point? (Score:2, Insightful)
The point is not to be secure from unathorized access. The point is to be secure from liability!
If users resort to stickies then they are the ones violating policy, not the hospital administration. Go ahead and use your associates login while you wait forever for IT to give you access.... as described in the article. But do so and you take responsibility for having violating the rules. Wait until you get your own login (as the company policy probably says you should) and you will not incur such liability.
As long as technologists ignore the real world, we will not have functional IT. It may be painful to wait for the system to solve its real world problems (just imagine the doctor simply not doing any work until she got her login account several weeks into the job), but unless we let the whole system find and fix its mistakes, we will keep chasing our tails. It is certainly not about whether or not certain passwords are more secure than others.
Don't know my own password (Score:5, Insightful)
I've been accused (Solaris sysadmin) of tricking the computer into not needing a password for my login name -- because I type it so quickly, it seems like I've just typed some random gibberish (which I sort of have). Keeps lookers guessing, too. My typical passwords are 12-18 characters in length -- but they seem a lot shorter.
As you've no doubt guessed by now, I love this method. I can also "memorize" dozens of unique passwords and never seem to forget one -- even one I haven't used in many months! When I see passwords like "password7", I just smile; seems to me, mine are just as easy to remember.
Just hope I don't someday encounter a Dvorak!
Re:password quandry (Score:2, Insightful)
So instead of thinking of some random combination I just found a pattern on the qwerty keyboard that met the requirements. This is far less secure than what I would have chosen since anyone who catches me typing in my pass can instantly recognize it.
The whole thing is retarded anyway. I, the user, should be allowed to choose my password and its appropriate level of security. The system runs Unix and I have no permissions to anything but my own stuff. There's not really much damage that could be done aside from wiping out my personal things, so why bother with such strict security?
Re:My personal favorite (Score:2, Insightful)
- the first three letters of your mother's maiden name
- the number of fillings you have
Stick 'em together and you have a seven or eight character password that looks like garbage but still can be remembered by the user.
That is the most cryptographically weak password I've ever heard of. Maybe not the most, but it's even worse than "password" or "sneakers" because people probably think they are doing good.
That's like asking someone to use their birthdate with their initials tacked on. Just because something looks random...
I think most license plates have 6 characters on them? So now I can just watch which car a target drives in. Mother's maiden name? a little social engineering or a spammy e-mail. And good grief, the number of fillings they have? Even if I didn't want to just take a couple pot shots (how many people have more than 10 fillings? 20?), that's not exactly a state secret.
You might do well to read a book or two by Bruce Schneier [amazon.com]
Most hacking are inside jobs (Score:3, Insightful)
Only about 20% of the attempts are actually people attempting to use exploits, bugs, or brute-force a password. There are measures against this 20%, but the other 80% has to be handled by educated employees or a policy that is followed.
I have seen some people still have access months if not years after leaving or being let go, which is just bad sys management.
Human error is 90% of the security threat...
Security is just passwords (Score:2, Insightful)
Security is the process by which you determine if somebody is allowed to see the information concerned - this hinges on who they are and what they are trying to access.
How do you prove you are who you say you are?
This is actually a very difficult question.
That aside (for now), all security/identity is built around 3 things:
1) Something you know (usernames, passwords, etc)
2) Something you have (secureid cards, tokens, passes, etc)
3) Something you are (biometrics, fingerprints, retina scans, genetics, etc)
The first two are easily overcome with some creative thinking - read Kevin Mitnick's "The Art of Deception".
The third has the same problems the other two have - how do you establish identity to begin with?
Anyone can claim an identity, all you need is the documentation to "prove" it and these can be forged or obtained with little effort. So how can you ever really know who you are dealing with?
Re:Sure, your bank account first (Score:3, Insightful)
Wrong.
The first priority of security is to raise the cost of breaking the security above the value of the benefits of breaking the security.
If anything about the security makes it fail, then it has failed.
In the vast majority of common cases, security needs to be easy enough to use, or people won't. When it fails that way, it's partially the person's fault and partially the security's fault... but whatever the ratio it's certainly not 100% the person, because it's always a game of probabilities and risk assessment.
Making security hard decreases the value of the secured item for the people who are supposed to be using it. Make it hard enough and it will exceed the value of the thing being secured. Then it's not just pointless, but of negative value. Making security easy is a high priority unless the secured item is of high enough value to make devaluation not enough of a concern to be worth worrying about.
The idea that security should be hard is unfortunately a very poisonous one, because people then assume if it's hard, it must be security. Then we end up with shitty systems like "airport security" that decrease the value of the airline system while doing nothing to increase true security. The best way to attack this problem is to remove the false idea that "security is not supposed to be easy", i.e., security should be hard.
Re:Two minds about it (Score:3, Insightful)
I don't know if you intended that to be funny, but I almost snorted milk all over my keyboard when I read it. Good one.
Re:I disagree with the article (Score:2, Insightful)
Password expiry is no better than having no passwords at all, whether user-generated or automatically generated. The first thing that happens after they run a computer-generated password tool is to write it down. Thus, these tend to be much worse than letting the user pick the passwords. At least user-generated passwords can generally be remembered, and thus require at least a little effort to obtain. :-)
However, if the user is choosing them, you'll have most folks either making stupid changes like you describe or rotating between a handful of passwords that they can remember. The rest will write down their new password. Thus, password expiration still buys you nothing, and may still make things worse, but at least it is less likely to do so than with computer-generated expiring passwords.
Besides, if you don't give anyone your password and only send it over encrypted channels (you do turn off telnet, right?), then the password changing can't have any benefit. If someone tries to guess your password, there should be the exact same chance that the new one will be guessed as the old one... except that the human factor means that the passwords will gradually get worse as you expire more passwords.
The only way that the probability might be different is if someone were trying to guess a given account's password with continuous login attempts spread over a period of several months (in which case you might get lucky and change it to something that had already been tried). If that's happening and your network admin hasn't caught on... well, you know where the real security problem lies. On the other hand, someone might check the same set of obvious passwords again, in which case changing the password to something that had already been guessed would make things much worse. The only way that password expiration can improve security is if your password is periodically compromised, in which case the solution is to prevent the compromise instead.
In short, expiring passwords either has no impact on security or makes your system less secure. It simply isn't practical to expect people to remember a dozen different passwords that change every month, every three months, or even every year.
If you really need high security, use a SecurID system where you have a PIN number that never changes and a constantly changing number generated by a device that fits in your wallet or hangs on your keychain. If $65 every three years is too much to pay for the security of their account, there's nothing in their account worth protecting anyway, so you should relax, let them have Bambi as their password, and repeat to yourself "it doesn't matter".
Re:Missing the point of the article (Score:3, Insightful)
The doctor is one of twelve people in the world with a degree in orthorhinocolonoscopy. He makes $120,000 a year. You really think they're going to let you punish him?
More to the point, discouraging employees from writing down passwords may be a good idea in some places, but these people are trying to get their jobs done. If they can't get their jobs done, you don't get paid. Every time they forget their password and have to wait for an IT person to fix it, every time they have to run five flights of stairs to check their data, the less likely the department turns a profit and the more likely you get fired.
if allowed to get to a third offence, it is either them or me - and I'm betting it is them, and damn the unions and labour relations - they're unfit for the job.
Who cares if they have a 172 IQ, two doctorates and know more about their field then any other person in the world? If they can't jump through your hoops, then of course they aren't fit for the job.
Re:Definitely (Score:2, Insightful)
Me too.
I also use a three... make that four tiered system.
a. simple (slashdot, new york times, etc.)
b. medium (unprivileged accounts, e-commerce)
c. banking (banks only)
d. secure (longer and root only)
I only have one simple password. I have two medium passwords, one banking password and one secure password. Other than the simple one, they are all 8+ characters long and random.
I generate them by banging on the keyboard, holding shift and banging some more, releasing shift and banging some more. Then I click-select-drag-drop-repeat a few times and then start deleting characters at random.
I then write the newly christened password down on a small piece of paper and carry it in my wallet for a few days until my fingers have memorized the sequence. I then eat it.
As for changing passwords, what's the point in that? If you have a strong password and you (or your systems admin) are at all alert to long-running brute force attacks on your account, then a hacker has the same chance of guessing your brand new password in X hours as they do of guessing your old password in X hours.
Strong passwords are good security. Rotation discourages strong passwords. QED.
BTW, if one noticed a brute force attack underway in the logs, would one change the password? Or change the account name?
Security idiots (Score:3, Insightful)
I can't believe you people. This is the kind of thinking that saddles the rest of us with security nazis. This isn't GURPS, it's real life. There aren't muggers out there gunning for access to your computer system. There aren't Tempest-equipped Secret Agent Persons sniffing your authentication fields. You don't really need that tin-foil hat, and you don't need to make the rest of us wear one, either. Maybe if this was a matter of national security, but it's not.
"Gimme your iButton and PIN or I'll blow your fucking brains out" is *exactly* equivalent to "gimme your password or I'll blow your fucking brains out".
Re:Two minds about it (Score:3, Insightful)
Have you been mugged lately? Now which do you suppose your users are going to give up... Their right ear or their pin # and ibutton?
You're technically correct, but the scenarios are not reasonable.
Unless you have access to very valuable data, nobody is going to mug you for your iButton and pin, they'll take your cash and throw your wallet away. The average mugger won't even know what an iButton is, much less how to use it or that a pin may be necessary.
If you do have access to data or systems valuable enough for rubber hose crypto to be considered, you'll have other measures in place like physical access control and a security officer to call who can lock your account immediately.
At the same time, surely you realise that in any situation where you might turn over your iButton and pin, you'd also turn over your password.
In most cases, someone sophisticated enough to slip into your work area and use devices that can sniff rf emissions from the cable will have bigger targets in mind. If you are such a bigger target, once again, physical security should be sufficient to keep strangers away from your machine.
The important thing to remember about security is to use an appropriate level. 90% or so (at a guess) have access to rather boring information. If you can keep kiddiez out and avoid random worms and trojans, you'll be fine. I do NOT enjoy boilerplate PowerPoint slides nearly enough to actually try to gain access to yours or anyone else's (and risk felony charges).
If you're concerned about industrial espionage, you'll gain a lot more security with an alarm system, a firewall, and careful HR procedures to avoid hiring the competition's spy (and issuing him an iButton and PIN, etc.).
In all areas of security, it's common to see great deals of money and trouble thrown at the 'front door' while ignoring the back door. Things like steel doors with 3 deadbolts next to an unmonitored picture window. Home security systems with pin numbers, sensors, and blinkinlights that can be trivially disabled with a hammer (WHACK, rip) faster than you can enter your pin. If criminals weren't so stupid on average, they'd be worthless.
Consider the billions being spent on nifty new airport security. Consider a deadbolt on the flight deck door.
A big point is that unless security upgrades are very nearly painless for users, they'll find a way to disable it (probably completely disable it) and reduce your security level.
The iButton is good since it defeats MOST intruders while not presenting any great inconvenience to the user (which is probably made up for by the 'cool factor').
The other big danger in security is pseudo security. That is systems and devices that sound quite secure but are trivially bypassed, like fingerprint scanners that can be tricked by breathing lightly on the pad to 'reactivate' the latent print left by the user. Another is over-estimation of the security provided.
Summary, more is more until it is too much, then it becomes less :-)
But does the website encrypt the password? (Score:4, Insightful)
And speaking of security, don't you just love those websites that continue to ask you to enter your requested password, all done in 128 bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email.
Many websites store passwords in cleartext (hence, they can send it back to you in an email.) They do it for a variety of stupid reasons (a programmer couldn't figure out how to encrypt it, or perhaps customer service likes being able to login as a user, etc.).
So, unfortunately, you can have an extremely clever password, entirely uncrackable, but you give it to a website and it's now immediately compromised. And worst of all, you can't tell if it's stored securely or not.
Thus, I tend to have a password for trivial/unknown systems (i.e., Slashdot, chat rooms, etc.) and a password for more secure systems (eTrade, online banking, etc.).
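What the post above complains about, a site that can e-mail your password back, is only possible because the site kept the plaintext. As an added illustration (not code from the thread or from any of the sites it names), here is the storage pattern that makes parroting impossible: the database holds a salted, iterated hash, login recomputes it, and "forgot my password" can only issue a reset token because there is no plaintext to send. Assumed: PBKDF2-HMAC-SHA256 from the Python standard library, an in-memory user table, and a constructed iteration count.

```python
"""Password storage that cannot parrot the password back.

Only a salted PBKDF2 record is kept per user; the plaintext exists just while a
request is being handled. Reset is a one-time random token, not the password.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumption: cost parameter, raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password):
    """Return the record to store: algorithm, cost, fresh salt and digest, hex-encoded."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the digest under the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory account table (constructed for the example)."""

    def __init__(self):
        self._records = {}  # username -> hash record; no plaintext anywhere
        self._resets = {}   # one-time reset token -> username

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            hash_password(password)  # burn the same cost so absent users aren't timing-visible
            return False
        return verify_password(record, password)

    def request_reset(self, username):
        """The only honest answer to 'send me my password': a token, since it can't be recovered."""
        if username not in self._records:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[token] = username
        return token

    def complete_reset(self, token, new_password):
        """Consume the token once and replace the stored record with a fresh hash."""
        username = self._resets.pop(token, None)
        if username is None:
            return False
        self._records[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print("login ok:", store.login("alice", "correct horse battery staple"))
    print("wrong pw:", store.login("alice", "hunter2"))
    print("reset token:", store.request_reset("alice"))
```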