Tuesday, October 2nd, 2007 06:02 pm

Today's User Friendly strip makes a security point I've commented on myself many a time:  If you make your password policy demanding enough, you can force all of your users to write their passwords down, and the odds are at least some of them will leave their password notes where they can be seen and/or found by someone who shouldn't have them.  At which point your carefully crafted password policy, proof against any but the most massive distributed brute-force attack, becomes vulnerable to the pizza boy who happens to glance at the receptionist's desk while chatting her up on his way through the front lobby.

Tuesday, October 2nd, 2007 10:24 pm (UTC)
you could provide them with a secure passwd vault that doesn't live on the main system, or a palm or phone or something... and hope to god they don't use "boobies" for the passwd :) ooh, another layer of confusion!

Tuesday, October 2nd, 2007 11:05 pm (UTC)
I use 5318008

Tuesday, October 2nd, 2007 11:01 pm (UTC)
All security systems are vulnerable to social engineering, as it's called. It can be quick or it can take time, but eventually it can be done.

What I've seen of SecurID impresses me. It's not cheap, but it's better than biometrics.

"Biometrics can be fun to exploit but keeping the parts alive is tough." --darkmeval. ;)

Consider that added to the quotables. ;)
Tuesday, October 2nd, 2007 11:53 pm (UTC)
Hardware tokens are a good system, I think. As [livejournal.com profile] schneier is wont to comment, the most secure authentication systems are those that require a combination of something you have, something you are, and something you know.
Wednesday, October 3rd, 2007 12:54 am (UTC)
My sole complaint against the SecurID was that their server portion ran only on Solaris or Windows (I had a 5-unit eval kit with the server and keys for a while). But again, follow Schneier's comments that they should not be used in isolation.
Tuesday, October 2nd, 2007 11:48 pm (UTC)
When I was an IT professional, that always just bugged me no end. I don't mind tougher security for those coming in through the firewall, but for those inside, give it a break.

The other option is to assign passwords from a random character generator. That is what happened when I worked for the government. Getting a password replaced was a significant problem, but it worked. Every six weeks, we got an email notifying us of the change.
Wednesday, October 3rd, 2007 12:01 am (UTC)
At Cardima, I actually put together a little class on how to pick a strong-enough password that you can still remember. No single words, no information that can be trivially looked up about you, create something out of multiple elements that are individually meaningful to you but not to anyone else (and that wouldn't be obvious to someone else as things that would be meaningful to you). Maybe the first name of the girl you had a secret crush on in eleventh grade and never told anyone, and the place a character from your favorite book was born, separated by the first half of the license plate of the car your uncle crashed into a moose last Thanksgiving.
Wednesday, October 3rd, 2007 07:02 am (UTC)
I used to do things like the second letter of my children's middle names, in reverse order or height (or weight) which was not the same as age. You can do many things that enable you to remember a strong enough password. It just takes effort.
Wednesday, October 3rd, 2007 02:19 am (UTC)
My problem is that there are different "systems" with different password requirements, so in my work environment I end up having 4 or 5 passwords at any given time, and they all have to be different from each other. It's become VERY frustrating.
Wednesday, October 3rd, 2007 02:37 am (UTC)
I hear you. And what makes it even worse is when half the systems you have to use won't allow you to use what you consider an acceptably strong password. Classic MacOS/AppleShare, 8-character MAXIMUM password length? Come on. 4-digit maximum for your ATM PIN? Oh, puh-lease. How long does it take to brute-force a keyspace of 10K keys?

(Apparently the reason ATM card PINs are 4 digits is because some engineer's ditzy wife insisted she couldn't possibly remember a code longer than four digits. One might be tempted to respond someone that close to functionally innumerate shouldn't be trusted to manage money in the first place.)
Wednesday, October 3rd, 2007 05:12 am (UTC)
Apparently the reason ATM card PINs are 4 digits is because some engineer's ditzy wife insisted she couldn't possibly remember a code longer than four digits.

I smelled an urban legend--especially given the sexist "math is hard" stereotype--so I looked for an actual cite. Apparently it's factual, at least according to the inventor of the ATM, John Sheppard-Barron, as interviewed by the BBC: http://news.bbc.co.uk/2/hi/business/6230194.stm
Thursday, October 4th, 2007 02:46 pm (UTC)
Then somebody didn't talk to the cognitive psychologists. Almost everyone's short term memory will take six to seven individual pieces of information. Long term memory is almost infinite with enough repetition. It's that last that's the tough part and gets into activation levels, etc.

It's not a case of anyone's math skills. Short term memory length is close to universal across individuals unless there's something noticeably damaged. If someone's short term memory was less than five, you'd *notice* there was something wrong with them. Not "ditzy". Something wrong.

I believe his wife told him this, but I disbelieve that this woman couldn't remember her best friend's phone number.
Thursday, October 4th, 2007 03:02 pm (UTC)
It's not a case of anyone's math skills.

I know that. But the story very much plays to the horrid, sexist stereotype people have that "women are bad at anything involving numbers." Even if the particular story is true. And many urban legends play to negative stereotypes about various groups. So the story initially smelled like an urban legend to me.

The reason USAn local phone numbers were pegged at seven digits was that AT&T *did* talk to cognitive psychologists, and did research, and found that seven digits was the longest string most people could reliably remember.

As far as someone remembering four versus seven digits, remember that thirty years ago we didn't medicalize difference nearly as much as we do today. Variations in people's personalities, or skill levels at performing tasks such as remembering arbitrary strings of numbers, were just put down to differences between individuals and that was that.

In any event, as long as you practice reasonable security (don't write the PIN down on the card itself, or on a scrap of paper you keep in your wallet, etc.) four-digit PINs don't seem to be all that insecure. Especially since the machine "eats" the card after three incorrect guesses. What worries me more in terms of security are the debit cards that are branded with a Visa or MC logo, since those can be used for purchases just on a signature.
Thursday, October 4th, 2007 03:14 pm (UTC)
I believe his wife told him this, but I disbelieve that this woman couldn't remember her best friend's phone number.
My thought exactly.
Wednesday, October 3rd, 2007 06:05 am (UTC)
I was all set to use one of my "I can remember this without writing it down and it probably can't be brute-forced with an English-language dictionary" passwords (my passwords are based off of (at least) one of the multiple foreign languages I partially read and then mangled) for work.

And then I was told that I would have to write it down so that someone else could use it if necessary.

It's in English now, and it isn't used *anywhere* else. Fortunately, the system I work on is ancient, decrepit and confusing as hell, so nobody actually WANTS to log into it. Security through stupidity and obsolescence.
Thursday, October 4th, 2007 12:05 am (UTC)
We now have a smart card built into our badge that can be used to log into the system in lieu of password. And of course, the first week I had it, I left it in the system when I went home... (I now log in the old way, with user ID and password, since that's still allowed.)