Schneier on Security
A blog covering security and security technology.
« Embedded RFID for VIP Status |
| Gladwell on Profiling »
February 7, 2006
Passlogix Misquotes Me in Their PR Material
I recently received a PR e-mail from a company called Passlogix:
Password security is still a very prevalent threat, 2005 had security gurus like Bruce Schneier publicly suggest that you actually write them down on sticky-notes. A recent survey stated 78% of employees use passwords as their primary forms of security, 52% use the same password for their accounts -- yet 77% struggle to remember their passwords.
Actually, I don't. I recommend writing your passwords down and keeping them in your wallet.
I know nothing about this company, but I am unhappy at their misrepresentation of what I said.
Posted on February 7, 2006 at 7:23 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I can see that as being a bit of grammatical legerdemain. One of the definitions of the word "suggest" means to imply as a possibility, or indicate. Substitute that in, and you have "Bruce Schneier publicly implied that it was possible that you actually write them down on sticky notes." and it's quite possible that you (and by "you" I mean the ethereal quantity of all you people out there) really do that.
Actually, they only *somewhat* mis-represented what you said. Sticky-notes *are* small pieces of paper, albeit with a bit of adhesive attached. Unfortunately, this slight addition causes people to do really stupid things, like tack them onto their monitors (not always a stupid thing to do, but when your logon creds are written on it, then it becomes stupid.)
The wording, taken outside it's original context, does rather evoke sticky notes on monitors.
Hanlon's razor would sugest we attribute this to incompetence rather than malice, but either way, it disinclines me from trusting this company.
Bruce is right -- the distinction is important. Your wallet is the safest place to keep the passwords you can't memorize and need to use away from home. I also keep a copy in a safe place at home together with the credit card info necessary to close accounts if my wallet is lost or stolen.
The real joke, of course, is security staffs that command users to use "strong" passwords, change them frequently, and write them down nowhere. LOL.
The trouble is, occasionally people lose their wallets/purses, just as occasionally they lose their laptops and PDAs.
Ordinarily one then proceeds to shut off all potentially compromised credit cards and ATM cards, and (if a checkbook is compromised) put a watch on any bank account whose routing number is now potentially in the wrong hands.
People who keep lists of accounts and passwords in their wallets then have an even bigger problem: potentially, some bad guy now owns their web access to electronic banking, pay pal, cell phone, etc. They may not even remember the URLs and account names any more, and may have trouble remembering obscure -- but abusable -- accounts that they haven't accessed in a while, the only record of which is on that piece of paper.
Even for the ones with URLs and account names that can be reproduced from memory, it can be hard to get the password changed quickly, since often the customer support organization for web access is separate from the regular telephone customer support, and can be difficult to contact by phone. In these cases, one can find oneself at a distinct disadvantage with respect to the hypothetical bad actor in possession of one's account information.
For people with PDAs, there is an alternative -- applications that store account information in encrypted form, protected by a single master password. So long as that password is well-chosen, and not re-used for some other purpose, this approach gives peace of mind even if the PDA is lost or stolen.
For Palm users, there's an excellent open source application called Keyring (http://gnukeyring.sourceforge.net/), which serves this purpose admirably.
Being misquoted is pretty infuriating... hopefully they will correct their mistake.
"If you are upset about their press release, perhaps you should only link to that and not http://www.passlogix.com/ in whole."
I couldn't find a link to the press release. I received it in e-mail.
"The real joke, of course, is security staffs that command users to use "strong" passwords, change them frequently, and write them down nowhere. LOL."
Rules of passwords:
1. Choose a password that's so complicated you can't possibly remember it.
2. Never write it down.
Well, what's more secure than a login you can't possibly use? If you can't log in, then you can't cause harm.
That's why you keep a second copy of your passwords at home, preferably on, say, a flash drive encrypted with a master password you've memorized (*cough* Password Safe). Then when you lose your wallet, go change the passwords. This is probably easier than all the other stuff you have to do when you lose your wallet, such as canceling all those *it cards and arranging new ID.
Seems like a "sticky" situation to me...
Makes me wonder what/who else they are misrepresenting in their marketing buzz to generate demand for SSO (since it apparently doesn't exactly sell itself on merit alone).
"A recent survey stated"
Any pointers to which survey?
Maybe I'll abandon the likes of Password Safe and just stick all my passwords to my monitor. After all, it's endorsed by Schneier! ;-)
Look on being mis quoted as a very minor price of fame ;)
Look out though you will soon have the Paperatz after you, to be photographed at one of those inconveniant moments such as when you stumble out of some night club in a "tired and distressed state" at an early hour of the morning ;)
I feel this happens quite often and if you were to keep track of each and every time you can go nuts :)
Wikiquote has a more useful approach I think :
As far as passwords and writing them down on a note in your wallet is concerned, a couple of things come to my mind. What about a little disinformation that I do sometimes, that is, let's say I've got 10 logins, but 15 passwords on my list.
On the other hand Just1Key( http://www.just1key.com/ ) comes handy sometimes, but it's easily abused by keyloggers.
Interesting link. I did not know it existed.
They don't have most of my good quotes. (I presume it's not ethical to post your own quotes to the site.)
Yes it's okay, moral dilemas can be solved by posting in your real name on the talk page (link marked discussion on the right.) others will then copy over the ones they think are valuable. In answer to a recent article of yours;
- the aim isn't truth, instead verifiability.
so please add links and / or references to the places where you said the thing you claim to have said :-)
- most wikipedia editors are pseudonoymous, but care about their accounts, so reputation is important.
- the others are traceable by their IP address so iff you claim Bruce Schnier said "write it on a post it note" we will hunt you down and provide evidence for the law suit which will surely follow. :-)
The wallet in Nokia series 60 phones (not 40) should be quite good for storing passwords. Has anyone done any proper cryptoanalysis on it? One big problem seems to be that it's difficult to backup to Linux.
'dilemas'? 'pseudonoymous'? 'iff'? 'Schnier'? This from a supposed editor. And Wikipedia wonders why it has a bad reputation for accuracy...
Speaking of quotes, you were on NPR the other day, Bruce, and I missed it.
You should post those sorts of things...
Sean : Wikipedia may have a bad reputation for accuracy, but I don't think it is merited. The journal Nature, which is quite serious, conducted a comparative double blind review, asking experts to compare scientific articles in both Wikipedia and the Encyclopaedia Britannica (probably not enough to be statistically significant, though, it concerned 42 entries reviewed by 42 experts). Surprisingly, they have more or less the same number of serious and minor errors. It's in the december 15th 2005 issue, page 890 and 900-901. The report is available online if you are curious. I personally think that the main problem with Wikipedia is not the accuracy, but how easy it is to quickly vandalize the entries. That certainly gives it a very bad reputation.
the password issue is symptomatic of a larger problem. people "skinware" define systems as the hardware and software they work with, but a more encompassing definition would also include the skinware in the system category, and the problem is that the hardware and software are evolving in power much faster than the skinware, threatening to leave it behind.
ideally, passwords should be at once strong enough to withstand dictionary attacks, yet simple enough for their users to remember without ever having to write them down anywhere. anytime a password is written down or entered into storage media, a new risk is created. anytime the same password is used for more than one account, a new risk is created. an obvious solution is to minimize the number of accounts; yesterday when i looked at this thread it had comments from mid-2005 and one guy said he had 70 different log-ins. that's too damn many accounts! some people need to turn off their computers and go outside once in awhile.
so far as i'm aware, the best way is still for the user to select something generally obscure, but meaningful specifically to him. as a young dodger fan long ago, my favorite pinch hitter was manny mota, who did all his talking with his bat, a respectable hair over .300 overall, but who possessed the remarkable attribute of batting between .800 and .900 when i was paying attention to the game. i grew up in zip code 90272, so a typical password might look like 9man0ny27mo2ta (except that i don't use manny mota, there are plenty of other dust bunnies between my ears). until someone comes up with a better way that meets my criteria, including no storage of any kind, no post-it notes, no wallets, no keychain drives, no nothing.
Carry your password in your wallet, but use a "password grid" to keep it secure even if it's lost.
(Unfortunately this blog isn't very ascii art friendly, but if you'll copy and paste the examples below into a text editor with a fixed pitch font, they'll look more like what I intend.)
Start by creating an 8 X 8 grid with a randomly chosen character inside each square. For example:
Now choose and memorize a pattern of squares equal to the number of characters you want in your password. For example, if you want to use 9 characters, you might choose a "T" pattern:
| | |1|2|3|4|5| |
| | | | |6| | | |
| | | | |7| | | |
| | | | |8| | | |
| | | | |9| | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
or an "L" pattern:
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
|1| | | | | | | |
|2| | | | | | | |
|3| | | | | | | |
|4| | | | | | | |
|5|6|7|8|9| | | |
Of course you can go diagonally, backward, or even jump from square to square across the grid. The pattern can be as long and as complex as you like, so long as you can remember it.
Then, using your memorized pattern, read your password from the grid. For the "T" pattern above the corresponding password would be "8m#xk5M2L", and for the "L" pattern it would be "sk9GWnC4k".
If you want or need to change your password, you can do it by replacing the grid with a new one while still keeping and using the same memorized pattern.
Mike in Miami
And so, what did they say when you called them to tell them you were misquoted?? Or are you just going off online instead of going to the real source of the problem -- if so, hope you aren't in management.
Bruce, I was very glad to see your email about how they misquoted you. I was just reviewing passlogix for my company and it concerns me that if they can't quote someone correctly how can I be sure their software is developed correctly. I'm a Six Sigma Guy, and we take things like quoting correctly very seriously. A quote is as good as data.
Mike in Miama:
That's like weak 64-bit encryption? hehe
Mike, that grid is an implementation of secret sharing: the password is split between the grid and the pattern. Unfortunately, the password grids are only as secure as the secret pattern you use. Unless you are really creative about the pattern you pick and have the good memory to recall that pattern later, it would not be a good idea to depend on this solution.
Alternatively, there are methods also based on secret sharing and use a mnemonic and a lookup table. Basically instead of remembering a pattern you remember a sentence, which will unfold into a pattern (for the sake of comparison).
One example is:
The nice thing about this approach is that you can actually tweak the security of the encoding by making the lookup table larger, hence the decoding process longer.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.