Schneier on Security
A blog covering security and security technology.
« The Case for Eliminating Secrecy |
| Da Vinci Code Ruling Code »
April 27, 2006
Security Myths and Passwords
Good essay by Gene Spafford.
Posted on April 27, 2006 at 12:25 PM
• 34 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
My last job had me changing my dozen or so passwords every month. This proved to have the benefit of quickly identifying which systems readily crashed because their password changing algorithm was buggy, and thus I got to know some sysadmins I otherwise wouldn't have. Other than that, I saw no benefit.
Incidentally, institutionally we were restricted to an 6-8 character password and a reduced character set (so as to be compatible with Microsoft).
My laptop allows 256-character passkeys. I've never changed any of them there.
My current job has various passwords that expire on a regular basis (but with different periods).
Frankly, I don't remember any of them -- if I don't have my Palm or its desktop counterpart I won't have access to any of those systems.
I have a;
Wireless device pwd
Wireless Admin pwd
Gateway Admin pwd
IM Gateway Admin pwd
Desktop Local Admin pwd
Server Local Admin pwd
Test lab Admin pwd
Test lab Server Local Admin pwd
Performance Review pwd
Mortgage website pwd
Gas utility pwd
Electric utility pwd
Water utility pwd
Front gate pwd
BF2(video game) pwd
Many of these expire, require different charactors, keep histories of past password, and compare old passwords to new ones to be sure they are not too simliar.
I'm sure most people probably have a very similar setup with their passwords?
Now my passwords are different for virtually every system, but WOW I would say 5-10% of my job has been just keeping up with the insane about of password setting and resetting.
sorry I forgot the;
Dell website pwd
Purchasing application pwd
POINT -->From an employer point of view having any of these password source exploited could pose a risk in having my important Admin passwords compromised. (Since getting the other passwords would assist in guessing the other passwords.)
Squirrell noises ... I smell a new open source project
I have been using PasswordSafe.
which is on sourceforge....
Got worried one day when a spoof email made me think that I had had my paypal account hijacked. Then I realized too many of my passwords were the same. guess one you have them all....
Wish this passwordsafe app ran on osx and linux too.
I must admit that on several occasions in my youth I have found "ways" to obtain passwords to access a few systems.
I can tell you that it is a pain when a victim changes his password because getting the password in the first place is usually difficult, dangerous (e.g. physically installing a Keylogger), takes time or just comes from a one time lucky opportunity. Sometimes it needs social engineering tricks that will not trick the same person several times.
Systems were users never change passes give unlimited access forever once an attacker is lucky or takes his chances.
Systems were users change their passwords regularly are better. Even if users end choosing a bit "poorer" passwords, cracking attempts on the passwords can be detected.
Check out Password Gorilla (compatible with PasswordSafe) at http://www.fpx.de/fp/Software/Gorilla/
It works on Windows, Linux, *BSD, OSX, and Solaris, and can be run from a USB key. Source is provided so it can be ported to other platforms.
I just counted my logins. It appears that I have 167 logins either current or "maybe still important". This doesn't count password history -- this is just distinct sites. It includes shopping sites and organization sites that require logins.
I'm a software engineer with a sysadmin bent so I'm sure I have more than "most people" but even 1/4 as many is still a bunch to keep track of.
There Has Got To Be A Better Way (tm).
One system I've worked with had a centralized system to update your passwords for all the subsidiary systems. Problem was, it had a 4 previous password history, but at least one application had a 6 previous history. So I changed to one of the 5 I was using, and got locked out of that application with an invalid password.
Really a tale of bad admin work, but still a warning.
While working at Microsoft a bunch of people got notified that they need to change their passwords for having password that violated the HR policy.
Their passwords were things along of the lines of F---TheAdmingroup, F---MyBoss, etc.
When HR found out they didn't punish the people they instead asked "Ummm, how do you have all these people’s passwords?"
Turned out one of the VPs had bought a tool to break the security in Windows 2003 and export ALL the passwords under the guise of a "Password Security Check"
Mind you this was at MICROSOFT so you can imagine what might be happening out in the "real world".
Most likely many of your passwords have been compromised by well meaning people running websites and online services.
AG, that is quite a lot of passwords. Do you manage them with software, or paper?
I too have about 50+ different passwords, though the root of some are the same (helps me remember).
All my passwords are contained in certain additions of various books (plus some manipulation). One just needs to know where to look and what those manipulations are. It's like looking for a needle in a haystack - except I know where the needle is.
Does anyone else use passwords embedded in publicly available material like books, magazines, articles, maps, pictures, charts, etc...?
Unlike everybody else in creation (apparently), I have a whole slew of unique or partially unique passwords. I just remember them, for the most part (there are a few "very uncommonly used" ones that I have to refer to my double secret database of passwords, like the password to my 403b web site account, which I touch maybe once a year or so) - I store a copy of them all on a USB key with Bruce's password safe, not so much for my use but for my wife's, if I should become incapacitated.
I've generated some passwords by using publicly available materials combined with a seed of random characters (I've reused the seeds in a few instances, mostly low security stuff like my yahoo account).
When I was in college a billion years ago, you had to be able to log into the mainframe to use the fortran compiler. I had two classes that required fortran code, so I had a mainframe account.
I forgot my password exactly once, before the first homework assignment was due. There was an ironclad policy for password resets - "If you forget your password, you must physically show up in room N between 12 and 3 pm on Friday afternoons with your school ID. There are no exceptions".
The assignment was due on a Tuesday, I forgot my password on Monday, and I got a zero. The complete and utter lack of forgiveness or flexibility taught me never to forget my password :)
I disagree that this is a *good* essay. I think the subject is an important one that should be treated, but this essay did a poor job.
The author stated his premise at the beginning, then wandered off to survey ways that passwords can be compromised. Finally, in the last few paragraphs he came back to his premise, but didn't really present any hard evidence to support it.
IMHO this is just the start to a treatment of this subject. It is an important subject, though, because so many who don't thoroughly understand security DO rely on 'best practices.'
I think once before you advised (paraphrasing) "Use secure (i.e., non-trivial) passwords, then write them down somewhere--this is better than using more memorable ones that are easily guessed." This, to me, is the most practical advice I have heard in a long time. I think it may apply here; change your passwords occasionally (not necessarily every month) and if you have to, write them down somewhere secure.
A monthly password change requirement has two highly predictable consequences.
1. Month and year will work themselves into many passwords, making known text attacks easier (only need a three-letter hash dictionary when the first or last 5 out of 8 chars are "apr06").
2. Lots more passwords showing up on yellow stickies, scrap paper in wallets, etc.
I have about 200 passwords stored in my KeyChain. On my Mac I remember only one password – the system password. Every password ever used in Safari, OS X Server Admin, file servers, certificates, gets funneled into my keychain, which is of course stored encrypted and decrypted with my login password.
It's really, really nice.
You know, i we're always very concerned about security for MySql databases en PHP script which allows people to login secure using the blowfish 448bit algo. But today i'm less protective anymore, for the simple reason: if my host logs in as root with a simple password, if someone can gain acces to the webserver, he has all the passwords. Ok there blowfish encrypted, nothing can be done with it, but all user info is avaiable when the hacker has controle of the whole system.
So if you know the "root" pass you have them all. That isn't very secure i think.
and for sure i have "written" down passwords, still do that, because there so long and contain so many caracters, i cannot remember them if i change them also a month.
For security reasons, i am still a huge fan of deception, like the red blinking light in a car can give the thief 2 choices: there is really an alarm, or this light is a fake.
If the car is openend, the things in it are way gone when you reach your car to grab the thief.
Both systems are "protective".
"Now, looking back over those, periodic password changing really only reduces the threats posed by guessing, and by weak cracking attempts."
I don't get this. Unless you change the password WHILE the guessing/cracking attempt is in progress, how does it affect the likelyhood of a successful guess?
The management of our multiple passwords is a well known issue and one must admit that their replacement by a centralized authentication token is unfortunately not for tomorrow.
Besides overloading administrators with requests of creation, destruction, locking or unlocking accounts, adding, assigning or withdrawing access rights, the anarchistic multiplication of passwords, generates another more serious problem, namely a decrease of security level.
For the sake of simplicity, we circumvent the recommended or imposed security rules. This chaotic situation constitutes an obstacle to our protection and the protection of our enterprise data and removes any reason of being for the use of passwords.
According to a study carried out on the behavior of the users, 50,8% of respondents are aware of the good practices in terms of passwords management BUT do not apply them.
Beside these well known issues, we have to deal with an additional parameter which is the mobility. Many of us are travelling, using more than one computer from different locations. In the same way, we need to access our application and web sites from everywhere, from every computer. This is why, I opted for an online password manager.
I'm using the online password manager PWMGR (www.pwmgr.com) for different reasons. I store there my passwords, PINs but also any kind of number I need to access from everywhere. I don't need to be bothered with the selection of a new password since I can use the integrated password generator. When a new password is requested I simply asked PWMGR.COM to generate one based on my defined policy. I even don't know some of my secrets anymore. I just go on-line, select the related entry and copy it to the application. Furthermore, I don't have to be concerned by the backup of my data in case of disk crash as this service is provided by the PWMGR. It also allows me to align the required level of authentication ( simple or strong authentication) to the sensitivity of the data contained in each individual vault. It sends me a random PIN code on my mobilephone.
I would be interrested to know what other people thinks about PWMGR.
Authenication needs to somehow be in the hands of the User.
Every place I have a password is another place someone can steal, misplace, or expose my password.
Maybe a user sided encrpytion? User data can only be decrypted if the user connects with there blackbox?
I'm a little confused, too. It's pretty clear how password change requirements prevent/mitigate offline cracking attacks (if it take 2 months to crack a password, and you change them every month, then cracking is useless). However, guessing attacks, by the author's definition, only take a few attempts.
Furthermore, the author's thinking about the cost of password compromise is far too binary to be useful. He says "If any of the other attack methods succeed, the password needs to be changed immediately to be protected — a periodic change is likely to be too late to effectively protect the target system." This is not always the case. For instance, what if the asset being protected is valuable, but time-sensitive information? If a password is exposed, a change requirement highly mitigates the damage. The author breaks his own rule of relating policies to the asset being protected. Also note Black's comments on this topic above.
I would deny the premise of this question if asked:
"According to a study carried out on the behavior of the users, 50,8% of respondents are aware of the good practices in terms of passwords management BUT do not apply them."
Good practices? "Stated" good practices, maybe, but seriously how realistic, helpful and truly good are these?
I always complain that the rules are SO bad I have to have a different username for many systems. At my day job ALONE every password is different, but check the usernames (Standard is when I can pick one easily):
AD - access to my desktop computer, etc.; standard username
Peoplesoft - unix-style randomized username
HR Self-Service - SSN
Another HR system - NO username
Payroll - SSN
Education - SSN
Expense Reporting - SSN
Trouble Ticketing - Unique assigned
Room reservations - Standard
Supply purchases - NO username
Document storage - Standard
Travel Reservation - NO username
Omniuture - Unique assigned
I end up having text files in not unreasonably hidden places for work, and another for my freelance website access. Everything personal I remember, hope the auto-complete remembers or use a lot of forgot password systems.
@passwordsafeFan (and Dave):
Password Gorilla is nice.
I usually keep a dat file and a couple of binaries/tck kits in my USB drive.
I still use PasswordSafe at work, BTW.
The defects and even failures in most of enterprise security defense systems can be root caused into problems in "security execution", ie. the discrepancy between the policy and the real environment. The security manager just book those best practices into their "policy", while not considering their staff, their skills, the data to protect, the threats to contain/mitigate…
My company lately changed the rules for passwords. Before this "reformation" the passwords could have 6 till 8 characters. Now ("to improve security") the passwords must have exactly 8 characters. Good to know for any hacker, as he now can omit all words with 6 or 7 characters when bruteforcing...
> Good to know for any hacker, as he now can omit all words with 6 or 7 characters when bruteforcing.
Unless the available character set is tiny, this doesn't actually matter; the 6 and 7 char passwords add negligibly to the total time of the attack. For example, even if they are digits only, allowing 6 and 7 char passwords increases the search space from 100 000 000 to 111 000 000 which is only an 11% increment. With a larger character set the increment is even smaller. For example with mixed case alphanumeric passwords, allowing 6 and 7 character passwords only adds 1.6% to the search space. That's a very small increment, and more than offset by eliminating those risky 6 char passwords.
And 6 char passwords really are far too weak these days. Even a totally random combination of every character you can get directly from a standard keyboard (i.e. 52 upper and lower case letters, 10 digits, space, and 32 punctuation marks) gives only 95^6 = 7.35 x 10^11 possibilities, which on a typical up to date home PC can be brute forced in just a few days (4 days and 6 hours on average). And most "strong" 6 char passwords are more likely to have something like 1 upper case, 1 digit, 1 punctuation mark from the top row, and the rest lower case; a random 6 char password like that can be brute forced in 1 to 2 hours.
Once you add in the possibility of an attacker using a botnet to get a distributed attack, 7 char passwords are also far too weak.
In fact, these days, even 8 char passwords are barely adequate, and will suffice only if they are randomly composed from at least mixed case alphanumerics, and, ahem, expired at least annually. To make passwords safe using character sets that are a little more user friendly, you need to either go to at least about 12 characters, or introduce some kind of stretching function to dramatically slow down attackers.
> institutionally we were restricted to an 6-8 character password and a reduced character set (so as to be compatible with Microsoft).
That's odd. While there is lots wrong with Microsoft's password implementations, they have supported 14 character passwords since 1990. (More recent versions of NTLM use MD5 hashing and don't have any length restriction at all.)
I agree with YellowStickyCollector: regular password change policy usually increase weak passwords and "at hand" writed passwords.
I'm systems administrator, and my policy was educate users. It's dificult and you should do it slowly. But if you promote little security improvements, not too anoying for users, step by step; the users got used to each "level" and apply them.
For passwords I use two tricks:
- use phrase initials to remember passwords; (for example: wh5ro&8gpfl stands for "we have 5 red onions and 8 green pepers for lunch")
- change some user passwords myself and then go to these users to tell their new passwords; (changing 2 o 3 passwords a day, you can renew about 500 password a year); use this moment also to teach passwords value in company security, and the importance of change it if user suspects than anyone else knows his/hers password.
And also, have good writen instructions to guide a user who wants change he/she's passwords. And have quick/efective response to troubleshot any problem he/she can have doing this.
(Of course, all other usual rules are enforced: no short passwords allowed, no already used passwords allowed, no quick changes allowed --passwords that I "imposed" to users must stay for 5 days minimun; and for that time, users get used to them ;-) --, login 30 min. blocked if 5 wrong password attempts occurs, etc, etc).
> Of course, all other usual rules are enforced: ... passwords that I "imposed" to users must stay for 5 days minimun
I agree that these policies are often implemented thoughtlessly, although I think Spafford undervalues expiry policies in some areas. (Some further discussion next post).
However the password policy that really annoys me is the MINIMUM password age facility in the Windows NT family. The rationale for this given in the help files is nothing but paranoid delusion. The supposed justification is that if a password history is enforced then those obstreperous users "can cycle through passwords repeatedly until they get to an old favorite". This is utter nonsense. For a start, users simply don't do that. An uneducated user with a "favourite password" and an expiry policy will actually just append some sort of counter, like "Mary1", "Mary2", "Mary3" or a themed sequence like "hydrogen", "helium", "lithium". Further, if users are really going to such extreme measures to circumvent your security settings, then the real problem is very poor user education. In that case, quite likely 90% of your minimum-aged, expirable passwords are the absolute weakest passwords that comply with the policy, can be cracked in seconds by any sniffer, and all the rest is a waste of time. If, as you say, you have taken good care with user education, then there is simply no reason to have this policy.
Meanwhile what minimum ageing DOES achieve, is preventing a user from changing a compromised password! The chance of this situation arising when a password is compromised depends on the ratio of minimum to maximum ages, but one common recommendation gives 12%, and up to 99.9% is possible. So the only significant effect the policy has is to WEAKEN security!
In your case, it is even worse. You select a password for the user (so you know it) and then forbid them from changing it. This violates basic security policy, which is that only one person should know a password, and thus knowledge of the password can be bound to a person's identity.
This should be the other way around; if a user password becomes know to you (for example, because you reset it) then the user should be required to change it immediately. As it stands, imagine what would happen if a particular user's account was used to commit a serious crime. Police interrogate the user, who says "Of course I wouldn't be silly enough to use my own account, I would be caught for sure. But this admin, Birp, he forces us to let him know all our passwords..."
The minimun age thant I apply is in order to avoid users change inmediatly the "strong" password than I assigned to them for one "weak" password.
They must work almost for 5 days with my password, and for that time they got used to it. So, they retain it until my next "password assigment".
It's just a little trick to force users to employ "strong" passwords (aka, "complicated" passwords for them).
> It's just a little trick to force users to employ "strong" password
But they're not strong passwords. They're compromised passwords, because someone else already knows them. You've become so concerned with users choosing weak passwords that you've forgotten the whole point of *having* strong passwords, which is that no-one else should be able to guess them!
Assigning passwords is only acceptable if they are machine-generated, so that no-one else knows them. Even that is of questionable benefit because some studies show that users are much more likely to write down a machine generated password.
Your are right. A password, by definition, must be a secret thing that only it's owner can know.
My only disclaimer in this case is that the environment in what I applied these asigned passwords was a very extreme one: wen I arrived that entrepise, nobody has password; even root and administrator accounts where without it. And all users (included CEO and other directors), where totally "anti-passwords".
I generalized also the method, because I was sure that users always whould choose "meaningful" passwords (aka, easy guess ones) (like their pet name or the autor name for the novel they are reading in that moment). And I feelt my passwords "more strong".
But I was wrong. It's not a method that you can generalize. As long as you must find a password asigner than you can trust.
Now I see clear that every user must take care or his/hers account.
scheiner........Well I really found you interesting when I read your encounters with passwords.....I am David, and will like to be a great password hacker even as you were in you youthful days....I will be very delighted if you can take me through all th necessary procedures to come out as a your successful product..
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.