Bruce Schneier


Schneier on Security

A blog covering security and security technology.


January 25, 2007

Dogbert's Password Recovery Service for Morons

Here and here.

Posted on January 25, 2007 at 12:51 PM | 25 Comments


Comments

Speaking* of passwords and making things too easy, I thought you might also like this:
http://www.boingboing.net/2007/01/25/...

(* I know, I know, we're always on the topic)

Posted by: nzruss at January 25, 2007 1:17 PM


I wonder if anyone's tried the Diebold voting machine key on an ATM yet?

I know, I know...different divisions.

But it seems to me Diebold needs to hire some paranoid spook from the Government and give him the title "Director of Get A Clue About Security".

Posted by: Matt from CT at January 25, 2007 1:21 PM


Be sure to test your password strength here:

http://www.microsoft.com/athome/security/privacy/...

"Password1"

Nice, strong, easy to remember.

Just trying to help,

IM

Posted by: I M Secure at January 25, 2007 2:25 PM


Our passwords have to be at least six characters. Much more secure.

Posted by: 123456 at January 25, 2007 2:28 PM


And ours must have letters and punctuation in them.

Posted by: 123456.com at January 25, 2007 2:34 PM


@I M Secure
>> ... "Password1" ...

"Password123456" has "Best" strength!

I feel so much better now.

Posted by: Myvoice at January 25, 2007 2:34 PM


Bank ATMs usually have a locked room where the back panel access is. At least in Montreal. The most common locks I've seen on those doors are either Abloy (old and new style) or Medeco.

Then there's the vendor-supplied key to access the inside and *then* there's the vault's combination. Additionally, access is carefully logged, video cameras film everything and the ATM independently transfers a transaction log to the processing center receiving the content of the vault. I don't know if it independently reports the content of the bill cassettes, however, but the transaction log should balance out with the cash deliveries.

The keypads are supposed to be tamper-resistant and perform the PIN encryption independently of the ATM O/S. The whole thing is a sealed unit which should disable itself on tampering. Likewise a cryptocard (like IBM's) is used to encrypt the backhaul link. Keying was traditionally done with a pair of sub-keys, at least one of which is entered by a separate individual, usually from security.

However, I haven't worked in a bank for a little while now. Things may have changed/evolved a bit.

Posted by: Alexandre Carmel-Veilleux at January 25, 2007 2:35 PM


If voting machines were treated like bank ATMs, risk would be quite low indeed. Instead, even the little in-store mini-ATMs get better treatment than voting machines, with things like mandatory security cam laws and reasonable locks.

Posted by: Alexandre Carmel-Veilleux at January 25, 2007 2:39 PM


I think someone must be bugging my office - how'd they get my job into a comic strip so perfectly?

Posted by: derf at January 25, 2007 3:50 PM


Me: "OK, your encryption software is installed. Now you need to generate a key and set a passphrase. Click here."
They: "OK..."
Me: "Now, the passphrase has to be something you can remember, but still has to be strong and hard to guess..."
They: "OK, let me think..." (thinks)
Me: (looks around office) "...and it can't be (something written on a desk doohickey)!"
They: "AAARGH!!! How did you DO that?"

Posted by: Reader X at January 25, 2007 5:36 PM


There was a discussion at work in which folks discussed how they kept track of their passwords. I said, "I call up Bruce Schneier. He has all of my passwords written down on a little piece of paper in his wallet."

Maybe you had to be there.

Posted by: Larry Hosken at January 25, 2007 10:12 PM


My best password story involves the manager who couldn't keep his own password memorized. Over and over again, he'd lock himself out trying to log into his account. This was with simple passwords of the form "password1" by the way . . . he'd simply forget which numeral, and every time they'd increment "password2," "password3" etc. and he would ruin each valid password with too many guesses.

They finally found an answer for him. Set password to "password11" and set "number of tries" to 999.

Posted by: Andrew at January 25, 2007 10:23 PM


That password checker is so crappy it's almost criminal.

g;Z-3

Posted by: Hullu at January 26, 2007 2:02 AM


.. just checked, it seems it requires a length of 14 to be 'Best'.

aaaaaaaaaaaaA1 is Best!

Posted by: Hullu at January 26, 2007 2:37 AM


Another Dilbert strip, this one about airlines and airport security (click my name).

Posted by: Dilbert at January 26, 2007 3:33 AM


Here's an interesting and somewhat related story that I ran into today, about passwords and biometrics.

http://software.ericsink.com/entries/...

Posted by: skynyrdFrynd at January 26, 2007 7:41 AM


oh the joys.
i know the passwords to at least 50 % of the computers at work because the people are stupid and too lazy to change them. so if when they started the password was [thecompanyname], [thecompanyname]123, or training, it is way too often that even after that. and a few people think they are smart when their password is [password] in some other language. .. would work a bit better if there were no people speaking that or those languages in the office though.
and of course, some people keep their most business critical passwords on post-it notes attached to their display. wohoo.

Posted by: a. at January 26, 2007 9:48 AM


That password checker is excellent!!!

now I know that

aaaaaaa is Weak but
aaaaaaa1 is Medium and
aaaaaaa1! is Strong and
aaaaaaaaaaaa1! is Best, I know what I'm going to use now....

Z.

Posted by: Zwack at January 26, 2007 1:40 PM
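The ratings quoted in the comments above (Weak/Medium/Strong/Best for the "aaaaaaa..." series, "Password123456" and "HelloWorld2007") fit a plain length-and-character-class rule. The following is an added example, not the checker's own code: it reconstructs that rule from the reported ratings only, and sets it beside a guess-count estimate that credits repeated runs, dictionary words and years as cheaply as a cracking tool would. The word list, the 100,000-entry dictionary size and the bit thresholds are assumptions.

```python
import math
import re
import string

# Assumed size of a real cracking dictionary; WORDS is a small constructed
# sample standing in for it so the example runs offline.
DICT_SIZE = 100_000
WORDS = {"password", "hello", "world", "bruce", "schneier", "company", "training"}


def naive_rating(pw: str) -> str:
    """Length-and-class meter reconstructed from the ratings quoted in the thread."""
    classes = sum(any(c in cls for c in pw) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation))
    if len(pw) >= 14 and classes >= 2:
        return "Best"
    if len(pw) >= 8 and classes >= 3:
        return "Strong"
    if len(pw) >= 8 and classes >= 2:
        return "Medium"
    return "Weak"


def estimate_guesses(pw: str) -> int:
    """Guess count that credits cheap patterns: repeated runs, dictionary words, years."""
    # A run of 3+ identical characters costs the attacker one extra choice (its length).
    collapsed = re.sub(r"(.)\1{2,}", r"\1", pw)
    guesses = 1 + len(pw) - len(collapsed)
    # Split into word-like, digit and punctuation segments (CamelCase splits on capitals).
    for tok in re.findall(r"[A-Z]?[a-z]+|[A-Z]+|\d+|[^A-Za-z\d]+", collapsed):
        if tok.isalpha():
            if tok.lower() in WORDS:
                guesses *= DICT_SIZE * (1 if tok.islower() else 2)  # word, maybe capitalised
            else:
                alphabet = 26 if tok.islower() or tok.isupper() else 52
                guesses *= alphabet ** len(tok)
        elif tok.isdigit():
            # A four-digit year is tried before arbitrary digits; assume ~200 candidates.
            guesses *= 200 if len(tok) == 4 and 1900 <= int(tok) <= 2099 else 10 ** len(tok)
        else:
            guesses *= 32 ** len(tok)  # common punctuation set
    return guesses


def hardened_rating(pw: str) -> str:
    """Rate by estimated work for the attacker rather than by character classes."""
    bits = math.log2(estimate_guesses(pw))
    return "Weak" if bits < 30 else "Medium" if bits < 44 else "Strong" if bits < 58 else "Best"
```

Under the class rule "aaaaaaaaaaaa1!" and "HelloWorld2007" are both Best; the guess-based rating puts the first at roughly 17 bits and the second at about 43, which is why a meter that never looks at structure is easy to game.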


At an old job, we had need of sending e-mails around in encrypted form. I was the one who helped people go through the key generation interface. I always told them that when it says "passphrase", it means that you can use a full phrase, with punctuation and spaces, and that they should take full advantage of it to create a passphrase that's both easy to remember and hard to crack.

Even after explaining this, many people used a 6-8 character string anyway (as I could tell from the '*' on screen). A few people just blurted out to me what they used as they were typing it.

Passwords are a complete failure as an authentication mechanism. If we could educate people, passphrases *might* work, but a lot of people seem to be stuck in the 6-8 character string mindset.

Posted by: Timm Murray at January 26, 2007 4:11 PM


@Timm Murray: Agreed, except that no one has come up with something better.

Posted by: JR at January 27, 2007 2:03 AM


"BruceSchneier!" was rated as "best". I suppose we shouldn't be surprised.

Posted by: Password at January 27, 2007 5:46 PM


I love this new site.

Posted by: Bully at January 28, 2007 6:43 AM


Yeah, SecurityBullshit.com is funny, but I heard Curphey worked for McAfee, so it's a bit like the pot calling the kettle black.

Posted by: Industry Insider at January 29, 2007 11:43 AM


"HelloWorld2007" was rated as best.

Anyway, how long will it take for someone to fake such a webpage and collect passwords?

You probably wouldn't notice if your password is sent to a server using AJAX.

Sad part is that a lot of people are probably filling in their real password in that form.

Posted by: Roflo at January 30, 2007 9:30 AM

