Schneier on Security
A blog covering security and security technology.

Dogbert's Password Recovery Service for Morons
Posted on January 25, 2007 at 12:51 PM

Comments

Speaking* of passwords and making things too easy, I thought you might also like this:
(* I know, I know, we're always on the topic)
Posted by: nzruss at January 25, 2007 1:17 PM

I wonder if anyone's tried the Diebold voting machine key on an ATM yet? I know, I know... different divisions. But it seems to me Diebold needs to hire some paranoid spook from the Government and give him the title, "Director of Get A Clue About Security".
Posted by: Matt from CT at January 25, 2007 1:21 PM

Be sure to test your password strength here: http://www.microsoft.com/athome/security/privacy/password_checker.mspx
"Password1" Nice, strong, easy to remember.
Just trying to help, IM
Posted by: I M Secure at January 25, 2007 2:25 PM

Our passwords have to be at least six characters. Much more secure.
Posted by: 123456 at January 25, 2007 2:28 PM

And ours must have letters and punctuation in them.
Posted by: 123456.com at January 25, 2007 2:34 PM

@I M Secure
"Password123456" has "Best" strength! I feel so much better now.
Posted by: Myvoice at January 25, 2007 2:34 PM

Bank ATMs usually have a locked room where the back panel access is. At least in Montreal. The most common locks I've seen on those doors are either Abloy (old and new style) or Medeco. Then there's the vendor-supplied key to access the inside and *then* there's the vault's combination. Additionally, access is carefully logged, video cameras film everything and the ATM independently transfers a transaction log to the processing center receiving the content of the vault.
I don't know if it independently reports the content of the bill cassettes, however, but the transaction log should balance out with the cash deliveries. The keypads are supposed to be tamper-resistant and perform the PIN encryption independently of the ATM O/S. The whole thing is a sealed unit which should disable itself on tampering. Likewise a cryptocard (like IBM's) is used to encrypt the backhaul link. Keying was traditionally done with a pair of sub-keys, at least one of which is entered by a separate individual, usually from security.
However, I haven't worked in a bank for a little while now. Things may have changed/evolved a bit.
Posted by: Alexandre Carmel-Veilleux at January 25, 2007 2:35 PM

If voting machines were treated like bank ATMs, risk would be quite low indeed. Instead even the little in-store mini-ATMs get better treatment than voting machines. With things like mandatory security cam laws and reasonable locks.
Posted by: Alexandre Carmel-Veilleux at January 25, 2007 2:39 PM

I think someone must be bugging my office - how'd they get my job into a comic strip so perfectly?
Posted by: derf at January 25, 2007 3:50 PM

Me: "OK, your encryption software is installed. Now you need to generate a key and set a passphrase. Click here."
Posted by: Reader X at January 25, 2007 5:36 PM

Speaking of passwords:
Posted by: Ilya at January 25, 2007 8:36 PM

There was a discussion at work in which folks discussed how they kept track of their passwords. I said, "I call up Bruce Schneier. He has all of my passwords written down on a little piece of paper in his wallet." Maybe you had to be there.
Posted by: Larry Hosken at January 25, 2007 10:12 PM

My best password story involves the manager who couldn't keep his own password memorized. Over and over again, he'd lock himself out trying to log into his account. This was with simple passwords of the form "password1", by the way... he'd simply forget which numeral, and every time they'd increment "password2," "password3" etc. and he would ruin each valid password with too many guesses. They finally found an answer for him. Set password to "password11" and set "number of tries" to 999.
Posted by: Andrew at January 25, 2007 10:23 PM

That password checker is so crappy it's almost criminal. g;Z-3<? - it says that's a Weak password. Although only 7 characters long I'd bet that's a better one than aaaaaaA1 - which it says is strong. Though it jumps that first string into 'Strong' once you add the 8th letter. I wonder if that doesn't make it into the Best category, what on earth does?
Posted by: Hullu at January 26, 2007 2:02 AM

.. just checked, it seems it requires a length of 14 to be 'Best'. aaaaaaaaaaaaA1 is Best!
Posted by: Hullu at January 26, 2007 2:37 AM

Another Dilbert strip, this one about airlines and airport security (click my name).
Posted by: Dilbert at January 26, 2007 3:33 AM

Here's an interesting and somewhat related story that I ran into today, about passwords and biometrics. http://software.ericsink.com/entries/Technology_Dependence.html
Posted by: skynyrdFrynd at January 26, 2007 7:41 AM

oh the joys.
Posted by: a. at January 26, 2007 9:48 AM

That password checker is excellent!!! now I know that aaaaaaa is Weak but Z.
Posted by: Zwack at January 26, 2007 1:40 PM

At an old job, we had need of sending e-mails around in encrypted form. I was the one who helped people go through the key generation interface. I always told them that when it says "passphrase", it means that you can use a full phrase, with punctuation and spaces, and that they should take full advantage of it to create a passphrase that's both easy to remember and hard to crack. Even after explaining this, many people used a 6-8 character string anyway (as I could tell from the '*' on screen). A few people just blurted out to me what they used as they were typing it.
Passwords are a complete failure as an authentication mechanism. If we could educate people, passphrases *might* work, but a lot of people seem to be stuck in the 6-8 character string mindset.
Posted by: Timm Murray at January 26, 2007 4:11 PM

@Timm Murray: Agreed, except that no one has come up with something better.
Posted by: JR at January 27, 2007 2:03 AM

"BruceSchneier!" was rated as "best". I suppose we shouldn't be surprised.
Posted by: Password at January 27, 2007 5:46 PM

Yeah SecurityBullshit.com is funny but I heard Curphey worked for McAfee so it's a bit like the pot calling the kettle black.
Posted by: Industry Insider at January 29, 2007 11:43 AM

"HelloWorld2007" was rated as best. Anyway how long will it take for someone to fake such a webpage and collect passwords? You probably wouldn't notice if your password is sent to a server using AJAX. Sad part is that a lot of people are probably filling in their real password in that form.
Posted by: Roflo at January 30, 2007 9:30 AM
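The commenters' observations (a 7-character "g;Z-3<?" rated Weak, "aaaaaaA1" Strong, and any 14-character mix such as "aaaaaaaaaaaaA1", "BruceSchneier!" or "HelloWorld2007" rated Best) describe a meter that scores only length and character classes. The following added example, written for this editing pass and not part of the thread or of Microsoft's checker, reconstructs those rules as an assumed heuristic and sets beside it a rough pattern-aware guess estimate (repeated characters, dictionary words, counting runs and years collapse to a few bits), so the two disagree exactly where the commenters say they should. The wordlist and the scoring constants are constructed for illustration.

```python
import math
import re

# Rating rules constructed to reproduce what the commenters report the
# Microsoft checker doing (length plus character-class mix, nothing else).
# The real checker's rules are not on the page; this is an assumption.
def class_based_rating(pw: str) -> str:
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(pw) < 8:
        return "Weak"
    if classes >= 3:
        return "Best" if len(pw) >= 14 else "Strong"
    return "Medium"

# Tiny constructed wordlist standing in for a cracker's dictionary.
WORDLIST = {"password", "hello", "world", "bruce", "schneier"}

# Tokens, tried in this order: a character repeated 3+ times, a capitalised or
# lower-case word (or an all-caps chunk), a digit run, any single character.
TOKEN_RE = re.compile(
    r"(?P<run>(?P<ch>.)(?P=ch){2,})|(?P<word>[A-Z]?[a-z]+|[A-Z]+)"
    r"|(?P<digits>[0-9]+)|(?P<other>.)", re.DOTALL)

def guess_bits(pw: str) -> float:
    """Rough log2 of the guesses a pattern-aware cracker needs."""
    bits = 0.0
    for m in TOKEN_RE.finditer(pw):
        tok = m.group(0)
        if m.group("run"):
            bits += math.log2(95) + math.log2(len(tok))  # one char + a length
        elif m.group("word"):
            if tok.lower() in WORDLIST:
                bits += math.log2(len(WORDLIST)) + 2      # word + case variant
            else:
                bits += len(tok) * math.log2(52)
        elif m.group("digits"):
            counting = len(tok) >= 3 and tok in "0123456789"
            if counting or re.fullmatch(r"(19|20)\d\d", tok):
                bits += 4                                 # counting runs, years
            else:
                bits += len(tok) * math.log2(10)
        else:
            bits += math.log2(95)
    return bits

if __name__ == "__main__":
    for pw in ("Password1", "aaaaaaA1", "g;Z-3<?", "aaaaaaaaaaaaA1", "BruceSchneier!"):
        print(f"{pw:16} {class_based_rating(pw):7} ~{guess_bits(pw):.0f} bits")
```

The class-based rating climbs with length alone, while the guess estimate for "aaaaaaaaaaaaA1" or "Password123456" stays far below that of the 7-character string Hullu quotes.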