Schneier on Security
A blog covering security and security technology.
« Reducing the Risk of Human Extinction |
| Datamation Interview »
November 14, 2008
Me on Passwords
My Guardian article also appeared in The Hindu. Nothing I haven't said before.
Posted on November 14, 2008 at 12:47 PM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I did my master's project/thesis on electronic commerce security, and one point of contension was the use of passwords. Many experts argued that passwords are poor security, and I countered that while other techniques may be more secure, how useful would it be to try to get customers to use something else--the would just take their business elsewhere. Not a good tradeoff.
I very much like systems that indicate how strong a password is when someone enters it based on a great deal of criteria, which can persuade some users. Others won't care, and probably never will. (Another risk is that if someone breaches an acccount based on a weak password, through no fault of the business, it is still bad press and reputation damage.)
In my project, I did a graphical analysis of the types of profits and losses in relation to security, which shown a rarely stated yet obvious conclusion: if authenication is too week, you lose your reputation and resources and fail. If too strong and inconvenient, you lose your customers and fail.
It's a bit different in business where you have to worry less about keeping people happy. But the cost/benefit is still the key.
I've been an IT auditor for over a decade, and my most successful password attacks have not been when I've tried to brute force attack an account (or even dictionary attack on one). My most successful attacks have been when I've tried a handful of common ones against every known ID (particularly easy if i know user IDs are first initial last name, and I get a phone list for example). Less overhead, more success. I'm sure you know this, but some casual readers may not.
Thanks Bruce. Good observations.
"My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m"."
It will be even more effective when one creates the sentence in a non-english language (sanskrit for e.g) and then convert the first letters into English and set their password.
I like phrases like that, expecially when they incorporate a word that can be turned into a symbol.
"Thursday at 7 I watch Smallville and CSI." = T@7IwS&C.
Its been my experience that how we USE the passwords causes more incidents than how we CHOOSE them. Providing them to phishers has become a common problem and compromised desktops and web sites add to it. Those incidents can only be prevented by using authentication methods stronger than passwords that are reusable from any location.
As I understand the construction of a cracking dictionary, the phrase "mandatory meeting schedule" would be considered as three possible passwords rather than one.
If so, a password such as " by June 10th. In July we " [sic: leading and trailing spaces include) would never be broken by a dictionary attack.
Am I right or wrong?
Further, a lot of people use the same passwords for multiple functions (in fact I do this myself). But, there are situations where that is okay (using the same password for a lot of websites that you don't care about much) and where it isn't (using the same password for your bank account as for anything else).
Personally, I keep work-related and non-work-related passwords strictly separate. For financial accounts or other "high value" accounts, I use a unique password and I try the keep the number of those accounts to the absolute minimum so that I can remember the passwords without writing them down. For everything else, I use one of several common passwords (and try to avoid grouping together less trusted / important things with more trusted / important). For a particularly untrusted, unimportant account (e.g. a dodgy-looking web site) I will make up a password on the spot and write it down rather than bothering to try and remember it.
Anyway, I suspect most people are not willing to even remember more than 2 or 3 passwords, and so they use the same password for all of their game accounts, facebook, web sites they visit, etc. And its probably their daughter's name with the date of their anniversary tacked on the end, or something... A field-day for phishers! When I make up a password for anything I care about, I make it as random as possible, and then focus on memorizing those random characters so that I don't have to ever write it down.
For passwords that I care about, I flip coins to generate binary numbers, then translate them into characters via an ASCII chart. It does take a couple dozen times of entering each password to memorize it, though.
For ones that I don't care about, I just generate a string that "seems random" to me, without coinflipping. (At least this removes some of the most obvious strings).
I agree with moo mostly; however, I come up with *one* really long and difficult password which I then create a twofish encrypted USB volume with.
On that volume, I have all of my sensitive information including credit card numbers with contact phone numbers, login information for all of my accounts, and the security questions that go along with them (I never answer those questions truthfully, as it's easy for a third part to get the answers in most cases). This setup allows me to create passwords that are as complex as possible without having to memorize them.
If someone were to crack twofish or brute-force my 40+ character pass-phrase, I'd be screwed.
If you use this method, remember to make regular backups of the volume :)
As SysAdmins etc we all know that from the systems perspective passwords are cheep and chearfull.
We (should) all know the problem with passwords is the grey squishy bit at the other end.
Humans don't do the written word very well, and have difficulty rembering things without a pattern within them. And we have another failing we are in general "old dogs" so do not take kindly to "learning new tricks" after we are no longer pups.
Worse we are also in general as stuborn as mules and we have to not only see but belive something is better before we will sign up to it.
Which is why the "carrort or stick" teaching methodology appears to be the lowest common denominator method used in all cultures.
These traits / failings appear to be inherant from the way our minds work or are trained, and are not going to be resolved any time soon.
As John pointed out the important aspect (which System designers realy realy should take on board) is the bussiness case. Upto now the main method of dealing with password failings is a typical business response to an unknown quantaty which is "externalise the risk".
However as John noted when it comes to reputation you cannot externalise risk, so it's a failed method of mitigation.
Passwords are both an easy "cop out" for system bods and a liability to their pay masters, due to the majority of users.
So we realy need to replace them with a better method as a matter of business priority.
And it should be driven from the top by the business not the system bods.
Unfortunatly as has been often pointed out the grey squishy bit is it's own worst enemy. We cann't remember things, we lose things and we are disorganised to the point where a number of us close the door without knowing we have our keys...
Which is why most of the methods so far tried have partialy failed.
Which is why I guess it's hardly surprising Bruce recomends writting your passwords down on a bit of paper in your wallet...
So it's definatly time for a "better mouse trap".
Bruce, you said: Websites are sloppy, too, allowing people to set up easy-to-guess "secret questions" as a backup password or email them to customers.
allowing? you mean requiring! I can't count the number of sites that had this mandatory section where you have to choose one of five questions whose answers are guessable in one minute (either bruteforce, social or plain google). you know what? I put another huge unlock password/phrase there, completely unrelated to the question.
For the response to secret questions, use a password just as difficult as the main password, unrelated to the question, kept track of with PasswordSafe.
Sure, the 'first letter of each word in a sentence' approach will defeat a dictionary attack, but statistically certain letters are more common as the first letter of words, because certain words are more common in any sentence. The word 'the' makes up 7% of the english language. And it gets worse. Half the English language is only 135 words, and 13.7% of those words begin with the letter 't'.
You could cleverly add digits or symbols, and choose a set of letters that seems random to you, but as a general recommendation, the 'first letter of words in a sentence' is weak.
For passwords, this approach is more random:
You shuffle and deal out a random password with upper and lower case letters and numbers. You could make a set of cards with symbols also, if you wish.
For secret questions, it is better to allow user choice. To make a social guessing attack harder I recommend guidance to users to choose a negative QA response e.g. "The worst team is ...",
"I would never call a pet ....",
"My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary."
That's great advice for choosing a password, but when the administrator decides, for security reasons, to expire your password and force you to choose a new one every 90 days, you've got to go through the creative exercise of choosing a perfect password again...and remembering it.
Password aging policies, inflexible password rules, and the now-ubiquitous "secret questions", all seem to run counter to the practice of choosing and keeping a good password.
@Feelyat - Good comment on aging. When I was a sysadmin, that was the number one complaint. We had strict rules requiring good password complexity. Users were even willing to put up with it at first... but after the second or third expiration (not counting forced changes when they forgot the password), they tended to revolt. Several people contemptuously told me the policy had led them to leave the fabled under-keyboard post-it.
This was mainly due to auditors who had standard checklists and always insisted on "good" password aging policies. They didn't seem to grasp that additional complexity would offset a longer maximum age. All too often knee-jerk security trumps actual thinking about what we're trying to accomplish.
On another subject - anybody got a decent PasswordSafe-compatible tool on Linux? I've been using the command-line pwsafe, but it's not as convenient as the Windows PasswordSafe. Yes, I could just use an encrypted file, but pwsafe also protects the passwords in RAM.
I have often just taken an easily remembered word or phrase and typed it off the home keys on the keyboard. In this way, even I do not actually know the real password. Its simple but then I don't have any real need for total security.
@MarkR: Password Gorilla works fine on Linux and MacOS X (and Windows) and looks and feels just like the original.
I never took the "security questions" literally. Sometimes I just give randomly generated strings, or in case where I have to answer the security question every time (since my browser discards the cookies that sites "remember me" by), I use nonsensical answers. E.g., using "Bruce Schneier" as my mother's maiden name, that kind of thing.
And then I keep these site-specific answers to security questions in the "Notes" field in Password Safe.
The security questions often crack me up (but I shouldn't laugh because they are a weakness). I don't know what good strong encryption and long/complex passwords are if you have a big DAS (Dumb @$$ Stupid) vulnerability.
I shook my head at a phone conversation with a credit card company. They asked me for my mother's birth month, then they gave me four months to choose from. So, they upped my odds of guessing from 1 in 12 to 1 in 4. DAS.
I also loath the favorite sports team questions. If you are trying to break an account whose owner is in St. Louis, there is an excellent chance the favorite team will be the Cardinals, Blues, or Rams. DAS.
It's like installing two dead bolts and alarms at the front door, but leaving the back door accessible with a skeleton key as a back up. Or using think chains to bolt your laptop down to a flimsy wooden table.
@Loic Nageleisen: "allowing? you mean requiring! I can't count the number of sites that had this mandatory section where you have to choose one of five questions whose answers are guessable in one minute (either bruteforce, social or plain google)."
Entering something is required. Actually answering it with the simple correct answer is optional. If the question is "where were you born?" you could type in Guatala-bangala-boogala-desh instead of Springfield. For mother's maiden name, you could type Wanana-tanna-pumba. Something unlikely to be guessed or googled.
They may require you to enter something, but there is seldom a case where you must give the weak answer.
How many do this? Not enough I'm sure.
I like the SFSP (Simple Formula for Strong Passwords) paper from SANS (http://www.sans.org/reading_room/whitepapers/authentication/1636.php)
My personal method is to start with a relevant phrase that contains exactly five words and two numbers. For example, I’m a huge fan of the Beatles. So my phrase can be, “In 67, Sgt. Pepper was released.” Taking the first letter from each word leads to i67spwr. If I want to maintain the capitalization, it becomes i67SPwr. I then use another letter or two to signify the site, such as i67spwra for amazon.com and i67spwrl for the library.
The beauty of this system is that it allows me to use the “Post-It” method for a hint. I could write down “Beatles” (or if I want to be a little more obscure, “btl”) and put sticky notes all over my office. I challenge a cracker to derive i67spwrd from “btl.”
Why do I specify a five-letter, two-numeral phrase? Because there are systems still in existence which allow a maximum password size of eight. Why two numbers? Because one of my financial institutions requires that the password contain two numbers.
The key is consistency. If you have to make little exceptions, you tend to write them down.
Michael Seese, Author of Scrappy Information Security
I just remembered a funny anecdote. Once, while doing an after-hours security sweep at one of our facilities, I found an office where the userid (we don't use a scheme as simple as "mseese") and password were on a Post-It on the monitor. And the password was "golfing1." I thought, "You can't remember golfing1?"
I had a colleague who would replace the Post-It with one which read, "Forget your password? Call the Help Desk."
@ Michael Seese: ""You can't remember golfing1?"
As an IT Auditor, I've found cracked passwords (or found post its and other notes) such as "November," "secret11," etc.
How much do you want to bet that when those passwords quit working, "December" and "secret12" worked?
I've told managers what their passwords were at exit conferences before. They usually argue that I can't compare information I obtained as an auditor to information someone else can obtain. Perhaps, but not even an auditor should ever get their password. My position may have given me a bit more freedom to do it with less scrutiny, but what I did was not anything someone else couldn't have done.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.