Comments

Matt from CT • January 25, 2007 1:21 PM

I wonder if anyone's tried the Diebold voting machine key on an ATM yet?

I know, I know...different divisions.

But it seems to me Diebold needs to hire some paranoid spook from the Government and give him the title, "Director of Get A Clue About Security"

Myvoice • January 25, 2007 2:34 PM

@I M Secure
>> ... "Password1" ...

"Password123456" has "Best" strength!

I feel so much better now.

Alexandre Carmel-Veilleux • January 25, 2007 2:35 PM

Bank ATMs usually have a locked room where the back-panel access is. At least in Montreal. The most common locks I've seen on those doors are either Abloy (old and new style) or Medeco.

Then there's the vendor-supplied key to access the inside and *then* there's the vault's combination. Additionally, access is carefully logged, video cameras film everything and the ATM independently transfers a transaction log to the processing center receiving the content of the vault. I don't know if it independently reports the content of the bill cassettes however, but the transaction log should balance out with the cash deliveries.

The keypads are supposed to be tamper-resistant and perform the PIN encryption independently of the ATM O/S. The whole thing is a sealed unit which should disable itself on tampering. Likewise a cryptocard (like IBM's) is used to encrypt the backhaul link. Keying was traditionally done with a pair of sub-keys, at least one of which is entered by a separate individual, usually from security.

However, I haven't worked in a bank for a little while now. Things may have changed/evolved a bit.

Alexandre Carmel-Veilleux • January 25, 2007 2:39 PM

If voting machines were treated like bank ATMs, risk would be quite low indeed. Instead, even the little in-store mini-ATMs get better treatment than voting machines, with things like mandatory security cam laws and reasonable locks.

derf • January 25, 2007 3:50 PM

I think someone must be bugging my office - how'd they get my job into a comic strip so perfectly?

Reader X • January 25, 2007 5:36 PM

Me: "OK, your encryption software is installed. Now you need to generate a key and set a passphrase. Click here."
They: "OK..."
Me: "Now, the passphrase has to be something you can remember, but still has to be strong and hard to guess..."
They: "OK, let me think..." (thinks)
Me: (looks around office) "...and it can't be (something written on a desk doohickey)!"
They: "AAARGH!!! How did you DO that?"

Larry Hosken • January 25, 2007 10:12 PM

There was a discussion at work in which folks discussed how they kept track of their passwords. I said, "I call up Bruce Schneier. He has all of my passwords written down on a little piece of paper in his wallet."

Maybe you had to be there.

Andrew • January 25, 2007 10:23 PM

My best password story involves the manager who couldn't keep his own password memorized. Over and over again, he'd lock himself out trying to log into his account. This was with simple passwords of the form "password1" by the way . . . he'd simply forget which numeral, and every time they'd increment "password2," "password3" etc. and he would ruin each valid password with too many guesses.

They finally found an answer for him. Set password to "password11" and set "number of tries" to 999.

Hullu • January 26, 2007 2:37 AM

.. just checked, it seems it requires a length of 14 to be 'Best'.

aaaaaaaaaaaaA1 is Best!

a. • January 26, 2007 9:48 AM

Oh, the joys.
I know the passwords to at least 50% of the computers at work because the people are stupid and too lazy to change them. So if, when they started, the password was [thecompanyname], [thecompanyname]123, or training, it is way too often still that, even after that. And a few people think they are smart when their password is [password] in some other language... would work a bit better if there were no people speaking that or those languages in the office, though.
And of course, some people keep their most business-critical passwords on post-it notes attached to their display. Woohoo.

Zwack • January 26, 2007 1:40 PM

That password checker is excellent!!!

now I know that

aaaaaaa is Weak but
aaaaaaa1 is Medium and
aaaaaaa1! is Strong and
aaaaaaaaaaaa1! is Best, I know what I'm going to use now....

Z.

Timm Murray • January 26, 2007 4:11 PM

At an old job, we had need of sending e-mails around in encrypted form. I was the one who helped people go through the key generation interface. I always told them that when it says "passphrase", it means that you can use a full phrase, with punctuation and spaces, and that they should take full advantage of it to create a passphrase that's both easy to remember and hard to crack.

Even after explaining this, many people used a 6-8 character string anyway (as I could tell from the '*' on screen). A few people just blurted out to me what they used as they were typing it.

Passwords are a complete failure as an authentication mechanism. If we could educate people, passphrases *might* work, but a lot of people seem to be stuck in the 6-8 character string mindset.

Roflo • January 30, 2007 9:30 AM

"HelloWorld2007" was rated as best.

Anyway how long will it take for someone to fake such a webpage and collect passwords?

You probably wouldn't notice if your password is sent to a server using AJAX.

Sad part is that a lot of people are probably filling in their real password in that form.
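The ratings Myvoice, Hullu, Zwack and Roflo report all fit a meter that counts only length and character classes, which is why padding with repeated letters or a dictionary word plus digits scores "Best". The added example below (not code from the checker being discussed or from any commenter) reconstructs such a meter as a hypothetical model of those observations and contrasts it with a small pattern-aware estimator; the toy wordlist, the 14-bit dictionary size and the bit thresholds are assumptions chosen for illustration.

```python
import math
import re

# Constructed toy dictionary; a real meter would use a large wordlist.
WORDS = sorted({"password", "hello", "world", "letmein", "welcome", "admin"}, key=len, reverse=True)
DICT_BITS = 14  # assume the attacker tries ~16k common words
CLASS_BITS = {"lower": math.log2(26), "upper": math.log2(26),
              "digit": math.log2(10), "symbol": math.log2(33)}

def char_class(c):
    if c.islower(): return "lower"
    if c.isupper(): return "upper"
    if c.isdigit(): return "digit"
    return "symbol"

def naive_rating(pw):
    """Hypothetical length-and-class meter matching the ratings quoted in the thread."""
    if not pw:
        return "Weak"
    classes = len({char_class(c) for c in pw})
    if len(pw) >= 14 and classes >= 2:
        return "Best"           # 'aaaaaaaaaaaa1!' and 'Password123456' land here
    return {1: "Weak", 2: "Medium"}.get(classes, "Strong")

def estimate_bits(pw):
    """Rough guess-entropy: runs, dictionary words and digit patterns cost far less than their length."""
    bits, i = 0.0, 0
    while i < len(pw):
        rest = pw[i:]
        run = re.match(r"(.)\1{2,}", rest)                 # 3+ repeats of one char
        word = next((w for w in WORDS if rest.lower().startswith(w)), None)
        digits = re.match(r"\d{3,}", rest)
        if run:                                            # one char plus a length
            bits += CLASS_BITS[char_class(run.group(1))] + math.log2(len(run.group()))
            i += len(run.group())
        elif word:                                         # wordlist index plus a capitalisation bit
            bits += DICT_BITS + 1
            i += len(word)
        elif digits:
            d = digits.group()
            if len(d) == 4 and 1900 <= int(d) <= 2100:
                bits += math.log2(200)                     # a year
            elif all(int(b) - int(a) == 1 for a, b in zip(d, d[1:])):
                bits += math.log2(10) + math.log2(len(d))  # ascending run such as 123456
            else:
                bits += len(d) * CLASS_BITS["digit"]
            i += len(d)
        else:                                              # leftover char: assume its whole class
            bits += CLASS_BITS[char_class(pw[i])]
            i += 1
    return bits

def pattern_rating(pw):
    bits = estimate_bits(pw)
    return "Weak" if bits < 30 else "Medium" if bits < 45 else "Strong" if bits < 60 else "Best"
```

Because leftover characters are charged their full class, the toy overrates words outside its tiny list; the point is that every "Best" password quoted in the thread drops to Weak or Medium once repeats, words and sequences are priced as patterns.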
