Passwords
- Forget passwords, use passphrases
- They're easy to remember and extremely difficult
to brute force. Just tell your users "Write a snippet of
something which is meaningful to you". We can all type at 30+
words a minute so entering a 30 character password in natural
English (perhaps without spaces) goes surprisingly fast. For example,
supposing I liked classical literature, I could use
- socaesarmaythenlesthemayprevent (this is part of
Brutus' soliloquy in Act 2 Scene 1 of Julius Caesar, which I had
to memorize way back in high school). If you want to be reaaaaally
anal you can obfuscate it a bit (l33tify, what have you). There is
no convenient dictionary of "meaningful phrases in
English" out there, although I suppose it would be somewhat
less than secure if someone were able to find out you were, e.g.,
a Star Trek fan. And they're guaranteed to be easy to remember --
humans are a lot better at remembering natural language they have an
emotional connection to than remembering arbitrary alphanumeric
strings. In fairness, I stole this tip from a Slashdot discussion
about a year back sparked by advice from Microsoft, and have been
using ridiculously long passphrases since for all my "if that
breaks, I'm "#$"#"#$%ed" logins (I still go
with crazy insecure for trivial things like my slashdot login).
I've got about 12 of them at the moment and have no problems with
remembering them and changing with the security policy, whereas
beforehand I had a discreet post-it.
Passwords
- I've started using what I think is a great way to create what appear
to be rather secure passwords that are easy to remember and
recoverable (that's a highly qualified statement as I am in no way a
security expert). Go to:
http://www.hashapass.com/ [hashapass.com]
- and enter your "parameter" (e.g. "march2006")
and "master password" (e.g. "mysecretpassword")
and you get a password (e.g. "K0u4CUXG") generated from
the two. Of course you still have to remember the password, but at
least if you forget it you can recover it from wherever you are,
without having to write it down. It's all local JavaScript on the
browser, so there's no network exposure...
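The post describes a password derived locally from a site "parameter" and a master password. The block below is an added example, not the site's code: it assumes the scheme is an HMAC-SHA1 keyed by the master password over the parameter, base64-encoded and cut to 8 characters, and it also computes the ceiling such a short derived string puts on password strength regardless of how long the master is.

```python
import base64
import hashlib
import hmac

# Characters base64 can emit; used to sanity-check derived output.
B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def derive_password(master: str, parameter: str, length: int = 8) -> str:
    """Deterministic per-site password.

    Assumed shape of the hashapass scheme (not verified against the site):
    HMAC-SHA1 keyed by the master password over the site parameter,
    base64-encoded, truncated to `length` characters. Same inputs always
    give the same output, which is the whole point: it can be regenerated
    anywhere instead of written down.
    """
    mac = hmac.new(master.encode("utf-8"),
                   parameter.encode("utf-8"),
                   hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def output_entropy_bits(length: int = 8) -> float:
    """Upper bound on the guessing work for a derived password.

    Each base64 character carries at most 6 bits, so an 8-character
    output is at most 48 bits no matter how strong the master password
    is. A stronger master only protects the *master*; the per-site
    password is still only as strong as its own length.
    """
    return 6.0 * length


def looks_like_derived(pw: str, length: int = 8) -> bool:
    """Check that a string has the shape this scheme produces."""
    return len(pw) == length and all(c in B64_ALPHABET for c in pw)
```

Because every site password is a pure function of the master, a leaked master plus the public parameters recovers all of them; the deterministic design trades that single point of failure for not having to store anything.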
Passwords
- Current corp policy here is minimum 8 characters,
characters are classified as "upper case", "lower
case", "numbers", and "special
characters", and we must use at least 3 different classes of
character in the password. Password changes every month, and we
cannot repeat any of the previous 10 passwords....
Simple solution is to use a pass phrase that's easy to remember,
and add numbers to the end of it.
- Like:
"I hate our dumbass security policy01"
"I hate our dumbass security policy02"
"I hate our dumbass security policy03"
"I hate our dumbass security policy04"
"I hate our dumbass security policy05"
"I hate our dumbass security policy06"
"I hate our dumbass security policy07"
"I hate our dumbass security policy08"
"I hate our dumbass security policy09"
"I hate our dumbass security policy10"
"I hate our dumbass security policy11"
at this point I can either start the sequence over again, or keep
counting upwards.... how many months has it been since this
dumbass security policy took effect?
:-)
Passwords
- A password with the requirements you've outlined
is pretty easy to generate and remember: myPASSWORD33fitsHERE999
American English words, a couple of digits, mixed capitalization
without looking too much like l33tspeak and it doesn't look like
line noise.
- Someone running a password cracker would have to
try every combination of words in their dictionary file with
multiple attempts for capitalization and numeric sequences mixed
in, a data set that contains too many permutations to feasibly
try.
Just don't write it down anywhere. It would be easier to steal the
little sticky-note under the keyboard than it would to brute-force
it.
Online Tools
- 2600: The phrase "We the people of the
United States, in order to create a more perfect union" could
compress down to "WtpotUSiotcampu". Unfortunately this
only involves upper and lower case letters.
Passwords
- I use two complementary password generation
schemes: (1) I pick a word or pair of words and convert them to
31337. Example: supersecure->sp3rs3cur3.
- This is 10 chars long, which is Good Enough for a
commonly rotated password, easy to remember but hard to guess.
- (2) I choose a phrase, such as a quote I like,
and use the whole thing. For a while my root password was:
myvoiceismypasswordverifyme.
- Now, technically that's not very secure because
it's all lower case letters. But due to the length the amount of
time it would take to crack is quite high. Again, good for a
commonly rotated password.
- For added security I use method 2 with method 1.
Here's a secure password I no longer use:
Iseemt0behavingtremend0usdifficultywithmylifestyle!
(Uppercase I intentional; exclamation point included.)
You get the idea.
- Unless there's some flaw that I don't know about,
I've always liked the password method where it's two random
English words (DoorAsphalt or MessHeave). It's easy to remember,
and assuming, say, a 40,000 word dictionary, that gives 1.6
billion combinations.
Passwords
- Some advice Bruce Schneier once gave: there is nothing so terribly
wrong with writing your password down on a piece of paper and
putting it into your wallet. Your wallet is a security mechanism
that you already use, and you are very practiced at keeping it
secure.
- Paper left in a wallet tends to become crumbly
and perhaps ultimately unreadable. That's why people tend to keep
such bits of paper in their desk drawer rather than their wallet.
- You should keep a dollar folded up in a safe
place in your wallet, and just use the serial number on it as your
password.
Passwords
- Most people have responded with their experiences
in keeping track of their passwords, but I was wondering if it
would be possible to implement a system where the password expiry
would be based on the complexity of your password. So when you
enter your password, the system could analyze the length, number
of repeated characters, digits, and symbols. Then with the
complexity, it could calculate the expiry time. So people who have
passwords of length 8-12 would have to change their passwords
every month, those who have 20+ length passwords could keep theirs
for 6 months (depending on how you calculate the complexity). This
way people could 'buy' a longer expiry time by adding symbols or
length.
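The post proposes scoring a new password on length, repeated characters, digits and symbols, then letting that score set the expiry. The block below is an added example of one such policy, not code from the post: the weights and the day counts between the two anchors the post gives (about a month for 8-12 characters, six months at 20+) are this example's own choices.

```python
import string
from collections import Counter


def complexity_score(pw: str) -> int:
    """Score the attributes the post lists.

    Length counts one point per character, each character class present
    (lower, upper, digit, symbol) adds a point, and repeated characters
    take points away, so padding with the same character buys little.
    Weights are this example's assumption, not a standard.
    """
    classes = [
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    # Every occurrence of a character beyond its first is a "repeat".
    repeats = sum(n - 1 for n in Counter(pw).values())
    return len(pw) + sum(classes) - repeats // 2


def expiry_days(pw: str) -> int:
    """Map the score to an expiry in days.

    Below the 8-point floor the password is rejected outright (0 days);
    8-12 points gets the post's monthly rotation; 20+ points gets six
    months; in between the user 'buys' days linearly by adding length,
    digits or symbols.
    """
    score = complexity_score(pw)
    if score < 8:
        return 0
    if score <= 12:
        return 30
    if score >= 20:
        return 180
    return 30 + (score - 12) * (150 // 8)


def should_expose_expiry_to_user(is_account_owner: bool) -> bool:
    """The expiry reveals how weak the password is, so only the account's
    own owner should ever see it (never other users or unauthenticated
    callers); see the reply below about targeting short-expiry accounts."""
    return is_account_owner
```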
- My personal favorite way of generating secure
passwords is to use a Passphrase. You can use Diceware to generate
some passphrases for you http://world.std.com/~reinhold/diceware.html
[std.com] and it also has instructions for adding symbols/numbers
to the passphrase.
Other slashdotters have mentioned Password Safe by Bruce Schneier.
I strongly recommend this as well. I keep a copy of these at home
encrypted using my master passphrase just in case I forget them.
- Interesting thought. But the idea of password
expiry is not just to reduce the available time to crack. It's to
limit the damage if the password has been compromised. If we
change passwords every 90 days then a bad guy only has 90 days to
do some damage. A talented bad guy would install a back door
within that time window, though.
- And as an attacker, if I could find out this
information (knowing which accounts expire frequently), that would
tell me which accounts to attack (due to having less complex
passwords). Not outside the realm of possibility, however
unlikely, and it provides information on the password.
(A similar concept is the old Lotus Notes login screen. Instead of
displaying a single '*' for each character typed, it would display
a random number of '*'s. That made it more difficult for a
shoulder surfer to see how many characters were in the passphrase
at a glance. Note: It was still possible to listen to the keyboard
or, worse, watch the operator's hands or shoulder movements.)
Passwords
- So what's to keep you...from simply rotating the password?
- Jan: 0123456789abcDE_
- Feb: 123456789abcDE_0
- Mar: 23456789abcDE_01
- You get the idea
- No digit will ever be the same as the same digit
in any previous 15 passwords. It contains numbers, lower and upper
case letters, and a non-alphanumeric character.
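Two posts in this thread (the "security policy01 ... 11" sequence and the Jan/Feb/Mar rotation above) show how a plain "no reuse of the last N passwords" history check is satisfied by trivial edits. The block below is an added example, not code from either post, of the check a defender would add at password-change time: it flags a new password that is a cyclic rotation of a previous one or differs from it only in a trailing counter.

```python
import re
from typing import Optional


def _split_counter(pw: str):
    """Split 'policy07' into ('policy', '07'); no trailing digits -> (pw, None)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), m.group(2)) if m else (pw, None)


def is_rotation(old: str, new: str) -> bool:
    """True if `new` is a cyclic shift of `old`.

    A string is a rotation of another of the same length exactly when it
    appears as a substring of that string concatenated with itself.
    """
    return len(old) == len(new) and len(old) > 0 and new in (old + old)


def is_counter_bump(old: str, new: str) -> bool:
    """True if `new` is `old` with only the trailing number changed."""
    old_base, old_n = _split_counter(old)
    new_base, new_n = _split_counter(new)
    return old_n is not None and new_n is not None and old_base == new_base


def history_violation(new: str, history: list) -> Optional[str]:
    """Return why `new` is rejected against the remembered passwords, or
    None if it is acceptable. Exact reuse is checked before the
    derivative patterns so the most specific reason is reported.

    `history` holds plaintext previous passwords (constructed test data);
    see the note after the block for what a real system can compare.
    """
    for old in history:
        if new == old:
            return "reuse"
        if is_rotation(old, new):
            return "rotation of previous password"
        if is_counter_bump(old, new):
            return "previous password with changed counter"
    return None
```

A system that stores only hashes of past passwords cannot run these comparisons against the whole history; it can only compare the new password with the current one, which the user types in plaintext at change time, so that is where this check belongs.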
Passwords
- Depending upon the system, that's sufficient.
- The key is not how complex you can make a
password. The key is how will an attacker defeat it. So, a simple
password is sufficient if the attacker will not have enough
chances (statistically) to defeat it. This is easy to accomplish
by having a time delay between authentication attempts or a
lock-out period. But this is only sufficient if you have a person
actively monitoring the authentication logs. Example: Suppose you
have a list of 10,000 common words.
- You take a random word, a digit (0-9) and another
word, that will give you 10,000 x 10 x 10,000 possible
combinations (1,000,000,000 or "one billion"). So, if
you get 3 guesses before you're locked out for 15 minutes, then
you can guess 12 passwords an hour
... 288 a day
... 864 over a 3 day weekend. Round that up to a thousand
and it's still a "one chance in a million" to guess the
password over 3 days of trying. As long as there is someone
reviewing the logs, the attempts will be noticed and actions can
be taken before there is any real chance of your password being
cracked. And WordNumberWord is not that difficult to remember.
Now, this is NOT a good practice for passwords for encrypted files
or anything else that can be cracked off-line.
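The arithmetic in this post (10,000 x 10 x 10,000 candidates, 3 guesses per 15-minute lockout, 864 guesses over a three-day weekend) and in the earlier two-random-words and Diceware posts all reduce to keyspace versus guess budget. The block below is an added example, not code from any post, that generalizes those calculations and makes the post's closing caveat explicit: the lockout budget applies only to online guessing, while a stolen hash or encrypted file is limited only by hardware speed.

```python
import math


def keyspace_word_digit_word(words: int = 10_000, digits: int = 10) -> int:
    """WordNumberWord from a dictionary of `words` entries."""
    return words * digits * words


def keyspace_two_words(words: int = 40_000) -> int:
    """Two random dictionary words (DoorAsphalt style)."""
    return words * words


def keyspace_diceware(n_words: int, list_size: int = 7776) -> int:
    """Diceware passphrase: each word is one of 6^5 = 7776 list entries."""
    return list_size ** n_words


def entropy_bits(keyspace: int) -> float:
    """Equivalent strength in bits."""
    return math.log2(keyspace)


def online_guess_budget(attempts_before_lockout: int = 3,
                        lockout_minutes: int = 15,
                        hours: int = 72) -> int:
    """Guesses an attacker can submit through the login form under a
    lockout policy: a burst of attempts, then a forced wait, repeated."""
    bursts_per_hour = 60 // lockout_minutes
    return attempts_before_lockout * bursts_per_hour * hours


def online_success_probability(keyspace: int, **policy) -> float:
    """Chance of guessing the password online within the lockout budget."""
    return min(1.0, online_guess_budget(**policy) / keyspace)


def offline_exhaust_hours(keyspace: int, guesses_per_second: float) -> float:
    """Hours to try every candidate against a stolen hash, where no
    lockout applies; the rate depends on the hash algorithm and hardware
    and must be supplied by the caller."""
    return keyspace / guesses_per_second / 3600.0
```

With the post's numbers the online budget over a weekend is 864 guesses against a billion candidates, under one in a million; the same billion candidates evaluated offline at even a modest rate are exhausted in hours, which is why the post excludes encrypted files from this reasoning.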