Code Comments
On 18.03.05 howard@brazee.net (Howard Brazee) wrote on /COMP/LANG/COBOL in d1evfn$ofh$1@peabody.colorado.edu about Passwords:

HB> The problem with passwords is a serious problem. We can't use
HB> passwords that are easy to remember, and we can't write them down and
HB> post them next to our computer.

A couple of years ago I had made a count, and found that I had to memorize 20 passwords (including PINs for bank and phone cards). With all the web sites and web forums, this number has multiplied.

HB> What happens is often people go to
HB> a site that wants a password, and they try a dozen variations of
HB> their user-id until they get one that hasn't been used at that site
HB> before, log on, get a password, forget it, and repeat next time they
HB> need to go there. Or if they can, they use the same password
HB> everywhere.

The latter makes sense: actually not the same password everywhere, but a set of, say, 5 userid/password pairs depending on the necessary security level.

HB> (I wonder how many sites have been created that are
HB> designed to harvest such passwords).

Well ... I don't know either. At least, nobody has yet cracked the passwords I use for my bank accounts...

Yours,
Lüko Willms
http://www.willms-edv.de
L.WILLMS@jpberlin.de -- All rights reserved --
One finds instruction more often in the world than consolation. -G.C.Lichtenberg
In article <9T7QryK9flB@jpberlin-l.willms.jpberlin.de>, l.willms@jpberlin.de (Lueko Willms) writes:

> On 18.03.05 howard@brazee.net (Howard Brazee) wrote
>
> HB> The problem with passwords is a serious problem. We can't use
> HB> passwords that are easy to remember, and we can't write them down and
> HB> post them next to our computer.

Of course there's a ton of research on passwords and other forms of shared-secret (and secret-and-verifier) authentication in computer security. And the conclusion everyone comes to - unless they just adopt it as an axiom to begin with - is that passwords, particularly short passwords, simply do not work. They're a terrible mechanism.

(PINs are even worse. They're much too short, and they make other attacks, like account scanning, possible. (In account scanning you pick a PIN and try it across the whole range of account numbers. Since there's only one login failure per account, the bank doesn't lock access to any of the accounts. With a small PIN number space and a lot of accounts, chances of finding a match are very good.) And ATM cards contain the PIN in the clear anyway, so if you have a card all you need is a mag-stripe reader. Pathetic.)

Pass *phrases* are a small improvement. A passphrase that's not too difficult to remember can have as much entropy as a "good" password without any trouble, even if the passphrase system doesn't require a verbatim match (for example, it may fold case) in order to accommodate minor differences. It's not hard for most people to remember a quotation of a couple of sentences, for example.

It also helps to have a sensible threat model. It may be acceptable to keep a file of passwords on a computer, for example, if it's properly protected; if that machine is sufficiently compromised to allow an attacker to get the contents of the file, they can get the secret information in other ways (e.g. a keystroke logger).

Absolute security rules in the absence of a threat model are security theater, and generally the sign that security policy is being set by someone who knows nothing about the subject.

> HB> Or if they can, they use the same password everywhere.
>
> The latter makes sense, actually not the same password everywhere,
> but a set of, say 5 userid/password pairs depending on the necessary
> security level.

Or a single (or better, a handful of) passwords that are mangled slightly, in a manner the user can reconstruct, for each login domain - for example, the user appends a character he associates with the site to the "base" password. That adds a little security against manual attacks (it's negligible for automated ones that are at all sophisticated).

> At least, nobody has yet cracked the passwords I use for my bank
> accounts...

You mean, none of the people who have cracked them have yet used them in ways you have noticed.

--
Michael Wojcik
michael.wojcik@microfocus.com
Proverbs for Paranoids, 1: You may never get to touch the Master, but you can tickle his creatures. -- Thomas Pynchon
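The account-scanning failure mode described above (one guess per account across many accounts, so no account ever reaches its lockout threshold) is the reason a per-account lockout rule alone is insufficient. The detector below is an added example, not code from this thread or from any product named in it; the log format and the sample lines are constructed for the example.

```python
# Added example (not code from the thread): one guess per account across many
# accounts never trips a per-account lockout, so count distinct accounts per source.
# Log format and sample lines are constructed.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<res>ok|fail) acct=(?P<acct>\d+) src=(?P<src>\S+)$")
# Constructed: 1001 fumbles once, 1002 fails 3x (lockout), 203.0.113.7 hits 5 accounts once each.
SAMPLE_LOG = """\
2005-03-18T10:00:01 auth=fail acct=1001 src=10.0.0.5
2005-03-18T10:00:09 auth=ok acct=1001 src=10.0.0.5
2005-03-18T10:01:00 auth=fail acct=1002 src=10.0.0.6
2005-03-18T10:01:20 auth=fail acct=1002 src=10.0.0.6
2005-03-18T10:01:45 auth=fail acct=1002 src=10.0.0.6
2005-03-18T10:02:00 auth=fail acct=2001 src=203.0.113.7
2005-03-18T10:02:05 auth=fail acct=2002 src=203.0.113.7
2005-03-18T10:02:11 auth=fail acct=2003 src=203.0.113.7
2005-03-18T10:02:16 auth=fail acct=2004 src=203.0.113.7
2005-03-18T10:02:22 auth=fail acct=2005 src=203.0.113.7
"""

def parse(log_text):
    """Return (timestamp, result, account, source) tuples; skip malformed lines."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [(datetime.fromisoformat(m["ts"]), m["res"], m["acct"], m["src"])
            for m in matches if m]

def per_account_lockouts(events, threshold=3):
    """Classic rule: N failures on one account. Blind to scanning by design."""
    fails = Counter(acct for _, res, acct, _ in events if res == "fail")
    return sorted(a for a, n in fails.items() if n >= threshold)

def scanning_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources whose failures hit >= min_accounts distinct accounts in a window."""
    by_src = defaultdict(list)
    for ts, res, acct, src in events:
        if res == "fail":
            by_src[src].append((ts, acct))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window forward
                start += 1
            distinct = {acct for _, acct in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

On the sample, the per-account rule catches only account 1002, while the per-source rule flags 203.0.113.7 and never touches the two legitimate sources.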
On 18.03.05 mwojcik@newsguy.com (Michael Wojcik) wrote on /COMP/LANG/COBOL in d1fe3v0ge0@news2.newsguy.com about Re: Passwords:

MW> You mean, none of the people who have cracked them have yet used
MW> them in ways you have noticed.

Maybe.

Yours,
Lüko Willms
http://www.willms-edv.de
L.WILLMS@jpberlin.de -- All rights reserved --
A book is a mirror: if a monkey looks in, no apostle can look out. -G.C.Lichtenberg
Donald Tees wrote:
> Lueko Willms wrote:
> Under Linux, I can put them all in an encoded wallet, and have it
> remember them for me. If you get one of those half gig memory devices on
> a keychain, they plug into your USB slot, then place the wallet on the
> keychain device, you have a nice key to everything of yours that will fit
> in your pocket. Under $100.

What's the official name for the 'half gig memory devices on a key chain'?

Somebody in Future Shop demoed one to me while he was discussing a new XP machine, putting it into a USB slot to look at his Word documents.

I've not yet seen one of those 'wireless' Mouse/Mice you once referred to. Not that I spend my time sauntering around computer stores.

Jimmy