Security Basics mailing list archives

RE: Article / Document about passwords vs. passphrases


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Tue, 31 Oct 2006 15:17:11 -0500

Folks - this still seems to miss the real crisis.

Until we admit that enforcing strong passwords is itself part of the
problem, we'll continue to miss the mark.

Passwords are something you know so if you implement any kind of policy that
makes it hard to know your password, YOU are breaking the security model -
not the user.

We have 30 to 50 passwords per user; at work, at home, for play, for trade.
To be strong, they must each be different or we're subject to the weakest
link problem. To be strong, they all have to change frequently. 

The sole purpose of a password for authentication is to capture something
the user KNOWS. 

These discussions all involve creating rules that a user won't know if they
have 30+ passwords that we keep changing.

The answer still must be multi-factor authentication: write down the complex
part and save it as a token, or take a token value from a device and append a
PIN or simple KNOWN password.

You can write down 20 characters and save them on your desktop and then
simply append a simple KNOWN password.

But again, the part the client KNOWS is the password and we can't go on
creating algorithms we call strong passwords that make it impossible for the
user to know their passwords.

Again - passwords are something a user knows. If you have an algorithm that
produces passwords your users don't know, it's your system that's broken -
even if we hide that system in the language of strong passwords or
passphrases.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kurt Buff
Sent: Tuesday, October 31, 2006 1:36 PM
To: Florian Rommel
Cc: Pen-Testing; security-basics
Subject: Re: Article / Document about passwords vs. passphrases

On 10/30/06, Florian Rommel <frommel () gmail com> wrote:
<snip>
I was told that Windows Vista will not let you use (SPACE) in your
password, can someone confirm or deny this?

This seems quite absurd. I've been using spaces in my passwords for
years on Windows, up to and including Win2k3 - for MSFT to degrade
password functionality in this way would be madness far surpassing
their norm.

Also, someone said that
only the most recent version of Linux allows you to have long
passwords; according to my memory, this has worked already for a
looong time (I remember I used a long password quite a few years back
already), so any info on that would be good too. Any pointer as to how
to improve this article would be excellent, since quite a few of the
people I know use my stuff as reference and I wouldn't like to be
"that" wrong :)

Can't speak to Linux, but my FreeBSD installations have, for the 5+
years I've been using them, allowed me passwords as long as I
wanted - certainly longer than 8 characters.

Kurt

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

