Security Basics mailing list archives
RE: proper password handling
From: "Isaac Van Name" <ivanname () southerlandsleep com>
Date: Fri, 6 Oct 2006 12:19:29 -0500
As always, Mario, I enjoy reading your posts as they are entertaining, if not always considering an alternate opinion. That being said, I agree 100% that three-way authentication with biometrics is a strong method that should be employed. For a company that is at all worried about security (which should be every company), this is worth the investment. However, in cases where, for whatever reason, the company will not go that route, there are reasonable alternatives. In this respect, I have to say that Robert's quote is not a bad idea, although I would not call it the "best" solution. The best solution would be a member of a multiple-point authentication method, like the one above. In a company that doesn't want to go the "best" route, you have to improve what you already have as best as you can. Consider this: Yes, we can fire everyone that writes down a password because they can't remember it but, then, all the offices in my workplace (except mine) and probably everyone else's would be empty. (Office personnel != computer literate) in most cases. Educate, threaten, warn, discipline... and they still do it. It's a fact of life. We're just smarter and more capable than them. One thing I've noticed time and time again about network security is that you have to take into account who you're securing. For instance, if some office personnel need 3 websites to perform job-related tasks, but you decide you don't want anyone to have internet access, then you'll probably get fired quickly. Same with passwords... if you set the standard so high that employees just keep getting fired, management will probably plant a foot in your hind quarters and give you a nudge. You already know that they're going to write down the password, so work off of that. Make a password between 11-14 characters and a "passphrase" inside of it (starting at a random location) that's 4-6 characters long. Make the passphrase something they can remember with a pneumonic ("I have 2 Dogs" = Ih2D). Let them write down the rest of the password ("j4f6QA15") and tell them where the passphrase goes (after the 4 = "j4Ih2Df6QA15"). Now, you can complain that security is compromised (and it is to an extent), but you also have to consider how the REST of it can be compromised: How long would it take to brute-force a 12-character password? True, it would take less time if you knew the written 8 characters, but you'd still have to "brute" the passphrase for an undetermined amount of characters at any position in the written portion... quite a daunting task still. Then, if they write down their pneumonic, shoot them. They deserve it. Enforce what you know they can handle, and make that meet your security needs. It's worked for me so far, and I still have a job. One thing to remember, too: No matter how much you secure your network, it will ALWAYS be susceptible to compromise... you just have to defend as best as you can. Isaac Van Name Systems Administrator Southerland, Inc. ivanname () southerlandsleep com "What good would you do with an ignorant employee? Ignorance is grounds for dismissal..." - Mario Spinthiras Open Source developing at its finest: "Written in vim, W3C valid and UTF-8 encoded, for her pleasure." Disclaimer: This email is intended only to be used to feign intellectual mastery of a subject or superhuman command of the English language, when profanity is involved. By reading this email, you are agreeing to cease all correspondence with the sender upon realizing your own ignorance, and furthermore to refrain from taking legal action against said sender when your compounding ignorance crushes your inadequate self-esteem. Have a nice day. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mario A. Spinthiras Sent: Wednesday, October 04, 2006 1:19 AM To: Robert.Graham () bt infonet com Cc: security-basics () securityfocus com Subject: Re: proper password handling Robert.Graham () bt infonet com wrote:
The best solution I ever heard of was from the Security Guru himself,
Bruce
Schneier: Create passwords with a secret string that you commit to memory, in the
middle.
Write down the password with everything but this special string. Then,
from the
user side, it simulates two factor authentication (something you have[the
paper]
and something you know [your secret string]). Even if the paper is lost or compromised, the damage is minimal. Ideally, once the paper is
compromised, the
password is changed, but the secret string may be re-used. Best would be
to lock
up a safe copy so that should the carry copy be lost, that password can be
reset
easily and quickly. Today, with so many passwords, it's not possible to create strong ones
that can
be remembered. Robert J Graham | Security Engineer | Global Security Group | BT Infonet |
Tel:
+1 310 335 4454 | E: robert.graham () bt infonet com |
http://www.bt.infonet.com
---------------------------------------------------------------------------
This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life. http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Fortunately for me I have the tendency of judgement with regards to who is considered a guru or not in any matter whatsoever. In this case my judgement does not fail me and the feedback from it gives me the negative impression with regards to "guru" statements. A password is not something you write down. I do not know which madman started such a foolish practice but if there was a prize in computational security I presume he would have won it many times over. The above practice is not based on "what you know" and "what you got" , because the two end up being compbined in the same exact place at the application layer which means that it was in vein to proceed doing so. All it is is a missing string. That still gives administration and management of a firm the "doubt" that they will write it down since the principle is based on two parts to complete a whole passwords. The above practice is simple A DOUBLE "WHAT YOU KNOW" authentication process which in my eyes and many righteous administrators out there... IS COMPLETELY WRONG. If you want more on creating a wonderfully constructed authentication process which concludes security at its finest I suggest you search through my posts with regards to biometric three way authentication : "What you got , What you know , Who you are" Enjoy! Regards, Mario A. Spinthiras --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus --------------------------------------------------------------------------- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- proper password handling Robert . Graham (Oct 03)
- Re: proper password handling Mario A. Spinthiras (Oct 04)
- RE: proper password handling Isaac Van Name (Oct 06)
- Re: proper password handling Zapotek (Oct 04)
- <Possible follow-ups>
- Re: proper password handling krymson (Oct 06)
- Re: proper password handling Gregory Rubin (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 10)
- Re: proper password handling Mario A. Spinthiras (Oct 04)