Educause Security Discussion mailing list archives

Re: Student paper "editorial" on robust passwords


From: "David Wall @ Yozons, Inc." <david.wall () YOZONS COM>
Date: Thu, 23 Sep 2004 13:58:58 -0700

Well, the phrase you selected is probably pretty good, and if you have a system that locks out after several 
failures in a row, it's probably never going to be broken (assuming no keystroke loggers or the like are present).  But 
that's because you're being conscientious.  But how many people will open the attachment you sent them unsolicited and 
run the risk that they've been tricked?

You are a touch typist, because few non-typists would be able to successfully type such a string easily and accurately 
since it wouldn't be echoed back.  Heck, many can't even figure out when their caps lock is on!  Also, the password 
policy in the joke commentary doesn't even give usable tips as you have suggested, only making a bunch of rules that a 
regular joe wouldn't likely think of as a way to construct such a mnemonic.

As you are a computer expert who is likely familiar with security, you know and respect this.  Most other users look at 
the long list of passwords to remember and figure a piece of paper is an easy tradeoff for remembering it all.  After 
all, this policy is for only one such system, while the user will also have many others.  In fact other systems 
probably won't accept your password because it won't meet their password quality standard.

Also, some smart folks who come up with my32yos#nir are doing well, except that they use it everywhere.  So the same 
password is used in many systems in which the security of those passwords is not well established.  On some low 
security sites that require logins (news sites, for example), they'll even helpfully remember the password in a cookie 
for you, so if you suffer a cookie exploit, you'll give up that password which turns out to be used on many other sites 
as well.

I personally have so many passwords that I use Password Safe, a free, open source Windows program developed initially 
by crypto guru Bruce Schneier.  It's a nifty tool, but how many non-techies would ever consider such a thing?

Next, consider the obvious social attacks, including watching someone enter their password, asking them their password, 
keyboard sniffers, etc.  You'd be amazed at how often people just give it up when asked.  We have people email us their 
passwords when asking for support.

Many other systems, including those at AOL (at least last year this was true), store the passwords in the clear in their 
databases (or provide them in the clear to support personnel) since they can ask you what it is before they give you 
support.  Most exploits are not done on individual accounts as much as they are done by hacks that give them access to 
the database, and then they mine every password.  Recall the guy who sold the AOL database recently?

And never forget phishing/trojan attacks in which your nice password is conveniently entered into a rogue site for easy 
capture....

More robust can mean less secure quite easily.  If something is so secure that it's a pain, people will break their own 
security for convenience.  They will leave their expensive RSA token at their desks, or hold the door open for the 
"delivery" man, or write their passwords down.  Thieves foil car alarms by triggering alarms enough times that the 
owner turns it off to avoid more "false" alarms.  Doors are propped open "just for a minute" while they run to their 
car or smoke a cigarette.  People leave their computers unattended while still logged on.

Anyway, my point was more with respect to the humor of it.  They probably weren't even suffering from any serious 
password hacks when this policy was introduced.  And what sort of issues would crop up if someone did break into the 
account?  It's important to balance the amount of security with the value of what's behind it.  If I can spend my 
money, I'm more concerned than if I can look at my course schedule, for example.

David
  ----- Original Message -----
  From: Lucas, Bryan
  To: SECURITY () LISTSERV EDUCAUSE EDU
  Sent: Thursday, September 23, 2004 10:39 AM
  Subject: Re: [SECURITY] Student paper "editorial" on robust passwords


  more robust = less secure?  How's that?

  The attached Cambridge study on passwords and mnemonic devices disproves a lot of the misconceptions regarding 
complex passwords, including they are too hard to remember and will be written down more frequently/longer.

  From an anecdotal standpoint, I've also found that after I've keyed in a complex password for 2-3 weeks, I don't even 
think about it anymore; my fingers take over.

  Using a phrase such as "My 32 year old son's name is Robert" and adding in a special character such as "m32yos#nir" 
makes it both complex and easy to remember.

  Bryan Lucas
  Lead Server Administrator
  Texas Christian University
  (817) 257-6971

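The mnemonic scheme Bryan describes (keep the numbers, take the first letter of every other word, drop in one special character), and David's observation that a password built this way may not satisfy another system's quality rules, are the two concrete technical points in this exchange. The following Python is an added illustration written for this archive page; it is not code from either poster. The rule sets passed to `meets_policy` are assumed for the illustration and do not reproduce any real institution's policy.

```python
import string

# Added example: derive a mnemonic password from a phrase the way the
# thread describes.  Each purely numeric word is kept verbatim, every other
# word contributes its first letter in lower case, and one special character
# is inserted after the word at position `insert_after_word` (1-based), or
# appended at the end when no position is given.
def mnemonic_password(phrase, special="#", insert_after_word=None):
    words = phrase.split()
    pieces = []
    for index, word in enumerate(words, start=1):
        token = word.strip(string.punctuation)  # drop trailing commas, quotes, etc.
        if not token:
            continue
        pieces.append(token if token.isdigit() else token[0].lower())
        if special and insert_after_word == index:
            pieces.append(special)
    if special and insert_after_word is None:
        pieces.append(special)
    return "".join(pieces)


# Classify the characters present so a policy can reason about "classes"
# (lower, upper, digit, special) rather than individual characters.
def char_classes(password):
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


# Hypothetical quality check in the style of the rule lists the thread
# complains about: a minimum length, a set of classes that must all appear,
# and a minimum number of distinct classes.  Returns True when every
# configured rule is satisfied.
def meets_policy(password, min_length=8, required_classes=(), min_class_count=0):
    classes = char_classes(password)
    if len(password) < min_length:
        return False
    if any(cls not in classes for cls in required_classes):
        return False
    if len(classes) < min_class_count:
        return False
    return True


if __name__ == "__main__":
    # Constructed input: the phrase quoted in Bryan's message.
    phrase = "My 32 year old son's name is Robert"
    pw = mnemonic_password(phrase, special="#", insert_after_word=5)
    print(pw, sorted(char_classes(pw)))
    # A "three of four classes" rule accepts it ...
    print("3-of-4 policy:", meets_policy(pw, min_length=8, min_class_count=3))
    # ... while a policy that insists on an upper-case letter rejects it,
    # which is David's point about other systems refusing the same password.
    print("must-have-upper policy:",
          meets_policy(pw, required_classes=("lower", "upper", "digit")))
```

Running the block reproduces the thread's example string and then shows the same string passing one rule set and failing another, so the memorability gain and the portability problem can be seen side by side.
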
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
