Re: Passwords

From: Michael Wojcik (mwojcik_at_newsguy.com)
Date: 03/18/05


Date: 18 Mar 2005 20:36:15 GMT


In article <9T7QryK9flB@jpberlin-l.willms.jpberlin.de>, l.willms@jpberlin.de (Lueko Willms) writes:
> . On 18.03.05
> wrote howard@brazee.net (Howard Brazee)
>
> HB> The problem with passwords is a serious problem. We can't use
> HB> passwords that are easy to remember, and we can't write them down and
> HB> post them next to our computer.

Of course there's a ton of research on passwords and other forms of
shared-secret (and secret-and-verifier) authentication in computer
security. And the conclusion everyone comes to - unless they just
adopt it as an axiom to begin with - is that passwords, particularly
short passwords, simply do not work. They're a terrible mechanism.

(PINs are even worse. They're much too short, and they make other
attacks, like account scanning, possible. (In account scanning you
pick a PIN and try it across the whole range of account numbers.
Since there's only one login failure per account, the bank doesn't
lock access to any of the accounts. With a small PIN number space
and a lot of accounts, chances of finding a match are very good.)
And ATM cards contain the PIN in the clear anyway, so if you have
a card all you need is a mag-stripe reader. Pathetic.)

Pass *phrases* are a small improvement. A passphrase that's not too
difficult to remember can have as much entropy as a "good" password
without any trouble, even if the passphrase system doesn't require a
verbatim match (for example, it may fold case) in order to accommodate
minor differences. It's not hard for most people to remember a
quotation of a couple of sentences, for example.

It also helps to have a sensible threat model. It may be acceptable
to keep a file of passwords on a computer, for example, if it's
properly protected; if that machine is sufficiently compromised to
allow an attacker to get the contents of the file, they can get the
secret information in other ways (e.g. a keystroke logger). Absolute
security rules in the absence of a threat model are security theater,
and generally the sign that security policy is being set by someone
who knows nothing about the subject.

> HB> Or if they can, they use the same password everywhere.
>
> The latter makes sense, actually not the same password everywhere,
> but a set of, say 5 userid/password pairs depending on the necessary
> security level.

Or a single (or better handful of) passwords that are mangled
slightly, in a manner the user can reconstruct, for each login domain
- for example, the user appends a character he associates with the
site to the "base" password. That adds a little security against
manual attacks (it's negligible for automated ones that are at all
sophisticated).

> At least, nobody has yet cracked the passwords I use for my bank
> accounts...

You mean, none of the people who have cracked them have yet used
them in ways you have noticed.

-- 
Michael Wojcik                  michael.wojcik@microfocus.com
Proverbs for Paranoids, 1: You may never get to touch the Master,
but you can tickle his creatures.  -- Thomas Pynchon
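The account-scanning attack described in the post above, worked through as an added example that is not part of Michael Wojcik's message: a toy bank with the usual per-account failure counter, one PIN tried once against every account, and the source-keyed counter a defender needs in order to see the scan at all. The bank, the 4-digit PIN space, the lockout threshold of 3, the account data and the source labels are all constructed for the demonstration and are not figures from the post.

```python
import random
from collections import Counter, defaultdict

PIN_SPACE = 10_000          # 4-digit PINs, 0000..9999
LOCKOUT_THRESHOLD = 3       # assumed per-account policy: lock after 3 failures


class Bank:
    """Toy authentication service with the usual per-account failure counter."""

    def __init__(self, pins):
        self.pins = pins            # account -> PIN (constructed test data)
        self.failures = Counter()   # failed attempts, counted per account
        self.locked = set()
        self.log = []               # (source, account, result), fed to the detector

    def login(self, source, account, pin):
        if account in self.locked:
            self.log.append((source, account, "locked"))
            return False
        ok = self.pins[account] == pin
        if not ok:
            self.failures[account] += 1
            if self.failures[account] >= LOCKOUT_THRESHOLD:
                self.locked.add(account)
        self.log.append((source, account, "ok" if ok else "fail"))
        return ok


def make_bank(n_accounts, seed=1):
    """Constructed data: n_accounts accounts with uniformly random 4-digit PINs."""
    rng = random.Random(seed)
    pins = {f"acct{i:06d}": f"{rng.randrange(PIN_SPACE):04d}"
            for i in range(n_accounts)}
    return Bank(pins)


def account_scan(bank, pin, source="scanner"):
    """The attack from the post: one fixed PIN, tried once against every account.

    Each account sees exactly one failure, so the per-account counter never
    reaches LOCKOUT_THRESHOLD; the attacker keeps every account that matched.
    """
    return [acct for acct in bank.pins if bank.login(source, acct, pin)]


def expected_hits(n_accounts, pin_space=PIN_SPACE):
    """Expected number of matches for one PIN across n_accounts random PINs."""
    return n_accounts / pin_space


def spray_detector(log, max_distinct_accounts=10):
    """Flag any source whose failures are spread across many distinct accounts.

    This is the counter the per-account lockout lacks: it keys on the source
    (IP, terminal, session) and counts distinct accounts failed, so a scan that
    fails once against thousands of accounts stands out while a customer who
    mistypes a few times against one account does not.
    """
    failed_accounts = defaultdict(set)
    for source, account, result in log:
        if result == "fail":
            failed_accounts[source].add(account)
    return {src for src, accts in failed_accounts.items()
            if len(accts) > max_distinct_accounts}


def demo(n_accounts=20_000, pin="1234"):
    """Run one mistyped legitimate login, then a full scan, and summarise."""
    bank = make_bank(n_accounts)
    customer_acct = "acct000042"
    bank.login("customer", customer_acct, "9999")              # one typo
    bank.login("customer", customer_acct, bank.pins[customer_acct])
    hits = account_scan(bank, pin)
    return {
        "expected_hits": expected_hits(n_accounts),
        "actual_hits": len(hits),
        "locked_accounts": len(bank.locked),
        "flagged_sources": spray_detector(bank.log),
    }


if __name__ == "__main__":
    print(demo())
```

With 20,000 accounts and a 4-digit PIN, one pass of the scan is expected to open about two accounts while locking none, which is exactly the point of the post: a lockout keyed on the account is blind to an attack keyed on the PIN. The detector here keys on the source instead; a scanner that rotates sources defeats that too, so a real deployment would also watch the bank-wide failure rate per time window, which this toy leaves out.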

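The entropy comparison in the passphrase paragraph and the per-site suffix trick discussed later in the post, carried through as an added example of my own rather than anything from the original message. It puts numbers on both claims and shows a verifier that folds case and whitespace before hashing, as the post suggests a passphrase system might. The alphabet sizes (95 printable ASCII characters, a 7776-word list of the kind Diceware uses), the PBKDF2 work factor and the sample phrases are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import os
import unicodedata

PBKDF2_ROUNDS = 100_000     # assumed work factor; tune to your hardware


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen independently and uniformly from
    `alphabet_size` possibilities. Only valid when the choice really is random:
    a famous quotation is one entry in a quotation list, not a random draw."""
    return length * math.log2(alphabet_size)


def suffix_gain_bits(alphabet_size=95):
    """Extra entropy from appending one per-site character to a base password,
    as in the mangling scheme discussed above: one symbol's worth, under 7 bits."""
    return entropy_bits(alphabet_size, 1)


def normalize_passphrase(phrase):
    """Canonical form so that harmless typing differences still verify:
    Unicode NFKC, case folding, punctuation dropped, whitespace collapsed.
    Folding case costs at most one bit per letter, and nothing at all when
    the entropy came from the choice of words rather than their capitalisation."""
    text = unicodedata.normalize("NFKC", phrase).casefold()
    kept = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(kept.split())


def enroll(phrase, salt=None):
    """Store salt + PBKDF2-HMAC-SHA256 of the normalized phrase, never the phrase."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256",
                                 normalize_passphrase(phrase).encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(phrase, salt, digest):
    """Constant-time comparison of the candidate's derived key with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256",
                                    normalize_passphrase(phrase).encode("utf-8"),
                                    salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def compare_strengths():
    """Worked numbers under the assumed alphabet sizes: 95 printable ASCII
    characters for a password, a 7776-word list for a random passphrase."""
    return {
        "8 random printable chars": round(entropy_bits(95, 8), 1),     # 52.6
        "6 random words of 7776": round(entropy_bits(7776, 6), 1),      # 77.5
        "one appended site character": round(suffix_gain_bits(), 1),   # 6.6
    }


if __name__ == "__main__":
    print(compare_strengths())
    salt, digest = enroll("Correct Horse Battery Staple")
    print(verify("correct   horse, battery staple!", salt, digest))   # True
```

Six words chosen at random beat eight random printable characters by about 25 bits, and the lenient verifier gives none of that back as long as the entropy came from the word choice. The appended site character, by contrast, is worth about 6.6 bits, which is the post's "negligible for automated attacks" in numbers: a cracker that already has the base password tries every suffix in one pass. The arithmetic assumes random draws; a memorized quotation should be counted as one entry in a quotation list, not as a string of that many characters.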
