Insecurity

[hirez]

Apropos not much, here's a list of common passwords (ie - anyone with half a brain will try them first) and here's a list of common changes people make to 'normal' words.

Note that a really driven cracker will also try things that are personal to you. The section in 'Wargames' where Matt Broderick tracked down Prof. Falken's backdoor p/w (joshua) isn't fiction.

Those of you with a mind to play could do a lot worse than download John the ripper and see how long it takes to crack some of your own passwords. (I'm certainly going to)

It's also a Really Bad Idea to use the same password on multiple sites. LJ compromise is bad enough, Paypal and/or bank... Personally, I won't touch online banking. It's just not secure in this country or the US. The Swiss, unsurprisingly, have it right: one-time passwords.

Remember, you're as secure as the weakest link in the chain. A complex LJ password is useless if you've got 'remember me on this machine' ticked on a box with a rubbish p/w.

Stay safe, kids.

Comments

[moral-vacuum.livejournal.com]

I tried to read the info on john the ripper, but it made my head hurt. But I follow most of the above guidelines anyway.

I need to change my LJ password again to something even more difficult to guess, though

[hirez.livejournal.com]

I'm going to have a furtle with the thing right now. I've used it on Unix, but the Winders incarnation is going to be a bit of a voyage of discovery. Still, that's why it's called security research.

[hirez.livejournal.com]

Well, bloody hell. That took about four minutes on my old 1Ghz Athlon.

Mind you, getting there was a bit of a chore, since it want its passwords in a format provided by a different command-line utility. However, it is a utility that'll hoover the admin password from a Win2k box.

(And it's just tripped the thermal alarm. Time to stop.)

There must be a GUI password-quality checker.

[hirez.livejournal.com]

Ok, that just seems to test the rubbishness of Winders password storage.

Thus far, I've only found npassword. That's a horrible tool which will insist on passwords like gt^1.kFgz90&. No Bloody Good at all.

(I'm sorry. I'm a hacker. I'm fascinated by this.)

As a layperson...

[redcountess]

I think it's a good rule of thumb to not use words that are in the dictionary, to mix in numerals randomly with the letters, and as well as not using the same password for everything, to change your passwords regularly. Of course, when one has memory problems, one sometimes forgets which password one uses on which site, but that's what password reminders are for! Oh, and the other good thing to do is change the password straight away, when one has been generated for you, eg. when you join a service, etc.

Re: As a layperson...

[siani-hedgehog.livejournal.com]

Of course, when one has memory problems, one sometimes forgets which password one uses on which site, but that's what password reminders are for!

i have terrible trouble with this. i have not *yet* had to ask the IT dept at work to reset mine, but i have had to spend an hour thinking before i could remember it.

[the_axel]

That's all true as far as it goes, but most access security problems aren't caused by lists or brute force attacks but by people giving their passwords away - either they write it down because they can't remember the 10 different complex passwords they have to change every month or they tell somebody they shouldn't.

Overly complex password rules exarcabate the former problem and do nothing to address the latter.

To address the problem of a program trying to break in by trying a pile of combinations, all you have to do is to disable the users access profile if more than n failed attempts are made in a human-scale-shortish piece of time (e.g. 5 attempts in 10 minutes).
You then need to have a secure password resetting process involving people, but that's manageable if the organisation is willing to invest the resources in it, so not likely to happen on LJ but a bank certainly can and should.

[hirez.livejournal.com]

Oh, absolutely. I was writing a companion piece in my head on the way home on the subject of why passwords are a rubbish answer to the problem of making sure you are who you say you are. Biometrics are an even worse answer, of course. At least a password is repudiable. Can you change your fingerprint if it becomes compromised?

Any password policy that causes people to write them down is inherently broken.

Mind, what's a bank to do when someone rings up for a password reset? "Hi, this is Bob in accounts..."

[the_axel]

I can only speak for the bank I work for really, but I know that our Telephone Bankings processes today are very effective at keeping other people away from your money.

That's because the Canadian regulatory environment and (consequently?) the banks principles & policies are organised so that if we fuck up a password resetting situation and somebody does steal your money, we'll reimburse you after recieving a police report and an affidavit that it was stolen.

Identity theft does happen, we know what it looks like and we know how to sort it out pretty quickly as long as the real customer does their part.

[hirez.livejournal.com]

Right enough. It wouldn't surprise me to discover that the Canadians were a lot more sorted in that regard.

(And I'm sure I've mentioned before that Visa's fraud dept were on the phone within 30 seconds of a failed online transaction last year.)

[siani-hedgehog.livejournal.com]

i used to have no trouble being my mum on the phone to Visa. knowing my grandmother's maiden name was usually enough.

[the_axel]

Security has changed a lot in the last few years.

They ask more questions, and they are less obvious than that.

[thepaintedone.livejournal.com]

I had a fun situation with bank security last night. I was buying a new suit in London and for some reason the bank decided they needed to ask lots of extra security questions when I used my debit card.

Cue 20 minutes of the shopkeeper being quizzed about what I was buying, then the phone being passed to me so I could answer some 'security questions'. Date of birth, no problem. Last two letters of your security phrase. What security phrase? It'll be your mothers maiden name (notoriously secure that one). So I duly give the last two letters of my mothers maiden name, which they then inform me is incorrect.

I'm now geting increasingly annoyed, I put in my pin number, they took the 3 digit second number off the back, the amount isn't all that high anyway (within my cheque guarantee limit for example) and the shop is off of Oxford St, which is where I work so hardly an unusual transaction. Now they are trying to tell me my mothers maiden name?

I took a wild guess that the bank had mis-spelt my mother name, which turned out to be right. Thing is, since I set up the account I have never before been asked to spell it out, so I had no idea that some muppet wrote it down wrong ten years ago.

Needless to say I'll be having words with the bank on Monday. I have no problem with security on my accounts, but 20 minutes of hanging on the telephone is ridiculous, especialy when they are using inaccurate and wildly out of date security data without any sort of warning

[hirez.livejournal.com]

That's really quite rubbish. But, since bank employees can't/won't think outside the procedure box (The 5750 rant is approaching on platform one), we're stuck with this sort of non-secure inconvenience.

Oh God I sound like Bruce Schneier.

Cash. That's the stuff.

[incy.livejournal.com]

You would be surprised at how many fradulent transactions are caught by this, not all obivously, but it does stop a lot.

[hirez.livejournal.com]

I guess we're lucky that most thieves are only in that trade because they're too stupid to do anything else.

[margotmetroland.livejournal.com]

One-time passwords - when I worked at UBS, we had a wee credit-card sized thing that generated apparently random numbers which we'd use to log into the remote network. Is that the sort of thing you mean?

[hirez.livejournal.com]

SecurID cards? They work well when you've a medium-sized userbase, but I'm given to understand they're, um, a premium price, so not the sort of thing you'd hand out to the mass of punters.

(I'm straying into areas About Which I'm Best Off Not Talking, which is a bit unfortunate because I like speculating about this sort of thing.)

IIRC, without going back and delving through my notes that are at work, the bank in question printed off a sheet of codes and couriered them. Each time you use one, you cross it off and go to the next. There's no point stealing them because they require a passcode/PIN (something you have, something you know), they're easy to carry about, and if you do lose the sheet the bank can invalidate the unused set and print off some more.

[margotmetroland.livejournal.com]

SecurID cards, that's the chaps. Dunno how much they cost, but UBS could definitely afford them and all the replacements the pissed traders needed.

I read about "one-time" code books in a Tim Powers book which sounds a bit like your list of printed codes. Each sheet had a different way of coding your message and so long as you and your receiver tore off the same sheet at the same time, you could transmit and receive coded messages in relative security. If you lost the book, both would need to be replaced.

[venta.livejournal.com]

I'm given to believe by a friend in Australia that they have indeed started handing out such gizmos to people - to access their online banking, I believe it was. Not sure if it was all banks, or just his.

[hirez.livejournal.com]

Oh, now that's good news. I wonder if they'll manage to render it useless in some cack-handed banking manner?

[(Anonymous)]

Greetings from 86.133.151.89

http://www.timewarner.com/corp/newsroom/pr/0,20812,700839,00.html

[hirez.livejournal.com]

Hello Mr/Ms BTCentral.

That's very interesting news. Perhaps the SecurID tokens are going to become ubiquitous and cheap?

[(Anonymous)]

My alveoli shall remain blessed by regular inhalation on my part for the duration, but it may come to pass.

http://www.avesodisplays.com/sol/smart_cards.html

As for what comes after passwords, there was something a while back about sequences of images selected in a particular order functioning in a similar way. It showed some promise. In fact, combining the two to form a one-time pad? Select the images you chose from the set not eliminated by the pattern on the LCD screen of your physical key. Though that's not perfect.

Which of these images most reminds you of your mother?

[hirez.livejournal.com]

The picture of Simon Rattle, obviously.

[incy.livejournal.com]

I think all the major banks are doing it here on trial, except for Lloyds who have now rolled it out to all users.

The other measure is after you give your account number the next page displays soem information to prove it is the bank not you (i.e. give back an agreed code word, different for everyone know it is not a phishing site).

The other good measure is occasionally to give a false password the first time, phiseher site will say thankyou and the site is down/details updated/whatever not knwoing they are wrong. A genuine site will give you an invalid log on.

[hazeii.livejournal.com]

Morphic resonance (http://www.thedailywtf.com/forums/59595/ShowPost.aspx) (who needs passwords anyway?).

[hirez.livejournal.com]

Dear Lord. It's hardly Dennis Ritchie, is it?

[perlmonger.livejournal.com]

common passwords

Hmph. "plover" is there, but not "plugh" or even "xyzzy". Kids these days, I don't know... No "fnord" either, come to that.

[hirez.livejournal.com]

They're not in the 'most popular passwords' list distributed with John the ripper, either.

[hirez.livejournal.com]

... On the other hand, I set a sacrificial Win2K account up with fnord as a p/w and it found it in under three seconds. I think that's more to do with the startling dreadfulness of lanman hashes though.

[poggs.livejournal.com]

As in "Let's store the password in in UPPER CASE too so you only have to crack one then brute-force the capitalization!"

[hirez.livejournal.com]

... And let's split the things in two so as to negate any password-length benefits.

[steer.livejournal.com]

xyzzy -- the network name of my current work desktop machine.

[venta.livejournal.com]

LJ's own password-quality-checking thingy grumbles at passwords which contain no non-alphabet characters. I don't understand this.

I'll agree that drawing your password from the whole alphanumeric set is more secure than drawing it from just the alphabet. However, surely by insisting that the password contains at least one non-alphabet character they're providing extra information to anyone wishing to crack passwords. In effect, they're (potentially) taking adequately secure alphabet-only passwords and insisting people make them less secure.

I've not yet encountered anyone who can explain why this theory is wrong, either :(

[hirez.livejournal.com]

Well, if you don't insist on non-letters, people won't use them, so you can cut down the guesswork. More to the point, it's most likely that people will use dictionary words or names because they're easy to remember, so if you go through the set on the first page I linked to, you stand a good chance.

In theory, you could bung in some numbers and punctuation anywhere which makes the guessing hard. Unfortunately, most people go for the o->0, i->1 and s->5 leetspeak substitutions.

The best password options I've found thus far have been auto-generated pronounceables. A lot like the way the planet-name generation in Elite worked.

[serpentstar.livejournal.com]

Pipex do this for their online email checking -- nine-letter auto-generated pronounceables. Reasonably easy to remember, as they all do sound like weird planet names.

[smogo.livejournal.com]

I'm ashamed to say that my online banking password was in that list! So I've changed it.

[hirez.livejournal.com]

Glad to be of service.

[thepaintedone.livejournal.com]

As others, including yourself, have said, I don't really buy into the hyper-mania for utterly meaningless passwords. There are only two scnearios (AFAIK) where it matter.

1. A human trying to guess based on knowing you. As soon as you're sufficiently obscure that the possibillities are in the hundreds, this is pretty much ok. e.g names of children, two possibillities so easy to guess. Random CD title from the shelves next to me, 800 possibillities, sorted.

2. Brute force. Any system which doesn't lock down after n bad attempts deserves to be brute forced. Ditto systems where no one is checking the logs for large volumes of bad attempts. Again, it's down to the number of tries. If your password is sufficiently crap that a cracker will try it within the first 20 attempts then fine your a muppet, but as long as the re-try wait period makes each single attempt take 5 minutes (i.e 3 attempts every fifteen mins), even a medium secure password is fine unless Mr Cracker can sit and blast the thing unobserved for weeks on end.

None of which means I don't advocate non-obvious passwords that are reasonably hashed, but not to the point where ordinary users are trying to remember the ASCII output of a white noise generator.

I actualy think that technicallities asside, going nuts on making people devise ridiculously obscure passwords diverts attention from more serious areas of security. I've never yet seen a password brute forced or guessed in any company I've worked for, but I've lost count of the number of times that co-workers share their passwords so they can get into each others stuff while they are away. It's so routine that people seem surprised when you scream at them, and defeats the entire point of having security in the first place.

However, scream I shall continue to do, backed up with the story of the person at my last company who was taken from the office by the police after I found out she was defrauding us and our clients using a collegues credentials that he'd given her so she could check his e-mail while on Holiday.

On a related note, my new company has no security policy of any kind and I've got my infrastructure manager sorting out a company wide policy from scratch. Can you recomend a good book or resource on best industry practise for this sort of thing? I don't mean low level technical stuff, but rather appropriate ways to handle domain admin, delegation of permissions, oversight and monitoring of super user access, that sort of thing. Basicaly so we can draw up a document which a security auditor would be happy to see being used as policy.

[hirez.livejournal.com]

Hey, look, we're in violent agreement...

I guess no-one would be surprised that $work are fairly keen on sensible security, and indeed have departments who'll cheerfully fill a whileboard with a mathematical proof of why one 'solution' or other is rubbish.

What we tend to do is regularly hoover out the password files of all the kit we can and run a cracker on the things. The results are mailed back to the relevant users if they're really embarassing.

Security policies? Both 'Practical unix and internet security' (O'Reilly) and 'The unix system administrators handbook' (Pass. My copy is at work) have useful high-level information and plenty of war-stories. Don't be put off by the Unix slant - a good policy is OS-agnostic. I should also point out that $work have many fine and experienced security consultants...

A relevant SANS course is also utterly and completely excellent.

[poggs.livejournal.com]

I was so interested reading all the comments I forgot what I was going to comment on.

[thermaland.livejournal.com]

I really doubt that any cracker is going to think of spelling "password" backwards! I am way too cunning for the bad guys.

[juliet]

[hello, was pointed here by mr_tom]
My usual approach is to pick a line from a song & Do Stuff to it (including but not limited to taking inital letters). Can therefore be reasonably long without getting tough to remember, doesn't resemble a regular word, & I know a lot of song lyrics.

I do have the problem of having large numbers of pwds to remember (sysadmin) & use Keyring on my Palm as the best combination between security & practicality.

You may be able to help with something I've been considering recently whilst thinking about security policy at work: what are the benefits of making people change their passwords often? It doesn't strike me as helping much with any brute-force attacks (I'm assuming a change every 3 mths or even mth; obviously one-time pwds are a different deal) as 3 months is plenty of time & after the Bad Person has got in they can set themselves up so changing your pwd after that won't keep 'em out. And it *does* seem to have obvious disadvantages, i.e. people are more likely to write their pwd down/use more obvious words/etc etc. Am I missing something obvious?

[hirez.livejournal.com]

[ Emailed ]

[steer.livejournal.com]

It's also a Really Bad Idea to use the same password on multiple sites.

Anything else is pretty much utterly impractical apart from some scheme whereby your password adds an element from the site name. Since I would have about fifty passwords otherwise (online banking, online shopping, various sites I regularly participate in, all my bills online, conference paper submissions, news sites I read from etc etc), I can't possibly remember enough passwords.

[hirez.livejournal.com]

PasswordSafe, as mentioned in the next post along.

Still, one does one's own risk assessment and makes one's own decisions.