Security Basics mailing list archives
Re: Security procedure question
From: Daniel DeLeo <danielsdeleo () comcast net>
Date: Tue, 26 Sep 2006 15:56:06 -0600
This has piqued my interest. I have been touting the practice that you remember a sentence that has numbers in it, like "Get knocked down 7 times, get up 8." and then taking the first initial of each word, using digits for numbers, and keeping in the punctuation, so that you would get a password of: "Gkd7t,gu8." (looks pretty random, right?) This way users can still keep their bad habits like using their spouse's birthday, whatever, but they get a good password out of it:
My wife Helen's birthday is May 22, 1970. becomes MwHbiM22,1970

I remember reading a paper where the author, a university professor, let 1/3 of his students (in some CS 101 course) pick their own passwords (with no instruction), told 1/3 to use randomly generated passwords, and told the remaining 1/3 to use the above procedure. He then ran John the Ripper against all of the passwords and also kept track of how many times the user had to call the help desk to get their passwords reset. He found that the random passwords and the sentence-initial-letter passwords were equal in strength, and that users picking their own passwords and users using the sentence-initial-letter passwords called the help desk the same amount of times, while the users with randomly generated passwords called the help desk much more often. So this seems to validate the password-from-a-sentence idea, but...
What worries me about this approach is that there might be some way to make breaking the passwords faster using statistics about which letters are more likely to be the first letter in a word, or that some famous phrases from literature, TV, movies, etc. would be used so commonly that the attacker could pre-load strings generated from these famous phrases into his password dictionary.
Anyone know anything about this?

Daniel DeLeo

On Sep 25, 2006, at 6:17 PM, Ken Kousky wrote:
One way to discourage users from writing down passwords is to stop the idiotic practice of expecting them to remember strong passwords - they can't! So if you're imposing a policy of strong passwords you must assume they'll be written down. Strong passwords are a token.

Strong passwords, by definition, can't be remembered. They have to change frequently and they're not to be used on multiple systems which would expose them to the "weakest link" syndrome.

Here's Kousky's Algorithm - we've been teaching it for five years and it's still better than most simple alternatives.

One option to help is to let them write them down - even tape them to their machines, but leave a four digit pin missing from the string. It can be after each capital letter in the string so what is written down is:

Kw3$34Q3@AS

But the real submitted password requires my four digit pin: 1234 be inserted after each capital letter ... that is, after the K goes a 1, after the Q goes the 2, etc. Real submitted string is K1w3$34Q23@A3S4

If you don't get over the crazy idea of strong passwords you're part of the problem. We need strong strings to submit over the wire or on a laptop and that can best be served by multifactor solutions. We consider this one and a half factors. Strong factors are hard to duplicate and you know if they're missing.

You might also check out our paper for '02 - "Strong Passwords are an Oxymoron"

Regards
KWK
IP3 Inc.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mario A. Spinthiras
Sent: Monday, September 25, 2006 7:52 AM
To: MandommGmail
Cc: security-basics () securityfocus com
Subject: Re: Security procedure question

Even so, if the method I mentioned previously on this thread is applied, even if the user is foolish enough to avoid or unable to understand and apply the theory of a password then maybe they shouldn't be working anywhere near computers - but thankfully for the unbelievably stupid my method works since it applies to the following criteria:
1. Who you are (Biometric authentication)
2. What you know (The password of the unintelligent ignorant user)
3. What you have (The usb stick with the key on it)

To my opinion, any user not following a company's security policy should be either arrested for possible industrial espionage and/or sabotage of the company. The minimum impact should be his/her dismissal from the company as an employee.

Regards,
Mario A. Spinthiras

MandommGmail wrote:
I'm concerned about a user leaving the id and password on paper in or near the laptop. There is no way one can defend against a user who decides to stick a sticky pad on his laptop and leaves his password there. The best encryption tool does not defend against human stupidity.
Alex

----- Original Message -----
From: "Saqib Ali" <docbook.xml () gmail com>
To: "Brown, Sam" <sbrown () ashe ucla edu>; <mario () netway com cy>; <lists () hwf cc>
Cc: <security-basics () securityfocus com>
Sent: Friday, September 22, 2006 1:26 AM
Subject: Re: Security procedure question

If you don't mind, can I ask what product you selected? There are some full/whole disc encryption implementations that support TPM. See the URL for description:
http://en.wikipedia.org/wiki/FDE#Full_disk_encryption_and_Trusted_Platform_Module

If your laptops are TPM enabled the full disc encryption software can wrap the decryption key with TPM, so the user won't have to remember or note down an extra username/password.

On 9/20/06, Brown, Sam <sbrown () ashe ucla edu> wrote:
We're going to be deploying whole disk encryption to our laptops so I am interested in hearing how others have distributed the software encryption ID's and passwords to users. I'm concerned about a user leaving the id and password on paper in or near the laptop.
Sam Brown

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

-----------
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
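An added example (mine, not code from any poster in this thread) of the two derivation rules described above: Daniel's sentence-initials rule (first letter of each word, digits kept whole, punctuation kept) and Kousky's rule of inserting a PIN digit after each capital letter. It also includes a policy-side check for Daniel's concern that the initials of well-known phrases are dictionary material; the phrase list is constructed for illustration.

```python
import re
from itertools import cycle

# A token is a run of digits or a word (letters, apostrophes allowed inside),
# followed by any punctuation that is glued to it.
_TOKEN = re.compile(r"(\d+|[A-Za-z][A-Za-z']*)([^\sA-Za-z0-9]*)")


def phrase_to_password(sentence: str) -> str:
    """Daniel's rule: first letter of each word, numbers kept as digits,
    punctuation kept where it appeared in the sentence."""
    out = []
    for core, punct in _TOKEN.findall(sentence):
        out.append(core if core[0].isdigit() else core[0])
        out.append(punct)
    return "".join(out)


def insert_pin(written: str, pin: str) -> str:
    """Kousky's rule: the string written on the sticky note gains one PIN
    digit after each capital letter. If the string has more capitals than
    the PIN has digits, the PIN is reused from its start (an assumption;
    the post only shows the case of four capitals and four digits)."""
    digits = cycle(pin)
    out = []
    for ch in written:
        out.append(ch)
        if ch.isupper():
            out.append(next(digits))
    return "".join(out)


# Constructed list of phrases a policy might treat as too well known to
# be a safe source of an initials-derived password.
KNOWN_PHRASES = [
    "To be, or not to be, that is the question.",
    "May the Force be with you.",
    "Get knocked down 7 times, get up 8.",
]


def derived_from_known_phrase(candidate: str, phrases=KNOWN_PHRASES) -> bool:
    """Reject a candidate that equals the initials form of a listed phrase:
    exactly the strings an attacker could preload into a dictionary."""
    return any(phrase_to_password(p) == candidate for p in phrases)
```

Note that the rule as stated keeps the final period, so the birthday sentence yields "MwHbiM22,1970." rather than the "MwHbiM22,1970" shown in the post.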