funsec mailing list archives
Re: 1 in 3 workers write down passwords
From: coderman <coderman () gmail com>
Date: Wed, 18 Oct 2006 11:03:02 -0700
On 10/17/06, Ron <iago () valhallalegends com> wrote:
> ... Hmm, I generally tout myself as a security guy, but I have to admit, even I do that sometimes.

agreed; once your password list gets long enough you need to do it. (i'm counting 27 high entropy passwords in my file, like a9@7.8X7&17Rd5#Dw)

> Generally, when I'm given a password for a remote system that is something like "7QbbBr2CqqS", I'll write the password, all by itself, on a yellow sticky note and stick it to my monitor for a week or two, until I feel like I've memorized it well enough to toss (fine, eat) the note.

i don't even bother trying to memorize. instead i boot into a system with full disk encryption using a single good password/passphrase that i _can_ remember. that is where the text file with all the other passwords lives. (this system also contains all my authorized private ssh keys, which i prefer to passwords when possible)

> I think one of the major issues is: stupid passwords. I've spent time at places that have completely asinine password policies (must be 8 characters or longer, letters and numbers and at least 2 symbols, no spaces, no 2 characters within every 4 characters can be the same, etc. etc. etc.). Worse yet, the users are GIVEN a password that looks like somebody sat on a keyboard, and are expected to memorize it.

yup, pretty stupid. i only expect users to remember one good password. maybe two, on a good day. so leverage that one good password with disk encryption so they can keep myriad other secrets safe...

> I think that we really have to make a request of password-based software:
> - Allow spaces
> - No maximum length
> - Encourage a pass phrase
> When I hand out a password, it's usually 16 or so characters long, and extremely easy to memorize. Usually, it resembles a line from a song or television show or something I see in the room. Then it's nearly impossible to crack or guess.

this has lower entropy and is a compromise (probably worth having in place of high entropy passwords that can never be remembered, but still weakens authentication security). the FBI runs a nice distributed password cracker that uses heuristics and profiling to greatly improve the probability of recovering a password/passphrase. using words and phrases opens you up to these kinds of attacks.

> I'm probably just rambling. But I really hate the common password policies.

agreed. i'm fond of full disk encryption and writing them down on such a protected storage medium, but this does mean you need your laptop whenever you need a password. (the other reason i like full disk encryption is that the operating system is then protected against offline compromise. an encrypted file isn't very secure if someone can trojan the truecrypt binary on your box, for example...)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- 1 in 3 workers write down passwords Dude VanWinkle (Oct 17)
- RE: 1 in 3 workers write down passwords Richard M. Smith (Oct 17)
- RE: 1 in 3 workers write down passwords Drsolly (Oct 17)
- RE: 1 in 3 workers write down passwords Richard M. Smith (Oct 17)
- RE: 1 in 3 workers write down passwords Drsolly (Oct 17)
- Re: 1 in 3 workers write down passwords Drsolly (Oct 17)
- Re: 1 in 3 workers write down passwords Dude VanWinkle (Oct 17)
- Re: 1 in 3 workers write down passwords Ron (Oct 17)
- Re: 1 in 3 workers write down passwords Dude VanWinkle (Oct 17)
- Re: 1 in 3 workers write down passwords coderman (Oct 18)
- Re: 1 in 3 workers write down passwords Dude VanWinkle (Oct 18)
- Re: 1 in 3 workers write down passwords coderman (Oct 18)
- RE: 1 in 3 workers write down passwords Richard M. Smith (Oct 17)
- <Possible follow-ups>
- RE: 1 in 3 workers write down passwords Toralv_Dirro (Oct 18)
- Re: 1 in 3 workers write down passwords Fergie (Oct 18)
- Re: 1 in 3 workers write down passwords coderman (Oct 18)
- Re: 1 in 3 workers write down passwords Brian Loe (Oct 18)
- Re: 1 in 3 workers write down passwords coderman (Oct 18)