nanog mailing list archives

Re: Dear Linkedin,


From: Alec Muffett <alec.muffett () gmail com>
Date: Fri, 8 Jun 2012 22:28:19 +0100


On 8 Jun 2012, at 21:55, Michael Thomas wrote:

> With apps and browsers that
> can remember passwords why are we still insisting that users generate
> and remember their own bad passwords? That's one reason that I
> find the finger wagging tone of that Linkedin post extremely problematic --
> they have obviously never even considered thinking beyond the current
> bad practice.

That's a fair point, well made; in practice I try to educate people on how to choose a good password by showing them 
bad ones and giving them a list of "Don'ts"; giving them a tool would be easier but then you have a race to the bottom 
for platform neutral tools which are well-written, don't repeat plaintexts and don't serve off a central authority like 
a website.

In some ways when faced with a challenge like that I would prefer people learned how to pick their own.

One pentester-friend of mine can now determine which department his customer's employees reside in, because each 
department circulated its own rules on "how to choose a secure password" and the templates/technique are distinct from 
one department to the next. He brute-forces a password (possible because the passwords are 8 characters-ish and 
reasonably short, thereby making templates irrelevant) and then reprograms his cracking software to mess with the 
per-department template to crack the rest of the users in a shorter time.

Having people make up their own passwords reduces scope for that sort of behaviour - you crack some of the clueless 
folk but the overall quantity of breaks may be reduced.

Also: someone earlier mentioned "the password anti-pattern" - just to clear up a misapprehension, password security is 
not itself the aforementioned "anti-pattern"* but instead the actual "password anti-pattern" is (for example) 
surrendering your Blog password to a third party like Flickr so that it can post photos to your blog on your behalf.

This sort of problem is solved by OAuth, from whose community (unsurprisingly) the password-anti-pattern term 
was popularised; Google's "application-specific password" scheme addresses another aspect of the same issue.

More concisely the "password anti-pattern" is "giving your password away or using it untowardly". 

        -a


