RE: proper password handling

["Isaac Van Name" <ivanname () southerlandsleep com>]

As always, Mario, I enjoy reading your posts as they are entertaining, if
not always considering an alternate opinion.  That being said, I agree 100%
that three-way authentication with biometrics is a strong method that should
be employed.  For a company that is at all worried about security (which
should be every company), this is worth the investment.

However, in cases where, for whatever reason, the company will not go that
route, there are reasonable alternatives.  In this respect, I have to say
that Robert's quote is not a bad idea, although I would not call it the
"best" solution.  The best solution would be a member of a multiple-point
authentication method, like the one above.

In a company that doesn't want to go the "best" route, you have to improve
what you already have as best as you can.  Consider this:  Yes, we can fire
everyone that writes down a password because they can't remember it but,
then, all the offices in my workplace (except mine) and probably everyone
else's would be empty.  (Office personnel != computer literate) in most
cases.  Educate, threaten, warn, discipline... and they still do it.  It's a
fact of life.  We're just smarter and more capable than them.

One thing I've noticed time and time again about network security is that
you have to take into account who you're securing.  For instance, if some
office personnel need 3 websites to perform job-related tasks, but you
decide you don't want anyone to have internet access, then you'll probably
get fired quickly.  Same with passwords... if you set the standard so high
that employees just keep getting fired, management will probably plant a
foot in your hind quarters and give you a nudge.

You already know that they're going to write down the password, so work off
of that.  Make a password between 11-14 characters and a "passphrase" inside
of it (starting at a random location) that's 4-6 characters long.  Make the
passphrase something they can remember with a pneumonic ("I have 2 Dogs" =
Ih2D).  Let them write down the rest of the password ("j4f6QA15") and tell
them where the passphrase goes (after the 4 = "j4Ih2Df6QA15").  Now, you can
complain that security is compromised (and it is to an extent), but you also
have to consider how the REST of it can be compromised:

How long would it take to brute-force a 12-character password?  True, it
would take less time if you knew the written 8 characters, but you'd still
have to "brute" the passphrase for an undetermined amount of characters at
any position in the written portion... quite a daunting task still.

Then, if they write down their pneumonic, shoot them.  They deserve it.
Enforce what you know they can handle, and make that meet your security
needs.  It's worked for me so far, and I still have a job.  One thing to
remember, too:  No matter how much you secure your network, it will ALWAYS
be susceptible to compromise... you just have to defend as best as you can.


Isaac Van Name
Systems Administrator
Southerland, Inc.
ivanname () southerlandsleep com


"What good would you do with an ignorant employee? Ignorance is grounds for
dismissal..." - Mario Spinthiras
 
Open Source developing at its finest:
"Written in vim, W3C valid and UTF-8 encoded, for her pleasure."
 
Disclaimer:  This email is intended only to be used to feign intellectual
mastery of a subject or superhuman command of the English language, when
profanity is involved.  By reading this email, you are agreeing to cease all
correspondence with the sender upon realizing your own ignorance, and
furthermore to refrain from taking legal action against said sender when
your compounding ignorance crushes your inadequate self-esteem.  Have a nice
day.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Mario A. Spinthiras
Sent: Wednesday, October 04, 2006 1:19 AM
To: Robert.Graham () bt infonet com
Cc: security-basics () securityfocus com
Subject: Re: proper password handling

Robert.Graham () bt infonet com wrote:
> The best solution I ever heard of was from the Security Guru himself,
Bruce
> Schneier:
>
> Create passwords with a secret string that you commit to memory, in the
middle.
> Write down the password with everything but this special string. Then,
from the
> user side, it simulates two factor authentication (something you have[the
paper]
> and something you know [your secret string]). Even if the paper is lost or
> compromised, the damage is minimal. Ideally, once the paper is
compromised, the
> password is changed, but the secret string may be re-used. Best would be
to lock
> up a safe copy so that should the carry copy be lost, that password can be
reset
> easily and quickly.
>
> Today, with so many passwords, it's not possible to create strong ones
that can
> be remembered.
>
>
>
>
> Robert J Graham | Security Engineer | Global Security Group | BT Infonet |
Tel:
> +1 310 335 4454  | E: robert.graham () bt infonet com |
http://www.bt.infonet.com
>
---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec
management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed
degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
>   
Fortunately for me I have the tendency of judgement with regards to who 
is considered a guru or not in any matter whatsoever. In this case my 
judgement does not fail me and the feedback from it gives me the 
negative impression with regards to "guru" statements.

A password is not something you write down. I do not know which madman 
started such a foolish practice but if there was a prize in 
computational security I presume he would have won it many times over.

The above practice is not based on "what you know" and "what you got" , 
because the two end up being compbined in the same exact place at the 
application layer which means that it was in vein to proceed doing so. 
All it is is a missing string. That still gives administration and 
management of a firm the "doubt" that they will write it down since the 
principle is based on two parts to complete a whole passwords.

The above practice is simple A DOUBLE "WHAT YOU KNOW" authentication 
process which in my eyes and many righteous administrators out there... 
IS COMPLETELY WRONG.


If you want more on creating a wonderfully constructed authentication 
process which concludes security at its finest I suggest you search 
through my posts with regards to biometric three way authentication : 
"What you got , What you know , Who you are"


Enjoy!

Regards,
Mario A. Spinthiras

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------