Educause Security Discussion mailing list archives

Re: password vs pass-phrase (was: Are users right in rejecting security advice?)


From: Roger Safian <r-safian () NORTHWESTERN EDU>
Date: Thu, 18 Mar 2010 08:49:15 -0500

My thoughts on the password issue are varied, and have evolved over
time.

We need passwords.  At the moment they're the only acceptable tool
for securing a variety of assets.  I'm hopeful at some point another
technology will replace or augment the password.  That being said,
the password has a variety of well known weaknesses.  I believe that
we need to balance the risk of password exposure with the needs
and wants of our communities.  My experience is that users are not
fond of passwords.  Trying to implement a solution that is not
popular will encourage workarounds.  I assume that an academic
environment will compound this issue.

I'm starting to be convinced that the concept of password strength
is less useful.  When I started here, a six character, upper case,
password was for all practical purposes uncrackable.  Faster computers,
coupled with low-cost specialty equipment and rainbow tables have now
driven the password length needed to resist cracking to, what I
believe are, unacceptable lengths for most of our community.

I see two main risks we are trying to address.  Password cracking, and
the unintentional exposure of the password.  (shoulder surfing)  The
cracking issue might be better addressed by providing additional resources
to protect and/or monitor critical systems, such that if the hashes were
exposed we could quickly react to that by enforcing a change.  Surfing
can be mitigated by length and education of users.  In my mind, the
recent discussion about length needs to focus on a particular risk.  I
concede that the arguments about length and entropy are correct.  I'm
suggesting the argument is not as relevant.

Perhaps we need to enforce password rules based on the risk we are trying to
protect.  Perhaps the typical user can get by with a minimum password
length of X, but users who have access to more vital assets, need a
length of 3X or some additional authentication mechanism.

I like the idea of changing the password with some frequency.  What
the frequency should be, I'm still trying to work out.  The reason
I prefer some sort of regularly scheduled password change is that
if a password is compromised the change may secure that asset again.

I'm just thinking out loud here.  I do know that passwords are a sensitive
issue in my community, and my community is unlikely to acquiesce to
significant lengthening of the minimum.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key servers.
(847) 467-6437   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great childhood!"
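The length-versus-entropy argument the post concedes, and its proposal to answer hash exposure with a forced change, can be put in numbers. This is an added illustration, not code from the list or its author; the guess rates and the reaction window are constructed assumptions for the comparison.

```python
import math

def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a password chosen uniformly from charset_size ** length."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def min_length_for(target_bits: float, charset_size: int) -> int:
    """Smallest length at which a uniform password from this charset meets target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))

def forced_change_outruns_cracking(bits: float, guesses_per_second: float,
                                   reaction_seconds: float) -> bool:
    """True if a forced change issued within reaction_seconds of a hash leak lands
    before the expected recovery time, i.e. the 'monitor and react' approach holds."""
    return reaction_seconds < expected_crack_seconds(bits, guesses_per_second)

if __name__ == "__main__":
    # Constructed assumptions: an old-era rate and a modern offline rate against a
    # fast, unsalted hash.  Real rates depend on the hash function and hardware.
    old_rate, modern_rate = 1e4, 1e9
    six_upper = entropy_bits(26, 6)          # the six-character upper-case policy
    print(f"6 upper-case: {six_upper:.1f} bits; "
          f"{expected_crack_seconds(six_upper, old_rate) / 3600:.1f} h at 1e4/s, "
          f"{expected_crack_seconds(six_upper, modern_rate):.2f} s at 1e9/s")
    # Length needed to reach the same 64-bit target with different character sets.
    for name, size in (("upper", 26), ("alnum", 62), ("printable", 95)):
        print(f"64 bits with {name}: length {min_length_for(64, size)}")
    # Does a one-day reaction window after a leak beat the expected crack time?
    one_day = 24 * 3600
    for length in (6, 12, 18):
        bits = entropy_bits(26, length)
        print(f"length {length}: change within a day is in time? "
              f"{forced_change_outruns_cracking(bits, modern_rate, one_day)}")
```

The reaction-window check is the part worth keeping in mind: a scheduled or forced change only helps against a leaked hash set if it lands before the expected recovery time at the attacker's rate.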
