Re: Passphrases v Password

[Tim Doty <tdoty () MST EDU>]

On 07/08/2013 08:58 AM, randy wrote:
> Brad Tilley from my office developed a password generator tool that is
> pretty effective and easy to use. It's at http://16s.us/sha1_pass/.
> Basically, you supply it a phrase/sentence and it generates a number of
> password strings (base64, SHA-1, hex, etc.) that you can cut and paste into
> the login page.

Right, but that does absolutely nothing for initial login to a system, 
and therein lies the problem. Some sort of password manager is "the 
solution", but the initial login to a system remains a problem. I can't 
copy and paste until I've logged in...

There are other ways to approach that (for example, you can use a 
Yubikey to store an impossible to remember, ridiculously long and 
complex password/phrase, or employ smart cards, whatever) but all have 
their faults. Its not an easy problem.

Tim Doty

> -Randy Marchany
> VA Tech IT Security Office and Lab.
>
> On Mon, Jul 8, 2013 at 9:50 AM, Tim Doty <tdoty () mst edu> wrote:
>
> > I've been resisting, but I will point out that that xkcd significantly
> > overstates the entropy of English which ruins his analysis. Relying on
> > simple passphrases as protection against hash cracking doesn't work against
> > real threats (http://arstechnica.com/**security/2013/05/how-crackers-**
> > make-minced-meat-out-of-your-**passwords/<http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/>
> > )
> >
> > In my opinion the biggest problem we face is that our systems are geared
> > to require a password and password only for authentication. Even if you
> > stand up a two factor system you are left with
> >
> > 1) locking out certain functionality (e.g., you can't use a Yubikey with
> > an iphone)
> >
> > 2) increased complexity (which tends to weaker security)
> >
> > 3) uneven requirements resulting in exposed single factor mechanisms
> >
> > Whatever solution any given institution comes up with is up to them as a
> > means of best meeting their requirements, but the factually incorrect and
> > consequently misleading xkcd strip is obviously a sore point with me.
> >
> > Tim Doty
> >
> > On 07/05/2013 07:49 PM, Cathy Hubbs wrote:
> >
> > > Thanks to those that answered both on and off the list. I see we are out
> > > in
> > > front but not alone. Yes there are others!
> > >
> > > Every institution has a variety of considerations when making a decision.
> > > Happy
> > > to discuss off line.  The driving force was one year expiration and
> > > customer
> > > friendly.  We believe it is easier to teach customers to write natural
> > > language
> > > sentences than to pick a number, a symbol, an upper case, and a lower case
> > > character.
> > >
> > > My colleague loves to trot this XKCD comic strip
> > > http://imgs.xkcd.com/comics/**password_strength.png<http://imgs.xkcd.com/comics/password_strength.png>
> > >
> > > password_strength.png
> > >
> > > Thanks again.
> > >
> > > Cathy
> > >
> > > On Jul 5, 2013, at 12:22 PM, "Cathy Hubbs" <hubbs () AMERICAN EDU
> > > <mailto:hubbs () AMERICAN EDU>> wrote:
> > >
> > >   Greetings,
> > > > American University is moving to require passphrases, 16 character
> > > > minimum,
> > > > with upper and lower case requirement for standard users (staff,
> > > > students, and
> > > > faculty).
> > > >
> > > > I would love to hear from anyone that has gone down this path and
> > > > experiences
> > > > from their customers.
> > > >
> > > > Thanks
> > > >
> > > > Cathy
> > > >
> > > > Cathy Hubbs, CISSP, CISA, CGEIT
> > > > Chief Information Security Officer
> > > > Office of Information Technology
> > > > American University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature