funsec mailing list archives

Re: 1 in 3 workers write down passwords


From: coderman <coderman () gmail com>
Date: Wed, 18 Oct 2006 11:03:02 -0700

On 10/17/06, Ron <iago () valhallalegends com> wrote:
...
> Hmm, I generally tout myself as a security guy, but I have to admit,
> even I do that sometimes.

agreed; once your password list gets long enough you need to do it.
(i'm counting 27 high entropy passwords in my file, like a9@7.8X7&17Rd5#Dw)


> Generally, when I'm given a password for a remote system that is
> something like "7QbbBr2CqqS", I'll write the password, all by itself, on
> a yellow sticky note and stick it to my monitor for a week or two, until
> I feel like I've memorized it well enough to toss (fine, eat) the note.

i don't even bother trying to memorize.  instead i boot into a system
with full disk encryption using a single good password/passphrase that
i _can_ remember.  that is where the text file with all the other
passwords lives.  (this system also contains all my authorized private
ssh keys, which i prefer to passwords when possible)


> I think one of the major issues is: stupid passwords.  I've spent time
> at places that have completely asinine password policies (must be 8
> characters or longer, letters and numbers and at least 2 symbols, no
> spaces, no 2 characters within every 4 characters can be the same, etc.
> etc. etc.).  Worse yet, the users are GIVEN a password that looks like
> somebody sat on a keyboard, and is expected to memorize it.

yup, pretty stupid.  i only expect users to remember one good
password.  maybe two, on a good day.  so leverage that one good
password with disk encryption so they can keep myriad other secrets
safe...


> I think that we really have to make a request of password-based software:
> - Allow spaces
> - No maximum length
> - Encourage a pass phrase
>
> When I hand out a password, it's usually 16 or so characters long, and
> extremely easy to memorize.  Usually, it resembles a line from a song or
> television show or something I see in the room.  Then it's nearly
> impossible to crack or guess.

this has lower entropy and is a compromise (probably worth having in
place of high entropy passwords that can never be remembered, but
still weakens authentication security).

the FBI runs a nice distributed password cracker that uses heuristics
and profiling to greatly improve the probability of recovering a
password/passphrase.  using words and phrases opens you up to these
kinds of attacks.


> I'm probably just rambling.  But I really hate the common password
> policies.

agreed.  i'm fond of full disk encryption and writing them down on
such a protected storage medium, but this does mean you need your
laptop whenever you need a password.

(the other reason i like full disk encryption is that the operating
system is then protected against offline compromise.  an encrypted
file isn't very secure if someone can trojan the truecrypt binary on
your box, for example...)
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
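To put numbers on the entropy point made in the reply above (a keyboard-mash string versus a memorable phrase, and what the quoted password policy actually lets through), here is an added Python example. It is not code from the thread or from either poster. The 20,000-word vocabulary, the 2**30 guesses-per-second cracker, and the reading of the "no 2 characters within every 4" rule as "no character repeated inside any window of four consecutive characters" are assumptions made for the example.

```python
"""Password entropy models and the policy quoted in the thread.

Added example, not code from the funsec thread.  The vocabulary size, the
cracker speed and the reading of the "no 2 characters within every 4" rule
are assumptions.
"""
import math
import string

# Character classes a cracker enlarges its alphabet to once one member shows up.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation, " ")


def charset_entropy_bits(password: str) -> float:
    """Entropy if every character were drawn uniformly from the union of the
    character classes present: len(password) * log2(alphabet size).

    This models a9@7.8X7&17Rd5#Dw well and grossly over-estimates a phrase,
    because it ignores that the characters form dictionary words."""
    alphabet = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def phrase_entropy_bits(phrase: str, vocabulary_size: int = 20_000) -> float:
    """Entropy against a word-by-word dictionary attack: words * log2(vocabulary).

    vocabulary_size is an assumption (roughly a fluent speaker's active
    vocabulary).  A cracker that profiles the target, or carries a list of
    song lyrics and TV quotes, does even better than this model suggests."""
    return len(phrase.split()) * math.log2(vocabulary_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the space is searched."""
    return 2.0 ** (bits - 1) / guesses_per_second


def meets_quoted_policy(password: str) -> bool:
    """The policy Ron complains about: at least 8 characters, letters and
    digits, at least two symbols, no spaces, and (our reading of the rule)
    no character repeated inside any window of four consecutive characters."""
    if len(password) < 8 or " " in password:
        return False
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        return False
    if sum(c in string.punctuation for c in password) < 2:
        return False
    return all(len(set(password[i:i + 4])) == len(password[i:i + 4])
               for i in range(len(password)))


def assess(secret: str, guesses_per_second: float = 2.0 ** 30) -> dict:
    """Compare both models for one secret at an assumed cracker speed
    (2**30 guesses/s is a round number for a distributed cracker, not a
    measurement).  The phrase model only applies when there are words."""
    charset_bits = charset_entropy_bits(secret)
    phrase_bits = phrase_entropy_bits(secret) if " " in secret else charset_bits
    year = 365.25 * 24 * 3600
    return {
        "secret": secret,
        "charset_bits": round(charset_bits, 1),
        "phrase_bits": round(phrase_bits, 1),
        "years_charset_model": crack_time_seconds(charset_bits, guesses_per_second) / year,
        "years_phrase_model": crack_time_seconds(phrase_bits, guesses_per_second) / year,
        "passes_policy": meets_quoted_policy(secret),
    }


if __name__ == "__main__":
    samples = [
        "a9@7.8X7&17Rd5#Dw",        # coderman's example of a high-entropy password
        "7QbbBr2CqqS",              # Ron's example of an assigned password
        "eat your vegetables now",  # constructed stand-in for Ron's memorable phrase
    ]
    for s in samples:
        r = assess(s)
        print(f"{r['secret']:26} charset={r['charset_bits']:6.1f}b "
              f"phrase={r['phrase_bits']:6.1f}b "
              f"policy={'pass' if r['passes_policy'] else 'FAIL'}")
```

Running it shows the gap the reply is pointing at: the 17-character random string sits around 111 bits under the charset model, while a four-word phrase that scores about 109 bits on the same model drops to roughly 57 bits once the attacker guesses by words instead of characters. It also shows the policy's own absurdity: the phrase is rejected for containing spaces, and even the random string fails the four-character-window rule because "7&17" repeats a digit.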