
Don't be fooled by the argument against unique passwords

The "security is not secure" argument seems to be getting quite popular these days, and it makes security sound awfully easy. Chad Perrin warns that when something sounds too good to be true, it usually isn't.

These days it seems like every time we turn around someone has written another article that gives "security" advice directly contradicting actual secure practice:

  • Don't use strong passwords! Just use whatever you'll remember!
  • It's okay to use one password for everything as long as it's a strong one!
  • You don't have to use a strong password as long as it's uncommon!

Those of us with even a modicum of logic coverage in our educations should be familiar with the idea of a false dichotomy. The false dichotomy, or false dilemma, is what is known as a formal fallacy of propositional logic. When someone makes an argument based on the idea that there are only two options, thus making a case for choosing one of those options over the other, despite the fact that there are other ignored options that may be preferable, that person is indulging in a classic fallacy of the false dichotomy.

My favorite solution to all of these convenience issues with using strong, unique passwords is to use a password manager. Unfortunately, doing so is still not as easy as using password123 everywhere, and as a result, a lot of people are willing to swallow any ridiculous swill being peddled about how bad security practice is actually "more secure."

The arguments for strong passwords are common and well documented. The most cursory searches should turn up something that will give you the gist of the idea. Unfortunately, the problem of convincing people that every password should be unique might be a little more difficult to solve. Explaining it is not too difficult; just slightly less easy than explaining the importance of a strong password, and its importance is slightly less obvious to the casual observer, so it is done less often.

The best example that comes to mind for what can happen if you do not use unique passwords goes something like this:

John and Jane each have accounts at forty different Websites. John uses the same password at all of them because it is too difficult to maintain multiple passwords in his head, while Jane uses a password manager to ensure she can use a different password for each site without having to remember any of them.

Both of them have memberships at example.com, and by some twist of fate they both end up using the same password, OJ01GzVWR5. In fact, they both use the exact same forty Websites. Along comes Pat, a malicious security cracker. Pat manages to bypass the incredibly deficient security at example.com and download the unencrypted database of usernames and passwords.

With this database in Pat's grasp, the malicious security cracker makes a list of a hundred high-value Websites, mostly financial institutions. Pat then starts trying the username and password pairs from the unauthorized copy of the authentication database against each of those sites.

Because Pat's strategy involves entering each username and password combination only once, a direct attempt to access each of the hundred sites once per account name is all that is needed. This neatly avoids problems like the potential of being locked out of a highly secured site. In fact, it turns most sites -- however well-designed -- into a trivial exercise to access under someone else's credentials, as long as some people use the same username and password everywhere.

The end result is that Jane's bank account remains secure, while John's gets cleaned out the next day, and it is all because he took the advice of some security "expert" whose credentials largely consist of a piece of sheepskin and a job at a big-name security vendor that does not actually produce anything innovative. Sometimes, though, when advice sounds too good to be true, that is because it is not true. The perfect example is when someone tells you that you do not need unique passwords to be secure.
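The pattern Pat relies on, one attempt per account so that no per-account lockout ever fires, is also the pattern a defender should look for: many distinct usernames from one source, each tried exactly once. The following is an added example, not code from the article, that runs that check over constructed login log lines (the log format, the TEST-NET source addresses and the usernames are all assumptions):

```python
"""Flag one-try-per-account credential stuffing in a login log.

Added illustration; the log format, addresses and usernames are constructed.
A per-account lockout catches the brute-force pattern (many tries on one
user) but never the stuffing pattern (one try on many users), so the two
are detected separately.
"""
import re
from collections import defaultdict

# Constructed sample log: one authentication attempt per line.
SAMPLE_LOG = """\
2010-12-01T09:14:02Z src=203.0.113.5 user=john result=FAIL
2010-12-01T09:14:03Z src=203.0.113.5 user=jane result=FAIL
2010-12-01T09:14:04Z src=203.0.113.5 user=alice result=FAIL
2010-12-01T09:14:05Z src=203.0.113.5 user=bob result=OK
2010-12-01T09:14:06Z src=203.0.113.5 user=carol result=FAIL
2010-12-01T09:14:07Z src=203.0.113.5 user=dave result=FAIL
2010-12-01T09:20:00Z src=198.51.100.7 user=erin result=FAIL
2010-12-01T09:20:01Z src=198.51.100.7 user=erin result=FAIL
2010-12-01T09:20:02Z src=198.51.100.7 user=erin result=FAIL
2010-12-01T09:20:03Z src=198.51.100.7 user=erin result=FAIL
2010-12-01T09:20:04Z src=198.51.100.7 user=erin result=FAIL
2010-12-01T09:20:05Z src=198.51.100.7 user=erin result=LOCKED
2010-12-01T10:00:00Z src=192.0.2.9 user=frank result=OK
2010-12-01T10:05:00Z src=192.0.2.9 user=frank result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip malformed lines
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_accounts=5, max_tries_per_account=1):
    """Return sources that touched many accounts with at most one try each.

    That is exactly the shape of a reused-credential replay: each leaked
    pair is tried once, so no account crosses a lockout threshold.
    """
    tries = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    hits = defaultdict(set)                         # src -> users logged in
    for e in events:
        tries[e["src"]][e["user"]] += 1
        if e["result"] == "OK":
            hits[e["src"]].add(e["user"])
    findings = []
    for src, per_user in tries.items():
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_tries_per_account):
            findings.append({
                "src": src,
                "accounts_tried": len(per_user),
                "accounts_hit": sorted(hits[src]),  # accounts to reset first
            })
    return findings


def find_lockout_triggers(events):
    """Return (src, user) pairs where the ordinary per-account lockout fired."""
    return sorted({(e["src"], e["user"]) for e in events
                   if e["result"] == "LOCKED"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_stuffing_sources(evs):
        print("stuffing from %(src)s: %(accounts_tried)d accounts, "
              "successes: %(accounts_hit)s" % f)
    for src, user in find_lockout_triggers(evs):
        print("lockout: %s on %s" % (src, user))
```

The accounts listed under `accounts_hit` are the ones whose owners reused a password that has already leaked somewhere else, so they are the first to reset and notify.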

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

197 comments
johnm7

I deal with a system at work which guarantees that the passwords cannot be memorized. They must be a mix of uppercase, lowercase, and numbers (This is OK). The check for strength then strips all the numbers, changes it to lower case, and does a dictionary attack where no 5 character or longer sliding window can be an English word (no pass phrases), and the first 8 characters cannot be an anagram of an English word. This portion is way over the top, and completely random passwords have fallen foul to this test. The password changes so frequently that by the time it is memorized, it is time to change again. Everyone has come up with a solution that compromises the security of the passwords in some way or another. Some of the passwords are split (one half written, the other half memorized). Some just increment a number. Some are just plain written on a post-it note on the bottom of the keyboard. Some use a password manager. Nobody has it memorized. Another password problem that I find annoying is sites that accept a **Really** strong password without complaint. This would be a 40 character password generated by a password manager that allows all characters on the keyboard. The problem arises when you actually try to use the password and a message pops up that the password failed. Since the password manager entered both the original during creation, and the login attempt, there is no way that it is typed in wrong. The problem is the site did not warn me about which characters are not allowed, or what the limit on the password length is, and then the original accepted a password that could never be matched. The only passwords that need to be memorized with a password manager are the login to the OS, and the decryption key for the password manager. Password managers are wonderful, but I am going to write the password to the password manager down and lock it up (in case I am hit by a truck, my wife can then get in to all of the places she needs to).

dcolbert

Those of us with even a modicum of logic coverage in our educations should be familiar with the idea of a false dichotomy. /:) Aaaaaanyhoooo... Today I just rotated my password back to one I was using 9 months ago. I know that because I directed my staff to implement a secure, rotating password policy and the solution they implemented requires an 8 character minimum, mixed case password with alphanumeric and special characters and no dictionary words, and passwords cannot be recycled until the 4th rotation. Prior to that, users had 4 digit PIN passwords, had dictionary passwords, and never had to change them. There was a great gnashing of teeth and wailing among my user base. Several very educated men who you would *literally* trust with your life referred to the very studies that inspired you to write this article - while protesting my executive decision to institute a traditional secure policy routine. I guess that modicum of logic coverage in my education paid off. *chuckle* I'll tell you what, though... This security measure has increased costs and decreased productivity (except for our support staff, who are far busier resetting passwords and locked accounts than they were prior to the change). It is also possible that more users are writing down their passwords and leaving them in easily accessible places than before. (Note to self: have my desktop support guy perform a cubicle audit looking for written passwords. Check with HR/Legal to ensure that this is legal). The question for me, and it is a difficult one to answer: Are the increased costs *less* than the costs we would have incurred from a security breach due to poor password security policies? Because if they are, I've made the right decision. If not, while it may be a win for strong security best practices, it is a loss for sound business principles. I mean, I'm behind you on this one Chad. I believe in secure passwords, I know all the tricks to easily remember *very* long and secure ones.
Like a *nix user who can actually leverage the benefits of FOSS, I'm a cut above and can easily benefit from very secure passwords. But I'm willing to entertain that enforcing draconian password policies on typical end-users may (at least sometimes) do more harm than good, depending on a variety of variables.

ps.techrep

IMHO, the use of the same userID is far more dangerous from a privacy standpoint than is the password. If the same ID and password are used for every site, it is just asking for trouble. But, if you are only concerned with external hackers, so long as a different username and email address are used for each site's user ID, I see no problem using the same password for most of those sites.

NexS

It drives me nuts when people (and by 'people' I mean every user I pass by) complain about having to change passwords and have complexity in it. There have been sentences like 'Why should I?' and 'It doesn't make a difference' thrown around. And I've given up explaining -- I just enforce it nowadays.

rmshay

At best, one strong password could be memorized. Beyond that, the passwords are either simple or on a sticky note attached to the monitor. That's the limit of human capability (on average, and only average counts). You are not going to get executives to memorize a vast number of ever changing passwords and their minions will have to write them down for them. The minions, of course, can then send the files to wikileaks. Security has to be convenient enough to be used and not circumvented.

Marc Thibault

[This security measure has increased costs and decreased productivity] As do most safeguards. The thing is that risk is about probabilities. If you don't know the probabilities, you don't know what's a reasonable cost to mitigate. You can't manage what you don't measure--that includes risk. So, what are the odds?

apotheon

Seriously. Introduce your users to more than two options. It's not "only deal with the annoyance of strong password policy or with the annoyance of bad security". There are other options as well, such as OTP tokens and password managers. There are solutions to this problem.

Neon Samurai

When we re-did our password policy I ran the cracks and did up a table of breaking times based on length/complexity. We increased the planned policy as a result. It also gave me times to quote for users: "but why can't I just use...." - 'because that can be broken in XYZ seconds'. "But, there is a three try limit" - 'there are ways to figure out your password first before the login screen'. "But, it's too hard to remember" - 'do you have a few minutes to talk about ways to pick more memorable passwords or potentially using a password manager program so you need only remember one complex password?' I've also had it the other way in cases where I needed to use a shared password with a user. "But you'll laugh. Don't laugh at my password" - 'as long as it's up to policy, it's just a password. oh.. actually, you've chosen a pretty good one and here's why...' Make it something to work with the user on and figure out quick easy ways to explain why.

CSSathish

Can we say a strong password is one which should not be a dictionary word. It should contain some special characters. In-between numbers can also be used. But it becomes difficult for one to keep the password in mind. To keep the password very strong (of course in our mind also), a new trend can be followed instead of using any password manager. It is the Pass Phrase. I hope some of them would have heard about this. Let me detail it to you. For example, let's say Mr. Jill is joining a new community web site. He wants his password not to be leaked or easily guessable. He joins the community on 30-Nov-2010. He now creates a new Pass phrase: "I joined the Community at 30/Nov/10" -> IJtc@30N10. In this scenario, he has created a phrase and used the first letter of each word to form "IJtc" and in-between he used case changes. For "at" he has used a special character "@" and used the joining date as the number "30", the November month first letter "N" and the year 2010 as "10". You can also use the last letter of each word to form a new password: "Idey@30v10". Similarly, Mr. Jill is opening a new bank account and he receives the Net banking account details. He can create a new pass phrase like "I opened My new account in Citibank with $100" -> IOmnacb$100. By using this kind of Pass phrase, we can keep our password more complex, easy to remember and difficult for unwanted persons to guess.

apotheon

I know about half a dozen strong passwords I'm using right now. The weakest of them is twelve characters long. Another is eighteen. Others are even longer. The hundreds of other passwords I use, however, are stored in a password manager, and are even longer than the majority of those I have memorized. Of course, "memorize" is kind of an insufficient term. Most of those memorized passwords are more stored in muscle memory than in a way that is consciously retrieved from memory; I need to sit down at a keyboard and type that eighteen character password I mentioned in order to "remember" it with any facility. Trying to dictate it to someone else, it would probably take twenty minutes to get it right. Most people don't need to ever remember more than two. Store everything else in a password manager. Save yourself some headache, and some risk.

dcolbert

Endless budgets, manpower, skills and resources. The dichotomy, false or not, may be real, and *might* not be of my doing, Chad. Again, *you* need to realize... sometimes it isn't what you *could* do, if you could feed unicorns Corporate-OS platforms and they farted perfectly configured self maintaining FreeBSD enterprises that delivered all of your corporate MIS goals in a way that wouldn't cause your user-base to reject it completely... It is what you CAN do within the constraints of *reality*. Now you've got *me* feeling like calling you some pretty nasty things. Seriously. Welcome to the real world, Neo. Open-Source Security Principles, powered by Fairy Dust and Rainbows.

NexS

Taking the time to explain such things to every user would be a project in itself. And the "I'll tell you, and you tell your mates" approach doesn't really work because people don't care enough to bother.

apotheon

Pass phrases are not known to be strong. They're only believed (by some) to be strong. The first problem is that a strong password is made up of as many tokens as there are characters in it, while a pass phrase is made up of as many tokens as there are words in it. The second problem is that using dictionary words is how you get predictable passwords, but to some extent pretty much all pass phrases are predictable, because the whole point of a pass phrase is to make it memorable for the user who has to remember it. You're much better off using a twenty character password with letters, numbers, special characters, and even spaces in it, and store the password in a password manager's encrypted database, than using the phrase "what a difference a day makes" -- in some respects essentially equivalent to a six character password. For the love of Baud, folks, just get a good password manager already. How is it that people have not heard of these things? I currently like pwsafe plus a simple script, but your needs may differ from mine.

Neon Samurai

Third party signed certificates are not a requirement of a certificate as a password manager "key". It seems to normally be symmetric encryption with the certificate being a means to jack the bit strength well beyond a password's ability to negate brute force and time trade-off or similar attacks outside cryptanalysis exploitation. (details for anyone interested) Symmetric encryption uses the same key to lock and unlock the box. Bob and Alice both work at the bank and have a duplicate key to lock and unlock the front door. The encryption keeps a thing in the possession of a single owning entity trusted because they have the key. (certificate, password, biometrics..) Asymmetric encryption uses two keys where the opposite key from the one used to lock the box is required to then unlock the box. Bob has lower authority and works out front as a teller while Alice works behind the glass in the safe room with manager's signing authority. They pass things back and forth through a drawer in the wall that slides between and has no handle to pull; neither side can push the drawer closed then pull to re-open it. Alice, as manager with higher authority and ownership of the drawer, accesses both the front area and safe room so she can actually access it from either side by closing it on the other. Bob can not access the safe room so he can only ever push things to Alice or receive things she pushes back (making them accessible to anyone in the front area). The encryption places a thing in the possession of a recipient trusted by a third party whose opinion they both value. (PGP pub/priv trusted by self assigned values, SSL pub/priv trusted by recognized certificate signing authority's validation) This is not to say that one couldn't choose to use their asymmetric private certificate when asked for a symmetric certificate. The symmetric system simply wants the same cert to "open" the file each time. I wouldn't personally suggest using one's public certificate when asked by a symmetric system.
:D Perhaps someone's designed a password manager that validates certificates to a central authority. Maybe it's a distribution system with one admin having read/write (pub/priv certs) and all others having read only (pub cert). I just don't see the central authority required to get strong encryption for a password database.

JCitizen

You mean the ones of your own making, and not the expensive ones like Verisign (for example).

apotheon

dcolbert: The things you said laid claims of deficiency for using software other than MS Windows or MacOS X, and implied stupidity for thinking that it might be worthwhile to consider how to make security easier -- rather than just weaker for the sake of convenience. You made categorical (and personally insulting) comments that you later came back and claimed were just "devil's advocacy" or "misunderstood". Your claims were quite different from tbmay's in that he said "Yeah, this stuff is true; sometimes the bosses don't like it." Meanwhile, you said "No, that's not true, and you're an idiot who lives in a fantasy world if you think anything you come up with will ever work." Stop trying. I won't believe you when you contradict your earlier words so directly. santeewelding: Stop instigating. There's nothing to be gained by trying to engage in meaningful conversation with dcolbert for now, and no amount of trying to paint me as more substantially the "bad guy" just because I came to that conclusion is going to change that fact.

apotheon

I don't want to play this game any longer, where you backpedal and pretend you meant to be totally friendly and honest, then pull the same crap again. Stop trying to bait me. I don't want another flame war.

Neon Samurai

A physical password manager was only a given option for the question; "how do you use a password manager to remember your login when you need to be logged in to run it." - consider a physical password manager instead of a software one. Obviously it's not the only option either. Swipe cards or similar token authentication would be better suited where passwords are not. This only gets you past the initial login unless you use single sign on across everything. (edit; read entire comment.. then post.. ) I do get the need to see it from the user side and I see you did mention alternative systems right after. The real issue is passwords themselves; which relates back to past discussions. They remain the most economic to implement but like key locks, they are continually proven more convenient than effective. My current solution to the original question though; don't be first in the morning. Ask the staff member beside you if you can plug in your usb and remember your password (or whatever mobile storage it's on). I figure the person recognizing me in person is an initial authentication. This wouldn't work for solitary terminals or frequently forgotten initial logins. A cert on a rom card or usb is probably better though.

AnsuGisalas

... chop off my employees fingers or pluck out their eyeballs if they want to get past my security." -Because I hate my employees more than I love my secrets! Muahahahahahahaaaaaaahahaha*cough* *sputter* - hairball... Sorry, that was my immediate association from the above quote.

apotheon

dcolbert: It probably has something to do with the fact that your version of "devil's advocate" is "trolling for flames".

dcolbert

My users who despise passwords that are anything more than 4 digit numeric PINs are now carrying around a physical gadget to store and retrieve their secure, strong passwords. Users who overload paper-trays despite a huge label at the back with an arrow pointing to a line that says "MAX" in bold 74 pt. font? I'd love good, accurate biometric security solutions. That didn't add any costs and didn't require you to go through some bizarre ritual to get your fingerprint recognized. That would be fantastic. Let the bad guys chop off my employees' fingers or pluck out their eyeballs if they want to get past my security. Neon - where the conversation leads, kind of proves my point. Mostly... I said I *did* implement secure password policies where there were none before and I agree with Chad's thesis here. I voiced some "Devil's Advocate" concerns about the repercussions of such policies. As a manager, I need to look at things from all perspectives and *wonder* what unforeseen outcomes might come of my policy decisions. It is kind of like playing chess. It shouldn't have led to another flame war that I did so when in spirit, I absolutely agree with Chad. I'm still trying to figure out how THAT happened.

santeewelding

You both -- Donovan by a margin probatively less than Chad -- have succumbed, it seems, to the technical as measure of soul. Doomed; both of you.

dcolbert

I was saying exactly what tbmay said. We process information differently, Chad. I've said it in another thread, and now I'll say it here. It is the only thing I can think of that explains situations like this. I've never said anything was "right" or "wrong". I concern myself about what IS.

dcolbert

Woah... I see where you got hot... and saying what you said ABOVE would have potentially avoided a lot of heat between you and me. I think you've made quite a few "ridiculous condescensions" aimed at me and my expertise as well, (and first), but maybe that is just MY sensitivity to some of the general things *you've* said showing through. Sometimes we talk in general observations and a person who identifies themselves with what we are attacking takes it as a personal offense. In this case - my point was, and you were dismissive of this point when I tried to clarify - there are a lot of companies where it is as likely as fairy magic that they could successfully transition from what they have to what you think is ideal. (Something like, "if your company is so fragile, maybe it should go die"). It doesn't matter if it IS ideal or not. In that situation, there may be IT guys who have as much chance of sprinkling themselves with fairy dust and thinking a happy thought and flying to Never Never Land with the Lost Boys - of being able to achieve the things you propose. That isn't an observation aimed personally at YOU in any way, at all. I understand how you could take it that way. To me, it was just a wise-cracking, snarky way of putting a dry observation. I'm sorry you took it otherwise.

Neon Samurai

I'll go back to lurking this thread. I just wanted to mention physical password managers. If the concern is the initial login rather than additionally needed passwords (eg. websites), maybe look at physical password managers. This does remove the budget advantage of a freely available bit of software but it covers the need to securely store and access a password prior to login. Now.. I'm going nowhere near the social topics of this exchange. I'll be over here with whatever rubber-necked drivers are still slowing down for a look.

apotheon

You seem to think that people who spend their careers learning about security matters should just let people hired for their ability to open a Word document dictate security policy, santeewelding. I disagree with your sentiment. I question my own conclusions about security every single day. If the questioning does not lead to undermining my own arguments or understanding so that I learn something new, I keep operating on the assumption those conclusions are correct. People who never even come to any conclusions beyond "I don't like passwords" do not get to make security decisions on my behalf.

apotheon

As you've described them, I understand what you're saying about your circumstances. I never said anything that disputes the notion that sometimes we simply have to bend to the reality that bosses sometimes just say "no". That's not what dcolbert is saying. What he's saying is that bosses who sometimes just say "no" -- regardless of whether there are good ways to help people follow good security practice -- are right. He's saying that using software that doesn't cost anything to make it convenient to use strong passwords is "powered by Fairy Dust and Rainbows." He's using the fact that my primary OS choice does not come with a restrictive EULA and a holographic decal as "proof" that I'm living in a fantasy land, that I'm biased against reality somehow, and arguing against that rather than against poor security practice. This is in no way the same thing as what you just said. What you just said is "Sometimes, no changes will be accepted by the people in charge." That's true. You're right. I do not disagree with that. This, on the other hand:

> I can assure you, Donavin could enforce security right to the point he would lose his job.

Unless he's lying to us about his reasons for disagreeing with me just to try to stir up a flame war, I don't agree with that. I suppose it's possible he was just trolling for flames, though -- and if so, he certainly succeeded at stirring up a flame war. I shouldn't have been baited, whatever his actual intention, but such is life.

Sonja Thompson

is "attack issues, not people." As bloggers for TR, you both are well aware of the Terms of Service. I enjoy reading both of your points / counter-points, but please refrain from name calling, fellas.

tbmay

...security DOES often matter. And the users of the technology might have to accept they have a role in its success, if it's going to be successful. I try to make my recommendations relevant. Let me give you an example....a small...but not so small that many others don't walk by this desk...or even sit at this desk...business I support had a key financial person with her password taped to her monitor. Others in the same business had discovered (before I entered the picture) the joys of open shares on their workstations, unpassworded. And they bought a wireless AP and plugged it in to the first open jack they could find and, you guessed it, did not secure it. I AM NOT exaggerating. When I did my first site survey, I literally saw their files from the parking lot without knowing the first password. This demonstrated to the manager things needed to change. And this change did not come without protests. I don't want to whip anyone into compliance. But there is a point where I can't help them any more. Fortunately, these folks in this example still use me. I try to keep my recommendations and practices both practical and realistic. But even that will have its detractors.

santeewelding

Alternatively true to what? What is the "what"? A thing to be ignored? A thing to be discarded? To be reviled? "You all" hold truth and they do not? Is there something you are missing? Reminds me of overseers whipping the masses into compliance, completing the tomb of a Pharaoh in the balance. "You people just don't understand the importance of all this!"

tbmay

...good points are made by both parties. At the end of the day; however, Donavin's reality is pretty close to mine. Mind you, I've been a sysadmin in regulated financial institutions where these changes were mandated. Resetting passwords and angry users were the order of the day. At least we could blame someone else. In other environments, and as an independent consultant, the only complex passwords I deal in are key system passwords. I burned out trying to get users to change A LONG TIME AGO. Chad, the real thing is the users DON'T GIVE A FLYING FLIP. ANY change you impose on them is going to be resented. I make recommendations to their bosses that include things you talk about. I put it in a nice, well typed, letterheaded, grammatically correct letter that doesn't resemble my posts on TR. My guess is they glance it over and toss it in the trash. That's all I can do. If the business owners don't care about what they perceive to be obscure risks, I can't do any more about it. I can assure you, Donavin could enforce security right to the point he would lose his job. Yes. It is a compromise. I sell it as simple risk management. The ball is in their court. Now, my firewalls...no remote root (su required) Sealed, random passwords under lock and key..etc etc. Servers...same deal. User accounts - only recommendations that go largely ignored. Password manager? One more thing they don't want to fool with. That's the reality. We have to support people who are HOSTILE to technology and change.

apotheon

Tell the guy who claimed I live in a fairy tale and know nothing about security with his ridiculous condescensions. . . . because he thinks I'm a Linux guy, apparently.

apotheon

> My jabs are light-hearted

Yours are full of ridicule and thinly veiled contempt for neck-bearded basement dwellers, suggestions that I'm going to murder you if you disagree with me too much, and other complete violations of your fraudulent self-image of a light-hearted friendly guy.

> But, that fits the profile, too.

Thanks for the demonstration of my point.

dcolbert

Stop projecting your issues onto me. Look back - and every time someone is resorting to personally-aimed low blows (with teeth) in our exchanges, it has been you. My jabs are light-hearted, yours are "you're an idiot, a moron, a jackass, uneducated". I don't have to say much, because anyone who has been following our exchanges knows this. You can't handle being challenged. You react poorly to it. Your behavior is borderline autistic. But, that fits the profile, too.

tcavadias

..fa la la la la la la la laaaaaaaaaaaaaa... ;-) Ya'll really don't want me in here singing now do ya? As I have a whole entire doggie crew ready to howl at a moments notice. Their speciality is the song - "I'm making a list, checking it twice..." Now get into your corners.. behave yourselves.. no name calling.. or I'll just have to come back and start singing. -Tammy [_]3

apotheon

1. You have some serious issues with me that, frankly, I do not understand. The best I can come up with is speculation that you don't like the fact I disagree with you on several topics, and simply cannot abide disagreement. Maybe that's it. Maybe not. I'm no psychiatrist, and I don't know you. 2. If your company is so fragile, and unwilling to adjust to changes in technological realities, maybe it would be a good thing if it just died already. If not, you should probably stop raising spurious nonsense that gives that impression as part of your "arguments" against good security sense. edit: I made it short mostly because it's not really for your benefit. I wouldn't want to fill this comment up with irrelevancies that drive readers who might learn from it elsewhere. Also . . . tl;dr, because I can't be bothered to read page upon page of invective right now from someone who never bothers to actually understand any of my points.

dcolbert

Budget WHAT? "A simple open source password manager"... Plus the cost to train 130+ employees on using the password manager, creating the documentation and publishing it, providing follow-up support. That doesn't account for providing training for over 500 external users in multiple locations. You over-simplify situations when it suits your arguments, and over-complicate situations when you attack arguments you disagree with. It isn't so trivial or inexpensive as you propose. But what you make up for in technical skill, you can be forgiven for lacking in business acumen. It is a common liability among IT professionals, so don't go too hard on yourself. Just wait, and a great example will come by...

TAC Support Notification to All Staff: "Just a reminder to all, When adding paper to the trays, make sure to pay attention to how much paper you are putting in. There is a line in each tray labeled "Max" and that is the maximum capacity that the tray has for paper. If paper exceeds that line, it will cause the printers to jam. Just something to look out for. Thank you"

It isn't that our users are idiots. They're among the best at what they do. But reloading paper trays has nothing to do with their core abilities. Neither does a "simple open source password manager". Where is this password manager going to be, anyhow, so that they can get logged into their machine in the morning? If it is on their machine, and their machine is safely logged out or locked, having their password stored in a keyring app on their PC isn't going to be much help now, is it? Perhaps we should buy them all smartphones, and put the passwords in a keyring manager on those devices. Only... well, now I have to make sure they securely lock *those* devices, and create mobile device policies for the entire user base. Now how do they remember their secure lock for their mobile device? Maybe I'll get them little thumb-drive devices that... Wwaaaaait a second!!!

Did anyone in the TAC ever take care of that paper jam from the tray being overloaded... If we just switched to FreeBSD, all these problems would go away. Of course, we would be out of business.

dcolbert

Lay off, buddy. That stuff will kill you. Actually, in fact... now that I think about it, here is my lighter. Go to town. Can I suggest you graduate to something harder and do the world a favor? (My apologies to crackheads for associating you with people so reasonable.) You have *no* idea what kind of office staff I work with, no idea what kind of end users I work with. An "open source password management tool" is, for a great majority of my users, simply out of the question. You understand that a *great many* doctors are just retiring rather than adopt mandatory EHR and EMR programs?

> The main difficulty with them would be getting users to buy into spending maybe five minutes learning how to use them up front so they can save themselves time, frustration, and embarrassment (to say nothing of security problems) later.

Our office staff focuses on medical posting and billing. They're incentive based. It is nearly "assembly line" work. Most of them are middle-aged or older women who have never worked anything outside of specific health-care niches that are completely non-technical. Practices are *worse*. You are completely disconnected from the real world, which is why you're a *nix blowhard. You'll never get it. Guys like you are the *worst* thing that ever happened to Linux and Open Source. Jack Wallen once really insulted me. He called my claims irresponsible. You, Chad, make irresponsible claims on a regular basis. If you're typing in an opinion, you can count on it containing irresponsible statements. And by the way, for a guy who claims to "avoid violence except as a last means and only in self-defense", you sure throw out ad hominem insults pretty freely. I, on the other hand, have either been very good-natured at sharing jabs with you or completely held my tongue for more messages than reasonable. I just find so much of what you CLAIM completely contradicts so much of what you DO. Perhaps you're just a pathological liar.

It would explain how you can be so gung-ho about Open Source and *nix. As for dichotomies, false or not, they exist, and they are often out of an individual's control to change. You've got to work within the system. This is your basic failure: you want to work in a world of ideals. Sure, if you were Darth Dorkwad you could make EVERYONE bow to your vision of perfection. But it isn't going to happen, so your vision *remains* fairy dust and unicorn farts. This is probably why you consult, rather than *work*. Go in and make a bunch of suggestions that can't REALISTICALLY be implemented, charge a bundle, then blame it on the client when they don't do what you suggest. Good gig, huh? It is the same method you use to defend *nix and FOSS.

apotheon

How does giving everybody a slick little password manager, available under an open source license, eat into your budget? How does trading a touch of up-front training on how to use a password manager for the immense manpower cost of dealing with lost or forgotten passwords on a daily basis mean you require more manpower? I know that something like OTP tokens cost money and require a little more back-end infrastructure. It might end up saving money in the long run, or even just breaking even; even if it costs a little more overall, though, it should definitely save on manpower. I also mentioned password managers, for which I do not really see a downside. The main difficulty with them would be getting users to buy into spending maybe five minutes learning how to use them up front so they can save themselves time, frustration, and embarrassment (to say nothing of security problems) later.

> The dichotomy, false or not, may be real, and *might* not be of my doing, Chad.

I didn't say it was of your doing. The fact it's a false dichotomy, however, means it is not real. It's an illusion. The fact people think it's real is the problem; they stop looking for other solutions because the first two options are assumed to be the only possibilities.

> Now you've got *me* feeling like calling you some pretty nasty things.

It sounds like you have issues.

> Seriously. Welcome to the real world, Neo.

In the real world, a very small up-front investment can save worlds of hurt down the line. In the real world, however, nobody thinks past five minutes from now. This is not my failing.

> Open-Source Security Principles, powered by Fairy Dust and Rainbows.

JCitizen

and Neon is right, it's a proverbial war out here!

NexS

Secret abuse. You can make them feel stupid without them realising.

Neon Samurai

It builds very nicely on my previous desire to have at least two people whose job it is to break into the network. An ongoing challenge. My idea was just sort of within IT; "Bob broke into the network again, here's what we gotta fix in case Eve finds the same way in." But.. an office-wide wall of sheep with "here's who Bob broke into the network through" could be a lot of fun. It would take the right office staff that could take being centered out like that. I like it though.. turn the place into a war zone and when real attackers arrive, the locals will be the trained watch guard.

apotheon

Maybe every business network should have a Wall of Sheep like they have at DEFCON. Show the usernames and cracking times for passwords; offer pamphlets with simple explanations of how to solve that problem on a table near the wall of sheep. Keep it running constantly. I kinda like the idea, actually. Hmm.

JCitizen

:) They never had any trouble remembering them, but occasionally we got the usual help desk call.

apotheon

Either they were using something that could be brute-forced by cracking software that is "aware" of common character substitutions and alternate spellings, or they were basically just using passwords with spaces in them. I use very lengthy passwords with spaces in them quite regularly. Some were even originally inspired by "phrases". By the time they have any real strength against cracking, though, they do not meet the definition of "passphrase" that grants a passphrase any real benefits in usability over passwords -- so they're basically back to being strong passwords at that point.

JCitizen

you could barely recognize them as words once they got done dreaming up all kinds of character replacements for the letters of the words. Numbers that sound like or look like the letter were sometimes substituted. Shortened or fudged words that looked like some kind of new guttural texting language or slang dialect were other techniques dreamed up by the clients. They were very good at this creative process, and I think it would have slowed down anyone intent on breaking it, and anyway, that activity would eventually be picked up by our security team. They usually were. Any failures to guess the password alerted the team through the Active Directory Group Policy plug-in process, if I remember correctly. I never worked in that area, but I did have MCSE training in AD.

apotheon

1. Using a passphrase implies individual "words" in the passphrase being weak if they were themselves used as passwords. Is it better to have one 20-character password that is strong, or four five-character passwords, making up a passphrase, that are individually weak?

2. How do you enforce strong passphrases without running into exactly the same "problems" that prompt you to want to use passphrases instead of passwords anyway?

JCitizen

We encouraged customized character fudging of the pass-phrases in our training, so the dictionary attacks wouldn't be so successful, or at least slow to crack. Scripting forced a change every 60 to 90 days, and no repeats. We also trained them to conjure personal quotes only they would know or understand, instead of popular sayings. I used to randomly ask for the client's pass phrase in my security checks, and I was surprised at how resourceful our folks were! We also concentrated on perimeter/interior defense and locking down remote clients. Besides just meeting HIPAA requirements, we rarely had data breaches. I felt like our CIO had a good handle on keeping the LAN/WAN safe. I was pretty confident our blended defenses would make life harsh for any crackers trying to fuss with the system. We didn't take into account that we were an unlikely target, because we were all paranoid. This paid off when some of the professionals who handle domestic violence cases had attempts to infiltrate the LAN. Not all criminals are after money. As I reflect back on that old contract, by now we would have to contend with the accounting side of the organization, what with all the banking breaches going on everywhere. This is where this article would have been taken very seriously at IT meetings.
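
The two comments above argue over the same point from opposite sides: apotheon's claim that cracking software "aware" of common character substitutions recovers fudged words, and JCitizen's description of training users to substitute characters in their passphrases. The numbers can be checked with a small rule-based candidate generator. This is an added example, not code from the original thread or from any cracking tool; the substitution table, the phrase list and the target passphrases are constructed for the demonstration, and SHA-256 stands in for whatever hash a real system would store.

```python
import hashlib
import itertools
import math

# Constructed subset of the character substitutions a rule-based cracker
# tries; real rule sets are larger but work the same way.
LEET = {
    "a": ("a", "@", "4"),
    "e": ("e", "3"),
    "i": ("i", "1", "!"),
    "o": ("o", "0"),
    "s": ("s", "$", "5"),
    "t": ("t", "7"),
}

# Constructed phrase list standing in for a corpus of common quotes.
PHRASES = [
    "the quick brown fox",
    "to be or not to be",
]


def variants(word):
    """Every spelling of `word` reachable through LEET, with the first
    letter optionally upper-cased (how users typically 'fudge' a word)."""
    choices = []
    for i, c in enumerate(word.lower()):
        opts = list(LEET.get(c, (c,)))
        if i == 0 and c.isalpha():
            opts.append(c.upper())
        choices.append(opts)
    return ["".join(combo) for combo in itertools.product(*choices)]


def phrase_candidates(phrase):
    """Cartesian product of per-word variants, rejoined with single spaces."""
    per_word = [variants(w) for w in phrase.split()]
    for combo in itertools.product(*per_word):
        yield " ".join(combo)


def candidate_count(phrase):
    """Size of the substitution space for one phrase."""
    return sum(1 for _ in phrase_candidates(phrase))


def added_bits(phrase):
    """Entropy the substitutions add on top of guessing the phrase itself."""
    return math.log2(candidate_count(phrase))


def sha256_hex(text):
    # Demo hash only; a real target would be whatever the system stores.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, phrases=PHRASES):
    """Try every mangled form of every phrase against the target hash.
    Returns (recovered_password, candidates_tried); password is None on a miss."""
    tried = 0
    for phrase in phrases:
        for cand in phrase_candidates(phrase):
            tried += 1
            if sha256_hex(cand) == target_hex:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: a "fudged" version of a well-known phrase.
    fudged = "Th3 qu1ck br0wn f0x"
    print(crack(sha256_hex(fudged)))                    # recovered within 576 tries
    print(round(added_bits("the quick brown fox"), 1))  # 9.2 bits of fudging
    # Same length, no phrase behind it: not in the search space at all.
    print(crack(sha256_hex("x9#Lq2v$Bn7!Wk4zPm1R")))    # (None, 14400)
```

Each substitutable letter multiplies the candidate space by a small constant, so all the fudging of "the quick brown fox" yields 576 spellings, about 9 bits on top of whatever it costs to guess the phrase itself. That is why the thread's "slowed down" is the right word rather than "stopped": the attacker's work stays a product of small factors, and Neon Samurai's point that knowing the underlying quote invalidates the 40-character string is the same observation from the other side. A 20-character string with no phrase behind it is simply not in the space this generator enumerates, which is the difference apotheon draws between a strong password and a mangled passphrase.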

Neon Samurai

But, it was a 40 character string the person used. (10+ char if counting by the word) I do like your pointing out weakness in short passphrases though. One still needs to base the "passphrase" string on a mung'd up memorable phrase. Even the given 40 char example was invalidated by knowing the quote the person based it on.