
Masking passwords: Why it's not a good idea

After reading an article arguing that password masking isn't worth the effort and might even be detrimental, Michael Kassner isn't sure where he stands on the issue. Here, he works through the reasoning on both sides.

The article, Stop Password Masking, was written by Dr. Jakob Nielsen, a well-regarded expert on Web usability and user interfaces:

"Jakob Nielsen, Ph.D., is a User Advocate and principal of the Nielsen Norman Group which he co-founded with Dr. Donald A. Norman (former VP of research at Apple Computer). Before starting NNG in 1998 he was a Sun Microsystems Distinguished Engineer.

Dr. Nielsen founded the "discount usability engineering" movement for fast and cheap improvements of user interfaces and has invented several usability methods, including heuristic evaluation. He holds 79 United States patents, mainly on ways of making the Internet easier to use."

Given Dr. Nielsen's credentials, his position that password masking is a bad idea isn't something to be taken lightly.

Why mask passwords?

Until I read the article, I considered masking passwords to be a no-brainer for the following reasons:

  • Masking passwords is the logical response to the concern that someone could steal a password simply by watching it being typed (shoulder surfing).
  • Auto-complete on login forms is a bad idea, period, but masking still helps: browsers don't offer a drop-down of previously entered values for a password-type field the way they do for a plain text field, so a later user who types the same first few characters can't see earlier passwords. This is of special concern when the computer has multiple users.
  • Some regulatory bodies require password masking in order to grant their approval. A company's security policy may also require masking any time a password is entered.

Why password masking is bad

Nielsen summarizes his stance by pointing out:

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to log in failures."

Through his research, Nielsen has come to the conclusion that using nondescript bullets to cover up password characters violates an important usability principle, that of providing sensory feedback. To back up his claim, Nielsen provides some additional detail:

  • Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I didn't see any reference to studies verifying either of the above claims; still, both appear to have merit.

Using portable devices

I do agree with Nielsen that masking passwords on mobile devices is a real pain. As evidence, I know associates who do exactly what Nielsen describes above: they dumb down the password just so it's easy to enter. Not a smart thing to do when visiting important Web sites such as a banking portal.

Another viewpoint

Jason Montgomery, a security expert with SANS, presented a different viewpoint in this blog post. As a security aficionado, I was interested in his reply to something Nielsen had written. I quoted it earlier, so here's a recap of the part he is referring to:

"Typically, masking passwords doesn't even increase security, but it does cost you business due to log in failures."

Montgomery responded:

"Nielsen's probably right: It might be costing you business. The question is how much business? Security shouldn't be the be-all, end-all goal. It's there to serve the organization first and foremost. Viewing the cost of security controls with respect to the function it's protecting is the correct perspective."

Well said, Mr. Montgomery. I concur with your approach, and I'm sure Dr. Nielsen does as well. It's called compromise, and I think Nielsen may have already found a solution:

"Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win."

Sounds like it might work. What do you think? Does it cover all possibilities? When do we know we're safe enough to lower security standards in exchange for increased usability?
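
Nielsen's checkbox proposal, implemented the way a security engineer would ship it, as an added example (editor's code, not from the article or from Nielsen): the field is masked by default, a checkbox unmasks it, the choice is never persisted, and the field is re-masked before the form submits. It also sets the autocomplete and spellcheck attributes that address the shared-computer concern under "Why mask passwords?". The field functions only touch properties a DOM input exposes (type, autocomplete, spellcheck), so they work on a real input in a browser and on a plain object under Node; the ids pw and show-pw, and the low-risk/high-risk default, are assumptions for the example.

```javascript
// Added example (editor's code, not from the article): Nielsen's checkbox
// proposal done security-first: masked by default, explicit opt-out,
// re-masked on submit, and attributes that keep a shared browser from
// retaining a visible history of the field.

// Attributes every sensitive field gets. They apply equally to a password
// and to a security-question answer.
const MASKED_DEFAULTS = Object.freeze({
  type: 'password',                 // masked unless the user opts out
  autocomplete: 'current-password', // password managers may fill it; the
                                    // browser offers no history drop-down
  spellcheck: false,                // keep spell-check services away from it
});

// Markup for the field. The checkbox comes before the input so it is seen
// first. maskByDefault=false is what Nielsen suggests for low-risk sites;
// the default here keeps the field masked. "pw" and "show-pw" are assumed ids.
function renderPasswordField({ maskByDefault = true } = {}) {
  const type = maskByDefault ? 'password' : 'text';
  const checked = maskByDefault ? '' : ' checked';
  return [
    `<label><input type="checkbox" id="show-pw"${checked}> Show password</label>`,
    `<input type="${type}" id="pw" name="pw"` +
      ` autocomplete="${MASKED_DEFAULTS.autocomplete}" spellcheck="false">`,
  ].join('\n');
}

// Controller for a field: a DOM <input>, or any object with the same
// properties. Unmasking is a per-page-load choice, never persisted, and the
// field is re-masked before submit so a revealed password does not outlive
// the login attempt.
function createMaskController(field, { maskByDefault = true } = {}) {
  Object.assign(field, MASKED_DEFAULTS);
  const ctl = {
    revealed: false,
    reveal(on) {
      ctl.revealed = Boolean(on);
      // Switching the input type is all a browser needs to mask or unmask.
      field.type = ctl.revealed ? 'text' : 'password';
      return field.type;
    },
    onSubmit() {
      return ctl.reveal(false);
    },
  };
  ctl.reveal(!maskByDefault);
  return ctl;
}

// Browser wiring; skipped under Node, where there is no document.
function attachToDocument(doc) {
  const field = doc.getElementById('pw');
  const box = doc.getElementById('show-pw');
  const ctl = createMaskController(field, { maskByDefault: !box.checked });
  box.addEventListener('change', () => ctl.reveal(box.checked));
  if (field.form) {
    field.form.addEventListener('submit', () => {
      box.checked = false;
      ctl.onSubmit();
    });
  }
  return ctl;
}

if (typeof document !== 'undefined') attachToDocument(document);
```

In a page, insert renderPasswordField() inside the login form and let the script attach itself; under Node, createMaskController can be driven with a plain object to check the default, the reveal and the re-mask on submit. The one thing deliberately absent is any "remember my choice" setting: a reveal that survives reloads turns a shoulder-surfing mitigation into a permanent exposure.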

Final thoughts

Until I read Nielsen's blog post, I felt that masking passwords was just a necessary part of the process. Now I'm not so sure. It's cumbersome and businesses could be losing customers. Yet on the flip side, not masking passwords is a potential security risk.

Disputes surrounding password usage continue to impress upon me the need for mainstream multi-factor authentication. But wishful thinking doesn't help us right now. What's your take on yet another usability versus security conflict?


312 comments
ColinFromTheCrypt

The author just says that masking passwords is not a good idea. One would have to agree if the only issue is usability, and if lack of user intellect is not a concern. From a purely security perspective though I would have to be worried about giving access to sensitive or classified information to an individual who could not cope with simple password masking. Perhaps they would have similar struggles with some of the other controls required, such as policies and procedures. But then again, this article did not actually say that masking passwords was a bad security practise.

awhitney

I almost agreed with this article when I first read it. Until yesterday... I was attending a webinar via live meeting and the presenter had shared his desktop with all the viewers and then logged into the web-app he was demo'ing. Thankfully the web app masked his password. Many users would not even think about the fact that everyone could see the password if it were not masked.

jasilvasy

This is one of those double-edged swords type of situations. I agree with Dr. Nielsen; a lack of feedback to the user frequently results in the user quickly forgetting their password. Too many forgotten passwords, and the user tries to dumb it down for his/her benefit. Also, the user often overrides the security of the masked password by placing the paper with the written password on the desktop in front of them so they can see it and touch-type the password. However, I wouldn't want to log into anything in a public arena, even just a site for blogging, with an unmasked password. I get antsy when someone stands immediately behind me at an ATM when I'm entering my PIN. There may be a good option, though. I just read a commentary regarding the usefulness of longer but "simpler" passphrases. It stated that a passphrase of 16 characters, all lower case, would provide a possible 10 million combinations. The benefit to the user is they could generate a passphrase such as maryhadalittlelamb which would be easy to remember and type. Then it could be masked because its simplicity would make it easier to remember. Also, to satisfy complexity requirements, and possibly to confound brute-force dictionary attacks, the user could be required to toss in a number and a special character wherever it felt most comfortable.
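
The numbers behind the passphrase discussion in the comment above, as an added example (editor's code, not the commenter's): exact keyspace and entropy for a character-by-character brute force, and the same figures when the attacker instead guesses whole phrases from a list, which is the model that matters for a well-known line such as the nursery rhyme. The guess rate, the 100,000-phrase list and the 7,776-word list are assumed figures for illustration.

```javascript
// Added example (editor's code, not the commenter's): keyspace and entropy
// for the policies discussed above, under two attacker models.

// Candidates needed to exhaust every string of `length` symbols from an
// alphabet of `alphabetSize`; BigInt keeps the count exact.
function keyspace(alphabetSize, length) {
  return BigInt(alphabetSize) ** BigInt(length);
}

// Entropy in bits of a uniformly random pick from that keyspace.
function entropyBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}

// A phrase built from `words` entries of a `listSize`-word list has keyspace
// listSize^words for an attacker who guesses phrases, whatever its length in
// characters. A famous line is one entry of a small list of famous lines.
function phraseEntropyBits(listSize, words) {
  return words * Math.log2(listSize);
}

// Years to exhaust a keyspace at an assumed guess rate (offline cracking).
function yearsToExhaust(space, guessesPerSecond) {
  const SECONDS_PER_YEAR = 31557600;
  return Number(space) / (guessesPerSecond * SECONDS_PER_YEAR);
}

// The policies from the comment, compared at an assumed 1e10 guesses/s.
// The phrase-list size (100,000) and the Diceware-style list (7,776 words)
// are assumed figures for illustration.
function comparePolicies(guessesPerSecond = 1e10) {
  const rows = [
    ['8 chars, printable ASCII (95)',     keyspace(95, 8),     entropyBits(95, 8)],
    ['16 chars, lower case only (26)',    keyspace(26, 16),    entropyBits(26, 16)],
    ['one of 100,000 well-known phrases', keyspace(100000, 1), phraseEntropyBits(100000, 1)],
    ['4 random words from a 7,776 list',  keyspace(7776, 4),   phraseEntropyBits(7776, 4)],
  ];
  return rows.map(([policy, space, bits]) => ({
    policy,
    keyspace: space,
    bits: Math.round(bits * 10) / 10,
    years: yearsToExhaust(space, guessesPerSecond),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of comparePolicies()) {
    console.log(`${r.policy}: ${r.bits} bits, ${r.keyspace} candidates, ` +
                `~${r.years.toExponential(2)} years`);
  }
}
```

The comparison shows why the attacker model, not the character count, decides the outcome: sixteen random lower-case letters out-class eight random printable characters by a wide margin, but a memorable phrase that exists in a list of famous lines is only as strong as that list is long, and the required digit or symbol adds a few bits at most.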

Dr_Zinj

Feedback and loss of business were cited as reasons why not. I manage several masked-password-protected applications, each with about 250 users total. I end up having to reset passwords about 8 to 10 times a week per app due to lockouts and forgetfulness. It's so bad that we're looking forward to a single point of logon implementation in the next month. Each failed logon results in 30 to 60 minutes of lost productivity for each user before they give up and call me. So the losses in-house are quite real. If you're using masking for a customer and that happens, 90% of the time they don't bother coming back. Masking only provides extra security when the actual keyboard isn't visible to any bystanders.

mikifinaz1

I met a guy who, with his team created the most secure OS in the world for the U.S. government. The only problem was, no one could use it. Security and usability will always be at odds.

ericarthurtodd

What about sites that have security questions above and beyond the password? I have never seen them masked. I have to believe the potential for abuse is just as great there as with any password. I do like the idea of a check box, provided masking is the default. It just has to be large and obvious enough that it will not be overlooked, and it needs to be placed before the password entry window.

NCWeber

I think people just need to touch type like we used to do when we had real typewriters. It's a very useful talent. It used to be mandatory when I was in high school. You would think that with the advent of computers it would be more important. Alas, the opposite has occurred. Being able to type by feel as opposed to hunt and peck, which most people do today, is what really causes mistypes during login. If you don't need visual feedback to use the keyboard, you don't need visual feedback to type the password.

Neon Samurai

I personally like how KeePassX and DD-WRT do it. The password field is masked by default, but a checkbox for displaying the text is available. If you're sure of the phrase or have potential peepers over your shoulder, then leave it masked; if you need to see it, unmask it and go.

Deadly Ernest

In most cases you don't need a password on a computer because what the people are doing is basic office activities and don't deal with confidential information, so why clutter the system up. In my early post on this subject at http://techrepublic.com.com/5208-12846-0.html?forumID=102&threadID=312290&messageID=3106113 I mentioned setting up a system with no passwords for the general usage. I'm surprised no one's taken a shot at me about it yet. Passwords are a security device. If we set the security up at the data on a user based needs system (as I described), why bother with passwords to stop people using your Office suite of software and other non-confidential stuff? This will make the majority of users happier and ease the Help Desk calls for password resets too. For web site access, limit passwords needed until they get to the part where you need the confirmation to go on.

twainiqolo

I think that there would be more business losses if masked passwords were not used. It's the feeling of security overriding the feeling of inconvenience. The best theory in the world is always arguable. There is only one sure way of proving it: let's stop using masked passwords for one year and see what happens. The result could be interesting information.

Michael Kassner

I appreciate that information. There are so many situations that it's virtually impossible to account for all of them.

JCitizen

were very successful at our organization, we had to comply with HIPAA so we wouldn't have been able to use the good Dr.'s advice. However, I think using a cell phone as a token would make things way easier for the mobile client. At least until biometrics is improved.

Deadly Ernest

or more of the words, like maryhad1littlelamb adds a number and is close enough to the original to be easily remembered too.

Michael Kassner

I use that approach all the time, and if it works for my poor memory, it will work for others. Thanks for bringing that method up.

ITSecurityGuy

Many, including me, can type fast enough, while concealing the keys well enough, that you would never get my password. I even keep the ease of typing in mind while creating some passwords, to be sure they can be typed quickly enough, in front of others, so no one would be able to detect my password.

Michael Kassner

I'm starting to see a trend where the larger organizations are spending a significant amount of time on password issues. Also the point about keyboards is very valid.

Michael Kassner

Compromise and moderation should be impregnated in all of our minds.

Michael Kassner

I thank my mother every day for making me take typing in high school. Even though it was during 1960s and rather embarrassing. A geek and taking typing. Over time I've lost the ability to touch type, back then I was able to type 50 wpm without looking. Not now.

Neon Samurai

As a standalone system off the network, you may have a good idea. If that machine touches the work network or any work-related information then it could be a big problem. Getting in is about finding the one loose thread then pulling it to see how fast the network unravels. It's not a grand flash of genius like in the movies but baby steps from start to finish. An unprotected work machine gets you on the network; run your own tools from there then move to the next baby step. It also provides access for escalation; install your tools on it and access them remotely. Malware is also using brute force and similar password cracking so now you have a terminal on the network infected and pounding the rest of the machines or sniffing input for any connections out that require a password. Perhaps a kiosk system that runs a protected guest layer over the secured base system. While an open guest system may be a good idea, it has to be thought through.

JCitizen

typing, drafting, and welding. I might as well have gone to Vietnam; and believe me I tried. I've NEVER regretted the typing class for sure!

ITSecurityGuy

"I thank my mother every day for making me take typing in high school. Even though it was during 1960s and rather embarrassing. A geek and taking typing." However, I don't remember the word "geek" being used back then, as it is today, as a term with which one might self-identify. Yes, I was embarrassed to be a "college prep" student taking a "business" class, like all of those "average" students that weren't in any of my "honors" classes, but I never called myself a geek. I was too cool for that; after all, I was elected Treasurer of Student Government, by the whole student body. ;-) http://www.answers.com/geek What made it worse (& better) for me is that she made me take it during summer school. Worse, because nobody wants to be in school during the summer. Better, because I took it at a different high school, meaning none of my schoolmates ever knew anything about it. When I got my first TRS-80, long before the IBM PC, it finally paid off, even more than while typing college papers, which I probably would have paid someone to do, if my parents hadn't also sent me off with a new Smith-Corona. I even chose a Sans Serif typeface called Futura, looking something like Verdana or Tahoma. Mom only convinced me to take the class by telling me that my aunt could type something like 100-120 wpm. My aunt & uncle, mom & dad all graduated from Cornell with medical, engineering or science degrees. So that made it almost OK. Today, I probably touch-type more than twice as fast as I did just after the class, especially after typing my wife's papers for her latest medical degree.

Deadly Ernest

and even looser thread. By establishing separate access networks you make the work easier.

JCitizen

I just kept on trucking! =)

JCitizen

I visited the staff psychologist! HA! They wanted to make sure I wasn't becoming the next Charles Whitman. Heh, heh. He declared me "normal"?! Imagine that! :O I was a typical confused teen. ?:|

Neon Samurai

You'd have fit in with my group of misfits well.

JCitizen

I loved science but lacked the math skills to take the necessary prerequisites. Nobody called me a geek, though; they were scared of me for some reason. Almost six foot, 216 lbs, and could outrun the state track champion in a 440 yd. dash. Bad tempered too! A total gun nut - liked machine guns, and class A explosives the best. Had almost no social skills and still thought girls were sissies to be avoided at all costs. People thought I was communist or something because I wore nothing but an old marine utility cap and Sears oxhide work clothes. I did get giggles from Mennonite girls though! I know - I was a basket case! HA! :^0

Michael Kassner

Type that fast. I like to transpose, so it forces me to look more than most. Also, I may have made a mistake and should have said nerd versus geek. That's a few years ago and I'm happy remembering yesterday.

Neon Samurai

Typing class started it and computer classes through the rest of high-school also helped. Chatting on the local BBS and later on IRC seem to be what really brought my speed up though. Accuracy, spelling and grammar; not so much.. but speed. :D

JCitizen

I know, but we were talking about less security for less needed situations and more for critical security situations. VLAN does help keep the uninitiated from unnecessary snooping, I'm sure. Not everyone in college is a Cisco student. It has been a long time since I read that ACL sheet, but I thought I recognized some VLAN switch ports on it; if my foggy memory serves me well, there were ways to enhance the security of a switch, if that switch had that feature. Like I just said, it has been too long a time since then. And I have not had need of that kind of spaghetti, thank God!

ITSecurityGuy

If, by that, you mean a VLAN, they are not designed as security boundaries, and should not be considered valid as such. Some implementations of VLANS have been known to allow packets to cross from one to another. Also, MAC spoofing can enable a breach across VLANs.

JCitizen

I think DE is right about this, it could greatly increase productivity, and as long as there was a hardware gateway between "forests", it should be a safe proposition. However, I wonder how many smaller organizations would want to pay for all that equipment, and possibly one more IT guy as well. They have a large staff at that college. A good sell would be to crunch the numbers and show a good ROI, which might not be too hard, in many situations! Got to get that CIO on board!

Neon Samurai

I still remember walking past the large poster showing wireless network name and password; as if the MAC filtering they did made a difference. The computer security class (if only they had offered more than one class in it) was just beside the computer labs so it was right there contrasting with what you'd just spent an hour discussing. Anyone could walk off the street and get in with little effort. For the provided workstations each student had to use their ID. On the admin side, that meant running some scripts each semester start and having students activate their own accounts for initial password. In the military case, I guess a student ID and password for each terminal wouldn't have been much different from a blank login. At least it was behind several layers of physical security; front gate, just being on base, building access points.

Deadly Ernest

facility. We had three training facilities on campus, one a year-long course, one had two courses a year, the third had four courses a year. All with visiting people. We had two other units with large numbers of casual visitors we had to give basic computing access to. Plus the hundreds of regular staff who worked there. We managed with two physical networks, after I got it changed. The regular staff worked on the secure network from their offices, no password for the basic stuff there either. The other network served the training and transient area and had no highly classified material on it and no access to highly classified material. I say that as some of the training materials were classified as 'in-confidence' and had to be made available to the students. They were put on a file server behind a firewall, IDS, and password access required. The rest was wide open. In the course of a year about two to three thousand students would go through, as well as around five to six thousand transients. All needing basic computer services. We were luckier than most in that all the work areas for the regular staff were in buildings where you needed to pass a security checkpoint to get access and the whole campus had a security checkpoint at both entry points. The real problem was the conflicting work protocols between the Army, Navy, Air Force, and their civilian support organisations. By blowing away the need for the vast majority to get IDs and passwords issued, we also blew away the BS paperwork that was keeping five staff flat out busy on a full time basis. Thus freeing up a lot of person hours for other work. The differences between officers and other ranks were nothing in comparison to that problem.

JCitizen

There is no doubt a college needs to be open and easy to use. No logon for a student terminal. A student terminal could not save information except on a floppy or a special server student folder, pre-configured by the professor. User ID and logon password required, of course, for student folder access. Professors and staff had their own "domain" with limited access to other staff that only concerned their department. No sharing for administrator accounts, presidents, deans, but they had their server fiefdoms, and of course a larger scope per forest. You should have seen the horrible Cisco ACL sheets for this system, to keep these forests and trees separate and secure from one another. Not to mention the firewall configuration betwixt and between. This was the college I learned computer science in (primarily), and things went smoothly as far as I could tell, from my exposure to the IT staff. One of my fellow students set up the ACL. This had to be your model completely DE; but beyond most organizations' ability in scope, hardware, and security. If you have a lot of terminals open to access with no password required, it takes fancy footwork like this to protect the inner core from attack by a rogue terminal. A crime cracker would only have to deposit his load into one of the unattended terminals (not dumb terminals), and leave to let his bot do the dirty work. If I'm not mistaken, this would almost be as difficult as trying to bust through the main firewall to the WAN (cloud), because the switch design entailed a lock to each department with a virtual switched network that kept each of them away from each other, if they didn't need cooperation; those that did could access the appropriate servers if need be. It took a LOT of AD policy, switch, server, and router configuring, but I'm not aware of any breaches since I left. Needless to say, if you were not a student using a classroom computer, you needed a user ID and password. (edited)- should read "from the WAN" not 'to'

Michael Kassner

Thanks for sharing the link. I had heard that saying before, but never knew where it came from.

Former Big Iron Guy

Ernest, I think that most of us can agree that security protocols should be definitely related to roles, sensitivity, potentiality of damage from mis-use or mis-appropriation and all the professional security practices. However, many sorts of things keep being done because no one questions "we've always done it that way.." much at all. As far as statistics go, everyone (IMHO) has occasion to misuse them from time to time. Another thing that tickled my funny bone is that the quote about "Lies, Damn Lies and Statistics" seems to have been around for a long while. Peter M. Lee, Department of Mathematics, University of York, has researched the origins of it at url:http://www.york.ac.uk/depts/maths/histstat/lies.htm

Deadly Ernest

dependent on a reasonable analysis and testing of the local situation as each work environment is not the same. The approach in my example would have been wrong in another job I worked where we dealt with highly classified material all day long. It's all horses for courses. One of my pet peeves is the general application of stats obtained from one specific situation. Things like some stats from a couple of very old English cities showed that reducing the top speed in the city greatly reduced pedestrian injuries by over 50%. Well, that's nice. But dropping the speed limit from 60 kph to 50 kph in a city where the average distance from door to door in over 75% of the streets is about ten metres (about thirty-three feet) or less, and the incident rate of pedestrians being hospitalised is about 100 per 1,000 people per annum is a totally different proposition to doing the same thing in a place where the current pedestrian hospital rate is around 5 per thousand people per annum and the average door to door distance in streets is nearer thirty metres (about one hundred feet). Yet that's what happened here in Australia. The UK study was used to justify reducing the urban speed limit and also applies to little rural towns where the door to door space is nearer 100 metres (about three hundred and thirty feet). A crazy misuse of stats to meet some other agenda. This sort of blanket usage is common, especially in security situations.

Neon Samurai

If the intent is to provide a publicly accessed webserver, that's not going behind layers of firewall and authentication. Like the parking lot, it's intended to be a more public space. I'm just saying that when the technological steps to protect a thing are simple, why skip them? Put the technology in place (within reason) then you can move on to the regular task of staff training (or reminding as it usually is). It takes very little effort to setup a home router using the provided technological tools. One isn't going to have constant guest traffic so adding a friend's machine manually should be easy. Big business should have management tools in place to provide similar functions. The information being protected does have to justify the degree of security practices wrapped around it. The problem is how valuable information can turn out to be. An open network your business staff regularly use; let me drop a sniffer in line and see what turns up.

Deadly Ernest

'Don't over extend your perimeter to cover any more than is absolutely required.' An example of this is the company car park. Unless there is a real security risk in the car park, as may happen at CIA Langley or the White House, you don't provide it with proper security; the most you'll have is a check system to keep 'strays' out, like guards asking for company ID or a swipe card system. But you'll have full security at the staff entry access point to the building. The same applies in IT security. You don't have total security to limit people downloading web pages from the public web server, but you have a lot of security measures before they can get anywhere near the high security data file server. In both cases you assess the access needs and the risks involved, then design the system to suit the real needs and risks. The trouble is most IT security is based on a format that doesn't do that process. The format assumes you want to keep everyone out of everything, unless proven otherwise. That often means an excessive application of security and an over use of resources. You apply the technological steps needed to impede access where they are needed, and only where they are needed. One real risk with over application is once you set up a secure perimeter you tend to get complacent and think anyone inside it has been cleared at the perimeter. Whereas, if you have an open perimeter and security where needed, the checkers at the needed points are more alert and tougher to beat. This is standard in physical security and also applies to IT security. Think about it. Who's most likely to have the password written near the computer, who's most likely to wander off for minutes at a time without securing their computer - then think on how much classified material they will work on during the day. You should get some interesting surprises when you ask about and get the real life answers to those questions.

Neon Samurai

.. people are the weakest point in security. No reason to forgo the technological steps and make it that much easier though.

Deadly Ernest

I started my working life in a bank, after a youth of being an uncaught toe rag. Then a few jobs like being a cop, stock control and warehouse security officer. Unit security officer in a small DoD establishment. Lots of time as cashier, financial management, auditor. Heck, about 75% of my working life has involved being responsible for security one way or another. Then into IT. It matters not how good the electronic or physical security, your biggest breach point is people, and always will be.

Neon Samurai

It's the same around here. Lots of detected wifi, many of them wide open, some with WEP (so, wide open also), fewer with WPA or WPA2. All thanks to the global Linksys/SMC/Default network as provided by the good folks at [insert favorite consumer router maker here] and the allow all, deny some approach. Shame it's not permissible to jump on an open wifi and post a note to its owner. The best I've come up with is broadcasting messages off my testing router when not in use; "WEP is broken, use WPA - this means you XYZ wifi network owner" (edit): Wifi is great but it takes a few simple steps to use safely. Good to hear that you keep your NIC turned off too. A physical Wifi radio switch is a requirement when buying a mobile.

Deadly Ernest

out of curiosity the other day I turned it on - the wifi that is as it's usually disabled - and found I had access to five open networks. I guess my neighbours have wifi. I didn't use them, just found it interesting.

Deadly Ernest

general office usage came about after I did a full hardware and software audit upon starting there. I'd sit at each system and run a program that went through the system and printed a list of everything on the system. I forget what its name was as they already had it, but it was neat - I only had to tell it the network printer to use (the one in my office) and it printed a sheet, or set of sheets, listing the hardware and software on the system. This took a few minutes to run, pop the cd, and move to the next one. While waiting I'd idly check the desk out and ask the people what type of stuff they usually worked on. Most took the opportunity to bitch about the company password policy and how often they had to have the password reset. In 72% of the cases I found the password written down near the computer and easy to find without help. In 75% of cases I found they did NOT access any classified material in their daily work. At the time the company ran a campaign about password security every two months, and had been for some years. I spoke to management, we set one area up as a trial area. I chose the one with the most password reset calls to the help desk. Productivity went up in the area with no passwords, and help desk calls from there dropped 70%. The next thing I set up was a basic FAQ and Help database for the most common help desk problems - this was placed on the corporate intranet web server, I also instituted a way of lodging help desk calls through this. Help desk calls by phone dropped to 2% of previous call levels, total help desk requests dropped to 23% of previous levels. A survey of staff showed many were finding their answers on the help database, and a check of calls showed 40% of all help desk calls the previous year were password related. Suddenly the IT staff had a lot more time on their hands to get things like preventative maintenance done and get ahead instead of being reactive. Also the general staff were a lot happier too.
This is clearly a case requiring a good analysis of what they do first, but all I did was follow the basic physical security rules of 'Only secure what needs to be secure.' I applied that to the data and bingo, all works better.

Neon Samurai

I thought you were saying that a workstation should be left with no password but attached inside the company network. That unprotected workstation would be a pretty inviting thread to start pulling your sweater apart from. An intentionally open network segment outside the protected LAN is a bit of a different situation. It'd need its own protections, but it's not intentionally within the business side of the LAN. In terms of a gateway, that bit of hardware could be made more of a one-way item through routing tables, and generally by default one would have to open outside port access. I wouldn't inherently suggest it's a thread to pull because it allows data traffic to and from the network. But leave your router open to external traffic or without passwords and yes, it is absolutely a hole to be exploited. I personally wouldn't allow a wide open network segment unless it was part of the business, such as a coffee shop network. Anyone touching the company's network should be authenticated to do so. I don't see why that can't be done without placing the burden on the users either; if a machine is having connection issues, that's a tech support thing, not a reason to open the network up wide. A wired network would be less of a concern since one needs direct access for the most part. Your guest can get a DHCP lease off the wire and get on with the meeting. For wifi, I'm a fan of authenticating the connection then doing a second stage authentication against a RADIUS box. Failing that option, in cases similar to a single consumer grade box, use all the layers the router can provide, including MAC filtering to reduce traffic processing and WPA2 passphrases well beyond the current rainbow table limits. I'm perhaps not the best judge though, as I even itch at the thought of a shack in the middle of nowhere broadcasting un-WPA'd signal.

Deadly Ernest

1. You said any access to the network is a loose thread, thus the gateway (an access to the network) is a loose thread.

2. The situation I mentioned earlier has two networks accessible by the system.

2.a. One has no password and is public access, just like a company web server in the gateway. This has no classified information on it at all.

2.b. The second network has the classified information that requires a password to access it. Just like most places have set up for their current internal network.

This situation is just the same as accessing via a VPN or through the gateway, but does the same internally and allows people to get on with their work without a need for passwords when not working on classified material, which is most of the time.

Mind you, such a system would really come into its own if you use an internal cloud computing solution.

Like in any corporate situation, the systems should be locked down so users aren't using admin access privileges and adding new software of any type isn't an easy option - that should be the case regardless of what password method you use.

Does that help explain my view?

Neon Samurai

Printed labels on notebooks with name, password and address are not good, nor are post-its lingering for the lifespan of the password. In the short term though, I'd rather have users write down passwords for two days until they become remembered. I also recommend KeePass or similar for password creation and storage, allowing the user to select a passphrase which is memorable without being easily guessed. The big long one protects the collection of unrememberable ones. With a shared machine, users would be authenticating against the AD anyhow, so it doesn't need to be left unprotected. No reason to leave it wide open to be compromised by guests or early stage break-ins. I'm not sure how the gateway would be a loose thread or why not having an unprotected machine on the network would require passwords be written down though, so I may be missing something if you can flesh out the details of the loose thread a bit further.