Password Protection

Will Truman

Will Truman is the Editor-in-Chief of Ordinary Times. He is also on Twitter.

32 Responses

  1. Kazzy says:

    But is it a really good sports message board? That might be more valuable than the totality of what is in your financial accounts.

    • Jeff in reply to Kolohe says:

      And, as is often the case, xkcd is wrong. He’s comparing one 11-character password to 4 passwords each up to 7 characters. If I was writing a “password buster”, I would start with letters and numbers (with extra weight for “real” words). That would catch his silly example long before the one he thinks is bad.

      One thing I’ve discovered from xkcdsucks is that Randall is really bad at math.

      • Patrick Cahalan in reply to Jeff says:

        Yes, he’s wrong, but he’s not as far off as that.

        Since the sub-words in the passphrase are of unknown individual length, it’s not four separate passwords. It’s still one big one, particularly if you use any non-alpha character as a word separator.

        thisismyuniquepassword

        (the MD5 hash 9aacebbd75c2d8804cfc8b3ff20055dc is not in any currently published rainbow table)

        is not as easy to crack as

        this
        is
        my
        unique
        password

        (which would be trivial)

        Of course, if you *know* from social engineering what sorts of words your target picks from, then yes it’s a pretty crappy algorithm for generating passwords.

        Note: everybody still uses MD5 and they ought to switch to SHA-256, but that’s an aside.
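The rainbow-table point above, as an added example that is not Patrick's code or anything from the thread: an unsalted fast hash (MD5 here; a bare SHA-256 would be precomputable the same way) reverses with a single dictionary lookup once the plaintext has been tabulated, while a per-user random salt plus an iterated KDF (PBKDF2 below) gives no table to look up. The wordlist is constructed from words used in this thread; ITERATIONS is an assumed work factor.

```python
import hashlib
import hmac
import os

# Constructed wordlist: the common passwords quoted later in this thread plus
# the sub-words of the passphrase above, standing in for a published list.
WORDLIST = ["password", "secret", "123456", "sex", "sexyboy",
            "this", "is", "my", "unique"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password, the way the legacy schemes store it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once. Any unsalted digest of a listed
    word is then reversed by one lookup, which is what a rainbow table buys."""
    return {md5_hex(w): w for w in words}


def reverse_unsalted(digest: str, table: dict):
    """Return the plaintext if its digest was precomputed, else None."""
    return table.get(digest)


def hash_password(password: str, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh random salt per user means
    the same password stores as a different digest for every user, so a table
    built in advance is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```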

  2. BlaiseP says:

    Banks are by far the worst in this regard. It’s unfathomable, why they insist on such dumbass password schemes.

    But the absolute worst, and I’ve been seeing a lot of it lately, is open username/pwd combinations in PHP:

    $link = mysql_connect("localhost", "user", "tr00t") or die(mysql_error());
    mysql_select_db("mydatabase");

    Stuff like that causes me to stomp and shoot and spit. So I talk to the client about it: “oh, don’t worry about it, there’s nothing important back there anyway.”

    • Morat20 in reply to BlaiseP says:

      I’ve been trying — in vain — to get my work to switch to RSA tokens. I use them for another aspect of my work, and I don’t work in a small shop. There are far, far, far and away enough people to make it economically feasible.

      But nope. We’re up to 12 character passwords, changed every 60 days, no reuse for a year, one upper case and one special character, no dictionary words, and god knows what else.

      So everyone cheats and writes them down.

      RSA tokens are dirt cheap and secure. (Blizzard was subsidizing the dang things for World of Warcraft, basically charging you shipping to get one). A four digit pin, which everyone can remember, and a 6 digit number that changes every 60 seconds.

      Secure as hell, even if you lose the token. You’d have to be dumb enough to write your PIN ON the token to break it.

      • BlaiseP in reply to Morat20 says:

        I issue revokable X.509 certs from my own CA, loaded onto an encrypted USB drive. Lots cheaper than RSA. No tickee, no washee: you mount the USB drive, point your app security to that cert, then it will run.

        • Kolohe in reply to BlaiseP says:

          Well, a good number of enterprise IT folks (at least in the government) consider USB drives to be the bisexual heroin addict prostitutes of computer hardware and won’t let a USB drive even come into their buildings anymore, much less on their systems.

          • BlaiseP in reply to Kolohe says:

            This is really nothing but the good ol’ CAC card X.509 paradigm, only a hell of a lot cheaper and far more secure. The cert is tied to the absolute release of the executable instance: Bob can’t run Sally’s installed software. The last thing I want is some GS-3 moron fucking with my security. If they want, I’ll retrofit the security model to their OS security but I will not play li’l password games with this species of chump.

          • Patrick Cahalan in reply to Kolohe says:

            USB drives aren’t the Evil Widget, there… it’s “Autorun”. This is a trivial problem to fix.

            • Mike Schilling in reply to Patrick Cahalan says:

              One of the amazing things about security is how many holes are trivial to close but stay wide open. (Something everyone in this conversation is painfully aware of.)

          • Will Truman in reply to Kolohe says:

            Tangential, but I was once upon a time reluctant to get a smartphone because I thought my Pocket PC plus a regular phone suited me just fine. This changed when I got a job at a place that banned Pocket PCs… but didn’t ban smartphones. Pocket PCs represented a security threat, but a Pocket PC with cellular capability and a camera (which most PPCs lacked) didn’t.

            • BlaiseP in reply to Will Truman says:

              Most corporate security is a joke. Everyone knows it. Industrial espionage is big business and everyone’s doing it. Most intel breaches are inside jobs anyway.

              All this hoo-hah about prohibiting devices onsite: anyone who’s running an MS Exchange Server has already hung his big naked ass out the window for the world to see, and the family jewels too.

            • Kazzy in reply to Will Truman says:

              What’s a pocket PC?

              • Will Truman in reply to Kazzy says:

                Also called PDAs. Smartphones without the cell part (and, because of the technology at the time, usually without a camera). The modern equivalent would be the iPod Touch.

              • BlaiseP in reply to Kazzy says:

                Once, Kazzy, back when the plesiosaurs’ reign of terror was sweeping across the coasts of Pangaea, there was the Pocket PC, which ran an operating system called Windows CE, short for Cretaceous Edition, though some believe CE arose from Cretinous Excel. The archaeologists differ on this subject but all agree on that bit about the plesiosaurs.

                As its name implies, WinCE was half o’ this and none o’ that. It featured manly edition names like Stinger and Chainsaw, but its chief attributes were Slow and Stupid, which the aforementioned plesiosaurs were not, let me tell you. We early mammals continued to believe in low-powered ARM processors and evolved smaller and more efficient kernels to best utilise their very considerable resources.

                Well, the plesiosaurs are gone and good riddance. They were fast and rude and predatorious in extremis. But WinCE is still out there, somewhere, equally irrelevant but still an annoyance.

              • Tod Kelly in reply to Kazzy says:

                Actually, I’m just happy to see you.

    • Will Truman in reply to BlaiseP says:

      As others have pointed out, banks produce layers upon layers of password requirements… that are undone by simply knowing the street that the account-holder grew up on or their favorite pet.

  3. Mike Schilling says:

    Who steals my purse steals trash, but who steals my opinion of Alex Smith steals red and gold.

  4. Patrick Cahalan says:

    FWIW, a couple of GPU machines can break 8 character passwords in feasible time, now.

    (http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125)

    Probably the right number of characters is now > 12, for anything you want to keep secure for a while. Passwords are right out; you need a passphrase instead.

    RSA tokens are a possible solution, but they are an administrative pain (there’s a guy at JPL whose full-time job is replacing and revoking RSA tokens) and you can’t transmit them over the Internet or the phone… so if a traveling user loses their token, they’re SOL until they get back to the office. This can be a deal breaker.

    • BlaiseP in reply to Patrick Cahalan says:

      RSA got beat down. Google’s certs got beat down. All these third-party sites are trivially beat down. The CA mechanism is dead.

      Physical tokens are the way to go. Nobody whines about needing a physical key to get in their front door or into their cars.

    • Morat20 in reply to Patrick Cahalan says:

      They also last five years. JPL is a big, big place.

      My company? One of the HR reps handles it. There’s generally a few weeks where she’s handling a couple hundred RSA turnovers (when they expire — generally tied to some contract reaching a 5 year milestone), but mostly she hands out one a week.

      True, being on travel can screw you — but in the age of smartphones (and Blizzard has done this as well) syncing an app to cell is another fashion of generating a token. You can still clone the cell phone and probably access the token that way, but you’d still need the PIN.

      Treat cell-generated tokens as suspect requiring a check-in or prior authorization (give them a use or three gratis), and you’ve got a guy on travel who can use an app on his phone.

      If he’s lost both his phone AND his token, well he’s fucked enough that they’re shipping him new stuff anyways.
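The token described in Morat20's comments above (a PIN the user knows, plus a six-digit code that rolls over every 60 seconds, whether from a hardware fob or a phone app) has the shape of a time-based one-time password. As an added example that is neither from the thread nor RSA SecurID's proprietary algorithm, here is the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step and the PIN check layered in front of it; the secret, PIN and clock values are constructed test inputs.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of whole `step`-second intervals
    since the epoch, so the code changes once per step (60 s in the thread)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_login(secret: bytes, stored_pin: str, submitted_pin: str,
                 submitted_code: str, at_time: int, step: int = 60,
                 window: int = 1) -> bool:
    """Two factors: the PIN (knowledge) and the rolling code (possession).
    `window` adjacent steps are accepted to absorb clock drift between the
    token and the server; both comparisons are constant-time."""
    if not hmac.compare_digest(stored_pin, submitted_pin):
        return False
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), submitted_code)
        for d in range(-window, window + 1)
    )


# Constructed test inputs: the RFC 4226/6238 shared secret and an assumed PIN.
TEST_SECRET = b"12345678901234567890"
TEST_PIN = "4321"
```

Losing the fob alone does not help an attacker: without the PIN, verify_login rejects a valid code, which is the point Morat20 makes about the PIN being the thing you must never write on the token.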

  5. Snarky McSnarkSnark says:

    This information is a few years old, but at one point, 60% of all web passwords were one of the following:

    “password”
    “secret”
    “123456”
    “sex”
    “sexyboy”
    (same as username)