In a world where it is possible to create credential-stealing malware and where users are supposedly happy to trade passwords for a bar of chocolate in a railway station survey, we ask the question: is the era of password authentication coming to a close? From the first time systems administrators looked to restrict access to …
Key fob advantage
The key advantages of the key-fob system come when you are operating on an untrusted computer, as you can still intercept and duplicate a fingerprint hash (even assuming the reader hardware becomes ubiquitous) but the changing code sequence closes the window of opportunity for malware users to do bad stuff.
What hacks me off is the problem of needing more than one such key as most systems have not got the concept of registering the key's private part with more than one organisation. Yes, that weakens the security as then a compromise of one 'trusted' group brings them all down, but it would be nice if banks could agree on having one or two systems that they could share.
Most users don't need "top secret" authentication, just the ability not to be shafted wide open by one compromised PC they happen to make unfortunate (or foolish) use of. A changing hardware key offers that for most users and has no special interface needs.
Fingerprints, and other biometrics, have much larger margins of error and of course have issues if you need to use them after an accident, following rough manual work, etc, that might have changed your biometric profile.
And another thing in favour of the key-fob
The key-fob can be taken by threat without the removal of your finger. Do we really want serious criminals using* our severed fingers, eyeballs, etc?
[*] Yes, I know a lot of biometric readers will fail on plastic copies or dead tissue by design, but do they?
An alternative - possibly
We looked at a product called BioPassword which measures the speed at which users type their password as well as whether the password being entered is correct. If there is any discrepancy between the 'pattern' in which a user entered their password and how it's normally typed then their access is denied, even if the password is correct.
We tested this with many different people and surprisingly it worked very well. Knowing another user's password was not sufficient to gain access to a machine.
PS - I don't work for or have any connection with BioPassword whatsoever.
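A sketch of the keystroke-dynamics idea described in this post, added here as an example; it is not BioPassword's code or algorithm, and the password, enrolment timings and threshold are all constructed. A login passes only if the password text matches and the inter-key rhythm stays within a per-interval tolerance band learned at enrolment.

```python
"""Keystroke-dynamics check: password text AND typing rhythm must match.
Added example, not BioPassword's implementation.  All timings constructed."""
import hashlib
import hmac
import statistics

PASSWORD = "correct"  # constructed demo secret (a real system stores a hash)

# Constructed enrolment samples: milliseconds between successive key presses
# while the legitimate user typed PASSWORD (6 intervals for 7 characters).
ENROL = [
    [180, 120, 95, 210, 140, 130],
    [175, 125, 100, 205, 150, 125],
    [190, 115, 90, 220, 135, 135],
    [185, 130, 105, 200, 145, 130],
    [178, 118, 92, 215, 142, 128],
]


def build_profile(samples):
    """Per-interval (mean, std dev).  The std dev is floored at 5 ms so a
    very consistent typist still gets a usable tolerance band."""
    cols = list(zip(*samples))
    return [(statistics.mean(c), max(statistics.pstdev(c), 5.0)) for c in cols]


def rhythm_distance(profile, intervals):
    """Mean absolute z-score of an attempt against the enrolled profile.
    A length mismatch (wrong number of keystrokes) is treated as infinite."""
    if len(intervals) != len(profile):
        return float("inf")
    z = [abs(x - m) / s for x, (m, s) in zip(intervals, profile)]
    return sum(z) / len(z)


def check_login(typed, intervals, profile, threshold=2.0):
    """Return (accepted, distance).  Accepted only if the typed text equals
    PASSWORD (constant-time compare on digests) and the rhythm distance is
    within the threshold, so knowing the password alone is not enough."""
    text_ok = hmac.compare_digest(
        hashlib.sha256(typed.encode()).digest(),
        hashlib.sha256(PASSWORD.encode()).digest(),
    )
    d = rhythm_distance(profile, intervals)
    return (text_ok and d <= threshold), d
```

The threshold trades false rejections (the owner on a bad day) against false acceptances, which is exactly the tuning the post's "surprisingly it worked very well" glosses over.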
Our major bugbear is the PCI-DSS standard; to comply, we have to enforce the strictest password policy, which involves (something like) a minimum 8 character password containing lower and upper case, numerals and special characters, changing once a month, and not the same to the last ten passwords.
Not only that, but these requirements apply to two or more systems (depending on department), meaning that even if somebody uses the same password across systems, the time of month that they change may be different.
Obviously, nobody short of savants can cope with this, and so in the REAL world we end up with shared passwords, obvious passwords (the most common is the person's surname, capital first letter, with 1! on the end), post-it notes, passwords kept in plain text on mobile devices, etc., etc.
I agree wholeheartedly that simpler password requirements would be more secure, as would alternative authentication methods (personally I like the idea of login name, simple password AND fingerprint), but the problem there is implementing it across systems, not to mention keeping ourselves legally safe in regards to PCI-DSS.
I can quite imagine the scenario if there was a PCI-DSS security breach. On one hand the vendor would be doomed if they hadn't enforced strong passwords; on the other, they'd be doomed if they had, and users wrote them down. There's no way to win!
Not quite true
8.5.9 states change it every 90 days (at least) - we do 32
8.5.10 states 7 characters, not 8
8.5.11 states Numeric and Alphabetic (their words) and there's no mention of Upper/Lower case or special characters
It costs too much and takes too long
Computers come with a built in authentication method. It's crap but it's enough for any bean counter to say "Why do we need to spend money on something we already have?" The existence of the sticking plaster that is "strong" password policy makes it all the harder to argue for something better. "Ramping up security policy" often means insisting on longer, more complex passwords with a shorter expiry period and ordering more post-it notes.
The simple username/password combination is also easily shared amongst colleagues. Oh the Corporate Security Policy may forbid it, but when understaffed IT access teams take a couple of weeks to turn around new user requests, senior managers have this habit of telling you to ignore company policy and just effin' do it. What CIO is going to mandate a "Something I have and something I know" type authentication system if it means new starters sit idle waiting for their keyfob/smartcard to arrive?
Personally, I'd love to have a single sign-on username with PIN and key-fob for all the systems I access but I'm not holding my breath.
Turn that frown upside down Red Bren
There are a number of Single Sign On apps available (IBM Tam springs to mind) that will happily sit there and Hoover up all your typed in passwords so you don't have to remember them. The credentials are stored on an encrypted 'wallet' kept on a server that is accessed using (you'll like this!) your LAN credentials!
So now instead of countless little scraps of paper that got easily misplaced, just a single yellow post-it note taped to the bottom of a keyboard is all it takes to access everything!
But one example.
In a previous job we had a room full of (mainly FreeBSD and Linux) servers, and each box had an empty root password. Yes, empty, no password at all, and that was very deliberately done that way.
Why? Because if you're in that room you don't want to have to recall the root password, and you do want to get on with the job of fixing things.
Security relied on simple things: First, the wheel bit --which RMS by his own admission thinks is a dirty capitalist bad idea, see "info su". I for my part think he is on crack and anyway we were a company not his hippie colony, so we reinstated the wheel bit through pam-- which blocks anyone but the designated people from "going root" and the rest has tailored sudo permissions. Second, most people simply had no access to most boxes and those that did, did so on the say-so of some executive, and we kept a paper trail of that at least. Never needed it but you never know. Third, physical security. The key to the server room was well outside the usual key system, only the sysadmins and the big box'o'keys in the secretary's keep had keys.
Of course, it wasn't Fort Knox grade by any means. But most "security" relies on the good will compliance and social acquiescence of the rest anyway. We're in the company to work together, and this does require a certain level of trust.
Of course this was a company of some 50 people and that is a different environment than a million person multinational. Still and all, if you look carefully and honestly at your requirements, you can get some surprising results.
The beauty of fingerprints is that you can still change your password; provided you have all upper limbs intact, you got 10 different passes from the start.
If you agree to put a biometric reader on the floor, you increase to 20 choices. But re-typing them every time a screensaver kicks in will require the use of slippers and no socks to work!
PS. I'm not fond of getting my toes or eyeballs stolen from me, either.
How about some pseudo-random form of password, like using index finger on even minutes, your big thumb on full half-hours, and any other finger on the remaining odd minutes? Of course, the login screen must contain a digital clock.
Does make-up or contact lenses prevent people from using biometrics? Inquiring minds...
So you want to secure your shop. What do you focus on?
Had a bit of a discussion lately about how /in hospitals/ people leave their peecees logged in, even overnight, so it's dead easy to show up, say you're from IT, and "loan" the box for a bit. With full access to whatnot.
A simple solution to that might be, observing that in large enough hospitals people walk around with access cards anyway, to add a chip that you need to stick into the box before it'll give you a session and lets you log in. RFID probably wouldn't be such a swell idea here because there's no compelling reason to go over the air and every reason not to. Because you need that card with you anyway, perhaps to open doors and such, you'll automatically take that card with you when you leave or come and fetch it quick-like if you forget it--or you put it on a ski pass thingy.
Sun touted a thin client system (ray 100s, nice flatscreens, a big enterprise to run all that), that did exactly that and since the session wasn't tied to a terminal but to that card, the session traveled with you. This seems a useful property in a hospital, too.
This won't work for everybody, but for this particular workflow it would probably work well, and better than fingerprints or other biometrics.
Biometrics, as mentioned earlier by the by, have this property where replacement of the credential is far more expensive than faking it; simple fingerprint scanners can be fooled with gummy bears, but even much harder to fake other biometrics are still more expensive to replace in case of compromise than to fake. That's nice for criminal detection where the scrutiny will be intense and faking might be detected, not so nice for casual identity, where nobody pays much attention at all until after the horse has bolted.
You can require "multiple factors" but unless you can explain exactly why that helps in your case, you haven't really thought about your process. And that's the rub: It's your workflow more than anything that puts hard restraints on how you can improve your security before people will resort to sticky notes and thereby completely devastate your security efforts.
A keyfob might be nice, but a list of OTP passwords would do just as well. You'd use that for, say, external access from untrusted machines, but then do you really want untrusted machines on your network? That probably requires a separate "access only" VPN lan, not a full joining into the internal network. Biometrics are the latest cool thing but should you still choose to trust that stuff and never cut your own fingers, you'd still need a reader which isn't universally available. Personally I like ssh keys on an at least moderately trusted box with big passwords to taste, and an agent to reduce the need to type those passwords. But then I know not to walk away from my box without securing the session--preferably through a hotkey or other. But that again won't work for everybody.
So, if it's your job to secure something, it's your job to spend some serious thinking on just what it is you want to achieve with that securing. If you stick to defaults like extra double strong passwords, expensive keyfobs, biometrics, and so on, without thinking much about it, you're not doing your job and any breach really is due to your negligence.
Sometimes security really comes down to exceedingly simple things like "the armed sentries let you through" or "have the key to the servers". And sometimes that's precisely enough. Deciding what is necessary and sufficient is what's important, everything else is just that more tools to get the job done.
In short, getting people to apply basic security is very much a people problem. And people problems, technology can perhaps help with, but never solve.
Password requirements might be bad...
The worst, I think, is not the draconian password requirements, but the [insert-prefix-here]illion internal logins. When I turn on my computer, I need to type in a password for my computer hard drive, my computer login, the VPN, the remote machine I'm working with, its VPN, the source control password, the database password, and probably a few others to boot.
Passwords/logins are used for 1) protecting data and 2) tracking users. Too often, the data protected is pretty worthless, and/or inaccessible outside the company anyway, and the "tracking logins" could just be replaced with an IP address log. Even before removing the need for passwords, we need to remove the passwords we didn't need to begin with.
This is true
People would be more willing to use a hardware authentication device if it was easier to use than passwords; note the use of swipe-cards or contact key-fobs by bar staff who share a till. The act of presenting the token logs you in, rather than being part of some elaborate ritual of keyboard gymnastics, number transcribing and multiple click-throughs.
With a barcode reader...
...and no other special configuration, you can have a stupid password that is mostly on a bar code so you don't have to remember it, and a PIN. As far as the PC is concerned, what your password is, is the PIN followed by the bar code.
Elsewhere, if victims of a "random mix of character types" password policy haven't already thought of using their own car registration number, I offer the suggestion as a gift.
"A case can be made that long passwords that are regularly changed lead to more security problems than a reasonable password that is kept confidential"
Agree 100%, it does my head in at work.... BUT in the end I can cope. Anyone who can't cope can just ask to have helpdesk set them a new password. Can be extremely labour-intensive for helpdesk staff, but a lot better than posting a sticky note with the password.
Fingerprint reader - had one on my previous laptop, absolute rubbish. It worked on the first try about half the time, otherwise depending on environmental humidity / my laptop's mood / recent solar flare activity etc it could take anywhere up to 6 or 7 tries to work - usually I just gave up and typed the password manually. The tech needs substantial improvement before this will really work. And if your fingerprint is protecting something sufficiently important / cash-rich, someone just might hack your finger off for it... hence the thumbs-down
A cheap simple second factor for authentication: http://tinyurl.com/3a7gbrp FYI
Car Registration Passwords
Even better would be to use *someone else's* car registration, not your own, or at the very least not your current car's registration. Unfortunately this technique doesn't work if the requirement is for a minimum of 8 characters. If so you could always use two registrations, which gives 14 characters of mixed numbers and letters and should be fairly memorable.
Passwords can be counterproductive
Most of our computers are in a secure area that you need a specially permissioned access card to reach. We have lost more time (and money) because of lost admin passwords than we ever have from people messing with stuff they shouldn't have. In fact, I don't think we've ever had an incident of someone breaking a machine they didn't have the password for.
Anyone who has physical permission to access our floor in the data centre almost certainly has the passwords to damage anything they wanted to sabotage. Also, they could do plenty of damage without needing any passwords: loosen cables, break the emergency power-down glass, trip breakers, hit the halon release (or set off the smoke detectors), trigger the sprinklers (which the insurance company insist we have in case the halon doesn't contain a fire)... The list is long.
I think sometimes you just have to trust people.
In a previous job
(when I had one) we had to change passwords every 45 days and of course they had to be 8+ characters including numerals, not used for the previous n passwords, no 'dictionary words', etc. The system even checked for words backwards and some letter-number substitutions. Of course, you've guessed it, you had to write your password down somewhere because you'd forget it in 24 hours.
It seems to me that the more rules you apply the more combinations you can exclude, so cracking a password by brute force becomes easier. It wasn't hard to work out what the dictionary words were because it told you if you used one (and it was an American dictionary so you could often get away with British slang or dialect words).
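The post above argues that each composition rule excludes combinations from a brute-force search. The example below, added here and not from the thread, quantifies that for uniformly random passwords: it counts the length-n strings that contain at least one character from every required class by inclusion-exclusion, checks the formula against a brute-force enumeration on a tiny constructed alphabet, and reports the bits of keyspace the rule gives up. The class sizes (95 printable ASCII split into 26/26/10/33) are an assumption about a typical policy.

```python
"""How much keyspace does a 'must contain every character class' rule cost?
Added example (not from the thread).  Class sizes are assumed, not from a
specific policy."""
from itertools import combinations, product
from math import log2

# Assumed classes for a typical "complex password" rule (95 printable ASCII).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def count_all_classes(class_sizes, length):
    """Number of strings of `length` over the union of the classes that use
    every class at least once.  Inclusion-exclusion over the set S of
    classes that are *omitted*: sum_S (-1)^|S| * (N - size(S))^length."""
    sizes = list(class_sizes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):  # by position, duplicates ok
            count += (-1) ** k * (total - sum(omitted)) ** length
    return count


def brute_force_count(alphabets, length):
    """Enumerate every string over the joined alphabets and keep those that
    hit every class.  Only feasible for tiny inputs; used to check the formula."""
    chars = "".join(alphabets)
    hits = 0
    for s in product(chars, repeat=length):
        if all(any(c in a for c in s) for a in alphabets):
            hits += 1
    return hits


def bits_lost(class_sizes, length):
    """log2(unrestricted keyspace) - log2(rule-compliant keyspace): the
    entropy given up by the rule for uniformly random passwords."""
    unrestricted = sum(class_sizes.values()) ** length
    return log2(unrestricted) - log2(count_all_classes(class_sizes, length))


if __name__ == "__main__":
    print("8-char, all four classes required:",
          count_all_classes(CLASSES, 8), "of", 95 ** 8,
          "=> %.2f bits lost" % bits_lost(CLASSES, 8))
```

For random 8-character passwords the four-class rule removes roughly one bit; the much larger loss comes from humans choosing the predictable patterns the earlier posts describe (surname, capital first letter, "1!" on the end), which no keyspace count captures.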
Presence of a paired bluetooth device could be used as a second factor. I use (the excellent) Blue Proximity on my personal (Ubuntu) laptop, with the sensitivity turned right down - if my phone is not next to my laptop, it locks - when I put it back, it unlocks.
I'm sure it would be easy to use this as a second factor by setting it up to accept a short password when the paired device is present. A longer password should be available for device-free log-in in case you lose your phone on a screen-break.
I have written an algorithm which re-combines the result of an irrational equation to the nth place with any word of more than n letters. On an abacus.
This generates unique strings of gibberish to write on Post-it notes.
For further details, my password is password.
Where's my chocolate ?
Some people are whining about having to remember 8 characters every month? This is a problem for you ? Jeez........
And you are able to count to ten and find your way home at night ?
It's the applications
At least if you're going to have passwords, do it once and do it with Kerberos. Then you can replace the initial Kerberos authentication exchange with something else, like smartcards, and not change anything else.
However there's quite a lot of effort involved in getting systems to authenticate via Kerberos and get their users/groups via LDAP, if you've not done it before. Then you have all your apps too. Whilst you can get many web applications to authenticate via Kerberos, this is additional work for each one (if they even support it), and some changes at the browser side too.
So I can understand why people don't: they just install the app in its default settings, which is to have a local username/password database, and get on with using it.
Pick a smart password policy
It took a while to grow on me, but I've come to see my company's method as generally superior to letting users pick their own passwords, no matter how complex you force it: Just give them a dictionary word, a number, and a few more letters to fill in the extra, on a card, and tell them to destroy it once it's memorized. Change every so often.
We're not the NSA here, and if someone gets a user's password, even a competitor, it's not going to be the end of the world. We have legal remedies for that. Security wonks will tell you that no amount of protection is overkill, but in the real world that's not even remotely true.
Two-factor would totally obviate this need, but it was long ago determined that keyfob management and replacement would be far more expensive and time-consuming than password management. We rarely need to change passwords, so there's not a lot of management there.
Security deposit or fill in a police report
Would it be wrong to ask for a £50 security deposit when issuing a password?
- If it is stolen it should be in a police report. If you lose/forget it you lose your deposit.
Nothing focuses the mind like a £50 note.
(this does mean the delivery of accounts would have to meet a similar high standard)