The use of stolen login credentials continues to be the most common way for network intruders to access sensitive information. Two out of three breaches were the result of weak or swiped passwords, making a case for strong two-factor authentication, according to Verizon’s latest annual Data Breach Investigations Report. The …
What's the alternative?
Passwords have issues, but what do we replace them with? Most of the options seem to rely on having unique ID that identifies you as an individual, not as 'someone authorised to access this account'. And I don't want that. And when you have a unique ID used across sites (who in their right mind uses a Facebook ID to sign in to other site?) then when it gets cracked it gets cracked big-time.
Even without serious hacking (and I think aol has been hit recently - I'm getting a spate of malware links from hacked aol contact lists lately) - there is always the problem of shoulder surfing or man-in-the-middle at insecure internet cafes.
I must admit that google 2-factor seems pretty effective though...
Re: What's the alternative?
2 factor is the way to go IMO. I juggle 50 or user/pass combinations and it a ballache, expecting users to do the same is just inviting them to post-note them .
Got 2 factor on my main Gmail account and its awesome, feel a lot more secure checking my emails from hotel PC's knowing that my account credentials cant be scraped and reused via a dodgy admin with a keylogger :)
Re: What's the alternative?
It can be done badly though. Ever tried Microsofts two-factor auth? I have it on my office 365 account; if you do it via SMS, it first gives you the partially obfuscated mobile number, and you have to enter the last 4 numbers into a box to confirm you know the number before it'll even send you the SMS, which has 7 digits rather than the usual 6 or in some cases 4. And once thats over it bugs you to go through the entire routine again, including confirming you know the number, with monotonous regularity during the same session. I eventually switched to using Google authenticator, which is less grief, but the requests are still as frequent.
Google, Lastpass (with a Yubikey), Dropbox and Apple cover most of the rest of the accounts I've enabled it on, and all seem to strike the balance between security and convenience much better. I can't understand why its not mandatory with all the banks - I don't think its even an option with Natwest.
Re: What's the alternative?
So how are you doing the two-factor, by SMS?
(I don't like the idea of Google having that info)
Kettles, meet the pot
That will be the same Verizon whose POS terminal at my local petrol station tells me what software, including version number, it is running, every time I use it?
Tell them to come back when they have a clue.
Re: Kettles, meet the pot
I think you are thinking of VeriFone, whose Chip and PIN PEDs I have wrestled with for many a gloomy hour.
Re: Kettles, meet the pot
OK, a hint. Petrol is across the pond from Verizon. Verizon is what was once Bell Telephone (OK, a bit more complicated than that, but close enough for government work).
Here, where Verizon is a company to contend with (my voice, data and internet provider is Verizon, as they offered the sweetest deal *and* fiberoptic to my home), we use gasoline. Same deal, different name, courtesy of English being a foreign language to the US. ;)
Still, one ponders the fact that Verizon figured out what every *other* study has figured out.
Next week, a new study on how the sky is brighter in the day and it gets dark in the night (a second study).
A third study will tell us that PASSWORD is a bad password.
A fourth study will tell us that ASSWORD is a bad password.
Few to no studies will offer a workable solution.
Passwords are not the issue, the people who use them are. Most folks have one or two passwords they use for everything. They use the same passwords for bank accounts, forum postings, and travel review sites so a breach in one area opens them up across the board.
People being lazy also use easy to guess pw's like their birthday. A friend who used her birthday as her pass adamantly said she never gave her birth date out. Next day on facebook some joke went around about converting your birthday into a funny name and she posted hers. Easy to reverse engineer and it's posted for all to see.
The average user with their post-it notes on their monitor or stuck under their keyboard think no one else would think to look there. These are typically CFO's and CIO's as well. One payroll clerk I know used a screensaver that moved her mouse randomly so her workstation would never lock.
Strong passwords with weak users = zero security.
"Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months." - Clifford Stoll
Users aren't the issue, the entire design of passwords is flawed. See how easy that was?
You're not going to change Human behavior. Even with long term comprehensively immersive training the learned behaviors are expressed less extensively within six (6) months of leaving the immersive environment (except for psychologically damaged people). It's hardwired into Humans to adapt to their present surroundings the
laziest most efficient way possible, so Post-It notes...
Furthermore, there's a reason that I discourage my staff from having their own machine shops and labs at home, just like the military discourages the use of non military firearms while active. It's because 'at home' practices are always more efficient than workplace practices and the natural, unchangeable part of a normally functioning Human mind will always override the less efficient workplace practices even if the workplace practices are more effective.
Inevitably, you're going to get somebody who either forgets and crosses the streams of home/workplace practices or, even worse, does so intentionally and nobody is prepared for the change so you end up like me with half a pinky finger. That's the thing about workplaces, it isn't 'yours' and if everybody isn't on the same page things go wrong. Like the shady guy who goes around copying passwords of the Post-It notes everybody has stuck to their monitor (I do it too, I just put a security guy by the door to my office though, so it's cool. Perhaps that's the solution, private armed security for every person).
Humans happen, passwords are constructs. One of those things can be reliably changed or the systems underpinning them can be changed. Humans can't reliably be changed unless it's by their own choice. Forcing, or even incentivizing, change is only temporary and completely unreliable.
Bad tools force the user to adopt unnatural practices that are impossible to perpetually maintain. Combined with at home participation with similar tools and no active reinforcement it's actually even more dangerous. Good tools are designed with the user in mind and made so that fucking them up is nearly impossible (gas pumps at automobiles filling stations are a great example of a well designed tool. If you are able to get to one it's nearly impossible for you to fuck it up unless you're doing something extraordinarily stupid. You can't even return the nozzle without 'logging out').
So from an engineers perspective, passwords are the problem. It's Fundamentals of Engineering 101 which teaches you that you don't bother trying to change Humans (unless you're in bioengineering), you change the thing the Humans are interacting with to better suit their internal wiring as well as their varying degrees of intelligence and presence of mind. You want widely used anythings to be designed for the lowest common denominator and well labeled. That's why claymore mines say 'This side toward enemy' in three languages and have the nice little drawings of how to properly vaporize people using the device. It's why car keys can be inserted any direction. It's why plugs on computers are standardized. It's why the blaring 'stall alert' in our company plane speaks 'stall alert, errnnngh, errnnngh, errnnngh, stall alert' at the same time both pilots have nicely labeled 'stall alert' flashing lights on their panels, you can't miss it or fuck it up. That's what 'passwords' have to become.
Obviously, they won't be passwords anymore, but as someone above noted, it's discovering what they'll become that's the key. Sitting around blaming Humans for being fuckups is a fuckup in itself. Nothing useful comes from that and even thinking about it should set off your own internal stall alert. Unless killing all the people is an acceptable solution, but it takes the fun out of being rich you know. There's nobody to build nice stuff for you if they're all dead :)
I would give you more up votes if I could. Your analysis of the problem is spot on. People are the weakness of password's. I use an algorithm such as alternating letters of the site with a secret.
Such as e0l1r2e3g4 for the Register.
It really doesn't help that password policies are so inconsistent across the board in what types of characters, min/max lengths etc they allow. Or that Apple, among quite a few others, blocks pasting into password fields, forcing you to type I'm told because it thinks its 'more secure'. I use long random passwords more or less everywhere I can and just copy them from a password keeper; passwords you really can't type all day and hope to remain sane. Apple's dogmatic insistence more or less guarantees that an awful lot of users will definitely end up using far poorer passwords, which to me looks rather obviously less secure. In some places you can always use the Keychain, but since it assigns new items to to login keychain by default, that doesn't appeal, as that (by default) is opened when you log in.
So while I'd fully agree people are the problem, they get plenty of encouragement to behave badly.
".....Apple's dogmatic insistence more or less guarantees that an awful lot of users will definitely end up using far poorer passwords...." Yes, but who actually uses an Apple device for anything important anyway?
I'm curious, what is a 'poorer password'? Is it one that is based on the system of characters we use for all of our communications, but that forces us to misuse those characters in the worst possible ways, so much so that the 'not poor' passwords become impossible for the average user to remember without a reference sheet?
Or is a 'poorer password' one that's an absolutely unique identifier that's good until compromised and then useless for your entire life?
Some clarification is in order here. You can't just run around claiming 'poorer password' without actually understanding what you're getting into you know. This has fuck all to do with Apple or anyone else's security implementations, it has 100% to do with people not understanding who they're building something for. If what you're building doesn't recognize and work with the user then it is poorly built. Again, that's a basic engineering rule: Good design begins and ends with the intended user. Your job as an engineer is to build something within the parameters defined by natural Human behavior. If you want to change behavior then the technical disciplines aren't appropriate for you. It's how well you recognize Human behavior, and integrate it into your design, that determines if you're any good at your job. All other criteria are secondary.
Re: Poorer Passwords?
"You can't just run around claiming 'poorer password' without actually understanding what you're getting into you know."
When the choice is between, for example, "Tiddles" and "bNt10aM7jOtfo" I think the user has to bear some of the responsibility for their choices, particularly when Tiddles photo is plastered round their workspace, lovingly captioned with "Tiddles dismembering his first mouse" etc.
Yes, good design has to account for human behaviour and should do far better than allowing "Tiddles" in the first place, but there's always a point where the user gets to exercise some degree of control, and they prove remarkably adept at finding ways to minimise inconvenience to themselves. Even if you junk passwords for something better, the chances of finding an ungameable system that entirely negates user ingenuity are minimal.
Re: AC Re: Poorer Passwords?
"....Even if you junk passwords for something better, the chances of finding an ungameable system that entirely negates user ingenuity are minimal." One fun case we had was a company we worked with that used smart cards for IDs that you had to plug into your keyboard to unlock your PC. Just about everyone there kept an old USB keyboard in a desk drawer for when they had to log into someone else's PC or had forgotten to bring their card to work.
"It's why the blaring 'stall alert' in our company plane speaks 'stall alert, errnnngh, errnnngh, errnnngh, stall alert' at the same time both pilots have nicely labeled 'stall alert' flashing lights on their panels, you can't miss it or fuck it up."
All good points, but God I wish the one above was always true
Re: Andrew Fernie
"All good points, but God I wish the one above was always true". There are two problems with such warnings - firstly, if the crew's own take on the matter makes them distrust the automatic instruments then they will ignore all warnings, especially if they are contradictory; secondly, sensory overload arrives a lot earlier when stressed, which means that the important automatic warning gets lost in the general noise of a panic. At which point you really want to have reflexive action from good and consistent training, basic muscle memory of 'that go beep then I must push buttons X and Y' - the Air France pilots do not seem to have had particularly thorough training.
Similarly, most lusers do not have any form of security training, and what they do get is a one-time exercise which is rarely repeated, so they do not learn good security habits. It's all fine moaning about the lusers but if an organisation isn't willing to spend the time and money to train them and enforce security then they really need to blame themselves.
Re: Andrew Fernie
"secondly, sensory overload arrives a lot earlier when stressed, which means that the important automatic warning gets lost in the general noise of a panic."
Yep, which does appear to have been what happened on AF447 - no crew communication, stress, and a resulting fallback to instinctive (and incorrect) decisions.
Sorry, but anyone thinking the answer to the human aspect of the password problem is 'properly enforced policies' is a raving lunatic. Full stop. It really doesn't matter at all how much safer weekly changed very long strings of obscure letters and symbols would be as long as there's not a snowball's chance in hell anyone could feasibly remember even one of them for five minutes - let alone the army of them needed for 'proper password hygiene' across the countless places one needs to log into every step of the way on the web today.
The entire concept is hopeless. The best version of it y'all ever going to get is the one you see right now, as bad as it is - if we don't like that, we'll have to give up the notion of people memorizing arcane strings and find something better. Oh, and to anyone arguing I don't get to highlight these shortcomings without proposing a better alternative I can promise a very special place of their own in my heart...
Something better is where it has to go! It's not optional. You're 100% correct.
Re: Don Je Re: Nope.
"Something better is where it has to go! It's not optional...." Er, why? You seem to forget that we live in the age of 'good enough for the cost', where less than perfect solutions are often accepted or even promoted because a solution is not seen to require a more expensive option. Yes, some solutions do require such added tech as two-factor authentication, retinal scans, etc. But do we all have steel shutters over our windows, laserbeam intruder detectors on our lawns and an armed guard in our homes 24x7? No, because for most of us that is considered unnecessary and too expensive. Hence I suspect the gold ol' password will linger on for many years hence.
I wrote a piece about this very subject last year: 'Passwords and Post Its', for a final year undergrad paper, with a slant towards the SMEs of this world. Contains a little bit of research and some of my own thoughts on the subject: computing.derby.ac.uk/ojs/index.php/itpsme/article/viewFile/15/13#page=47
The bottom line is that we as a species are intrinsically lazy about the subject. We are typically cognitively incapable of memorising schema, resulting in replication across multiple sites. We share credentials & don't change them often enough. We will lie about our password use when challenged and trade security against speed of access.
It's not likely to change dramatically anytime soon.
- Pics Whisper tracks its users. So we tracked down its LA office. This is what happened next
- YARR! Pirates walk the plank: DMCA magnets sink in Google results
- Review Xperia Z3: Crikey, Sony – ANOTHER flagship phondleslab?
- Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
- Human spacecraft dodge COMET CHUNKS pelting off Mars