Passwords are for AES-holes

When did you reach burnout? For me, it was spring 2009. Looking back, I did well to last as long as I did but the constant pressure of coming up with something new, again and again, became too much. I'm not confessing to an emotional crisis, by the way. I'm talking about my ability to create new system logins that I can remember …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Re: If that's so, then why

re: "...There is no difference between the strings abababab and nGl04$sh when you are brute-forcing..."

To be pedantic: A series of lower case characters the same length as a series of random characters, upper case, lower case, numbers and special characters, will be cracked much faster by brute force. This is because you go through all the lower case combinations second, after dictionary derived possibilities. Once you've done that you add in numbers, upper case and then special chars.

1
0
Silver badge

Re: If that's so, then why

Good god. You can be brute-forced from 1000 different IP addresses on 1000 different networks with just a single probe from each. How the hell do you prevent that on a system that is publicly available and is designed to allow remote access?

1
0
Pint

Re: Fuck me, eh? Class!

I have a sudden vision of your colleagues' helpless mirth as they arrange for you to be in charge of user support for those 'special users'.

No, no - don't tell me - you're actually deeply respected at work and they put you in charge of the difficult cases so that you can make use of your special talents.

2
0

Re: Correct Horse Battery Staple

isirta

Why not? Well, it isn't enough characters. Also it stands for [I'm Sorry I'll Read That Again], the quite rude and weird radio comedy show mostly from the 1960s with the Goodies -and- John Cleese and Humphrey Barclay and... oh, look it up.

Maybe it's foolishly optimistic but I'd propose that a user should be allowed to tick a box to say that they understand why a really strong password is important, and then pick their own anyway - like that.

We have to use 8 characters mixed-case and a number and change once a month. I have RSI and I can't get to my keyboard-alternative without typing a password first. I get through it by pretending that the letters are a swear-word, and the number... my secret. (I hope.)

0
0
Anonymous Coward

Re: Correct Horse Battery Staple

For anyone who hasn't seen it yet. http://xkcd.com/936/

One of the many, many times XKCD has made me sit up and think.

0
0
Anonymous Coward

Re: Correct Horse Battery Staple

My new password for everything: aaronemwas beingamassivecocktoday.

And i mean everything.

1
1
Anonymous Coward

Re: I don't hate my users

lol

so because you utterly failed in implementing the "system" it must be bad? maybe you just suck very badly at your job.

0
0
Anonymous Coward

Re: If that's so, then why

Oi! Grah and Aaron!

Why no icon? In the singular because you should both be using the "get my coat", and in both your cases it'll be a fucking anorak.

0
2
Coat

Well I'm not

about to argue with that.

0
0

Re: Fuck me, eh? Class!

Aaron Em: "I don't know where you're getting your users"

Yeah, you're right, no true scotsman would, would they?

You know where the door is.

1
0
Anonymous Coward

Re: In fact it is not

I can get away with many permutations of Password

Pa$$word

P@ssw0rd

etc

The annoying thing is the company I work for has implemented SSO for a lot of its systems but still doesn't get about secure ID. I have a secure ID token and I would have thought that this would be an ideal way to authenticate myself to almost all our systems?

0
0
Bronze badge
Go

Poetry

I use the initial letters of song lyrics (with an occasional number in there)

The trouble is I sometimes hum the song (as it has to be one I like so that I can remember it)

0
0
Coat

Re: Poetry

Hah, I used to use telephone numbers and substitute the numbers for letters for old style text phones

2 = abc, 3 = def ... every repeat number in the string was the next letter

07485558471 = 0pgtjkluhq1

but now I just use 16+ length passphrases

0
0
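As an added illustration (not the commenter's code), the keypad scheme from this post in Python, with the entropy arithmetic a defender would apply to it: the result looks like a mixed letter-and-digit string, but it is a one-to-one image of the phone number, so the guessing space is that of the digits. Wrapping round to the first letter after the last letter on a key is my assumption; the post does not say.

```python
import math

# Old-style phone keypad letters (constructed table; 0 and 1 carry no letters).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
# Reverse table: every letter maps back to exactly one key.
LETTER_TO_KEY = {ch: key for key, letters in KEYPAD.items() for ch in letters}


def keypad_encode(digits: str) -> str:
    """Each digit becomes a letter from its key; every repeat of the same
    digit advances to the next letter on that key (wrap-around after the
    last letter is an assumption). 0 and 1 pass through unchanged."""
    next_index = {}
    out = []
    for d in digits:
        letters = KEYPAD.get(d)
        if letters is None:
            out.append(d)
            continue
        i = next_index.get(d, 0)
        out.append(letters[i % len(letters)])
        next_index[d] = i + 1
    return "".join(out)


def keypad_decode(password: str) -> str:
    """Inverse transform: every output maps back to exactly one digit string,
    so the scheme adds no guessing space beyond the digits themselves."""
    return "".join(LETTER_TO_KEY.get(ch, ch) for ch in password)


def apparent_bits(password: str) -> float:
    """Entropy a naive strength meter would credit: length * log2(charset),
    with charset the union of character classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    return len(password) * math.log2(size)


def derived_bits(digits: str) -> float:
    """Real upper bound: the password is fixed by the digit string, so there
    are at most 10 ** len(digits) of them. A phone number is far from
    uniformly random, so the true figure is lower still."""
    return len(digits) * math.log2(10)


if __name__ == "__main__":
    number = "07485558471"                 # the post's own example
    pw = keypad_encode(number)
    print(pw, keypad_decode(pw) == number)
    print(f"apparent {apparent_bits(pw):.1f} bits, "
          f"derived at most {derived_bits(number):.1f} bits")
```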
Anonymous Coward

Re: In fact it is not

Aaron Em's userlist: -

* Aaron Em

* Aaron Em's Mum

"Correct horse battery staple" has only been around about a year. Which of those users tried it once, fucked it up and locked himself out of his encrypted account I wonder.

0
0
Joke

Use two-phase visual login

Use two-phase visual login. You first show a picture of yourself and for the verification your secretary has to show her tit. This then logs you in and also verifies your identification with the added human component.

But on a non-deemed-sexist (had I switched roles - nobody would have thought it to be sexist - funny that) idea.

Why don't they combine the ID cards you need to use the company toilet et al as a proximity login that also has you type in your Mickey Mouse password. AND this is the best part - the security IDs are not allowed to leave the building (beeps and flashes and locks the doors if you try) - they are left with the security receptionist who each morning looks at you - and hands you the ID with your picture on it. Genius and clearly so complicated that it's insulting to receptionists that they are not already given this role.

We then have a system that has verified identity, reduced loss of security passes and also security passes that if somebody leaves the company on short notice are not left out in the wild. Also on top of that you can still use the same password over and over again as long as only you know it as it is just icing on a rather nice cake.

Back in the old days, people had like physical security and things with keys - believe they were called offices and they did work. Nowadays with this modern assimulation of battery farm office spaces that would make a chicken blush we find this solution is now impossible and remarkably we now need to find a new solution.

Personally - go old-school - give your staff the space they deserve and don't make them have to use toilet cubicles with a laptop and mobile just to get a sense of space.

0
0
Bronze badge

Re: Use two-phase visual login

@PXG

"Why don't they combine the ID cards you need to use the company toilet et al as a proximity login that also has you type in your Mickey Mouse password."

We had this more than a dozen years ago when I worked at a bank. We had a personal smart card which plugged into a reader attached to your PC before you logged in. You entered the master password for the card and it logged you on to your workstation. It could also save login credentials for Windows apps and websites and fill them in for you at the appropriate prompts in the same way that modern browsers do. These cards were separate from the ones used to gain access to the building.

If you needed to leave your desk for any reason, you just pulled the card from the reader and the password protected screen saver automatically kicked in.

These were separate from the cards used to access different buildings and server rooms.

Another part of that solution was that if you used your card to log in at another computer in the company, say in one of the training or presentation rooms, it would promptly download and install the apps you were authorised to use, along with the settings you had on your main PC. This was great for monitoring the systems I was managing while attending a course.

The technology is out there if you look for it.

2
0
Thumb Up

Re: Use two-phase visual login

Oh yeah I know the ability is out there, saw what you outlined at Infosec in 1998/1999 (one of those years) and wasn't new then.

The real crux is that these ID login cards are often very anonymous in looks and in that I mean have no picture of the user. This prevents them being used as building entry IDs where humans are involved (can still use as swipe cards/proximity still).

I have also found that places that use these tend to place the physical security of these down to the user and allow them to go to lunch with it in their pocket or take home or have on the ID keychain with their security pass. This leaves the RFID variations open to being cloned - not many employers I know of that hand out RFID security tokens also offer you a shielded wallet to keep them in, don't cost much for them either - just not enough news headlines to drive that market into reality, just yet.

Point is that most RFID/login computer card/physical keys handed out to users only have the added security being diminished as they're allowed out of the building and/or at best they get left under the keyboard/in their top drawer of the desk.

What I have not seen is one that is also a security ID and you are verified by a human when you enter the building who then hands you your ID and you hand back when you leave the building. Something as simple as that. Sure I would love a system of plastic cards that had a digital ink that were generated when you entered the building. So reception/security takes a new picture every day so your picture actually reflects what you look like and not what you looked like before you went on holiday last week etc etc. That would be nice, some would say annoying and sadly that is the way of life.

1
1
Silver badge

Well written article, good pictures.

"...likelihood of a civil servant leaving my 'strong' password on a USB stick in the back of a taxi or a sacked call-centre underling in Bangalore selling my 'strong' password to the highest bidder."

Passwords don't work like that. The Man does not have your password, so he can't leave it on a USB stick. The System does not store your password, so the underling can't sell it.

0
3
Anonymous Coward

"The System does not store your password"

But oh so depressingly often, it does. People are happy to store your password in plaintext, and just as happy to email it to you as a reminder, also in plaintext. You cannot assume that third parties are following the bare minimum of best practices, and you probably already know that your employers are not.

4
0
Bronze badge

I am only allowed a limited number of words to discuss my topic of the week. In this instance, passwords are an analogy for all forms of security in that they are utterly useless because they rely on blind trust. My wife once checked into a hotel on business and, as is standard practice, allowed the receptionist to make a copy of her VISA card as 'security'. Within half an hour (as we discovered when the bill turned up a month later), one of the hotel staff was using my wife's VISA card details to buy himself plane tickets, clothes and all manner of other shit. Passwords are just the same. If you think passwords are somehow protected from humans seeing them or recording them or backing them up or printing them out for their mates, you are living in a land of self-delusion.

1
0
Megaphone

Yes, passwords are annoying...

... but what really annoys me is sites that, for some inexplicable reason, force you to use weak passwords. And by weak, I mean short.

For example, National Savings & Investments (NS&I) limits their account password to a measly 8 characters. If you use Tesco.com, you’re stuck with a maximum of 10 characters for your password.

Rather than bemoaning having to use strong passwords, I think it would be more productive to name and shame the silly companies that don’t even give you the option of choosing a strong password.

3
0

Re: Yes, passwords are annoying...

Probably depends on what you are really logging on to. Not sure about all, but iSeries (AS400) is a max of 10 for both username and password.

0
0
Anonymous Coward

Re: Yes, passwords are annoying...

Sites like this limit the maximum length of passwords for the simple reason that people can't remember long passwords. I have a long WiFi password, I used song lyrics, it turns out that even if I actually tell people what it is, tell them the places where people often go wrong (spaces? No spaces? Is it an "a" or a "the" at that part of the lyric) even if I write it down, no-one has managed to correctly enter it. It's only 10 words, two lines of a fairly well known musical. People who can't touch-type simply can't enter long passwords when they're *ed out.

0
1
Unhappy

Re: Yes, passwords are annoying...

I've run across a depressing number of financial/retail sites that don't allow punctuation or special characters in their passwords...

1
0

Dabbs again?

Crowbarring open a designated-whiner-for-the-users niche here at the Reg, I suppose, because that's exactly what a red-top tabloid for IT professionals desperately needs to have.

0
9
Anonymous Coward

Post-It notes and

The other problem with forcing users to have too many strong passwords is that they will inevitably write them down, typically on a Post-It note stuck to their monitor or in the pen drawer of their desk pedestal unit. Many of them are quite aware that this may be against the house security policy but they are also aware that the main reason for the plethora of passwords is that different parts of the organisation refuse to cooperate with each other for political reasons.

Another problem is when the corporation's big knobs demand exemption from the corporate security policy and then proceed to use some weak password that they use everywhere. This was exactly the case at my previous contract: the head honcho had his secretary's secretary order the IT manager to allow the use of "the same 4 digit password that he uses for everything". The IT manager resisted bravely for a few minutes but capitulated when he remembered the fate of former rebels in management.

4
0
Silver badge

Re: Post-It notes and

The same 4 digit password, you say? I can imagine the BOFH having some fun with that!

0
0
FAIL

Pot... meet Kettle

Seriously Reg, how you can have the gall to publish an article criticising anyone else's login/password failings is beyond me. Especially when your own website has about eleventy-billion completely pointless separate subdomains, all requiring individual logins, and there are Alzheimer's-afflicted goldfish with better recall than your login cookie's "remember me..." option.

Title says it all.

[Had to login for about the fourth time today, to post this]

21
0
Thumb Up

Re: Pot... meet Kettle

Madra - If you ever stand as an MP or in any political capacity, then you can count on my vote as somebody who can cut thru the mustard.

On a plus side (so far) I have been asked if I care about cookies and this has only been the once, thus far touch wood (on the internet this turn of phrase is often understood and if it is you only have yourself to blame).

1
0
Facepalm

Re: Pot... meet Kettle

[edit] s/understoon/misunderstood/

sorry

0
0
FAIL

security joke

The worst security joke I have encountered so far was when I contracted for an international business machine manufacturer. They had just installed a very new and very expensive mainframe in the basement of one of their national HQs. To get to it you had to swipe a card to get through the first door, be physically signed in by a rented uniform, and swipe a different card and enter a challenge response password to get through a second door. And repeat the process to get out again.

There were no toilets in the basement.

By the third day of operation, we had a rota where whoever's turn it was had to go through the security procedure to get out again and go up to the second floor toilets. They then had to work their way down through the fire escapes, wedging the doors open with ash trays, until they were back in the computer room. Then go all the way back up to the toilets and come back through the official security channels. That department was later criticised for not showing initiative.

6
0
Thumb Up

Re: security joke

Oh I completely believe this.

Toilets and cigarettes have been the durge of security in so many areas for a while and this was before the smoking laws came into effect. See that fire door with sensor - if you put duct tape over that sensor then we can smoke all we like without grief from alarms going off in reception.

Though days like this you can just play an ice-cream truck ringtone out loud near a fire exit and stand a fair chance of having it opened for you :).

4
0
Anonymous Coward

Re: security joke

I used to work at a company who had a super secure R&D area. To access it you needed an ID card and fingerprint check. Except you didn't. In the delivery bay there was a locked door which was unlocked by a motion sensor for people coming out of the secure area. People would rarely come out of that door because there were more convenient ways out. But anybody walking past it would unlock it. So if you forgot your pass all you had to do was stand by that door until it was triggered. For your added convenience a green light would come on when it was unlocked, so you didn't even have to stand conspicuously close enough to hear the click of the lock.

After I left I heard they had quite a major confidentiality leak in that place. Their solution was to frost the windows of the R&D area.

2
0
Anonymous Coward

Re: security joke

So true about the fire doors...

The last place I worked the idiots in the warehouse continually left the doors open (because it was either too hot or they were just too lazy to close them) and then wondered why so many times things were stolen. Numerous times I left the building in the evening to see the doors left open because none of the warehouse staff closed them when going home.

I've also visited the pharmacy departments of countless UK hospitals and while most have security doors, signing in and out at the front, and expect "all staff to challenge visitors", they conveniently leave the rear delivery door open due to frequent deliveries throughout the day and maintenance / cleaning staff needing access to remove rubbish (mostly packaging). You could walk into most of these and as long as you look confident and vaguely business like you'll be ignored every time. It's not just the Controlled Drugs that are valuable either, frequently the price of a single pack of drugs is over the £100 mark and one person can easily pick up 3 or 4 cases containing 20 or so packs in each.

3
0
Bronze badge
Go

Re: security joke

Another story about open doors.

At one customer I had to be signed in to the server room every time. That was fine until the time we did some weekend work. Little did I know that the operators cleared off half way through Saturday afternoon and I couldn't get access to bring the production system back online.

I rang my contact at his home to ask to be let in. He told me about the loading bay door at the back, and sure enough it was left open.

3
0

People not passwords = security

It doesn't matter if the password is simple. Just block brute-force attacks and only allow 3 attempts before a reset. Simples.

I enjoyed the rant. I would add the point that forcing people to have so many logons forces them to use a simpler password or set of passwords than they might normally do. If I only have to remember one or two passwords then they can be complex.

Also users need showing how to build complex passwords....i.e. swapping "e" for "3" for example. It's not rocket science.

0
2
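An added example, written for this thread and not taken from any post here: the "3 attempts before a reset" rule from this post as a per-account lockout, run against the thousand-address scenario raised earlier in the thread (one probe from each of 1000 networks). Counting per account rather than per source address is what makes the distributed case still trip the lock. The class and function names, the 15-minute lock duration and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MAX_ATTEMPTS = 3        # the post's "only allow 3 attempts before a reset"
LOCKOUT_SECONDS = 900   # constructed value: lock the account for 15 minutes


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def make_verifier(password: str):
    """Keep a salted PBKDF2 hash, never the password itself (the thread's
    own point about systems that store plaintext). Returns a checker."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(candidate: str) -> bool:
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(got, stored)
    return verify


class AccountLockout:
    """Counts failures per account, not per source address, so one probe
    from each of many addresses still adds up against the targeted account.
    A production version would also expire old failures on a sliding window."""
    def __init__(self, clock, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.clock = clock
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.failures = defaultdict(list)   # account -> [(time, source_ip)]
        self.locked_until = {}

    def is_locked(self, account) -> bool:
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def attempt(self, account, candidate, verifiers, source_ip) -> str:
        """Returns 'ok', 'denied' or 'locked'. The source address is only
        recorded for the audit trail; it never changes the decision."""
        if self.is_locked(account):
            return "locked"
        verify = verifiers.get(account)
        if verify is not None and verify(candidate):
            self.failures.pop(account, None)      # success resets the count
            return "ok"
        self.failures[account].append((self.clock(), source_ip))
        if len(self.failures[account]) >= self.max_attempts:
            self.locked_until[account] = self.clock() + self.lockout
            self.failures.pop(account, None)
            return "locked"
        return "denied"


def simulate_distributed(n_sources: int) -> dict:
    """Constructed scenario: n_sources addresses each send one wrong guess
    at the same account, 0.1 s apart. Returns a tally of the outcomes."""
    clock = FakeClock()
    lock = AccountLockout(clock)
    verifiers = {"alice": make_verifier("correct horse battery staple")}
    tally = defaultdict(int)
    for i in range(n_sources):
        src = f"10.{(i >> 8) & 255}.{i & 255}.1"   # constructed source address
        tally[lock.attempt("alice", f"guess{i}", verifiers, src)] += 1
        clock.advance(0.1)
    return dict(tally)


if __name__ == "__main__":
    print(simulate_distributed(1000))   # two denials, then every probe locked out
```

The flip side, which this post's "Simples" skips over, is that an account-level lock lets anyone who knows a username keep that user locked out, so deployments pair it with progressive delays and alerting rather than relying on the hard count alone.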
Facepalm

or you could...

...implement single signon like we have. It remembers all your passwords for you and types it in to your sensitive applications, even if you're not there (if you forget to lock your PC - like most people here). Abusive email to the Director - no problem, he won't even know it was you.

0
0
Silver badge

It's a question of password management

First of all, don't make the requirements too strong. If you want your people to have at least 3 digits and 3 letters in their passwords, and they need to change every month, you'll end up with passwords like June2012.

In some cases it may be wise to write down passwords onto a sheet of paper you carry around with you, or even a plain passwords text file. However those instances are rare and need to be well thought out. Don't put such a file onto a computer you neither can secure nor own. (e.g. an iPhone)

However the main point is to use public key authentication whenever possible.

1
0

In user testing

For websites we found most people have 3 passwords of various complexity that they always re-use. Force them to do something else and they forget them and are likely to use a standard guessable one. IOW, let people enter what they want to enter.

I'm all for password unblanking functionality as well. Off by default but if you're at home what does it matter if the cat can see over your shoulder? How many of us are in cyber-cafes logging in anyway?

Password blanking is the illusion of security, nothing more.

7
0
Bronze badge

Re: In user testing

@Andy Farley

"I'm all for password unblanking functionality as well."

I agree and I use it for the long pass phrase I use in various places.

When I'm at home, nobody else can see my screen.

At work, there's a solid wall behind me, so the same applies.

1
0
Anonymous Coward

Sections 43 & 44 of the Terrorism Act 2000

Having 13 passwords at work is good practice from a security point of view, but the people who implement these things tend to be strange people who are neither like nor quite understand normal human beings.

Ultimately, you need to balance security with employing normal members of the public who are doing normal office jobs. All these weirdos do is breed contempt for employers and cause stress to normal human beings.

You don't need to protect your own IT systems from your regular employees (unless your HR department and security staff on the door have failed to do *their* jobs already), only spies and rogue employees, who'll still find a way around 13 passwords to do bad deeds.

Sadly, I've met too many of these obsessive IT systems admins or people with some kind of say over how IT works in an organisation, and they're generally highly paranoid individuals who think every other colleague is either corrupt, incompetent, an arsehole, part of a clique, clueless, or uses some other trick to hoodwink everyone else into employing them. They see themselves as the only person in the whole company who does their job well and takes things seriously, the irony being that they're almost always clueless themselves or take weeks to do what normal IT staff do in an hour.

Like I said, it would be great for security if everyone had to remember 50 passwords and change them all every day, but what kind of life would that be for a human being?

If you want to roll out IT systems that have inherent flaws that need 13 passwords to fix, you need to fix the IT system, not the humans. It's like Black & Decker expecting their customers to be genetically altered so that their hands better fit the designs of their tools, rather than redesigning their tools to fit human hands.

All of which makes me think that one day babies really will be microchipped so that computers can detect who's using them and work out whether that person should/can be where they appear to be...

It'll be like Terminator, but without Skynet.

1
0
Silver badge

i use a commercial password manager

Of course, since I'm the system admin and network admin, it does serve to protect system passwords that need to be accessed by users other than myself. Fortunately, it comes with the option to allow users to store personal (business personal?) passwords. I use it to store everything, since I'm in charge. My only problem with the application is that while I can search for any of the system userids that I have stored, it doesn't have a similar function to search my personal passwords....and I have over 70.

Every website gets its own username (email address...I'm the email admin as well) and password.

The only ones I have issues with are those that limit the length. For those, I just generate a long password and in the account notes indicate how many characters to actually use.

If you care which one I use, I'll post it.

0
0
Silver badge

This is why the world is slowly moving to identity management

SSO is the future, but for SSO to succeed properly, we all need to pay attention to proper identity management. Many consumer facing websites (and almost all 'social' apps) will now support login via OAuth from Google or Facebook. This is good, but limits a user to sites that support their chosen identity provider.

What needs to improve is WAYF protocols to allow a site to say "Okay, I need to identify you, but I don't really mind who does it", allowing all identity providers to be amalgamated into one true identity source, minimising the work required for both service providers and identity providers.

SSO - particularly SAML - has been made obscenely complex by tool makers (Sun, MS, et al) who have a vested interest in making the protocols so complex and fiddly that in order to implement them properly, you need their libraries to do it, and their tools to produce the metadata. The tag line should be "SAML - from the same people who brought you SOAP".

SAML also has one of the most bizarre transports known to computer science - PAOS, or 'Reverse SOAP'. Eurgh.

0
0
Silver badge

Re: This is why the world is slowly moving to identity management

The trouble with that approach is that people are getting leery about trusting the SSO providers. Almost all moves towards simplification involve trusting some third party in an atmosphere that's steadily progressing towards "Trust No One" (as "trust" facilities get big bulls-eyes on their backs for industrial spies).

0
0
Go

Passwords are the past

With the development of smartphones and other portable kinds of computers, I do have to wonder why we are still using passwords. Why can't we have something like a general hardware token, like the ones some banks give out, but general? Can be your smartphone with a "Google Authenticator"-style application. One that works like this:

1. Generate a public/private key pair (say, with PGP or similar)

2. Upload the public part to the website or service where you need to authenticate yourself.

3. Put the private key in your smartphone in secure storage (not your SD card, although if it's encrypted I guess it can go there too).

4. Each time you need to log in, you pop your smart phone app up, you enter a password (or screen pattern) to obtain access, then generate a six digit code (that lasts 30 seconds) that you input into the service/website to gain access.

If you're paranoid, you could store a key pair for each service you use, and then select it from a list after you unlock your app. There are also plenty of other ways to be even more paranoid: make the password not work unless your bluetooth headset is connected to your phone too for example, but then you'd only have to secure your own phone in the most paranoid way thinkable, not the entire Internet per individual user.

1
0

Re: Passwords are the past

Your password-free system requires a password

0
0
Anonymous Coward

I sympathize with the author - and I work in IT Security myself. Many of the "security procedures" that make life difficult for the users are in fact adding very little value - if any - in term of security.

I would rather have users using long strong passphrases which are only renewed every 6 or 12 months. Double that with single-sign-on or identity federation, hunt and eliminate the situations where the users are forced (even if just for convenience) to share passwords with others (not by punishing the users, but by finding out why was the sharing needed in the first place, and offering an alternative secure way of working).

There are many technologies which can actually simplify the life of the users - and increase their productivity as a result. But, from my experience, the biggest obstacle in deploying those is... wait for it... The Management! On more than one occasion I've seen amazing short-sightedness, in the name of "cost savings" and "efficiency".

That, my dears, is the real challenge.

1
0
Anonymous Coward

I use Password Safe but there's some danger in that also if your computer is compromised, it's game over for all your accounts, many of which may be sensitive.

I'd be interested in a small device with no network connectivity to hold your passwords in an encrypted database like password safe. Select a password and have it display a QR code. Scan the code with your phone or with a cheap (hypothetical) USB device on PC and the password is copied to the clipboard. It's a few extra steps but at least it gives you a way to store your passwords and access them without losing all of them if desktop/phone is compromised.

Provide some way to connect the device to a PC to backup the database but be careful not to allow the device to be backdoored this way if a person had physical access.

0
0
Anonymous Coward

Hmm...

The trouble with putting something into the clipboard is that it's still in memory, unencrypted. If your machine is compromised, it's still fairly easy to find. I'm not sure what the best way to do it would be, possibly an app that puts the password directly into the password field in the web site you are visiting and instantly submits the page would work. However, I suspect that this would be compromisable as well, even if you're using in-private browsing or its equivalent.

0
0
Trollface

I know the firm...it was El Reg!

Been El Reg 'registered user' since Christ was a corporal. To comment, Reg website wanted me to sign up as a NEW USER, which I attempted to do, using the same decades-old primary email address. Now it says, that one is taken, please log in...

It must be AWFUL to work there! ROTFFLMFAO

1
0