Just use a password manager.
Now, what was the question again?
The life of the security IT professional would be a lot easier if people were capable of remembering enough passwords so that they didn't need to reuse them. That was the considered opinion of Facebook’s head of security Alex Stamos and Google’s security princess (her actual Chocolate Factory job title) and Enigma 2017 …
Using a password manager requires a trusted computer. What if the only available computer is communal or the person travels a lot without benefit of a laptop?
Your smartphone is "communal"?
Also, password managers tend to use encryption and a master password, and at least in the case of KeePass also support multiple databases (each strongly encrypted with a unique master password), so questions of trust and sharing are moot.
These databases can also be accessed directly by KeePass over the network via SFTP and other protocols, so they're available to all your devices running KeePass (every major OS is supported) in every location, whether at home, on the road or at work.
Personally I run it on the (Linux and Windows) desktop at home, and on Android when I'm out, and all three systems share the same encrypted database on the same FTP server.
Even if I forget my smartphone or it runs out of juice, I can always run the portable version of KeePass on whatever system I have available at my destination.
It certainly beats writing hundreds of passwords down on Post-It notes.
Your smartphone is "communal"?
But your smartphone is connected to that great community in the sky known as the internet. As soon as someone can sneak a key logger on to it, all your password are belong to them. Not just for the sites you use from that phone, every password in your safe!
For pity’s sake, stop reusing passwords
Tell that to Podesta. According to Assange, Podesta's password was "password".
A trusted computer/device for a password manager is the key problem. While my home PC/laptop might be fairly trustworthy, I would not put them up there as unhackable. As for my Android phone - please, just don't go there!
A possible solution is something like the old RSA key-fob that could be used to salt+hash some account detail to provide a complex password. As it is off-line it is practically impossible to hack without an agent physically compromising it, and it is small enough to be carried with your house/car keys, etc, where ever you go. Many UK banks use card reader things to the same ends, but a more general purpose one would be good.
USB style devices are all very well, but need the PC to be cooperative (so no play on corporate locked-down machine) and your fscked if you bought a new Macbook and forgot your fist full of dongles.
My smartphone is sometimes lent to wife, kids, even on occasion colleagues who need to make a call when their battery is dead (mine is an ancient Nokia so lasts longer than all of theirs added together).
"Your smartphone is "communal"?"
Smartphone? What smartphone? Even in 2017 not all of us carry a permanently-on surveillance device everywhere.
Would you consider your phone (or other portable device) a trusted computer?
Or a deterministic password generator, like - a plastic card in your wallet
NO. It has to operate on untrusted airwaves and is MUCH easier to nick or hack.
"As soon as someone can sneak a key logger on to it, all your password are belong to them."
In that case you have a problem irrespective of how you store your passwords.
Well, let's examine the options.
Option #1 is reuse the same password for hundreds of services, from banking to email, thus losing everything in the event that this one password is compromised once on any one of those services, such as that dodgy phpBB forum you visited last week.
Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail and you'll become the only person in history to be compromised by a keylogger that defeats the KeePass "Two-Channel Auto-Type Obfuscation" anti-keylogger technology.
I punched those numbers into my probability calculator and it says ... "1" is more likely.
I use option 1.5 - A small number of hard+unique passwords for important stuff (Financials, home computer, message boards I frequent often, etc). A few hard+shared passwords for non-critical things I trust, but also wouldn't be mortified by a compromise on (message boards I don't care about so much, work PC - mainly due to their crappy password rules!), mentally-generated-on-the-fly soft passwords for all those crappy sites that insist you have an account do do things that shouldn't actually need one for (usually linked to likewise-generated throw-away email accounts).
"Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail"
We were talking about using a password safe on a smartphone which fails many of the above conditions. I looked at the obfuscation system you referenced and it looks like a fine way to guard passwords in the safe but it does nothing to protect the password to access Keypass itself. That is the real issue.
So these overpaid asswipes reckon its the fault of the user and not the fault of the other overpaid asswipes who keep losing all the passwords from badly secured websites.
No; users must accept some responsible for their own security and use strong unique passwords, via a separate strong encrypted password store (not just in an OS user account), because however good a site's security is, some may eventually suffer a compromise, including by side attacks and staff, especially from/via lower paid outsource staff!
Security is a process and never absolute, because there is an arms race between the defenders and the attackers, and there can be unexpected bugs in security.
How many sites that require passwords actually *need* them? How many shops require a login for what is in all likelihood a single transaction? Do they really need to keep details of my name and address and credit card?
I'm starting to see some shops not require a login and password to make the one time or occasional purchase.
Fine. If you don't want to revisit the shop and reuse the account, just give it a random string for a password. (Mash some keys into a text editor until it looks suitably gibberish, then copy and paste it into the password and confirmation boxes. Remember to close the text file without saving.)
More importantly, though: always, always make sure to untick the "record my card information for future purchases" option. That way, if anyone does crack your account, they're still no closer to being able to spend your money.
What annoys me more is sites - like El Reg, for instance - that require a password that does need to be reused, and does need to be remembered, for a transaction that has close-to-zero impact if compromised. If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk.
"If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk."
Or they could use it to post politically incorrect stuff and stain your reputation. Or worse, post CP links and get the attention of the law on you.
The lack of
human intelligence is the problem ...... everywhere. And aint that the gospel?
In humans though, may that be default and normal.
Or maybe remembering a bunch of things that are intentionally hard to guess just isn't a very good way for humans to authenticate themselves ?
It's often a good idea to match the solution to the problem : if you need to do a thing often, choose something that you're good at.
What are humans good at remembering? Probably something involving patterns. Shapes, music, phrases. The problem there is that to enter a reasonably complex pattern, you need an interface that's good at it. Maybe that's easier to solve than trying to make your passwords rememberable but obscure.
Maybe it's better to learn whether or not the problem at hand is even tractable.
Consider the First Contact problem. How can Alice and Bob prove their identities to each other if they've never net before? This is essentially the problem we face every time we register to a new site. We don't really know who runs the site, and the site doesn't know a thing about us.
The thing is, the First Contact problem is logically intractable. With no common point of reference, there's no way for Alice to prove she is Alice and not someone else posing as Alice. Not even Trent can help since Trent can be a double agent and has to be vetted himself, creating a Turtles All The Way Down conundrum. It's a Catch-22. You need common ground to create trust, but you need trust to create common ground.
That's why we can't seem to find a simple solution: because there's no solution full stop. We're just trying to make impersonation as hard as possible, but unfortunately we're stuck for the ride. Making things harder for the imposter makes things harder for US, and there's no way to unlink the two since the imposter's job is to BE us, essentially: right down to the DNA if they gotta. And inversely, easier for us is easier for the imposter. Worst yet, it seems the medium is UNhappy: not easy enough for us but not hard enough to thwart the imposter. So, basically, what now, especially when the public demands unicorn solutions?
I don't think we care that we can't identify someone we've never met before.
All we normally want to do is identify that it's the same person that set up the account, or the same person that a bank knows about, or the same person that lives at a certain address. Who that person actually is can't ever be proven : what matters is that the second and subsequent contacts match the first.
A password (retained secret) is fine for this, as are other tokens such as certificates. In some cases, that certificate needs to be verified by another party such as a bank.
That's why we can't seem to find a simple solution: because there's no solution full stop
Eh? You're talking about trying to solve a different problem here....
Or maybe remembering a bunch of things that are intentionally hard to guess just isn't a very good way for humans to authenticate themselves ?
Bingo! see https://xkcd.com/936/ for how it SHOULD be done.
Human memory, or the lack of it, is the biggest security bug on the 'net
I suggest that it's much, much wider than that. Humans ignore simple laws like "don't use your mobile phone whilst driving"; perhaps they think that they won't get caught (unfortunately quite likely true) but in any event accidents happen to other people, not them.
Human stupidity, more like, as per Einstein's well known thought on the subject. The vulnerabilities of IT systems are publicised ad nauseam so there has to be something more than "memory" to account for people failing to take simple basic steps to protect themselves.
Phrases do seem to be the easiest to remember.
But what happens when your memory is SO bad that your recall instead produces "donkeyenginepaperclipwrong"?
"Bingo! see https://xkcd.com/936/ for an opinion on how it SHOULD be done.
Fixed that for you.
And the reason I made that fix because it's an opinion I do not share.
For a start, the end panel's claim that "You've already remembered it" was wrong for me the first time I read it - it was a couple of years of seeing references to (and re-reading) that strip before the example password finally committed itself to my memory.
Then there's the problem that it's just one password, and it's seemingly just a random string of things with no context - so if someone goes to a particular website they use and needs to log in, how do they remember if their password was correcthorsebatterystaple, versus typicalzeusapplemarch which they used on another site, or walletbottlemonksplatter from another, and so on.
IMO, it only potentially solves the problem if we only ever need one password - and people using just one password is a part of the problem under discussion.
Edit: Lest I forget (see the problem?) my own solution is to use KeePass. Can't recommend it enough.
Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificent. For such sites I often reuse simple passwords - for other sites with financial data (eg PayPal) I use strong passwords that are unique to each site.
An easy way to generate fairly strong memorable passwords - concatenate a car registration number, a friends name and the name on a bit of equipment.
eq XNO123SWendyHUDL2 (not a password that I have ever used!!!)
That's funny, I've got the same combination on my luggage.
It must become a habit to never reuse passwords for any public resources, and even most private resources, otherwise you may accidentally reuse a password for something security critical or later discover that an insignificant resource suddenly becomes significant, with significant costs e.g. compromise causing loss of reputation, social costs, slander costs, or unintended leakage of critical information. Using different user identifiers can also be a good idea to make compromise even harder and to block other security risks including cross-site profiling/spamming.
Passwords should never be derived from any publicly discoverable information associated with a person, because this information could be automatically looked up and used by automated cracker scanners; long, secure-random-generated passwords are generally much more secure.
Everyone should be using a secure (local or remote end-to-end encrypted) password store to keep most user/password details safer than human memory or insecure external storage like unencrypted files or written/printed notes.
I re-use the core part of several passwords, but salt them with certain characteristics of the sites they are used on. This means if one of them is leaked, it can't be used anywhere else. The flaw in the scheme is if the plain text is leaked, a human could work out the salting scheme I use.
"Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificent. For such sites I often reuse simple passwords"
I used to use that scheme -- until one of those sites had their password database stolen. The sheer annoyance of having to change dozens of passwords all over the web made me switch to using a password manager for "low value" sites. For some very critical things I still use a memorized password.
Visual and spatial challenges are far easier on the brain than letters and numbers that adhere to artificial rules. Some people visualise PIN's by their "shape" on a keypad. A London black cab driver would be able to recite every street and every landmark between any two streets in London, this is probably because of the way human memory "leads into" each step of a journey. We all do this to a greater or lesser extent, but not to the extent of annotating the images of the journey with street names, which is part of a cabbies' training. How many of us can recite whole chunks of Alice In Wonderland or a Tennyson poem? But what password protected sites give us this as a choice? Coupled with this is the need for more lenience in the occasional slip of the word, which may be due to forgetfulness on our part when dreaming something up. For instance it might be possible for a user to be excused forgetting the exact case and punctuation used in elements of Break, break, break et al, but to use gray instead of grey would be a grave error.
Humans aren't wired for passwords like HJ78#2hhj*2 that many IT policies force on their users, but we are quite good at remembering things that can be visualised.
For Example, what if my Amazon password was "99 ice cream loving honey badgers ate my hamster!" I reckon that's a lot easier to remember than HJ78#2hhj*2, and it has plenty of entropy. This is not my Amazon password, but if it was it would be easy to remember. Amazon now do Top Gear. Top Gear has a thing about honey badgers. The hamster, well that's obvious, and if there hasn't been a race between Mr Whippy and a kebab van*, well there ought to have been. It all goes together to make a memorable password.
What is really needed are systems that can take longish passwords and some training to get people to be creative.
(*British readers will know exactly what My Whippy and a kebab van are. I suspect the rest of the world has no idea, which is probably why Top Gear haven't done this race.)
...and this "cultural enclosure" makes them more secure*.
(Not sure about My Whippy though - I remember Mr Whippy - you must have gone to a school where they had more -er- exclusive tuition lol).
*I went to a seminar once where some American company launched some software or other. The screenshots had these weird first names and surnames in them. The presenter felt he needed to apologise for them. He did so by explaining that the people responsible for the Powerpoint were asked to pitch it to us Brits, and they were trying to come up with authentic English names (e.g., Archibald, Enid, etc.).
"... My Whippy ...", er, sorry folks. I meant "... Mr Whippy ..." but that also sounds so wrong.
What about DISABLED people, though? Visual puzzled are lost on the blind, audio puzzles lost on the deaf, yet sites are legally obligated to accommodate them.
Unless you are the pinball wizard there are still choices, just as there can be with traditional password entry. Having written software for a provider of IT equipment for the visually impaired I can say this segment of the population is not without facilities to visualise password cues. Deaf people can see images and use a keyboard, so not sure what the problem is there.
BLIND people CAN'T. That's why image-based CAPTCHAs get sites in trouble. The best systems kind of require full sensual acuity to work, but of course not all of us have that, so the law requires fallback methods...which miscreants can exploit by simply claiming to be blind and so on to get simpler puzzles.
with the aid of a very nice bottle of Ardbeg scotch.
“Passhword reushe, it’s the worsh proble on the inter in thing”
Yes, those sites that insist on a password length longer than you normally use - so you have to remember a "non-standard" pattern.
Or those that impose a short maximum length - same problem.
Or those that insist on stupid combinations - so you have to remember that this site has a % (or whatever). Or those that impose restrictions the other way.
I have a system that allows me to use a different password for each site - by using something that's common to most things, combined with something that's different for each site. Yes, if someone got hold of a number of passwords then they'd be able to figure out the system - but if that happens that I've almost certainly got far worse problems. But there's no way that given a single password hacked from a single site you'd be able to log into any other site.
But, this system is blown apart by the above mentioned, well meaning, idiots who for various reasons stop me using something that my system deals with.
It might not be politically correct, but that's a fact nonetheless. If there is one thing that I've learned over the last 40+ years of working with computers & networks, it would be that humans, as a group, are ineducable when it comes to personal security.
I think it was Einstein who said “Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
Indeed. For example my wife has KeePass with AutoType at her fingertips, and uses Firefox to remember her passwords for sites. Despite this she uses the same two passwords everywhere. Until I notice, anyway.
Was it Gary Clail who sang, "There's something wrong with human nature" ?
As soon as you realise that all these sites are insecure, as you can just log in with a username and password anytime and from anywhere in the world, then the problem goes away.
Just don't keep any private data on them and use the same password everywhere - job done.
Biting the hand that feeds IT © 1998–2017