June 21, 2005 at 5:46 pm
According to Jesper Johansson, senior security program manager at Microsoft, the security industry is giving out the wrong advice by forbidding people to write down their passwords. Strong passwords are impossible to remember and lead to people picking easy passwords or using the same password across all the systems that they access.
And using the same password across all systems us poor security. I tend to agree with that in most cases because if one system is compromised then all of them are. However, for the administrators, it's problematic if all systems have different passwords. Then the cost (in time) of administering these systems goes up. I admit that in most of my jobs I've used the same sa password on all servers and the same administrator password on all systems. The caveat is that we change those passwords often, usually every 30 days and always when an administrator leaves. While a security breach would leave all systems vulnerable, the window of opportunity is fairly small.
Bruce Schneier says that it's impossible to remember strong passwords. And now password cracking programs are hip to the 3 for e and 0 for o replacements (and others). Plus with distributed cracking programs and cheap hardware, it takes less and less time to crack passwords for anyone that truly wants to get at your systems.
It's quite a quandry for people. To me there are two problems we are trying to solve. One is protecting systems for the administrators. These are more techincally competent people and should be required to build stronger passwords. The system that I liked the best over the years was the central storage of all our administrator passwords (Windows Admin, SQL, Exchange, service accounts, etc.) in a central storage file. We used Password Safe for this on a network share accessable to administrators only. We changed the file password periodically and scripted changes of the various passwords every 30 days. Usually we'd solicit some theme and assign an administrator to change the passwords.
The other problem is how to get users to create and deal with complex passwords. Of all the suggestions that I've seen, I think writing them down is a good idea. Make stringent requirements, 12 characters, mixed case, numbers, etc., require changes often, but allow them to write them down. Not on sticky notes, not posted, but maybe a card that they keep in their wallet or purse. Or these days, maybe their cell phone.
Now if we could just somehow secure your cell phones. Maybe outlaw Bluetooth?
Steve Jones
June 21, 2005 at 9:49 pm
I agree, passwords should be written down. This is especially true for IT staff for DR purposes and in the event that you're not around when the password is needed, like when you're on holidays
Another case is the infrequently used password. We have a Telnet application that provides the ability to auto-login. So you don't enter the username and password each time you use the application. The security is pretty good in that it requires very strong passwords and they expire pretty regularly. The only catch is that once the password expires you need to enter the old password before you can create a new one and it's amazing how easily you forget something when you don't actually use it.
--------------------
Colt 45 - the original point and click interface
June 21, 2005 at 10:16 pm
Actually, I've been using pass-phrases lately.
They usually meet the complexity requirements (of, say, Windows 2003 Server's default policy), can be quite long and are easy to remember.
It is becoming a major problem these days. On top of passwords, we have PINs for ATM, your mobile phone account, your CityLink account (for us Melburnians), secret questions and a plethora of other codes.
Is the answer to this somthing along the lines of biometrics? Don't know, but I'm running out of storage for all my codes, pins and passwords!
June 22, 2005 at 7:06 am
I think here's where knowing foreign languages helps - I know smatterings of several - enough to coin a "pass phrase" in a mixture of a couple of languages that would make any sense only to me.... Throw in some special characters to this mix and you're good to go....
I also have a method (in my own madness)....where everytime I have to change my network password at work, I just keep stripping the outermost right, then the outermost left and then recycle it back to the beginning when the 2 year cycle (or whatever it's set to) is over....
**ASCII stupid question, get a stupid ANSI !!!**
June 22, 2005 at 8:26 am
The language idea is great. Never thought of that, but my smattering of a couple languages might make me safer.
June 22, 2005 at 8:38 am
Si!
**ASCII stupid question, get a stupid ANSI !!!**
June 22, 2005 at 11:09 am
My solution for keeping a large number of passwords is to keep them on my Palm PDA in a passworded, encrypted database. I didn't find an existing password keeper that I liked, so I wrote my own.
If the PDA is lost or stolen, the passwords are still secure (encryption is the *only* security on a Palm). There's also a PC reader for the database, which uses the same password as the PDA version.
John
June 22, 2005 at 9:06 pm
When coming up with complex passwords, I think of a set of related songs or tunes that seems appropriate to the setting. (For instance, last job I used "old Saturday Morning TV shows".) Then I take a phrase, turn it into acronyms, toss in punctuation and funky characters (and foreign translations if they jump right out), and end up with something no one's going to guess.
Example A: The Banana Splits Show. A key line from the them song: "Fleegle, Bingo, Drooper and Snork". Password:
F,B,D&S.
Example B: Line from the Sesame Street intro song: "Sunny day, keepin' the clouds away" becomes
S2d,kt-ca#
[where "S" from "Sun", 2 from "ni", which is Japanese for 2; "-" because there's a pause there in the song, and "a#" comes from away (weigh)]. Spelling this out makes it seem awkward, but when I hummed along I never mis-typed it.
Added bonus: when you cycle the password out, you can challenge your friends to figure out what the old password was based on. "Lt,aefh!", anyone?
June 23, 2005 at 1:09 am
Personally I do not think it's a good idea to write passwords down (also notes get lost...).
At work we are forced to use strong passwords. I can not remember these difficult passwords, so I choose a combination of keys on the keyboard that is easy to perform. Apparently my fingers have a better memory than I do, because this system never failed me yet (it's also handy for remembering phonenumbers, actually any type of information that needs input via keys).
Only thing to beware of is to change the password in case of a different keyboard (either via software or hardware).
Hans
June 23, 2005 at 2:47 pm
Sushila, how did you know my sa password was set to 'si'. I'm kidding of course, but I've seen system admin passwords nearly as ridiculous as that one. My favorite was an SQL installation where the password had been set to blank. Not a blank password mind you, but literally the word 'blank'.
I lectured my parents at length when they finally got online last year about the importance of using secure passwords and not writing them down anywhere. And just when I finally thought my message had gotten across, you won't believe what I got for Christmas - it was a little book to write down all my user names and passwords.
My hovercraft is full of eels.
June 23, 2005 at 11:26 pm
I think password set to "blank" is a stroke of genius - who'd ever think it could be that?!?!
Are you sure the "little book" wasn't to write down names & phone #s - you mean there're actually books for unames and pwds ???? Wonder who thought of marketing that one! (must be the kind of parent who tells his pilot son to watch out and not "fly too high!")<;-)
My favourite is when I had to deal with variable names in Spanish...that was a quick immersion course all right!
**ASCII stupid question, get a stupid ANSI !!!**
June 24, 2005 at 3:42 am
I a previous job, passwords used to be written sown, put in a sealed envelope, signed across the flap and stored in the fireproof safe in the personnel department, along with a set of backup tapes and other items they needed secure.
In times of need these rarely used passwords could be extracted and used (only by specific people and under HR supervision) and then updated and re-stored for next time.
June 24, 2005 at 9:17 am
It actually was the equivalent of a name and address book, but it had been printed sold for the purpose of recording user names and passwords. My e-mail, my office account, etc. If I can find it, I'll see if I can post a jpeg somewhere.
After reading this thread, I'm actually of a mixed mind when it comes to documenting passwords (among other things ). If they're completely secured somewhere as the previous post suggested, I can see the use in that as long as this access is strictly controlled.
Single sign on is another thing though, and for the most part this is something that I am against. Yet I do see it as an attempt to address the issue of trying the keep track of so many user names and complex passwords particularly in an environment where HIPPA policies (which in turn affect password policy enforcement) are in full force.
Our previous SSO application had a serious flaw where if you logged onto an application from an end-user's PC the authentication was cached. Then the next time that user logged in to the same system, he/she would get in with your credentials. Not a good thing.
My hovercraft is full of eels.
June 24, 2005 at 10:16 am
The safe storing is a good idea and one I've used in smaller companies. Give a sealed envelope to the CFO/Accountant to store. That way if I disappear, he can get the domain admin accounts.
June 24, 2005 at 10:24 am
That's why there is movement towards biometrics and one time pads like the secure tokens from RSA Security. There isn't a password to remember, per se, although there is usually something like a PIN. However, the fact that there is a some aspect of that "password" changing every few seconds makes it nigh impossible to crack yet still permitting someone a reasonable amount of info to remember. Security experts are now starting to go down the path of recommending this not only for remote users coming in through VPN but for any privileged accounts. It solves a lot of these types of issues that you get with increasingly more complex passwords.
K. Brian Kelley
@kbriankelley
Viewing 15 posts - 1 through 15 (of 17 total)
You must be logged in to reply to this topic. Login to reply