Passwords Under Pressure

  • mjh 45389 (8/2/2016)


    My smartphone uses fingerprint technology. However it became an issue when I burnt and blistered my finger! There is another in but it is relatively insecure which negates, in my mind, the increased security of finger print technology.

    I am in favour of limiting connectivity with increased password length and complexity as more areas as accessible/changeable...

    Phones will let you save up to 5 finger prints. My one does anyway!

    I once met a guy at passport control at Heathrow - he'd been kept aside because his fingerprints didn't scan. He told me this happened to him every time he flew international because he "didn't have fingerprints". He hadn't lost them in a fire or anything like that, he'd just never had them.

  • The various people having issues with fingerprints is interesting.

    I expect their is a sizable number of individuals who regularly damage or obstruct their finger prints through work / play or accident.

    I'm thinking of the majority of manual trades / sports / maybe some musicians - you can develop quite heavy calis on fingers through playing the guitar for instance.

    cloudydatablog.net

  • There is enormous variance in what is allowed for passwords at different sites. I have a lot of passwords (about 200) in my safe - the longest 32 characters long (longer allowed, but 32 seems enough currently) with upper and lower case and special symbols and the shortest 7 characters, upper case and numeric only (a site which asks for a set of 3 characters from the password each time you log in - so clearly it stores the passwords using at best a reversible cipher, not a hash; combined with the tiny password range I think of that as not secure at all). Quite a few sites now seem to allow 20 or more characters (20 is the length I usually generate) and accept upper case, lower case, and some smallish number special symbols, but there are still too many that restrict to 16 characters (or 12 characters or 10 characters or even 8 characters) and/or have case-insensitive passwords (do they use a case-insensitive hash ,eg by converting to upper case before using something like MD4? I suspect not, they probably store the passwords either in the clear or using a reversible cipher) and/or don't allow special characters and/or restrict the alphabet to exclude accented characters like é and è, and/or have other rules that greatly reduce the search space for brute force attacks.

    So I get the impression that about half the sites I use have security designed by people I would never have given responsability for security design. This impression is reinforced by the number of times my browser tells me a login page (or other secure page) includes insecure content (which it doesn't download, of course - if that makes the page unusable, strike one more site from those I'm prepared to use), and a certain bank (not a UK one) lost all hope of me ever trusting it when it told me that insecure junk on its login page didn't matter. Other sites appear to have good security - no complaints from browsers, no apparent restriction on password length (tested by seeing if getting the 257th character of a 257 word password wrong prevented login - if it does, the site is hashing at least the first 257 characters), no detected restriction on what characters you can have in the password.

    I get very annoyed by sites that adopt practices that they think increase security but whose only actual effects are to make life more difficult for users and reduce security. The classical idiocies are forcing excessively frequent password changes and/or preenting paste into password areas - both of these lead in practice to shorter passwords with a more restricted set of characters (for example not using lower case L because it can be mistaken for 1 when looked up in a password safe).

    If we could get all the people out there designing security just to make their password systems sane and easy to use in conjunction with a decent password safe, it would be a vast improvement on the current situation. The trouble is that the incompetents (at least half the people out there doing security) won't take up any of the newer stuff (2FA and so on), only the people who already have security pretty well right will add the new stuff - except for a few who try to add the new stuff and do it insecurely (eg if the second factor involves a mobile phone, they should allow two mobile numbers to be registerd, not just one, and it must provide a number of pregenerated 2nd codes that can be used when the mobiles are not usable - with clean and secure methods for cancelling pregenerated codes and replacing mobile numbers; anyone dim enough to restrict passwords to 12 characyers is too dim to do any of that).

    Tom

  • Tom has made a lot of good points here. It is surprising how many obviously store passwords in clear text or, at best, synchronous encryption. Even worse when you get told to trust them as they are in the process of dealing with it. Trust? 15 years ago maybe but now when it has been obviously a bad practice for so long? Trust gone. Pathetic attitude to security. (FYI This was one of the UK's major ISPs earlier this year.)

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Dalkeith (8/2/2016)


    The various people having issues with fingerprints is interesting.

    I expect their is a sizable number of individuals who regularly damage or obstruct their finger prints through work / play or accident.

    I'm thinking of the majority of manual trades / sports / maybe some musicians - you can develop quite heavy calis on fingers through playing the guitar for instance.

    My wife, recently retired from teaching school would, every five years or so need to renew her license which included refreshing her recorded fingerprints. The last time the officer told her that hers had worn down almost to nothing. Apparently shuffling paper all those years is another culprit.

  • "a site which asks for a set of 3 characters from the password each time you log in - so clearly it stores the passwords using at best a reversible cipher, not a hash; combined with the tiny password range I think of that as not secure at all)"

    I was surprised that webroot does this. One more reason to use a pw manager that allows for a) long complex passwords and b) all different.

    The best one I think I've ever encountered was, "There is none". Think of Abbott and Costello.

    "What's the password?"

    "There is none"

    "The site keeps asking for a password, there has to be one. What is it?"

    "There is none"

    🙂

  • Eric M Russell (8/1/2016)


    Rod at work (8/1/2016)


    Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades, isn't something that should work in all situations. I've never even thought of the possibility of someone needing to login very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two factor authentication that also might include some Captcha verification. ("I'm sorry madam we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")

    Bottom line, there isn't a one size fits all, when it comes to passwords and how they should be used to authenticate someone.

    I believe the key to security is not just "least required privilege" but also "least required connectivity". For a number of different reasons (security, dependability during a natural disaster, cost containment, etc.), equipment in a hospital operating room should be functional without relying on network connectivity. Hackers can't get at a system if there is no IP port, and we must ask ourselves how much value does that open network port really add to the process of treating the patient.

    Some voting districts in US are failing audits and having to replace their shiny new voting machines due to issues with wifi connectivity. In many cases they weren't even using wifi, they chose to remain paper based for security reasons, but the presence of the wireless networking end point still left them vulnerable to hacking.

    Virginia Finally Drops America's Worst Voting Machines

    https://www.wired.com/2015/08/virginia-finally-drops-americas-worst-voting-machines/

    If you voted in a Virginia election any time between 2003 and April of this year, your vote was at serious risk of being compromised by hackers.

    That’s the assessment reached by Virginia’s board of elections, which recently decertified some 3,000 WINVote touchscreen voting machines after learning about security problems with the systems, including a poorly secured Wi-Fi feature for tallying votes.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Steve Jones - SSC Editor (8/1/2016)


    LastPass had an issue, but not incredibly unsecure. The issue was patched quickly.

    It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.

    Unless, of course, you aren't aware of the hack until after your bank accounts have been cleaned out and a dozen credit cards registered in your name (but a different billing address) and...

    Password managers are the holy grail of hacking, since they not only have all your passwords they ALSO show which websites those passwords are for. Worse, those websites contain all sorts of PII like your home address, answers to secret questions for password reset, etc.

    Given the speed of automation a hacker could not only grab every single one of your passwords, they could also lock you out of your own accounts while ruining your life and reputation, putting you to weeks of effort to try and undo the damage.

    How is that not game over?

    Especially when LastPass (at least) had some serious (and apparently easy to exploit) problems *that had been there for a while* that it took a white hat next to no time to find.

    Brr.

  • I use 1Password as my password manager. However, for the logins I don't actually enter the complete password but will instead obfuscate a common prefix. For example, if the actual password is something like "PortisheadH7K11", then I'll store the password as "P*H7K11". That way if the app or data file is compromised, it's still not giving away the family jewels easily.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell (8/2/2016)


    I use 1Password as my password manager. However, for the logins I don't actually enter the complete password but will instead obfuscate a common prefix. For example, if the actual password is something like "PortisheadH7K11", then I'll store the password as "P*H7K11". That way if the app or data file is compromised, it's still not giving away the family jewels easily.

    thats interesting but certainly reduces the usefulness. i like copy paste, especially when on mobile

  • Steve Jones - SSC Editor (8/2/2016)


    Eric M Russell (8/2/2016)


    I use 1Password as my password manager. However, for the logins I don't actually enter the complete password but will instead obfuscate a common prefix. For example, if the actual password is something like "PortisheadH7K11", then I'll store the password as "P*H7K11". That way if the app or data file is compromised, it's still not giving away the family jewels easily.

    thats interesting but certainly reduces the usefulness. i like copy paste, especially when on mobile

    It does mean that the app can't be leveraged for auto-completion, but that's a trade-off I'll accept for the additional security.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • funbi (8/2/2016)


    mjh 45389 (8/2/2016)


    My smartphone uses fingerprint technology. However it became an issue when I burnt and blistered my finger! There is another in but it is relatively insecure which negates, in my mind, the increased security of finger print technology.

    I am in favour of limiting connectivity with increased password length and complexity as more areas as accessible/changeable...

    Phones will let you save up to 5 finger prints. My one does anyway!

    I once met a guy at passport control at Heathrow - he'd been kept aside because his fingerprints didn't scan. He told me this happened to him every time he flew international because he "didn't have fingerprints". He hadn't lost them in a fire or anything like that, he'd just never had them.

    What I found amazing was that once my finger had healed the fingerprint was unchanged. Nature can often amaze one!

  • Eric M Russell (8/2/2016)


    I use 1Password as my password manager. However, for the logins I don't actually enter the complete password but will instead obfuscate a common prefix. For example, if the actual password is something like "PortisheadH7K11", then I'll store the password as "P*H7K11". That way if the app or data file is compromised, it's still not giving away the family jewels easily.

    Great idea!

  • funbi (8/2/2016)


    I once met a guy at passport control at Heathrow - he'd been kept aside because his fingerprints didn't scan. He told me this happened to him every time he flew international because he "didn't have fingerprints". He hadn't lost them in a fire or anything like that, he'd just never had them.

    The only biometric checks at Heathrow for EEA or Swiss nationals or for registered travellers from other countries that use facial biometrics are facial checks. So I guess that was someone from somewhere different who had a fingerprint validated visa.

    Edit: A UK fingerprint-validated visa must be a real pain for someone like that guy. We ought to have an alternative for such people.

    Tom

  • TomThomson (8/2/2016)


    funbi (8/2/2016)


    I once met a guy at passport control at Heathrow - he'd been kept aside because his fingerprints didn't scan. He told me this happened to him every time he flew international because he "didn't have fingerprints". He hadn't lost them in a fire or anything like that, he'd just never had them.

    The only biometric checks at Heathrow for EEA or Swiss nationals or for registered travellers from other countries that use facial biometrics are facial checks. So I guess that was someone from somewhere different who had a fingerprint validated visa.

    Edit: A UK fingerprint-validated visa must be a real pain for someone like that guy. We ought to have an alternative for such people.

    When I came through passport control at Heathrow on my South African passport/UK indefinite leave to remain visa I had to scan my fingerprint at the desk. I remember submitting it as part of my biometrics for the UK visa application. Definitely not just facial checks unless that has changed in the last 1.5 years.

Viewing 15 posts - 31 through 44 (of 44 total)

You must be logged in to reply to this topic. Login to reply