Guild Wars Forums - GW Guru
 
 

Old Jul 13, 2009, 03:41 PM // 15:41   #1
Site Contributor
Join Date: Dec 2004

Strong Passwords Not as Good as You Think

Thought this was an interesting piece on Slashdot.org.

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.

Quote:
ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user IDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
You can see the full paper here: http://www.usenix.org/event/hotsec07.../florencio.pdf
Posted by Inde
Old Jul 13, 2009, 03:54 PM // 15:54   #2
Jungle Guide
Join Date: Jan 2009
Location: Imperial Sanctum
Guild: Legendary Drunken Masters [DUI]
Profession: E/Me

*runs to the control panel*
Posted by Helix Dreadlock
Old Jul 13, 2009, 03:56 PM // 15:56   #3
EXCESSIVE FLUTTERCUSSING
Join Date: Mar 2007
Guild: SMS (lolgw2placeholder)
Profession: Me/

Yep, makes sense. No reason to try and hack your password when I can just steal it.
__________________
All seems lost now, but still we must fight on.
Posted by Kattar
Old Jul 13, 2009, 04:17 PM // 16:17   #4
Wilds Pathfinder
Join Date: Jul 2008
Location: Wales
Guild: Order of the Azurelight[OA]
Profession: E/

Hasn't this been the case for ages? I've been keylogged a few times, ages ago, due to my imbecile of a brother downloading crap.

I still make my passwords "strong" for extra reassurance, which I now see is void.
Posted by lewis91
Old Jul 13, 2009, 04:23 PM // 16:23   #5
Ascalonian Squire
Join Date: Jan 2007
Guild: Elite Dragon Bane
Profession: W/

Don't use sites that don't have a good reputation, never give your passwords to anyone, and if you write your passwords down, keep them under lock and key. Many sites that have bots/hack programs also have trojans/keyloggers in them. If you use high risk sites you will get hacked sooner or later.
Posted by rodzilla
Old Jul 13, 2009, 04:51 PM // 16:51   #6
Banned
Join Date: Apr 2009
Location: In your dreams
Guild: AoC
Profession: Me/N

That's scary. Somebody should send a message to the guys that make those websites.
*stares at gmail*
Posted by ARMPTOK
Old Jul 13, 2009, 05:10 PM // 17:10   #7
Jungle Guide
Join Date: Apr 2007

Password strength is akin to the lock on your front door. Just because you have a secure lock doesn't mean they can't get into your house; they could break some part of your frame, your lock or your door. They could steal or manufacture a key. They could simply enter via some other unsecured part of your house. They could, given enough time and chances, pick your lock. Nevertheless, you want a lock sufficient to discourage potential intruders.

This article is not an excuse to have weak passwords. Rather, the point is that password strength, as one component of defense-in-depth strategies, doesn't have to be particularly high to ensure security, and that policies concerning password strength can be self-defeating.

It should be noted that 21-bits is a ten-character password, assuming that password has sufficient entropy to an observer; that is, another person cannot reasonably guess your password. The reality is that a password's actual entropy is often lower because of things like: number preference (particularly the number one), letter preference / avoidance, number placement (particularly at the end of passwords), use of capitalization (at the start of passw0rd), use of dictionary words, disuse of dictionary words because of letter preference, use of names, simple substitutions (0 for o), use of personal or family information, etc.
Posted by Sun Fired Blank
Old Jul 13, 2009, 05:17 PM // 17:17   #8
Jungle Guide
Join Date: Jan 2009
Location: Imperial Sanctum
Guild: Legendary Drunken Masters [DUI]
Profession: E/Me

huh....gotta bookmark this.
Posted by Helix Dreadlock
Old Jul 13, 2009, 05:30 PM // 17:30   #9
Jungle Guide
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

Suggesting that 'strong' passwords are no longer effective seems like poor logic; the strong password is as effective as it ever was. A weak password is just as likely to be guessed or brute forced as ever...

Just because someone can use the password if you give it to them (phishing) or they steal it (logging) does nothing to discourage the practice of using strong passwords. It just means you need to PROTECT the password, the same as you ever did.
Posted by Nerel
Old Jul 13, 2009, 05:50 PM // 17:50   #10
Site Contributor
Join Date: Dec 2004

I really like how I link an article and get responses from people who didn't bother to read the article or summary. I only know this because of what some are suggesting. Perhaps they did, though, and are just focusing on the wrong aspect of it. To clarify a bit, they said that strong passwords are not as foolproof as everyone makes them out to be. This is coming from the side of those who have to manage servers like this, by the way, not from an end-user perspective. The title is a bit misleading. Hey, I do it too, I understand. It's a long read, but for those who will take the time... they are presenting an interesting scenario where it's not the password but the UserID that needs to be made stronger. Something that I have rarely seen suggested, and which is really confined for the most part to the hands of the website: how public they want to make those user IDs.

I'll post the conclusion so that you can see what the article was getting to:

Quote:
We examine the question of attacks on password-protected web accounts. We conclude that forcing users to choose strong passwords appears misguided: this offers no defence against the common password stealing attacks and there are better means to address bulk guessing attacks. We show that it is the combined size of the userID plus password key-space rather than the password key-space alone that protects large institutions against bulk guessing attacks. Greater security for the institution can be achieved by allowing users to keep relatively short passwords, so long as they choose longer userID's. This reduces the number of break-ins that an attacker with fixed resources can expect, and reduces the burden on users. For smaller institutions, i.e. those with hundreds rather than millions of users, there appears to be little reason to use strong passwords so long as good lockout (e.g. three unsuccessful logins freezes the account for a time) are in place.
Posted by Inde
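The two quoted passages (the abstract in post #1 and the conclusion above) and the entropy remark in post #7 can be worked through numerically. The following Python is an added example written for this thread; it is not code from the paper, from Slashdot, or from any poster. Every concrete figure in it is an assumption chosen for illustration: a 30-minute lockout, one million users, a billion-guess attacker budget, and the ten-attempt traffic samples. The thread itself only supplies "about 20 bits" and the "three strikes" rule.

```python
import math
from collections import Counter

# Added example, not code from the paper or the thread. All numbers below
# (lockout length, user count, guess budget, traffic samples) are constructed
# assumptions; the thread itself only quotes "about 20 bits" and "three strikes".


def entropy_bits(alphabet_size, length):
    """Ideal entropy of a uniformly random string of `length` symbols drawn
    from an alphabet of `alphabet_size`: length * log2(alphabet_size).
    Real user-chosen passwords fall well below this, as post #7 notes."""
    return length * math.log2(alphabet_size)


def single_account_attack_years(password_bits, strikes=3, lockout_minutes=30):
    """Expected time to brute-force ONE account online when every `strikes`
    wrong guesses freeze the account for `lockout_minutes`.
    On average the attacker must try half the password space."""
    guesses_needed = 2 ** password_bits / 2
    lockouts = guesses_needed / strikes
    minutes = lockouts * lockout_minutes
    return minutes / (60 * 24 * 365.25)


def expected_breakins(guess_budget, num_users, userid_bits, password_bits):
    """Bulk guessing: the attacker spends `guess_budget` attempts spread over
    the whole (userID, password) space, so no single account ever reaches the
    strike limit. Each guess hits some valid account with probability
    num_users / 2**(userid_bits + password_bits); expectation is linear in
    the budget, which is the paper's "combined key-space" argument."""
    credential_space = 2 ** (userid_bits + password_bits)
    return guess_budget * num_users / credential_space


def simulate_lockout(attempts, strikes=3):
    """Apply a three-strikes rule to a sequence of (userid, success) login
    attempts. Returns (guesses_evaluated, accounts_locked). Once an account
    is locked its further attempts are refused without checking the password."""
    failures = Counter()
    locked = set()
    evaluated = 0
    for userid, success in attempts:
        if userid in locked:
            continue
        evaluated += 1
        if success:
            failures[userid] = 0
        else:
            failures[userid] += 1
            if failures[userid] >= strikes:
                locked.add(userid)
    return evaluated, len(locked)


# Constructed traffic: ten guesses against one account versus ten guesses
# sprayed across ten different userIDs.
BURST = [("alice", False)] * 10
SPRAY = [("user%02d" % i, False) for i in range(10)]


def demo():
    """Run the thread's scenarios with the constructed parameters above."""
    return {
        "bits_for_10_lowercase_letters": entropy_bits(26, 10),
        "years_single_account_20_bits": single_account_attack_years(20),
        "breakins_20bit_id_20bit_pw": expected_breakins(10**9, 10**6, 20, 20),
        "breakins_30bit_id_20bit_pw": expected_breakins(10**9, 10**6, 30, 20),
        "lockout_burst": simulate_lockout(BURST),
        "lockout_spray": simulate_lockout(SPRAY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With these assumptions a 20-bit password takes roughly ten years to brute-force against a single account once three strikes trigger a 30-minute freeze, which is the "unrealistic" of the abstract. The bulk figure is the interesting one: a billion sprayed guesses against a million users with 20-bit IDs and 20-bit passwords yield about 909 expected break-ins, and adding 10 bits to the userID (not the password) drops that below one. The lockout simulator shows why per-account lockout alone does not help here: it evaluates only 3 of the 10 burst guesses but all 10 sprayed ones, so the defender's complement on the detection side is counting failures per source address or site-wide rather than per account.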
Old Jul 13, 2009, 06:42 PM // 18:42   #11
Academy Page
Join Date: Jul 2006
Location: amsterdam
Profession: W/

Didn't we already know this? A hard password is purely for brute force + guessing.
Posted by sir wan
Old Jul 13, 2009, 07:29 PM // 19:29   #12
Jungle Guide
Join Date: Jun 2008
Location: DoA
Guild: Dark Order of Retarded Knights (doRk)
Profession: N/Me

I'm glad I'm one of the intelligent people that can handle using "strong passwords" without risking a seizure.

But anyway, the best advice I can give people regarding their GW passwords is this:

1) Don't share your passwords with anyone (not your brother, not your gf, not your best friend).
2) Use something you can remember, but is abstract enough that someone else can't guess it.
3) Don't write it down, and don't store it on your computer. Memorize it like you would the words to your favorite song. If you have multiple passwords and are afraid you'll forget them, store them somewhere secure, preferably not near your computer.
4) Don't use the same password for your GW account as you do for anything else (for example your guru password or your NCSoft password or your Yahoo Email password, etc.). Consider also having different passwords if you have multiple GW accounts.
5) Change it fairly often (at least once per month).
Posted by TheodenKing
Old Jul 13, 2009, 07:55 PM // 19:55   #13
Site Contributor
Join Date: Dec 2004

*sigh* Maybe I am not being obvious enough. This article is exploring so much more than passwords. It's really an interesting idea that, as I mentioned above, I haven't seen explored: the concept of UserIDs needing to be more secure. We've all heard the mantra of strong passwords and clearly it's NOT enough.

Everyone repeats over and over again that if an account is compromised it's because of your password not being strong or giving that out. What if your UserID was also just as secret/strong/hidden? It would increase security. I thought it was an interesting concept, but the message is kind of getting lost in this thread. We already know about strong passwords; repeating it over and over isn't going to further this discussion, as it's not JUST about passwords.
Posted by Inde
Old Jul 13, 2009, 10:03 PM // 22:03   #14
Furnace Stoker
Join Date: Jan 2007
Location: Ohio
Guild: I Will Never Join Your Guild (NTY)
Profession: R/

I am intrigued by the concept of stronger/hidden user IDs. It seems logical, but I don't know enough of programming and/or hackin' to verify or disavow their thesis. In any case, basic Internet safety is just like safe sex: a very simple concept, but so many people just don't do it.
Posted by Elder III
Old Jul 13, 2009, 11:30 PM // 23:30   #15
Academy Page
Join Date: Nov 2005
Location: Athens, Greece

"What if your UserID was also just as secret/strong/hidden. It would increase security."

Maybe, but personally, as a user, I strongly reject the possibility of changing all my usernames just for increased security.
If I were an administrator, having no feelings for the users but only for my precious security, I would enforce it.

Other than that...

"Login procedure using image code" (patented?) is an option that is not taken in account in that text.

Besides phishing, keylogging and case 5c (which I believe was put there just to poke me in the eye), it seems to be a very solid and secure way to authenticate a user everywhere, using existing so-called "non secure" credentials.

Are there any drawbacks that I'm not considering here?

(I see it coming "Individuals with Special Needs")
Posted by ne33us
Old Jul 15, 2009, 01:25 AM // 01:25   #16
Jungle Guide
Join Date: Jun 2008
Location: Australia, what you want my home address?
Guild: [CAT]
Profession: Mo/

Quote:
Originally Posted by Inde View Post
*sigh* Maybe I am not being obvious enough. This article is exploring so much more then passwords. It's really an interesting idea that, as I mentioned above, I haven't seen explored. The concept of UserID's needing to be more secure. We've all heard the mantra of strong passwords and clearly it's NOT enough.
That's awesome, and clearly something that is out of the end users' hands when our user ID is more or less forced upon us, and often publicly displayed in the case of forums... GW and any game, app or web service that requires a valid email and uses it as the user ID is an example of 'forced upon us'.

Mayhap the article is of interest to those who 'run' web services, sites (such as yours) or similar such things, but clearly isn't relevant to the 'end users' for whom 'strong password' and 'keep your password secure' seem too difficult to understand, by and large.

Phishing and key logging aren't a new phenomenon, having been around for... seemingly for ever, really, certainly longer than a decade now...

Can phishing reveal the user's ID? Of course it can, people are stupid. Can a key logger catch a user's ID? Duh! Can a user ID be guessed or brute forced? Same as a password... the other forms of 'obtaining' user passwords mentioned in the article (shoulder surfing, console access vs stored passwords etc.) all apply just as easily to the user's ID.

User IDs are largely NOT secret, and often considered public information; they've already failed the first step of being secure.

Much can be done on the authentication side of the login process to make it more secure, little can be done for the end user's short string of characters used to identify themselves (User ID + password) other than keeping them secure, and that is (currently) only an option for the password in the majority of scenarios.

Last edited by Nerel; Jul 15, 2009 at 01:35 AM // 01:35..
Posted by Nerel
Old Jul 15, 2009, 11:23 AM // 11:23   #17
Jungle Guide
Join Date: Apr 2006
Profession: W/R

For the brute force attacks it would be harder, but for those who get hacked via keyloggers it isn't gonna change anything. The old rules are still the most important: don't go to nefarious sites, watch what you download, keep your virus scanner and firewalls up to date, and yes, don't use easily guessed passwords.
Posted by rick1027