Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 18 Jun 2002 22:06:10 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        freebsd-security@freebsd.org
Subject:   Password security
Message-ID:  <20020618204711.I65632-100000@ren.sasknow.com>

next in thread | raw e-mail | index | archive | help

Hi all,

My staffers are using plain old passwords for logins. ALL logins are
via SSH from various platforms, using passwords. Some are logging in
from Windows clients that don't support much else. And, on the
security/convenience continuum, I won't have much of a network to
secure if nobody gets any work done. :-)

I'm well aware of the inherent insecurity of what your average human
can remember. It's currently a weak link for us, so it is one aspect
of our security that I would like to improve. So, for the purposes of
this message, please assume all other avenues have been secured. ;-)

So, given the limitations of remote access (from machines assumed to
be insecure), and some fairly dumb Windows clients, what are some
solutions to password security?

The best I've come up with so far is to issue random passwords, from
an array of 68 possible characters (alpha num and some easily-typed
symbols). I issue two passwords for each user. One is short enough to
be remembered with a small effort (6 characters, entropy > 2^36,
assuming my randomizer is up to par). The second password is longer
(10 characters, > 2^60), and is designed to be printed on a small card
that the user carries with them like a token or a key. Obviously, you
could argue the merits of shorter vs. longer keys. My choices are
still quite arbitrary at this stage. New passwords would be issued at
regular intervals. (Remember, these are staff members. I can do that.
:-)

I realize there is nothing particularly novel about this idea.

When staffers log in, they just append both passwords, obtaining a 16
character password with 2^97 possibilities. (*not* worth the effort
required to brute force, given the other weaker avenues available).

So, the idea is that a much better overall entropy is obtained, like
using a secret password plus a physical key. The unlikely worst case:
an attacker knows this system (password length and character set),
physically mugs a user, is able to obtain the system password hash,
AND has the resources to brute force the remaining 6 character
remembered secret. This still gives the staff member several hours to
change his or her password if he/she suspects the key was compromised.

I know that people *want* to re-use their favorite dictionary
password(s)... so there will be *some* resistance to a system like the
above... but does anyone have any comments on either the system from a
password security standpoint, or from a managerial/practical
standpoint? Have you done something similar? Completely different?

I'm not really interested in a "passwords are bad" debate, unless
there are readily available technologies of which I'm not aware that
can be deployed across many dumb insecure computers across an insecure
network.

Thanks!

- Ryan

--
  Ryan Thompson <ryan@sasknow.com>

  SaskNow Technologies - http://www.sasknow.com
  901 1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-664-3630   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020618204711.I65632-100000>