From owner-freebsd-security Tue Jun 18 21: 6:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 5EB1037B407 for ; Tue, 18 Jun 2002 21:06:11 -0700 (PDT) Received: from localhost (ryan@localhost) by ren.sasknow.com (8.11.6/8.11.6) with ESMTP id g5J46A569751 for ; Tue, 18 Jun 2002 22:06:10 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Tue, 18 Jun 2002 22:06:10 -0600 (CST) From: Ryan Thompson To: freebsd-security@freebsd.org Subject: Password security Message-ID: <20020618204711.I65632-100000@ren.sasknow.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, My staffers are using plain old passwords for logins. ALL logins are via SSH from various platforms, using passwords. Some are logging in from Windows clients that don't support much else. And, on the security/convenience continuum, I won't have much of a network to secure if nobody gets any work done. :-) I'm well aware of the inherent insecurity of what your average human can remember. It's currently a weak link for us, so it is one aspect of our security that I would like to improve. So, for the purposes of this message, please assume all other avenues have been secured. ;-) So, given the limitations of remote access (from machines assumed to be insecure), and some fairly dumb Windows clients, what are some solutions to password security? The best I've come up with so far is to issue random passwords, from an array of 68 possible characters (alpha num and some easily-typed symbols). I issue two passwords for each user. One is short enough to be remembered with a small effort (6 characters, entropy > 2^36, assuming my randomizer is up to par). The second password is longer (10 characters, > 2^60), and is designed to be printed on a small card that the user carries with them like a token or a key. Obviously, you could argue the merits of shorter vs. longer keys. My choices are still quite arbitrary at this stage. New passwords would be issued at regular intervals. (Remember, these are staff members. I can do that. :-) I realize there is nothing particularly novel about this idea. When staffers log in, they just append both passwords, obtaining a 16 character password with 2^97 possibilities. (*not* worth the effort required to brute force, given the other weaker avenues available). So, the idea is that a much better overall entropy is obtained, like using a secret password plus a physical key. The unlikely worst case: an attacker knows this system (password length and character set), physically mugs a user, is able to obtain the system password hash, AND has the resources to brute force the remaining 6 character remembered secret. This still gives the staff member several hours to change his or her password if he/she suspects the key was compromised. I know that people *want* to re-use their favorite dictionary password(s)... so there will be *some* resistance to a system like the above... but does anyone have any comments on either the system from a password security standpoint, or from a managerial/practical standpoint? Have you done something similar? Completely different? I'm not really interested in a "passwords are bad" debate, unless there are readily available technologies of which I'm not aware that can be deployed across many dumb insecure computers across an insecure network. Thanks! - Ryan -- Ryan Thompson SaskNow Technologies - http://www.sasknow.com 901 1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message