From owner-freebsd-security Wed Jun 19 6:16:26 2002
Delivered-To: freebsd-security@freebsd.org
Received: from infinity.aesredfish.net (ns1.aesredfish.net [65.168.0.12]) by hub.freebsd.org (Postfix) with ESMTP id 28FFF37B412 for ; Wed, 19 Jun 2002 06:16:09 -0700 (PDT)
Received: from potentialtech.com (mhope-dhcp-65-168-1-181.dashfast.com [65.168.1.181]) by infinity.aesredfish.net (8.11.6/8.11.0) with ESMTP id g5JDFsr20990; Wed, 19 Jun 2002 09:15:55 -0400
Message-ID: <3D108570.70409@potentialtech.com>
Date: Wed, 19 Jun 2002 09:21:52 -0400
From: Bill Moran
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0rc1) Gecko/20020502
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ryan Thompson
Cc: freebsd-security@freebsd.org
Subject: Re: Password security
References: <20020618204711.I65632-100000@ren.sasknow.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

There were a lot of excellent responses, I'm going to add my $.02.
Hopefully it will be helpful.

Ryan Thompson wrote:
> My staffers are using plain old passwords for logins. ALL logins are
> via SSH from various platforms, using passwords. Some are logging in
> from Windows clients that don't support much else. And, on the
> security/convenience continuum, I won't have much of a network to
> secure if nobody gets any work done. :-)
>
> I'm well aware of the inherent insecurity of what your average human
> can remember. It's currently a weak link for us, so it is one aspect
> of our security that I would like to improve. So, for the purposes of
> this message, please assume all other avenues have been secured. ;-)

There are some tricks to improve the "average human's" memory. Poetry is
one of them. Most people can memorize a few lines of poetry (or a song)
rather easily.
Increase the length of their passwords to 10+ and then tell them how to
generate them: take a line of poetry or a line from a song and make an
acronym from it. For example, I had to memorize a silly poem in 6th grade
that I have never been able to forget:

"The reason for the Pelican is difficult to see
His beak is clearly larger than there's any need to be"

The poem is actually much longer (and I remember the whole flippin'
thing), but just those two lines give me "trftpidtshbiclttantb" as a
password, 20 characters, and while I don't know for sure, it would seem
to me that there's more entropy in that than in any "word" password.
Most people already have dozens of songs memorized, so it works.

This is more of a "stupid human trick" than brave new technology, but it
may be helpful to you.

> The best I've come up with so far is to issue random passwords, from
> an array of 68 possible characters (alpha num and some easily-typed
> symbols). I issue two passwords for each user. One is short enough to
> be remembered with a small effort (6 characters, entropy > 2^36,
> assuming my randomizer is up to par). The second password is longer
> (10 characters, > 2^60), and is designed to be printed on a small card
> that the user carries with them like a token or a key. Obviously, you
> could argue the merits of shorter vs. longer keys. My choices are
> still quite arbitrary at this stage. New passwords would be issued at
> regular intervals. (Remember, these are staff members. I can do that.
> :-)

Actually, that's an excellent procedure. Looks like you've already done
most of your homework. I'm assuming that you've already looked into
these other issues, but just in case:

Monitor everything.
Disable accounts that experience x successive unsuccessful logins.

Obviously, you have some *serious* security concerns.

> So, the idea is that a much better overall entropy is obtained, like
> using a secret password plus a physical key.
> The unlikely worst case:
> an attacker knows this system (password length and character set),
> physically mugs a user, is able to obtain the system password hash,
> AND has the resources to brute force the remaining 6 character
> remembered secret. This still gives the staff member several hours to
> change his or her password if he/she suspects the key was compromised.

I wouldn't be worried about folks getting mugged, so much as someone
being lazy with the security of their system password hash. In this
case, an account disabling policy will help, because the account will
be disabled before the cracker can brute force it. Many folks will
expose their password to others out of laziness and never really notice
it. (Just do an experiment and stand behind 5 people while they're
logging in and see how many actually hide what they're typing from you.)

Another issue is user education. If security is that critical to your
network, I would implement a mandatory user education program. Use it to:
1. Explain what's going on and how it works.
2. Instruct on best practices.
3. Scare the crap out of them.

> I know that people *want* to re-use their favorite dictionary
> password(s)... so there will be *some* resistance to a system like the
> above...

You might be able to use the poetry method above to ease things.

> I'm not really interested in a "passwords are bad" debate, unless
> there are readily available technologies of which I'm not aware that
> can be deployed across many dumb insecure computers across an insecure
> network.

Passwords are fine, users are bad ;)

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
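An added example, not code from either poster, that puts numbers on the two schemes discussed in this thread and implements the "disable after x successive failed logins" policy: the poetry acronym, the entropy of a uniformly random password over a 68-character set (the exact symbol set is an assumption, since the post does not list it), and a scan of constructed sshd auth-log lines that flags accounts whose streak of failures reaches a threshold, with a successful login resetting the streak.

```python
import math
import re
import string
from collections import defaultdict

# Assumed 68-character set: 62 alphanumerics plus six easily typed symbols
# (the post does not list its exact symbols; this choice is constructed).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^"

def acronym(lines):
    """Poetry trick: first letter of each word, lower-cased, joined."""
    return "".join(w[0].lower() for line in lines for w in line.split())

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

# OpenSSH auth-log messages for password logins; the 'invalid user' form
# is what sshd logs for a nonexistent account.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from")

def accounts_to_disable(log_lines, max_failures):
    """Users with max_failures or more *successive* failed logins.
    A successful login resets that user's streak; earlier flags stay."""
    streak = defaultdict(int)
    flagged = set()
    for line in log_lines:
        m = FAILED.search(line)
        if m:
            streak[m.group(1)] += 1
            if streak[m.group(1)] >= max_failures:
                flagged.add(m.group(1))
            continue
        m = ACCEPTED.search(line)
        if m:
            streak[m.group(1)] = 0
    return flagged

# Constructed sample auth.log lines (not from any real host).
SAMPLE_LOG = [
    "Jun 19 09:01:02 host sshd[201]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Jun 19 09:01:05 host sshd[201]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Jun 19 09:01:09 host sshd[202]: Accepted password for alice from 10.0.0.5 port 40002 ssh2",
    "Jun 19 09:02:00 host sshd[203]: Failed password for bob from 10.0.0.9 port 40003 ssh2",
    "Jun 19 09:02:03 host sshd[204]: Failed password for bob from 10.0.0.9 port 40004 ssh2",
    "Jun 19 09:02:07 host sshd[205]: Failed password for bob from 10.0.0.9 port 40005 ssh2",
]
```

With a threshold of 3, only bob is flagged: alice's two failures are wiped by her successful login, which is the behaviour a lockout policy needs so that ordinary typos do not lock staff out.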