From owner-freebsd-security Wed Jun 19 15:49:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id DBA1A37B403 for ; Wed, 19 Jun 2002 15:49:11 -0700 (PDT)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.11.6/8.11.6) with ESMTP id g5JMn5837415; Wed, 19 Jun 2002 16:49:05 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Wed, 19 Jun 2002 16:49:04 -0600 (CST)
From: Ryan Thompson
To: Bill Moran
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Password security
In-Reply-To: <3D108570.70409@potentialtech.com>
Message-ID: <20020619154831.Q32240-100000@ren.sasknow.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bill Moran wrote to Ryan Thompson:

> There were a lot of excellent responses,

I'd like to echo the same to the list; thanks to all of you for the
plethora of responses and good discussion. This thread is actually not
getting as far off track as I thought it might by now :-)

> There are some tricks to improve the "average human's" memory.
> Poetry is one of them. Most people can memorize a few lines of
> poetry (or a song) rather easily. Increase the length of their
> passwords to 10+ and then tell them how to generate them: Take a line
> of poetry or a line from a song and make an acronym from it.

Yes, very good idea. I have tried similar strategies in the past, and
had problems with compliance. (People inevitably tried it, got tired of
the "new thing", and changed their password back to what it was
before). I guess the problem was that the users still had access to set
almost arbitrary passwords for themselves... so going back to old
habits was too easy. I probably should have persisted with this and
made it work.

Issuing passwords, at least, guarantees some level of password
uniqueness and entropy... provided users don't do foolish things like
tape it to their monitor because it's too long to remember. :-) Thus, I
can restrict access to the passwd binary, and print the wallet cards
with new keys every month, and assist with the memorization of the new
short passwords. (Which, if I use the "poetry" idea in some way, will
be much easier).

> poem is actually much longer (and I remember the whole flippin
> thing), but just those two lines give me "trftpidtshbiclttantb" as a
> password, 20 characters, and while I don't know for sure, it would
> seem to me that there's more entropy in that than in any "word"

Yes, certainly. Calculating the entropy of that beast would be a bit
difficult... One could just say 26^20, but if I know (or guess) it's
English, and every letter doesn't occur with nearly the same
probability, it's less than that. If I happen to know your algorithm,
and have a dictionary of poetry and/or lyrics handy, it's a *lot* less
than that. If you can mix upper/lower and add punctuation (e.g., "Lo,
Fred's chickens laid 24 eggs!" => "L,F'scl2e!"), it makes for a
stronger password. More stats than I'd like to do at the moment. :-)

The truth is passwords based on "human" algorithms are usually
surprisingly hard to break. Things like q4w3e2r1t0y fool password
crackers regularly, and usually require brute-forcing. So, short answer
is, yes, your password likely wouldn't be vulnerable to brute-force or
standard dictionary attacks. More effort than required to attack other
avenues, which is really the important thing.

> password. Most people already have dozens of songs memorized, so it
> works. This is more of a "stupid human trick" than brave new
> technology, but it may be helpful to you. :-)
>
> > The best I've come up with so far is to issue random passwords,
> > from an array of 68 possible characters (alpha num and some
> > easily-typed symbols). I issue two passwords for each user. One is
> > short enough to be remembered with a small effort (6 characters,
> > entropy > 2^36, assuming my randomizer is up to par). The second
> > [...]
>
> Actually, that's an excellent procedure. Looks like you've already
> done most of your homework.

I kind of like it myself.

> I'm assuming that you've already looked
> into these other issues, but just in case:
> Monitor everything.

Yep. Log to line printer... Account audits... Throughput monitoring
(logins, attempts, bandwidth, etc)... Remote monitoring... The list
goes on.

> Disable accounts that experience x successive unsuccessful logins

Exponential backoff works well enough. I suppose we could trigger
stronger (email) warnings to sysadmins and users after a number of
unsuccessful attempts.

> Obviously, you have some *serious* security concerns.

Doesn't everybody? :-) More than anything, password security is weak,
yet fairly trivial to strengthen. So I wouldn't be doing my job if I
didn't do something about it *before* an attacker takes the initiative
:-)

> > [...]
>
> I wouldn't be worried about folks getting mugged, so much as someone
> being lazy with the security of their system password hash. In this
> case, an account disabling policy will help, because the account
> will be disabled before the cracker can brute force it. Many folks
> will expose their password to others out of laziness and never
> really notice it.

Agreed.

> [...]
> to your network, I would implement a mandatory user education
> program. Use it to:
>
> 1. Explain what's going on and how it works.
>
> 2. Instruct on best practices.
>
> 3. Scare the crap out of them.

Good points. Of course we already have a security policy (10 clearly
written pages, supplemented with links to other sources for those who
want a more detailed understanding). I personally present the security
policy to new employees and informally discuss the important points
one-on-one. A security quiz follows, reinforced with soda and snacks.
Policy seems to sit better when accompanied by food for some reason.
:-)

> > I know that people *want* to re-use their favorite dictionary
> > password(s)... so there will be *some* resistance to a system like
> > the above...
>
> You might be able to use the poetry method above to ease things.

Good idea. I might just do that.

> > I'm not really interested in a "passwords are bad" debate, unless
> > there are readily available technologies of which I'm not aware
> > that can be deployed across many dumb insecure computers across an
> > insecure network.
>
> Passwords are fine, users are bad ;)

:-)

- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901 1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-664-3630 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
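An added worked example, not part of this message or the list thread, putting numbers on the two schemes discussed above: issued random passwords from a 68-symbol alphabet, and the poem-acronym transform. It assumes a 68-character alphabet built from the 62 alphanumerics plus six symbols chosen here (the message does not say which symbols it used), and the `acronym()` rule is inferred from the one example in the thread ("Lo, Fred's chickens laid 24 eggs!" => "L,F'scl2e!"): keep the first character of each word plus any punctuation that follows it. Passwords are drawn from the OS CSPRNG via `secrets`, which is the "randomizer is up to par" condition the message attaches to its 2^36 figure.

```python
import math
import secrets
import string

# Assumed 68-symbol alphabet: the 62 alphanumerics plus six easily typed
# symbols picked for this example; the message does not list its six.
ALPHABET = string.ascii_letters + string.digits + "!@#$%-"
assert len(ALPHABET) == 68


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: log2(alphabet_size ** length).

    For a human-made acronym this is only an upper bound; the thread's point
    is that English letter frequencies and a known algorithm lower it."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size, target_bits):
    """Shortest length whose uniform-random entropy is strictly above target_bits."""
    n = math.ceil(target_bits / math.log2(alphabet_size))
    if entropy_bits(alphabet_size, n) <= target_bits:  # ceil may land exactly on target
        n += 1
    return n


def issue_password(length=6, alphabet=ALPHABET):
    """Issue a password from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def acronym(line):
    """Poem/lyric acronym (rule inferred from the thread's example): first
    character of each word, keeping any punctuation from that point on,
    so "Fred's" -> "F's", "eggs!" -> "e!", "24" -> "2"."""
    parts = []
    for word in line.split():
        tail = ""
        for i in range(1, len(word)):
            if not word[i].isalnum():
                tail = word[i:]
                break
        parts.append(word[0] + tail)
    return "".join(parts)


if __name__ == "__main__":
    print(f"68^6  -> {entropy_bits(68, 6):.2f} bits, e.g. {issue_password()}")
    print(f"26^20 -> {entropy_bits(26, 20):.2f} bits (uniform-letter upper bound)")
    print(f"min length for > 36 bits from 68 symbols: {min_length(68, 36)}")
    print(acronym("Lo, Fred's chickens laid 24 eggs!"))
```

Six characters from 68 symbols give about 36.5 bits, which is the "> 2^36" in the quoted procedure; the 26^20 figure for the 20-letter acronym comes out near 94 bits, but only if an attacker treats it as uniform random letters, which, as the message notes, is not the right model once the algorithm and a lyrics corpus are known.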