Friday, May 27, 2011

On Passwords

This has been bugging me for years but it comes up again and again. So it's time for passwords - a case study:
  • Passwords are important, hardly anyone doubts that (well at least for some passwords). Still people don't act accordingly. I know a company that has a policy(wtf!) that the password for any company related account is required to always be the same as the user name. (I mean wtf?!?)
  • Passwords are sensitive.
    • Still a lot of servers do auth in plain without encryption. At any stage in between anybody with access to the wire can see them. This is scarier than you might think. For example my dorm has switches that let you read the traffic of hundreds of other people.
    • Even if that is not the case you still have to trust the other end (and that they know what they are doing). I administrate a lot of computers and the people i work with are a rather capable team. I am pretty sure i can vouch for their good will, so i would trust this end. Nevertheless we for example had our ldap passwords stored in plain text and synced them into our university backup system, since we didn't set up the server initially and never thought about.
  • Passwords are difficult to get right: This is has many aspects
    • they should be memorable. It doesn't help if you have to carry it around in a pocket to know it
    • they shouldn't be too short and lala is too short ;)
    • they should be somewhat safe You know the drill, alphanumeric, capitalization, not based on a dictionary word...  Read this and laugh. If you find the full list, you'll be surprised how sexed up thelist is. When setting up our new shell server, we ran all passwords against cracklib as an audit and over half of them fell through!
    • they shouldn't be too safe. It's a sad reality but some setups even if they allow it are plain incapable of processing certain chars/encodings whatever. I had to have my university computer account reset because they had a fuckup in their system rendering passwords with umlauts different when entered and read back. This is germany for christ's sake. How many times a week must they have had this problem?!?
    • they shouldn't all be the same. Most people use the same password over and over, if you get one you potentially have a lot of accounts (i verified this a couple of times).You'd be scared if i had actual figures proving how many people do that.
      There is a difference to be made here: I asked the most tech affine and security conscious people i know and they on average had something like 5 or 6 different personal passwords. The point is they usually have an unobvious scheme of adjusting it and incorporating part of the sites name or similar into it to make them different for each site
A lot of this gone wrong can be learned by bad example from the security "experts" at HBGary and their recent fuckup. So we have all these ideas and that's all nice in theory, but:
  1. Why, oh why does every single site have to make up another different insane requirement for passwords. Please use sane somewhat lenient minimum requirements. I propose 7 chars min, one letter, one other and possible an upper case letter.  I can understand requiring numbers or special chars, a minimum length or not all lower/upper case but why the heck would you impose a maximum length of 8 (!) chars or no caps or requiring numbers only. All these make it more predictable, less easy to remember (i still hit sites where none of my standard passwords can be adapted to be accepted) and less safe in the long run. You don't gain security you lessen it!
  2. If you insist on restricting your passwords firmly, please, please add your requirements to the login page! I have reset my password countless times on many sites only to remember it when i read the reqs when asked to set the new passwords. That would usually help me more than anything. I have turned to writing the reqs in the security question because it's easier that way.

No comments:

Post a Comment