[LINK] Guidance re Passwords
Karl Auer
kauer at biplane.com.au
Sat Jul 23 11:22:58 AEST 2011
On Sat, 2011-07-23 at 10:40 +1000, Roger Clarke wrote:
> Alternative 'single-factor authenticators' include:
> - what you have, such as a hoozit that generates a one-time password
> each time the user needs to authenticate themselves, or a digital
> signing key. (By hoozit I mean some kind of device. We used to
> call such things a widget, but that word's come into common usage)
> - what you are, i.e. a biometric
> - where you are, e.g. your IP-address or device-ID
> - what you do, e.g. the time-signature of the key-strikes when
> you're typing your password
I find "hoozit" alienating and odd. Pick a normal word. "Gadget" would
be fine.
Something you know, that others are unlikely to know - such as your
birthday or mother's maiden name. In practice, most such things are
surprisingly well-known by others, or at least very easy to find out.
That someone else vouches for you.
That someTHING else vouches for you. For example, by placing a keypad
inside a locked room, you have to have the key to the room AND the right
combination for the keypad. The room lock is "vouching" that you are
authorised to use the keypad. (This is a lay explanation of defence in
depth).
> Digital signature technologies have theoretical appeal, but also
> multiple vulnerabilities. (Among other things, the use of the
> signing key may be protected by a password, which represents a weak
> link in the security chain).
Maybe just say that any security is only as strong as its weakest link?
> Biometrics, contrary to the nonsense put about by marketers, are
> highly vulnerable as well, in particular because a biometric is not a
> secret, can be easily captured and replayed, and in some cases is
> easily spoofable.
It's also non-revokable. This is IMHO its most devastating weakness.
> by a hoozit, or sent to the user when it's needed, but via a
> different channel.
Channel is a techy term. Use something more everyday.
> Authentication security needs to be traded off against practicality.
> Because all of the alternatives are awkward, and none are foolproof
> or attacker-proof anyway, passwords are here for the long haul.
"Attacker" is a techy term too. Needs simple explanation.
> - using the same password for multiple accounts; and/or
> - recording their passwords in one or more locations, which
> - may be local to them or remote from them
> - may or may not be hidden and
> - may or may not be protected, e.g. by another, 'master' password
None of these are bad per se, they are only bad in particular
situations.
> 1. Guessing of the Password
> Do not use as obvious words, or obvious data associated with you
> (e.g. your birthdate, your name, a close relative's name).
> If the account is issued with a default password, only use that
> password once, to gain access the first time, then immediately change
> it.
> ('Remember Murdoch's once-successful paper 'The News of the World').
Unfortunately, the only sane way to use a password is to choose a long
random sequence. ANYTHING else is eminently crackable.
> 3. Visual Observation of the Password
Also security cameras...
> Obscure your password records by encrypting them (whether manually,
No normal human being can effectively manually encrypt a password in any
useful time. Remove the word "manually".
> 9. Compromise of the Password-Reset Process
Write (on paper!) to your bank (or whoever) stating that they are under
NO circumstances to permit your password to be changed by any method
other than you personally fronting at their premises with suitable
identification. If the password is then compromised by someone faking
out the bank over the phone, you are covered. You'd only go to this
length with a high-value thing like a bank account.
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156