[LINK] Guidance re Passwords

Tom Cleary tom.cleary at gmail.com
Mon Jul 25 01:59:02 AEST 2011


Roger,

Would it be worthwhile also mentioning some of the attempts to make use of
passwords safer, such as "password safe"?

My impression is that the major issue with people and passwords (apart from
"rational rejection" of the security process, but that's a different
problem...) is that the complexity and increasing need to change them
frequently has reached the point that it's too hard for the "normal person"
to keep up.

The measures which try to automate the bothersome bits of password
management are at least a start at trying to extend the life of passwords,
but sadly, I think most folks acknowledge that the "sell by" date of
passwords is at best passing, at worst long gone....

However much we try to improve handling of the most widely deployed security
measure in the world, if it's broken maybe we should be advocating putting
down our injured pet?  ;-)

Regards,

tom.

On Sat, Jul 23, 2011 at 8:40 AM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:

> A correspondent on BrowserID issues has asked me a question about the
> use of 'password managers'.
>
> It prompted me to think about what guidance we give consumers (and
> employees, students, etc.) in relation to passwords and their
> protection.
>
> Surprisingly, a quick web-trawl found little of much use - although
> there are plenty of 'how to select a good password' pages, some of
> them daft (i.e. of the form 'make sure your passwords are so
> complicated that you can't possibly remember them').
>
> It's good to see that this is better than most:
> http://www.staysmartonline.gov.au/factsheets/factsheet_15
> (I like this bit: 'To make a password easy to remember, think of a
> pass phrase and then change some of the characters to make it a
> strong password';  although the examples are unrealistic).
>
> Can linkers point to other useful guidance pages?
>
> A 20-minute tap at the keyboard produced the below.  Feedback appreciated.
>
> _________________________________________________________________________
>
>
>              What Everyone Ought to Know About Passwords
>
>            Very Tentative, One-Pass Draft of 23 July 2011
>
> Passwords are widely used as a means for authenticating a person's
> authority to use an account.  The logic underlying a password is that
> it's something that only the (or an) authorised person should know.
>
> A password alone offers only a low level of security, because it's so
> easily compromised, i.e. discovered by someone else.
>
> Alternative 'single-factor authenticators' include:
> -   what you have, such as a hoozit that generates a one-time password
>     each time the user needs to authenticate themselves, or a digital
>     signing key.  (By hoozit I mean some kind of device.  We used to
>     call such things a widget, but that word's come into common usage)
> -   what you are, i.e. a biometric
> -   where you are, e.g. your IP-address or device-ID
> -   what you do, e.g. the time-signature of the key-strikes when
>     you're typing your password
>
> Digital signature technologies have theoretical appeal, but also
> multiple vulnerabilities.  (Among other things, the use of the
> signing key may be protected by a password, which represents a weak
> link in the security chain).
>
> Biometrics, contrary to the nonsense put about by marketers, are
> highly vulnerable as well, in particular because a biometric is not a
> secret, can be easily captured and replayed, and in some cases is
> easily spoofable.
>
> The most effective approach is multi-factor authentication,
> particularly including a one-time password - which may be generated
> by a hoozit, or sent to the user when it's needed, but via a
> different channel.
>
> Authentication security needs to be traded off against practicality.
> Because all of the alternatives are awkward, and none are foolproof
> or attacker-proof anyway, passwords are here for the long haul.
>
> Remembering even one password is bad enough, but remembering a lot of
> passwords is even more challenging, especially for the accounts that
> you use infrequently.  It's therefore common for people to take risks
> such as:
> -   using the same password for multiple accounts;  and/or
> -   recording their passwords in one or more locations, which
>     -   may be local to them or remote from them
>     -   may or may not be hidden and
>     -   may or may not be protected, e.g. by another, 'master' password
>
> Below are some security risks with passwords, and approaches to
> reducing the likelihood that you will suffer from them.
>
> How seriously you should take this advice depends on how much harm
> you could suffer if someone else acquires your password and operates
> on your account.
>
>
>         Password Vulnerabilities and Threats, and Safeguards
>
> 1.  Guessing of the Password
> Do not use obvious words, or obvious data associated with you
> (e.g. your birthdate, your name, a close relative's name).
> If the account is issued with a default password, only use that
> password once, to gain access the first time, then immediately change
> it.
> (Remember Murdoch's once-successful paper 'The News of the World').
>
> 2.  'Brute Force' Guessing of the password
> (Programs have been written that test large numbers of combinations
> of characters.  They are typically based on a 'dictionary attack').
> Do not use simple words.  At least mis-spell them, and preferably use
> unlikely (but memorable) combinations of letters, digits and
> punctuation marks, e.g. (it's published, so don't use this one!)
> pass?w0rd
>
> 3.  Visual Observation of the Password
> (Someone sees what you keyed in, or which keys you hit).
> Don't key your password into a field that displays in clear on the screen.
> Don't key your password when someone is watching your hands.  (This
> applies *especially* to your flatmates, family-members and workmates).
> Obscure the keys you strike by putting your hands or body in the way.
> Change your password very shortly after it may have been observed,
> e.g. when you've used it in an Internet cafe or airport lounge.
>
> 4.  Electronic Observation of the Password
> (The term 'key-logger' refers to malware that can detect what you key in).
> Install, maintain and run 'brand-name' anti-malware software.  You
> need to be confident in that software, so don't accept dodgy-looking
> offers.
> When in a relatively secure environment (hopefully this includes at
> home), prefer a mouse-based user-interface (where you click on the
> relevant characters on the screen, rather than typing them on the
> keyboard).
> But this is insecure in a public space like an Internet cafe.
>
> 5.  Interception of the Password
> (Someone or something in the network sees the password as it goes by).
> Do not provide a password unless you're on an encrypted link
> (e.g. one that uses SSL/TLS, which displays 'https' in your web-browser).
> Do not send your password in an unencrypted email-message.
>
> 6.  Phishing of the Password
> (Someone tricks you into sending your password to them).
> Do not click on a hotlink in an email and then enter your password.
> Only ever enter your password when you are confident you are
> communicating with the right server, e.g. you've typed the URL from a
> reliable source, or you're using a bookmark that you previously typed
> in.
>
> 7.  Compromise of One Account's Password Compromises Other Accounts
> Do not use the same password for more than one account.
> OR
> Do not use the same password for more than one *important* account.
> It's less risky to use one password for the myriad accounts you're
> forced to have but where the harm would be minimal even if it's
> compromised (e.g. commentators' accounts, e-mailing list admin
> accounts, subscriptions to paid content, reviewers' accounts).
>
> 8.  Discovery of Passwords in Storage
> Do not record your passwords.  (But that's difficult advice to follow!).
> Record not the passwords, but reminders of what the passwords are.
> Do not record all of your passwords or reminders in one place.
> Obscure the fact that they are passwords or password reminders.
> Obscure your password records by encrypting them (whether manually,
> or using crypto software together with a crypto-key and/or 'master'
> password).
> Prevent other people accessing the record, e.g. carry it on you,
> whether on paper or in a device that isn't network-connected.
> Do not store your password-related records remotely over a network;
> or, if you do, then make sure that it's crypto-protected against the
> organisation that stores it for you, and against others.
>
> 9.  Compromise of the Password-Reset Process
> (It's normal for there to be a way to override the password on an
> account, and generate a new one.  It then has to be re-issued,
> usually to the email-account that you nominated when you opened the
> account).
> Record the email-address that you used when you opened each account.
> Make sure that you have access to that account, and that no-one else has.
>
> 10. Continued Use of a Compromised Password
> If you have any reason to suspect that someone may have discovered
> your password, get into a relatively secure environment and then
> change it.
> If you have used any password for a long time (and protection of the
> account is important), assume that it's been compromised, and change
> it.
> How long is 'a long time'?  It's inversely proportional to the damage
> that someone can do to you if they get into your account, i.e. the
> more important the account, the more often you should change the
> password.
>
>
> --
> Roger Clarke                                 http://www.rogerclarke.com/
>
> Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                    Tel: +61 2 6288 1472, and 6288 6916
> mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
>
> Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
> Visiting Professor in Computer Science    Australian National University
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
>
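The 'dictionary attack' that item 2 of the quoted draft refers to is rarely a plain word-by-word comparison: cracking tools apply mangling rules (case changes, letter-for-digit substitutions, inserted punctuation) to every dictionary word. The script below is an added example, written for this page and not code from either correspondent, that implements a small rule-based attack of that kind. The word list, the substitution rules and the two target passwords are constructed here for illustration; the SHA-256 of the target stands in for a captured unsalted hash and is an assumption, not something the draft describes.

```python
"""
Rule-based dictionary attack (added example, not from the original post).

Shows that a password made by 'mis-spelling' one dictionary word with a
digit substitution and an inserted punctuation mark (the draft's own
"pass?w0rd") is reached after a few dozen guesses, whereas a password
that is not derived from a single dictionary word is never reached by
these rules at all.  Word list, rules and targets are constructed here.
"""
import hashlib
import itertools

# Constructed mini-dictionary; a real attack uses millions of entries.
WORDLIST = ["password", "letmein", "welcome", "sunshine", "monkey", "dragon"]

# Letter-for-symbol substitutions that users commonly apply to a word.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Punctuation marks to try inserting at every position of a word.
PUNCT = "!?.$#@"


def sha256_hex(text):
    """Stand-in for a captured, unsalted password hash (assumption)."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield the word with every subset of its substitutable letters replaced.

    Only lowercase letters are substituted, so an upper-cased word yields
    just itself.
    """
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for flag, i in zip(mask, positions):
            if flag:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def insert_variants(word):
    """Yield the word unchanged, then with one punctuation mark at each position."""
    yield word
    for i in range(len(word) + 1):
        for p in PUNCT:
            yield word[:i] + p + word[i:]


def candidates(wordlist):
    """Generate guesses: each word in three cases, with leet and insertion rules."""
    seen = set()
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for leet in leet_variants(base):
                for guess in insert_variants(leet):
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hash, wordlist, limit=1_000_000):
    """Try candidates in order; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if sha256_hex(guess) == target_hash:
            return guess, guesses
        if guesses >= limit:
            break
    return None, guesses


if __name__ == "__main__":
    # "pass?w0rd" is the draft's published example; the second target is a
    # constructed passphrase that no single dictionary word plus rules yields.
    for target in ("pass?w0rd", "purple-kettle-orbit-stamp"):
        found, n = crack(sha256_hex(target), WORDLIST)
        if found:
            print(f"{target!r}: recovered after {n} guesses")
        else:
            print(f"{target!r}: not found in {n} rule-generated guesses")
```

The attack finds "pass?w0rd" early because it comes straight from "password" with one substitution and one inserted character; extending the rule set (two insertions, appended years, keyboard walks) is how real tools cover the remaining 'memorable' variants. A password with no single dictionary word at its root, or a multi-word passphrase, forces the attacker onto a much larger search space, which is the practical content of the draft's advice to avoid simple words.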


