
Security thoughts


Doug Jewell

Dec 22, 2009, 7:10:05 AM
Where I work, there are 2 main applications that I use
pretty much every day, but also another 4 applications and 3
web-based apps that I use about once a week, and about
another half-dozen web-based apps that I use maybe once or
twice a month. All systems require a username/password
combination for security, and all have enforced rules for
changing passwords and the format of the password, e.g.
some require punctuation, some won't allow punctuation, some
require digits, some require a mix of case, a couple will
only allow lower case, some will reject passwords that are
based on a dictionary word, one even rejects passwords that
it deems "pronounceable". Most of them will only allow
password change when the system decides it is time to change
- you can't change on demand.

The net result is that even if you try to keep a common
password, you will soon end up with a dozen different
passwords, many of which are seemingly random sets of
characters. So today when I jotted one of the new passwords
into my PDA, I commented to my manager, "if someone ever
found my pda they'd have access to everything", she replied
"all mine are in a notepad in my drawer, so even easier to
get at".

It occurred to me - all the efforts that the various program
designers have gone to to try to make their stuff secure has
resulted in the complete opposite. The strict rules would
probably be ok if the one system was all their users ever
had to use. But because we have multiple systems, the only
way to remember the multitude of passwords is to write them
down. As soon as a password is written down it is only as
secure as the place it is written. In my case it is on my
pda which requires a 4 digit pin to access, so moderately
secure. In my manager's case, it is as secure as the top
drawer in her desk in her unlocked office, so not secure at all.

If all our application suppliers could standardise on one
set of rules for passwords, didn't enforce changes but
allowed on-demand change, (maybe with a warning after 30
days), then we could standardise on one password that could
be committed to memory, and the security would be greater
than a system that requires a new set of random characters
every 7 days.

--
What is the difference between a duck?
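Doug's complaint above, modelled as an added example that is not from the thread: the rule kinds he lists (require/forbid punctuation, require digits, mixed case, lower case only; the dictionary and pronounceability checks are left out) are attached to hypothetical system names, and the code reports which systems a candidate password breaks and how many distinct passwords the conflicting rules force a user to keep.

```python
import string

# Character classes the rules talk about.
CLASSES = {
    "punct": set(string.punctuation),
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
}

# Each rule is (character class, required). required=True means the
# password must contain that class, False means it must not.
# System names are hypothetical; the rule kinds are the ones in the post.
POLICIES = {
    "finance-app": {("punct", True), ("digit", True)},
    "hr-portal":   {("punct", False), ("digit", True)},
    "intranet-a":  {("upper", True), ("lower", True)},    # mixed case
    "legacy-host": {("upper", False), ("punct", False)},  # lower case only
    "ticketing":   {("digit", True), ("lower", True)},
}


def failing_systems(password, policies=POLICIES):
    """Return the (sorted) systems whose rules the password breaks."""
    present = {name for name, chars in CLASSES.items()
               if any(c in chars for c in password)}
    return sorted(system for system, rules in policies.items()
                  if any((cls in present) != required for cls, required in rules))


def conflicts(rules_a, rules_b):
    """Two rule sets conflict when one requires what the other forbids."""
    return any((cls, not required) in rules_b for cls, required in rules_a)


def password_groups(policies=POLICIES):
    """Greedily partition systems into groups whose rules one password can
    satisfy. The group count is how many distinct passwords the user must
    remember under this grouping (greedy colouring is not always optimal,
    so the true minimum can be lower but never zero conflicts)."""
    groups = []
    for system, rules in policies.items():
        for group in groups:
            if not any(conflicts(rules, policies[other]) for other in group):
                group.append(system)
                break
        else:
            groups.append([system])
    return groups


if __name__ == "__main__":
    print(failing_systems("Abc123!"))   # breaks the no-punctuation systems
    print(failing_systems("abc123"))    # breaks the punctuation/mixed-case ones
    print(password_groups())            # two groups: two passwords at least
```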

Rod Speed

Dec 22, 2009, 2:12:01 PM

I let Roboform keep track of all the passwords. It allows
them to be stored on an encrypted USB stick etc.

> If all our application suppliers could standardise on one
> set of rules for passwords, didn't enforce changes but
> allowed on-demand change, (maybe with a warning after 30
> days), then we could standardise on one password that could
> be committed to memory, and the security would be greater
> than a system that requires a new set of random characters
> every 7 days.

Trouble with that one password approach is that if it gets compromised
on one of the systems it's used for, you can end up comprehensively fucked.

You can never be sure that particularly with the online passwords,
that some fool won't end up having the system compromised.


Doug Jewell

Dec 22, 2009, 4:36:39 PM
Rod Speed wrote:
> Doug Jewell wrote:
<snip>

>> secure as the place it is written. In my case it is on my
>> pda which requires a 4 digit pin to access, so moderately
>> secure. In my manager's case, it is as secure as the top
>> drawer in her desk in her unlocked office, so not secure at all.
>
> I let Roboform keep track of all the passwords. It allows
> them to be stored on an encrypted USB stick etc.
The app I have for my PDA tracks them ok, but doesn't have
automatic filling like roboform appears to. Unfortunately a
system like roboform can't be used at work - our machines
are locked down so we only have basic user access. Even
plugging a thumb drive in requires an administrator password
to allow it to install, so we can't use external software,
no thumb drives, etc. That side of the system is nice and
secure - annoyingly so sometimes - but at least we don't
have problems with nasties, and keeps it relatively simple
for the IT guys to maintain.

>
>> If all our application suppliers could standardise on one
>> set of rules for passwords, didn't enforce changes but
>> allowed on-demand change, (maybe with a warning after 30
>> days), then we could standardise on one password that could
>> be committed to memory, and the security would be greater
>> than a system that requires a new set of random characters
>> every 7 days.
>
> Trouble with that one password approach is that if it gets compromised
> on one of the systems it's used for, you can end up comprehensively fucked.
I'd be inclined to think having a single password committed
to memory would be harder to compromise than a notepad in a
drawer.

>
> You can never be sure that particularly with the online passwords,
> that some fool won't end up having the system compromised.
All our web-based systems are internal intranet anyway, but
administered by half a dozen or so different divisions,
hence the different rules. There is no external internet
access to these systems, so unless someone was in the
building, they've got no chance. But once someone does get
in the building...

Obviously what my manager does is against company procedure,
and for that matter having mine in my PDA is too. We are
instructed not to write passwords down, but I don't think it
would be humanly possible to remember them all.

Rod Speed

Dec 22, 2009, 5:23:51 PM
Doug Jewell wrote:
> Rod Speed wrote:
>> Doug Jewell wrote:
> <snip>
>>> secure as the place it is written. In my case it is on my
>>> pda which requires a 4 digit pin to access, so moderately
>>> secure. In my manager's case, it is as secure as the top
>>> drawer in her desk in her unlocked office, so not secure at all.
>>
>> I let Roboform keep track of all the passwords. It allows
>> them to be stored on an encrypted USB stick etc.

> The app I have for my PDA tracks them ok, but doesn't have
> automatic filling like roboform appears to.

Yeah, that's its main advantage. Not only auto filling, but also auto logon etc too.

> Unfortunately a system like roboform can't be used at work - our machines are locked down so we only have basic user
> access.

You could run it on your PDA so it doesn't matter if the PDA gets stolen etc.

> Even plugging a thumb drive in requires an administrator password to allow it to install, so we can't use external
> software, no thumb drives, etc.

You don't have to use it like that, it's just more portable that way.

> That side of the system is nice and secure - annoyingly so sometimes - but at least we don't have problems with
> nasties, and keeps it relatively simple for the IT guys to maintain.

You can still use roboform.

>>> If all our application suppliers could standardise on one
>>> set of rules for passwords, didn't enforce changes but
>>> allowed on-demand change, (maybe with a warning after 30
>>> days), then we could standardise on one password that could
>>> be committed to memory, and the security would be greater
>>> than a system that requires a new set of random characters
>>> every 7 days.

>> Trouble with that one password approach is that if it gets compromised on one of the systems it's used for, you can
>> end up comprehensively fucked.

> I'd be inclined to think having a single password committed to memory would be harder to compromise than a notepad in
> a drawer.

Yes, but automating it with roboform is much better
than both and you can never be fucked over by the
password getting compromised on any system.

There is always some risk that one of the systems you have
a password on is run by an arsehole that deliberately keeps
passwords in a way that he can use them anywhere he likes.

>> You can never be sure that particularly with the online passwords,
>> that some fool won't end up having the system compromised.

> All our web-based systems are internal intranet anyway, but
> administered by half a dozen or so different divisions,
> hence the different rules. There is no external internet
> access to these systems, so unless someone was in the
> building, they've got no chance. But once someone does get
> in the building...

Sure, but everyone really needs something that can handle all their passwords, not just some of them.

> Obviously what my manager does is against company procedure,
> and for that matter having mine in my PDA is too. We are
> instructed not to write passwords down, but I don't think it
> would be humanly possible to remember them all.

Dunno, it might be feasible to come up with just one or two that do work in all systems.

You'll always need more than just one because some systems mandate changing them.
So you will always need at least two and it's no big deal if you can't remember which
one is the current one on a particular system because you can just try the other one
if one fails.


Frank Slootweg

Dec 22, 2009, 5:40:15 PM
Doug Jewell <a...@and.maybe.ill.tell.you> wrote:
[...]

> Obviously what my manager does is against company procedure,
> and for that matter having mine in my PDA is too. We are
> instructed not to write passwords down, but I don't think it
> would be humanly possible to remember them all.

So don't stress about it. Unworkable "company procedures" are the
responsibility of those who wrote them. Make things *as* workable for
*you* and don't make them *less* secure than your manager's. If it's
really *your* PDA, then get some file-encryption software for it and
encrypt your file-with-passwords. That protects you against the PIN code
being cracked or/and any kind of physical access to the PDA.

Hunter

Dec 22, 2009, 5:50:38 PM

The problems with implementing a single-signon system can be huge.

Firstly if one account/password is compromised then all systems are
compromised, not a great security model.

Secondly different "systems" may have different non-compatible methods
of authentication. One may be based on an active directory account for
example (I love the fact most systems allow for this, it does make
things much easier even if one password being compromised does lead to
access to more systems this way), another may have its' own internal
account management and be of a proprietary nature, and it can be
nightmarish trying to synchronise passwords (by the nature of them being
secure and encrypted) between different systems. Anyone who's ever gone
through the nightmare of trying to synchronise active directory passwords
with EDir for example will remember this sort of thing with a shudder.

Thirdly some of the systems may not be hosted locally and be managed by
a different IT crowd with their own policies and procedures, and there
is no way either side is likely to expose the required functionality to
the other side to manage a working password synch (although in some
cases this is achievable in a secure manner, such as populating an ADAM
for authenticating to the remote system, if the remote end is willing to
use this for authentication purposes).

Plenty of other potential nightmares too.

In relation to complex passwords we recently had (and are still in) a
battle with the Office of the Auditor General over the very same
problem. Complex passwords may be considered more secure by a propeller
head, but in a real world environment with real people the social
reality of complex passwords is that they will be less secure due to the
methods people will take to "remember" them.

The audit says we're not secure due to us allowing non-complex
passwords, but the problem is these little runts from OAG have never
really worked in IT departments from what I can tell, they have no
concept of the "sticky note on the monitor" phenomenon that occurs if
people are forced to change their password every month for a complex
password, or of the massive load this places on the helpdesk with
perpetual calls to reset passwords (and where is the security in
trusting a phonecall for a password reset? We had to do it with complex
passwords due to the fact work would have ground to a halt every month
if we did not).

After a couple of months of trialing complex passwords (off our own
backs, with no OAG involvement) it became very apparent that simple
passwords with 3 monthly changes in the vast majority of cases had the
average user able to remember the passwords, the sticky notes
disappeared, the phone calls for password changes stopped. The passwords
may have been more "crackable" in theory, but in reality they were more
secure as you didn't just have to walk into someone's office and look at
their monitor (or under their keyboard was another big one) to get the
password any more. A couple of years later enter the OAG, reality has no
place in their little world, just what their cheat sheets tell them. So
currently we're refusing to budge and they're threatening us with doom
and destruction unless we implement a much less secure system.... Really
wonder why I work for the govt sometimes, too many fuckwits that don't
have a clue.

who where

Dec 22, 2009, 7:23:50 PM
sounds distinctly like QPOL ....

Marts

Dec 27, 2009, 2:57:36 AM
Doug Jewell wrote...

> Obviously what my manager does is against company procedure,
> and for that matter having mine in my PDA is too. We are
> instructed not to write passwords down, but I don't think it
> would be humanly possible to remember them all.

For years we didn't have to deal with this crap. Then something happened in the
US and a Bill was passed that forced corporations to adopt tighter security
measures. Because the company that I work for (or rather its parent) does
business in the US it was forced to adopt the rules.

So, for years all of my passwords were single letter ones.

Now, some might say that this is folly. But first, whoever may have tried to log
in as me would have needed to know that I used a single letter p/w. If I never
told anyone they'd assume that I did what everyone else did - use my date of
birth, first born's second name spelled backwards or whatever.

We have not had any security breaches. The only problem was that of people
forgetting to log off the computers that they were using and someone coming
along and upon discovering this error, to fiddle with their settings or to send
off silly emails or whatever.

That shit still happens today, even with long character, convoluted passwords...

Marts

Dec 27, 2009, 2:57:36 AM
Doug Jewell wrote...

> Where I work, there are 2 main applications that I use
> pretty much every day, but also another 4 applications and 3
> web-based apps that I use about once a week, and about
> another half-dozen web-based apps that I use maybe once or
> twice a month. All systems require a username/password
> combination for security, and all have enforced rules for

Same where I am.

One of my passwords was a series of 8 numbers followed by a letter and a
punctuation mark.

That was the minimum required.

And we are forced to change it every 2 or so months.

So, when they started this bullshit (prior to that my password was a single
letter) I started with 11111111m. Then it became 22222222m. and so on.

If I reverted to say, 111... it would tell me that it was too close to the last
6 passwords.

Currently it's the model number of a motorbike that I like with a punctuation
mark at the end of it.

That logs me into the work network.

Some apps retrieve my password from my profile. Others, such as a web based
program called Maximo request that same password but it has to be entered
manually. Previously it was retrieved from my profile, but they changed it as
they thought that this login process was slowing the system.

So, when I change my computer login p/w I also change the ones that require
independent logins, such as the payroll program (a HR system that allows me to
change banking details, enter leave applications, view payslips and so on), a QA
system called Paradigm Internet and some home grown Access databases that we use
internally.

And all of this is driven from the IT weenies over in Pommyland who think that
we're here to service their requirements, rather than they being there to enable
us to do the work that actually earns the company money which pays their wages.


Marts

Dec 27, 2009, 2:57:36 AM
Hunter wrote...

> In relation to complex passwords we recently had (and are still in) a
> battle with the Office of the Auditor General over the very same
> problem. Complex passwords may be considered more secure by a propeller
> head, but in a real world environment with real people the social
> reality of complex passwords is that they will be less secure due to the
> methods people will take to "remember" them.

And how many of these propeller heads and shiny bums - (c) RS - themselves store
their own passwords on less secure media?

Marts

Dec 27, 2009, 2:57:36 AM
Doug Jewell wrote...

> The app I have for my PDA tracks them ok, but doesn't have
> automatic filling like roboform appears to. Unfortunately a
> system like roboform can't be used at work - our machines
> are locked down so we only have basic user access. Even
> plugging a thumb drive in requires an administrator password
> to allow it to install, so we can't use external software,

What a bugger. Everyone here has their own thumbdrives on which they store their
documents and stuff. Otherwise it would make it too difficult to take work home
or to back up copies of stuff.

It's about the only thing that we can do without admin access levels.
