[clug] [OT] all text passwords == secure?

steve jenkin sjenkin at canb.auug.org.au
Sat Aug 25 20:51:32 MDT 2012


Thanks for the link.

My favourite guys to hate, "The Whizkids", didn't believe in sudo+ssh,
but in logging on as 'root' or the DB user with "super secret" passwords
only known to a dozen of their closest friends...

They used common words and replaced 'o' with '0' (letter-oh with zero),
'i' with '1' and other outstanding security practices. Passwords were
never changed in the nearly 12 months I was on the project: would've
been very inconvenient for them.

I've never seen anything documented that demonstrates "frequently
changing your password" is useful. IBM enforced that policy from very
early on - which meant all the good folk there had guessable passwords.
They used a 'stem' and just added the month number. E.g. steve08 is
August and steve09 is September.

Marcus Ranum suggests learning one long random string and keeping it
secret. Do you even keep a written copy in your high-strength safe?

The idea of picking something memorable and transforming it into a
humanly processable form is good.
But concatenating full words is NOT one of the ways...

The only things we can know for sure about Security on the Interwebs:
 - allowing O/S's to be sold full of security holes doesn't promote security
 - allowing systems to be deployed without someone legally responsible
for their security/patching/update doesn't promote security
 - post-fact scanning (check for known viruses) is a very poor sort of
defence. Also known as "shutting the gate after the horse has bolted".

And "stronger passwords" - that's useful for a small class of
threats/compromises.
BUT, like the recent WIRED story shows, the Interwebs security model is
broken: Every site runs its own authentication/identification system,
without reference to, or co-ordination with anyone else. [OpenID, no]

Which forces people to write down all their passwords - or have a tool
that 'manages' passwords for them. Hiding the process in a digital App
doesn't make it any better, only creates a more dangerous false sense of
security.

Around the mid-1990s this was 'the standard' in Corporate networks, and
has been steadily replaced by SSO (Single Sign On)...

That solution only works because all the systems are within one trust
boundary, administered by the one group. And a Single Point of
Compromise comes with a Single Point of Management.

Who can you trust??? hard to know.

SSO doesn't scale to the Interwebs... I've not seen a solution posited
that does or can.

I agree with your assessment of this article: Fool's Comfort.


5,000 wds on more of what I didn't like about the whizkids :-(
<http://stevej-on-it.blogspot.com.au/2012/08/battling-whizkids-how-i-kept-my-website.html>

Scott Ferguson wrote on 26/08/12 11:42 AM:
> In a hyperbolic article about computer security in The Canberra Times:-
> http://www.canberratimes.com.au/act-news/clouds-darken-in-cyber-space-20120824-24rh2.html
> Microsoft chief security adviser James Kavanagh advises:-
> <quote>
> pick good passwords, stringing three to four words together. Example:
> ''Mydogsandy''.
> </quote>
> 
> But wait, there's more. Sadly.
> Dumb triumphs over stupid in a competition of words for the biggest pile
> of FRUD. That's R for Ridiculous.
> 
> Nope - no MS campaign here (seriously), just journalistic stupidity
> milking ignorance and spreading confusion about an internet crime.
> 


-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
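The three password schemes the post criticises (a common word with o/0 and i/1 swaps, a stem plus the month number, and a few dictionary words concatenated) can be put side by side with a random string by estimating how many guesses each one leaves an attacker. The checker below is an added example written for this page, not code from the mailing-list post or from any project it mentions. The mini wordlist, the 20,000-word dictionary size and the 94-character alphabet are constructed assumptions for illustration; real wordlists and policies differ.

```python
"""Estimate the guess-space (in bits) of the password patterns discussed
in the thread.  Added example; all sizes below are assumptions."""
import math

# Constructed mini-wordlist standing in for an attacker's dictionary.
WORDS = {"my", "dog", "sandy", "steve", "password", "secret", "admin",
         "august", "correct", "horse", "battery", "staple"}

DICT_SIZE = 20_000   # assumed size of a real first-pass wordlist (assumption)
ALPHABET = 94        # assumed printable-ASCII alphabet for random strings
MONTHS = 12          # a stem + month number adds at most 12 possibilities

# Reverse the usual letter-for-digit swaps so "passw0rd" reads "password".
UNLEET = str.maketrans("013457@$", "oieastas")
LEET_LETTERS = set("oieast")   # letters an author might have swapped


def segment(s):
    """Split s into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in WORDS:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def classify(pw):
    """Return (pattern, estimated_bits) for a candidate password."""
    low = pw.lower()

    # Stem + month number (e.g. steve08): dictionary stem times 12 months.
    if len(low) > 2 and low[-2:].isdigit() and 1 <= int(low[-2:]) <= MONTHS \
            and low[:-2] in WORDS:
        return ("stem+month", math.log2(DICT_SIZE * MONTHS))

    plain = low.translate(UNLEET)

    # One dictionary word with o->0, i->1 style swaps: each swappable
    # letter doubles the variants, so 2**k variants per word at most.
    if plain in WORDS:
        k = sum(c in LEET_LETTERS for c in plain)
        return ("leet word", math.log2(DICT_SIZE * 2 ** k))

    # Several dictionary words concatenated: DICT_SIZE ** n candidates.
    words = segment(plain)
    if words is not None:
        return (f"{len(words)} concatenated words",
                len(words) * math.log2(DICT_SIZE))

    # Nothing recognised: treat as a random string over the alphabet.
    # This is an upper bound; a human-chosen string is usually weaker.
    return ("random string", len(pw) * math.log2(ALPHABET))


if __name__ == "__main__":
    for sample in ("steve08", "passw0rd", "Mydogsandy", "x7#Qp2!vLm9rT4$z"):
        pattern, est = classify(sample)
        print(f"{sample:18} {pattern:22} ~{est:5.1f} bits")
```

Run as a script it prints one line per constructed sample; the point of the numbers is the gap between roughly 18 bits for the substitution and month schemes, about 43 bits for three joined words, and over 100 bits for a 16-character random string. The estimates assume the attacker knows the scheme, which is the conservative assumption a policy should make.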