[clug] [OT] all text passwords == secure?

Scott Ferguson scott.ferguson.clug at gmail.com
Sat Aug 25 23:35:33 MDT 2012


On 26/08/12 12:51, steve jenkin wrote:
> Thanks for the link.
> 
> My favourite guys to hate, "The Whizkids", didn't believe in sudo+ssh,
> but in logging on as 'root' or the DB user with "super secret" passwords
> only known to a dozen of their closest friends...

and worse - sshpasswd used for root logins. One attack gains access to
everything.

The old problem - humans are lazy.

> 
> They used common words and replaced 'o' with '0' (letter-oh with zero),
> 'i' with '1' and other outstanding security practices. Passwords were
> never changed in the nearly 12 months I was on the project: would've
> been very inconvenient for them.

I can think of two Group 8 departments where the local administrator
password on every computer is a leet word in every password dictionary I
use.

> 
> I've never seen anything documented that demonstrates "frequently
> changing your password" is useful. IBM enforced that policy from very
> early on - which meant all the good folk there had guessable passwords.
> They used a 'stem' and just added the month number. Eg. steve08 is
> august and steve09 is september.

IBM still do that - I think it's a good policy, it helps limit how long
people can have unauthorised access. But as you point out, human
laziness weakens it. PEBKAC is always a problem.

> 
> Marcus Ranum suggests learning one long random string and keeping it
> secret. Do you even keep a written copy in your high-strength safe?

No - I have a formula I use, I don't remember any passwords, just how I
create them. PIN numbers are worse - I can only remember where my
fingers go - for which reason I've had to have my PINs reset on occasion.

> 
> The idea of picking something memorable and transforming it into a
> humanly processable form is good.
> But concatenating full words is NOT one of the ways...
> 
> The only things we can know for sure about Security on the Interwebs:
>  - allowing O/S's to be sold full of security holes doesn't promote security

True - but relying on developers is no panacea. We no more "know" when a
system is secure than we "know" if we have cancer developing in our body
somewhere.

>  - allowing systems to be deployed without someone legally responsible
> for their security/patching/update doesn't promote security
>  - post-fact scanning (check for known viruses) is a very poor sort of
> defence. Also known as "shutting the gate after the horse has bolted".

I try and explain it to people as a system whereby photographs are taken
of convicted burglars and compared to pictures of people entering your
house. Too bad if they're a successful burglar - and the burglar has to
try and burgle someone at least once before they're convicted.

Heuristics is GIMPing a moustache, beard, and sunglasses onto pictures
of convicted burglars. :-)

> 
> And "stronger passwords" - that's useful for a small class of
> threats/compromises.
> BUT, like the recent WIRED story shows, the Interwebs security model is
> broken: Every site runs its own authentication/identification system,
> without reference to, or co-ordination with anyone else. [OpenID, no]

Cuts both ways. A central authority is centralised risk.
As Puddin' Head Wilson said "put all your eggs in one basket and watch
that basket".. ;-p

> 
> Which forces people to write down all their passwords - or have a tool
> that 'manages' passwords for them. Hiding the process in a digital App
> doesn't make it any better, only creates a more dangerous false sense of
> security.

KWallet is great. Add gpg and regular backups.
Not perfect as senility is out to get me... :-)

> 
> Around the mid-1990's this was 'the standard' in Corporate networks, and
> has been steadily replaced by SSO (Single Sign On)...
> 
> That solution only works because all the systems are within one trust
> boundary, administered by the one group. And a Single Point of
> Compromise comes with a Single Point of Management.
> 
> Who can you trust??? hard to know.

Best trust no one until a single unbreakable integrity shell is
implemented. You won't be disappointed :-D

> 
> SSO doesn't scale to the Interwebs... I've not seen a solution posited
> that does or can.

It is a high value target - and the more faith people invest in it the
greater the damage when, if, it is compromised.

> 
> I agree with your assessment of this article: Fool's Comfort.

What also concerns me is that it doesn't help educate people about the real
cloud risks, because it continues that trend of not defining what they
mean when they say "cloud". Let alone the silly example of how cloud
instances can be stripped of data because of not using the "right" disk
encryption (sigh). I blame the journalist, not the people being quoted.

<snipped>

Kind regards
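The two weak habits discussed in this thread (leet substitutions such as 'o'->'0', and a fixed stem with the month number appended to satisfy forced rotation) are easy to catch at password-change time. The following is an added example for illustration, not code from either poster; it assumes a small constructed wordlist and that both the old and the new password are available in plain text when the change is made, as a password-change hook normally has them.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary.
WORDLIST = {"password", "secret", "admin", "welcome", "steve"}

# Common single-character substitutions, reversed back to plain letters.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Anything followed by a two-digit month number, e.g. "steve08".
MONTH_SUFFIX = re.compile(r"^(?P<stem>.+?)(?P<month>0[1-9]|1[0-2])$")


def normalise(password: str) -> str:
    """Undo leet substitutions and lower-case, so 'S3cr3t' compares as 'secret'."""
    return password.translate(LEET_MAP).lower()


def check_password(password: str, wordlist=WORDLIST) -> list:
    """Return a list of policy findings; an empty list means no pattern matched."""
    findings = []
    plain = normalise(password)
    if plain in wordlist:
        findings.append("dictionary word after undoing leet substitutions")
    m = MONTH_SUFFIX.match(password)
    if m and normalise(m.group("stem")) in wordlist:
        findings.append("dictionary stem plus month number (e.g. steve08)")
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    return findings


def stem_without_trailing_digits(password: str) -> str:
    """Normalise, then drop any trailing run of digits ('st3ve09' -> 'steve')."""
    return re.sub(r"\d+$", "", normalise(password))


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password only bumps a trailing number (steve08 -> steve09)."""
    old_stem = stem_without_trailing_digits(old)
    new_stem = stem_without_trailing_digits(new)
    return bool(old_stem) and old_stem == new_stem and old != new
```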
