[clug] [OT] all text passwords == secure?

Scott Ferguson scott.ferguson.clug at gmail.com
Sun Aug 26 03:15:21 MDT 2012

On 26/08/12 17:17, Sam Couter wrote:
>> On 26/08/12 12:51, steve jenkin wrote:
>>> I've never seen anything documented that demonstrates
>>> "frequently changing your password" is useful.
> Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
>> IBM still do that - I think it's a good policy, it helps limit how
>> long people can have unauthorised access. But as you point out,
>> human laziness weakens it. PEBKAC is always a problem.
> Humans are an essential part of the security process. If you're not 
> taking them into consideration then you have failed.

PEBKAC *is* taking them into consideration. Pick a few major security
breaches and you'll find it might be a different dog each time, but it's
the same leg action (convenience denies responsibility and trumps
obligation when there's no retribution).

Some quick thoughts:-

Because a significant number of people won't use good passwords (it's
too hard to remember and I refuse to learn any techniques) then it
creates problems.

1. Lazy (and stupid) has it's own mass, mass = gravity (but Johnny
doesn't wash his hands, why should I?) A small problem grows (and then
people compete to vary it). Those that do the right thing suffer because
of those that won't. Every one gets audited even those that don't
require auditing. Loss of productivity all round, loss of esteem amongst
those that do the right thing (penalised, but not doing the right thing).

2. The lowering of security increases the incidences of data loss - more
decreases in productivity, and increases in costs.

3. A significant proportion of security problems originate inside an
enterprise - increasing audits and complexity increases the motivation
for people to create security problems. My experience is that when an
employee attacks the employers system the greatest damage is done by
those the usually did the correct thing - no grudge like the righteous one.

You can approach the problem two ways:-
1. enforce quality passwords - now people start writing passwords down.
This creates another security problem - people using the logins of
others. Which leads to more auditing to ensure no one leaves the
password stuck to the monitor (or under the keyboard). PEBKAC persists -
so now the passwords are still written down but carried around, and lost
outside the premises. You see where this is going? It's the - you've
breached the conditions of your employment so many times that we can't
bear the cost anymore, but we can't sack you because "everybody does it"
so you get to work from home (what's second prize a paid vacation?).
Fortunately that doesn't happen often in the ACT, but it does happen
down south. :-(

2. give in to lazy and issue hardware authentication (rainbow keys),
which does little to reduce the problem (idiot proofing doesn't work).
Because now you are transferring trust to an external entity *and* the
weak password/password written down + lost/borrowed rainbow key comes
into play.  Fingerprints? Fail. Iris scans? Fail.
3. introduce an alternative system where those that won't - get the
boot. Rarely practical.

> If your password policies make passwords hard to remember for the
> humans who have to use them, they will make passwords easier to
> remember by subverting your policies. I also use the
> incrementing-number trick at work, so by forcing me to change my
> password they've gained exactly nothing. Why bother?

A common point of view, and a too common problem. I'd bet you're a
public servant - I say that because, as has already been pointed out,
people tend to do the same things. Most public servants used a word for
a password (my experience), when rising support costs forced the
implementation of password rotation they responded by adding a number.
"what - I can't use bilbo as a password any more" "I'll use bilbo1"
And it's not like they all got together and workshopped it - it's just
human nature (expend no more energy than absolutely necessary -
thermodynamics law no#2).

Perhaps the answer is make it someone else's
problem? I don't think that is going to work - certainly it hasn't so
far because it's putting all the eggs in one basket.

Some might argue that if people can't be bothered learning to remember
passwords for work, they don't deserve a job. Not a popular point of
view (and not practical). Particularly amongst those whose wage is
roughly twice the cost of keeping a computer on their desktop (desktop
support, backend, mid-range, nog etc). Computers in the work place are
supposed to be a productivity tool - and investment that brings a
profit, they've become a social symbol that reduces the productive
working day to less than 4 hours.

Others insist that they "should" be allowed to bring their own devices
into the work place and connect to the network. And Ffffacebook access
on the work computers is also a "right" - like Social email, and
non-work phone calls.

Perhaps the government should pass laws against furniture with sharp
corners so that people can enjoy the convenience of walking where ever
they like without barking their shins.

I don't know the answer - but "it's too hard" so "why bother" is not it,
neither is passing the buck. I suspect greater segmentation of
vulnerabilities is the right approach, but current trends are for less
and less segmentation.

Kind regards

More information about the linux mailing list