[clug] [OT] all text passwords == secure?

Scott Ferguson scott.ferguson.clug at gmail.com
Sun Aug 26 16:53:26 MDT 2012


On 27/08/12 08:19, Sam Couter wrote:
> Scott Ferguson <scott.ferguson.clug at gmail.com> wrote:
>> A common point of view, and a too common problem. I'd bet you're a 
>> public servant
> 
> I am.
> 
>> people tend to do the same things. Most public servants used a word
>> for a password (my experience)
> 
> I do not and have not since I was a naive teenager twenty years ago.

But you're not 'most public servants', i.e. not merely a computer
operator. ;-)

> I have in the past been part of an admin team that ran a password 
> cracker over our own users' hashed passwords.

I use john (the ripper) for a similar thing.

> We notified people with bad passwords but there was no management
> support for forcing change.

It's a difficult thing - part of the "but no one else does" problem. In
one instance a particular department (not federal or ACT gov) has a
"three strikes and you work from home" policy which is much abused. :-(

> In any case, my work password is reasonably secure and is not weak
> in comparison with the other security practices in use.

Most likely there is also a policy in place that locks out attempts
after a number of failures within a given time period.

My experience is that some of the people that do need to be told to
improve their passwords are the people that will try and circumvent
good policy. This leads to the problem where, rather than rewarding those
that do follow policy without the threat of a stick (like yourself), they
are penalised by being subjected to the same audits, training sessions,
constant reminders etc. developed to force the recalcitrant to implement
good security.

> 
>> And it's not like they all got together and workshopped it - it's
>> just human nature (expend no more energy than absolutely necessary
>> - thermodynamics law no#2).
> 
> Exactly. Fighting against that is a losing battle. The answers lie 
> elsewhere.
> 

Absolutely. Every time you don't reward those that do the right thing
you just make the problem larger. Aside from more segregation of risks
(separate systems with additional logins) I can't see an answer, and you
can see the problems with that approach - less exposure in each
instance, but it increases the existing problem (good password policy is
hard). Now if the education system taught basic mnemonics (and
education) it might reduce the difficulty some people have.
I favour my password formulae[*1] - but a lot of people get vision
problems, hypertension, and blinding headaches, when attempting it. :-/

[*1]https://lists.samba.org/archive/linux/2012-August/031365.html

I've seen lots of presentations for biometric and presence based
authentication systems... which are much hyped. But every one I've
looked at had gaping holes - and significantly higher costs.

At some point it will become unsustainable to allow unfettered computer
use for all employees. It ceased to be economical for a majority of
public servants some years ago, i.e. the cost didn't justify the return on
investment at >$12K pa just to put a desktop computer in front of someone
who reads and produces documents, and accesses a database.

Locked down thin clients that only feature applications *needed* for the
job are strongly resisted - unfettered email and internet use,
powerpoint presentation production, pdf editing, printing of non-work
material, DVD burning, movie watching, music playing etc are now "human
rights". People can get very offended if you question their ability to
be their own system and network administrators - even though it's not
their equipment.

No exaggeration - in one, un-named, quasi-gov, enterprise the union
rebelled at the idea that staff should be made to use computers in the
lunch rooms for private email, in their own time. The big stick is not
the answer there - it's a psychological problem as staff were genuinely
upset - ignore that and you have a serious security problem.


Kind regards
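
The lockout policy mentioned above (lock an account after a number of
failed attempts within a given time period) is easy to state and easy to
get subtly wrong, so here is a worked example of one. This is example code
added to the thread, not code from the original post or from any system
discussed in it; the class name, the thresholds (5 failures in 300 s, lock
for 900 s) and the event format are all assumptions. It uses a sliding
window, so slow-paced failures that never reach the threshold inside the
window do not lock the account, and a correct password presented during a
lockout is still refused.

```python
"""Sliding-window failed-login lockout tracker.

Example added to this mailing-list thread; not code from the original
post. Names, thresholds and event format are assumptions."""
from collections import defaultdict, deque


class LockoutPolicy:
    """Lock a user after max_failures failures inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def _prune(self, user, now):
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        """True while the lock is active; clears state once it has expired."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed attempt; return True if the user is now locked."""
        if self.is_locked(user, now):
            return True
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user, now):
        """Register a correct password; return False if refused due to lockout."""
        if self.is_locked(user, now):
            return False  # a correct password during lockout is still refused
        self._failures[user].clear()
        return True


def replay(policy, events):
    """Feed (timestamp, user, password_ok) events; return per-event decisions.

    Decisions: 'fail' (counted failure), 'locked' (failure that is or
    triggers a lockout), 'allow' (success), 'deny-locked' (success refused)."""
    decisions = []
    for ts, user, ok in events:
        if ok:
            verdict = "allow" if policy.record_success(user, ts) else "deny-locked"
        else:
            verdict = "locked" if policy.record_failure(user, ts) else "fail"
        decisions.append((ts, user, verdict))
    return decisions


if __name__ == "__main__":
    # Constructed sample: a burst of failures, then a correct password during
    # the lock, then a correct password after the lock has expired.
    burst = [(0, "alice", False), (10, "alice", False), (20, "alice", False),
             (30, "alice", False), (40, "alice", False), (50, "alice", True),
             (1000, "alice", True)]
    for row in replay(LockoutPolicy(), burst):
        print(row)
```

The `replay` helper exists so the policy can be driven from a list of
constructed login events (or from parsed auth-log lines) without a clock,
which makes the window-expiry edge cases easy to check.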

