Sunday, 24 April 2005

There's a Slashdot conversation taking place about using and enforcing cryptographically strong passwords (it's all about passphrases, people, passphrases - read my experiences here). In that thread, someone linked to an old and quite perfect social engineering example that I had not seen in a while. In my field I see and hear some of the funniest (or rather scariest) stories about situations like this.

From an IRC chatroom:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Pretty darn funny - unless it's you.

Of course, much of the /. conversation has evolved into the requisite noise and talk about how the original question is moot because passwords are dead, etc. etc. etc., blah blah blah, slashdot-ad-nauseam...

And, since we need something useful to go with the something-funny/scary, here's some information worth reading about how to make it possible for users to remember and use cryptographically strong authentication without resorting to Post-its and .txt files on the computer:

The Great Debate: Pass Phrases vs. Passwords

  • Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
  • Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
  • Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy
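The arithmetic behind Part Two is simple enough to carry through by hand, so here is an added Python example (mine, not code from this post or from the linked articles) that does it: it computes the entropy of a random character password versus a random word passphrase, converts that into a brute-force time at an assumed guess rate, generates a passphrase from a word list, and shows the salted, iterated hashing that Part One describes for storage. The eight-word list is constructed for the demo; the 7776-word dictionary size and the guess rate are assumptions, not figures from the post.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed, deliberately tiny word list. A real Diceware-style list has 7776
# words; that size is passed in explicitly below rather than assumed from this list.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "velvet", "granite", "saddle"]


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: `length` symbols, each drawn
    independently from `alphabet_size` possibilities (94 = printable ASCII)."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, dictionary_size):
    """Entropy of a random passphrase: `word_count` words drawn uniformly (with
    replacement) from a dictionary of `dictionary_size` words. The words being
    memorable does not reduce this; only the selection process matters."""
    if word_count <= 0 or dictionary_size <= 1:
        raise ValueError("need a positive word count and at least two words")
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(entropy_bits, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at a given rate.
    On average an attacker succeeds after half of this."""
    return 2 ** entropy_bits / guesses_per_second


def generate_passphrase(word_count, words=SAMPLE_WORDS, separator=" "):
    """Pick words with the CSPRNG, not random.choice: uniform selection from the
    list is what makes the entropy figure above honest."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def hash_secret(secret, salt=None, iterations=200_000):
    """Storage form of a password or passphrase: a random per-entry salt plus an
    iterated PBKDF2-HMAC-SHA256 digest, so identical secrets hash differently
    and each guess costs the attacker `iterations` hash operations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_secret(secret, salt, expected_digest, iterations=200_000):
    """Recompute and compare in constant time to avoid leaking how many bytes matched."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected_digest)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate for an illustrative comparison
    pw = password_entropy_bits(8, 94)       # 8 random printable-ASCII characters
    pp = passphrase_entropy_bits(5, 7776)   # 5 random words from a 7776-word list
    for label, bits in (("8-char random password", pw), ("5-word random passphrase", pp)):
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, {years:.1e} years to exhaust at {rate:.0e}/s")
    phrase = generate_passphrase(4)
    salt, digest = hash_secret(phrase)
    print("sample passphrase:", phrase)
    print("verifies:", verify_secret(phrase, salt, digest))
    print("wrong guess verifies:", verify_secret(phrase + "x", salt, digest))
```

The comparison makes the point of the debate concrete: five random dictionary words carry more entropy than eight random printable characters, and the words are the easier of the two to remember. Note that both figures assume the secret was chosen uniformly at random; a "passphrase" that is a famous quotation has far less entropy than the word count suggests.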

IT Security | Tech
Sunday, 24 April 2005 09:19:41 (Pacific Standard Time, UTC-08:00)

Comments [1]

Monday, 25 April 2005 13:17:18 (Pacific Standard Time, UTC-08:00)
One thing I highly recommend is something like KeePass Password Safe or Password Safe. They both do the same thing: store passwords. KeePass is a little bit better, and I had been using Password Safe loyally for a while until I couldn't take it any longer.

Basically it reduces all of the passwords you have to keep in memory down to just one: the password to unlock it. The problem is, if you lose the password, all of it is gone. Also, if someone were to guess it, then all your passwords are compromised. You do trade a little security for convenience, but I keep my password a nice long passphrase that I can remember quite easily. I'm down to just my Windows password and this password that I have in memory at all times. I do have others I keep in memory, but that's because it's hard for me to forget them. I can only keep upwards of about 6-8 passwords before they start running together, so something like this is a life saver.

I also like it because it's not tied to the browser or whatever. If you change Windows profiles, those passwords are gone. The same occurs in Firefox if something happens and its cache is hosed.

It sure beats sticky notes and .txt files on your computer. Even if the .txt is encrypted with EFS it's a bad idea, because if your Windows profile is hosed, the key that unlocks the file is hosed too. You'd think there would be a way to transfer it, but I don't think there is. Personally I'd rather be locked out of something because *I* screwed up, not the software or system it's built on. It's basically what happens if I, say, forgot a locker combination. It wouldn't render the locker useless, just my contents, until someone broke the lock and replaced it.