Should You Write Down Your Passwords?

  • In addition to strong passwords, at the application level, we practice fairly stringent segregation of duties. No one person can create a complete set of transactions of any type. A dishonest employee would need a bunch of user accounts and passwords. It is an additional layer and not terribly hard to implement.

  • Richard Warr (11/8/2010)


    W!OW34f34D3h54qo looks like a nice strong password but it's just SQLServerCentral moved "one key up" when you type it in. Use that method in conjunction with a memorable phrase (like the initial letters of the opening line of a favourite song) and you'll have something memorable but not guessable.

    The key point is to have a password that you can remember without having to write it down anywhere.

    And that doesn't bypass the "one password to rule them all" syndrome. You need to have a password that's memorable, impossible to guess, and site/app/whatever specific.

    Otherwise, you run into the problem that's shown in http://www.xkcd.com/792/. It doesn't matter how strong your password is, if it's known to anyone but you.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

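The "one key up" trick in the quoted post, made concrete as an added example; this is not code from any post in the thread. It builds the QWERTY row map the example implies (Q lands on ! only if the backtick key is ignored, which is an assumption about the layout the poster used), applies it in both directions, and shows what a cracker does with it. The `wordlist` and the `rules` tuple are constructed for the example.

```python
# QWERTY rows, top to bottom, unshifted and shifted. The backtick/tilde key is
# left out so that column 0 of the number row is "1"/"!", which is what turns
# Q into ! in the post's example (assumption about the poster's layout).
_UNSHIFTED = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _one_row_up(rows):
    """Map each key to the key in the same column of the row above it."""
    mapping = {}
    for r in range(1, len(rows)):
        for col, key in enumerate(rows[r]):
            if col < len(rows[r - 1]):
                mapping[key] = rows[r - 1][col]
    return mapping


_UP = {**_one_row_up(_UNSHIFTED), **_one_row_up(_SHIFTED)}
_DOWN = {v: k for k, v in _UP.items()}


def one_key_up(text: str) -> str:
    """Retype `text` one row higher. Keys with nothing above them (the number
    row) and characters not on the keyboard are left unchanged."""
    return "".join(_UP.get(ch, ch) for ch in text)


def one_key_down(text: str) -> str:
    """Inverse of one_key_up for characters that have a row below them."""
    return "".join(_DOWN.get(ch, ch) for ch in text)


def mangled_candidates(words, rules=(lambda w: w, one_key_up)):
    """What a cracker does with a wordlist: emit every word under every rule it
    knows. A fixed transform such as 'one key up' is one more rule, i.e. one
    more bit of work for the attacker, not a new character set."""
    for word in words:
        for rule in rules:
            yield rule(word)


if __name__ == "__main__":
    print(one_key_up("SQLServerCentral"))  # the post's W!OW34f34D3h54qo
    wordlist = ["password", "sqlservercentral", "SQLServerCentral"]  # constructed
    print("W!OW34f34D3h54qo" in set(mangled_candidates(wordlist)))
```

The second print is the point: once the attacker's wordlist contains the base phrase, the shifted form is found with the same ease, so the strength comes from the phrase being outside any wordlist, not from the keyboard trick.
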
  • Craig-315134 (11/8/2010)


    Revenant wrote:

    'Security based on biometric data is not a good idea because just like any other data, your biometric data can stolen - and if it is, you cannot change it... '

    Fundamentally, this is true, although the 'theft' is likely to be rather grisly in nature. (The literally eye-popping scenario in 'Angels and Demons' is not terribly far-fetched; I recall reading of a car-theft in Germany, in which the owner's finger was detached to gain access to the high-end car.)

    My major concern with biometric security, however, is not theft; up to nine additional digits may be scanned, for example, should the first's scan be compromised.

    Rather, it is biometrics' probabilistic nature in which I think the problem lies, at least when finger scans are used. Recognition errors may be reduced, but never eliminated, due to the changeable nature of sensor behaviour under different environmental conditions (temperature and humidity, for example); and little research is being done into the changeability of the physical characteristics upon which the biometric data itself is based (to what extent do our fingerprints or retinas change as we age?)

    Also, you have to be sensitive to things like, how do you fingerprint someone without hands?

    And, what happens if all your bank data is protected by your fingerprint, and you get into an argument with a table saw and suddenly don't have that fingerprint any more? Retinal scans on someone who loses an eye, gets certain types of ocular cancer, et al, again can result in locking you out of your own data. That might be fine if you're able to take the necessary trip to an office to re-identify yourself and get a different finger scanned in, but what happens if you're overseas and lose that all important finger and now can't pay for your hotel for the night because your ATM card is tied to it?

    My favorite reason to start using fingerprints, however, would be all the high-security situations in which someone would have to tell you, "okay, now give me the finger".

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • I used the password safe in the past, but became spooked by the idea that anyone who puts a keylogger on my machine would be able to acquire every single password in the password safe. A keylogger is well within the realm of possible attacks - I've seen them installed by drive-by malware downloads. And conferences like DefCon are touting "how to make your own home-brew USB devices" with microcontrollers for the purpose of compromising systems.

    Here are the recommendations I find most sound:

    1. Use the password safe program, but on a separate dedicated computer that never gets connected to any network (e.g. an old laptop or netbook). Physically remove or disable the network adapter(s).

    2. Use old-fashioned paper and pen and a notebook, and keep it in a $100 gun safe near your desk. When the passwords are written down, come up with a pattern for creating them, and write them down in some sort of veiled fashion that would prevent a third party from being able to understand them. (Example: decide you will always capitalize A,E,I,O,U,F,L,R and that every password will also end in $ followed by the first letter of what is being secured [e.g. "B" if it's Bank of America], but when the passwords are written, write all lowercase and omit these extra rules, simply commit them to memory).

  • I'm pretty sure we've talked about this before on this site. Maybe not in the exact context of whether or not to write down a password, but password policies in general. Here is my standard response on all password policies:

    I find the 90 day password expiration policy to be a nuisance as well as a completely worthless and unproven "security measure". Instead you should be educating people to use more friendly, easier to type, but at the same time more mathematically secure, "password phrases". For example, I don't know what the exact password policy is here in terms of length and character usage, but let's say you enforce that a password must have at least one lower case letter, upper case letter, number, special character, and be at least seven characters long. To keep things basic, let's say that character set size comes to a total of 72 possible characters (26 + 26 + 10 + 10) (we just use the special characters above the numbers). Now for a seven character password, the total number of password permutations is only:

    72^7 = 10030613004288

    Now let's say instead you focus your efforts on educating people to use a "password phrase" instead. Naturally these are going to be longer in length, come from a smaller character set size, but be faster and easier to type as well as easier to remember. As another example, let's say a "password phrase" comes from the character set made up of simply lower case letters and a space. For a whopping 27 possible characters. As I said, due to their nature, a "password phrase" will almost always be longer than a regular password. In this example, all it takes is a mere 10 characters and the "password phrase", even with its significantly reduced character set, becomes 20 times harder to hack than the seven character password.

    27^10 = 205891132094649

    I believe that if corporations got rid of their lame password restriction policies and instead focused their efforts on educating people to use "password phrases", it would reduce the tech support time that is spent on people not being able to log in or do other things simply because they forgot their password. Remember, using something like "password policy sucks" is actually faster to type for most people, easier to remember, and more mathematically secure than something like "vj74%kduj".

    SQL Server and all other applications should do what Windows does and that is delay multiple login attempts if the first three fail. That makes brute force hacking of passwords very inefficient. If the system will only let you attempt to login once every three seconds, nobody is going to waste their time with a brute force attempt.

    Finally, when it comes to having multiple passwords for multiple systems (or websites for normal people), I think that's ridiculous too. I think people should have two passwords. One for their email system and one for everything else. This is all that is necessary in most cases because if your password is compromised on one site or for whatever reason you forget it (which you shouldn't because you only have two), the typical "Reset My Password" mechanism will send an email to your email account with the changed password for that site. So a hacker could have your second password and email address, but they will not be able to get into your email account to intercept these.

  • Dictionary words aren't as secure as you make them out to be. A dictionary word has far less entropy than a random sequence of characters, hence the concept of a dictionary attack.

    The phrase "password phrase sucks" may indeed have 27 characters, but these are three of the 2000 most used words in the English language.

    A lowercase letter or space has 27 possibilities... let's call it 32 for simplicity's sake... that's 5 bits of entropy (2^5=32). 27 characters * 5 bits = 135 bits of entropy. True only if each character has a random value.

    The most commonly used 2000 words in the English language, are worth at most, 11 bits of entropy (2^11=2048). Three such words ("password phrase sucks") are worth, at most, 33 bits of entropy.

    Huge difference between 33 and 135 bits.

    Passphrase should be much longer than three words.

  • Mike Caldwell (11/8/2010)


    Dictionary words aren't as secure as you make them out to be. A dictionary word has far less entropy than a random sequence of characters, hence the concept of a dictionary attack.

    The phrase "password phrase sucks" may indeed have 27 characters, but these are three of the 2000 most used words in the English language.

    A lowercase letter or space has 27 possibilities... let's call it 32 for simplicity's sake... that's 5 bits of entropy (2^5=32). 27 characters * 5 bits = 135 bits of entropy. True only if each character has a random value.

    The most commonly used 2000 words in the English language, are worth at most, 11 bits of entropy (2^11=2048). Three such words ("password phrase sucks") are worth, at most, 33 bits of entropy.

    Huge difference between 33 and 135 bits.

    Passphrase should be much longer than three words.

    Pass-limericks? Pass-haikus? The passibilities are endless! (Sorry, couldn't resist.)

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • Mike Caldwell (11/8/2010)


    The phrase "password phrase sucks" may indeed have 27 characters, but these are three of the 2000 most used words in the English language.

    Mike, where do you get your facts from? Can you cite other references? I will list three:

    http://www.world-english.org/english500.htm

    http://www.paulnoll.com/Books/Clear-English/English-3000-common-words.html

    http://esl.about.com/library/vocabulary/bl1000_alph1.htm

    The words, "password", "policy", and "sucks" (and even "suck") do not appear in any of those lists. So I have to question your facts. (Note that in my post the exact example I used was "password policy sucks", not what Mike has listed above, "password phrase sucks".)

    Finally, my example was just that, an example. The simplest one I could find to prove a point (the point being permutations of character sets). While your point about dictionary attacks is somewhat valid, I would hope that most people would not restrict themselves to just lower-case letters. Including one upper-case letter of a proper noun for example, or having a small phrase with a comma in it or some numbers, exponentially increases the mathematical strength of their pass phrase, obviously. The point is to take the concept of the example and apply it.

  • Michael.Beeby (11/8/2010)


    If you write it down and someone observes and manages to login as you, then you have a potential repudiation problem (means that you may have to prove that what happened next was not actually you).

    Your password = your responsibility. If anything happens on your pc under your username, then it's your responsibility, either for not choosing a strong password that you can remember, or for not locking your computer when you walk away from it.

  • Mike Caldwell (11/8/2010)


    Dictionary words aren't as secure as you make them out to be. A dictionary word has far less entropy than a random sequence of characters, hence the concept of a dictionary attack.

    The phrase "password phrase sucks" may indeed have 27 characters, but these are three of the 2000 most used words in the English language.

    A lowercase letter or space has 27 possibilities... let's call it 32 for simplicity's sake... that's 5 bits of entropy (2^5=32). 27 characters * 5 bits = 135 bits of entropy. True only if each character has a random value.

    The most commonly used 2000 words in the English language, are worth at most, 11 bits of entropy (2^11=2048). Three such words ("password phrase sucks") are worth, at most, 33 bits of entropy.

    Huge difference between 33 and 135 bits.

    Passphrase should be much longer than three words.

    You are overlooking the fact it doesn't matter if it's only 33 bits of entropy. The question is *which* 33 bits of the domain are we talking about? And can the attacker be sure it's only 33 bits? Because you also have to consider order, the presence or absence of spaces, mixing in capitals, etc. Not to mention someone might use a longer or shorter one.

    Then add permanent lockouts after 3 attempts and... 🙂

    And no, lockouts aren't an effective DDoS attack vector, as it's possible to script an unlock routine for the entire active user base--assuming you use the Windows security method and not the SQL server one.
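The delay-after-three-failures behaviour described in the password policy post above, and the lockout-versus-denial-of-service trade-off argued in this one, as an added example that is not code from any of the posts or from SQL Server or Windows. `LoginThrottle`, the 3 s base delay, the 900 s cap and the `check_password` callback are all assumptions chosen for illustration; the account names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class _AccountState:
    failures: int = 0        # consecutive failures since the last success
    not_before: float = 0.0  # earliest time another attempt is processed


class LoginThrottle:
    """Delay-based brute-force defence (assumed policy, not any product's).
    The first `free_attempts` failures cost nothing; from then on each failure
    doubles the wait before the next attempt is even looked at (3 s, 6 s, 12 s,
    ...), capped at `max_delay`. A cap, rather than a permanent lockout, bounds
    how long an attacker who deliberately fails logins can keep the real user
    out, which is the denial-of-service objection to hard lockouts."""

    def __init__(self, free_attempts: int = 3, base_delay: float = 3.0,
                 max_delay: float = 900.0) -> None:
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def wait_seconds(self, user: str, now: float) -> float:
        """Seconds until an attempt for `user` will be processed (0.0 = now)."""
        return max(0.0, self._state(user).not_before - now)

    def record_failure(self, user: str, now: float) -> float:
        """Register a failed attempt; returns the delay now imposed on the account."""
        st = self._state(user)
        st.failures += 1
        extra = st.failures - self.free_attempts
        if extra < 0:
            return 0.0
        delay = min(self.base_delay * 2 ** extra, self.max_delay)
        st.not_before = now + delay
        return delay

    def record_success(self, user: str) -> None:
        self._accounts.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password: str, now: float,
                  check_password: Callable[[str, str], bool]) -> str:
    """One login attempt against the throttle. The wait is checked before the
    password is, so a throttled guess costs the server no hashing work."""
    wait = throttle.wait_seconds(user, now)
    if wait > 0:
        return f"retry in {wait:.0f}s"
    if check_password(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "denied"


def simulate_attacker(throttle: LoginThrottle, user: str, horizon_seconds: float) -> int:
    """How many guesses a single-account attacker who retries the instant the
    throttle allows can get through within `horizon_seconds`."""
    now, attempts = 0.0, 0
    while now <= horizon_seconds:
        wait = throttle.wait_seconds(user, now)
        if wait > 0:
            now += wait
            continue
        attempts += 1
        throttle.record_failure(user, now)
    return attempts


if __name__ == "__main__":
    # Constructed demo: one guesser working one account for a day.
    per_day = simulate_attacker(LoginThrottle(), "dba", 24 * 3600)
    print(f"guesses possible in 24h with a 3 s doubling delay: {per_day}")
    print(f"guesses possible in 24h unthrottled at 100/s: {100 * 24 * 3600}")
```

Two caveats a practitioner would add: the state is keyed on the username, so an attacker can tell throttled (existing) accounts from unknown ones unless the service returns the same response for both; and the delay must be enforced server-side, since a client that is simply asked to wait will not.
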

  • One thing that seems to be missing is discussion of the threat vector.

    To protect from an external threat a hard password, written down on a notepad, locked in the server room, and changed whenever someone leaves, is probably the best solution you can come up with. It helps if each service account is locked to a particular machine as well.

    To protect from an internal threat, an oft changing, easy to remember but hard to guess password is probably best.

    In the server room, the biggest threat is probably the person who is about to be/has just been terminated, this requires a fast and foolproof way to change and document all the server passwords (and a security escort).

    Overall some sort of single use password such as a SecurID fob is best for human use, but won't work for service accounts AFAIK. It also doesn't seem viable for third-party (web-based) accounts.

    Biometrics give a false sense of security because they appear to be two factor. However, what the biometric scanner does is convert the biometric to a bitstream which is "something you know" that can be inserted into the data stream between the scan pad and the processor (Or, in fact before the scan pad in the case of the gummi bear attack). Biometrics can work IF you also have a person watching the scanner, but at that point an RFID badge that pulls up a picture on the guard's screen is probably better.

    --

    JimFive

  • You are overlooking the fact it doesn't matter if it's only 33 bits of entropy. The question is *which* 33 bits of the domain are we talking about?

    You seem to misunderstand what 33 bits of entropy means. It means that a brute force attack would have to make 2^33 attempts to break the password. It doesn't matter "which" 33 bits we are talking about because 33 bits IS the entire domain.

    It is trivial to take the most common 2000 words and string two to four of them together in any order with arbitrary capitalization and L33T substitution to create a dictionary attack. (google: Rainbow Tables)

    Your goal, as a password creator is to create a password that is NOT in the rainbow table. Unless you are being specifically targeted, that's all it takes to be (reasonably) safe.

    If you ARE being specifically targeted you have to be more careful. The rainbow table will be made specific to you, so you can't use any identifying words (Names, birthdates, locations, etc). And staying out of the rainbow table isn't enough. Theft can get your password if you wrote it down. Key-logging, WiFi snooping, infiltration of your friends can all reveal your password given enough time and effort. If you are a specific target you need to be vigilant and one step ahead of your opponent. The good news is that almost no normal people are specific targets, most attackers are going after targets of opportunity.

    All that being said: Yes, pass-phrases are currently better than passwords because the attacker doesn't know which you are using and is going after the low-hanging fruit. All you need to do is make sure that you don't become the low-hanging fruit due to complacency.

    --

    JimFive
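The keyspace arithmetic running through this exchange (72^7 versus 27^10, 2^11 per common word, and "which 33 bits"), worked through as an added example; it is not code from any of the posts. It models the attacker exactly as Mike and JimFive describe: a known list of common words, two to four of them in any order, optional capitalisation and a few separators. The dictionary size of 2048, the number of case and separator variants, and both guess rates (one attempt every three seconds against a throttled login, 10^9 hashes per second against a stolen hash) are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_random_string(charset_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters drawn uniformly from a
    charset of `charset_size` symbols (the thread's 72**7 and 27**10)."""
    return charset_size ** length


def keyspace_word_passphrase(dictionary_size: int, min_words: int, max_words: int,
                             case_variants: int = 1, separator_choices: int = 1) -> int:
    """Search space for an attacker who knows the passphrase is built from a list
    of `dictionary_size` common words: every word count from min_words to
    max_words, each word in one of `case_variants` spellings (2 = as typed or
    Capitalised), the words joined by one of `separator_choices` separators
    (3 = none, space, hyphen). The same separator throughout is assumed."""
    total = 0
    for n in range(min_words, max_words + 1):
        separators = separator_choices if n > 1 else 1
        total += (dictionary_size * case_variants) ** n * separators
    return total


def bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def expected_crack_years(keyspace: int, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare(online_guesses_per_second: float = 1 / 3,
            offline_guesses_per_second: float = 1e9) -> dict:
    """Side-by-side figures for the constructions argued about in the thread.
    Both guess rates are assumptions: one attempt every three seconds against a
    throttled login, 10**9 guesses/s against a stolen fast hash."""
    cases = {
        "7 chars, 72-symbol charset": keyspace_random_string(72, 7),
        "10 chars, lowercase+space": keyspace_random_string(27, 10),
        "3 words from 2048, as-is": keyspace_word_passphrase(2048, 3, 3),
        "2-4 words from 2048, caps+3 separators":
            keyspace_word_passphrase(2048, 2, 4, case_variants=2, separator_choices=3),
        "6 words from 2048, caps+3 separators":
            keyspace_word_passphrase(2048, 6, 6, case_variants=2, separator_choices=3),
    }
    return {
        name: {
            "bits": round(bits(space), 1),
            "online_years": expected_crack_years(space, online_guesses_per_second),
            "offline_years": expected_crack_years(space, offline_guesses_per_second),
        }
        for name, space in cases.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:42s} {row['bits']:5.1f} bits  "
              f"online: {row['online_years']:.3g} y  offline: {row['offline_years']:.3g} y")
```

Reading the output settles the "which 33 bits" question the way JimFive states it: not knowing the word count, capitalisation or separator costs the attacker only the sum of those sub-spaces, about 49.6 bits for the two-to-four-word case, well short of the 135 bits a random 27-character string would give. Six words from the same list pass 70 bits, which is why the advice is to use far more than three.
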

  • So I use a fingerprint reader on my Win 7 laptop and it's great. Very convenient, especially as I can boot from my fingerprint and log in.

    However, there still is a password for my account. Ultimately it's a backdoor, so I need to be sure it's strong. My guess would be that there always is some password, even when biometrics are in use. Most biometric systems have a backup for the simple reason that biometrics can be lost. You could lose your hands/fingers, or even create a scar. With fingers you have 10 to register, but what about retina? Only two, and I'm not sure if a hangover might cause issues there.

    I like the idea of stringing a phrase together, and I use that, though I do typically add a number or symbol instead of a letter somewhere.

    Note that even if there are 2^32 things to try, that's not what needs to be tried. Arguably someone could hit on the first try, or they might hit in the first half of attempts. Lockouts and timers, while annoying, help to make brute force, even rainbow tables, impractical in most places. However if someone targets you, then things like your birthday, wedding anniversary, kids' names, etc. aren't good choices.

  • Steve,

    Re: Fingerprint reader

    How many copies of your fingerprints do you think exist on your laptop (Case, screen, keyboard) at any given time?

    How hard do you think it would be for someone to create a copy of one of those fingerprints and use it to log on to your laptop?

    Does your fingerprint get you past your Hard Drive encryption?

    --

    JimFive

  • James Goodwin (11/9/2010)


    Steve,

    Re: Fingerprint reader

    How many copies of your fingerprints do you think exist on your laptop (Case, screen, keyboard) at any given time?

    7, or 32,768

    How hard do you think it would be for someone to create a copy of one of those fingerprints and use it to log on to your laptop?

    Not sure, but I suspect it's not overly difficult.

    Does your fingerprint get you past your Hard Drive encryption?

    Yes.

    --

    JimFive

    Very valid security issues. I hadn't much considered the stolen fingerprint item. Might have to revisit this.

Viewing 15 posts - 16 through 30 (of 56 total)
