Re: Education End Users about Passwords - Was - RE: john the ripper

From: Byron Sonne (blsonne_at_rogers.com)
Date: 12/10/03

  • Next message: Paul Bakker: "Cisco Catalyst 4006 CatOS Password Hash"
    Date: Tue, 09 Dec 2003 19:14:49 -0500
    To: pen-test@securityfocus.com
    
    

    > End User education is the greatest defense.

    End user education is almost completely useless when it comes to
    passwords. Unless you live in a land where users are sensible ;)

    I'm not just aimlessly capping on user communities; I've been an admin
    for over 10 years now in various places and people are all the same when
    it comes to passwords. That is to say that pretty much everyone sucks at
    password hygiene.

    There's no way around this; all it takes is one day when they're in a
    rush and they're forced to change their password... so they write it
    down. From there a habit is formed. Next one gets written down. Perhaps
    someone nearby notices where they write them, and they get copied and/or
    passed around.

    Make them too long, people write them down. Too short, they're easily
    cracked or guessed. Frequent password expiration? They get written down
    again. Infrequent? That's a security issue. Checked against a database
    of easily cracked passwords? They get written down. Forced inability to
    reuse patterns (i.e. jan1a, feb2b, mar3c, etc.)? They get written down.

    The only viable solution, in my opinion, is the use of some kind of
    token (a la SecurID) or biometrics (not fingerprint based, those are
    way too easy to fool). With tokens they can keep a more comfortable
    password and change it on a more comfortable basis, and it doesn't
    matter too much if it gets cracked since they still need to append the
    token information to the end of the password to authenticate. Facial
    recognition is unreliable. Eye scans are good, although I don't want to
    have to worry about someone ripping out my eyeballs to crack a system ;)

    Cheap, easy, secure... pick two :)

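Added editorial example, not part of Byron's post: the "password with the
token code appended" check he describes, written as a minimal server-side
verifier. The proprietary SecurID algorithm is not used; as an assumption,
the token is modelled with RFC 4226 HOTP / RFC 6238 TOTP (HMAC-SHA1, 30-second
step, 6 digits), which is the open standard that behaves the same way for the
purposes of the argument. The seed is the RFC 4226 test-vector secret and the
password and salt are constructed for the example; the function names are
mine. It shows the point made in the post: a cracked static password alone
does not authenticate, and a captured passcode cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials (not from the post). In a real deployment the
# seed is provisioned to the token and stored per user on the auth server.
TOTP_SECRET = b"12345678901234567890"        # RFC 4226 appendix D test seed
PASSWORD_SALT = b"constructed-salt"
PBKDF2_ITERATIONS = 50_000
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                    PASSWORD_SALT, PBKDF2_ITERATIONS)
DIGITS = 6      # length of the token code appended to the password
STEP = 30       # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, now // step)


def verify_passcode(passcode: str, now: int, used_counters: set,
                    window: int = 1) -> bool:
    """Verify "<password><tokencode>" as typed by the user.

    Both factors are always evaluated (no early return) so the response
    time does not reveal which factor failed. A time step whose code has
    already been accepted is refused, so a shoulder-surfed or sniffed
    passcode cannot be replayed within the drift window.
    """
    if len(passcode) <= DIGITS:
        return False
    password, tokencode = passcode[:-DIGITS], passcode[-DIGITS:]

    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    PASSWORD_SALT, PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, PASSWORD_HASH)

    # Tolerate one step of clock drift either side, skipping used counters.
    matched = None
    base = now // STEP
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter < 0 or counter in used_counters:
            continue
        if hmac.compare_digest(hotp(TOTP_SECRET, counter), tokencode):
            matched = counter

    if not (password_ok and matched is not None):
        return False
    used_counters.add(matched)
    return True


if __name__ == "__main__":
    seen = set()
    # At Unix time 59 the RFC 6238 test vector gives token code 287082.
    print(verify_passcode("correct horse287082", 59, seen))   # good login
    print(verify_passcode("correct horse287082", 59, seen))   # replay refused
    print(verify_passcode("correct horse000000", 59, set()))  # password alone
```

The usage block at the bottom walks through the three cases the post cares
about: a correct password plus current token code is accepted, the same
passcode presented again is refused, and the static password with a wrong
token code (what an attacker holding only a cracked hash would have) fails.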

