posted by martyb on Friday August 24 2018, @09:25AM
from the what-protects-YOUR-luggage? dept.

Submitted via IRC for AndyTheAbsurd

Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out (or maybe all of the above). A security audit of the Western Australian government released by the state’s auditor general this week found that 26 percent of its officials had weak, common passwords -- including more than 5,000 including the word “password” out of 234,000 in 17 government agencies.

The legions of lazy passwords were exactly what you -- or a thrilled hacker -- would expect: 1,464 people went for “Password123” and 813 used “password1.” Nearly 200 individuals used “password” -- maybe they never changed it to begin with?

Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123.”

[...] The traditional guidelines for strong passwords -- make them long and complicated, use symbols and a mix of upper and lowercase letters, change them regularly -- were making it easier for hackers, Paul Grassi of the National Institute of Standards and Technology told NPR last June. The organization’s current guidelines for good passwords are that they should be simple, long and easy to remember. It suggests using normal English words and phrases that are easy for users but tougher on hackers.

If you want to keep your accounts secure, pick something that’s lengthy and memorable, and if you change it, switch more than a single letter or digit. And for heaven’s sake, don’t use the word “password.”

Source: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on


  • (Score: 3, Interesting) by Rich on Friday August 24 2018, @10:27AM (6 children)

    by Rich (945) on Friday August 24 2018, @10:27AM (#725729) Journal

    So, how many bits of entropy does a good password need? For crypto, we can assume that 128 bits are borderline acceptable. Now try to get these 128 bits into something Joe Q. User can remember. Salted hashes try to come to the rescue: if the hash is complex enough, even the NSA couldn't break a simple 5-digit (100k choices, roughly 16 1/2 bits) code (but then your local system couldn't compute the hash in your lifetime...).

    So, assume an adversary has 10 million times more computing power (roughly 24 bits) and is supposed to take a year for what a hash needs 1/10 sec (roughly 28 bits). That's at least 52 bits that have to appear to be random.

    For the password choice, assume that you can't count the bits of the bytes in it, but you have a stream of tokens, where (simplified) each token can be any dictionary word, ASCII number, separator, whatever. The kind of component that's "easy to remember". You find you'll be hard pressed to get more than 12-14 bits of entropy from such a token, much less if the "important" ones are limited to 2 or 3, and the remainder is just single-digit numbers or punctuation. So even a "Secret/Code:987" complexity style doesn't cut it, and that's already too hard to type on mobile devices.

    And all these considerations are with a salt, that has its own pitfalls: E.g. once the adversary has rainbow tables, you've lost. So where does this leave us?

    I've seen large business systems being secured with smart cards (and keyboards with a reader), but these are probably impractical in everyday use. I think what's needed is an external hardware password dispenser that's worn like a key on a keychain. Rugged like a USB dongle, contactless power, contactless transmission, so no wear here, and no batteries to go bad (though a battery might be needed for mobile use). A little display for what password is being requested, and an approve button. Optional on-device PIN lock for the truly paranoid. Maybe a legacy mode with keyboard emulation for PCs. Didn't eevblog have a look at something like this when it was kickstarted?

    The CPU vendors will of course try to talk you into their digital restrictions managing logic for storing passwords. So they can lock you in and sell a back door, too.

  • (Score: 0) by Anonymous Coward on Friday August 24 2018, @11:28AM (2 children)

    by Anonymous Coward on Friday August 24 2018, @11:28AM (#725743)

    Bits, schmits, I'm using hunter2 because it wasn't on their list! Security for the win!!

    • (Score: 3, Funny) by isostatic on Friday August 24 2018, @12:43PM (1 child)

      by isostatic (365) on Friday August 24 2018, @12:43PM (#725767) Journal

      I see that as

      Bits, schmits, I'm using ******* because it wasn't on their list! Security for the win!!

      • (Score: 2) by Gaaark on Friday August 24 2018, @01:53PM

        by Gaaark (41) on Friday August 24 2018, @01:53PM (#725793) Journal

        Hey! How'd you know my password was

        Bits, schmits, I'm using ******* because it wasn't on their list! Security for the win!! ?

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 0) by Anonymous Coward on Friday August 24 2018, @12:39PM (1 child)

    by Anonymous Coward on Friday August 24 2018, @12:39PM (#725764)

    >I've seen large business systems being secured with smart cards (and keyboards with a reader), but these are probably impractical in everyday use.

    The smart cards were always a hassle, but the company I work at has mostly switched over to TPM+PIN for logins. From the user perspective, they have to set up a PIN on every computer they use and have to use 2-factor auth when they need to use their password instead (e.g. to verify their identity to set up their PIN). My understanding is that the PIN works like the PIN to log into an encrypted smartphone: there's a "secure chip" of some kind that stores the user's private key and releases it when presented with the proper PIN and is designed to resist attempts to brute force or otherwise trick it into giving up the private key. How well those protections work is another question, but those attacks involve physical access to the computer, at which point they could have just installed a keylogger to grab a password.

    Passwords are really poor for security for many reasons; one of them is that humans are bad at coming up with and remembering complex enough ones that they are actually difficult to guess. If an organization's computer use patterns mostly involve employees logging in from a small number of machines assigned to them, then private key login is a fairly minor burden for the users (if the user always uses the same computer, then it could probably be set up so the user doesn't even know the difference). And should probably be combined with a password manager that generates passwords for you for any services the user needs to log in to that do require a password.

    • (Score: 1) by Ethanol-fueled on Friday August 24 2018, @10:38PM

      by Ethanol-fueled (2792) on Friday August 24 2018, @10:38PM (#726055) Homepage

      We use RSA SecurID, which is fucking wonderful (in before NSA hacked lolz) because you can use the number pad to type it all in with one hand, with none of the infuriating bullshit password requirements which cause users to use passwords like "Password123" etc.

  • (Score: 2) by darkfeline on Saturday August 25 2018, @04:19AM

    by darkfeline (1030) on Saturday August 25 2018, @04:19AM (#726139) Homepage

    >How much entropy is needed?

    Not a lot if you're using 2FA, you need just enough to keep someone out between the time noticing you lost a key and revoking it.

    --
    Join the SDF Public Access UNIX System today!
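
The entropy budget worked through in Rich's comment at the top of this thread, as an added example that is not part of any comment: it computes the bits needed against the stated adversary (10 million times the compute, one year, 1/10 s per hash) and scores passwords under the comment's token model. The 13-bit word size and 32-symbol separator set are assumptions picked from within the 12-14 bit range the comment gives.

```python
import math
import re
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed token sizes (illustrative, within the 12-14 bit range quoted above).
WORD_BITS = 13.0            # one word drawn from an 8192-word dictionary
SEPARATOR_BITS = 5.0        # one symbol drawn from 32 punctuation marks
DIGIT_BITS = math.log2(10)  # one decimal digit

# Runs of ASCII letters, runs of ASCII digits, or any other single character.
TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|.", re.DOTALL)


def required_bits(advantage, hash_seconds, attack_seconds):
    """Entropy needed so an attacker with `advantage` times the defender's
    compute still needs `attack_seconds` to try every candidate."""
    return math.log2(advantage * attack_seconds / hash_seconds)


def estimate_bits(password):
    """Upper bound: assumes every token was picked uniformly at random."""
    bits = 0.0
    for token in TOKEN_RE.findall(password):
        if token[0] in string.ascii_letters:
            bits += WORD_BITS
        elif token[0] in string.digits:
            bits += len(token) * DIGIT_BITS
        else:
            bits += SEPARATOR_BITS
    return bits


def random_words_needed(target_bits):
    """How many uniformly random dictionary words reach the target."""
    return math.ceil(target_bits / WORD_BITS)


if __name__ == "__main__":
    budget = required_bits(1e7, 0.1, SECONDS_PER_YEAR)
    print(f"budget: {budget:.1f} bits")
    # Constructed sample inputs: the 5-digit code and the password style
    # from the comment, plus the most common password in the audit.
    for pw in ("12345", "Secret/Code:987", "Password123"):
        est = estimate_bits(pw)
        print(f"{pw!r}: at most {est:.1f} bits, "
              f"short by {max(0.0, budget - est):.1f}")
    print("random words needed:", random_words_needed(budget))
```

The estimate is an upper bound: a human-chosen string such as "Password123" scores about 23 bits here, yet it sits near the top of any guess list, so its real resistance is far lower.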