SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.
SoylentNews
Submitted via IRC for AndyTheAbsurd
The DHS recently issued a warning against the use of common and or easily guessed passwords after several government agencies have been targeted by "password spray" attacks.
It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords."
Source: SC Magazine
This discussion has been archived.
No new comments can be posted.
DHS Warns Against “Password Spray” Brute Force Attacks
|
Log In/Create an Account
| Top
| 30 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
The last time I saw him he was walking down Lover's Lane holding his own hand.
-- Fred Allen
(Score: 5, Informative) by FatPhil on Sunday May 12 2019, @02:36PM (9 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by JoeMerchant on Sunday May 12 2019, @03:58PM (8 children)
TOTP is a crock.
Checking passwords against spray attacks' one million most common passwords and denying _those_ passwords would be much more effective.
TOTP with a requirement of 8, no two consecutive, characters, and 3 of: upper case, lower case, numeric, special can quickly lead to "degenerate" passwords such as: Q1q1q1q1 just due to the fatigue of having to come up with a new, compliant, not used before, password every month, or whatever your chosen TOTP interval is.
Longer change intervals, less stupid requirements, and longer length requirements (12 characters?) can get stronger passwords in use like: correcthorsebatterystaple
🌻🌻 [google.com]
(Score: 1, Informative) by Anonymous Coward on Sunday May 12 2019, @07:05PM (4 children)
Your comment makes clear that you don't know what TOTP is and mistook it for password expiration.
TOTP stands for Time-based One-Time Password. The output of the algorithm is equal to the HMAC-based One-Time Password of a secret key, but with the current Unix time as the counter and the window length. HOTP parameters are a hash algorithm, secret key, and a counter. First you take the shared secret key, put that into the HMAC algorithm using the agreed-upon hash and current time as a counter. You then take that result and truncate it by taking the four least significant bits to get an offset, which you then use to select 31 bits from your result using a different algorithm. That number is turned into a positive signed number. Then using the length of your TOTP password (d), you then take the number modulo 10^d to get your final returned value. That password is accepted for three password windows (past, current, future) to allow for skew in the clocks and password entry.
The important notes are that current TOTP passwords cannot be used to figure out past or future TOTP passwords. Also, it only counts as something you have, because anyone that knows all the parameters can generate arbitrary TOTP values.
(Score: 2) by FatPhil on Sunday May 12 2019, @10:41PM (3 children)
Therefore it's something you *know*, not *have*, but I presume you mis-typed, as you seem to be mostly on top of things.
> shared secret key
However, not on top of things enough to be willing to address this issue from my gpp.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1, Informative) by Anonymous Coward on Monday May 13 2019, @12:58AM (2 children)
No, it is a "have" because most people save the compiled list of parameters+key to an authentication app, (e.g. Google Authenticator, FreeOTP, or Authy), rather than keep it memorized and calculate it manually each time. This app, by definition, is a "soft token" and tokens are "something you have."
And I wasn't trying to address your issue, I was addressing my parent's misunderstanding of what TOTP is. By its nature, you can't have a "salted and hashed" version of the secret key, because both sides have to have the same key, or the algorithm won't work. The second you salt it or hash it or whatever, the result just becomes another parameter to the algorithm or the new secret key, because both sides have to have the same information to calculate the same TOTP. That is a well-know and obvious pitfall of TOTP, but the algorithm was mean to cover a completely different threat model than passwords, not replace them.
(Score: 2) by FatPhil on Monday May 13 2019, @11:00AM (1 child)
I write my password down on a post-it note, and am so lazy I enter it using OCR via the webcam - is that something I know, or something I have.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @02:43AM
A written-down password is something you know, changing the medium doesn't change the original threat model reason for that authentication mode. If you are having a hard time with this, think of the TOTP token like an SSH key. The fact that you could theoretically remember all the parameters and a hundreds, if not thousands, of bits long pseudorandom number doesn't change the fact that it is supposed to be something you carry around in the proper form for authentication, as opposed to being locked in your memory.
(Score: 2) by crafoo on Sunday May 12 2019, @10:06PM (2 children)
I'm not familiar with TOTP. Password requirement as you stated will ensure 100% of them are written down and close-to-hand on a convenient sticky note pad.
(Score: 3, Interesting) by JoeMerchant on Monday May 13 2019, @02:02AM (1 child)
Yeah, AC is probably right - I took the "Timed" "One Time" to mean what our forced expiration policy does at work: you choose your password following their BOZO constraints, then you can only keep that password for a certain amount of time, at which point you must choose a new one - not a repeat of any password you have ever used before.
The priceless joke of corporate passwords is that they're in the Active Directory system, so you are forced to use this same password flipping everywhere, including when you've got your laptop hooked up to conference room displays - about once a year I see somebody entering their password for like the 20th time of the day on a big shared screen and the cursor focus isn't where they thought it was, so the whole room gets to see their password - for EVERYTHING, and of course the meeting is more important than running and changing it immediately, so ALL of their so-called secure accounts are vulnerable to anyone who saw it for at least an hour, in many cases I think they don't even bother to change it until the next mandatory expiration anyway. For extra fun, you can also get a sense of what they use to make their passwords memorable, combinations of their children's names and birthdays seem to be a popular choice.
🌻🌻 [google.com]
(Score: 2) by pipedwho on Monday May 13 2019, @04:08AM
And don't forget the two digits at the end that usually equal the multiple of timed expirations that have occurred since they started working at the company.
Years ago I was a working with a big company that had their password database (plaintext naturally) compromised. Everyone was forced to reset their password (for Nth time since they had a 3 month password expiration policy) - and naturally they'd been conditioned to use their usual tricks for modulating their passwords. In a penetration test, our guys ran the old password system against the newly reset passwords and 90+% of the passwords were a simple modulation of a base password (mostly just adding 1 to a counter, or a date).
We recommended they get rid of their time password expiration policy and only force password resets for good reasons. Told them to get rid of the upper/lower/number mix and just increase the minimum password length to 12 digits. Users were given methods to avoid using 'bad' words for their passwords (like usernames, dates, counters, etc). Passwords were no longer kept plain text (but that doesn't help protect against easy to guess passwords when compromised hash tables can be attacked). And the users were explicitly told they had to change their password due to a compromise, and would no longer be asked to periodically change their passwords, so should come up with something secure.
After the next password reset, our pen testers could only get into about 0.5% of the accounts with a week long effort of dictionary attacks, modulations on the cracked password database, and targeted attacks on information gleaned from user social media profiles. Half a percent is pretty good for this sort of thing. Most companies come in orders of magnitudes worse when they create stupid password policies.
On a positive note, NIST has changed their best practice password strategy to explicitly recommend not using timed password expiration, and also not to require a mix of uppercase/lowercase/digits.