Submitted via IRC for AndyTheAbsurd
Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out (or maybe all of the above). A security audit of the Western Australian government released by the state's auditor general this week found that 26 percent of its officials had weak, common passwords -- including more than 5,000 containing the word "password" out of 234,000 in 17 government agencies.
The legions of lazy passwords were exactly what you -- or a thrilled hacker -- would expect: 1,464 people went for "Password123" and 813 used "password1." Nearly 200 individuals used "password" -- maybe they never changed it to begin with?
Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123.”
[...] The traditional guidelines for strong passwords -- make them long and complicated, use symbols and a mix of upper and lowercase letters, change them regularly -- were making it easier for hackers, Paul Grassi of the National Institute of Standards and Technology told NPR last June. The organization’s current guidelines for good passwords are that they should be simple, long and easy to remember. It suggests using normal English words and phrases that are easy for users but tougher on hackers.
If you want to keep your accounts secure, pick something that’s lengthy and memorable, and if you change it, switch more than a single letter or digit. And for heaven’s sake, don’t use the word “password.”
(Score: 3, Interesting) by Rich on Friday August 24 2018, @10:27AM (6 children)
So, how many bits of entropy does a good password need? For crypto, we can assume that 128 bits are borderline acceptable. Now try to get these 128 bits into something Joe Q. User can remember. Salted hashes try to come to the rescue: if the hash is complex enough, even the NSA couldn't break a simple 5-digit (100k choices, roughly 16 1/2 bits) code (but then your local system couldn't compute the hash in your lifetime...).
So, assume an adversary has 10 million times more computing power (roughly 24 bits) and is supposed to take a year for what a hash needs 1/10 sec (roughly 28 bits). That's at least 52 bits that have to appear to be random.
For the password choice, assume that you can't count the bits of the bytes in it, but you have a stream of tokens, where (simplified) each token can be any dictionary word, ASCII number, separator, whatever: the kind of component that's "easy to remember". You find you'll be hard pressed to get more than 12-14 bits of entropy from such a token, much less if the "important" ones are limited to 2 or 3, and the remainder is just single-digit numbers or punctuation. So even a "Secret/Code:987" complexity style doesn't cut it, and that's already too hard to type on mobile devices.
And all these considerations are with a salt, which has its own pitfalls: e.g. once the adversary has rainbow tables, you've lost. So where does this leave us?
I've seen large business systems being secured with smart cards (and keyboards with a reader), but these are probably impractical in everyday use. I think what's needed is an external hardware password dispenser that's worn like a key on a keychain. Rugged like a USB dongle, contactless power, contactless transmission, so no wear here, and no batteries to go bad (though a battery might be needed for mobile use). A little display for what password is being requested, and an approve button. Optional on-device PIN lock for the truly paranoid. Maybe a legacy mode with keyboard emulation for PCs. Didn't eevblog have a look at something like this when it was kickstarted?
The CPU vendors will of course try to talk you into their digital restrictions managing logic for storing passwords. So they can lock you in and sell a back door, too.
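The bit-counting in the comment above, carried through as an added example (this is not code from the article, the auditor or the commenter). The per-token choice counts and the attacker figures below are assumptions picked to mirror the comment's numbers (0.1 s per hash on the defender's box, an attacker with ten million times the compute, a one-year target); swap in your own. The model also assumes a unique salt per account, so the attacker pays the full hash cost for every guess against every account rather than reusing precomputation.

```python
"""Sizing password entropy against an offline guessing attack.

Added worked example for the thread; the token model and attacker figures
are assumptions, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed number of equally likely choices per "easy to remember" token.
TOKEN_CHOICES = {
    "word": 8_000,      # common-word dictionary, ~13 bits if chosen uniformly
    "digit": 10,        # one decimal digit, ~3.3 bits
    "separator": 32,    # printable ASCII punctuation, 5 bits
    "digits3": 1_000,   # a three-digit number such as "987", ~10 bits
}


def token_entropy_bits(token_types):
    """Sum log2(choices) over the tokens that make up a password.

    This is an upper bound: it assumes each slot is filled uniformly at
    random from its pool. People pick from a far smaller effective set,
    so a real human-chosen password has less entropy than this.
    """
    return sum(math.log2(TOKEN_CHOICES[t]) for t in token_types)


def required_bits(hash_seconds, attacker_speedup, target_years):
    """Entropy needed so exhausting the keyspace takes target_years.

    hash_seconds:     time the defender's machine spends on one hash
    attacker_speedup: how many times faster the attacker hashes
    Solves 2**bits == attacker_rate * target_seconds for bits.
    """
    attacker_hashes_per_second = attacker_speedup / hash_seconds
    total_guesses = attacker_hashes_per_second * target_years * SECONDS_PER_YEAR
    return math.log2(total_guesses)


def crack_years(bits, hash_seconds, attacker_speedup):
    """Years to exhaust a 2**bits keyspace at the attacker's rate."""
    attacker_hashes_per_second = attacker_speedup / hash_seconds
    return 2 ** bits / attacker_hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    need = required_bits(hash_seconds=0.1, attacker_speedup=1e7, target_years=1)
    print(f"bits needed for a one-year search: {need:.1f}")
    # "Secret/Code:987" modelled as word, separator, word, separator, 3 digits
    style = ["word", "separator", "word", "separator", "digits3"]
    print(f"'Secret/Code:987' style upper bound: {token_entropy_bits(style):.1f} bits")
    print(f"five random dictionary words: {token_entropy_bits(['word'] * 5):.1f} bits")
    print(f"a 52-bit secret lasts {crack_years(52, 0.1, 1e7):.2f} years")
```

With the comment's figures the threshold lands just under 52 bits, the word/separator/word/separator/number pattern comes out near 46 bits even as an upper bound, and five uniformly chosen dictionary words clear the bar with room to spare. Bear in mind the 0.1 s figure only protects you if the hash is one the attacker cannot speed up disproportionately on GPUs or ASICs, which is the case for memory-hard functions such as Argon2 or scrypt rather than a plain salted SHA-2.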
(Score: 0) by Anonymous Coward on Friday August 24 2018, @11:28AM (2 children)
Bits, schmits, I'm using hunter2 because it wasn't on their list! Security for the win!!
(Score: 3, Funny) by isostatic on Friday August 24 2018, @12:43PM (1 child)
I see that as
Bits, schmits, I'm using ******* because it wasn't on their list! Security for the win!!
(Score: 2) by Gaaark on Friday August 24 2018, @01:53PM
Hey! How'd you know my password was
Bits, schmits, I'm using ******* because it wasn't on their list! Security for the win!! ?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 0) by Anonymous Coward on Friday August 24 2018, @12:39PM (1 child)
The smart cards were always a hassle, but the company I work at has mostly switched over to TPM+PIN for logins. From the user perspective, they have to set up a PIN on every computer they use and have to use 2-factor auth when they need to use their password instead (e.g. to verify their identity to set up their PIN). My understanding is that the PIN works like the PIN to log into an encrypted smartphone: there's a "secure chip" of some kind that stores the user's private key and releases it when presented with the proper PIN and is designed to resist attempts to brute force or otherwise trick it into giving up the private key. How well those protections work is another question, but those attacks involve physical access to the computer, at which point they could have just installed a keylogger to grab a password.
Passwords are really poor for security for many reasons; one of them is that humans are bad at coming up with and remembering complex enough ones that they are actually difficult to guess. If an organization's computer use patterns mostly involve employees logging in from a small number of machines assigned to them, then private key login is a fairly minor burden for the users (if the user always uses the same computer, then it could probably be set up so the user doesn't even know the difference). And it should probably be combined with a password manager that generates passwords for you for any services the user needs to log in to that do require a password.
(Score: 1) by Ethanol-fueled on Friday August 24 2018, @10:38PM
We use RSA SecurID, which is fucking wonderful (in before NSA hacked lolz) because you can use the number pad to type it all in with one hand, with none of the infuriating bullshit password requirements which cause users to use passwords like "Password123" etc.
(Score: 2) by darkfeline on Saturday August 25 2018, @04:19AM
>How much entropy is needed?
Not a lot if you're using 2FA, you need just enough to keep someone out between the time noticing you lost a key and revoking it.
Join the SDF Public Access UNIX System today!
(Score: 4, Funny) by Bill Evans on Friday August 24 2018, @10:46AM (1 child)
(Score: 3, Funny) by Nofsck Ingcloo on Friday August 24 2018, @02:07PM
XKCD did, indeed, get it right, but in a different cartoon:
https://xkcd.com/538/ [xkcd.com]
1984 was not written as an instruction manual.
(Score: 0) by Anonymous Coward on Friday August 24 2018, @11:09AM (1 child)
What prize do these outstanding individuals win?
(Score: 0) by Anonymous Coward on Friday August 24 2018, @05:27PM
Fat-ass government leeches who purposely (when your lazy, stupid ass chooses a lame password, you're doing it on purpose) put the taxpayers' systems at risk should at least be fired. Sensitive stuff should get the sacks of shit charged. There is no accountability for these criminals though. Yet.
(Score: 2) by crafoo on Friday August 24 2018, @11:28AM
The reality is that we need something better than passwords for identification/authorization. People cannot be expected to remember the vast number of passwords required, even just counting the systems at a single place of employment. I counted about 6 for work (they've worked hard to consolidate) - that are changed monthly, have uppercase/lowercase/special character requirements, and that cannot reuse a previous password (ever). Sorry, odds are even just at 6 I am going to forget one of those due to the password requirements. I write them down and stick them in the desk. Sue me.
The facts are clear. People are forced to write them down and/or use very simple, easy to remember passwords. A system that requires humans but does not account for the limitations of humans to be secure is going to fail. If we are lucky, we will look back on 1994-20XX as this weird in-between time when we still relied on passwords for authentication.
(Score: 0) by Anonymous Coward on Friday August 24 2018, @11:33AM (6 children)
I hate to point out the obvious, but Password123 meets the following password criteria:
If the requirements were "meet three of these four requirements: uppercase, lowercase, number and special character" then Password123 is a perfectly cromulent password.
(Score: 2) by isostatic on Friday August 24 2018, @12:40PM
If the requirements were "meet three of these four requirements: uppercase, lowercase, number and special character" then Password123 is a perfectly cromulent password.
And it really pisses me off when I can't use 9cba85bfc0a59571084224659fae60e5 as a password on these sorts of sites
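The two comments above make the point that a "three of four character classes" rule accepts Password123 and rejects a 128-bit random hex string. Here is that rule alongside the check the audit figures actually call for, a blocklist with normalisation, as an added example (not code from the article, the auditor or any commenter). The rule set, the normalisation steps and the tiny blocklist are assumptions constructed for the demonstration; a real deployment would use a large list of breached and common passwords.

```python
"""Complexity rules versus a normalising blocklist check.

Added example for the thread. BLOCKLIST is a constructed toy list built from
the patterns the audit reported (the word "password", seasons); the
three-of-four rule is the policy described in the comments above.
"""
import re
import string

# Constructed: a production list would hold millions of breached passwords.
BLOCKLIST = {
    "password", "qwerty", "welcome", "letmein", "123456",
    "summer", "autumn", "winter", "spring",
}

# Leet substitutions people use to dodge a naive word check.
_LEET = str.maketrans("@$01345", "asoieas")


def character_classes(pw):
    """Return the subset of {upper, lower, digit, special} present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def passes_three_of_four(pw, min_length=8):
    """The classic complexity rule: length plus three of four classes."""
    return len(pw) >= min_length and len(character_classes(pw)) >= 3


def normalize(pw):
    """Reduce a password to the base word a person decorated.

    Lowercases, strips the trailing digits/punctuation that turn "password"
    into "Password123" or "password1", then undoes leet substitutions so
    "P@ssw0rd!" also reduces to "password". Falls back to the lowercased
    input when stripping would remove everything (e.g. "123456").
    """
    s = pw.lower()
    s = re.sub(r"[\d!?.,;:_*#-]+$", "", s)
    s = s.translate(_LEET)
    return s if s else pw.lower()


def is_blocklisted(pw):
    """True when the normalised form is a known bad password."""
    return normalize(pw) in BLOCKLIST


def evaluate(pw):
    """Run both checks so the two verdicts can be compared side by side."""
    return {
        "complexity": passes_three_of_four(pw),
        "blocklisted": is_blocklisted(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password123", "password1", "P@ssw0rd!",
                      "Summer2018", "9cba85bfc0a59571084224659fae60e5"):
        print(f"{candidate:36s} {evaluate(candidate)}")
```

Run it and the first four candidates all satisfy the complexity rule while the blocklist catches every one of them; the random hex string is the only input the blocklist passes, and it is the only one the complexity rule rejects. That inversion is the practical argument for NIST's current advice: check length and a blocklist, and drop composition rules.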
(Score: 2) by Gaaark on Friday August 24 2018, @03:07PM (2 children)
Oh, I'm sorry, sir. I'm anaspeptic, phrasmotic, even compunctuous to have caused you such pericombobulation by using that password!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 0) by Anonymous Coward on Friday August 24 2018, @04:49PM (1 child)
Cute, but none of those would be valid passwords. Stay out of the dictionary, you slacker!
(Score: 4, Funny) by bob_super on Friday August 24 2018, @06:16PM
My password is "impervioustodictionaryattacks", you insensitive clod !
(Score: 2) by Freeman on Friday August 24 2018, @06:18PM (1 child)
For some reason, whenever someone uses the word cromulent, I think of some British dude eating a tasty crumpet.
The really hilarious thing I just found on https://en.oxforddictionaries.com/definition/cromulent [oxforddictionaries.com] is this: "Origin 1990s: first used in the US animated television series The Simpsons."
Also, hey! How did you guess our IT's password policy! Ok, it's not that exactly, but it's not much better.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Friday August 24 2018, @11:15PM
Yes indeed, those silver-tongued Simpsons embiggen us all.
(Score: 0) by Anonymous Coward on Friday August 24 2018, @12:49PM (2 children)
Stick to the classics.
(Score: 2) by bob_super on Friday August 24 2018, @05:18PM (1 child)
It's a problem if you travel to non-qwerty countries.
(Score: 2) by rcamera on Friday August 24 2018, @07:05PM
/* no comment */
(Score: 2) by DannyB on Friday August 24 2018, @06:06PM
I can't believe nobody has suggested 12345 yet.
Especially if you ROT13( 12345 )
Q. How much did Santa's sled cost?
A. Nothing. It was on the house.