SoylentNews is people
SoylentNews
NIST recently published their four-volume SP800-63-3 Digital Identity Guidelines. Among other things, they make three important suggestions when it comes to passwords:
-Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases.
-Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise.
-Let people use password managers. This is how we deal with all the passwords we need.
These password rules were failed attempts to fix the user. Better we fix the security systems.
Does this mean we can stop composing our passwords like Q*bert?
(Score: 3, Interesting) by RedBear on Wednesday October 11 2017, @08:15AM (4 children)
I gave up a couple years ago and decided to go with a password manager. I chose a commercial one that provides good syncing between different types of devices, and integrates with all major web browsers. Enabled 2FA on the password manager to drastically decrease the likelihood someone can ever gain access to my password database. It even supports those USB hardware encryption keys if you want to go that far. Enabled 2FA on every other service I use that supports it, which includes many banks as well as things like Google and iCloud. Have backup email addresses, also protected by 2FA, to recover access if I somehow lose access to the main email account.
Finally realized recently that if you give meaningful (i.e. "rememberable") answers to those stupid security questions they will probably be guessable by anyone who is trying to steal your identity. The attacker will already have a ton of personal info about you. So I use the password generator in the password manager app to generate short random character passwords for the security questions. Usually there are a pair of security questions, so the odds of anyone being able to get through that are basically zero. I just have to remember to store the questions and answers in the notes for that account in the password manager.
I'm tired of self-described security geeks mocking password managers as being the ultimate in stupidity. After patiently working my way through all my accounts over two years I now have whittled my way down to 100 different active accounts and each uses a unique, random, and (if the site/service supports it) extremely long password. There's a lovely security dashboard in the password manager that tells you exactly how many passwords you're reusing, how many are insecure in some way (too short or too simple), and how many are really old and should probably be changed. I no longer know 99% of my own passwords. I log in using the integrated browser plugins, which only works if I've logged into the main password manager app, which is only installed on my own computers and devices, which are all encrypted and secured to the best of my ability. If I wanted to I could enable 2FA not just per device but for every time I attempt to login to the password manager. And I could have a session timeout, so I wouldn't just be logging in whenever I restart the machine. If it seems necessary I'll take those steps.
It's time to acknowledge that online services are getting hacked and exposing billions of accounts so frequently that you have to be a nutcase to reuse any password even twice anywhere on the web. Unless you're autistic and can remember 100 different random passwords, you have no rational choice but to use some kind of password manager at this point. But I'm sure someone will have the gall to try and tell me I'm somehow less safe now than I was when I only had a half-dozen different simple passwords, reused on dozens of different websites over a 25-year period. Maybe I'm not perfectly safe, but I've made myself the kind of target that would take more effort than 99.999% of the other targets online. 100 different online services is a huge attack surface when so many sites are being compromised every day. I'm sure many people use even more online services than I do. If any one of my accounts is ever compromised it should lead to exactly zero compromises on other sites. That isn't true for an awful lot of people online. Identity thieves have no good reason to target me as long as there are still billions of people who reuse simple passwords on every site they visit.
Nothing is perfect, including password managers. But password managers allow regular people a way to escape being the low hanging fruit of the Internet by drastically reducing their attack profile.
¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
(Score: 3, Informative) by pTamok on Wednesday October 11 2017, @09:16AM (2 children)
You describe the benefits of using a password manager very well.
What I would say, if I put on my paranoid security geek hat on, is that they are a simply MASSIVE target for malware, and the malware only needs to get lucky once.
You are probably aware of a number of compromises of (Windows, but also other e.g. Android) systems that are around, that give the attacker full ring '0' access (or even ring '-1') to systems* - this means that an attacker will be able to (a) exfiltrate a copy of your password database and (b) also be able to access all of memory to grab the key to the database, which can be exfiltrated as well. The recent issue of Kaspersky Anti-Virus taking a copy of NSA software form a contractor's PC demonstrates the process. So by using an online password manager, especially one that shares across multiple platforms, means you have a huge vulnerability profile: a compromise of your phone could give access to all your passwords.
This is a strong argument against using online password managers. They are incredibly convenient, and demonstrate that if you want people to do password security properly, it must be easy to use - but they are very much an 'all your eggs in one basket' affair, and multiplatform ones are only as secure as their most vulnerable platform.
I won't go so far as to say that you shouldn't use a password manager. People's (and companies' ) attitude towards security risks varies, so there is no 'one size fits all' solution, but please be aware of the vulnerabilities of the platforms you use, and evaluate the risk of your password manager being compromised, and what effect such a compromise might have on you.
I would recommend using an offline, air-gapped password manager. Such a thing is not easy to find. Having unique, strong passwords for every service you use is a good idea. Really.
*Look at the capabilities of the Intel Management Engine, and the AMD equivalent. Even if the 'Black hats' can't current leverage those capabilities, I would be unsurprised to learn that Intelligence Agencies can. For most people, that is not an issue, as they are not 'persons of interest' to the intelligence agencies, and are happy to share all their personal information with them - if they were not happy to trust the intelligence agencies and government control of said agencies in their country's best interests, then there would be a great deal more protest. The 'average Joe/Josephine' regards national security agencies as essentially benign for ordinary folk. Quite possibly correctly.
(Score: 4, Interesting) by RedBear on Wednesday October 11 2017, @12:09PM (1 child)
We are not in disagreement. Offline air-gapped password store (that never touches a USB device either) is a great idea if you're dealing with anything more important than some personal accounts. But nobody will ever go to those lengths for personal things, just like nobody has ever bothered to change their passwords regularly, use random passwords, use long passwords, or use different passwords for different services. What the password manager does for us is it reduces the attack profile from a completely unmanageable [my computer] + [200 very badly run web services] to just [my computer]. From totally out of our individual control to kinda, sorta in our control.
If you get malware on your machine that is capable of stealing passwords from your password manager, similar malware could also just scan files or any other open applications that might be storing your passwords. Such things have existed for decades. That's just the reality of imperfect computing security in an imperfect networked world. Best we can do is use password managers that don't do dumb things like transmitting unencrypted data across the internet or storing your passwords locally in the clear.
If you're running a nuclear facility, a password manager is probably not a great idea. Then again, the reality is that people who run such facilities often make such terrible security choices that a password manager could actually be an improvement. How's that for a scary thought?
¯\_ʕ◔.◔ʔ_/¯ LOL. I dunno. I'm just a bear.
... Peace out. Got bear stuff to do. 彡ʕ⌐■.■ʔ
(Score: 1) by pTamok on Wednesday October 11 2017, @01:49PM
Modded you up. I agree entirely that laziness trumps security, and you once again point out the real benefits of password managers.
And I agree re: nuclear facilities, and in fact many process-control and SCADA applications. Security is just not baked in. If somebody messes with process control in an oil refinery, or a chemical plant, or a dam, really nasty things could happen.
(Score: 0) by Anonymous Coward on Wednesday October 11 2017, @12:00PM
I highly recommend password managers, but not commercial ones. Use one of the well vetted open source ones. With a commercial manager, nobody but the company has any idea whether or not the crypto used to store the passwords is crap or not, until it is too late. With open source password managers, a few greps will tell me which crypto library is used, which algorithm, and what mode/mac is used. A quick peek at the relevant files will indicate whether or not the password and key data is protected from being swapped out to swap space or the page file and whether any kind of stretching on the master password is used. It really doesn't take long, and you really don't even need to do all this because it has already been done. The open source password managers that are commonly recommended have already been vetted.
You don't even need to use a password manager if you are using full disk encryption and don't leave your machines running unattended; assuming you can prevent shoulder surfing. In this case, a text file will do. If you get some kind of malware or don't secure your OS, all bets are off.