Password Insecurity

Discussion in 'privacy problems' started by driekus, Mar 7, 2016.

  1. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I thought people here would get a laugh from this.

    The company I work for instituted a strict password policy (with expensive training) including all the standard restrictions. The one that struck me as odd is that no three letters can be contained in a dictionary word. My first attempt at a password was:
    $!32a79Pr0meth@s789!
    I would consider that a secure password, but it was rejected because of "met".

    IT told me it contains a dictionary combination so is insecure. They told me to make my password up this way:
    $(3 letters, one upper)(four-digit year), e.g. $Dgu2010

    I told him that was ridiculous advice. I manage 23 field guys, many with basic computer literacy. My guys, on getting this advice:
    $Xxx2016
    Where, if you think about it, what is the easiest thing to remember? (hint: their initials)

    I spoke to the higher-ups and they insist it is secure and that my recommendation (Diceware) is dumb because it contains dictionary words.
    Note that I work in a sensitive industry with SCADA controllers and the like.

    Am I missing something here?
     
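As an added illustration of the post above (example code written for this thread, not from the original poster or the company's IT), the following sizes the search space of the recommended `$Xxx2016` scheme against the rejected 20-character password and a six-word Diceware passphrase. The 100-year window for the year field, the 95-character printable alphabet and the guess rate of 1e9 per second are assumptions; the 20-character figure is an upper bound, since the rejected password was built around a word rather than drawn uniformly at random.

```python
import math

# Added example (not from the thread): size the search space of the
# password scheme IT recommended and compare it with the rejected
# 20-character password and with a Diceware passphrase.
# Strength is expressed as log2(number of equally likely candidates).

DICEWARE_LIST_SIZE = 7776   # standard Diceware list: 6^5 words
PRINTABLE_ASCII = 95        # printable characters a keyboard password can use


def bits(candidates):
    """Entropy in bits of a value chosen uniformly from `candidates` options."""
    return math.log2(candidates)


def it_scheme_bits(plausible_years=100):
    """"$Xxx2016": the leading "$" is fixed by the scheme, so only the
    three letters (26^3), which one is capitalised (3), and the year vary.
    `plausible_years` (assumed 100) bounds the year field."""
    return bits(26 ** 3 * 3 * plausible_years)


def initials_scheme_bits(plausible_years=100):
    """If the three letters are the user's initials, someone with the staff
    list only has the year left to guess."""
    return bits(plausible_years)


def random_chars_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Upper bound for `length` characters drawn uniformly from the alphabet."""
    return bits(alphabet_size ** length)


def diceware_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Each Diceware word is an independent uniform pick from the list."""
    return n_words * bits(list_size)


def years_to_exhaust(entropy_bits, guesses_per_second):
    """Time to try every candidate at an assumed offline guess rate."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second=1e9):
    """Summary of the schemes discussed in the thread; the guess rate is an
    assumption standing in for an offline attack on a fast password hash."""
    schemes = {
        "$Xxx2016 (IT scheme, random letters)": it_scheme_bits(),
        "$Xxx2016 (IT scheme, initials)": initials_scheme_bits(),
        "20 random printable characters": random_chars_bits(20),
        "6-word Diceware passphrase": diceware_bits(6),
    }
    return {name: (round(b, 1), years_to_exhaust(b, guesses_per_second))
            for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (b, years) in compare().items():
        print(f"{name:40s} {b:6.1f} bits  exhaustive search: {years:.3g} years")
```

The point the numbers make is the one driekus makes in words: the scheme has roughly 22 bits if the letters are random and under 7 bits once they are initials, whereas the "dictionary-containing" Diceware phrase sits near 77 bits. The dictionary rule penalises the wrong thing.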
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Sad :(

    But I gotta say that remembering passwords is the hardest part. There's also a cost for forgotten passwords. Maybe not as bad as compromised passwords. But say it's the passphrase for an RSA key. And there's some server with SSH password authentication disabled. Lost passphrase => meatspace visit. Worse, if it's a LUKS passphrase, loss => reinstall and lost data.
     
  3. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I think your superiors need to do some more homework on password security. Brute force attacks are easily dealt with. Look at the whole Apple/FBI conflict if you need a good example. Having a few characters in a password be a word that is in some dictionary of some language is not going to make it easy to guess if the rest of it bears no logical connection or relationship with it.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    You're right about it being "funny". Regrettably typical, and it's also reflected in maniac restrictions on what you can/can't put in the fields.

    Presumably, despite the importance/sensitivity, they won't spend any money on a password manager like Lastpass - or even use free ones like Keepass. One of the nice things about Lastpass is that it does allow for password sharing between users which I guess is necessary for at least some SCADA devices.

    While I like Diceware very much, I tend to reserve that for a restricted number of strong master passwords, which give you access (sometimes plus Yubikey 2FA) to the great number of subsidiary passwords that one needs - via password managers. Relevant to your requirement, I do have those with basic computer literacy using these schemes - most of the time, that's pretty invisible, and better than attempting to remember half-baked attempts at strong passwords.
     
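Since Diceware comes up in this post and in the opening one, here is an added example (not from deBoetie or the Diceware project) of how a Diceware word is selected: five dice rolls form a five-digit key into a list of 6^5 = 7776 words. The real word lists are not reproduced; `WORDS` is a constructed stand-in keyed the same way, with a placeholder returned for keys it does not hold. `secrets` stands in for physical dice when generating on a machine.

```python
import secrets

# Added example (not from the thread): Diceware-style word selection.
# Each word is chosen by five rolls of a fair die; the five digits (1-6)
# form a key such as "34512" into a 7776-entry word list.

# Constructed stand-in for a real Diceware list (only three keys present).
WORDS = {"11111": "abacus", "34512": "flock", "66666": "zoom"}


def roll_die():
    """One fair die roll from the OS CSPRNG; physical dice work the same way."""
    return secrets.randbelow(6) + 1


def rolls_to_key(rolls):
    """Five rolls of 1..6 become the lookup key used by Diceware lists."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Position (0..7775) of a key in a sorted list: base 6 with digits 1..6."""
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def word_for(rolls, words=WORDS):
    """Look the rolled key up; unknown keys in the stand-in list get a
    placeholder so the example still runs without the full list."""
    key = rolls_to_key(rolls)
    return words.get(key, f"word{key}")


def passphrase(n_words=6, words=WORDS):
    """Roll five dice per word, n_words times; words are joined by spaces."""
    return " ".join(word_for([roll_die() for _ in range(5)], words)
                    for _ in range(n_words))


if __name__ == "__main__":
    print(passphrase(6))
```

Every word is an independent uniform draw from the list, which is what makes the entropy additive per word and independent of whether the words appear in a dictionary.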
  5. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    It is really about threat management: how valuable and vulnerable the data are, and how accessible the computers are.
    My company forces a password change every few months, so we stick the new ones to the monitor; still, some find it hard to log in.
     
  6. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    Agreed, I walked round my work areas today and saw my guys with sticky-note passwords on their monitors. I tried to mitigate the situation by introducing a new method:
    Take an 8+ character word. Substitute the vowels with symbols: a=@, e=3, i=1, o=0 and u=#. It at least got them away from sticky-noting the passwords on the screen. Now they sticky the cipher on their screen, which is better than nothing.

    IT didn't appreciate my complexity analysis of their password, courtesy of Password Haystacks https://www.grc.com/haystack.htm

    In terms of threat level, we are a major utility. So I think we are pretty much up there.
     
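The vowel-substitution scheme above is a fixed, public mapping, so it adds no candidates beyond the word list the base word came from. The added example below (written for this thread, not by driekus or his IT department) is the check a password filter would apply: undo the substitution and look the result up in a word list. The word list is a constructed six-entry stand-in, and the length rule of 8 is taken from the post.

```python
import math

# Added example (not from the thread): reject passwords that are a
# dictionary word with the vowels replaced by a=@, e=3, i=1, o=0, u=#.

SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "u": "#"}
REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}

# Constructed mini word list standing in for a real dictionary.
WORDLIST = {"password", "prometheus", "sunflower", "mountain",
            "electric", "controller"}


def substitute(word):
    """Apply the scheme from the post to a base word."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in word.lower())


def normalize(candidate):
    """Undo the scheme. A real checker also tries the unmodified string and
    other common mappings; this one covers just the post's five symbols."""
    return "".join(REVERSE.get(ch, ch) for ch in candidate).lower()


def is_substituted_dictionary_word(candidate, wordlist=WORDLIST):
    return normalize(candidate) in wordlist


def scheme_bits(wordlist_size):
    """Distinct passwords the scheme can produce equal the word count,
    because the substitution is deterministic."""
    return math.log2(wordlist_size)


def check_password(candidate, wordlist=WORDLIST, min_length=8):
    """Return (accepted, reason) for a candidate password."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_substituted_dictionary_word(candidate, wordlist):
        return False, "dictionary word after undoing vowel substitution"
    return True, "ok"


if __name__ == "__main__":
    for pw in (substitute("prometheus"), "c0ntr0ll3r", "xq7!Lm2#vb"):
        print(pw, check_password(pw))
```

Run stand-alone it shows `pr0m3th3#s` and `c0ntr0ll3r` rejected and a random-looking string accepted; the `scheme_bits` helper makes the same point numerically: a 100,000-word dictionary yields under 17 bits however the vowels are dressed up.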
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    It's also sometimes useful to ask people to "decorate" the passwords they write down on their screens(!) with some short pin or other, which they have to remember. This also works with Lastpass if you want that.

    I'm willing to bet that the access control to the SCADA devices isn't too good either, and potentially allows the passwords to be sniffed by some compromised internal machine, or for the SCADA controllers to be directly attacked... the rabbit-hole continues...
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    PS - this attack on Ukrainian power operations (and SCADA equipment) might provide a salutary message:

    http://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

    A sophisticated attack stole credentials, and they didn't use 2FA, although they had reasonable segregation and firewalls. Standing back, it seems to me that 2FA plus segregation is one of the only defences that is going to have legs medium term; dicking around with password policies is not. It's eminently possible to do without huge amounts of money, but it does take some will and sophistication. Our strange world means that there's little incentive, because of effective corporate immunity and someone else bearing the cost.
     
  9. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,914
    They can check the passwords with web pages or, preferably, offline apps like this one:

    http://rumkin.com/tools/password/passchk.php

    then they'll see that passwords like "$Dgu2010" are weak and ones like "$!32a79Pr0meth@s789!" (hell, how to remember it? :eek:) are strong.
     
  10. driekus

    driekus Registered Member

    Joined:
    Nov 30, 2014
    Posts:
    489
    I have a good memory and when you break down the password in a way I understand it is easy to remember.

    Ran into one of the guys implementing 2FA and mentioned what happened. It took a few seconds for it to click but it stunned him when he realized. Very challenging to get people who have basic computer literacy to create something secure. Half do not have internet at home so this is really foreign to them.
     
  11. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Human beings are incapable of being truly random. So when you ask people to create a password of 8-12 mixed characters, letters, and symbols, they create passwords that are convenient to memorize and easy to brute force. Best practice should be to:
    • avoid single sign-on systems
    • have the IT department generate and issue pass-phrases
    • use two/three-step verification
      • IT-issued passphrase
      • user-generated password
      • key card
    Passwords are pretty much bust in my opinion because of the complexity and length actually required versus real-world practicality and what people can tolerate. The IT department should expire issued pass-phrases and use the key card system to track login attempts to specific terminals. The important thing is that they make sure to track and prevent any remote system login attempts and enforce adequate security training and follow-up on site. Distributing IT issued pass-phrases is surprisingly simple if you make a point of doing it first thing in the morning. We did this at the small engineering company that I worked for and distributed them to employees at start of the morning meeting. Employees that were showing up late were given a slip with their time card requesting they collect their daily login. Imagine it might be a bit different working for a large enterprise.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Except when they recognise that fact, and use and memorise a very limited number of Diceware (real physical dice) generated long strong master passwords, plus a password manager backed by 2/3FA. In the business context, the strong passwords and recovery contexts are managed by IT, ditto certificate management and other secrets. The users can then get by with memorising some relatively shorter passwords, and have the complexity hidden by the 2FA, password manager, and login-lockout security. Of course you then have to attend to the integrity of the client itself, which is a whole 'nuther can of worms!

    Agree with your points.
     