Re: proper password handling

["Mario A. Spinthiras" <mario () netway com cy>]

Isaac Van Name wrote:
> As always, Mario, I enjoy reading your posts as they are entertaining, if
> not always considering an alternate opinion.  That being said, I agree 100%
> that three-way authentication with biometrics is a strong method that should
> be employed.  For a company that is at all worried about security (which
> should be every company), this is worth the investment.
>
> However, in cases where, for whatever reason, the company will not go that
> route, there are reasonable alternatives.  In this respect, I have to say
> that Robert's quote is not a bad idea, although I would not call it the
> "best" solution.  The best solution would be a member of a multiple-point
> authentication method, like the one above.
>
> In a company that doesn't want to go the "best" route, you have to improve
> what you already have as best as you can.  Consider this:  Yes, we can fire
> everyone that writes down a password because they can't remember it but,
> then, all the offices in my workplace (except mine) and probably everyone
> else's would be empty.  (Office personnel != computer literate) in most
> cases.  Educate, threaten, warn, discipline... and they still do it.  It's a
> fact of life.  We're just smarter and more capable than them.
>
> One thing I've noticed time and time again about network security is that
> you have to take into account who you're securing.  For instance, if some
> office personnel need 3 websites to perform job-related tasks, but you
> decide you don't want anyone to have internet access, then you'll probably
> get fired quickly.  Same with passwords... if you set the standard so high
> that employees just keep getting fired, management will probably plant a
> foot in your hind quarters and give you a nudge.
>
> You already know that they're going to write down the password, so work off
> of that.  Make a password between 11-14 characters and a "passphrase" inside
> of it (starting at a random location) that's 4-6 characters long.  Make the
> passphrase something they can remember with a pneumonic ("I have 2 Dogs" =
> Ih2D).  Let them write down the rest of the password ("j4f6QA15") and tell
> them where the passphrase goes (after the 4 = "j4Ih2Df6QA15").  Now, you can
> complain that security is compromised (and it is to an extent), but you also
> have to consider how the REST of it can be compromised:
>
> How long would it take to brute-force a 12-character password?  True, it
> would take less time if you knew the written 8 characters, but you'd still
> have to "brute" the passphrase for an undetermined amount of characters at
> any position in the written portion... quite a daunting task still.
>
> Then, if they write down their pneumonic, shoot them.  They deserve it.
> Enforce what you know they can handle, and make that meet your security
> needs.  It's worked for me so far, and I still have a job.  One thing to
> remember, too:  No matter how much you secure your network, it will ALWAYS
> be susceptible to compromise... you just have to defend as best as you can.
>
>
> Isaac Van Name
> Systems Administrator
> Southerland, Inc.
> ivanname () southerlandsleep com
>
>
> "What good would you do with an ignorant employee? Ignorance is grounds for
> dismissal..." - Mario Spinthiras
>  
> Open Source developing at its finest:
> "Written in vim, W3C valid and UTF-8 encoded, for her pleasure."
>  
> Disclaimer:  This email is intended only to be used to feign intellectual
> mastery of a subject or superhuman command of the English language, when
> profanity is involved.  By reading this email, you are agreeing to cease all
> correspondence with the sender upon realizing your own ignorance, and
> furthermore to refrain from taking legal action against said sender when
> your compounding ignorance crushes your inadequate self-esteem.  Have a nice
> day.
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Mario A. Spinthiras
> Sent: Wednesday, October 04, 2006 1:19 AM
> To: Robert.Graham () bt infonet com
> Cc: security-basics () securityfocus com
> Subject: Re: proper password handling
>
> Robert.Graham () bt infonet com wrote:
>   
> > The best solution I ever heard of was from the Security Guru himself,
> >     
> Bruce
>   
> > Schneier:
> >
> > Create passwords with a secret string that you commit to memory, in the
> >     
> middle.
>   
> > Write down the password with everything but this special string. Then,
> >     
> from the
>   
> > user side, it simulates two factor authentication (something you have[the
> >     
> paper]
>   
> > and something you know [your secret string]). Even if the paper is lost or
> > compromised, the damage is minimal. Ideally, once the paper is
> >     
> compromised, the
>   
> > password is changed, but the secret string may be re-used. Best would be
> >     
> to lock
>   
> > up a safe copy so that should the carry copy be lost, that password can be
> >     
> reset
>   
> > easily and quickly.
> >
> > Today, with so many passwords, it's not possible to create strong ones
> >     
> that can
>   
> > be remembered.
> >
> >
> >
> >
> > Robert J Graham | Security Engineer | Global Security Group | BT Infonet |
> >     
> Tel:
>   
> > +1 310 335 4454  | E: robert.graham () bt infonet com |
> >     
> http://www.bt.infonet.com
>   
> >     
> ---------------------------------------------------------------------------
>   
> > This list is sponsored by: Norwich University
> >
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The NSA has designated Norwich University a center of Academic Excellence 
> > in Information Security. Our program offers unparalleled Infosec
> >     
> management 
>   
> > education and the case study affords you unmatched consulting experience. 
> > Using interactive e-Learning technology, you can earn this esteemed
> >     
> degree, 
>   
> > without disrupting your career or home life.
> >
> > http://www.msia.norwich.edu/secfocus
> >
> >     
> ---------------------------------------------------------------------------
>   
> >   
> >     
> Fortunately for me I have the tendency of judgement with regards to who 
> is considered a guru or not in any matter whatsoever. In this case my 
> judgement does not fail me and the feedback from it gives me the 
> negative impression with regards to "guru" statements.
>
> A password is not something you write down. I do not know which madman 
> started such a foolish practice but if there was a prize in 
> computational security I presume he would have won it many times over.
>
> The above practice is not based on "what you know" and "what you got" , 
> because the two end up being compbined in the same exact place at the 
> application layer which means that it was in vein to proceed doing so. 
> All it is is a missing string. That still gives administration and 
> management of a firm the "doubt" that they will write it down since the 
> principle is based on two parts to complete a whole passwords.
>
> The above practice is simple A DOUBLE "WHAT YOU KNOW" authentication 
> process which in my eyes and many righteous administrators out there... 
> IS COMPLETELY WRONG.
>
>
> If you want more on creating a wonderfully constructed authentication 
> process which concludes security at its finest I suggest you search 
> through my posts with regards to biometric three way authentication : 
> "What you got , What you know , Who you are"
>
>
> Enjoy!
>
> Regards,
> Mario A. Spinthiras
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
>
>
>
>   
Dear Isaac,

I'm glad to hear that an enforced security policy works for you. 
Fortunately or unfortunately this list is not based for the finest words 
in the English language and picking "entertaining" to describe my posts 
is definitely not a matter of intelligence.

Indeed based on that theory you have a point. Bruteforcing such a 
password would take a long long time. But then again it simply makes 
"security" within your company a procedure almost authonomous to human 
beings where it should be principle , not procedure.

That way you have a better chance of "defending" as you said when other 
cases come up requiring sensitive information but not as would be 
applicable to passwords.

Also I agree with your last phrase

No matter how much you secure your network, it will ALWAYS
be susceptible to compromise... you just have to defend as best as you can.



Indeed you are absolutely right. If employees , management , non tech staff knew our principles , they would be a lot 
better off worrying about the human error. but then again if everyone did what we do , everyone would be techs and not 
pips :)


Regards,
Mario A. Spinthiras



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------