Should we write passwords down? Sure, say Netgear and Microsoft...
freak 2005-06-09, 11:24 am
As posted on www.infosecweb.com:
This from slashdot.org:
quote: Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy-to-guess password everywhere. From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it... If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Here's a link to this "theory"...
quote: Contrary to much "expert" advice, there is very little risk in writing down passwords. In fact, years from now you may discover you need them to access old files.
The above is from Netgear's Guide to Internet Security.
Whose side are these people on, anyway? This is the most ludicrous junk I have come across in a long time. The bottom line is that what we need to do is train our users (which is rule #1 of InfoSec) and responsibilize them into using their brain instead of a piece of paper...
I cannot believe that Microsoft, of all companies, considering the bad name they have when it comes to security, would advocate this sort of behavior. The bottom line is that for most companies out there, a user ID and pw combo is the one and only mode of authentication in use. It is almost criminal to allow users to write passwords down, because we all know that they will not secure that piece of paper. God forbid they were taught how to use their heads instead. Son of a gun, if you hired an employee who can't remember an 8-character password, then chances are, you shouldn't have hired them in the first place! This is ridiculous. This is catering to the lowest common denominator because the alternative requires strong vision, a willingness to do the right thing even if it means going against the natural grain.
Last I checked, employees worked for corporations - not the other way around. Enough pretending that they need to be babied. They need to do the job they have been assigned to do, and are getting paid to do, and they have to do it in the manner that the company deems appropriate - or they can seek alternate employment.
So there.
(Not that this topic annoys the crap out of me, or anything...)
acruth7284 2005-06-09, 1:27 pm
Well, time to bust out my pad o' paper again, because we all know that Microsoft never makes mistakes.
good one
But seriously, this is so ludicrous to me. Scary, even, because instead of training users the way they should be trained, we are enabling them to be mediocre and threaten network security everywhere. Let's face it: crackers are already smart enough. They don't need the help.
Freak,
how do you commit new passwords to memory, and how many different passwords do you deal with at work and home, along with user name(s)?
I use passphrases to create passwords, to help memorize them. I use keys inside of those passwords to reuse the same random core for different purposes. And I trained my brain to remember passwords because that's the point of a password: to remain a secret.
Passwords are like underwear: you shouldn't share them, you shouldn't leave them lying around in public, and you should change them regularly.
maxmax79 2005-06-09, 4:53 pm
quote: Originally posted by freak
Passwords are like underwear: you shouldn't share them, you shouldn't leave them lying around in public, and you should change them regularly
True, but how do you enforce a policy to not write down passwords? Do you make regular trips to offices and cubicles and look for post-it notes on the monitors and under the keyboards? Also, it has been my experience that the higher up the food chain you go in a company, the worse this situation gets. The higher-ups are not going to want to put in place a policy that punishes people like themselves.
I am not a wrench turner. I work as a consultant. In other words, I create the security policies - including the password policy - for companies. I advise them on what they should do. It is their job to enforce their policies, as it should be.
I do run a fair amount of vulnerability assessments for banks, medical practices, credit unions, hospitals, etc., during which I do walk around the organization's space and look for such occurrences. With their blessing, I also run password cracking utilities to verify that the user base does indeed deploy acceptable passwords per their password policy...
mir92 2005-06-09, 10:59 pm
Freak,
can you give an example of this in practice?
quote: Originally posted by freak
I use passphrases to create passwords, to help memorize them. I use keys inside of those passwords to reuse the same random core for different purposes. And I trained my brain to remember passwords because that's the point of a password: to remain a secret.
Passwords are like underwear: you shouldn't share them, you shouldn't leave them lying around in public, and you should change them regularly
enforcer 2005-06-10, 6:58 am
quote: Originally posted by freak
Passwords are like underwear: you shouldn't share them, you shouldn't leave them lying around in public, and you should change them regularly
But surely you have an underwear drawer to keep them in when you are not using them?
Farrell 2005-06-10, 1:16 pm
quote: Originally posted by mir92
Freak,
can you give an example of this in practice?
Computers make yo brain hurt n yo fingers ache. --> cmybhnyfa624.!
maxmax79 2005-06-10, 4:29 pm
quote: Originally posted by freak
I am not a wrench turner. I work as a consultant. In other words, I create the security policies - including the password policy - for companies. I advise them on what they should do. It is their job to enforce their policies, as it should be.
I see... You come in and fill the executives' heads with grand ideas, come up with some plans that would be easy to implement and impossible to enforce, and then you laugh all the way to the bank!
quote: Originally posted by freak
I do run a fair amount of vulnerability assessments for banks, medical practices, credit unions, hospitals, etc., during which I do walk around the organization's space and look for such occurrences. With their blessing, I also run password cracking utilities to verify that the user base does indeed deploy acceptable passwords per their password policy...
Can you give us some examples of the software you use to crack passwords? Any free ones?
curiousgeorge 2005-06-10, 7:23 pm
Pass phrases are just that - phrases... except with a twist.
Usually you substitute certain letters for numbers, e.g. 1 instead of i, 3 instead of e, or 0 (zero) instead of o (letter o).
An easy phrase to remember: I love beer
Translated into a password: 1l0v3b33r
You are so cool
Urs0c00L
It is June
1t1sJun3
Babies druel
B@b13sdru3l
Get it?
We use pass phrases for everything.
btw, with HIPPA and SOX now law, banks and hospitals don't allow outside consultants to run password cracking utilities, even for a vulnerability assessment. It makes all of the legally protected information available to people who legally do not have any right to view it. That only opens them up to a lawsuit from anyone who finds out they allowed that to be done. Outside consultants run network vulnerability assessments and security audits, but they don't actually hack a machine.
A good lock-out policy needs to be enforced as well as a good password policy.
quote: I am not a wrench turner. I work as a consultant.
That reminds me of the commercial where two consultants are telling an exec about a large technical improvement that needs to be put in place. The exec says "That sounds great. When can you begin?". The two consultants look at each other, then reply, "We don't actually know how to DO what we propose." Beware of any "consultant" who doesn't know how to enforce the policies they suggest.
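The two derivations shown in this thread, the letter-for-symbol substitution above and the first-letter acrostic in Farrell's reply ("Computers make yo brain hurt n yo fingers ache." --> cmybhnyfa624.!), implemented in Python as an added example. This is not code from anyone in the thread; the substitution table (i->1, e->3, o->0, a->@) is an assumption reconstructed from the examples 1l0v3b33r, 1t1sJun3 and B@b13sdru3l (Urs0c00L also uses phonetic shortening, which is not modelled), and the `unsubstitute` helper is added to make a defender's point: a fixed substitution rule is exactly as easy to undo as to apply, so the derived string is only as hard to guess as the phrase it came from.

```python
# Added example: passphrase-to-password derivations as described in the thread.
# SUBSTITUTIONS is an assumption reconstructed from the posted examples.
SUBSTITUTIONS = {"i": "1", "e": "3", "o": "0", "a": "@"}
REVERSE = {symbol: letter for letter, symbol in SUBSTITUTIONS.items()}


def substitute(phrase: str) -> str:
    """Drop whitespace and swap each mapped letter for its look-alike symbol.

    Case of unmapped letters is preserved ("It is June" -> "1t1sJun3").
    """
    out = []
    for ch in phrase:
        if ch.isspace():
            continue
        out.append(SUBSTITUTIONS.get(ch.lower(), ch))
    return "".join(out)


def unsubstitute(password: str) -> str:
    """Invert substitute(): the rule is mechanical, so anyone who knows it
    recovers the underlying dictionary phrase in one pass."""
    return "".join(REVERSE.get(ch, ch) for ch in password).lower()


def acrostic(phrase: str, suffix: str = "") -> str:
    """Keep the first letter of every word (lower-cased) and append a
    user-chosen suffix of digits/punctuation, as in Farrell's example."""
    initials = "".join(word[0] for word in phrase.split() if word[0].isalpha())
    return initials.lower() + suffix


if __name__ == "__main__":
    for phrase in ("I love beer", "It is June", "Babies druel"):
        pw = substitute(phrase)
        print(f"{phrase!r:20} -> {pw:14} (undone: {unsubstitute(pw)})")
    print(acrostic("Computers make yo brain hurt n yo fingers ache.", "624.!"))
```

Running the block reproduces the three mechanical examples from the post and Farrell's acrostic; the `unsubstitute` column shows that the "twist" adds no secrecy of its own, which is why the suffix and the length of the underlying phrase carry the weight.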
kalex 2005-06-12, 10:52 am
Was fortunate enough to attend an excellent presentation by Bruce Schneier (author of Applied Cryptography, CTO of Counterpane Internet Security, and publisher of a most excellent free newsletter, Crypto-Gram) earlier this year, and he said basically that yes, if you're too dumb to remember your password, by all means write it down on a piece of paper and stick it in your wallet. His reasoning? A hacker isn't likely to steal your wallet, and anyone who finds your lost wallet isn't likely to be a hacker. Just don't be so dumb as to write your passwords down on Post-It sticky notes and stick them on your monitor or the bottom of your keyboard.
marathoner 2005-06-12, 12:54 pm
The point I take is that if you give users really strong passwords and train them never to write them down and never to use the same one for different things, they will forget the ones they don't use daily and you will incur support expenses in password recovery. (GREAT FOR US, but not likely to make the biz owners happy; it's a non-revenue expense for them.)
Employees don't really CARE about security like the owners and security people do. They care about keeping their jobs and getting work done fast to impress the boss. If security is breached, it's not their problem, especially if the co. had a crappy sec. policy to begin with and it's not really their fault. And owners CARE, but they don't understand things.
How productive could you be in the physical world if you had to open six padlocks just to get to your desk, and you are not allowed to carry the keys, you have to keep them hidden somewhere the sun don't shine?
If you have a strong password like
%Ux98-~p0Il<&
it is not a matter of being dumb to remember it. What makes it strong is precisely that no one can guess it, and no one can remember it even if they see it.
OTOH, having an open MS Word doc file called "my passwords" on any computer in the network is not so good either.
Retinal scans anyone?
freak 2005-06-13, 11:25 am
quote: Originally posted by curiousgeorge
btw, with HIPPA and SOX now law, banks and hospitals don't allow outside consultants to run password cracking utilities, even for a vulnerability assessment. It puts all of the legally protected information available to people who legally do not have any right to view it. That only opens them up to a lawsuit for anyone who finds out they allowed that to be done. Outside consultants run network vulnerability assessments and security audits, but they don't actually hack a machine.
A good lock-out policy needs to be enforced as well as a good password policy.
That reminds me of the commercial where two consultants are telling an exec about a large technical improvement that needs to be put in place. The exec says "That sounds great. When can you begin?". The two consultants look at each other, then reply, "We don't actually know how to DO what we propose." Beware of any "consultant" who doesn't know how to enforce the policies they suggest.
The Act is called HIPAA, not HIPPA. This said, most consultants who create policies and run VAs and RAs do NOT implement them, simply because it goes AGAINST the point of hiring them in the first place, which is separation of duties. This concept is of primordial importance, especially when it comes to GLBA or SOX.
The bottom line is that as a shop, you have to decide what services you will provide: security consulting, or implementation. You cannot do both for the same client, as that would be a direct violation of the above-mentioned principle of separation of duties. The Feds sure don't like it. And it makes sense! If you set up a network and its defenses, why should you be the one evaluating it? That responsibility should clearly fall on someone else.
enforcer 2005-06-13, 11:41 am
quote: Originally posted by marathoner
Retinal scans anyone?
NO THANKS!!!
don't want anyone ripping my eyeballs out, just so they can log on to my PC.
curiousgeorge 2005-06-13, 9:38 pm
You're confusing implementation with administration. As a consultant you should be formulating a security strategy, implementing it, then executing knowledge transfer to the client to show them how to administer it after you're gone. That's what Professional Services divisions do in major companies. That's why I say beware of any consultant who's not a wrench turner.
But I just had to call you out on hacking into computers at banks and hospitals just to make sure password policies were being used. Other than that being a violation of HIIPA and SOX, you would be able to verify the same information through a normal security audit. But I guess you'd have to be a wrench turner to know that.
mssilver94 2005-06-14, 7:31 am
I once had a lengthy argument w/ a manager of a well-known ISP re: their policy to publish customers' passwords. I objected strenuously to this unwarranted and unauthorized breach of my system security. They publish them through written letters to customers and on their in-house tech computer screens for each customer's account. This Earthlink employee saw no security violation and had the audacity to suggest passwords need frequent change.
Well, frequent password changes are unrealistic -- I live an iLife, and have numerous, numerous accounts that must be protected. Password security is a problem under these circumstances, which provides an opportunity for an entrepreneurial type to come up with a solution. In the meantime, I maintain tight reins on my network (stealth to ping attempts) and stay away from questionable sites.
If anyone has suggestions about what more I can do to ratchet down my network, please advise.
Thanks.
_______
Common sense: Not common enough.
quote: Originally posted by curiousgeorge
You're confusing implementation with administration. As a consultant you should be formulating a security strategy, implementing it, then executing knowledge transfer to the client to show them how to administer it after you're gone. That's what Professional Services divisions do in major companies. That's why I say beware of any consultant who's not a wrench turner.
But I just had to call you out on hacking into computers at banks and hospitals just to make sure password policies were being used. Other than that being a violation of HIIPA and SOX, you would be able to verify the same information through a normal security audit. But I guess you'd have to be a wrench turner to know that.
Again, it's not HIIPA, it's HIPAA. Before you try and give others lessons, make sure you get the basics straight.
Furthermore, I used to be a wrench turner working as a network engineer for many years. It's just that there is no money in that line of work anymore. Not to mention that it is fun to look at new horizons.
Finally, when I run a VA or an RA, the deliverables that I hand to my clients include not only the findings, but also a step-by-step way to fix them. For example, if the TCP/IP stack on a server is not hardened, that part of the report shows them what registry keys should have been present and how to palliate the issue.
My point is that I do not go in and enter those registry keys on their servers.
As for "hacking" servers, again you are using the wrong term. I do not hack boxes that belong to my clients unless I am hired to run a penetration test. Hell, they even give me a full admin user account to use for the time it takes to run the VA. There's no need to hack. The point I was making before you took it upon yourself to attack me - one more time, I might add... you really must have some big inferiority complex. It's quite pathetic - is that if you are going to deploy a password policy that includes strong passwords, it is a good idea as an organization to run regular audits to make sure that the policy is being taken seriously by the employees. Whether the org itself runs the password cracking utilities, or whether they hire us to run them for them monthly, is a different matter. It's a simple issue of defining the appropriate scope of work.
Once again, you have accomplished nothing more than butting into a conversation about a topic you only know a little about, to try and place a personal attack. I thought we were beyond that by now. Don't you have some computer lab to oversee, college IT guy?
Farrell 2005-06-14, 5:49 pm
quote: Originally posted by freak
Again, it's not HIIPA, it's HIPAA. Before you try and give others lessons, make sure you get the basics straight.
Furthermore, I used to be a wrench turner working as a network engineer for many years. It's just that there is no money in that line of work anymore. Not to mention that it is fun to look at new horizons.
Finally, when I run a VA or an RA, the deliverables that I hand to my clients include not only the findings, but also a step-by-step way to fix them. For example, if the TCP/IP stack on a server is not hardened, that part of the report shows them what registry keys should have been present and how to palliate the issue.
My point is that I do not go in and enter those registry keys on their servers.
As for "hacking" servers, again you are using the wrong term. I do not hack boxes that belong to my clients unless I am hired to run a penetration test. Hell, they even give me a full admin user account to use for the time it takes to run the VA. There's no need to hack. The point I was making before you took it upon yourself to attack me - one more time, I might add... you really must have some big inferiority complex. It's quite pathetic - is that if you are going to deploy a password policy that includes strong passwords, it is a good idea as an organization to run regular audits to make sure that the policy is being taken seriously by the employees. Whether the org itself runs the password cracking utilities, or whether they hire us to run them for them monthly, is a different matter. It's a simple issue of defining the appropriate scope of work.
Once again, you have accomplished nothing more than butting into a conversation about a topic you only know a little about, to try and place a personal attack. I thought we were beyond that by now. Don't you have some computer lab to oversee, college IT guy?
He does have a point though -- it's a lot easier to suggest the rules than to enforce them. However, you as an advisor cannot enforce the rules; you can merely suggest what should be done and let the department enforce it. If everyone is not involved in security, then there will be a problem.
curiousgeorge 2005-06-14, 10:41 pm
From your last post, it makes me wonder if you even know what a password policy is. A password policy isn't an announcement handed out in a memo. It's a computer policy that is enforced whether the user base likes it or not. That said, why would you need to run a password cracking utility on a machine just to see if the user base is taking the password policy seriously? And if you're the consultant who came up with the security policy, why didn't you suggest a lockout policy that keeps password cracking utilities from being run on machines, require long passwords, regular changing of passwords, inability to use the last x number of passwords, and require passwords to meet complexity requirements?
If you run a basic security audit, you can pick up on all of those items. And there would not be a need to run password cracking utilities on machines because a good security policy would prevent them from running in the first place.
And please don't tell me all you do is run a utility that performs a VA on each server, then just hand the results over to them. My security guy runs the same utility on all of our servers once a quarter. You are right. It does give a detailed description of how to fix the vulnerabilities. If that's all you do, you should be ashamed. The utility only takes about 5 minutes to run against each server.
First you're not a wrench turner, then you were a wrench turner for years. Then you aren't an implementer, then you are. You seem to change your stance if you feel it gives you an out when confronted with a question. Your lack of real-world experience is very apparent.
I'll go back to managing my team of engineers on my 3,500-node network with over 100 servers. And you go back to your home-based test lab of 4 computers. I can't stand noobs who haven't spent one day administering a production environment trying to act like they have years of expert experience. Just keep teaching. That's where you belong.
I can, therefore I do.
I cannot, therefore I teach.
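The post above lists the controls a technically enforced password policy carries: a lockout threshold, a minimum length, regular changes, no reuse of the last x passwords, and complexity requirements. The following Python is an added example of such a policy enforced in code rather than in a memo; it is not code from anyone in this thread or from any product they mention. The thresholds (12 characters, 3 of 4 character classes, last 5 passwords, 90 days, 5 failed attempts), the PBKDF2 parameters and the per-account salt are illustrative assumptions, and the sample passwords in the demo are constructed from the phrase examples earlier in the thread.

```python
# Added example: a password policy enforced in code (length, complexity,
# history, maximum age, lockout). Thresholds and hashing parameters are
# illustrative assumptions, not values from the thread.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3        # of lower / upper / digit / symbol
    history_size: int = 5       # current + previous hashes that may not be reused
    max_age_days: int = 90
    max_failed_attempts: int = 5


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)          # newest hash first
    last_changed: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    # One salt per account, so hashes kept in the history stay comparable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def character_classes(password: str) -> int:
    """Count how many of the four classes appear at least once."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


def check_new_password(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if character_classes(candidate) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    digest = _hash(candidate, account.salt)
    if any(hmac.compare_digest(digest, old) for old in account.history[:policy.history_size]):
        problems.append(f"matches one of the last {policy.history_size} passwords")
    return problems


def set_password(policy: PasswordPolicy, account: Account, candidate: str) -> list:
    """Apply the policy; on success record the new hash and reset the age clock."""
    problems = check_new_password(policy, account, candidate)
    if problems:
        return problems
    account.history.insert(0, _hash(candidate, account.salt))
    del account.history[policy.history_size:]
    account.last_changed = datetime.now(timezone.utc)
    return []


def password_expired(policy: PasswordPolicy, account: Account, now: datetime = None) -> bool:
    """True once the current password is older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    return now - account.last_changed > timedelta(days=policy.max_age_days)


def attempt_login(policy: PasswordPolicy, account: Account, password: str) -> bool:
    """Verify against the current hash; lock the account after repeated failures."""
    if account.locked or not account.history:
        return False
    if hmac.compare_digest(_hash(password, account.salt), account.history[0]):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= policy.max_failed_attempts:
        account.locked = True
    return False


if __name__ == "__main__":
    policy, acct = PasswordPolicy(), Account()
    print("1l0v3b33r:", set_password(policy, acct, "1l0v3b33r"))          # rejected
    print("Urs0c00L-June2005!:", set_password(policy, acct, "Urs0c00L-June2005!"))
    print("reuse:", set_password(policy, acct, "Urs0c00L-June2005!"))     # rejected
    for _ in range(policy.max_failed_attempts):
        attempt_login(policy, acct, "wrong-guess-0!")
    print("locked after failures:", acct.locked)
```

The history check works because every hash for the account uses the same salt; the lockout is what makes online guessing against this account expensive, and the length and class rules are what the thread's leet-substituted phrases such as 1l0v3b33r fail (nine characters, two classes), which is the mechanical version of the audit the poster describes.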
enforcer 2005-06-15, 6:24 am
CG and Freak, take your blossoming romance out of the forum please.
Amen, brother.
Someone please let me know when the grown-ups have come back in the room and the children have been sent to bed (or back to their Playstations and X-boxes) where they belong. Sheesh.
Yawn.
No worries, Enforcer. I made my point a long time ago. CG can say what he wants; it's not like anyone is fooled by his belligerent attitude.