This has piqued my interest. I have been touting the practice that
you remember a sentence that has numbers in it, like "Get knocked
down 7 times, get up 8." and then taking the first initial of each
word, using digits for numbers, and keeping in the punctuation, so
that you would get a password of: "Gkd7t,gu8." (looks pretty random,
right?) This way users can still keep their bad habits like using
their spouse's birthday, whatever, but they get a good password out
of it:
My wife Helen's birthday is May 22, 1970.
becomes
MwHbiM22,1970
I remember reading a paper where the author, a university professor,
let 1/3 of his students (in some CS 101 course) pick their own
passwords (with no instruction), told 1/3 to use randomly generated
passwords, and told the remaining 1/3 to use the above procedure. He
then ran John the ripper against all of the passwords and also kept
track of how many times the user had to call the help desk to get
their passwords reset. He found that the random passwords and the
sentence-initial-letter passwords were equal in strength, and that
users picking their own passwords and users using the sentence-
initial-letter-passwords called the help desk the same amount of
times, while the users with randomly generated passwords called the
help desk much more often. So this seems to validate the password-
from-a-sentence idea, but...
What worries me about this approach is that there might be some way
to make breaking the passwords faster using statistics about which
letters are more likely to be the first letter in a word, or that
some famous phrases from literature, TV, movies, etc. would be used
so commonly that the attacker could pre-load strings generated from
these famous phrases into his password dictionary.
Anyone know anything about this?
Daniel DeLeo
On Sep 25, 2006, at 6:17 PM, Ken Kousky wrote:
One way to discourage users from writing down passwords is to stop the
idiotic practice of expecting them to remember strong passwords - they
can't! So if you're imposing a policy of strong passwords you must
assume
they'll be written down. Strong passwords are a token.
Strong passwords, by definition can't be remembered. They have to
change
frequently and they're not to be used on multiple systems which
would expose
them to the "weakest link" syndrome.
Here's Kousky's Algorithm - we've been teaching it for five years
and it's
still better than most simple alternatives.
One option to help is to let them write them down - even tape them
to their
machines, but leave a four digit pin missing from the string. It
can be
after each capital letter in the string so what is written down is:
Kw3$34Q3@AS
But the real submitted password requires my four digit pin: 1234 be
inserted
after each capital letter ... that is, after the K goes a 1, after
the Q
goes the 2, etc.
Real submitted string is
K1w3$34Q23@A3S4
If you don't get over the crazy idea of strong passwords you're
part of the
problem. We need strong strings to submit over the wire or on a
laptop and
that can best be served by multifactor solutions.
We consider this one and a half factors. Strong factors are hard to
duplicate and you know if they're missing.
You might also check out our paper for '02 - "Strong Passwords are an
Oxymoron"
Regards
KWK
IP3 Inc.
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On
Behalf Of Mario A. Spinthiras
Sent: Monday, September 25, 2006 7:52 AM
To: MandommGmail
Cc: security-basics@securityfocus.com
Subject: Re: Security procedure question
Even so if the method i mentioned previously on this thread is
applied ,
even if the user is foolish enough to avoid or unable to understand
and
apply the theory of a password then maybe they shouldn't be working
anywhere near computers - but thankfully for the unbelievably
stupid my
method works since it applies to the following criteria:
1. Who you are (Biometric authentication)
2. What you know (The password of the unintelligent ignorant user)
3. What you have (The usb stick with the key on it)
To my opinion, any user not following a company's security policy
should
be either arrested for possible industrial espionage and/or
sabotage of
the company. The minimum impact should be his/her dismissal from the
company as an employee.
Regards,
Mario A. Spinthiras
MandommGmail wrote:
I'm concerned about a user leaving the id and password on paper
in or
near the laptop.
There is no way one can defend against a user who decides to stick a
sticky pad on his laptop and leaves his password there. The best
encryption tool does not defend against human stupidity.
Alex
----- Original Message ----- From: "Saqib Ali"
<docbook.xml@gmail.com>
To: "Brown, Sam" <sbrown@ashe.ucla.edu>; <mario@netway.com.cy>;
<lists@hwf.cc>
Cc: <security-basics@securityfocus.com>
Sent: Friday, September 22, 2006 1:26 AM
Subject: Re: Security procedure question
If you don't mind, can I ask what product you selected? There are
some
full/whole disc encryption implementations that support TPM. See the
URL for description:
http://en.wikipedia.org/wiki/
FDE#Full_disk_encryption_and_Trusted_Platform_M
odule
If your laptops are TPM enabled the full disc encryption software
can
wrap the decryption key with TPM, so the user won't have to remember
or note down an extra username/password.
On 9/20/06, Brown, Sam <sbrown@ashe.ucla.edu> wrote:
We're going to be deploying whole disk encryption to our laptops so
I am
interested in hearing how others have distributed the software
encryption ID's and passwords to users. I'm concerned about a user
leaving the id and password on paper in or near the laptop.
Sam Brown
----------------------------------------------------------------------
-----
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
----------------------------------------------------------------------
-----
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you
unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or
home
life.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----
----------------------------------------------------------------------
-----
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----
----------------------------------------------------------------------
-----
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence
in Information Security. Our program offers unparalleled Infosec
management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------
-----
---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
