So, as many readers may be aware, there was recently a series of “attacks” against some folks in the security industry. Although details are light, it appears that someone was able to compromise one system – say a blog – obtain the password, and then use that same password to compromise other systems – say an email account.
I have been meaning to post on this since I often find myself signing up for various on-line things (porn, BitTorrent sites, and of course my “Breaking 2 Electric Boogaloo” fan club group), but I have a poor memory, so I use the same password everywhere (in case you are curious, it is hoff1, or chrishoff1 if it requires more than 5 characters). I realized, of course, that if I use that same password/username to access some backwoods, hillbilly site, that site could be compromised, and now the nefarious interlopers would have my access credentials for a whole host of systems.
Well, I thought I had better change my behavior, but I was stuck with the same problem of having to remember multiple passwords, which became a pain, so I switched to passphrases to deal with my memory issues. Passphrases are easier to remember, have higher entropy, and are more secure? Well, that isn’t completely true, but hey, 1 out of 3 ain’t bad – MSFT has some good discussion on passwords vs. passphrases (here), (here), and (here).
OK, so they are easier to remember; let’s test this out using passwords...
System 1 (this blog) password = hoff1
System 2 (my email) password = choffis2
System 3 (my other email) password = choffis3
System 4 (my bank) password = choffis@ss (need this one to be real secure)
See, I quickly forget which is which, and I am stuck with the problem of having to periodically reset them, which then screws up my whole game plan.
Quick anecdote: While I was with Gartner I was talking to one of the largest school districts in the country. At the time they had implemented a very draconian password policy – must be 8 characters minimum, must include alphanumeric characters, must be reset every 60 days, can never use the same password twice, account would lock out after 3 bad password attempts, etc. Anyway, the user population was, for the most part, only part-time computer users and were really struggling to come up with creative passwords for their various systems; additionally, they found several of the faculty were writing the passwords down so they could remember them – Bueller, anyone? The result was a 40% increase in technical support calls to perform password resets (no, they had not yet implemented single or reduced sign-on, and no, they had not yet implemented a mechanism for users to provision themselves or reset their own passwords). This was impacting budget and was costing real hard dollars, and they experienced no material improvement in security access controls; in fact, they probably created more opportunities for compromise than they removed.
Anyway, let’s see what happens when I switch to passphrases…
System 1 (this blog) password = hoffistheman
System 2 (my email) password = hoffisthemanforhotmail
System 3 (my other email) password = hoffisthemanforyahoomail
System 4 (my bank) password = hoffisthemanforallmybankingneeds
Although this doesn’t do much for my security, it does offer some benefits: (1) it is a lot easier to remember; (2) if I need to make a change or reset, I can simply change everything from “istheman” to “isnttheman” and I achieve goal #1; and (3) if someone compromises system 1 they are not automatically granted access to system 2, unless of course they have read this blog posting.
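To put numbers on the entropy question above and on benefit #3, here is an added Python example (mine, not the author's) that scores the credentials listed in this post under two attacker models and then shows how much of each passphrase a single compromise gives away; the per-passphrase word counts and the 5000-word dictionary are assumptions.

```python
import math
import string

# Constructed sample set: the (joke) credentials listed in the post, keyed by system.
PASSWORDS = {"blog": "hoff1", "email": "choffis2",
             "email2": "choffis3", "bank": "choffis@ss"}
PASSPHRASES = {"blog": "hoffistheman", "email": "hoffisthemanforhotmail",
               "email2": "hoffisthemanforyahoomail",
               "bank": "hoffisthemanforallmybankingneeds"}
# Assumed word counts per passphrase ("hoff is the man for hotmail" = 6 words).
WORD_COUNTS = {"blog": 4, "email": 6, "email2": 6, "bank": 9}

def charset_size(secret):
    """Alphabet size a blind brute-force attacker must assume from the classes present."""
    size = 0
    if any(c.islower() for c in secret): size += 26
    if any(c.isupper() for c in secret): size += 26
    if any(c.isdigit() for c in secret): size += 10
    if any(c in string.punctuation for c in secret): size += len(string.punctuation)
    return size

def brute_force_bits(secret):
    """Guess space in bits if the attacker knows only the length and character classes."""
    return round(len(secret) * math.log2(charset_size(secret)), 1)

def word_model_bits(n_words, dictionary_size=5000):
    """Guess space in bits if the attacker knows it is n_words from a dictionary (assumed size)."""
    return round(n_words * math.log2(dictionary_size), 1)

def common_prefix(secrets):
    """Longest prefix shared by all secrets: what one compromise reveals about the rest."""
    shortest = min(secrets, key=len)
    for i, ch in enumerate(shortest):
        if any(s[i] != ch for s in secrets):
            return shortest[:i]
    return shortest

def residual_bits_after_leak(secrets):
    """Bits left in each secret once the shared prefix is known: {system: (suffix, bits)}."""
    prefix = common_prefix(list(secrets.values()))
    result = {}
    for system, secret in secrets.items():
        suffix = secret[len(prefix):]
        result[system] = (suffix, brute_force_bits(suffix) if suffix else 0.0)
    return result

if __name__ == "__main__":
    for system in PASSWORDS:
        print(f"{system:7} password   {brute_force_bits(PASSWORDS[system]):6} bits (brute force)")
        print(f"{system:7} passphrase {brute_force_bits(PASSPHRASES[system]):6} bits (brute force), "
              f"{word_model_bits(WORD_COUNTS[system]):6} bits (word model)")
    print("shared prefix:", common_prefix(list(PASSPHRASES.values())))
    print("residual after one leak:", residual_bits_after_leak(PASSPHRASES))
```

The blog passphrase is the shared prefix itself, so once any one of the others leaks it is fully known, and the bank passphrase keeps only its "forallmybankingneeds" suffix against an attacker who has read this post.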
In the end, passwords suck: they do little for security and create a lot of headaches, which of course is why even people in security tend to reuse the same password. In the ’60s, hippie chicks rallied around a “burn your bra” mantra; perhaps it is time for a “burn your password” mantra. OK, I can rally around the bra thing, but as useless as passwords or passphrases are, we are still at their mercy for most of our computing practices.