Passwords Suck!

As many readers may be aware, there was recently a series of “attacks” against some folks in the security industry. Details are light, but it appears that someone compromised one system (say, a blog), obtained the password, and then used that same password to compromise other systems (say, an email account).

I have been meaning to post on this since I often find myself signing up for various on-line things (porn, bittorrent sites, and of course my “Breaking 2 Electric Boogaloo” fan club group), but I have a poor memory, so I use the same password everywhere (in case you are curious it is hoff1, or chrishoff1 if it requires more than 5 characters). I realized, of course, that if I use that same password/username to access some backwoods, hillbilly site, that site could be compromised, and the nefarious interlopers would then have my access credentials for a whole host of systems.

Well, I thought I had better change my behavior, but I was stuck with the same problem of having to remember multiple passwords, which became a pain, so I switched to passphrases to deal with my memory issues. Passphrases are easier to remember, have higher entropy, and are more secure? Well, that isn’t completely true, but hey, 1 out of 3 ain’t bad. MSFT has some good discussion on passwords vs. passphrases (here), (here), and (here).

OK, so they are easier to remember. Let’s test this out using passwords…

System 1  (this blog) password = hoff1

System 2 (my email) password = choffis2

System 3 (my other email) password = choffis3

System 4 (my bank) password = choffis@ss (need this one to be real secure)

See, I quickly forget which is which, and I am stuck with the problem of having to periodically reset them, which then screws up my whole game plan.

Quick anecdote: While I was with Gartner I was talking to one of the largest school districts in the country. At the time they had implemented a very draconian password policy: 8 characters minimum, must include alphanumerics, must be reset every 60 days, can never reuse a password, account locks out after 3 bad attempts, etc. The user population was, for the most part, only part-time computer users and was really struggling to come up with creative passwords for their various systems; additionally, several of the faculty were found writing their passwords down so they could remember them. Bueller, anyone?

The result was a 40% increase in technical support calls to perform password resets (no, they had not yet implemented single or reduced sign-on, and no, they had not yet implemented a mechanism for users to provision themselves or reset their own passwords). This was impacting budget and costing real hard dollars, and they experienced no material improvement in access control security; in fact, they probably created more opportunities for compromise than they removed.

Anyway let’s see what happens when I switch to passphrases…

System 1  (this blog) password = hoffistheman

System 2 (my email) password = hoffisthemanforhotmail

System 3 (my other email) password = hoffisthemanforyahoomail

System 4 (my bank) password = hoffisthemanforallmybankingneeds

Although this doesn’t do much for my security, it does offer some benefits: 1) it is a lot easier to remember; 2) if I need to make a change or reset, I can simply change everything from “istheman” to “isnttheman” and I still achieve goal #1; and 3) if someone compromises system 1 they are not automatically granted access to system 2, unless of course they have read this blog posting (the site name is the only thing that changes, so one leaked passphrase gives away the pattern).
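To put numbers on the “higher entropy?” question and on benefit #3, here is an added example (not code from the original post; the author describes no tooling) that scores the passwords and passphrases quoted above, shows how an attacker who has seen one “for<site>” passphrase guesses the next, and then derives per-site passwords from a single memorised secret with HMAC-SHA256 so that a leak from one site reveals nothing about the others. The master secret, site names and the 10,000-word dictionary size are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import math
import string

# Passwords and passphrases quoted in the post above, used here as sample input.
POST_PASSWORDS = {"blog": "hoff1", "email": "choffis2",
                  "other email": "choffis3", "bank": "choffis@ss"}
POST_PASSPHRASES = {"blog": "hoffistheman", "email": "hoffisthemanforhotmail",
                    "other email": "hoffisthemanforyahoomail",
                    "bank": "hoffisthemanforallmybankingneeds"}


def brute_force_bits(password: str) -> float:
    """Bits an attacker must search if all they know is the length and the
    character classes in use (the optimistic, 'policy checker' view of entropy)."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def dictionary_bits(word_count: int, dictionary_size: int) -> float:
    """Bits for a passphrase the attacker models as a sequence of common words
    ('hoff is the man for hotmail' is 6 words, not 22 random letters)."""
    return word_count * math.log2(dictionary_size)


def guess_sibling(known_password: str, known_site: str, target_site: str) -> str:
    """What an attacker does with the 'for<site>' scheme once one passphrase
    leaks: swap the site name and try the result on the next site."""
    return known_password.replace(known_site, target_site)


def per_site_password(master_secret: str, site: str, length: int = 20) -> str:
    """Derive a per-site password from one memorised secret with HMAC-SHA256.
    A leaked derived password reveals neither the master secret nor any other
    site's password, because HMAC is keyed and one-way; the visible pattern
    that guess_sibling() exploits is gone. (Assumed scheme, not the post's.)"""
    tag = hmac.new(master_secret.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


if __name__ == "__main__":
    for site, pw in POST_PASSPHRASES.items():
        print(f"{site:12s} {pw:34s} {brute_force_bits(pw):6.1f} bits by charset")
    print("6 common words from a 10k-word dictionary:",
          round(dictionary_bits(6, 10_000)), "bits")
    leaked = POST_PASSPHRASES["email"]
    print("leaked", leaked, "-> guess for Yahoo:", guess_sibling(leaked, "hotmail", "yahoomail"))
    for site in ("hotmail", "yahoomail", "bank"):
        print(f"HMAC-derived for {site:10s}: {per_site_password('hoffistheman', site)}")
```

The charset estimate flatters the passphrases (22 lowercase letters look like 103 bits) while a word-list attacker sees closer to 80 bits, and once one passphrase has leaked the others cost one substitution each. The HMAC derivation keeps the single memorised secret the post wants without the guessable suffix; in practice you still have to handle sites that reject the `+` and `/` characters base64 can produce, and you cannot rotate one site’s password without changing the master or adding a per-site counter, which is why a password manager (as the comments below suggest) is usually the more practical route.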

In the end passwords suck: they do little for security and create a lot of headaches, which of course is why even people in security tend to reuse the same password. In the 60’s hippie chicks rallied around a “burn your bra” mantra; perhaps it is time for a “burn your password” mantra. OK, I can rally around the bra thing, but as useless as passwords or passphrases are, we are still at their mercy for most of our computing practices.


15 thoughts on “Passwords Suck!”

  1. For Mac users out there I recommend 1Password. It allows me to use extremely strong passwords (for my banking accounts, for example, I use different 32 digit totally random passwords) and not worry about keeping them straight. They have an iPhone version that is a start, as well as an online repository that provides a place to store everything (and is protected behind two very strong passwords).

    KeePass is almost as good on Windows to do largely the same thing.

    Is this a panacea? Nope. But it does make it harder to perform a brute force or library attack against my key accounts.

  2. @ Mike

    Great point, man. There are a host of 3rd party password managers; although, as Mike mentions, not a panacea, they can be really useful. Some of them, like 1Password, are actually easier than entering a password since it adds a button to the Safari toolbar.

  3. Methinks your passwords suck for other reasons 😉

    When I made that comment on Twitter about passwords re: Shimmy’s predicament, I’ll bet at least 10% of folks sheepishly said to themselves “Self, I really *do* need to stop using the same password for everything…”

    It’s always the little things that undo you…

    /Hoff

  4. Pingback: hoffistheman

  5. Pingback: Network Security Blog » My password is amritrules

  6. Breaking 2 was a ripoff, man – gotta go foundational on that and stick with the original. 😉

    I used to have the 3-tiered password approach –

    .My “secure” site pw (complex and changed often)
    .A throwaway pw for sites I’ll likely never visit again
    .An often-used relatively strong one for sites I visited regularly (email, Susanna Hoff fan club.)

    Then I went through the same thought process you relate in this blog entry – so I second Mike’s password manager idea –

    In fact, I _don’t even know_ my passwords for 99.44% of the sites I visit.

    I run my password manager from an Ironkey that I can access from most systems (get that full Mac support up Ironkey!) and also has their Tor based secure sessions network loaded in Firefox.

    Worst case scenario, if I can’t access one of my multiple copies of the password database, I can always do a password reset.

    As a second tier thing, whenever I sign up for a site I use a unique email alias for that site. That way, I can also get a heads up on any compromised or un-privacy-minded sites if email starts coming in to that alias. (Hello, Careerbuilder??)
    Time will tell if I’m over the top on that one, but what the hey.

  7. There’s a few assumptions that I would challenge.

    1) Is it really bad to write down passwords? For a home user, no, not really, unless you don’t trust those who have access to your home or safe. For corporate users, maybe. Especially if they keep the password near their computer or office.

    This can take the form of “digitally writing” them down in a PasswordSafe type of app. Ask any IT dept where they keep their passwords. They certainly don’t try to memorize them all, they write them down!

    Then, like physical locks, we’re only talking about key control. Whether you’re talking key control for passwords, tokens, ID cards, or lock keys, we still don’t remove any challenges by switching away from passwords.

    2) Is it really bad to reuse passwords? I would counter that it is not necessarily all that bad. I sign up for 5 porn sites, 3 forums that I’ll never post more than 5 times on, and other sites just to get access or post comments. Must they all be different? If I value all of those sites very low, and relatively equally low, I can get away with using some dumpy password for them all. Hell, I should value any and all forums extremely low, since they are notoriously attacked.

    For my banks and other valuable accounts? I use often-unique passwords which I change occasionally. And rather than try to complicate my life by memorizing them, I write them down and store them safely.

    Passwords do suck, but I think they suck far less than any alternatives we have right now. At least with passwords, my main challenge is the universal challenge of key control. That at least keeps my life simple, without getting aggravated about such little things.

  8. @lonervamp

    Well I challenge your challenges

    1. If a home user only has to access his accounts from home, then sure, write them down, wallpaper the bathroom with 57hytx87* if you want. The problem is that people like to access their accounts from work, on the road, in their hotel room, from the corner Starbucks, and sometimes from the backseat of an El Camino while war driving with a Pringles can antenna, which means they would have to carry them around, which means they will lose them or have them stolen. Another problem is that, I don’t know about you, but I can barely keep track of really important documents, like my taxes, so unless I keep my passwords next to the computer in a box labeled “passwords” or something I will lose them.

    2. Yes, it is bad to reuse passwords because you are a. bound to make a mistake and use that password for something you care about and/or b. cracking that password and compromising more than 1 crappy site means that I increase the chances that I can find out more information about you, perhaps an email address I wasn’t aware of or your home # or address or a link to that picture you really wouldn’t want anyone to see.

    Is any of this that big a deal? Depends: if someone breaks one of your passwords and uses it to deface your blog, post confidential or intimate information about your personal life and demean you publicly, then it matters more than if it doesn’t even happen.

    But in any case there are tools that can do this for you, so it is kind of a moot point.

  9. Not to say I think I’m right or anything, but I thought it fair game enough to challenge those assumptions. 🙂

    RE: 1.1 – You’re right. If I had to bank from work, I might be out of luck if I don’t recall my password. But that’s where things like reminders or password remailing helps. Even one of the best pieces of advice, PasswordSafe, isn’t really good enough if someone is on a system they don’t control and can’t extract their passwords.

    Then again, I might challenge that by that time (or sooner!) they shouldn’t be accessing such places from such networks/systems.

    Or if they need to and do so often enough, they will remember the password or use some mnemonic to better remember it.

    What if someone writes them down, but has zero context with them, for instance a piece of paper with but three things on it: password123***, passwordABCdef, password098765. If I drop that slip and you find it, does it do you much good? Did you inherently know one was my work domain admin account?

    Sadly, these examples do start to break down in how practical or realistic they are with “normal” people. Slip of paper often? Put it in wallet! …With a business card that has my gmail address and workplace on it that password 1 goes to…doh!

    RE: 1.2 Oh, I do keep my passwords written down nearby, in a journal. Sort of my backup to PasswordSafe. Obviously it is not labeled as such, but if you’re consistent with what you do with passwords, you don’t need obvious notes.

    RE: 2: I agree with you. That’s why I would suggest valuing the accounts and how important they are. If I sign up for 5 forums all using the same dumpy user/pass combo, if you crack one and then can own all 5, I don’t really care. But yes, you’re right, maybe I slipped up and left some juicy tidbit behind. However, that’s a different issue and likely public info regardless of the state of the password.

    But ok, let’s say I’m out of parries and passwords suck. What is better? 🙂

    In the end, I will say passwords leave a lot to be desired, but so does so much else in life, including password alternatives. I think passwords are here to stay and am quite happy with them.

  10. For Mac home users using 1Password is the best solution as already mentioned.

    For ebanking I just use a txt file encrypted with AES-256 which has the passwords and other important information (ebanking related).

    However, guys, brute-forcing a bank account is a fantastic scenario. We’re not talking about sshd here. After 3 failed attempts you’re locked out and the user is notified by phone call and/or email.

    At least, that’s what happens in Greece 🙂

  11. @ lonervamp

    One of the problems with password reset and/or mailing the new/old password is that I, as an attacker, can use it to screw with you, through a DoS via account lockout or by owning your email and then locking you out of your own account. I actually believe this happened to PDP or Shimel, I forget which.

  12. I agree with ya, but I’m not sure what can be better.

    That might beget a discussion on whether usernames should be considered private information, especially if I could dos you like that. 🙂 Don’t look at me, I don’t know why you get the “Your password has been reset” email every 2 minutes!

  13. Pingback: The 11 Worst Ideas in Security « Amrit Williams Blog
