Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Ethics of Passwords

by Nitsuj (Hermit)
on Aug 14, 2000 at 19:01 UTC ( #27752=perlmeditation: print w/replies, xml ) Need Help??

Here is an interesting thought. What is the most ethical way to deal with passwords to a site for use by the general public?

When dealing with an educated group of users, it is obvious that the passwords should be encrypted somehow, so that neither the outside world, nor the site administrators can read the list, thus closing the temptation/possibility of someone unscrupulously reading the password list, and potentially gaining access to user accounts on another site. That is not to even mention to additional protection that this offers from crackers.

I say an educated group of users, because these are the people who won't, flip out and complain if you change their password in order to allow them to resume access to the site after having lost the original. I know it sounds inane, but I have recieved calls before yelling at me about how I changed their password to some crazy mix of letters and numbers, and obviously, I am a complete *******.

Is it better to maintain a plain-english list of passwords on my site, allowing me to automatically send them their password back to them, thus avoiding this situation?

I would have to say no. So, where to from here? ALTERNATIVES!

I think that I shall start with the obvious
  • Birthdate
  • Mother's maiden name
  • Some backup password
  • Names of rock stars
  • @#$^$^#%^# (Profanities)
Of course, these require extra overhead and longer registration forms. So, what IS the answer that I am looking for? Perhaps a long form letter explaining WHY their password is so crazy... or a redirection to a web page, that has the option to change their password on it? This is the solution that I am leaning towards at the moment. Perhaps some other monks could lend me suggestions... bearing in mind that the users that this site is aimed towards can barely turn on a shower without much help, let alone be troubled with anything more difficult than a mouse click on their computer. Also, this could be a fun thread to start suggestions of what to change the passwords to ;-)

Just Another Perl Backpacker

Replies are listed 'Best First'.
RE: Ethics of Passwords
by KM (Priest) on Aug 14, 2000 at 19:18 UTC
    Plaintext passwords is bad! Bad Bad Bad! I think you are on the right track with sending them to a web page (email, or user agreement) which explains why passwords given to them are 'crazy' looking, and how they can then change them themselves to the more easily cracked 'favorite color' password they are likely used to. When regsitering on your site, do you have a 'Write a question to help remember your password', and 'Answer' boxes? This helps people remember their passwords, as well as 'Enter your username and your password will be mailed to you' thing. Although many users are dolts, security shouldn't be loosened to accommodate them, rather tightened to protect themselves from themselves (remember, some people still have post-it notes of their passwords sticking to their monitors). Just MO :)

    Cheers,
    KM

      SOME people have their passwords on post-its? I remember a certain job I was on for the Air Farce. They had very complicated password requirements. 8 chars, upper and lower case, plus digits and special chars, etc. They would run crack every weekend and reset your password if it was easy to break. The kicker to the whole thing was the little statement at the bottom of the page. To paraphrase, it said - "We realize these requirements will make your password hard to memorize. Therefore, we reccommend writing it down and keeping it in your wallet or desk drawer."
      Scary, no?
      This was, however, a resctricted access network. As far as a general access network, I tend to agree with KM. I know that having an option to have your password emailed is great, but it still leaves some holes that may or may not worry you depending on what you're protecting.
      For example:
      • Being able to email a password means that it's still stored in cleartext somewhere unless you're using an encryption scheme that is reversible (not a one-way hash)
      • Emailing passwords in cleartext means that somebody could intercept them.

      Of course, security always comes at the price of usability, so if a password compromise won't cause major damage (loss of data, credibility, life) clear text may be the best solution.
        Being a member of the Air Force Reserves as well as someone
        who actually sits in the Base Network Control Center and
        changes passwords for people, I can honestly say that I have
        NEVER told anyone to write down their password. However, you
        are quite correct as to the requirements for our passwords,
        which are minimum 8 characters, using uppercase, lowercase,
        special characters, and numbers, and you need to use at least
        three of the four categories in your password.

        For me to actually change your password, you would have to come
        to the NCC in person, and present your identification card. At that
        point, I would instruct the person as to what the password policy is,
        and let them type in their own new password. Or if the person in question called
        and is someone who I know, and recognize their voice, I will change the password,
        to a generic one, then force them to change it upon logging into the system.


        TStanley
        I worked for the State of Pennsylvania for a while in their student loan department, and the passwords we had to access the student files had this pattern:
        the first letter must be a letter, the second a single digit, and the rest must be a mix of upper and lower case with one punctuation mark somewhere in the mix. Passwords expired every 30 days, and they kept track of the last 30.
        Needless to say, the majority of people were not happy with these restrictions, and it was not uncommon to see someone with a sheet of paper listing all of their passwords....
RE: Ethics of Passwords
by Anonymous Monk on Aug 14, 2000 at 22:09 UTC
    Quite frankly, it scares me when I forget the password to a web-site, throw my email address in a form, and they send it to me. I mean, why would you want to do that? The person doesn't remember their password anyway, so why not assign a new one? How does it help anyone to maintain plain text (or ROT13 (or some other useless encryption method)) passwords? Just allow them the option to change it. That way if you send them the password "8%dlEi=Q" they don't have to live with that, although I would add some functionality to ensure that the password is >= 6 chars and includes >= 2(digits or special chars). Use their email and a hint to allow them to have a new password assigned.
RE: Ethics of Passwords
by ivory (Pilgrim) on Aug 14, 2000 at 23:18 UTC
    If you let them know what kind of a password is expected of them from the get-go your life will be much easier. At school, our passwords couldn't be (or contain) dictionary words, and they had to include some sort of punctuation/caps/numbers. We also couldn't use numbers as letters to form a word (e.g. m0m or d4d), and we had to change passwords frequently and couldn't use anything even similar to one we had used previously. It was kind of tough at first, but no one really complained because we knew from the start.

    Ivory

RE: Ethics of Passwords
by bastard (Hermit) on Aug 14, 2000 at 23:57 UTC
    Well, i'm not sure if there are any algorithm pairs out there that would work, but how about a public/private key pair, where you would encrypt the passwords with the public key. To check the passwords for login, you would again re-encrypt with the public key and compare the encrypted results (similar to standard hashes, The only problem, IIRC is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.)

    If you end up with a user that can't remember their password, you just decrypt it with you private key (kept in a safe place of course). And hand it back to them.

      (similar to standard hashes, The only problem, IIRC is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.)
         That's deliberate - most PK algorithms add a salt value to the plaintext to avoid any weaknesses due to repeat-encryption. If you just do a plain PK encryption (RSA sounds like a good idea given the patent expires in about a month) then it is repeatable (for hash purposes) and decryptable given the secret key.

         If you would rather stick with something like PGP though, you could always encrypt the password when it is changed, but keep a hash of the password as well for verification.

RE: Ethics of Passwords
by lindex (Friar) on Aug 15, 2000 at 16:30 UTC
    Well the last ISP I worked for maintained a pretty simple
    policy for passwords that worked out well.
    We randomly generated them all and never stored them.
    Sure the users didnt like weird long passwords but they never
    complained much after we explained to them how much that improves security.
    so its easy:
    • Randomly generated a password on account creation
    • If password is lost, match secret phrase (mother maiden name, etc ..)
      and reset it with another randomly genereated password.
    • Make sure have a explanation on your page as to why you password policy is secure.



    lindex
    /****************************/ jason@gost.net, wh@ckz.org http://jason.gost.net /*****************************/
RE: Ethics of Passwords
by Hot Pastrami (Monk) on Aug 15, 2000 at 19:15 UTC
    Here's what I'd do... one-way encrypt the users' passwords in storage, but send a one-time e-mail to their provided address which reads "Keep this message for future reference." However, one shouldn't underestimate the clever destructiveness of the generic-brand user.

    If the occasion should arise that you NEED to e-mail the user a password, and you are concerned that the user may object to "sDFf34ggR," you might have one randomly auto-generated by combining 2 or more words from a LARGE list of pre-selected words, so you'd get things like "MONKEYCHAIR" and "FRISKYPERL". Heck you could even tack a random 2-digit number on that if you want a little more security; most of the level-headed users won't complain about only TWO random digits (I know, when I say "most of the level-headed users" it is more correct to say "'both' of the level-headed users"). Such passwords are quite easy to remember.

    Alan "Hot Pastrami" Bellows
    -Sitting calmly with scissors-

      Unfortunately, this is not such a great idea. The average person has a vocabulary of between 2000 and 5000 words (i'm not totally sure about those numbers, but i'm on the same order of magnitude). So assuming you can use up to 5000 words and make things easy to remember (which is the whole point), that gives you a search space of 25,000,000. That would be crackable minutes. Add on two random digits increases the search space by a factor of 100. That gives you 2,500,000,000 passwords to check, which is checkable in an hour or two at the most.

      Bottom line is, dictionary words never make secure passwords. English text only has about 1.5 bits of entropy per letter. At work, we strongly discourage our users from using dictionary words from any language

      -Mark
      mlogan@ccs.neu.edu

RE: Ethics of Passwords
by randomblue (Beadle) on Aug 15, 2000 at 18:19 UTC
    A desktop admin at a place where I used to work had a lovely scheme for default passwords: a sequence of four digits, followed by a licence-plate-type combination of letters from the user's first and/or last name.

    So, for example, a user with the name Andrew Johnston would be given a default password of 0714jstn or aw9901Jn, or 28drej82, etc.

    Sure, it's not exactly as secure as a fully random password, but it's easier to remember, not as likely to be changed to 'nameofgirlfriend', and still pretty hard to guess -- especially if a couple of $'s or &'s were to be thrown in..

      While I was stuck in traffic last night staring at license plates I thought of this post. This is a likely bad idea for a password scheme. Why? Because anyone who knows the scheme can more easily crack a password. If I know you will be using 0-9 in four places, and letters from a name for the rest, I know that if the name is Sam Jones there are only 17 (10 numbers 7 letters, since the s is repeated) possible characters per place, with only 4 of them being digits. So if the password was between 8 and N places, you can do the math to see the finite number of possabilites. And, as some of us know, people don't change easy to remember default passwords unless they are forced to :)

      Cheers,
      KM

        You're right, of course.

        But I should have clarified my thoughts. Notice how I mentioned sticking non-alphanumeric characters into the mix? The scheme I mentioned would not work if it were used precisely every time. But I think it's a good general idea for generating passwords , at least for low-risk access, like desktop workstations in the marketing department.

        Take a pseudo-random mix of letters that's pronounceable or has a meaningful association in case it's forgotten, and add several arbitrary numbers that have a pattern (like 6786 or 1641), stick in a punctuation mark or two, and you have a decent, hard-to-break password. But that's just common sense, I guess.

        Of course, arbitrary-length passphrases are so much better and easier to remember...

RE: Ethics of Passwords
by She-wolf (Sexton) on Aug 16, 2000 at 19:07 UTC
    I know this is a Perl site but I'm going to give a Java answer that I just found.
    I recently found a Javascript password utility on javascript.internet.com. It has an admin page where you can input passwords and users as well as pages that info will redirect them to. You press a button to produce the necessary code and it automatically encrypts the password and page redirect name. If nothing else, you can look at it and try to figure out how it does the encryption and then reads the inputed version and matches it to the encrypted version.
    Like I said, a Java solution but it might help make your ethical question moot. She-wolf "Wha? I don't get it."
      Can you give an exact URL? I would NEVER EVER do any password creation with JavaScript, but would like to take a look at the script to see how holey it is.

      Cheers,
      KM

        http://javascript.internet.com/passwords/login-coder.html

        She-wolf
        "Wha? I don't get it."

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlmeditation [id://27752]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (4)
As of 2022-09-28 09:00 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    I prefer my indexes to start at:




    Results (124 votes). Check out past polls.

    Notices?