http://qs1969.pair.com?node_id=27752

Here is an interesting thought. What is the most ethical way to deal with passwords to a site for use by the general public?

When dealing with an educated group of users, it is obvious that the passwords should be encrypted somehow, so that neither the outside world nor the site administrators can read the list, thus closing the temptation/possibility of someone unscrupulously reading the password list, and potentially gaining access to user accounts on another site. That is not even to mention the additional protection that this offers from crackers.

I say an educated group of users, because these are the people who won't flip out and complain if you change their password in order to allow them to resume access to the site after having lost the original. I know it sounds inane, but I have received calls before yelling at me about how I changed their password to some crazy mix of letters and numbers, and obviously, I am a complete *******.

Is it better to maintain a plain-English list of passwords on my site, allowing me to automatically send their password back to them, thus avoiding this situation?

I would have to say no. So, where to from here? ALTERNATIVES!

I think that I shall start with the obvious
Of course, these require extra overhead and longer registration forms. So, what IS the answer that I am looking for? Perhaps a long form letter explaining WHY their password is so crazy... or a redirection to a web page, that has the option to change their password on it? This is the solution that I am leaning towards at the moment. Perhaps some other monks could lend me suggestions... bearing in mind that the users that this site is aimed towards can barely turn on a shower without much help, let alone be troubled with anything more difficult than a mouse click on their computer. Also, this could be a fun thread to start suggestions of what to change the passwords to ;-)

Just Another Perl Backpacker

RE: Ethics of Passwords
by KM (Priest) on Aug 14, 2000 at 19:18 UTC
    Plaintext passwords are bad! Bad Bad Bad! I think you are on the right track with sending them to a web page (email, or user agreement) which explains why passwords given to them are 'crazy' looking, and how they can then change them themselves to the more easily cracked 'favorite color' password they are likely used to. When registering on your site, do you have a 'Write a question to help remember your password', and 'Answer' boxes? This helps people remember their passwords, as well as 'Enter your username and your password will be mailed to you' thing. Although many users are dolts, security shouldn't be loosened to accommodate them, rather tightened to protect themselves from themselves (remember, some people still have post-it notes of their passwords sticking to their monitors). Just MO :)

    Cheers,
    KM

      SOME people have their passwords on post-its? I remember a certain job I was on for the Air Farce. They had very complicated password requirements. 8 chars, upper and lower case, plus digits and special chars, etc. They would run crack every weekend and reset your password if it was easy to break. The kicker to the whole thing was the little statement at the bottom of the page. To paraphrase, it said - "We realize these requirements will make your password hard to memorize. Therefore, we recommend writing it down and keeping it in your wallet or desk drawer."
      Scary, no?
      This was, however, a restricted access network. As far as a general access network, I tend to agree with KM. I know that having an option to have your password emailed is great, but it still leaves some holes that may or may not worry you depending on what you're protecting.
      For example:
      • Being able to email a password means that it's still stored in cleartext somewhere unless you're using an encryption scheme that is reversible (not a one-way hash)
      • Emailing passwords in cleartext means that somebody could intercept them.

      Of course, security always comes at the price of usability, so if a password compromise won't cause major damage (loss of data, credibility, life) clear text may be the best solution.
        Being a member of the Air Force Reserves as well as someone who actually sits in the Base Network Control Center and changes passwords for people, I can honestly say that I have NEVER told anyone to write down their password. However, you are quite correct as to the requirements for our passwords, which are minimum 8 characters, using uppercase, lowercase, special characters, and numbers, and you need to use at least three of the four categories in your password.

        For me to actually change your password, you would have to come to the NCC in person, and present your identification card. At that point, I would instruct the person as to what the password policy is, and let them type in their own new password. Or if the person in question called and is someone who I know, and recognize their voice, I will change the password to a generic one, then force them to change it upon logging into the system.

        TStanley
        I worked for the State of Pennsylvania for a while in their student loan department, and the passwords we had to access the student files had this pattern:
        the first letter must be a letter, the second a single digit, and the rest must be a mix of upper and lower case with one punctuation mark somewhere in the mix. Passwords expired every 30 days, and they kept track of the last 30.
        Needless to say, the majority of people were not happy with these restrictions, and it was not uncommon to see someone with a sheet of paper listing all of their passwords....
RE: Ethics of Passwords
by Anonymous Monk on Aug 14, 2000 at 22:09 UTC
    Quite frankly, it scares me when I forget the password to a web-site, throw my email address in a form, and they send it to me. I mean, why would you want to do that? The person doesn't remember their password anyway, so why not assign a new one? How does it help anyone to maintain plain text (or ROT13 (or some other useless encryption method)) passwords? Just allow them the option to change it. That way if you send them the password "8%dlEi=Q" they don't have to live with that, although I would add some functionality to ensure that the password is >= 6 chars and includes >= 2(digits or special chars). Use their email and a hint to allow them to have a new password assigned.
RE: Ethics of Passwords
by ivory (Pilgrim) on Aug 14, 2000 at 23:18 UTC
    If you let them know what kind of a password is expected of them from the get-go your life will be much easier. At school, our passwords couldn't be (or contain) dictionary words, and they had to include some sort of punctuation/caps/numbers. We also couldn't use numbers as letters to form a word (e.g. m0m or d4d), and we had to change passwords frequently and couldn't use anything even similar to one we had used previously. It was kind of tough at first, but no one really complained because we knew from the start.

    Ivory

RE: Ethics of Passwords
by bastard (Hermit) on Aug 14, 2000 at 23:57 UTC
    Well, I'm not sure if there are any algorithm pairs out there that would work, but how about a public/private key pair, where you would encrypt the passwords with the public key. To check the passwords for login, you would again re-encrypt with the public key and compare the encrypted results (similar to standard hashes). The only problem, IIRC, is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.

    If you end up with a user that can't remember their password, you just decrypt it with your private key (kept in a safe place of course) and hand it back to them.

      (similar to standard hashes). The only problem, IIRC, is that public key algorithms generally don't generate the same results on the same piece of text 2 times in a row.
         That's deliberate - most PK algorithms add a salt value to the plaintext to avoid any weaknesses due to repeat-encryption. If you just do a plain PK encryption (RSA sounds like a good idea given the patent expires in about a month) then it is repeatable (for hash purposes) and decryptable given the secret key.

         If you would rather stick with something like PGP though, you could always encrypt the password when it is changed, but keep a hash of the password as well for verification.
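To make the distinction in the reply concrete, here is an added example (my code, not anything from the thread) built on a constructed toy RSA key: plain textbook encryption is repeatable, a PGP-style encryption with a random salt mixed in is not, and the stored record keeps a salted one-way hash for login checks while the escrow copy is only ever opened with the private key, as the reply suggests. The key is built from the Mersenne primes 2^61-1 and 2^89-1 purely for illustration and is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key from the Mersenne primes 2^61-1 and 2^89-1: demo only, far too small for real use.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; keep it off the web host
PW_BITS = 80                        # toy limit: passwords up to 10 bytes

def to_int(password):
    m = int.from_bytes(password.encode(), "big")
    assert m < (1 << PW_BITS), "toy key too small for this password"
    return m

def from_int(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()

def plain_pk_encrypt(password):
    """Textbook RSA: the same password always gives the same ciphertext, so it is repeatable."""
    return pow(to_int(password), E, N)

def padded_pk_encrypt(password):
    """PGP-style: a random salt is mixed in, so two encryptions of one password differ."""
    return pow((secrets.randbits(64) << PW_BITS) | to_int(password), E, N)

def pk_decrypt(ciphertext):
    """Recovery with the private key; the salt, if any, is stripped off."""
    return from_int(pow(ciphertext, D, N) & ((1 << PW_BITS) - 1))

def store(password):
    """Record as the reply suggests: a salted escrow copy plus a one-way hash for login checks."""
    salt = secrets.token_bytes(16)
    return {"escrow": padded_pk_encrypt(password), "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

def verify(record, candidate):
    """Login check uses only the hash; the private key is never needed on the login path."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 100_000)
    return hmac.compare_digest(record["hash"], h)
```

Repeatable encryption under a public key is no stronger than an unsalted hash, because anyone holding the public key can test candidate passwords against the stored value; that is why the login check here relies on the salted hash and the escrow copy is randomized.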

RE: Ethics of Passwords
by lindex (Friar) on Aug 15, 2000 at 16:30 UTC
    Well the last ISP I worked for maintained a pretty simple policy for passwords that worked out well. We randomly generated them all and never stored them. Sure the users didn't like weird long passwords but they never complained much after we explained to them how much that improves security. So it's easy:
    • Randomly generate a password on account creation
    • If password is lost, match secret phrase (mother's maiden name, etc.) and reset it with another randomly generated password.
    • Make sure you have an explanation on your page as to why your password policy is secure.

    lindex
    /****************************/ jason@gost.net, wh@ckz.org http://jason.gost.net /*****************************/
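The procedure lindex lists above, combined with KM's hint question and the anonymous monk's point that a forgotten password should be replaced rather than recovered, as an added worked example in Python (my code, not anything posted in the thread). The in-memory store, PBKDF2 hashing, the hint-answer handling and the must_change flag for the explain-and-change page are my assumptions.

```python
import hashlib
import hmac
import secrets
import string

ACCOUNTS = {}  # hypothetical in-memory store: username -> record; no plaintext anywhere
ALPHABET = string.ascii_letters + string.digits + "%=&$!#"

def generate_password(length=8):
    """Random password in the '8%dlEi=Q' style; the only copy is the one handed to the user."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_secret(secret, salt):
    """Salted one-way hash: neither the admins nor a leaked table reveal the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def create_account(username, hint_answer):
    """Random password stored only as a hash, plus the hashed secret phrase for resets."""
    salt = secrets.token_bytes(16)
    password = generate_password()
    ACCOUNTS[username] = {
        "salt": salt,
        "pw_hash": hash_secret(password, salt),
        "answer_hash": hash_secret(hint_answer.strip().lower(), salt),
        "must_change": True,  # the explanation page forces a change at first login
    }
    return password  # shown or mailed once, then forgotten by the site

def verify_login(username, password):
    acct = ACCOUNTS.get(username)
    return acct is not None and hmac.compare_digest(acct["pw_hash"], hash_secret(password, acct["salt"]))

def change_password(username, old_password, new_password):
    if not verify_login(username, old_password):
        return False
    acct = ACCOUNTS[username]
    acct["pw_hash"] = hash_secret(new_password, acct["salt"])
    acct["must_change"] = False
    return True

def reset_password(username, hint_answer):
    """Lost password: match the secret phrase, then issue a fresh random one, never the old."""
    acct = ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(
            acct["answer_hash"], hash_secret(hint_answer.strip().lower(), acct["salt"])):
        return None
    new_password = generate_password()
    acct["pw_hash"] = hash_secret(new_password, acct["salt"])
    acct["must_change"] = True
    return new_password
```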
RE: Ethics of Passwords
by Hot Pastrami (Monk) on Aug 15, 2000 at 19:15 UTC
    Here's what I'd do... one-way encrypt the users' passwords in storage, but send a one-time e-mail to their provided address which reads "Keep this message for future reference." However, one shouldn't underestimate the clever destructiveness of the generic-brand user.

    If the occasion should arise that you NEED to e-mail the user a password, and you are concerned that the user may object to "sDFf34ggR," you might have one randomly auto-generated by combining 2 or more words from a LARGE list of pre-selected words, so you'd get things like "MONKEYCHAIR" and "FRISKYPERL". Heck you could even tack a random 2-digit number on that if you want a little more security; most of the level-headed users won't complain about only TWO random digits (I know, when I say "most of the level-headed users" it is more correct to say "'both' of the level-headed users"). Such passwords are quite easy to remember.

    Alan "Hot Pastrami" Bellows
    -Sitting calmly with scissors-

      Unfortunately, this is not such a great idea. The average person has a vocabulary of between 2000 and 5000 words (I'm not totally sure about those numbers, but I'm on the same order of magnitude). So assuming you can use up to 5000 words and make things easy to remember (which is the whole point), that gives you a search space of 25,000,000. That would be crackable in minutes. Adding two random digits increases the search space by a factor of 100. That gives you 2,500,000,000 passwords to check, which is checkable in an hour or two at the most.

      Bottom line is, dictionary words never make secure passwords. English text only has about 1.5 bits of entropy per letter. At work, we strongly discourage our users from using dictionary words from any language.

      -Mark
      mlogan@ccs.neu.edu

RE: Ethics of Passwords
by randomblue (Beadle) on Aug 15, 2000 at 18:19 UTC
    A desktop admin at a place where I used to work had a lovely scheme for default passwords: a sequence of four digits, followed by a licence-plate-type combination of letters from the user's first and/or last name.

    So, for example, a user with the name Andrew Johnston would be given a default password of 0714jstn or aw9901Jn, or 28drej82, etc.

    Sure, it's not exactly as secure as a fully random password, but it's easier to remember, not as likely to be changed to 'nameofgirlfriend', and still pretty hard to guess -- especially if a couple of $'s or &'s were to be thrown in.

      While I was stuck in traffic last night staring at license plates I thought of this post. This is likely a bad idea for a password scheme. Why? Because anyone who knows the scheme can more easily crack a password. If I know you will be using 0-9 in four places, and letters from a name for the rest, I know that if the name is Sam Jones there are only 17 (10 numbers 7 letters, since the s is repeated) possible characters per place, with only 4 of them being digits. So if the password was between 8 and N places, you can do the math to see the finite number of possibilities. And, as some of us know, people don't change easy to remember default passwords unless they are forced to :)

      Cheers,
      KM

        You're right, of course.

        But I should have clarified my thoughts. Notice how I mentioned sticking non-alphanumeric characters into the mix? The scheme I mentioned would not work if it were used precisely every time. But I think it's a good general idea for generating passwords, at least for low-risk access, like desktop workstations in the marketing department.

        Take a pseudo-random mix of letters that's pronounceable or has a meaningful association in case it's forgotten, and add several arbitrary numbers that have a pattern (like 6786 or 1641), stick in a punctuation mark or two, and you have a decent, hard-to-break password. But that's just common sense, I guess.

        Of course, arbitrary-length passphrases are so much better and easier to remember...
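Mark's arithmetic on word-based passwords and KM's count for the name-based default, carried through as an added example (my code, not from the thread) that puts the schemes discussed side by side as search-space size, bits and worst-case guessing time. The guessing rate is an assumed constant chosen to match the "minutes" and "hour or two" figures above; the 94-character printable alphabet for the fully random case is also my assumption.

```python
import math

GUESSES_PER_SECOND = 500_000  # assumed offline guessing rate; roughly what Mark's timings imply

def entropy_bits(space):
    """Search-space size in bits (for comparison: English prose is about 1.5 bits per letter)."""
    return math.log2(space)

def crack_hours(space, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate tried once at the assumed rate."""
    return space / rate / 3600

def word_scheme(vocab=5000, words=2, trailing_digits=0):
    """MONKEYCHAIR-style passwords: words drawn from a list, optional random digit suffix."""
    return vocab ** words * 10 ** trailing_digits

def name_scheme_symbols(name):
    """KM's pool for the name-based default: the ten digits plus the distinct letters of the name."""
    return 10 + len({c.lower() for c in name if c.isalpha()})

def name_scheme(name, length):
    """Upper bound as KM reasons it: every position drawn from that pool."""
    return name_scheme_symbols(name) ** length

def random_scheme(alphabet=94, length=8):
    """Fully random password over printable ASCII."""
    return alphabet ** length

def compare(name="Sam Jones", length=8):
    """(label, candidates, bits, hours) for the schemes discussed in the thread."""
    schemes = {
        "two dictionary words": word_scheme(),
        "two words + 2 digits": word_scheme(trailing_digits=2),
        f"digits + letters of {name!r}": name_scheme(name, length),
        f"random {length} printable chars": random_scheme(length=length),
    }
    return [(label, n, round(entropy_bits(n), 1), round(crack_hours(n), 2))
            for label, n in schemes.items()]

if __name__ == "__main__":
    for label, n, bits, hours in compare():
        print(f"{label:34} {n:>22,d} {bits:6.1f} bits {hours:>16,.2f} h")
```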

RE: Ethics of Passwords
by She-wolf (Sexton) on Aug 16, 2000 at 19:07 UTC
    I know this is a Perl site but I'm going to give a Java answer that I just found.
    I recently found a JavaScript password utility on javascript.internet.com. It has an admin page where you can input passwords and users as well as pages that info will redirect them to. You press a button to produce the necessary code and it automatically encrypts the password and page redirect name. If nothing else, you can look at it and try to figure out how it does the encryption and then reads the inputted version and matches it to the encrypted version.
    Like I said, a Java solution but it might help make your ethical question moot.
    She-wolf
    "Wha? I don't get it."
      Can you give an exact URL? I would NEVER EVER do any password creation with JavaScript, but would like to take a look at the script to see how holey it is.

      Cheers,
      KM

        http://javascript.internet.com/passwords/login-coder.html

        She-wolf
        "Wha? I don't get it."