Thursday, May 26, 2005

Meta-commentary on passwords

I just ran across Passwords and Security along with the other articles about how Microsoft says it's okay to put passwords on paper.

The one thing missing in all this discussion about how to choose and store reusable passwords is their fatal flaw -- reusability.

The problem with passwords isn't that somebody might write them down, it's that they are static, unchanging for days, weeks, months, years. Once intercepted (by a keylogger, from a buffer, in transit on the network, at the destination, etc) a "reusable password" is the ultimate definition of being vulnerable to a "replay attack".

One Time Password schemes such as SecurID (and their competition such as Safeword, Cryptocard, etc.) don't gain their vastly improved security because they take the password out of the user's hands and keep them from writing their passwords down on paper. OTPs are more secure because, while they are still passwords, they are no longer reusable passwords.

In fact, OPIE (née S/Key) is a free and very functional OTP scheme that actually encourages the user to write down (print out) a list of passwords on paper... one-time passwords which you cross off the list as you use them.
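To make the replay point concrete, here is an added example (not code from the original post, and not the actual OPIE or S/Key implementation) of the hash-chain idea behind S/Key-style one-time passwords. It assumes SHA-256 in place of the MD4/MD5-based, 64-bit-folded function the real schemes use, and hypothetical names (`generate_chain`, `paper_list`, `OtpServer`); the chain logic is what matters. The server keeps only the most recently accepted value, which cannot be used to log in, and a password that has been crossed off the paper list is rejected if presented again.

```python
"""Hash-chain one-time passwords in the style of S/Key / OPIE (simplified)."""
import hashlib
import hmac


def _step(value: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the MD4/MD5-based, 64-bit-folded
    # function real S/Key and OPIE use; the chain logic is identical.
    return hashlib.sha256(value).digest()


def generate_chain(passphrase: str, seed: str, n: int) -> list[str]:
    """Return hex strings x_0..x_n with x_0 = H(seed||passphrase), x_i = H(x_{i-1}).

    Only the user's secret passphrase and the public seed are needed to
    regenerate the chain, so the printed list can be re-created if lost.
    """
    x = _step((seed + passphrase).encode())
    chain = [x]
    for _ in range(n):
        x = _step(x)
        chain.append(x)
    return [v.hex() for v in chain]


def paper_list(chain: list[str]) -> list[tuple[int, str]]:
    """The printable list: sequence number and password, in order of use.

    x_n is handed to the server at enrollment and never typed as a password,
    so the list starts at x_{n-1} and walks back toward x_0.
    """
    n = len(chain) - 1
    return [(i, chain[i]) for i in range(n - 1, -1, -1)]


class OtpServer:
    """Stores only the last accepted value; H is one-way, so that value
    does not let anyone derive the next password the user will type."""

    def __init__(self, last_value: str, count: int):
        self.current = last_value    # x_n at enrollment
        self.remaining = count       # how many one-time passwords are left

    def verify(self, candidate: str) -> bool:
        if self.remaining == 0:
            return False             # list exhausted; user must re-enroll
        try:
            expected = _step(bytes.fromhex(candidate)).hex()
        except ValueError:
            return False             # not even well-formed
        # Accept only if H(candidate) equals the stored value; a replayed or
        # out-of-order entry hashes to something else and is rejected.
        if not hmac.compare_digest(expected, self.current):
            return False
        self.current = candidate     # advance one link down the chain
        self.remaining -= 1
        return True


def demo() -> dict[str, bool]:
    # Constructed sample: a 5-entry list for one user.
    chain = generate_chain("correct horse battery", "ex01", 5)
    server = OtpServer(chain[5], 5)
    sheet = paper_list(chain)
    first = sheet[0][1]
    return {
        "first_use_accepted": server.verify(first),
        "replay_rejected": not server.verify(first),           # crossed off
        "skipped_entry_rejected": not server.verify(sheet[3][1]),
        "next_in_order_accepted": server.verify(sheet[1][1]),
    }


if __name__ == "__main__":
    for seq, pw in paper_list(generate_chain("correct horse battery", "ex01", 5)):
        print(f"{seq:3d}  {pw[:16]}...")
    print(demo())
```

An intercepted entry from this list is useless once the server has accepted it, which is exactly the property a static password lacks; what the scheme does not protect against is an attacker who captures the passphrase and seed, since those regenerate the whole chain.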


Blogger Vin said...

You are correct, of course -- but to be *completely* accurate I suppose we also have to acknowledge that (in the absence of a one-time password or some other form of replay-resistant 2FA) long and complex passwords do offer greater resistance to automated crackers which try to retrieve the user's password from encrypted or hashed formats.

(It would make these repetitive waves of debate over authentication options a lot more intelligent if we could get IT pros to use language that acknowledges that -- like everything else in security -- there are gradients, relative degrees of security, associated with different authentication systems and different AAA technologies.)

I, like the guy from MS, don't see any logic in denying a corporate employee who has to remember 50 or 60 passwords the appropriate authorizations to write them down (and store them at least as safely as he carries his cash), or maybe to store them in an encrypted file.

If he can't write them down, any half-clueful user will find other ways to make the task manageable -- some of which (like using one password for everything, when he can) may entail additional and more dangerous risks.

Debates about authentication in isolation are fine but incomplete. To buttress any authentication system on a multi-user system, we also need (among other things;-) granular authorizations that realistically and appropriately restrict the range of privileges the user is given -- restrictions that should be based in part on the "relative" trustworthiness of the authentication process. Security ain't binary.

Token-based two-factor authentication, resistant to replay, and hopefully supported by encrypted links, is obviously the best first-line defense option -- but if you can't have that, both IT Admins and users gotta do what they gotta do, to stay sane and keep the crown jewels as safe as possible.

All these Draconian password policies -- rules about minimum complexity, and rules requiring password changes every 30 days -- are really just the IT industry's reaction to the fact that, even encrypted or hashed, stored passwords are often vulnerable to extended and table-based dictionary attacks.

(Here, the threat isn't at the user's end, it's in the host server and the network. The poor user, who typically bears the brunt of both an impossible multiple password burden and the scorn of IT pros, is ultimately the innocent here! Most of this interminable debate about passwords is CYA antics from IT managers, corporate bean-counters, and vendor reps, as they frenetically try to shift the burden of responsibility for system insecurity onto the folks who have the least control over the security model. Professionals! Bah humbug!)

Unfortunately, many enterprises have been slow to accept the idea that strong authentication is worth, per user, the cost of, say, the speakers attached to that user's PC.

Now for the consumer (and small business) universe -- ah, but for that I should wait until you offer another "meta-commentary," right?

Thanks again for your timely and sensible blog comments. They are appreciated.


Thu May 26, 05:23:00 PM CDT  
