Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The company I work for used to have password criteria of a minimum of 8 characters with your typical one number, one upper case and one special character, and you couldn't use dictionary words or anything that resembled a phrase, but now we have gone to a minimum of 18 characters and we can now use phrases.
So I would like to ask the experts on security: what is more secure?
I'm not a security expert but I have been running Linux a long time and I can tell you that an 8 or 18 character password (regardless of how many upper and lower case letters and numbers are used) is just the tip of the iceberg:
There are other things like machine hardening to consider for protecting your company servers.
-Set a BIOS password
-Implement a firewall
-Encrypt the drives
-Create an encryption password and engage in the practice of further machine hardening.
Neither are secure, now that you've posted them on the internet.
Short passwords, 8 characters as an example, are no longer secure. It doesn't matter how "well hidden" your secret word is, or even how random it is. Common computers can now easily go through all possible printable ASCII character combinations when there's only a small number of them. Short passwords are simply brute-forced, no cracking sophistication like dictionary lookup is needed any more.
I use random passwords now, generated by a password wallet program - in my case, KeePassX, but there are others. And never the same password for two different functions/websites. I start off with 30 characters, including everything possible, but sometimes have to back that down to something shorter as some websites won't accept passwords of that length.
The downside is, I don't know my own passwords. That's a plus for security, but a negative if your device that runs the password wallet is unavailable. You could export and print your passwords from the wallet and store them in your safe as a backup.
As far as your original question, I don't think either of your two example passwords are any good. The first one, I can easily recognize how you tried to obscure the text "password" in there. If I can see that, a cracker program can see it faster. Your second example is longer, but it's a very common phrase. Just like in Wheel Of Fortune, if someone saw only
betwxxxxxxxockxxxxxaxxxrdxxlxxe
They'd be able to guess the entire phrase easily. Once you have the basic phrase, your simple letter substitutions would be trivial to crack.
Use a long-ish phrase, but make it a nonsense phrase. Something like "Worm rock single submerged Nigeria rocket hair" Without the spaces, and with some letter-for-letter substitutions. Chances are you could remember that phrase, as nonsensical as it is, but it's doubtful anyone else would easily come up with that jumble of words.
While I can't tell you exactly how secure or insecure your two password examples are, I can tell you what's sub-optimal about them.
There are a number of criteria to evaluate the strength of a password. The simplest is how difficult a brute force attack is, which is not necessarily a true evaluation, but can be illustrative for comparing. In a pure brute force attack every possible combination is attempted. So, the math is fairly simple. If you select characters from a population of lower case and upper case letters, numbers and 10 special characters then your population consists of 72 characters. So, the number of possible combinations that make up a password is 72 to the password length power. In other words, compare your two passwords. The 8 character password has 72 to the 8th possibilities. Your 18 character password has 72 to the 18th possibilities, a much larger number. Again this is not the final, true strength, there are other factors involved. But it is good for an initial comparison.
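To put numbers on the 72-to-the-n comparison in the post above, and on haertig's point that a recognisable structure (a dictionary word with letter substitutions and a digit suffix) is searched far faster than its raw length suggests, here is an added Python example. It is not code from the thread. The 100,000-word dictionary, the 7776-word passphrase list, the 10^9 guesses per second rate and the shape of the "structured" model are assumptions chosen for illustration, not measured values.

```python
import math

# Alphabet from the post above: 26 lower + 26 upper + 10 digits + 10 specials = 72.
ALPHABET = 26 + 26 + 10 + 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a pure brute-force attack must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """log2 of the candidate count: how many bits the attacker has to guess."""
    return math.log2(candidates)


def days_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / 86400


def random_passphrase_keyspace(words: int, list_size: int) -> int:
    """A passphrase of `words` words drawn uniformly from a list of `list_size`."""
    return list_size ** words


def structured_keyspace(dictionary_size: int, leet_slots: int,
                        capitalisation_choices: int, digit_suffix_len: int,
                        special_chars: int, special_positions: int) -> int:
    """Candidates for 'dictionary word + leet tweaks + digits + specials'.

    Models how a cracker attacks something shaped like !P@$$w0rd342!: pick a
    base word, substitute (or not) each leet-able letter, choose a
    capitalisation, append digits, wrap in special characters. Every
    parameter is an assumption for the model, not a measured value.
    """
    return (dictionary_size
            * capitalisation_choices
            * 2 ** leet_slots                 # each slot substituted or not
            * 10 ** digit_suffix_len
            * special_chars ** special_positions)


def compare() -> dict:
    """Bits of guessing work for the cases discussed in the thread."""
    brute_8 = keyspace(ALPHABET, 8)
    brute_18 = keyspace(ALPHABET, 18)
    # !P@$$w0rd342! is 13 characters. Brute force would treat it as 72**13,
    # but the structured search below is what a cracker actually runs.
    brute_13 = keyspace(ALPHABET, 13)
    structured_13 = structured_keyspace(
        dictionary_size=100_000,      # assumed wordlist size
        leet_slots=4,                 # a->@, s->$, s->$, o->0
        capitalisation_choices=2,     # 'p' or 'P'
        digit_suffix_len=3,           # 342
        special_chars=10,             # the 10 specials of the 72-char alphabet
        special_positions=2)          # leading and trailing '!'
    # A 7-word phrase from a 7776-word list (Diceware-sized, assumed).
    phrase_7 = random_passphrase_keyspace(7, 7776)
    return {
        "brute_8_bits": entropy_bits(brute_8),
        "brute_18_bits": entropy_bits(brute_18),
        "brute_13_bits": entropy_bits(brute_13),
        "structured_13_bits": entropy_bits(structured_13),
        "random_phrase_7_bits": entropy_bits(phrase_7),
        "brute_8_days_at_1e9_per_s": days_to_exhaust(brute_8, 1e9),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:28s} {value:12.2f}")
```

Under these assumptions the 13-character "!P@$$w0rd342!" shape carries about 38 bits of real work, less than a uniformly random 8-character password (about 49 bits), while seven random words from a 7776-word list give about 90 bits without any symbol substitutions at all. The numbers move with the assumed dictionary and guess rate, but the ordering is the point.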
Quote:
Originally Posted by haertig
As far as your original question, I don't think either of your two example passwords are any good. The first one, I can easily recognize how you tried to obscure the text "password" in there. If I can see that, a cracker program can see it faster.
But it's all about time, right? For example, if my password was !P@$$w0rd342! it would take less time to crack than !P@$$342w0rd!
Quote:
Originally Posted by haertig
Your second example is longer, but it's a very common phrase.
And that's what I don't understand from the company: why just add more characters when now I can do phrases but before I couldn't? And I did just like you said, I made my own phrase with still some randomness.
Quote:
Originally Posted by frankbell
Generally, the longer the password, the more secure it is.
I agree, but then again if I can do phrases as in my example then what's the point of a longer password? All I did was prolong the inevitable, so I'm not any more secure than using my old example password.
Whenever I come across a limit on the maximum length of a password (that's below something sensible like 256 characters) I always think "They need to fire their security officer right now". There is no reason at all to have a maximum length under something like 256 so storage of enormous passwords doesn't become an issue.
That said, I think it should be assumed that passwords will be found and systems put in place to limit any damage caused by that -- for OS logins that usually means tight user permissions and decent backups, for example, and for websites such as Amazon they monitor IP addresses versus orders and lock the account if they see something suspicious (I know, they locked my account when I ordered some expensive earphones on my phone).
For more security there are also smart cards, tokens and USB dongles -- all three of which I use for various systems at work -- to give two-factor authentication. I have to say though that losing them is a real pain, especially if the replacement process is long-winded, and it can lead to leavers' tokens being kept around "just in case", which is a security risk in and of itself.
The new password rules are for a Windows machine. I suggested we use the tokens we already have, as you said, for two-factor authentication; hopefully it doesn't fall on deaf ears, but then again I am just a number.
One place I worked we had tokens where you needed to enter a 4-digit PIN to get the code -- another layer of security again, but it could be annoying if somebody forgot their code. The tokens they use where I am now are RSA and just keep generating numbers every thirty seconds (or something like that). I think the infrastructure for tokens like that could be pricey and I get the impression smart cards are cheaper and easier to implement, but I could be wrong.
No matter what the password-length, the entropy of any password is negligible.
Actually, I suggest that your company should consider moving away from passwords (alone ...) altogether, and to adopt some form of two-factor authentication.
For instance, every employee might carry a key-fob that, when pressed, generates a six-digit number. You enter that number (immediately ...) when you log in, because, in a minute or so, that number will have changed. No matter what your password currently is, it must be accompanied by a number generated very-recently by a fob that you alone are in possession of.
"Two-factor authentication" relies on (1) something that you know, and (2) something that you possess.
- - -
In addition:
All internal authentication (i.e. "system-to-system") should use some "central authority" ... LDAP (MS-OpenDirectory), or Kerberos. They should not use "passwords" to authenticate with one another. Rather, the secure central authority knows who they are and what they are allowed to do, and every piece of software consults it.
For instance: an internal web-server or file-server or database(!) does not ask for a password, and no passwords are embedded into anything. Instead, LDAP (say) provides trustworthy authentication of the machine ("who you are"), and trustworthy authorization ("what you can do"), without the use of "shared secrets" of any sort.
Likewise, once you're "in," you're not asked for additional passwords of any sort: it's already known who you are and what you can do. Passwords are not necessary.
"Road Warriors" should use VPN that is secured by unique digital certificates, not "PSKs = Passwords." Each certificate is assigned uniquely to only one computer and may not be used to initiate more than one session at a time. It is password-protected (encrypted) as a further safeguard against unauthorized use. If any computer is lost or stolen, its certificate is revoked, and its access "drops dead." Even if one knows how to decrypt the certificate, it can never again be used. A successful VPN connection takes them to ... a portal where they must enter their user-id, password, and the current number on their fob.
Last edited by sundialsvcs; 01-24-2017 at 03:22 PM.
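The key-fob described in the post above (a six-digit number that changes every short interval and must be entered alongside the password) is the TOTP scheme of RFC 6238, built on HOTP from RFC 4226. As an added example, not code from the thread or from any vendor's token, here is a Python implementation of both the fob side and the server side, including the tolerance window a server must allow for clock drift and a guard against accepting the same code twice. The secret is the RFC 6238 test-vector key; the one-step tolerance and the in-memory replay record are assumptions of this example.

```python
import hmac
import hashlib
import struct
import time

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"). A real
# deployment uses a random per-user secret provisioned to the fob or app.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: float, step: int = STEP_SECONDS) -> int:
    """Which 30-second interval the clock is in; this is the HOTP counter."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: float) -> str:
    """What the fob displays: HOTP with the current time step as the counter."""
    return hotp(secret, time_step(unix_time))


class TotpVerifier:
    """Server side. `window` steps either side of 'now' tolerates clock drift;
    `last_step` makes every code single-use so a captured code cannot be
    replayed inside its validity period (the mechanism is this example's
    assumption; RFC 6238 recommends the behaviour but not the implementation).
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, submitted: str, unix_time: float = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        centre = time_step(now)
        for step in range(centre - self.window, centre + self.window + 1):
            # Constant-time compare so timing does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                if step <= self.last_step:
                    return False      # already used, or older than a used code
                self.last_step = step
                return True
        return False


def replay_demo() -> tuple:
    """Same code submitted twice within its window: accepted, then rejected."""
    v = TotpVerifier(SECRET)
    return v.verify("287082", 59), v.verify("287082", 70)


if __name__ == "__main__":
    print("fob shows", totp(SECRET, time.time()))
```

The verifier accepts a code from the previous or next step (the fob's clock and the server's are never perfectly aligned) but never the same step twice, which is the check an off-the-shelf token server performs for you. Note that this covers the "something you possess" factor only; the password remains the "something you know", exactly as the post above describes.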