LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-27-2008, 01:21 PM   #1
kenhtanaka
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Rep: Reputation: 0
Password checking has room for improvement


I'm hoping that the password checking code will be improved. I have a number of systems (most are Red Hat Enterprise Linux Client 5.1) to generate passwords for on a regular basis because of password aging, and it seems that halfway through changing my passwords one of the systems complains that my password is too simplistic/systematic.

I develop an algorithm so I can use the same approach on all the systems, helping me to remember or recreate the password mentally as needed, yet producing a unique password for each system, meeting all the recommended upper/lower/number/punctuation/no-dictionary-word requirements. I just had a system reject ><21+]\';P-]|P[}CdefbgT for being too simplistic/systematic! Maybe the "def" part is too easy to guess? What a hindrance to productivity--back to the drawing board. (I posted the sample password since I abandoned that algorithm. I've also had to abandon algorithms that create 30-50 character passwords too.)

Another knowledgeable user suggests that a shorter password is less likely to trip the "systematic" pattern detector in the passwd utility. So instead of focusing on secure passwords that are different from any I have used before, the incentive is shifting to do the minimum that will pass.

Last edited by kenhtanaka; 02-27-2008 at 01:25 PM. Reason: Tried to get rid of smilie in password
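The poster's guess that the "def" run is what tripped the checker can be made concrete. The Python below is an added illustrative example, not the passwd/cracklib code the post complains about: a small policy checker that counts character classes and flags runs of consecutive characters (stepping by +1 or -1 in code point), applied to the sample password from the post. The thresholds MIN_LENGTH, MIN_CLASSES and MAX_RUN are assumptions chosen for the illustration.

```python
import string

# Illustrative thresholds (assumptions for this example, not passwd's real values).
MIN_LENGTH = 8
MIN_CLASSES = 3   # of upper / lower / digit / punctuation
MAX_RUN = 3       # a run of this many consecutive code points ("def", "321") is flagged


def character_classes(password: str) -> set:
    """Set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def longest_sequential_run(password: str):
    """Return (length, substring) of the longest run whose code points step by +1 or -1
    in one direction, e.g. 'def' or '321'."""
    best_len, best_end = 1, 0
    run, direction = 1, 0
    for i in range(1, len(password)):
        step = ord(password[i]) - ord(password[i - 1])
        if step in (1, -1):
            if step == direction:
                run += 1          # run continues in the same direction
            else:
                run, direction = 2, step   # new run starts with this pair
        else:
            run, direction = 1, 0
        if run > best_len:
            best_len, best_end = run, i
    return best_len, password[best_end - best_len + 1:best_end + 1]


def check_password(password: str) -> list:
    """Return the list of policy complaints; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(f"uses only {len(classes)} of {MIN_CLASSES} required character classes")
    length, seq = longest_sequential_run(password)
    if length >= MAX_RUN:
        problems.append(f"contains the sequential run '{seq}' ({length} characters)")
    return problems


if __name__ == "__main__":
    # The sample password from the post, as a raw string so the backslash survives.
    print(check_password(r"><21+]\';P-]|P[}CdefbgT"))
```

Run against the post's sample, this checker passes the length and class requirements and complains only about the run "def", which is the kind of verdict a sequence detector produces regardless of how much entropy the rest of the string carries; whether the real checker on that system used this rule is not something the thread establishes.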
 
Old 02-27-2008, 01:37 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 377
Quote:
Originally Posted by kenhtanaka
I'm hoping that the password checking code will be improved. I have a number of systems (most are Red Hat Enterprise Linux Client 5.1) to generate passwords for on a regular basis because of password aging, and it seems that halfway through changing my passwords one of the systems complains that my password is too simplistic/systematic.

I develop an algorithm so I can use the same approach on all the systems, helping me to remember or recreate the password mentally as needed, yet producing a unique password for each system, meeting all the recommended upper/lower/number/punctuation/no-dictionary-word requirements. I just had a system reject ><21+]\';P-]|P[}CdefbgT for being too simplistic/systematic! Maybe the "def" part is too easy to guess? What a hindrance to productivity--back to the drawing board. (I posted the sample password since I abandoned that algorithm. I've also had to abandon algorithms that create 30-50 character passwords too.)

Another knowledgeable user suggests that a shorter password is less likely to trip the "systematic" pattern detector in the passwd utility. So instead of focusing on secure passwords that are different from any I have used before, the incentive is shifting to do the minimum that will pass.
Hello kenhtanaka, welcome to LQ!!!

FYI, there's a checkbox option to disable smilies when you make your post. Also, please keep in mind that resurrecting dead threads is something we aren't fond of here at LQ. Instead, you could start a new thread and maybe reference the dead one in your post. Of course, that isn't practical in some cases and we do treat resurrections on a case-by-case basis. Anyhow, I've moved your post to a thread of its own and I look forward to a great discussion.
 
Old 02-27-2008, 06:54 PM   #3
tredegar
LQ 5k Club
 
Registered: May 2003
Location: London, UK
Distribution: Debian "Jessie"
Posts: 6,087

Rep: Reputation: 407
Passwords.

Don't get me started. Well you have done so, so here goes....

[Rant]

I work in what is supposed to be a "secure" environment. I also work with three different "secure" computer systems [That they are all win-something doesn't matter].

On Day One I was asked to choose passwords. I did, and I chose secure ones that I knew I would be able to remember. I have a good system for this ( that I am not prepared to divulge )

But the different sysadms have decided that I need to change my passwords at various intervals (like 3 weeks, 4 weeks, and 5 weeks) so every few weeks, one of the systems asks me for a new password. The new password cannot be anything like the old ones (it remembers my old passwords for a year). This soon gets out of hand, I cannot remember all these passwords, that I have to keep changing and making difficult to guess (and therefore remember). And which one is for which system?

If someone gave me a password of
Code:
><21+]\';P-]|P[}CdefbgT
then there is no way I am going to remember it. Especially across 3 systems with similarly stupid passwords, that I am forced to change at differing intervals.

So what do you think I, as a user, who needs to login to do my job, does, if you force these stupid passwords and repetitive changes, on me?

I write them down and probably stick them on a post-it note on my monitor / keyboard / desk.

Sysadms and management are happy "Everybody has difficult-to-guess passwords (checked by some stupid program) and then they have to change them every two weeks. So we are SECURE!"

No you aren't. My passwords are now in plain view. So are everybody else's. (I have asked around: most users now have a similar tactic). Instead of improving security, you have worsened it.

This is "The law of unintended consequences". Read up on it.

[/Rant]
 
Old 02-28-2008, 04:43 AM   #4
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 16
Well I was going to tell you how to do it... but from your tone you know way more than any of us about password security so I don't see the point.
 
Old 02-28-2008, 11:47 AM   #5
kenhtanaka
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Original Poster
Rep: Reputation: 0
To tredegar,

I'd be tempted to change all passwords at the 3 week interval, if the systems on 4 and 5 week schedules will allow changes more frequently than required (hopefully they haven't set a minimum time that exceeds the maximum password aging time for other systems). You could then use a similar approach for coming up with passwords for all of them. But it could be you have too many systems, and changing all passwords at once is more trouble than having a consistent password theme for them all.

I once carried a smartcard that generated a 6 digit number every 3 minutes. The first 5 characters of the password never changed, I just appended the 6 digits from the smartcard display. Each user's card generated a different sequence. I had to keep track of the card, but I found this so much easier to use than the traditional password aging approach, since the non-changing part of the password was the same for all the systems I accessed.

-Ken

P.S. Good rant. Maybe some IT departments somewhere will learn something from these posts.
 
Old 03-01-2008, 12:41 PM   #6
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
Quote:
Originally Posted by Deleriux
Well I was going to tell you how to do it... but from your tone you know way more than any of us about password security so I don't see the point.
You're right. He does.

It's well documented that there's a great many things which will cause users to willfully disregard company password policies. Among the many, here's a few of the bigger ones:

* Requiring really complex passwords - These are a right bitch to remember when you're asking users to come up with a 15 character password which contains all of the following: Uppercase letters, lowercase letters, punctuation, numbers, and no letter repeated more than twice. Make them change it too often or have to enter it too often (because of a lack of SSO--or at all in the case of absurdly long passwords) and you're just begging for people to start looking for ways to "beat" the system. Not to beat the Microsoft horse, but I'm rather fond of citing NT's two default password checking modules as a form of structured hostility towards admins. One which lets you pick pretty much anything you like as a password, and the other which requires crazy 15-character passwords that only immigrated wunderkinds can remember. Thank goodness they at least made it possible to write more modules.

* Requiring the user get the password right in a very small number of tries - Really, the issue here is one of sheer paranoia without adequate research. Someone trying to just guess someone else's password is probably going to get it rather quickly if they know the person well and reasonable policies aren't being followed, but they're going to need a lot of tries to do it. Capslock keys, morning fat-fingeritis, and generalized hypo-caffeination problems can cause everyone a few problems here and there, but when an employee knows that failing to enter their password correctly in the first 3-5 tries means they're going to be locked out of everything for half the morning (or at least as long as it takes to make calls through to support to get it reset), they are going to start deliberately using stupid passwords everywhere or hiding post-its under their keyboards just to avoid risking being locked out. 10 is probably a much better number, and 20 isn't too far from it. Someone trying a genuine brute-force attack on a passworded login is going to exhaust either of those numbers in an eyeblink (which is the correct time to lock the account), so it's not really necessary to make the user live in fear of a few typos. On the converse, having reasonable and clearly defined password policies (prevention measure) and something (like a cron job running JtR) that checks every few days for violators and will immediately lock the accounts of violators (which is a detection measure) will also make these same people hurriedly reconsider using bad passwords.

* Requiring the user to login, again, and again, and again - Session timeouts have their place, and having one password for everything a user does is probably not always the best fit, but for most situations in a complex IT environment, avoiding a reasonable SSO (single-sign-on) solution can and will do more harm than good. Rank and file users can probably do with having "just" one password, but when a user wears more than one "hat" or has some job functions which warrant extra responsibility be exercised on their part (like a manager accessing HR or payroll data, or an admin reconfiguring a domain controller) it's pretty darn reasonable to have even those users only login once for all their "joe" duties, and use different credentials when it comes to something like say, signing off on that 10,000 dollar equipment expenditure or offlining the company backup server--both of which are definitely not something one does more than a few times a week, if that often. The magic phrase here is "spheres of responsibility". Kerberos might be a pain in the neck, but at least it lets you quickly cut someone's access to everything at once should they leave the company in a tiff. If you make someone have to type in their password 20 times a day, you can bet that if you do an audit, you're going to find users who have figured out how to use the Windows macro recorder so they can just hit a key that will enter their password for them.

Last edited by evilDagmar; 03-01-2008 at 12:56 PM.
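The lockout argument in the second bullet above can be checked with a small simulation. The Python below is an added example, not code from any poster or from a real PAM module: a per-account failed-login counter with a sliding window and a timed lock, run over two constructed attempt streams (a user who mistypes her password four times in under a minute, and an account being hit by a script ten times a second) under thresholds of 3, 10 and 20. The stream contents, the 300-second window and the 30-minute lock duration are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int        # failures inside the window that lock the account
    window_seconds: int   # failures older than this no longer count
    lock_seconds: int     # how long a lock lasts once triggered


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of counted failures
    locked_until: float = 0.0


class LockoutTracker:
    """Per-account failed-login counter with a sliding window and a timed lock."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = defaultdict(AccountState)

    def record(self, user: str, success: bool, now: float) -> str:
        """Record one attempt; returns 'ok', 'rejected' or 'locked'."""
        state = self.accounts[user]
        if now < state.locked_until:
            return "locked"            # lock still in force, attempt not even evaluated
        if success:
            state.failures.clear()     # a good login resets the counter
            return "ok"
        state.failures = [t for t in state.failures
                          if now - t < self.policy.window_seconds]
        state.failures.append(now)
        if len(state.failures) >= self.policy.threshold:
            state.locked_until = now + self.policy.lock_seconds
            state.failures.clear()
            return "locked"
        return "rejected"


def simulate(policy: LockoutPolicy, attempts) -> dict:
    """attempts: iterable of (time, user, success); returns each user's outcomes in time order."""
    tracker = LockoutTracker(policy)
    outcomes = defaultdict(list)
    for t, user, ok in sorted(attempts):
        outcomes[user].append(tracker.record(user, ok, t))
    return dict(outcomes)


# Constructed sample streams (not real log data).
# alice mistypes her password four times over about 45 s, then gets it right.
TYPIST = [(0, "alice", False), (8, "alice", False), (20, "alice", False),
          (31, "alice", False), (45, "alice", True)]
# A script hammers bob's account ten times a second with wrong passwords.
HAMMERED = [(0.1 * i, "bob", False) for i in range(50)]


def compare(thresholds=(3, 10, 20)) -> dict:
    """How each threshold treats the typist versus the hammered account."""
    result = {}
    for th in thresholds:
        policy = LockoutPolicy(threshold=th, window_seconds=300, lock_seconds=1800)
        out = simulate(policy, TYPIST + HAMMERED)
        bob_lock_index = out["bob"].index("locked")
        result[th] = {
            "alice_locked_out": "locked" in out["alice"],
            "alice_finally_ok": out["alice"][-1] == "ok",
            "bob_locked_after_attempts": bob_lock_index + 1,
            "bob_locked_after_seconds": round(0.1 * bob_lock_index, 1),
        }
    return result


if __name__ == "__main__":
    for th, summary in compare().items():
        print(th, summary)
```

With a threshold of 3 the typist is locked out on her third typo and her eventually correct password is refused, while the scripted guessing is stopped after 0.2 seconds; at 10 or 20 she logs in normally and the script is still locked out within two seconds. That is the trade-off the post describes: a few extra tolerated failures cost the defender almost nothing against automated guessing.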
 
Old 03-01-2008, 12:49 PM   #7
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
Quote:
Originally Posted by kenhtanaka
To tredegar,

I'd be tempted to change all passwords at the 3 week interval, if the systems on 4 and 5 week schedules will allow changes more frequently than required (hopefully they haven't set a minimum time that exceeds the maximum password aging time for other systems). You could then use a similar approach for coming up with passwords for all of them. But it could be you have too many systems, and changing all passwords at once is more trouble than having a consistent password theme for them all.

I once carried a smartcard that generated a 6 digit number every 3 minutes. The first 5 characters of the password never changed, I just appended the 6 digits from the smartcard display. Each user's card generated a different sequence. I had to keep track of the card, but I found this so much easier to use than the traditional password aging approach, since the non-changing part of the password was the same for all the systems I accessed.

-Ken

P.S. Good rant. Maybe some IT departments somewhere will learn something from these posts.
Sounds like you're talking about SecurID. Those hard tokens are really quite nice and eliminate the "static passwords == sitting ducks" problem pretty handily.

The thing here is that there's basically three things that can be checked to authenticate a user in order to prove they're who they say they are:

1. "Something you know" - like hey, a secret word. Weakness: They can be forgotten.
2. "Something you have" - like a hard token or smart card. Weakness: They can be lost.
3. "Something you are" - in a word, "biometrics". Fingerprint scan, iris scan, palm geometry scan, etc. Weakness: Somewhat varies, but they tend to require something rather drastic and very likely unpleasant to happen to the user. Also expensive.

Generally it's much, much more effective to use two-factor (i.e., more than one of the above three) authentication than it is to up the ante (like, requiring harder to guess passwords) on any of the three alone.

Last edited by evilDagmar; 03-01-2008 at 12:51 PM.
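The two posts above describe the same mechanism from two angles: Ken's card that showed a fresh 6-digit number every 3 minutes, typed after a fixed prefix, and the "something you know plus something you have" argument for two-factor authentication. The Python below is an added example, not any vendor's token code and not from the thread: a server-side verifier that stores a salted PBKDF2 hash of the static password, derives the 6-digit code for each 180-second step from a per-card seed with HMAC-SHA1 and the RFC 4226 truncation, and accepts the "password followed by displayed digits" form Ken describes. The seed, user name and password in the usage are constructed; the one-step tolerance for clock skew is a design choice of this example.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 180    # the card in the thread rolled to a new 6-digit code every 3 minutes
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def password_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the static 'something you know' factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_code(seed: bytes, now: float, step_offset: int = 0) -> str:
    """Code the card would display for the time step containing `now` (plus offset).
    HMAC-SHA1 over the step counter with RFC 4226 dynamic truncation; the seed is the
    per-card secret shared with the server, i.e. the 'something you have' factor."""
    counter = int(now // STEP_SECONDS) + step_offset
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class TwoFactorVerifier:
    def __init__(self):
        self.users = {}   # user -> (salt, password hash, card seed)

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, password_hash(password, salt), seed)

    def verify(self, user: str, entered: str, now: float) -> bool:
        """`entered` is the static password immediately followed by the displayed digits,
        the way Ken typed it. Both factors are always evaluated before answering."""
        if user not in self.users or len(entered) <= DIGITS or not entered.isascii():
            return False
        salt, stored, seed = self.users[user]
        password, code = entered[:-DIGITS], entered[-DIGITS:]
        password_ok = hmac.compare_digest(stored, password_hash(password, salt))
        # Accept the current step and the previous one (clock skew, or a code typed just
        # before the display rolled over). Anything older is stale and refused.
        code_ok = any(hmac.compare_digest(code, token_code(seed, now, d)) for d in (0, -1))
        return password_ok and code_ok


if __name__ == "__main__":
    seed = b"constructed-card-seed"           # constructed sample seed, not a real one
    verifier = TwoFactorVerifier()
    verifier.enroll("ken", "Kn0wn", seed)
    now = 1_200_000_000.0
    shown = token_code(seed, now)
    print("password + current code:", verifier.verify("ken", "Kn0wn" + shown, now))
    print("password + code two steps old:", verifier.verify("ken", "Kn0wn" + shown, now + 2 * STEP_SECONDS))
```

The property that makes this "two-factor" rather than a longer password is visible in the verifier: knowing the static prefix is useless without the seed-derived digits, and a captured login string stops working two steps later, so a shoulder-surfed or logged credential does not turn into standing access the way a static password does.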
 
Old 03-01-2008, 01:02 PM   #8
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
On the whole, smart people with a lot of passwords to remember will just go buy a cheap PDA and use something like YAPS or SplashID which encrypt (wow this is important) their password databases and give a user an easy way to pull something out of their pocket, enter a "decent" password, and then pull up the forgotten password they've not seen or even thought about in a month. (Don't ask me about which ones might remind users about password freshness, I've not had time to look into this.)

Yes, someone could jack their PDA, but very few chronic PDA users would fail to notice this and would know to start making calls to have their passwords changed immediately should the equipment fall into the wrong hands. One doesn't crack IDEA overnight (not yet anyway).

...and on a good note, most of the hard token vendors have software-based versions of their tokens, so one can use SecurID from the PDA, or barring that, S/KEY isn't all that bad (and it is cheap) if the communication channel is an encrypted one.

Last edited by evilDagmar; 03-01-2008 at 01:03 PM.
 