We were recently at a customer’s site, and we were discussing passwords. They had concerns about their users’ passwords as they explained to us their personal difficulty remembering passwords. The end result for them was that they normally just performed a simple derivation on an easy-to-remember seed. For example, say “jane”, their dog’s name, is the seed. They would then permute “jane” to create a password, such as “1jane” or “abcjane”. Cracking these passwords is fairly easy, even more so if the person cracking them knows you and customizes or limits their dictionary accordingly.
(I like to diverge into stories, so please hang in there or jump to the bottom.)
-
Back when I was an undergraduate maths major concentrating in Computer Science (CS) at St. Mary’s College of Maryland, the science building had two computer labs, one small lab dedicated to CS majors and the other lab open to all. The doors to the labs and buildings had card readers that functioned as door locks, and your student identification card functioned as a key. According to our professors, CS majors were supposed to have access to the building and the CS lab at all times using their student identification cards, but this never quite worked out. Around 11PM, the building and both labs would lock to all students, even CS majors. Additionally, motion detectors in the labs would turn on.
So, what did we do? We complained to the school quite a bit, which normally resulted in us being told we could call campus security to open up the CS lab, but this was never an easy task and generally failed to carry over into the next semester. So, we just circumvented the complexity. Around 10:30PM, one of us would head off to the CS lab. When 11PM approached, we would tape a piece of paper over the motion detector to disable it, and then we would either unlock a window or stay in the lab. Security normally made passes through the building after 11PM, but we were just working, if they even happened to notice us in the shuttered CS lab.
The problem here is not the user, it is the complexity and/or difficulty of using the system. The end result is that most people will fall into two categories, those that do not use the system at all, and those that find a way to simplify and/or circumvent it. In either case, it can hurt the goals of an individual or an organization.
To our discussion at hand, we have so many accounts and most authenticate using passwords, that it rapidly becomes overwhelming to keep up with and manage. So, how do we handle it?
We choose pseudo-random-looking passwords 8 or more characters in length and just write them down on a piece of paper. By pseudo-random, we mean selecting random characters from the keyboard (letters, numbers, symbols) until at least 8 characters have been picked. We are wary of our human capacity for generating patterns, so we keep an eye on our previous passwords as we generate new ones to make sure our passwords do not all follow the same trend. (There are also password generation tools out there, but we find these to be overkill.) We protect that paper containing our passwords as we would, say, our checkbook. Clean and easy.
This has worked well for me personally for over a decade. The best part is that pieces of paper do eventually wear out, at which point you have to move to a new piece of paper, and, much like moving locations, it forces you to clean out the accounts you no longer use and reminds you of nifty things you forgot you even had. Good housekeeping.
Update: Look at this.
PwdHash is a browser extension that transparently converts a user’s password into a domain-specific password. The user can activate this hashing by choosing passwords that start with a special prefix (@@) or by pressing a special password key (F2). PwdHash automatically replaces the contents of these password fields with a one-way hash of the pair (password, domain-name). As a result, the site only sees a domain-specific hash of the password, as opposed to the password itself. A break-in at a low security site exposes password hashes rather than an actual password. We emphasize that the hash function we use is public and can be computed on any machine, which enables users to log in to their web accounts from any machine in the world. Hashing is done using a Pseudo Random Function (PRF).
A major benefit of PwdHash is that it provides a defense against password phishing scams. In a phishing scam, users are directed to a spoof web site where they are asked to enter their username and password. SpoofGuard is a browser extension that alerts the user when a phishing page is encountered. PwdHash complements SpoofGuard in defending users from phishing scams: using PwdHash the phisher only sees a hash of the password specific to the domain hosting the spoof page. This hash is useless at the site that the phisher intended to spoof.
via a post to cypherpunks
[...] (Of course, the key here – see Appendix A – is choosing good passwords. This blog commented on passwords way back when the blog first started.) [...]
[...] Authentication information needs to hold the same importance to people as the keys to their homes or safety deposit boxes, and be just as easy to use – that can be hard to achieve. I posted on passwords a long while back. [...]