Human memory, or the lack of it, is the biggest security bug on the 'net
The life of the security IT professional would be a lot easier if people were capable of remembering enough passwords so that they didn't need to reuse them. That was the considered opinion of Facebook’s head of security Alex Stamos and Google’s security princess (her actual Chocolate Factory job title) and Enigma 2017 …
-
-
-
Tuesday 31st January 2017 21:02 GMT Oh Homer
Re: "the only available computer is communal"
Your smartphone is "communal"?
Also, password managers tend to use encryption and a master password, and at least in the case of KeePass also support multiple databases (each strongly encrypted with a unique master password), so questions of trust and sharing are moot.
These databases can also be accessed directly by KeePass over the network via SFTP and other protocols, so they're available to all your devices running KeePass (every major OS is supported) in every location, whether at home, on the road or at work.
Personally I run it on the (Linux and Windows) desktop at home, and on Android when I'm out, and all three systems share the same encrypted database on the same FTP server.
Even if I forget my smartphone or it runs out of juice, I can always run the portable version of KeePass on whatever system I have available at my destination.
It certainly beats writing hundreds of passwords down on Post-It notes.
-
Tuesday 31st January 2017 21:27 GMT Vector
Re: "the only available computer is communal"
Your smartphone is "communal"?
No...
But your smartphone is connected to that great community in the sky known as the internet. As soon as someone can sneak a key logger on to it, all your password are belong to them. Not just for the sites you use from that phone, every password in your safe!
-
Wednesday 1st February 2017 19:17 GMT Oh Homer
Re: "sneak a key logger"
Well, let's examine the options.
Option #1 is reuse the same password for hundreds of services, from banking to email, thus losing everything in the event that this one password is compromised once on any one of those services, such as that dodgy phpBB forum you visited last week.
Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail and you'll become the only person in history to be compromised by a keylogger that defeats the KeePass "Two-Channel Auto-Type Obfuscation" anti-keylogger technology.
I punched those numbers into my probability calculator and it says ... "1" is more likely.
-
Thursday 2nd February 2017 03:13 GMT LaeMing
Re: "sneak a key logger"
I use option 1.5 - A small number of hard+unique passwords for important stuff (Financials, home computer, message boards I frequent often, etc). A few hard+shared passwords for non-critical things I trust, but also wouldn't be mortified by a compromise on (message boards I don't care about so much, work PC - mainly due to their crappy password rules!), mentally-generated-on-the-fly soft passwords for all those crappy sites that insist you have an account do do things that shouldn't actually need one for (usually linked to likewise-generated throw-away email accounts).
-
Thursday 2nd February 2017 20:51 GMT Vector
Re: "sneak a key logger"
"Option #2 is access an encrypted database of passwords over an encrypted connection behind a firewall on a system running antivirus and other security software, with the remote possibility that all of those security measures might simultaneously fail"
We were talking about using a password safe on a smartphone which fails many of the above conditions. I looked at the obfuscation system you referenced and it looks like a fine way to guard passwords in the safe but it does nothing to protect the password to access Keypass itself. That is the real issue.
-
-
-
Wednesday 1st February 2017 08:45 GMT Paul Crawford
Re: Trusted computer
A trusted computer/device for a password manager is the key problem. While my home PC/laptop might be fairly trustworthy, I would not put them up there as unhackable. As for my Android phone - please, just don't go there!
A possible solution is something like the old RSA key-fob that could be used to salt+hash some account detail to provide a complex password. As it is off-line it is practically impossible to hack without an agent physically compromising it, and it is small enough to be carried with your house/car keys, etc, where ever you go. Many UK banks use card reader things to the same ends, but a more general purpose one would be good.
USB style devices are all very well, but need the PC to be cooperative (so no play on corporate locked-down machine) and your fscked if you bought a new Macbook and forgot your fist full of dongles.
-
-
-
-
Tuesday 31st January 2017 20:40 GMT Infernoz
Re: Try blaming the correct people next time.
No; users must accept some responsible for their own security and use strong unique passwords, via a separate strong encrypted password store (not just in an OS user account), because however good a site's security is, some may eventually suffer a compromise, including by side attacks and staff, especially from/via lower paid outsource staff!
Security is a process and never absolute, because there is an arms race between the defenders and the attackers, and there can be unexpected bugs in security.
-
-
-
Tuesday 31st January 2017 23:42 GMT veti
Re: Try blaming the correct people next time.
Fine. If you don't want to revisit the shop and reuse the account, just give it a random string for a password. (Mash some keys into a text editor until it looks suitably gibberish, then copy and paste it into the password and confirmation boxes. Remember to close the text file without saving.)
More importantly, though: always, always make sure to untick the "record my card information for future purchases" option. That way, if anyone does crack your account, they're still no closer to being able to spend your money.
What annoys me more is sites - like El Reg, for instance - that require a password that does need to be reused, and does need to be remembered, for a transaction that has close-to-zero impact if compromised. If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk.
-
Wednesday 1st February 2017 13:23 GMT Charles 9
Re: Try blaming the correct people next time.
"If someone cracks my El Reg password, about all they can do is make some silly and/or offensive comments in my username. I make those myself already, so I'm willing to accept that risk."
Or they could use it to post politically incorrect stuff and stain your reputation. Or worse, post CP links and get the attention of the law on you.
-
-
-
-
-
Tuesday 31st January 2017 19:37 GMT Adrian 4
Bad humans ?
Or maybe remembering a bunch of things that are intentionally hard to guess just isn't a very good way for humans to authenticate themselves ?
It's often a good idea to match the solution to the problem : if you need to do a thing often, choose something that you're good at.
What are humans good at remembering? Probably something involving patterns. Shapes, music, phrases. The problem there is that to enter a reasonably complex pattern, you need an interface that's good at it. Maybe that's easier to solve than trying to make your passwords rememberable but obscure.
-
Tuesday 31st January 2017 19:53 GMT Charles 9
Re: Bad humans ?
Maybe it's better to learn whether or not the problem at hand is even tractable.
Consider the First Contact problem. How can Alice and Bob prove their identities to each other if they've never net before? This is essentially the problem we face every time we register to a new site. We don't really know who runs the site, and the site doesn't know a thing about us.
The thing is, the First Contact problem is logically intractable. With no common point of reference, there's no way for Alice to prove she is Alice and not someone else posing as Alice. Not even Trent can help since Trent can be a double agent and has to be vetted himself, creating a Turtles All The Way Down conundrum. It's a Catch-22. You need common ground to create trust, but you need trust to create common ground.
That's why we can't seem to find a simple solution: because there's no solution full stop. We're just trying to make impersonation as hard as possible, but unfortunately we're stuck for the ride. Making things harder for the imposter makes things harder for US, and there's no way to unlink the two since the imposter's job is to BE us, essentially: right down to the DNA if they gotta. And inversely, easier for us is easier for the imposter. Worst yet, it seems the medium is UNhappy: not easy enough for us but not hard enough to thwart the imposter. So, basically, what now, especially when the public demands unicorn solutions?
-
Tuesday 31st January 2017 20:36 GMT Adrian 4
Re: Bad humans ?
I don't think we care that we can't identify someone we've never met before.
All we normally want to do is identify that it's the same person that set up the account, or the same person that a bank knows about, or the same person that lives at a certain address. Who that person actually is can't ever be proven : what matters is that the second and subsequent contacts match the first.
A password (retained secret) is fine for this, as are other tokens such as certificates. In some cases, that certificate needs to be verified by another party such as a bank.
-
-
-
Tuesday 31st January 2017 21:54 GMT Commswonk
Re: Bad humans ?
Human memory, or the lack of it, is the biggest security bug on the 'net
I suggest that it's much, much wider than that. Humans ignore simple laws like "don't use your mobile phone whilst driving"; perhaps they think that they won't get caught (unfortunately quite likely true) but in any event accidents happen to other people, not them.
Human stupidity, more like, as per Einstein's well known thought on the subject. The vulnerabilities of IT systems are publicised ad nauseam so there has to be something more than "memory" to account for people failing to take simple basic steps to protect themselves.
-
-
Wednesday 1st February 2017 08:58 GMT VinceH
Re: Bad humans ?
"Bingo! see https://xkcd.com/936/ for an opinion on how it SHOULD be done.
Fixed that for you.
And the reason I made that fix because it's an opinion I do not share.
For a start, the end panel's claim that "You've already remembered it" was wrong for me the first time I read it - it was a couple of years of seeing references to (and re-reading) that strip before the example password finally committed itself to my memory.
Then there's the problem that it's just one password, and it's seemingly just a random string of things with no context - so if someone goes to a particular website they use and needs to log in, how do they remember if their password was correcthorsebatterystaple, versus typicalzeusapplemarch which they used on another site, or walletbottlemonksplatter from another, and so on.
IMO, it only potentially solves the problem if we only ever need one password - and people using just one password is a part of the problem under discussion.
Edit: Lest I forget (see the problem?) my own solution is to use KeePass. Can't recommend it enough.
-
-
-
Tuesday 31st January 2017 20:00 GMT Duncan Macdonald
Reuse of passwords
Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificent. For such sites I often reuse simple passwords - for other sites with financial data (eg PayPal) I use strong passwords that are unique to each site.
An easy way to generate fairly strong memorable passwords - concatenate a car registration number, a friends name and the name on a bit of equipment.
eq XNO123SWendyHUDL2 (not a password that I have ever used!!!)
-
Tuesday 31st January 2017 21:22 GMT Infernoz
Re: Reuse of passwords
It must become a habit to never reuse passwords for any public resources, and even most private resources, otherwise you may accidentally reuse a password for something security critical or later discover that an insignificant resource suddenly becomes significant, with significant costs e.g. compromise causing loss of reputation, social costs, slander costs, or unintended leakage of critical information. Using different user identifiers can also be a good idea to make compromise even harder and to block other security risks including cross-site profiling/spamming.
Passwords should never be derived from any publicly discoverable information associated with a person, because this information could be automatically looked up and used by automated cracker scanners; long, secure-random-generated passwords are generally much more secure.
Everyone should be using a secure (local or remote end-to-end encrypted) password store to keep most user/password details safer than human memory or insecure external storage like unencrypted files or written/printed notes.
-
Tuesday 31st January 2017 21:33 GMT Anonymous Coward
Re: Reuse of passwords
I re-use the core part of several passwords, but salt them with certain characteristics of the sites they are used on. This means if one of them is leaked, it can't be used anywhere else. The flaw in the scheme is if the plain text is leaked, a human could work out the salting scheme I use.
-
Tuesday 31st January 2017 23:12 GMT Orv
Re: Reuse of passwords
"Like many people I have a number of accounts - but many of them are for sites like the register where the consequences of a hack are insignificent. For such sites I often reuse simple passwords"
I used to use that scheme -- until one of those sites had their password database stolen. The sheer annoyance of having to change dozens of passwords all over the web made me switch to using a password manager for "low value" sites. For some very critical things I still use a memorized password.
-
Tuesday 31st January 2017 20:46 GMT Ken Moorhouse
Humans are not wired for passwords...
Visual and spatial challenges are far easier on the brain than letters and numbers that adhere to artificial rules. Some people visualise PIN's by their "shape" on a keypad. A London black cab driver would be able to recite every street and every landmark between any two streets in London, this is probably because of the way human memory "leads into" each step of a journey. We all do this to a greater or lesser extent, but not to the extent of annotating the images of the journey with street names, which is part of a cabbies' training. How many of us can recite whole chunks of Alice In Wonderland or a Tennyson poem? But what password protected sites give us this as a choice? Coupled with this is the need for more lenience in the occasional slip of the word, which may be due to forgetfulness on our part when dreaming something up. For instance it might be possible for a user to be excused forgetting the exact case and punctuation used in elements of Break, break, break et al, but to use gray instead of grey would be a grave error.
-
Tuesday 31st January 2017 21:40 GMT Swiss Anton
Re: Humans are not wired for passwords...
Humans aren't wired for passwords like HJ78#2hhj*2 that many IT policies force on their users, but we are quite good at remembering things that can be visualised.
For Example, what if my Amazon password was "99 ice cream loving honey badgers ate my hamster!" I reckon that's a lot easier to remember than HJ78#2hhj*2, and it has plenty of entropy. This is not my Amazon password, but if it was it would be easy to remember. Amazon now do Top Gear. Top Gear has a thing about honey badgers. The hamster, well that's obvious, and if there hasn't been a race between Mr Whippy and a kebab van*, well there ought to have been. It all goes together to make a memorable password.
What is really needed are systems that can take longish passwords and some training to get people to be creative.
(*British readers will know exactly what My Whippy and a kebab van are. I suspect the rest of the world has no idea, which is probably why Top Gear haven't done this race.)
-
Tuesday 31st January 2017 21:51 GMT Ken Moorhouse
Re: British readers will know exactly what My Whippy and a kebab van are
...and this "cultural enclosure" makes them more secure*.
(Not sure about My Whippy though - I remember Mr Whippy - you must have gone to a school where they had more -er- exclusive tuition lol).
*I went to a seminar once where some American company launched some software or other. The screenshots had these weird first names and surnames in them. The presenter felt he needed to apologise for them. He did so by explaining that the people responsible for the Powerpoint were asked to pitch it to us Brits, and they were trying to come up with authentic English names (e.g., Archibald, Enid, etc.).
-
-
-
Wednesday 1st February 2017 07:13 GMT Ken Moorhouse
Re: What about DISABLED people, though?
Unless you are the pinball wizard there are still choices, just as there can be with traditional password entry. Having written software for a provider of IT equipment for the visually impaired I can say this segment of the population is not without facilities to visualise password cues. Deaf people can see images and use a keyboard, so not sure what the problem is there.
-
Wednesday 1st February 2017 13:27 GMT Charles 9
Re: What about DISABLED people, though?
BLIND people CAN'T. That's why image-based CAPTCHAs get sites in trouble. The best systems kind of require full sensual acuity to work, but of course not all of us have that, so the law requires fallback methods...which miscreants can exploit by simply claiming to be blind and so on to get simpler puzzles.
-
This post has been deleted by its author
-
-
-
-
-
Tuesday 31st January 2017 21:37 GMT SImon Hobson
Actually, lets blame the sites ...
Yes, those sites that insist on a password length longer than you normally use - so you have to remember a "non-standard" pattern.
Or those that impose a short maximum length - same problem.
Or those that insist on stupid combinations - so you have to remember that this site has a % (or whatever). Or those that impose restrictions the other way.
I have a system that allows me to use a different password for each site - by using something that's common to most things, combined with something that's different for each site. Yes, if someone got hold of a number of passwords then they'd be able to figure out the system - but if that happens that I've almost certainly got far worse problems. But there's no way that given a single password hacked from a single site you'd be able to log into any other site.
But, this system is blown apart by the above mentioned, well meaning, idiots who for various reasons stop me using something that my system deals with.
-
Tuesday 31st January 2017 22:21 GMT jake
But users ARE the problem!
It might not be politically correct, but that's a fact nonetheless. If there is one thing that I've learned over the last 40+ years of working with computers & networks, it would be that humans, as a group, are ineducable when it comes to personal security.
I think it was Einstein who said “Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe."
-
Wednesday 1st February 2017 04:17 GMT djnapkin
Re: But users ARE the problem!
Indeed. For example my wife has KeePass with AutoType at her fingertips, and uses Firefox to remember her passwords for sites. Despite this she uses the same two passwords everywhere. Until I notice, anyway.
Was it Gary Clail who sang, "There's something wrong with human nature" ?
-
-
Tuesday 31st January 2017 22:50 GMT adam 40
All websites are fundamentally insecure
As soon as you realise that all these sites are insecure, as you can just log in with a username and password anytime and from anywhere in the world, then the problem goes away.
Just don't keep any private data on them and use the same password everywhere - job done.
Biting the hand that feeds IT
