On Sun, 02 Mar 2014 15:01:09 -0500, Roy Smith wrote:

> Security is as much about cryptography as it is about human factors and
> business drivers. You can make things resistant to brute-force attacks
> by using longer keys, but people are still going to pick bad passwords.

Yes. But:

> You can force them to pick "good" passwords by rejecting their first 37
> choices, but all that does is encourage them to write the passwords down
> on sticky notes.

There is nothing wrong with writing passwords down on sticky notes. (Well, figuratively speaking. Perhaps not *literal* sticky notes, since they are too easy to lose.)

You have to ask, what is the threat you are trying to defend against? If your threat is that the Secret Police will break your door down at 3am, and smash your fingers one at a time until you give them your passwords, then strong passwords that only you remember will not save you. If the threat is that your little brother will log into your hotmail account and send rude messages to your school friends, then writing your password down on a Postit and sticking it on the computer is insecure, but keeping it in your wallet or purse may be secure enough.

Today, one of the biggest (but not the only) threats most people face is the mass theft of passwords from idiot organisations that store them in insecure databases as plain text. There's not much we, the users, can do about that, except complain complain complain when it happens. Possibly sue, on the basis that storing passwords as plain text is not within a million miles of best practice or even standard practice.

Another threat comes from black-hat hackers breaking your password. Whether they want *your* password specifically, or just picked your account randomly, this is where strong passwords can have a good effect. Until such time as an attacker can reach through the Internet to read the password on your Postit Note, writing down your strong password and keeping it by your computer is an effective way to counter this threat.

> And, yes, you can make things more secure with 2FA, but there's a cost
> there. You have to purchase and manage the infrastructure. More than
> that, there's lost business if potential customers prefer a competitor's
> product because it's easier to access. Many of the known insecure
> systems we use today are not that way because the people who run them
> are stupid; they're that way because the people who run them have worked
> the numbers and decided the cost to implement more secure systems would
> exceed the risk exposure.

While in principle you are right, in practice I think that most of these people and organisations start from a number of dodgy assumptions, starting with "Meh, it'll never happen...". They underestimate the risk, underestimate the consequences, ignore costs that don't apply solely to them (e.g. the cost of spam sent from tens of millions of compromised PCs and gmail accounts), overestimate the strength of their half-baked solutions, and ignore the portion of their user-base who actually does want better security.

When they do make a half-hearted attempt at security, it's often security theatre, e.g. I have a bank account with one bank that doesn't let you type your password, instead you have to click keys on a simulated keyboard on screen. You're limited to *six* (SIX!!!) case-insensitive alphanumeric characters, letters and digits only. And then, to add insult to injury, they have the fecking cheek to hassle you every few months to change your insecure password for another insecure password, thus increasing the chance that you'll forget what it is and lock yourself out of the account. This encourages people to choose even weaker passwords, so they won't forget them.

Another bank I use eschews such ridiculous "security" and actually provides you with a real cryptographic key for which you have to provide a passphrase. A passphrase limited to *eight* alphanumeric characters. And I think it is case-insensitive, although I haven't actually tried it.

I expect that these idiots spent more time, effort and money *preventing* their users from putting in strong passwords than they would have spent to allow strong passwords.

> We recently got a frothing email from a user, which basically said, "You
> farking idiots, you emailed me my password in plain text!" It turns
> out, his user name was the same as his password and what we had sent him
> (in response to an account recovery query) was his username. In
> response to that, we altered our account generation process to forbid
> passwords which are too similar to your chosen username or email
> address. Which, of course, means we've taken one more step down the
> road to forcing our users to write their passwords on sticky notes.

That's a good thing. People have managed physical keys for *centuries*. Yes, there is a class of threats where you lose your key, or someone steals it, or makes a copy, but the risks are well-understood and can be managed even by your grandmother. We have good solutions for those problems that work well, and many of them apply just as well to sticky notes with secure passwords written on them.

-- 
Steven D'Aprano
http://import-that.dreamwidth.org/
-- 
https://mail.python.org/mailman/listinfo/python-list
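One way to implement the "too similar to your username or email address" rule that Roy's message describes, as an added example that is not code from the thread or from either poster's system; the 0.75 similarity threshold, the splitting of identifiers into fragments of four or more characters, and the use of difflib as the similarity measure are all assumptions of this example.

```python
"""Reject a candidate password that equals, contains, or closely
resembles the account's username or e-mail local part (example code,
not from the original thread)."""
import difflib
import re


def _normalise(s: str) -> str:
    """Lower-case and strip non-alphanumerics so 'J.Smith' ~ 'jsmith'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _identity_tokens(username: str, email: str) -> set[str]:
    """Strings a password must not resemble: the username, the e-mail
    local part, and their fragments of >= 4 chars split on . _ - +
    (the fragment length is an assumption of this example)."""
    tokens = {username, email.split("@", 1)[0]}
    for raw in list(tokens):
        tokens.update(t for t in re.split(r"[._\-+]", raw) if len(t) >= 4)
    return {_normalise(t) for t in tokens if _normalise(t)}


def password_too_similar(password: str, username: str, email: str,
                         max_ratio: float = 0.75) -> bool:
    """True if the normalised password contains, is contained in, or is
    close to (difflib ratio >= max_ratio) any identity token.
    The default threshold is an assumption, not a published standard."""
    pw = _normalise(password)
    if not pw:                      # nothing usable left after stripping
        return True
    for tok in _identity_tokens(username, email):
        if tok in pw or pw in tok:  # e.g. 'RoySmith1!' contains 'roysmith'
            return True
        if difflib.SequenceMatcher(None, pw, tok).ratio() >= max_ratio:
            return True             # e.g. 'roysmyth1' vs 'roysmith'
    return False


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    for pw in ("roysmith", "RoySmith1!", "smith2024", "roysmyth1",
               "correct horse battery staple"):
        verdict = "reject" if password_too_similar(
            pw, "roysmith", "roy.smith@example.com") else "accept"
        print(f"{pw!r}: {verdict}")
```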