
Passwords are in our everyday lives. We use them to log into our PCs, to do our banking, and a lot of online sites require you to have a username and a password in order to order something or write a comment etc.

At work when you log into your machine you are required to give a password. And then they even want you to change it every so often! So you have to remember all these passwords on an almost daily basis. Great, as if that wasn't difficult enough, the Administrators at work want to "increase" security by imposing password criteria, meaning that the password has to match a certain pattern and complexity (e.g. it has to have at least one upper case character, numbers and letters, and special characters like ! # etc.). So now you have to remember quite a few passwords AND quite complex ones. Wow, quite a strain on your mind, isn't it? Well yes it is, so people tend to write the passwords down somewhere, be it on the "traditional cliché" Sticky Note, or in a notebook, or in a file called passwords on your PC or in your home directory at work. Great.

Now here is the caveat: Anyone (and I mean ANYONE) with medium IT or social engineering skills can either guess those passwords or obtain them in one way or another. The worst case is if someone obtains the password hashes of your company (the Windows SAM file, or the shadow file on a Unix box) and runs John the Ripper or any other password cracking utility against them. Simple passwords are guessed in almost no time, and to illustrate this I did a benchmark on cracking passwords later on in this post.

First, however, let me introduce you to the concept of "what you know". This is one part of multi-factor authentication, which is based on these factors:

  1. something you know
  2. something you have
  3. something you are

Something you are is biometrics, like fingerprints and retina scans. Something you have is for example an RSA SecurID token which generates a one time password, but it can also be an access card or smartcard. Something you know is a password, PIN code or anything else that you know and have to give. A lot of the time for remote access the 2-factor principle is used, mostly factors 1 and 2, something you know and something you have. This works for example with the SecurID token: it requires you to give a PIN and then combines that PIN with a generated number (which changes every XX seconds) to form a one time passcode. Cool eh? The good thing about this approach is that it is VERY secure: a stolen token without the PIN, or a shoulder-surfed PIN without the token, gets an attacker nothing. The problem with it is that every time you want to access something you have to generate the passcode, which works fine until you leave your SecurID at home or lose it.

Now the question remains: how do you make secure yet easy to remember passwords? Well, a simple approach is to "think outside the box". Why are people so fixated on "passwords"? Passphrases are much simpler to use and MUCH more secure. To show what I mean by this I made a simple benchmark, as I mentioned above.

I created 3 users (test1, test2, test3) on my Linux system (shorty). Each one has a variation of the word "password" as its password. I then ran John the Ripper against the three users' hashes and waited to see how long it would take to crack each one.

Here is a graph that, in my opinion, speaks volumes already, even before I keep going:

(graph: Password cracking)

Yes, you saw right: test3's password (pass word) took 1800 seconds (30 minutes) and John still was not done cracking it. test1's password (password) took 0.3 seconds to crack and test2's password (password2) took 3.18 seconds. The jump is worth spelling out: "password" and "password2" are found by John's wordlist mode (a dictionary entry, and a dictionary entry plus a mangling rule that appends a digit), while "pass word" is on no wordlist, so John falls through to incremental mode and has to brute-force the whole space of lowercase letters plus space.
Now here is the point I am trying to make: what prevents you from using even SIMPLE phrases as a "pass-phrase"? Say your wife is Mary, and your passphrase is "i love mary". That would be quite a challenge for brute-force password crackers, and you can also vary it as "I love Mary" etc. The likelihood of cracking this is pretty low, yet it is very easy to remember (if you love Mary, that is :)). One caveat: a phrase made of three very common words is weaker than its length suggests, because a cracker can also try combinations of dictionary words with spaces between them, so pick at least one word (or a misspelling) that an attacker would not think to combine.
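To put numbers on the benchmark and on the "i love mary" claim, here is an added example (not from the original post) that estimates the guess count for each attack a cracker like John the Ripper would try: wordlist plus mangling rules, combining dictionary words, and plain brute force. The nine-entry wordlist, the subset of mangling rules and the guess rate are assumptions for illustration (a real run uses John's password.lst and rule set, and `john --test` gives your own rate); it goes beyond the post's three passwords by also scoring a mixed-case, misspelt passphrase.

```python
import itertools

# Constructed stand-in for a cracker's wordlist (assumption: not John's password.lst).
WORDLIST = ["123456", "password", "letmein", "qwerty", "pass", "word", "i", "love", "mary"]

# Assumed guess rate for illustration only; salted crypt hashes on a 2000s CPU were
# far slower, modern GPUs on unsalted NTLM are far faster.
GUESSES_PER_SECOND = 1_000_000

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 symbols (space included) = 95.
SYMBOLS = 33


def mangle(word):
    """Yield the kind of candidates a cracker's mangling rules produce for one
    wordlist entry (an illustrative subset of a real rule set)."""
    yield word
    yield word.capitalize()
    for digit in "0123456789":
        yield word + digit


def wordlist_guesses(password):
    """Guesses a wordlist-plus-rules pass needs before it hits `password`, or
    None if no rule ever produces it (the cracker then falls through to
    brute force / incremental mode)."""
    guesses = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            guesses += 1
            if candidate == password:
                return guesses
    return None


def combinator_guesses(password, max_words=3, sep=" "):
    """Guesses a combinator attack needs: every ordered combination of
    2..max_words dictionary words joined by `sep`. This is what catches
    'pass word' and 'i love mary' although neither is a single list entry."""
    guesses = 0
    for n in range(2, max_words + 1):
        for combo in itertools.product(WORDLIST, repeat=n):
            guesses += 1
            if sep.join(combo) == password:
                return guesses
    return None


def charset_size(password):
    """Size of the smallest character-class set an attacker would target after
    learning which classes the password uses (what incremental mode sweeps)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def brute_force_guesses(password):
    """Worst case: exhaust every length from 1 up to len(password) over its classes."""
    k = charset_size(password)
    return sum(k ** n for n in range(1, len(password) + 1))


def report(password, rate=GUESSES_PER_SECOND):
    """Cost of each attack; the cheapest applicable one is what decides the audit."""
    costs = {
        "wordlist+rules": wordlist_guesses(password),
        "combinator": combinator_guesses(password),
        "brute force (worst case)": brute_force_guesses(password),
    }
    cheapest = min(g for g in costs.values() if g is not None)
    return {"password": password, "guesses": costs,
            "cheapest_guesses": cheapest, "seconds_at_rate": cheapest / rate}


if __name__ == "__main__":
    for pw in ("password", "password2", "pass word", "i love mary", "i lov3 my Mary"):
        r = report(pw)
        print(f"{pw!r:18} cheapest={r['cheapest_guesses']:>14,} guesses "
              f"({r['seconds_at_rate']:.3g} s at {GUESSES_PER_SECOND:,}/s)")
```

The point the numbers make: the first two fall to the wordlist in a handful of guesses, the two all-lowercase phrases survive brute force but fall to the combinator in a few hundred guesses on this toy list (and in roughly N^3 guesses for an N-word real list), while the phrase with one word that is not on any list is back to the brute-force cost.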

Of course, given enough time anything can be cracked, however you will definitely NOT be at the top of the "charts" when someone does a password audit at your work or a password file from a web service that you use gets leaked on the internet.
