
Changing Passwords - yan
http://www.schneier.com/blog/archives/2010/11/changing_passwo.html
======
shrikant
Schneier Fact No. 27[1] seems particularly relevant in light of the [very
useful, but preaching to the choir maybe?] advice he's handing out here:

 _Most people use passwords. Some people use passphrases. Bruce Schneier uses
an epic passpoem, detailing the life and works of seven mythical Norse
heroes._

No wonder he uses a password manager, eh?

[1] <http://www.schneierfacts.com/fact/27>

------
tptacek
This advice is back-assward.

The attacker who uses your stolen password is just as likely to be trying it a
year from now as he is to be trying it the moment he captures it. Maybe he's
not even the person who originally stole it. A stolen password for an account
whose password isn't regularly changed is a backdoor that can't be patched or
detected. It's actually more valuable in some ways than a rootkit.

This isn't idle punditry. Maybe once a year, I end up on a penetration test
that works its way onto internal networks or desktops, and _every one_ of
those engagements _invariably_ has a "here's the chapter of the report where
we ended the universe" because one person saved a password somewhere a year
ago and never changed it.

Yes, attackers will mount active attacks, and yes, attackers will install
backdoors. But they will also sweep your machine for textual passwords and
then bank them.

There are classes of passwords that don't merit regular changes. Your one-off
passwords for sites like Reddit (please, don't share passwords between sites)
don't need changing. I'm also not religious about changing single-purpose
rarely-changed Keychain-generated passwords.

The rest of them, change at least once a year.

~~~
iuguy
> The attacker who uses your stolen password is just as likely to be trying it
> a year from now as he is to be trying it the moment he captures it.

Although this might sound a bit off to other readers, this actually correlates
quite well with what we see in the (suddenly now sexy) APT space when a
network gets 're-popped'. If the attacker has been in before, they'll usually
have some good intel on the internal network structure and will often try old
passwords, then potentially variants of them, assuming the same lockout as when
they took the configs/policies.

I can also vouch for the pen test story. It's also why I generally take last
year's report with me, as it usually helps me find out what the password was.
We don't usually write the password down in the report but do give subtle
clues to jog the tester's memory.

I'm not sure what you mean about sweeping the machine for textual passwords.
It's not uncommon to search the filesystem for files containing a current
password or 'password', 'username' etc., but it's not that common in the wild
as it generates a lot of I/O and can raise suspicions. The last thing you want
is for the end user to ctrl-alt-del and see notepad.exe using a load of disk
activity. Of course an adversary worth their salt would've migrated to a
different process by then, but even so, if you're wondering why csrss.exe is
thrashing the drive like that, then you might have something worth
investigating.

For places like reddit, I'd say sharing passwords between sites is fine as
long as you're comfortable with them all being compromised. I have the same
passwords for things I don't really care about as far as compromise is concerned.
For more important information assets I find it better to adopt a defence in
depth approach than to rely on several hundred passwords alone.

~~~
LiveTheDream
What is the APT space? Guessing it has nothing to do with the advanced
packaging tool. ("apt" is not very google-able, and no acronyms particularly
stood out to me).

~~~
tptacek
I'm hoping he doesn't mean "Advanced Persistent Threat" (gag), which is a
marketing term invented after the Google/Aurora debacle to try to sell
products and services ("APT defenses") on a "don't let this happen to you"
message.

He might mean "Application Penetration Test", except that app pentests rarely
pivot to internal networks and passwords (they're usually part of the software
development lifecycle and are about "is this app safe to deploy").

~~~
iuguy
No, I do mean Advanced Persistent Threat, and the term pre-dates Aurora by a
few years; it's just been misappropriated by Mandiant's marketing department
and then every man and his dog has smelt money.

Traditionally we've used the term Targeted Attack or CNE (meaning Computer
Network Exploitation), but people tend to ask what that is. I die a little
inside when I use the APT term, but people who get it, get it, and people that
listen to marketers (rightfully) act suspicious.

The attacks are real and have been going on since the 90s, but it's not as
clean cut as people make out. The primary distinguishing factor is the 'P' for
persistence, not necessarily the 'A'. Anyone selling on a "don't let this
happen to you" message is obviously selling bunk. You're either a target or
not for this stuff, and that depends on a whole load of factors. If you're not
a target then your biggest similar threat is probably broad malware attacks
(more associated with botnets) or unfocused criminal activity. If you're
susceptible to APT, it's because you've already been hit. That's why "don't
let this happen to you" doesn't work - it will happen, and it will happen
again. The trick is to detect it and kick the buggers out before they cause
any (qualified) damage.

You make an interesting point about App Pen Tests. I'm surprised that you say
that it rarely pivots. We do all the time. We routinely face people who say
Cross-Site Scripting isn't an issue, until we show them different ways of
attacking their users, as opposed to the dull alert('XSSLOL');

Likewise for SQL injection I certainly find that breaking in and hunting
around leads to all kinds of things you otherwise wouldn't see. If you're not
trying to break in, it's not really a 'Penetration' test as much as the app
equivalent of a Vulnerability Assessment.

------
batasrki
It's amazing how much of this is alleviated by something like 1Password or
LastPass which I currently use. It'll generate a strong random password for me
and remember it so I don't have to write it down. Changing passwords is just
as easy.

~~~
Timothee
Absolutely. I use 1Password myself and, as a safety measure, recently changed
a bunch of my passwords at once and it was a real breeze.

Go to a site, go to the account page, ask 1Password to generate a new
password, 1Password detects what's happening and asks if I want to update the
login info, go to the next site.

I was able to change the password for all my important accounts in a matter of
minutes.

------
smarterchild
> And two, it's far more important to choose a good password for the sites
> that matter -- don't worry about sites you don't care about that nonetheless
> demand that you register and choose a password...

I actively use terrible and crappy passwords for certain sites, when I'm more
worried about someone getting the password than someone getting access to my
account on that site.

~~~
jdp23
Excellent point. I have a generic password I use for low-security sites where
I don't particularly care about people getting access to my account.

------
pchristensen
I use this process: <http://www.joelonsoftware.com/items/2008/09/11b.html>

Works even better now that there's an iOS client:
<http://www.passwordtouch.com/>

~~~
gvb
KeePass works well too. It is cross-platform (I've used it on Win7, Linux,
Android, and the iPhone, and it does more platforms as well).

<http://keepass.info/>

~~~
eli
Same here. It was the only one I found that worked well on Windows and Mac
(Android/iPhone is just a bonus).

------
atleta
Actually I think that forcing users to change their passwords doesn't really
improve security and it may well decrease it.

Good passwords are hard to memorize, and if I'm forced to change it every few
months then I can do two things: change it as little as possible (e.g. add a
number or a character at the end and cycle between them as allowed) or use a
weak password (and maybe do the same with it).

Now if one has a lot of accounts and passwords and tries to be safe and use an
app like passwordsafe then the ignorant service operators (e.g. my bank...)
who force frequent password changes can turn life into a really bad experience
forcing us to do password changes every few days on one system or the other
(or just force the user to give up on secure passwords).

Now if someone wants to secure their system then they should use two-factor
authentication. Now that everybody has a mobile phone, basically everybody has
a secure token. (I know that mobile phones are not that 'tamper resistant',
still they are something that an attacker has to have their hands on. And
you'll probably notice if you lose your phone sooner than you would notice
your purse.)

------
pyre
> Someone committing espionage in a private network is more likely to
> be stealthy. But he's also not likely to rely on the user credential
> he guessed and stole; he's going to install backdoor access or
> create his own account. Here again, forcing network users to
> regularly change their passwords is less important than forcing
> everyone to change their passwords immediately after the spy is
> detected and removed -- you don't want him getting in again.

Most likely if a {corporate,government} spy _is_ caught, the institution will
try to keep it under wraps as much as possible. Only telling employees to
change passwords in the event that such a thing happens is tantamount to
admitting it has happened.

If you worked for a company that never made you change your password, and all
of the sudden there was a one-time corporate directive that everyone had to
change their password, what would you think? That somehow security had been
compromised.

------
Kilimanjaro
You would think changing passwords every month is more secure, when in fact it
is much less secure for the reasons he explained.

People tend to get tired of remembering passwords, so they write them down on a
post-it and stick it on the monitor.

How is that for secure?

~~~
tptacek
I don't think it's possible to extract "much less secure" from that post (he
has carefully hedged it to avoid writing anything falsifiable). The only
downside he's explicitly cited is that he _thinks_ it might cause people to
pick less secure passwords.

I have a hard time buying this argument, because people pick godawful
passwords anyways; the very few people who pick decent passwords are probably
not derailed too much by a periodic change requirement.

And, for what it's worth: Schneier himself advocates writing passwords down.

------
mattmanser
I thought he might finish off there at the end with key passwords, like the
email account that all the change of password notifications go to.

As once that one's compromised, you've pretty much been compromised everywhere
on the internet apart from maybe banks that require phone or fax steps for
password changes.

