
When passwords attack: the problem with aggressive password policies - shawndumas
http://arstechnica.com/business/news/2011/10/when-passwords-attack-the-problem-with-aggressive-password-policies.ars
======
markkum
Good article, though the whole premise of people being forced to manage
passwords is screwed. We are working hard at Mepin - www.mepin.com - to get
rid of passwords one by one. Our premise is that people are much more capable
of managing a key - a physical key like a phone or a USB key. Care to agree?

~~~
jayfuerstenberg
I'm obviously biased as I created KEYBOX, an iPhone app for easily managing
passwords, amongst a whole host of other secrets.

So take my below answer with a grain of salt...

I'm surprised by all the attempts to replace the password with non-secret keys
be they facial recognition (face prints?), fingerprints, or other...

I can login to your facial recognition screen just by holding up your photo.
Fingerprints are a little more difficult but the technology exists.

But if I am not in possession of your password I'm going to be spending a
lifetime cracking it.

Conclusion: Keys are not secrets and can be easily copied. Passwords ARE
secrets.

Yes, passwords can be difficult to remember but that's a different problem.

If you want to see secret/password management done right check my website (
<http://www.jayfuerstenberg.com> )

~~~
markkum
Umm ... your conclusion is kind of funny and wrong. You might not be familiar
with cryptography, modern smartcard technologies, and how those can actually
keep a secret.

I agree with your assessment on facial recognition and fingerprints, though
the biggest problems with the fingerprint authentication are the lack of
ubiquitous sensors and privacy issues.

But password manager software is better than nothing ;)

~~~
jayfuerstenberg
I'm quite familiar with cryptography and the principles of secret keeping. I
am not as knowledgeable about smartcards, I admit.

Is there something that makes a smartcard-based USB key work differently when
held by a person other than its rightful owner?

My impression of them, perhaps incorrect, is that they are akin to Hanko (
<http://en.wikipedia.org/wiki/Hanko_(stamp)#Japanese_usage> ). Basically a
system of using possession combined with a fairly unique set of data as a
means of distinguishing and authenticating its owner. But in practice it's far
less than perfect.

~~~
markkum
A good smartcard in general cannot be copied and it will not work without the
user's PIN code. It can also lock itself if the PIN code is entered wrong too
many times. But most importantly, the keys/certificates inside the smartcard
can be revoked remotely if the smartcard is lost. So even if the wrongful
holder of the key has somehow got hold of the PIN code, he cannot use the key
for long.

Nothing is perfect of course. The risk/threat is very similar to someone
stealing your phone who has somehow gotten to know your master password to
your password management software. However, password management does not
really solve either the usability or the security problems of usernames and
passwords ... although a good piece of software can certainly help.
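The properties listed above (a key that is generated inside the card and never
leaves it, a PIN gate that locks the card after repeated failures, and a
verifier-side revocation list) in a runnable simulation. This is an added
example, not code from either commenter or from Mepin or KEYBOX; `SimCard`,
`Verifier` and the error names are hypothetical, and a Go struct with an
unexported field only stands in for the tamper-resistant hardware that makes
the "cannot be copied" property real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Sentinel errors for this example (hypothetical names, not a real card API).
var (
	ErrLocked  = errors.New("card locked: too many wrong PINs")
	ErrBadPIN  = errors.New("wrong PIN")
	ErrRevoked = errors.New("card revoked")
)

// SimCard is a software stand-in for a PIN-protected smartcard: the private key
// is generated inside it, no method returns it, and Sign refuses without the PIN.
type SimCard struct {
	ID        string
	priv      *ecdsa.PrivateKey // unexported; never serialised or returned
	pin       string
	triesLeft int // three wrong PINs in a row lock the card permanently
	locked    bool
}

func NewSimCard(id, pin string) (*SimCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SimCard{ID: id, priv: priv, pin: pin, triesLeft: 3}, nil
}

// PublicKey is the only key material that leaves the card, at enrollment time.
func (c *SimCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Sign answers a challenge. A wrong PIN burns one try; at zero the card locks
// itself for good, so the PIN cannot be brute-forced against the card.
func (c *SimCard) Sign(pin string, challenge []byte) ([]byte, error) {
	if c.locked {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		c.triesLeft--
		if c.triesLeft == 0 {
			c.locked = true
			return nil, ErrLocked
		}
		return nil, ErrBadPIN
	}
	c.triesLeft = 3
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Verifier holds enrolled public keys plus a revocation list. It stores no
// private key and no PIN, so a breach of its database yields nothing to crack.
type Verifier struct {
	keys    map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}}
}
func (v *Verifier) Enroll(id string, pub *ecdsa.PublicKey) { v.keys[id] = pub }
func (v *Verifier) Revoke(id string)                        { v.revoked[id] = true }

// Check rejects revoked cards before it even looks at the signature.
func (v *Verifier) Check(id string, challenge, sig []byte) error {
	if v.revoked[id] {
		return ErrRevoked
	}
	pub, ok := v.keys[id]
	if !ok {
		return errors.New("unknown card")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	card, _ := NewSimCard("card-1", "1234")
	v := NewVerifier()
	v.Enroll(card.ID, card.PublicKey())
	ch := make([]byte, 32) // fresh random challenge per login: a captured response is useless later
	rand.Read(ch)
	sig, err := card.Sign("1234", ch)
	fmt.Println("sign:", err, "check:", v.Check(card.ID, ch, sig))
	v.Revoke(card.ID)
	fmt.Println("after revocation:", v.Check(card.ID, ch, sig))
}
```

The contrast with a password database is the point: the verifier's table holds
only public keys, so "find the password database and crack it" has no
counterpart here, and a stolen card with a guessed PIN is cut off by `Revoke`
without the user having to change anything on the card itself.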

~~~
jayfuerstenberg
Thanks for the thorough reply! It sounds promising.

------
colkassad
Where I work we have a plethora of usernames/passwords for everything from
benefits to paystub management to expense reporting, not to mention desktop
logins. I gave up long ago trying to remember/write them all down, save for my
desktop. I just initiate a password reset whenever I use them. Unfortunately,
a lot of these services are outsourced so I could see the complication in
setting up some kind of single sign-on.

------
peterwwillis
What are the risks of a password attack?

    
    
      * Someone can watch you type in the password
      * Someone can receive/sniff/keylog you typing in the password
      * Someone can find the password database and crack it
      * You might tell the wrong person the password
      * If you wrote the password down, someone might find it
      * More I'm not thinking of (probably)
    

There is some kind of attack that will work to get your password, I guarantee
it. So stop obsessing over it. Just make one difficult password, keep it for a
long time (as suggested in the article) and make use of a second
authentication factor.

Use a keyfob from PayPal or Verisign combined with OpenID ($5-$40; there are
other cheap keyfobs out there too). Soft keyfobs are free and (while not
impenetrable) present a new mandatory additional attack vector that increases
complexity. It's less secure, but you can also use an SMS-based system for
another free and cross-platform alternative.

~~~
markkum
Phishing is the biggest risk/threat. An average user will type in his username
and password if presented with a decently familiar login form, no matter what
the browser address bar or the rest of the web page says. Unfortunately the
PayPal and Verisign keyfob security codes can also be phished.

~~~
jayfuerstenberg
This is regrettably very true.

