peer review or password changing paper

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sun Aug 31 18:24:04 UTC 2008


On Sun, Aug 31, 2008 at 12:56 PM, Neil Watson
<tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> Hi folks,
>
> Please have a look at this brief paper about password security.  Can you
> find any flaws?
>
> http://technocrat.watson-wilson.ca/blosxom/computer/password-changes.html

I think you focus too much on validating the "combinatorial result" of
how long it may be expected to take to crack a password when that's
not really the focus of the problem.

The numerics can stop earlier, with two comments:
1.  In principle, 8 characters could imply 5.76x10^14 possible passwords;
2.  In practice, the tendency to make them easy to remember diminishes
the size of the set really substantially, because people aren't
terribly good at remembering, let alone creating, random patterns.

Furthermore, it is very difficult to impose *truly* careful practice.
The following thoughts fall out...
3.  If users are creating their own passwords, the results are likely
to contain regular patterns that will make them relatively easy to
guess.
4.  If they are forced to change passwords frequently, then it is
likely that they will respond with actions that will, in fact, worsen
security.  For instance:
  a) They may codify some personal policy for creating a pattern (e.g.
- January's password being "chris-jan", February's being "chris-feb",
and so forth), such that if an adversary can guess or capture a past
password, they may readily guess a newer one.
  b) They may write the password down on a Post-It note, or in some
other such location, convenient for access by both friend and foe.  If
this happens, then the "strength" of the password (e.g. - how
difficult it is expected to be to guess) becomes irrelevant.
5.  A common problem today is that the sheer volume of systems
requiring passwords is increasing, including such things as:
 - Voicemail (home, work, cellular)
 - Email accounts (perhaps multiple of them)
 - Networked filesystems
 - Internet-based access to banks, also ATM PIN#s
 - Social Networking sites (Facebook, Slashdot, ...)
 - ECommerce (e.g. - Amazon, ...)

If one uses the same password for multiple systems, then a
vulnerability in one can lead to multiple systems becoming vulnerable
by proxy.

On the other hand, using distinct passwords means having *many*
secrets to remember and protect.

Being forced to change some of the passwords monthly adds to the
personal "administrative burden," whilst, as observed, this is only a
"best practice" when working with 1970s non-networked mainframes.

If you're solely thinking about how to handle password generation,
then I'd suggest talking about how to generate memorable, yet random,
passwords.  This seems a good "seminal source":
http://www.multicians.org/thvv/gpw.html
-- 
http://linuxfinances.info/info/linuxdistributions.html
"The definition of insanity is doing the same thing over and over and
expecting different results." -- assortedly attributed to Albert
Einstein, Benjamin Franklin, Rita Mae Brown, and Rudyard Kipling
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
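As an added, defender-side illustration of point 4a above (example code, not part of the original message or of the paper it reviews): a password-change check that rejects a new password which is merely a month-token or digit rotation of the old one ("chris-jan" to "chris-feb"), or which otherwise stays too close to it. The month list, the canonical-token scheme and the 0.7 similarity threshold are constructed assumptions, not anything the thread specifies.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed list of month tokens: the rotating part of a "chris-jan" scheme.
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
MONTH_RE = re.compile("|".join(MONTHS), re.IGNORECASE)

# Assumed threshold: above this ratio two passwords are treated as one secret.
SIMILARITY_THRESHOLD = 0.7


def canonical(pw: str) -> str:
    """Collapse the parts of a password that users typically rotate.

    Month names become the token <M> and runs of digits become <N>, so
    'chris-jan' and 'chris-feb' (or 'Summer2008' and 'Summer2009')
    reduce to the same canonical form.
    """
    lowered = MONTH_RE.sub("<M>", pw.lower())
    return re.sub(r"\d+", "<N>", lowered)


def rotation_reason(old: str, new: str) -> Optional[str]:
    """Explain why `new` is a predictable derivative of `old`, or None.

    Returns 'same-pattern' when both passwords share a canonical form,
    'too-similar' when their character-level similarity (difflib ratio,
    0.0 to 1.0) exceeds SIMILARITY_THRESHOLD, and None when the change
    looks like a genuinely new secret.
    """
    if canonical(old) == canonical(new):
        return "same-pattern"
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return "too-similar"
    return None


if __name__ == "__main__":
    # Constructed sample changes mirroring the pattern described in point 4a.
    for old, new in [("chris-jan", "chris-feb"),
                     ("Summer2008", "Summer2009"),
                     ("Hunter2!", "Hunter2!!"),
                     ("chris-jan", "t7#Kq9!vLp")]:
        verdict = rotation_reason(old, new) or "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```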