Just wondering..
"... Failing that, NCSC advocates the three unique words method, as popularised by web comic XKCD...."
Just wondering if this audit found anyone using the password "correct horse battery staple"
Britons began using the word "vision" in their passwords after prime ministerial advisor Dominic Cummings was caught travelling across the country from his parents' farm in Durham to Barnard Castle "to test" his eyesight, according to research from Pen Test Partners (PTP). Not only that but the words "covid", "corona" and “ …
Oh Lord!
That reminded me of an outback TV show where some red neck antipodean actually used the term "horse barn"!? It's a wonder I didn't have a coronary or a brain haemorrhage, a fucking horse barn, do you mean a stable, like wot they had 2000 years ago when baby Lord Jesus was born!?
> "handsfacespace"
My internal monologue responded to these adverts with "bass in the place!" and imaginary rave-style handwaving ... and shortly afterwards "The Skewer"* put samples of the advert over a drum'n'bass backing :)
* one of the later episodes at https://www.bbc.co.uk/programmes/m000czyb
// raises virtual pint to John Holmes -->
Years back I worked somewhere that enforced monthly changes of password.
Had to be upper and lower letters, digits, special characters, Could not reuse a password you had previously used. At least 8 characters long.
Pretty much everyone in the company password for this month would be some minor variation of
Nov-2020
Fits all the rules, and hard to forget. Secure? Not so much.
I worked in a place where the admins ran about 200 servers. The security on them was laughable, but someone up high mandated that each machine had a unique root password, randomly generated using mixed case alphanumerics.
Still, if I was ever in work out of hours, and needed to access one of the machines, I wouldn't need to call sometime if I didn't know the password... I'd just go into the large open plan office (I e. everyone from secretaries to phone operators, to help desk call loggers...) and pick up one of the many root-password sheets left on the desks...
Same system at the place I worked at. We had two, which would interrupt your work at random times during the working day. After we'd exhausted all the obscenities telling the machine what we thought of it, everyone went to the Month-year system.
I doubt if management cared that nearly everyone in the place used the same password; it wasn't a security-sensitive system anyway. Especially as it wasn't unknown for people to log in as other people on occasion if there was some server problem.
What is nice now is that when you have cloud systems that synchronize with your on-premise users directory, it takes some time for the new password to be replicated.
So once you have your new password you keep being pestered by various applications over the next few hours asking you to re-authenticate.
It helps ensure that you memorize the new complex password...
Or is there an API for the domain to allow reading input of new passwords before they are set ?
There's certainly something that is required to enforce the policy where previous passwords are not reused but unless it's self-contained it's an attack waiting to happen.
Papa can identify base words that are used within an organisation and see how these change over time
Without more details this sound like BS. Or Windows security is worse than we thought. If passwords are properly salted and hashed this isn't possible. However, I have recently read some reports on domain passwords leaking…
https://www.pentestpartners.com/penetration-testing-services/papa/
"It extracts the encrypted hashes from the domain and sends them, over a secure connection, to our dedicated password cracking servers.
All cracked passwords are then returned to the Papa tool where administrators can get detailed information about the domain as a whole and perform trend analysis to view the impact of password policy changes."
What is "enough"?
Depending on the tools used, the effort put in and the time allowed, any password can be cracked if the authentication interface allows enough attempts. The fault lies as much in that interface as it does in the choice of password.
Apart from which, will someone at last explain cogently how the hell "complexity" makes passwords "secure"?
[1] Apparent randomness is not randomness - it's impossible for a human to mentally generate a truly random string as we have a problem called "memory" that prevents us ensuring the true independence of the elements of any sequence.
[2] Randomness is a property of sets, not of the members of sets. If all your passwords are identical, it doesn't matter that they're all the same highly entropic string of characters. Thus the "security" of your corporate passwords is primarily a property of the entire set of passwords, and variation within that set is its most important characteristic.
[3] A highly entropic string is not necessarily secure against attack anyway. It's only secure against human guessing. An attacker using rainbow tables works from the hash to the string, so it doesn't matter two hoots what that string is as it's going to be found eventually via the relevant path through the table.
[4] Length is important, but only up to practical limits. If it's too short, a password is open to easy guessing because there won't be many to choose from (how many three letter strings are there?). But if it's required to be too long, people will find ways to simplify their own problem - creating and remembering it, rather than yours - ensuring it robust against attack. So it won't be.
The ultimate reality is that, properly managed, passwords provide sufficient assurance for some tasks but not for others. For those others there are alternatives such as multifactor (not biometrics, which are identifiers, not authenticators).
how the hell "complexity" makes passwords "secure"?
Often wondered that too, but I suppose it depends what you mean by "secure". The thing that most people are trying to protect against by using passwords is some miscreant - without inside knowledge - being able to access the protected account / function / whatever. Typical opportunistic miscreants will, for reasons of economy, check common passwords and their variants first, followed by dictionary words. The idea behind a random collection of characters isn't that it is inherently more difficult to brute-force "sf7*sd:[" than "abcdefgh" (they have the same level of "complexity" assuming they are from the same namespace) but that any sane opportunistic attack will always check "abcdefgh" first. Thus someone using the former password may never suffer a proper attack, because someone using the latter will be compromised first.
If the target is sufficiently high-value and can be attacked over a longish period of time then any single password will eventually be discovered.
The company I work for had a six-week (I think) mandatory password reset cycle and all the usual rules in place and I know that many people did, indeed, manage to get around those rules by using passwords the equivalent of passw0rd01 followed by passw0rd02.
They also had a three-strikes rule for local logins, but not for remote access, and (latterly) a reset policy that required some kind of authentication that it was actually the user requesting the password change and not somebody else.
When lockdown started, one of the very first things they did was up the three-strikes to a five (IIRC) strikes rule, but they also completely removed the six-week reset requirement. I imagine they've also now applied the five-strikes to external access, but I'm not going to test it :-)
M.
It's not that complex. Eight characters are enough to protect against online attacks, but if someone gets the hash and can attack it offline, they are not that much. On top of that, the uppercase is the first letter, and the digits are at the end, and one of those digits is 1. Those are very common cases, which means that the brute force tool will try those very early, which in turn means that they count relatively little for complexity. So it's only better than eight lower-case letters by a small factor. That's not much at all.
pTG7mp2A would already be significantly better, as it would stay hidden until the attacker starts attempting to switch cases on all subsets of letters, and inserting any digit anywhere. That enlarges the search space by a fairly big factor. The problem is that making company rules that actually result in good passwords is very difficult and extremely annoying.
Personally, I think XKCD is right: I would just use three uncommon or four common words, randomly chosen from dictionaries of all languages I speak, in sequence and in lower case. The problem is - aha - stupid company rules. As soon as I have to throw in special characters, mixed case and numbers, the password becomes exponentially harder to remember, without actually getting much more difficult to attack. At that point, I usually just give up and use a regular password. And nevermind sites that actually have a max password length...
And nevermind sites that actually have a max password length...
And which site was it - some years ago - where it was discovered that it allowed you to set a password of almost any length, but it only actually stored and checked the first eight characters?
I discovered very early on that it was possible to reset the PIN on my bank card to a sequence of more than the regulation four digits, and had a five digit password for some years, which worked fine in the ATMs that were basically all I needed the PIN for in those days. When chip-and-pin came along some of the early terminals didn't like five digits so I reverted to four. I have no idea what the situation is these days, perhaps I ought to give it a go again.
M.
"And which site was it - some years ago - where it was discovered that it allowed you to set a password of almost any length, but it only actually stored and checked the first eight characters?"
Not just some years ago, I've had the same problem recently. It's quite confusing when using a password manager and so are pretty damn sure you're not typing in the password wrong. Eventually discovered that there was a character limit when entering or resetting the password, but not during account creation.
I still only use case or numbers if/when a system doesn't let me set a password without them, which is often. Other annoying rules are "a punctuation mark that doesn't appear in numbers" and "no repeated character".
After I was caught out with my Unlong43 format, I adopted rando mword sovfi velet thers which I can memorise individually and then as a set, making one password which I can type if I must. However, I miskey a lot of the time. When required, an O, O!, or 0 can be added at the end when setting and using the password.
If necessary the letters are from dice rolls: I customised dice to roll 0/1/2, 0/3/6, and 0/9/18, totalling a letter from 1-26 (A to Z), or 0, which I discard and throw again, along with repeats. I've also got a customised fidget spinner since I had trouble finding dice for sale.
A drawback of English in words password as a, is that you are inputting about 1 bit of random with each letter, if someone knows that you have an English language passphrase. You might as well type a binary number, if you remember one. I think that my random letters have about 4 and a half bits of random, each.
I still have a risk or often an actuality of typing a password into the wrong device or service, which is awkward when one is your Brazilian drug dealer on the dark web and the other is your bank. Speaking hypothetically, of course.
The fundamental problem is that we've always considered passwords as ways to give us access to systems so folks don't consider anything except their own immediate convenience (coming up with something simple that just comes to mind right now).
They're not, they're ways to deny others access. That point has needed ramming home for over two decades, but nobody has made much of it. Advising people about how to create passwords without explaining forcibly what they're really for is and always has been a complete waste of time.
Going back about 20 years when we had userid and passwords for about 30 machines. We had very strong corporate rules about what was a valid password. One team had a scheme such as take the month NOV, increment the letters by one NOV -> OPW, permute letters of team member's names, add in part of the machine name, and give it a stir.
I asked them how they remembered the passwords. They said the algorithm was very complex and easy to get wrong, so they wrote them up on the white board (for all to see). You had to know that the 10th password in the list was for machine "Firefly".
A couple of years later the company introduced a rule all white boards had to be cleaned at the end of the day, and we had a clean desk policy.
I had a nice box under my desk, and every evening I obeyed the clean desk policy by picking up my wire storage rack and my day-book and popping both in the box. The pen went on top. Every morning, opened it and restored. We also had to walk miles to a recycling point with paper, as we weren't allowed trash-cans by our desks. A day's worth went into the box and the next morning, on my way to the coffee station, I passed a manager's desk. He had his very own recycling box (because he couldn't be arsked, So important, etc) and popped my trash in there.
Poetry in motion.
If you start with part of some lyrics you like, eg
If you've been bad oh Lord I bet you have
turning into
beenLORDohBAD
with some special chars:
beenLORD><++ohBAD
and then increment
been00LORD><++oh00BAD
maybe do not use month and year for the numbering. But a significant part of the machine/account name can easily go in there as well. Brute force or rainbow tables just don't work anymore when you start to use 20+ characters.
An over-officious BOFH at a place I worked introduced Lotus Notes-level of password changiness on a dev server without notice, to universal dismay. He'd brook no argument, his boss backed him up and was big enough to not be too fussed about physical threats. He and I sat back-to-back with a whiteboard between us, on which I wrote my password in foot-high letters every time I had to change it, always some variant of "Martin is a twat".
The bugger of it is, though, he *wasn't* that much of a twat, he was actually a good guy who wanted things to work, even though he was quite wrong in this case.
If you're reading this, Martin ... pint sometime? Twat.