Friday, January 06, 2012

Errata for Errata security

Sorry about the title, best I could come up with late at night.

The blog post Passwords: uniqueness, not complexity from Robert David Graham (@ErrataRob) at Errata Security isn't bad, but it is not all that good either. Based on the recent - should I say ongoing - breach of #stratfor, Robert recommends unique passwords instead of having complex passwords. I would ask "why not both?". Let me explain...

Let us begin with the .. rumor .. that #stratfor got hacked due to lack of proper hardening and system maintenance. No, a blank password is not a bad password, it is evidence of incorrect installation and hardening, and a strong sign of weak computer security audits.

1. Long, complex, case-senstive passwords with multiple characters
That advice in the MSNBC article comes from Morgan Slain, CEO of SplashData. He actually recommend the  "use a short sentence" trick, which I've been saying for quite some time already. Actually I say "use a positive sentence, something that you WANT to remember". Passwords are a mandatory pain to most of us, something that users normally doesn't want to remember. Use something that you want to remember.

Robert David Graham says "That's wrong advice", saying that passwords should be unique instead. I'd say Robert is 50% correct. Why not do both long, complex & unique?

With a password manager (LastPass, Keepass, or your selection of similar software), you can create long, complex and unique passwords. Bonus point: you don't need to remember them anymore. Not that password managers are for everyone; mom would most certainly reject the idea of downloading, installing, and learn how to use one for starters. "Give me something that I don't need to learn anything about, just make it work for me".

My password for Facebook is both long & strong! but really not that difficult to remember, right?

2. "...little to lose if hackers guess it."
Except for the embarrassment of course, which in some cases should be seen as part of overall reputation risk. "If person X uses password as his password at hacked site X, who knows how that person will handle  & secure confidential data at other places?". Trust is hard to get, but easy to loose.

Another aspect is the eternal discussion of "I've got nothing to hide" (San Diego Law Review, Professor Daniel Solove examines the argument).

3. Three tiers of websites
First; I've got multiple e-mail addresses. Even if you compromised all of them, you would not be able to get access to all my accounts. There are services out there that doesn't (entirely) rely upon e-mail for account verification and passwords resets you know... Although very common of course, and an area of security where many do step into pitfalls.

Second (fact): MANY e-mail providers, including large ISPs, does not support encryption for pop3/imap/smtp communication, so no matter what your e-mail password might be, it is easily sniffed off your network. If you happen to use https to reach your e-mail it gets harder of course, but of course SSL is not broken, and we all trust every CA on the planet, right?

Third: the definition of tiers used. My primary e-mail is not accessed using webmail, I'm part of the old POP3 generation, although encrypted these days. I think the same applies to many others, if not running it off Microsoft Exchange or similar services.

Ranking e-commerce sites like Amazon etc as second on your list is .. weird. I say that from my Norwegian point of view: unless I'm acting as a complete idiot and give away my pin/password or OTP for my online bank on purpose, I WILL GET MY MONEY BACK if hacked. Heck, the technical implementation at my bank even allows me to use my username as my password. Pretty cool, huh?

The important thing you forgot with your tier definition is the sites that carry sensitive information about you as a person. Think privacy laws. At least here in Norway, my salary, my bank statements etc are "secrets", but we have 2 levels of personal information here. Top level: Race, sexual preferences, political view and memberships, religious views and a little more. Lower level: anything that can be used to identify a single citizen of Norway. IP address, phone number, you name it.

Based on those definitions, Facebook keeps more sensitive information about me than my bank. Who should have the better security? (and what does reality look like?)

--

Now this is very important for me to say: I completely agree with you @ErrataRob on your conclusion: "Your first password policy shouldn't be complexity, but uniqueness".

Using sentences you want to remember, I think one would be able to do both uniqueness, and complexity comes from length. (Password entropy calculation on anything up to length 8 is a lost case - length 8 can be rather easily broken, period).

4 comments:

  1. I get the impression that you and @erratabob are talking slightly past each other from your different viewpoints here.. especially since you seem to agree on Robert's main point.

    Robert subscribes to the idea that "security is like dogdeball, you're fine as long as you're not a target" (I think it was Richard Beijtlich who said something that).
    As such, the argument that uniqueness trumps length/complexity is a sensible security trade-off for a lot of situations.
    I mean.. how many of the Stratfor customers would really have been better off with a much stronger password? What additional protection would it give them?
    Someone else recently wrote (on passwords): "You have to analyse the threat model", which is something a lot of the password analysis reports out there seems to forget. I see Robert's post as a reply to them.

    As I like to put it myself: Passwords only have to be good enough.

    ReplyDelete
  2. Since Stratfor actually did use password hashing, a better password could potentially save their customers from

    1) embarrassment (for some maybe more important than others)

    2) Lower risk of getting compromised at other sites, due to password reuse, since the password would be "unbreakable". @Purehate_ is above 96% cracked now, meaning there still are at least 30K+ account passwords that are "safe". If those passwords are reused at other sites, they are - for the time being - safe. (I would still enforce a password change though).

    If I read it correctly on Twitter, Anonymous claims that they have compromised other sites based on the data from Stratfor. Unconfirmed yet, but I wouldn't be surprised if we'll see clear evidence of that soon.

    Analysing the threat model is a good idea, but should never prevent you from implementing a bare minimum. Otherwise known as "good practice", it is hard to see that Stratford did that in terms of implementation, hardening and maintenance.

    As for the incident handling, information to customers etc AFTER the leak, it looks like they are handling the situation professionally.

    ReplyDelete
  3. Hi Per

    I agree with you on the points you are making, and although I am interested in security, I am not a security "geek" and don't know everything I probably should have known, the points you are making seems very valid based on my logic.

    I've noticed that you, and other blogs, recommend LastPass, and based on this I have been using LastPass for a while, and so far, I like what I'm seeing. The only issue I'm a little worried about, is whether I can trust LastPass (or other similar solutions). Do you have any information that could "ease my worrying" :-)

    ReplyDelete
  4. 30k accounts might be safe still, but for how long? And are they safe because the weren't bruteforced yet, or because they didn't apply the right word list, pattern or table to them?
    We don't even know that these passwords fit any definition of "strong".

    It's just a matter of time until they are cracked, and every day it's less and less time, as tools and computing power evolves. Even if we can move users to the "use a sentence" practice, which I strongly support myself, there is no telling how soon cracking or tables will catch up. Users might accept sentences, but not of unlimited length.

    No, secure sites and proper hashing/encryption will have far, far more to say than creating very strong passwords. What we need is to get rid of the blindingly obvious passwords, and the reuse problem.

    ReplyDelete

All comments will be moderated, primarily for spam. You are welcome to disagree with my posts of course.