26.7.07

crypto? is that some Southern kid's name?

i'm always amazed at the mental unfitness of the large majority of my country's population. on auditing the passwords for a small section of a network, i found that despite the strict password policy, all the passwords but three - out of several hundred - were words. the policy demands alphanumerics and mixed case, so most users had a "Password123"... oy.

i asked a couple users what the hell was with that. the response?

"Well, normal people can't remember codes."

like fuck they can't. i'm a normal person, apart from being slightly better educated than the general public, and i remember about 10 different alphanumeric codes with random punctuation marks for all the different shit i have to authenticate to in a day. if you have to use each code once or twice a day, it really isn't difficult to memorize them; and these students only have the one system password that's enforced to be so complex. the rest of their passwords, for all the things i keep finding them wasting their time with - Bebo or Myspace, usually (you know what i think of Bebo and Myspace) - are set by themselves, of course, and they're uniformly simple.

so what's the problem? why can't these kiddies remember one code? i guess that's a question for a psychologist. my problem is that when they can't remember it, they write it down; and when they write codes down, the security of the system is down to someone not finding the paper.

obviously, that ain't acceptable. my solution with my own citadel was to implement a token system, which i'm in the process of linking to a chip in my hand (more on that when it's more developed) - and i'm unfortunately not allowed to RFID my coworkers. but i still think the token idea stands, and i'd kill to have a say on whether or not it's implemented here.

here's how the simplest token protocol works, from the seminal textbook, Ross Anderson's Security Engineering:

you have a token, a little transponder thing that can be shaped like a key, or a button, or even embedded in your ID card or something. i have a gate, or a door. you walk up to the door, and your token sends a string to the door's reciever:

token -> gate: serial number, {serial number, onetime number}


the stuff in braces is encrypted under a key known to both the transponder and the reciever, meaning my gate can then decrypt it, check that the two serial numbers match, check that the onetime (Anderson calls it a nonce, but in my country that's slang for a child molester...) hasn't been used already (this way i know you're not just replaying someone else's earlier access attempt) and lets you in.

now, replace the gate with the logon system, and you're flying. it's a little more difficult than that, unfortunately, so i won't be seeing it around here anytime soon. unfortunately, the fact remains:this kind of system is the only way to let normal people slack off remembering their codes.

so, users, you got a choice: either ya remember your damn password, or you let the University's totally non-medically qualified, slightly paranoid security nut embed machinery in your hand. okay?

...where y'all going?


Lepht

8 comments:

Equus Pallidus said...

Thanks for letting folks know I am a bad typer, because I am, but you are wrong about my spelling, it is pretty poor. Also I am dyslexic and a sort of a savant in a way, there are certain subjects I know and I can see through the BS. And I read people quite well.

Now I shall read this post :)

Equus Pallidus said...

Man you just nailed me, Working for the Feds, security is one of the highest priorities, and I have at least 5 different passwords that have to be changed every ninety days and none of them are at at the same time, or I would just change them to the same thing all at once. The passwords are required to have a minimum of 12 Characters of lower case, upper case and separate characters, I often forget them. any suggestions?

Equus Pallidus said...

Special character, not separate.

Equus Pallidus said...

If you have some real Ideas about this, there are 250 Employees where I work FT Worth, I don't know where you live, but I would surely recomend to the management to hire you to help us keep up with them, by giving a lecture on passwords.

Equus Pallidus said...

Oh wait, you are out of the states, I remember now, wouldn't work.

Lepht said...

yeah, with my qualifications and track record it's difficult for me to even enter the States on a tourist visa, never mind get a green card. i'm fairly sure that'd be close to impossible.

the passwords are something i've never had trouble with, if only because the people who taught me my shit would never let me use anything other than strong ones. generally, the brain can't remember random strings of information, so you got two of the best options to make your random password meaningful (after you used a generator or whatever to create a pass in the first place):

1. sing it. i'm not kidding, neurologically you're about ten times as likely to remember the thing if you can give it a rhythm or a melody in your head. it don't have to be out loud; truth be, i've had to bitchslap students for chanting complex passwords aloud in public labs.

2. make it into an acronym or a simple passage; for example, if your pass was JgitWaF! you'd look at it and go Johnny goes into the Woods and Farts!

not that i wouldn't kill to observe Ft. Worth security, that is. especially with regards TEMPEST, i'd have a lot of good tips to pick up there. alas, foreign national.

L

Equus Pallidus said...

Good advice my biology teacher told me to remember that "King Phillip Came Over From Germany Stoned" Kingdom Phylum ect....

Lepht said...

yeah, it's always good if you can do both. the worst thing you could possibly do is write them down, or have them all the same code; either of those methods means i'm one crack away from full access to your system, instead of seven separate ones like it's meant to be.

oh yeah, and you wanna get the newest version of Firefox if you can't spell; it spellchecks for you as you type. enjoy

L