[109156] in Cypherpunks
Surf Guru's password advice bad? (fwd)
daemon@ATHENA.MIT.EDU (Anonymous)
Fri Mar 12 05:04:19 1999
Date: Fri, 12 Mar 1999 10:48:20 +0100 (CET)
From: Anonymous <nobody@replay.com>
To: cypherpunks@algebra.com
Reply-To: Anonymous <nobody@replay.com>
This is a copy of a message sent to Gloria Mitchell (gloria_mitchell@zd.com),
who sticks her name on their daily email updates and receives their daily
comments and complaints, about their Surf Guru's advice on passwords, which was
decidedly not something to use on high-security systems. The problems I see
with security coverage in the news make me wonder about the accuracy of their
coverage of other fields. Then again, minor mistakes in other fields are
usually more acceptable; in security, a minor mistake may be searched for and
exploited by malicious hackers, whereas in graphics, you're not going to face
major consequences if something isn't antialiased when it should be.
On to the letter...
Briefly put: Yahoo! Internet Life should consider telling the readers that
their Surf Guru's advice on passwords (11 Mar 99) shouldn't be applied where
high security is a must. Before I started studying computer security, I often
took advice that led to far less security than I wanted or needed -- all
without ever knowing there was the slightest chance of a "break" -- and I'm
afraid that many readers who need better security may be misled like I was.
That's the meat of the message -- thanks for reading it -- but if you prefer a
full-blown polemic, scroll down...
The more technical the issue is, the worse the media (generally) are at dealing
with it -- which often leaves security types out in the cold -- but I was
unpleasantly surprised to find Yahoo! Internet Life's Surf Guru section widely
distributing a tip which is a security threat to systems which might be
attacked by anyone determined -- to quote the most recent Y-Life Daily:
** TODAY'S TIP: ASK THE SURF GURU **
Today: Jackie asks, "How do I develop a good password I won't forget?" By
following the example of certain strippers, says the Surf Guru.
http://www.zdnet.com/yil/content/surfschool/guru/guru990311.html
(URL and text reformatted)
Admittedly, it is a better method than some I've heard (including James Randi's
method, mentioned in the same column), but the reply fails to mention that it
has definite limits; any system likely to be a target for pranks or worse needs
a better password, perhaps a pronounceable one generated by an automated
password generator (as is mandatory at some ISPs). Users who want to consider
the validity of a password they make up might want to consider computer
security expert Markus Kuhn's "collision bet guideline."
http://www.mail-archive.com/cryptography%40c2.net/msg00591.html
By this guideline, anyone using personal information for a password would be
told to use it in an original, unguessable way, not in one particular form.
Password-cracking utilities already manipulate the user's name so they can
quickly guess passwords that are trivial manipulations of it, and can easily be
configured to do the same with whatever other information the hacker provides
it. Kuhn notes that SIGINT agencies (the world's top hackers, if you wish to
call them that) almost certainly have refined password-guessing systems.
There isn't an obvious, easy way out of work when choosing a password intended
for a high-security application: what's easily thought of and remembered is
often easily guessed, too.
If it doesn't seem like there are many sites that really need highly secure
passwords, it's ignorance, not experience, behind that perception; many hackers
are determined enough to try to track down the kind of information involved in
efficiently guessing at the password if the prize is a few minutes of write
access to a large Web site and the status in the hacker community afforded them
by their hack.
Of course, if Y-Life stands by the claim, I recommend they open a telnet server
at www.zdnet.com and ask anyone with the ability to wreck the site once logged
on over that connection to alter their password in accordance with the Surf
Guru's advice, thereby betting their security on the same assumptions they ask
their readers to swallow. Anyone wishing to petition them to do so -- a copy of
this message is being sent to the Cypherpunks list -- is heartily encouraged
to.
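The message makes two technical points: password crackers already try trivial manipulations of the user's name and whatever other personal details they are fed, and a pronounceable password from an automated generator is the safer alternative. The following is an added example, not part of the original post, written from the defender's side: a registration-time filter that rejects passwords derivable from a user's own personal information by the obvious manglings (the way cracklib-style checks use the account's GECOS fields), plus a small pronounceable generator with an entropy estimate. The mangling rules, the syllable alphabet, and the sample names are all assumptions chosen for illustration, not the rules of any real cracker or generator.

```python
"""Defender-side password filter: reject passwords that are trivial manipulations
of personal information, and generate a pronounceable alternative instead.
(Added example; mangling rules and syllable alphabet are simplified assumptions.)"""
import math
import secrets
from typing import List, Optional, Set

# Assumed subset of single-character "leet" substitutions crackers commonly apply.
_SUBS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "l": "1"}

# Assumed list of suffixes/prefixes people bolt on to make a name "look random".
_AFFIXES = ["1", "12", "123", "!", "99", "1999"]


def _mangle(token: str) -> Set[str]:
    """Expand one personal-info token into the trivial variants a cracker tries."""
    t = token.lower()
    variants = {t, t[::-1], t.capitalize(), t.upper()}
    variants.add("".join(_SUBS.get(c, c) for c in t))  # leet-speak form
    for affix in _AFFIXES:
        variants.add(t + affix)
        variants.add(affix + t)
    return variants


def password_derived_from(password: str, personal_info: List[str]) -> Optional[str]:
    """Return the personal-info token the password is derived from, or None.

    Tokens shorter than 3 characters are ignored (too short to be meaningful);
    a variant counts as a hit on exact match, or as a substring when it is at
    least 4 characters long, so 'jackie1999' is caught by the token 'Jackie'.
    """
    pw = password.lower()
    for token in personal_info:
        if len(token) < 3:
            continue
        for v in _mangle(token):
            v = v.lower()
            if v == pw or (len(v) >= 4 and v in pw):
                return token
    return None


# Assumed pronounceable alphabet: consonant-vowel-consonant syllables only.
_CONSONANTS = "bdfgklmnprstvz"
_VOWELS = "aeiou"


def generate_pronounceable(syllables: int = 4) -> str:
    """Build a CVC-syllable password from the OS CSPRNG (secrets module)."""
    return "".join(
        secrets.choice(_CONSONANTS) + secrets.choice(_VOWELS) + secrets.choice(_CONSONANTS)
        for _ in range(syllables)
    )


def pronounceable_entropy_bits(syllables: int = 4) -> float:
    """Entropy of generate_pronounceable(): each syllable is one of C*V*C choices."""
    per_syllable = math.log2(len(_CONSONANTS) ** 2 * len(_VOWELS))
    return syllables * per_syllable


def check_or_suggest(password: str, personal_info: List[str]) -> dict:
    """Policy decision: reject derived passwords and offer a generated one."""
    source = password_derived_from(password, personal_info)
    if source is None:
        return {"accepted": True, "reason": "", "suggestion": None}
    return {
        "accepted": False,
        "reason": "password is a trivial manipulation of '%s'" % source,
        "suggestion": generate_pronounceable(),
    }


if __name__ == "__main__":
    # Constructed sample: the asker's name from the column, plus a fake birth year.
    info = ["Jackie", "1975"]
    for candidate in ["Jackie1999", "j4ck13", "eikcaj!", "correct-horse-battery"]:
        print(candidate, "->", check_or_suggest(candidate, info))
    print("generated entropy: %.1f bits" % pronounceable_entropy_bits())
```

Running the script shows the first three candidates rejected (plain name plus year, leet-speak, reversal) and the unrelated passphrase accepted; a four-syllable generated password carries just under 40 bits of entropy under the assumed alphabet, which is why the post's "use a generator" advice still needs an adequate length for high-security use.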