[153602] in North American Network Operators' Group
Re: Dear Linkedin,
daemon@ATHENA.MIT.EDU (Alec Muffett)
Fri Jun 8 17:28:27 2012
From: Alec Muffett <alec.muffett@gmail.com>
In-Reply-To: <4FD266D2.6060600@mtcc.com>
Date: Fri, 8 Jun 2012 22:28:19 +0100
To: Michael Thomas <mike@mtcc.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 8 Jun 2012, at 21:55, Michael Thomas wrote:
> With apps and browsers that
> can remember passwords why are we still insisting that users generate
> and remember their own bad passwords? That's one reason that I
> find the finger-wagging tone of that Linkedin post extremely problematic --
> they have obviously never even considered thinking beyond the current
> bad practice.
That's a fair point, well made; in practice I try to educate people on how to choose a good password by showing them bad ones and giving them a list of "Don'ts"; giving them a tool would be easier but then you have a race to the bottom for platform-neutral tools which are well-written, don't repeat plaintexts and don't serve off a central authority like a website.

In some ways when faced with a challenge like that I would prefer people learned how to pick their own.
One pentester-friend of mine can now determine in which department employees of his customer reside, because each department circulated its own rules on "how to choose a secure password" and the templates/technique are distinct from one department to the next. He brute-forces a password (possible because the passwords are 8 characters-ish and reasonably short, thereby making templates irrelevant) and then reprograms his cracking software to mess with the per-department template to crack the rest of the users in a shorter time.

Having people make up their own passwords reduces scope for that sort of behaviour - you crack some of the clueless folk but the overall quantity of breaks may be reduced.
Also: someone earlier mentioned "the password anti-pattern" - just to clear up a misapprehension, password security is not itself the aforementioned "anti-pattern"* but instead the actual "password anti-pattern" is (for example) surrendering your Blog password to a third party like Flickr so that it can post photos to your blog on your behalf.

This sort of problem is solved by OAuth, which community (unsurprisingly) is from whence the password-anti-pattern term was popularised; Google's "application-specific password" scheme addresses another aspect of the same issue.

More concisely the "password anti-pattern" is "giving your password away or using it untowardly".
-a