
Thread: Can't Recall Passwords? Write Them Down

  1. #21
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by MsMittens
    As the saying goes... Memory is the 2nd thing to go as you get older.
    Yeah, and I forget what the first was...

    But seriously...I can't believe everyone is still buying RSA tokens. And I'm not knocking RSA (yet...in this post...), I launched my foray into an infosec career on administrating and engineering ACE/Server. But they are SO DAMNED EXPENSIVE. I can't believe how much they charge, after seeing the alternatives. It's like Bose systems. I've been told that, nearly 50% of the money you spend on a Bose goes back into marketing and brand recognition.

    But it is good to hear multi-factor authentication is becoming more prevalent. I've had to explain ad nauseam to many MANY students that knowing a username, password, and PIN is *not* 3 factor authentication...it's still all just data you memorize.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #22
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi MsM,

    Memory is the 2nd thing to go as you get older.
    I thought Memory was ' Impossible to get rid of! '

    Eg

  3. #23
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Just to help my failing memory.. the 3 factors..

    1. ARE
    2. HAVE
    3. KNOW

    Right ??
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  4. #24
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Just to help my failing memory.. the 3 factors..

    1. ARE
    2. HAVE
    3. KNOW
    Yup. I tend to split the ARE into two: ARE (static biometric -- iris, retina, fingerprint, DNA) and DO (dynamic biometric -- voice, signature, typing style)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #25
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by the_JinX
    Just to help my failing memory.. the 3 factors..

    1. ARE
    2. HAVE
    3. KNOW

    Right ??

    Correct.

    Something you KNOW i.e. username and PIN

    Something you HAVE i.e. passcard or OTP token

    Something you ARE i.e. DNA, fingerprint, or hand geometry analysis, etc.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  6. #26
    Senior Member
    Join Date
    Jul 2005
    Posts
    277
    I could sound a little nerdy here and go into the whole spiel that we don't use our total brain capacity and therefore we should have absolutely no problem remembering our passwords, especially since we can recall our social, driver's lic number, credit card number, bank acct number, account numbers for different lenders, etc.

    I could say all of that, but I'm not. Instead, I will simply say "Humans are unreliable, let's do RSA!"
    Difficult takes a day, Impossible takes a week~Kthln01!

  7. #27
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    You speak for yourself, it has taken me 7 years to learn my mobile phone number, and I still don't know my landline. I cannot recite my debit card pin, although I always type it correctly, I have to be at the ATM keyboard.

    It really is time passwords were replaced.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  8. #28
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by Kthln01
    I could sound a little nerdy here and go into the whole spiel that we don't use our total brain capacity and therefore we should have absolutely no problem remembering our passwords...
    The problem with that is one of execution. How would we go about remembering a 4096KB key (not bit, Byte... go read 0wnz0red by Cory Doctorow if you don't get the reference. It's great.) then? What is your method for doing so?

    To paraphrase Aesop, it's easy to suggest the impossible/impractical.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  9. #29
    Senior Member
    Join Date
    Jul 2005
    Posts
    277
    You speak for yourself, it has taken me 7 years to learn my mobile phone number, and I still don't know my landline. I cannot recite my debit card pin, although I always type it correctly, I have to be at the ATM keyboard.
    Funny, that happens to me too. But you remember it.

    How would we go about remembering a 4096KB key
    whoa, nellie!!
    I'm just talkin about an alpha, numero, symbolic (9-digit) password, not pi.
    Difficult takes a day, Impossible takes a week~Kthln01!

  10. #30
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by Kthln01
    whoa, nellie!!
    I'm just talkin about an alpha, numero, symbolic (9-digit) password, not pi.
    OFF TOPIC - I think phi is so much cooler than pi. Pi is great for round stuff and all, but phi is just so much more...intriguing! How can you not like the name 'The Divine Proportion'?!?

    So what? What is a REASONABLE LENGTH/COMPLEXITY PASSWORD, given today's computing power, when combined with methods like using rainbow tables and cluster processing? You can make some password that is so ridiculously hard to remember that Stephen Hawking would spit up at it, and it's still just a bunch of ascii (or whatever encoding you use) for my brute force script to hammer against.

    I think (calling back to the original article that lit this storm) the point Bruce was making is "make it strong enough so casual skiddies won't crack it on their parents' Presario with a 4 year old version of L0phtCrack" and write it down and keep it with your important personal documents...credit card, identification card, cash, etc. It's no more important than most of those, right?

    The root of the problem is we are still relying on a string of 0's and 1's all generated by keys being pressed on the keyboard. If I put an infinite number of monkeys at an infinite number of keyboards, trying to randomly enter characters that would eventually equate to your password, I would succeed...in creating the Internet, Mr. Gore. :grin:

    Seriously...it's always relying on ONLY the right sequence of characters being entered (be it password, username password PIN, or whatever). As technology increases in power, speed, and computational capabilities (reference: Implications of Moore's Law), guessing the right combinations of characters will only become easier.

    I acknowledge that multi-factor will not be bullet proof either. But it will level the playing field some, because if I have an AES encrypted digital certificate with an un-f00king-believably long passphrase protecting the token it is stored on, and I have to provide this certificate when logging in to a server, it'll be SIGNIFICANTLY longer for the crackers among us in the world to positively login to that account with my credentials than if it were simply a password (4096KB in length or not!)

    So my point is, it don't matter how much brain capacity you use. Things you remember are simply still things you remember, no matter how complex or simplistic.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
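
An added example, not part of the original thread, that puts numbers on the password-length and Moore's Law argument in post #30: it sizes the search space for a random password and estimates how many years of throughput doubling it takes before exhausting it fits in a day. The 95-character alphabet, the guess rate, the 18-month doubling period and the one-day budget are all assumptions chosen for illustration.

```python
import math

ALPHABET = 95            # assumption: printable ASCII (letters, digits, symbols, space)
GUESSES_PER_SEC = 1e9    # assumption: constructed offline guessing rate
DOUBLING_YEARS = 1.5     # assumption: attacker throughput doubles every 18 months
ONE_DAY = 86_400         # assumption: search is "feasible" once it fits in a day


def keyspace_bits(alphabet, length):
    """Size of the search space for a random string, in bits."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(alphabet, length, rate=GUESSES_PER_SEC):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return alphabet ** length / rate


def years_until_feasible(alphabet, length, rate=GUESSES_PER_SEC,
                         budget=ONE_DAY, doubling=DOUBLING_YEARS):
    """Years of throughput doubling before the full search fits in `budget`."""
    now = seconds_to_exhaust(alphabet, length, rate)
    if now <= budget:
        return 0.0  # already within reach today
    return math.log2(now / budget) * doubling


def report(lengths=(6, 9, 12, 16)):
    """One row per length: (length, bits, seconds today, years until feasible)."""
    return [(n, round(keyspace_bits(ALPHABET, n), 1),
             seconds_to_exhaust(ALPHABET, n),
             round(years_until_feasible(ALPHABET, n), 1)) for n in lengths]


if __name__ == "__main__":
    for n, bits, secs, years in report():
        print(f"{n:>2} chars  {bits:>6} bits  {secs:.3g} s today  "
              f"feasible within a day in {years} years")
    # Each extra random character delays feasibility by a constant amount:
    print(f"per extra character: {math.log2(ALPHABET) * DOUBLING_YEARS:.2f} years")
```

Under these assumptions each extra random character buys a fixed number of years rather than permanent safety, which is the post's point that a memorised string only delays guessing.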
