-
May 5th, 2005, 07:46 AM
#21
Originally posted here by catch: I have seen a few systems like this already... that ask three simple questions. Typically the user answers 10-20 questions when setting up the account, of which 1-2 of the questions are fakes, e.g. "When was your last trip to Europe?" If you've never been and this wasn't selected from the original set and you answer it, even if your other answers are correct, this will act as a duress alarm.
I hate to be the botheration in this thread, but are these systems modeled after the traditional models (Bell-LaPadula, Biba (I know those only address reads and writes), lattice, etc.)? What are the design principles and concepts? What model or models are these modeled after (designs)? If you're at leisure to divulge this information?
Forgive my ignorance, I'm just trying to learn.
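The decoy-question scheme quoted above, sketched as an added example that is not code from the thread. The question catalogue, the "n/a" convention by which a user declines a question they never set, the rule that every challenge includes one decoy, and the storage layout are all assumptions made for the illustration:

```python
import hashlib
import hmac
import os
import secrets

# Constructed question catalogue (assumption): at enrolment the user answers a
# subset of these; one or two of the remainder are recorded as decoys.
QUESTION_POOL = [
    "Name of your first pet?",
    "Street you grew up on?",
    "Make of your first car?",
    "City where you were born?",
    "When was your last trip to Europe?",
    "Name of your first employer?",
]

# Convention assumed here: a user who never set a question declines it with this
# token; any other answer to a decoy is treated as a duress signal.
NOT_APPLICABLE = "n/a"


def _normalise(answer):
    """Case- and whitespace-insensitive comparison so 'Elm  Street' matches 'elm street'."""
    return " ".join(answer.strip().lower().split())


def _digest(answer, salt):
    """Salted, stretched hash so a stolen answer store cannot be read back directly."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, 50_000)


def enrol(answers, decoys):
    """answers: {question: answer} set by the user; decoys: questions the user never set.
    Only salted hashes of the real answers are stored, plus the decoy set."""
    if set(answers) & set(decoys):
        raise ValueError("a decoy cannot also be a real question")
    real = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        real[question] = (salt, _digest(answer, salt))
    return {"real": real, "decoys": set(decoys)}


def challenge(record, n_real=2, n_decoy=1):
    """Pick real and decoy questions with a CSPRNG and shuffle them so the
    person at the keyboard cannot tell which is which."""
    rng = secrets.SystemRandom()
    questions = (rng.sample(sorted(record["real"]), n_real)
                 + rng.sample(sorted(record["decoys"]), n_decoy))
    rng.shuffle(questions)
    return questions


def verify(record, questions, responses):
    """Return (granted, duress). Every challenged question must be answered.
    A decoy answered with anything but NOT_APPLICABLE raises the duress flag and
    denies access even if every real answer is correct. All questions are
    checked without early exit so a wrong answer does not change the timing."""
    ok, duress = True, False
    for question in questions:
        answer = responses.get(question)
        if answer is None:
            ok = False
            continue
        if question in record["decoys"]:
            if _normalise(answer) != NOT_APPLICABLE:
                duress = True
            continue
        salt, expected = record["real"][question]
        if not hmac.compare_digest(_digest(answer, salt), expected):
            ok = False
    return ok and not duress, duress
```

The duress flag is returned separately from the access decision so the caller can raise a silent alarm while showing the same "access denied" screen a plain wrong answer would produce; telling the coerced user apart from the coercer is the whole point of the decoy.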
-
May 5th, 2005, 08:18 AM
#22
Well, the password system concept that you quote is merely an authentication model rather than an access control model like those you cited.
cheers,
catch
-
May 5th, 2005, 10:59 AM
#23
suspect it will be replaced by two-factor authentication involving either biometrics or something like smartcards... and by having the user answer soft matching questions.
And here is a look at the cards I mentioned when I started this thread.
Longhorn will require two factor auth (or so rumor has it). All law enforcement systems that I personally secure must have two factor auth by a certain date, the requirement coming down from DHS.
My experiment *should* prove that password protection as we know it is nearly dead. How many of you fully trust the classic password model? Not me.
This also implies that classic password policies are near death as well. I was a believer in them at one point, but like I mentioned, today they look nice on paper but are laughable in practice. Some will disagree with me and I expect that. This is my professional opinion.
Anyway, my shop will be moving towards two factor auth and don't be surprised if it becomes a requirement within the next 10 years.
Thanks to all for throwing this around.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 5th, 2005, 02:38 PM
#24
Junior Member
I'm going to say that you still need to have periodic password changes, but with your plan you wouldn't need them as often. But there is always the human element, and that's where you're screwed, and there's nothing you can do about it but say to hell with technology.
-
May 5th, 2005, 03:03 PM
#25
We know that using classic password policies causes users to do stupid things with passwords. We don't want this to carry over into our two factor auth model and policy.
Our experiment is using strong passwords with special chars formatted so that they look like normal words in order to eliminate as much of the human factor as possible. Theoretically, this new password format is what will be used on the smart cards and/or biometric readers. We certainly do not want someone taping a password to the back of a smartcard. See how all this fits together now?
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 5th, 2005, 03:13 PM
#26
Junior Member
I'm going to have to side with using combination passwords. This is similar to a pass phrase, but instead uses, for example, 3 random common dictionary words separated by two other random characters. Take for example the password:
coffee#SYSTEMIC#juniper
Such a password is sufficiently long to withstand brute force attacks. In addition, providing the user with a way to generate these passwords can be accomplished easily. The fact that a user should change passwords often is simply following a best practice. Regardless of the password, many folks use different passwords at different locations, and will write them down anyway. Changing them to something less obfuscated might curb this a bit, but surely not completely.
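A generator for the word-combination format in the post above, added here as an illustration rather than the poster's own code, together with two entropy figures: the character-level estimate that makes such a password look unbreakable, and the scheme-aware estimate an attacker who knows the word list and separator set actually faces. The ten-word list, the separator set and the guessing rate are constructed for the example; in practice the word list would be a dictionary of several thousand words.

```python
import math
import secrets

# Constructed word list (assumption): a real deployment would draw from a
# dictionary of several thousand common words; the security of the scheme
# scales with that list's size, as entropy_bits() below makes explicit.
WORDS = ["coffee", "systemic", "juniper", "harbor", "lantern", "meadow",
         "quartz", "velvet", "saddle", "willow"]
SEPARATORS = "!#$%&*+-=?@^_~"


def generate(words=WORDS, separators=SEPARATORS, n_words=3, n_caps=1):
    """Build a password of the form word<sep>WORD<sep>word using the OS CSPRNG."""
    rng = secrets.SystemRandom()
    chosen = [rng.choice(words) for _ in range(n_words)]   # drawn with replacement
    for i in rng.sample(range(n_words), n_caps):           # upper-case n_caps words
        chosen[i] = chosen[i].upper()
    seps = [rng.choice(separators) for _ in range(n_words - 1)]
    out = chosen[0]
    for sep, word in zip(seps, chosen[1:]):
        out += sep + word
    return out


def split_words(password, separators=SEPARATORS):
    """Split a generated password back into its words (used to check the format)."""
    words, current = [], ""
    for ch in password:
        if ch in separators:
            words.append(current)
            current = ""
        else:
            current += ch
    words.append(current)
    return words


def entropy_bits(n_dict, n_sep, n_words=3, n_caps=1):
    """Guessing entropy when the attacker knows the scheme and the word list:
    n_dict^n_words word choices, n_sep^(n_words-1) separators, C(n_words, n_caps) capitalisations."""
    return (n_words * math.log2(n_dict)
            + (n_words - 1) * math.log2(n_sep)
            + math.log2(math.comb(n_words, n_caps)))


def naive_bits(password, alphabet_size=95):
    """Entropy an attacker would face brute-forcing printable ASCII character by character."""
    return len(password) * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to search the whole space at a given offline guessing rate (rate is a parameter, not a measurement)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate()
    print(pw)
    print("character-level view:", round(naive_bits(pw), 1), "bits")
    print("scheme-aware, 10-word list:", round(entropy_bits(len(WORDS), len(SEPARATORS)), 1), "bits")
    print("scheme-aware, 7776-word list:", round(entropy_bits(7776, len(SEPARATORS)), 1), "bits")
```

The contrast is the practical caveat to "sufficiently long to withstand brute force": `coffee#SYSTEMIC#juniper` is 23 characters, about 151 bits if guessed character by character, but against an attacker who knows the scheme the strength is set by the word list. With a 7776-word (Diceware-sized) list and 14 separators the three-word form is about 48 bits, which an offline attacker at a billion guesses per second against a fast hash exhausts in days, so the word list has to be large and the stored hash slow for the format to deliver what the post expects of it.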
-
May 5th, 2005, 04:21 PM
#27
We certainly do not want someone taping a password to the back of a smartcard.
Like the millions out there with their ATM pin written somewhere in their wallet. Oh my god, a 4 digit number, how will I remember that.
"You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn
-
May 6th, 2005, 12:34 AM
#28
I'm going to say that you still need to have periodic password changes, but with your plan you wouldn't need them as often. But there is always the human element, and that's where you're screwed, and there's nothing you can do about it but say to hell with technology.
I disagree here, I think technology will provide an answer.
We all know that the human element is the weakest link in the security chain. There are far too many variables to consider: bad memory, poor operating practices, blackmail, coercion, etc., etc., the list is probably endless.
The technology to positively identify, authenticate and look for signs of duress/stress is already in widespread use. It just has not been amalgamated into one security solution viable for the mass market. There will come a day, though, when these technologies will be within reach and more reliable than what is available today.
In the meantime we have to do the best we can with what is available.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
May 6th, 2005, 04:17 AM
#29
Passwords are nothing but security by obscurity anyway. A password is like your own personal 0-day into a system. As soon as someone else finds out, it's no longer security by obscurity, and it's no longer YOUR password. I'm thinking of my own methods. I'm going to make an OS that has a cable that hooks up to the chair you sit in to log in. If you can't enter in the password, it sends a couple volts through the chair.
Most people quit ****ing around when they realise they are that much closer to no longer being able to produce children. If you don't believe me kick a penny half way into a light socket and tea bag it with your testicles.
-
May 6th, 2005, 04:19 AM
#30
Originally posted here by whatthe
Like the millions out there with their ATM pin written somewhere in their wallet. Oh my god, a 4 digit number, how will I remember that.
My dumb ass cousin Matt had his written on the back of the damned card.... Well, HAD. After a 400 dollar cash withdrawal, he re-thought that process. Horsey, maybe that's what you should do: when they write them down, USE THEM.
Like my Cousin's card, after it was used he learned the values of security, after you take their passwords and send email to their boss as them, they learn.
BOFH love