[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Sat Dec 31 22:40:57 EST 2011


On Sat, Dec 31, 2011 at 10:24 PM, Randall  Webmail <rvh40 at insightbb.com> wrote:
> From: Kevin W. Wall <kevin.w.wall at gmail.com>
>
>> Boy, the latter sounds like advice that a black hat hacker would give someone to
>> ensure simple dictionary attacks are successful. Your dog's name? Really???
>
> Beats the usual method of writing it on a Post-It note where the janitorial staff can see.

Nothing wrong with writing your password on a Post-It note. The problem is
*where* you keep that Post-It note. Put it in your wallet or purse or store
it in your locked desk drawer and the janitor isn't going to casually
see it.

> The current state of "security" in corporate America is somewhere between parlous and laughable.
>
> I've been in a Fortune 100 CEO's office -- his login/pw were indeed on a Post-It, stuck to his monitor.

That's true, but IMO, that's because most of corporate security is
driven as CYA policies rather than ones with any particular rational threat
model in mind. So instead of engaging real risks, we waste our time fighting
windmills.

> The most common password is "Password".

See, that would never fly at our company. They'd have to make
it "Passw0rd" or "Password1" because our AD policy requires
one uppercase, one lower case, and one numeric. :-P

> I know of at least one global company whose database password was "Oracle".

More common for our DBAs is the username written out backwards. (Their
excuse: "We tell the developers and/or operations teams to change it". But
very few ever do.)

> For a time in the 1980s, the BUPERS password on at least one dialup node was "Letmein".
>
> If you're wanting thousands of users to change their passwords once a month and you're NOT going to allow them to use Post-Its, you'd better plan to hire hundreds of kids for "Tech Support".

As Prof Bellovin so aptly remarked, a better approach would be to train people
to use a password wallet / vault. E.g., Password Safe or KeePass, etc. Then keep
the file on a flash drive that you carry with you or, if you are more trusting,
keep it in the cloud somewhere. Then you only have a small handful of passwords
to worry about.

Train the users how to create intelligent strong passwords (which we seldom do)
and they won't have to write them down. But teach them that it's OK to write
them down and put them in a secure place where only they have access to them.
(E.g., treat them like you treat your money!)

It's really not that hard.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
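
The "Passw0rd" / "Password1" and username-backwards remarks above illustrate why a character-class complexity rule alone is a poor filter: trivial edits to a dictionary word or to the account name satisfy it. The following is an added example (not code from the original post, the list, or any product it mentions) that checks a password first against a rule of the kind Kevin describes (one uppercase, one lowercase, one digit; the minimum length of 8 is an assumption) and then against a normalised dictionary / username check that undoes the usual tricks (leet substitutions, appended or prepended digits and symbols, reversed username). The wordlist is a constructed stand-in; a real deployment would load a full cracking dictionary.

```python
import re

# Constructed stand-in wordlist (assumption: a real check loads a large
# dictionary such as the ones shipped with password-cracking tools).
WORDLIST = {"password", "letmein", "oracle", "welcome", "admin", "secret"}

# Substitutions users apply to make a dictionary word pass a complexity
# rule without adding any real entropy. Values are the letters they stand for.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def meets_ad_complexity(pw: str, min_len: int = 8) -> bool:
    """Rule of the kind described in the thread: at least one uppercase,
    one lowercase and one digit. The length floor is an assumption."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def candidate_bases(pw: str) -> set:
    """Return the plausible 'base words' a password was built from: lower-cased,
    with leading and/or trailing digits and symbols removed, then de-leeted.
    Several variants are kept because the order of the two steps matters
    (e.g. '$ecret1' must strip the trailing '1' before '$' becomes 's')."""
    s = pw.lower()
    variants = {
        s,
        re.sub(r"[^a-z]+$", "", s),            # drop appended '1', '!', '2011'
        re.sub(r"^[^a-z]+", "", s),            # drop prepended '1', '#'
        re.sub(r"^[^a-z]+|[^a-z]+$", "", s),   # drop both
    }
    return {v.translate(LEET_MAP) for v in variants}


def is_weak(pw: str, username: str = "") -> bool:
    """True if the password is a trivial variant of a dictionary word, of the
    username, or of the username spelled backwards (the DBA habit above)."""
    bases = candidate_bases(pw)
    if bases & WORDLIST:
        return True
    u = username.lower()
    if u:
        rev = u[::-1]
        if u in pw.lower() or rev in pw.lower():
            return True
        if any(b in (u, rev) for b in bases):
            return True
    return False


def evaluate(pw: str, username: str = "") -> dict:
    """Both verdicts side by side, so the gap between them is visible."""
    return {
        "complexity_ok": meets_ad_complexity(pw),
        "weak": is_weak(pw, username),
    }


if __name__ == "__main__":
    # Constructed sample inputs drawn from the thread's anecdotes.
    for pw, user in [("Passw0rd", ""), ("Password1", ""), ("Oracle", ""),
                     ("Ttocs1", "scott"), ("L3tmein!", ""), ("Xq7#pL!v2m", "scott")]:
        print(f"{pw:12} user={user or '-':6} {evaluate(pw, user)}")
```

The point the output makes is that the complexity rule and the weakness check disagree on exactly the passwords that survive in practice: "Passw0rd" and "Password1" pass the rule and are still one de-leet or one stripped digit away from "password", and "Ttocs1" passes the rule while being the reversed username. A deployable check would also enforce the length floor independently, since "Oracle" fails the rule only for lack of a digit.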