
07/16/08 10:40 AM

Why OpenID will succeed

Posted by Laura Bowser

If you haven’t heard of OpenID, I suggest you create a LiveJournal account and start seeing where you can log in with your LiveJournal credentials. You can also read more about it at openid.net. The basic premise is a distributed authentication system that lets a user select their authentication provider when they log into various web sites. The hitch is that you and the site you want to log into have to agree on an authentication provider.

When OpenID was first announced, it touted that you could run your own OpenID server, and then you’d never have to give your password to the site you’re logging into, only the site (which you trust) that you’re authenticating to. That completely runs afoul of the whole “mutually agreeable” authentication provider. If the site you’re logging into doesn’t trust your OpenID provider, you’re never going to be able to use it to authenticate. Most of us have moved past this point, and expect that we’ll be using major OpenID providers rather than our own, but the protocol still allows it, and it can be used among friends.

One of the huge benefits of OpenID is that each OpenID provider can authenticate their users in whatever way they want – password, two-factor, etc. But the relying party still gets to choose what authentication level they’ll trust (and so far, the only models I’ve seen are password based).

So, why will OpenID succeed? Once people realize that they can log into sites that may look sketchy without having to give their passwords directly to that site, they may start visiting smaller sites that just don’t have the security that the larger sites do. This gives a huge boost to those smaller companies by bringing in more consumers.
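The two rules above, that the relying party and the user must share a trusted provider and that the relying party decides which authentication level it will accept, as a small added example of the relying party's decision (constructed for this page, not code from the post or from any OpenID library). Parameter names follow OpenID 2.0 and its PAPE extension; the trusted-provider set, policy requirement and sample assertion are made up, and signature verification is assumed to have already passed.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed trusted set: a large provider plus a friend's own server, as the post allows.
TRUSTED_PROVIDERS = {"https://openid.example.com/server",
                     "https://friend.example.net/openid"}
# PAPE policy URIs (OpenID Provider Authentication Policy Extension 1.0).
PAPE_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PAPE_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed positive assertion, already signature-checked, from a provider that
# asserts only phishing resistance (e.g. a password over a trusted channel).
SAMPLE_ASSERTION = urlencode({
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.example.com/server",
    "openid.claimed_id": "https://alice.example.com/",
    "openid.pape.auth_policies": PAPE_PHISHING_RESISTANT,
})


def accept_assertion(query: str, required_policies=frozenset()):
    """Relying-party trust decision for a positive assertion's query string.

    Returns (True, claimed_id) or (False, reason). The provider must be on our
    list (no mutual agreement otherwise), and it must assert every policy we
    require; a provider we trust may still authenticate too weakly for us.
    """
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("openid.op_endpoint", "")
    if op not in TRUSTED_PROVIDERS:
        return False, "untrusted provider " + (urlparse(op).netloc or repr(op))
    offered = set(params.get("openid.pape.auth_policies", "").split())
    missing = set(required_policies) - offered
    if missing:
        return False, "provider did not assert: " + ", ".join(sorted(missing))
    return True, params.get("openid.claimed_id", "")
```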

07/15/08 02:18 PM

More Admin Misbehavior

Posted by Mike Markiewicz

Not long ago, I posted about snooping admins and suggested some ways to prevent them from abusing their positions. Today, we have an example of an administrator who used his powers to prevent other admins from logging into the network.

Terry Childs, who had become disgruntled over discipline for poor performance, reconfigured the network so that only he had access. He has refused to surrender the password for his account, and at the time the linked article was written, work was still being done to regain access to the network.

So, we can add this to the list of things to be wary of when handing out permissions to administrators. It looks like they knew about a month ago that this guy was up to something, but he was still able to cause all this trouble. It’s good to see that the security of the network is strong enough to keep you out if you don’t have the right password, but maybe there should be some sort of emergency break-in procedure for a situation like this.

Another lesson to take from this is that dealing with people and their egos is a delicate task. It pays to be careful how you handle employees. Security is bound to fail when your own people are working against it.

07/07/08 04:46 PM

Security and Human Behavior

Posted by Mike Markiewicz

Last week, the world’s top computer scientists gathered to discuss security and the weaknesses created by putting it in the hands of people. It was the first “Security and Human Behavior” conference, and many experts on human behavior were invited to help the attendees understand how criminals use social engineering to circumvent security technology.

Here are some interesting topics that came out of this conference:

A study soon to be published will reveal when we are more likely to surrender private information about ourselves. One conclusion was that we are more likely to answer private questions when we are not given any assurance of confidentiality because it makes us suddenly aware of our privacy.

Another set of research looks into the question of improving the fallback password system that many sites employ. Instead of asking questions that might even be difficult for the true user to answer, the proposed method has the user choose things that they like and dislike from a list.

Finally, this MSNBC posting reveals a new idea in security training that was presented at the conference. Instead of periodic reminders to be wary of phishing and e-mail attachments, companies may attempt to fool their own employees. Those who fail the tests would learn by shame or possibly by hearing about it in an employee review.

06/30/08 09:11 AM

World of Warcraft offers One Time Passwords

Posted by Laura Bowser

Blizzard offers a One Time Password device for its European customers, but not for its North American or Asia Pacific customers? Blizzard is using a One Time Password device (it appears to be event based) to allow for strong authentication to its EU servers. There’s no indication of which manufacturer they’re using, or whether it’s OATH compliant, but it is still “real” two-factor authentication, as users will need to have their device with them to log into the account management web pages or the game servers.

It’s optional, and available for 6 euros to EU customers.

There are three things that make this interesting:
1) Real two-factor authentication is available in a game before it’s available in some banks.
2) Someone at Blizzard feels that users will appreciate the extra authentication (for a game!).
3) It’s not available in North America.

I’d get one just to play with it – not that I think my WoW account needs that kind of protection – but it’d be fun to see what it’s like and how they implemented it. Unfortunately, I have a North American account (although, I can play on EU servers, so maybe?). The EU is a smaller market than North America, so perhaps this is a “pilot” program that may eventually make it to the US?

What I still find incredible is that banks and financial companies (which do have information I’d like to protect with strong authentication) are using a fake two-factor login while a video game is using real two-factor authentication. The contents of a WoW account are (arguably) worth less than my bank account – it depends on your feelings about the game – but my account is certainly worth a lot less to me than my bank account.

UPDATE 7-1-08: Blizzard seems to be offering them for NA servers as well (at least they claim that it can only be shipped to the US).
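An event-based OATH token of the kind the post describes is HOTP (RFC 4226): the device and the server share a secret and a counter, the device shows an HMAC-SHA1-derived code for the current counter, and the server accepts a small look-ahead window because button presses without logins push the device's counter ahead. The following is an added example of that scheme, not Blizzard's implementation; the secret and expected codes are the RFC 4226 test vectors and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key; a real token would hold a per-device secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter step: HMAC-SHA1 plus dynamic truncation."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str, look_ahead: int = 5):
    """Server-side check for an event-based token.

    Returns the counter to store next on success, or None. Codes behind the
    stored counter are never accepted, so a captured code cannot be replayed;
    codes up to `look_ahead` steps ahead are accepted to resynchronise a device
    whose button was pressed without a login.
    """
    for step in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step + 1
    return None
```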

06/26/08 03:06 PM

Not All Web Sites Are Created Equal

Posted by Walt Turnes

Jeff over at Coding Horror lashed out at the MENSA web site today, after discovering that their web site uses a presumably weak password storage mechanism that stores passwords in a recoverable format. The main point is that because the passwords can be retrieved by the application and sent back to the users, then they must be stored in a way that would allow an attacker to obtain a list of all (or some) of the passwords in the system.

One primary reason that this is seen as a bad thing is that many users use the same password for all of their various accounts, and therefore if the password is compromised in one place, it’s compromised everywhere. Apparently, according to this argument, every web site should have bulletproof security regardless of what the web site does, in order to protect its users’ other accounts with other web sites. While this is a noble sentiment, and it would be great if it happened, it’s a silly argument.

Security costs money, in terms of development, support, maintenance, training, etc. Therefore, security is built into an application as much as is reasonable for what the application does. If I’m designing a web site that lets you register your e-mail address, and all my web site does is associate your e-mail address with your home address so you can order a pizza online (let’s forgo the concept of credit cards for the moment and assume this is all handled with cash), why in the world should I need to have my site armed to the teeth with SSL, salted password hashes, password complexity requirements, and password expiration periods?

Since I’m not a member of MENSA, I don’t know what sort of services are available through their web site. If they aren’t performing anything that requires a high amount of non-repudiation and authentication, then why should anyone care if they’re storing passwords weakly? If you get your E*Trade account hacked because it had the same password as your MENSA account, that is not MENSA’s fault, because you shouldn’t be sharing passwords between any two systems, let alone two systems with vastly different security requirements. Don’t use the same password for your bank account as you do for your local pizza delivery place, and you’ll have a lot less to worry about.

05/02/08 11:03 AM

3 Ways To Pick A Bad Compliant Password

Posted by Anil Polat

Most corporate users are bombarded with guidelines and regulations on how to set good passwords. Users are forced to remember rules they don’t want to, leading to password fatigue. Administrators are given the sense that passwords are secure and users feel the same way if they’re following the rules.

People know that a password has to be 8 characters, but they really don’t know why – here are some surefire ways to be certain you (and your users) are picking weak passwords, despite length and complexity requirements.

  1. Make It Up Yourself – Most users are going to come up with a ‘familiar base’, then add simple numbers and symbols (1 and !) to make their passwords compliant. Make good use of, and recommend, some decent random password generators to your users.
  2. Use Your Personal Account Passwords – Password change requirements are good at keeping this problem under control (which is why your company should enforce them). Users using the same network password that they use for their personal email, social networking, or other less secure websites can place hidden vulnerabilities in your security architecture.
  3. Change Your Password with Predictable Increments – Sure, you have to change your password every 45 days, but do you just change all of the numbers from 111 to 222? Does Bob123! change to Bob234!?

Refer to #1, use randomly generated passwords.

It’s a good thing that machines can force password complexity and length requirements, but don’t let your users hack around them.
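Habits 1 and 3 above both leave a ‘familiar base’ in place and only move the suffix, which a password-change hook can catch if it keeps the previous password long enough to compare. The following is an added example of such a check (constructed for this page, not from the post or any product); the split of base, digits and symbols and the thresholds are this example's own assumptions.

```python
import re

# Split "Bob123!" into base "bob", digits "123" and trailing symbols "!".
_SUFFIX = re.compile(r"^(?P<base>.*?)(?P<digits>\d+)(?P<symbols>[^A-Za-z0-9]*)$")


def split_password(pw: str):
    """Return (base, digits, symbols), lower-casing the base; no suffix -> ('', '')."""
    m = _SUFFIX.match(pw)
    if not m:
        return pw.lower(), "", ""
    return m.group("base").lower(), m.group("digits"), m.group("symbols")


def predictable_change(old: str, new: str):
    """Return a short reason when `new` is a predictable edit of `old`, else None.

    The check flags: every digit shifted by the same amount (111 -> 222,
    Bob123! -> Bob234!), the number simply incremented (Bob123! -> Bob124!),
    and any other reuse of the same base word with a different suffix.
    """
    old_base, old_digits, _ = split_password(old)
    new_base, new_digits, _ = split_password(new)
    if old_base != new_base:
        return None                                  # a different base word is at least a new guess
    if old_digits and new_digits and len(old_digits) == len(new_digits):
        steps = {int(n) - int(o) for o, n in zip(old_digits, new_digits)}
        if len(steps) == 1:
            return "digits shifted by a constant"
        if abs(int(new_digits) - int(old_digits)) <= 10:  # assumed threshold
            return "number incremented"
    return "same base word with a different suffix"


def check_change(old: str, new: str) -> bool:
    """True when the change should be accepted (no predictable pattern found)."""
    return predictable_change(old, new) is None
```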

04/04/08 02:00 AM

What's In A Password?

Posted by Anil Polat

Password strength meters are all over the Net. These tools are designed to determine how long, random, and complex a given password is.

In general, I think they make good indications about passwords to guide people. It’s just that most people type in their dictionary word and tack on a number or two to get a ‘strong’ password.

See how PasswordMeter.com rates these two passwords (the second one randomly generated from 63 available ASCII characters):

  • ‘Computer1’ – 56% = “Good” password rating.
  • ‘buty1{’ – 34% = “Weak” password rating.

Try it: with a couple of random passwords I got 28–70% ratings using just 6 characters. I know this is all in the algorithms used at each stage – so what’s a user to do?
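The gap between the two ratings above comes from what a meter counts. An added example (constructed for this page; it is not PasswordMeter.com's algorithm) puts two estimates side by side: a length-times-alphabet figure of the kind a simple meter rewards, and a pattern-aware figure that charges ‘Computer1’ as a dictionary word plus a short suffix. The word list, its assumed size and the punctuation count are this example's own assumptions.

```python
import math

WORDLIST = {"computer", "password", "summer", "dragon"}   # constructed stand-in for a dictionary
WORDLIST_SIZE = 100_000           # assumed size of the dictionary an attacker would try
PUNCTUATION = 33                  # printable ASCII punctuation characters
CLASS_SIZES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]


def class_entropy_bits(pw: str) -> float:
    """What a simple meter measures: length x log2(alphabet of the classes used)."""
    alphabet = sum(n for test, n in CLASS_SIZES if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        alphabet += PUNCTUATION
    return len(pw) * math.log2(alphabet)


def pattern_entropy_bits(pw: str) -> float:
    """Lower estimate when the password is a dictionary word plus a suffix of up to 3 characters."""
    for cut in range(len(pw), 2, -1):
        word, suffix = pw[:cut], pw[cut:]
        if word.lower() in WORDLIST and len(suffix) <= 3:
            bits = math.log2(WORDLIST_SIZE)            # choose the word
            bits += 1 if word[0].isupper() else 0      # capitalised or not
            bits += class_entropy_bits(suffix) if suffix else 0
            return bits
    return class_entropy_bits(pw)     # no pattern found: brute force is the best an attacker can do


def compare(pw: str) -> dict:
    """Both estimates for one password, rounded to a tenth of a bit."""
    return {"class_bits": round(class_entropy_bits(pw), 1),
            "pattern_bits": round(pattern_entropy_bits(pw), 1)}
```

For ‘Computer1’ the class estimate is well above the random ‘buty1{’, while the pattern estimate ranks them the other way round, which is the meter's mistake in a nutshell.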

