Talk:Talking Passwords

From MicroFocusInternationalWiki

Some Password Psychology

Firstly - our standard is 8 characters minimum, which must include at least one uppercase, one lowercase and one numeric character. We have only recently implemented password policies and wanted to get people used to the idea gradually.

Secondly - the psychology - which came about after a security seminar I attended here in the UK. The basic theory is that the more complicated you try to make a password policy, the less secure your system becomes. Er, what!?

It goes like this: For a start, 99% of users will choose a password that is easy to remember; regardless of what you tell them, they will pick pets, partners and license plates. So you implement a stupidly complicated password policy to overcome this - and next time your user is asked to change their password, they will be told it's not secure enough. So they choose another one, and are again told it's not secure enough, and a third, to be told by their PC that it's still not right. After a bit of frustration they will think "Darn you, you damnable computer" (or similar 4-letter euphemism!) and pick the simplest password they can get away with. Using my policy as an example, this might be Aaaaaaa1 - hardly secure.

Of course it doesn't apply to all users. I heartily agree with prior sentiments that you need to compromise between security and upsetting users. Biometrics overcome that but, as the previous poster mentioned, they're not always suitable - we couldn't afford the expense here! But it only takes one insecure password to potentially cause problems - so instead of forcing people into trying to "beat the system", you have to sort of encourage them to make the best of what you're trying to do.

Mark Russell

Q and A

Q: Why not just use biometrics? A good fingerprint reader doesn't really cost all that much. No passwords to forget - ever.
A: Biometrics may be an answer for some environments, but it is not a cover-all. Some examples are below:
Factory users: may have gloves or dirty/greasy hands, which means they can't authenticate that way (ours can't).
Remote users over internet connections, i.e. on other people's computers, may not have an appropriate biometric reader,
although token authentication may be a way forward?

User understanding can't be overlooked.

I have found from my experience with passwords that users' attitudes are the key to the effectiveness of a password policy. The actual rules of the password aren't as important (they still form a part, as we don't want everyone using cola1 or the common january1, february2 etc. to bypass the "must have a number in the password and it changes every 30 days").

When implementing your policy it is important that the importance of passwords be put across to your users. Some of the key messages we use are: Treat your password like the PIN number on your bank card (this links the concept of a password with something they do in their personal lives: "hey, you're right, that's my money, I don't want people looking at that, I need to keep my PIN a secret").

Passwords are your electronic identity; anything happening under your password is you, in just the same way that a bank doesn't care if you have given your PIN number to someone or wrote it on your card and then somebody takes the card and withdraws your money. The bank will say "well, that's not our issue, that must have been you". The company should treat this the same: if someone sends an inappropriate email or performs inappropriate activity under your password, then the company will treat that as you (this can be seen as a bit of a fear tactic, but it is putting ownership back onto the users). Make managers responsible for their staff; don't have the local book where everyone lists their password, or post-it notes all over the place with passwords. Making management responsible helps enforce behaviours.

Encourage the concept of passwords being not just a single word but a simple phrase. The average user thinks "I have to think of one word and add a number", but if you get them to do simple phrases, it adds to the complexity of the password and can make it easy to remember, e.g. a password of "my2children" is harder to guess than "Tommy", assuming that someone knows that the user has a child called Tommy. The concept of password phrases is foreign to most, and some passwords have limits on the number of characters; this is where you can get people to use the first letter of a phrase, e.g. "My two kids eat dinner" could be a password of M2KED, which is hard to remember if people think "I have to have an odd password", but as a user, if they think "oh, it's a phrase", then it is easy to make sense of. Most companies don't invest time in educating users on passwords and how to come up with an effective password or why it is important; we simply expect users to follow the rules and that should be enough, yet this is the basic security 101 that a company should invest in. Change the culture and they will follow it without relying on the rules to mandate it (not that I would never have rules, but it is more important to get the culture right than the rules).

Well, that's my opinion. Scott Henderson, Australia


08:28, 13 May 2005 (MDT)


First of all, remember the old trade-off between user convenience and security. Typically the stronger the password, the less convenient it is for the user. So the user will modify their habits to make things convenient, for example writing down their password and sticking it under the keyboard.

Next, if you are trying to come up with a solid password management policy, get buy-in from senior managers first and then let the politics of the password policy flow down from the top. The 8th layer of the OSI model. If management doesn't support you, it's not going to do any good trying to enforce policy without a hammer behind the fist.

As far as challenge questions go, the question set should be simple but yet not something that other users know about the person - when the questions are presented as a set. For example, I would consider using this set:

What is your favourite colour? (People's hair colour changes - don't use)

What is your mother's maiden name?

What are the last 4 digits of your social security number?

This would be a solid challenge set for regular users who do not have sweeping access to directory/file systems. I would use a different set of challenge questions for network administrators and keep that under wraps just to deter social engineering.

Lastly, if you are creating a security/password policy from scratch, start with tight security and loosen later (rather than loose security and tighten later). Users scream when you take away something, but when you give them something they don't have they are your best friend.

--Mgoddard 11:51, 17 May 2005 (MDT)

Use the calendar

Here's an idea:

The hint could be "May 2005, Thursday" or "5/5/05" or "Thursday this month"

The password is 5121926

Look at a calendar for the month, year, and day of the week hinted and type the dates all in order.

The second version of the hint is month/day_of_week/year (Thursday is the fifth day of the week).

A variant could be to start at the bottom of the column and go up (2619125 or 6292215).

To add a letter, May is the fifth month so add an "e" at the beginning (fifth letter) or end of the string.

Building on this, most employees know the dates of paydays. Say the first payday of May 2005 is May 13. The password construction rules could be:

- letter corresponding to the number of the month (in this case "e" fifth letter for fifth month, May)

- three weeks of dates beginning with the first payday of the month (132027)

- This yields "e132027" for this month's password which changes at midnight the last day of the month to the next month's combo.

Dave in Florida
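The calendar scheme above is easy to check by hand for one month, but the question a defender wants answered is how many different passwords it can produce at all. The following is an added example, not code from the post or its author: it implements the weekday-column rule, the two reversal variants, the month-letter prefix/suffix and the payday rule exactly as described, then enumerates every value the weekday-column scheme can yield in a year. The variant names (`forward`, `reverse_dates`, `reverse_string`, `none`/`start`/`end`) and the check that three weekly payday dates fit inside the month are my assumptions, not part of the post.

```python
import calendar

# Weekday names mapped to Python's Monday=0 .. Sunday=6 indexing.
WEEKDAYS = {name: i for i, name in enumerate(calendar.day_name)}
# Variant names are this example's own labels for the options in the post.
ORDERS = ("forward", "reverse_dates", "reverse_string")
LETTERS = ("none", "start", "end")


def weekday_dates(year: int, month: int, weekday: str) -> list[int]:
    """Dates in the month that fall on the named weekday, in calendar order."""
    idx = WEEKDAYS[weekday]
    return [week[idx] for week in calendar.monthcalendar(year, month) if week[idx] != 0]


def month_letter(month: int) -> str:
    """Letter whose alphabet position equals the month number (May -> 'e')."""
    return chr(ord("a") + month - 1)


def column_password(year: int, month: int, weekday: str,
                    order: str = "forward", letter: str = "none") -> str:
    """The 'type the column of dates' password, with the post's variants."""
    dates = weekday_dates(year, month, weekday)
    if order == "forward":
        digits = "".join(str(d) for d in dates)
    elif order == "reverse_dates":            # start at the bottom of the column and go up
        digits = "".join(str(d) for d in reversed(dates))
    elif order == "reverse_string":           # the whole digit string typed backwards
        digits = "".join(str(d) for d in dates)[::-1]
    else:
        raise ValueError(f"unknown order {order!r}")
    if letter == "start":
        return month_letter(month) + digits
    if letter == "end":
        return digits + month_letter(month)
    return digits


def payday_password(year: int, month: int, first_payday: int) -> str:
    """Month letter followed by three weekly dates starting at the first payday."""
    last_day = calendar.monthrange(year, month)[1]
    dates = [first_payday + 7 * k for k in range(3)]
    if dates[-1] > last_day:                  # assumption: the rule needs all three dates in-month
        raise ValueError("three weekly dates do not fit in the month")
    return month_letter(month) + "".join(str(d) for d in dates)


def candidate_space(year: int) -> set[str]:
    """Every distinct password the weekday-column scheme can produce in a year."""
    return {
        column_password(year, m, wd, order, letter)
        for m in range(1, 13)
        for wd in WEEKDAYS
        for order in ORDERS
        for letter in LETTERS
    }


if __name__ == "__main__":
    print(column_password(2005, 5, "Thursday"))        # the post's May 2005 example
    print(payday_password(2005, 5, 13))                # the post's payday example
    print(len(candidate_space(2005)), "distinct column passwords in 2005")
```

The count is bounded by 12 months x 7 weekdays x 3 orderings x 3 letter positions, i.e. at most 756 values for a whole year, and the payday variant gives every employee the same string for the month. A value derived from a public hint and a calendar behaves like a shared, predictable rota rather than a secret, so it should be treated as a convenience for the user, not as the thing that protects the account.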

Use a sentence

I once sat through a SANS session (on Securing Windows) taught by Jason Fossen in May 2002 in sunny San Diego (what a great idea it is to go to conferences in California - I strongly recommend it). During one of the presentations he spoke at great length about password best practices. He elaborated beyond NTLMv2, NTLM, Kerberos and the like to talk about complexity. He came up with an idea that to this day I still think is superior.

If you do not have to worry about 14 character (NTLM?), 8 character (AFP UAM, some LDAP), or other password length limitations I recommend the following: USE A SENTENCE.

Take a relatively weak password, "fluffy" (let's assume it is the user's dog's name), and simply add "My password is " and "."; now concatenate the 3 strings and you get a very strong password, "My password is fluffy." You now have a 23 character password with mixed case and an upper ASCII character '.'.

Think of the possibilities! Let's assume the user uses another simple password like "gr8day". What about "Have a gr8day."? Even stronger.

For those who want to incorporate paydays, wedding anniversaries, birthdays, or whatever, why not just use something like "I was born on 28Feb81."?

I think it has been empirically proven that a long password stands up better than a complex short password any day against today's brute force or dictionary attack pen tests.

I am still not convinced that biometrics or prox cards are ready yet. I have heard of companies that have to clean scanners fairly often because someone uses hand lotion, or that have to re-enrol people because they changed the colour of their contact lenses. The prox card stories are even scarier. I have heard of companies that employ the IT departments to try and steal people's cards. If a user has their card stolen, their pay gets docked. That really helps us Tech Guys look good, doesn't it?

The only two-factor concepts I think are easy and work are USB tokens (plus PIN or password), Kerberos, and the king of all kings, RSA SecureID. Unfortunately, I cannot afford any of these, so I just use a simple sentence that people seem to have no trouble remembering.

Anyway, I have bumbled on too long. --Jcrawfor 13:16, 1 Jun 2005 (MDT)
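Two of the posts above make claims a policy author can test directly: Mark Russell's point that an "8 characters, one upper, one lower, one digit" rule happily accepts "Aaaaaaa1", and Jcrawfor's point that a sentence such as "My password is fluffy." is far stronger than the short word it contains while still running into 8 and 14 character limits. The code below is an added example, not code from either post: it encodes the first post's rule set, adds a repeated-run check that catches minimal-compliance passwords, estimates the raw search space of a password from its length and character pool, and checks a candidate against a length limit. The run-length threshold, the pool sizes and the bit estimate (an upper bound that ignores dictionary words and phrases) are my assumptions.

```python
import math
import string

# Character pools for the naive search-space estimate (assumed sizes, not from the posts).
POOLS = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
)
OTHER_POOL = 33  # printable punctuation plus space


def meets_policy(pw: str, min_len: int = 8) -> bool:
    """The rule set from the first post: minimum length, one upper, one lower, one digit."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def looks_like_minimal_compliance(pw: str, max_run: int = 3) -> bool:
    """Flags 'Aaaaaaa1'-style passwords that satisfy the letter of the rules only."""
    return longest_run(pw) > max_run


def pool_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to assume from the classes present."""
    size = sum(n for chars, n in POOLS if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += OTHER_POOL
    return size


def naive_bits(pw: str) -> float:
    """Upper-bound search space in bits: length * log2(pool). Ignores dictionary structure."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(pool_size(pw))


def fits_limit(pw: str, limit: int) -> bool:
    """Whether the password survives a system-imposed maximum length (e.g. 8 or 14)."""
    return len(pw) <= limit


if __name__ == "__main__":
    # Constructed inputs: the examples quoted in the two posts.
    for pw in ("Aaaaaaa1", "fluffy", "My password is fluffy.", "Have a gr8day."):
        print(f"{pw!r}: policy={meets_policy(pw)} minimal={looks_like_minimal_compliance(pw)} "
              f"bits={naive_bits(pw):.1f} fits14={fits_limit(pw, 14)}")
```

The output makes the tension in the two posts concrete: "Aaaaaaa1" passes the rule set and is caught only by the run check, while "My password is fluffy." has roughly three times the naive search space but fails the digit rule and the 14 character limit. A policy that scores length alongside the class rules, rather than treating the class rules as the whole test, lets the sentence through without also letting "Aaaaaaa1" through.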

The Philosophy of Authentication and Security

Having been through similar discussions at a number of companies, I thought I'd throw in my two cents.

Get Management Buy In

I can't say too strongly how accurate the observation is that password (or Authentication) policy needs to follow organizational requirements - not lead them.

If you have a technology steering committee or some other form of joint IT decision-making body based on members from across your business units, those people need to determine how important password security is (based upon, of course, your full disclosure of security risks).

Two Factor Authentication

This is a time when it's really, really good to be a Novell customer.

The best way to ensure someone is who they say they are is to base authentication upon two factors:

  • Something you have
    • Biometric authentication, proximity/barcode/mag-stripe badges, RSA SecureID, etc.
  • Something you know
    • What-ever-password-you-want-and-who-cares-what-it-is.

An NMAS Primer

A lot of people associate NMAS with biometrics, which I think would irk the developers, as it really is a lot more than that. Biometrics are perhaps the most "Hollywood" incarnation of NMAS technologies, but it's not the only option available. In fact, NMAS should not be considered a way to eliminate the password problem - it simply completes your authentication solution. Also, I don't believe that physical authentication mechanisms present an "either / or" situation for companies - you should be able to freely mix between biometrics, barcode, magnetic stripe, etc. methods.


Nearly every modern company issues picture ID cards that work with barcode, magnetic stripe, or proximity scanners. Attendees of BrainShare realize that using this same picture ID for network authentication by itself - with no other form of ID - is very feasible and reliable, on both Windows and Linux platforms for sure, and probably others.

There are lots of add-on PC products that 1) read the same ID badges, and 2) plug in to NMAS. Usually the equipment expense is the greatest consideration.

Combine that with a password policy that addresses the aforementioned concerns (not too strong, not too weak, changing semi-regularly), and you have a pretty darn secure authentication story.

Again - the cost, effort, etc. of implementing this needs to be balanced against the perceived risk, and this can only be done by your senior leadership. Having the IT group implement the policy is a foregone conclusion - having them define the policy is often a recipe for political disaster.

Qbncgar 15:25, 25 May 2005 (MDT)

some thoughts on the matter

I would recommend a mix of 4 or 5 questions (make 2 out of 5 or 3 out of 5 required). This should allow for a broad enough mix that everyone should be able to use it without trying to find the "one magic question" that works on everyone/everywhere/every time (although if someone out there has found it... PLEASE POST IT... heh heh). The best ones that I've ever seen are some of the popular standbys:

  - What's your mother's name ? (Leaving it somewhat nondescript 
    allows folks to use last, middle, first, even MOM or Mother)
  - Where were you born/raised ? (Everyone should know one of the 
    two. And if the answer text is not too bound by logic {ie just 
    match the text}, you could even go with the nonsensical "right 
    next to my mother")
  - What was your first pet ? (Before everyone jumps in with "Not 
    everyone has had a pet" remember that it's a mix, you have to 
    choose 3 out of 5 to answer. So skip this one or answer {as I've 
    seen some users do} with "a rock" or "tv")

Mix these with at least one free-form or "blank" question that's made up by (and answered by) the user. (I admit this can sometimes be a two-edged sword; you would NOT believe how many will use a profanity of some sort. But I still think it outweighs the downside.)

As far as actual passwords go, I usually recommend to our end users that they use a meaningful phrase (without the spaces or punctuation). Usually when it's a legitimate phrase, they can remember something longer than "just a password". Some of the better ones I've heard of are "mysonis12", "mysonjimmygoestops12", "iwantaraise", etc. I would caution your users about using profanity though. I was once working on a machine and needed to sign on as the user to help diagnose the issue. The young lady turned every colour of red as she told me her password, a particularly profane phrase with her boss's name in it as the subject. Hope this helps.
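The post above describes a challenge set where the user answers some of several questions, the match is loose ("just match the text") and one question is written by the user. The code below is an added example of that design, not code from the post or its author: answers are normalised (case, punctuation and spacing ignored) and stored only as salted PBKDF2 hashes, verification requires a threshold of matches (3 of 5 here) and compares in constant time, and the user-authored free-form question is just another key in the same set. The question wording beyond the post's three, the normalisation rule, the PBKDF2 iteration count and the sample answers are my assumptions, constructed for the example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 50_000  # PBKDF2 rounds; assumed value chosen for the example


def normalize(answer: str) -> str:
    """Loose matching: case-insensitive, punctuation ignored, whitespace collapsed."""
    return re.sub(r"[^a-z0-9]+", " ", answer.lower()).strip()


def _digest(salt: bytes, question: str, answer: str) -> bytes:
    # Bind the hash to the question text so a hash cannot be replayed across questions.
    material = (question + "\0" + normalize(answer)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


def enroll(answers: dict[str, str]) -> dict:
    """Store one salted hash per answered question; plain answers are never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "answers": {q: _digest(salt, q, a) for q, a in answers.items()}}


def verify(record: dict, given: dict[str, str], required: int = 3) -> bool:
    """True when at least `required` of the supplied answers match enrolled ones."""
    salt = record["salt"]
    matched = 0
    for question, answer in given.items():
        stored = record["answers"].get(question)
        if stored is None:
            continue                       # question not enrolled (e.g. the user skipped "first pet")
        if hmac.compare_digest(stored, _digest(salt, question, answer)):
            matched += 1
    return matched >= required


# Constructed sample enrolment: the post's three standbys, one extra fixed question
# (an assumption) and one free-form question written by the user.
SAMPLE_ANSWERS = {
    "What's your mother's name?": "Mary",
    "Where were you born/raised?": "right next to my mother",
    "What was your first pet?": "a rock",
    "What was the name of your first school?": "Hilltop",
    "What colour is the sky on Mars?": "butterscotch",   # user-authored question
}


if __name__ == "__main__":
    record = enroll(SAMPLE_ANSWERS)
    print(verify(record, {
        "What's your mother's name?": "  MARY ",
        "Where were you born/raised?": "Right next to my mother!",
        "What was your first pet?": "A Rock",
    }))
```

Two design points follow from the post. Hashing the answers matters because challenge answers are effectively secondary passwords, and a loose match on the stored side (normalising before hashing) gives users the flexibility the post wants without storing the plain text. The threshold is counted over matches, not over answered questions, so a user who answers five with one wrong still passes at 3 of 5, while the lockout and rate-limiting that a password login would have should apply to this path too.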

I love the discussion. And for all you two-factor fans out there: you never left your token at home? Or you never got called in the middle of an evening out and were two blocks from the office and 30 miles from your token? And of course, if you were a consultant and visited 30 customers with thirty different tokens, you always remembered to take the right token and remembered the PINs that you had not used in two years?