Comment On Security by Post-It

Over the years, we've seen some fairly interesting security principles discussed here on The Daily WTF. While most in the industry already appreciate the benefits of Security by Obscurity, readers like you have contributed some fascinating alternatives including Security by Oblivity, Security by Insanity, Security by Letterhead, and Security by Posterity. Today, I'm excited to add a new strategy for securing information systems: Security by Post-It.

Re: Security by Post-It

2011-04-28 04:22 • by Quango
Sorry just had to do this..


Sadly this over-compensating-defeats-the-object isn't uncommon in corporate and even small businesses.

Re: Security by Post-It

2011-04-28 10:04 • by dpm
. . . because everyone knows that passwords longer than 12 characters are *easier* to guess.

Re: Security by Post-It

2011-04-28 10:06 • by CaptainSmartass
So the password has to be at least 8 characters, and must be over 6 characters long. Got it.

Re: Security by Post-It

2011-04-28 10:07 • by andres (unregistered)
They can still do better:

http://www.dilbert.com/strips/comic/2005-09-10/

Re: Security by Post-It

2011-04-28 10:07 • by dogbrags
Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]

Re: Security by Post-It

2011-04-28 10:16 • by Mcoder
Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no special character, no repeating character.

That makes for an EASY AS HELL password to crack.

Re: Security by Post-It

2011-04-28 10:21 • by James Q. Smithers (unregistered)
"be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?

Re: Security by Post-It

2011-04-28 10:21 • by jim (unregistered)
345593 in reply to 345589
dogbrags:
Adding exclamation marks to the end of each requirement makes them much more exciting than normal requirements. [Must not contain your username!]


These rules should be in Comic Sans.

Re: Security by Post-It

2011-04-28 10:22 • by James Q. Smithers (unregistered)
(continued ... see next post)

"and may not contain your user name or any part of your full name."

Oh. So if my name is James Q. Smithers, the letters [list of letters deleted] are disallowed? That's good, I like that. My buddy Charles "Zippy" Quanstrom-Peebles likes it a lot, too.

Re: Security by Post-It

2011-04-28 10:23 • by Bill (unregistered)
When I was working on a project for a major government agency we were in a meeting with the client when she needed her latest password (they had very stringent password rules). She pulled up her calendar, navigated to a certain date and pulled out her password.

I was floored. She has this password stored in a public calendar (at least within her organization) and in plain text.

This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

Rule of security vs. usability

secure <------------------------------------------> usable

You can't have both: as you get more secure it gets less usable, and as you get more usable (think Microsoft adding scripting to email) you get less secure.

Re: Security by Post-It

2011-04-28 10:23 • by DCRoss
345596 in reply to 345588
andres:
They can still do better:

http://www.dilbert.com/strips/comic/2005-09-10/


Or even http://www.dilbert.com/fast/2011-04-28/.

But that would be spamming, so I'm going to complain a bit here.

Re: Security by Post-It

2011-04-28 10:23 • by James Q. Smithers (unregistered)
Notes to self while trying to post a simple comment:

***I don't know why this post might be considered spam. Any guesses? Is "Quanstrom-Peebles" some sort of slang I don't know about? Will this note fix it?

***No, that didn't do it. Maybe I should put in a link to some dodgy erection-peddler, just to see if that helps?

*** Okay, copy the comment text into a new comment, let's see if that does it.

*** No. What if I take out the quote markup?

*** different name?

*** Maybe akismet is just on the rag today.

*** AH! It's the list of the letters in "James Q. Smithers" that it doesn't like!

Re: Security by Post-It

2011-04-28 10:26 • by Alargule (unregistered)
345598 in reply to 345591
Mcoder:
Yeah, between 8 and 12 chars, at no more than 8 letters, no more than 8 digits, no special character, no repeating character.

That makes for an EASY AS HELL password to crack.


You did check the other requirements, didn't you?

I'd like to see this captured in a regex...

Re: Security by Post-It

2011-04-28 10:26 • by Rob (unregistered)
I think I figured it out. If no password is valid, then nobody can hack into the system. They get 100% system security, at the low cost of 0% system usage. A security analyst's dream come true.

CAPTCHA: facilisi (not a valid password)

Re: Security by Post-It

2011-04-28 10:27 • by Anon (unregistered)
• be at least 6 characters long, contain 3/4 of uppercase,
lowercase, digits and punctuation marks, and may not
contain your user name or any part of your full name.


First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.

Re: Security by Post-It

2011-04-28 10:29 • by Rob (unregistered)
345601 in reply to 345566
Quango:
Sorry just had to do this..



I'm sorry, that is not a valid FRIST, as it doesn't contain lower-case letters or digits!

Please change your FRIST as soon as possible, or your FRIST privileges will be locked out!

Thank you!

Re: Security by Post-It

2011-04-28 10:31 • by Anon (unregistered)
345602 in reply to 345595
Also, more rules stating what your password can't be = less entropy = less secure.

Re: Security by Post-It

2011-04-28 10:33 • by Mark (unregistered)
OK, seriously, where is the WTF? Other than the restrictions on symbols and max. length, I've had numerous (memorized) passwords over the years that would satisfy these requirements.

Re: Security by Post-It

2011-04-28 10:35 • by My Name (unregistered)
abcdEFGH

maybe?

Re: Security by Post-It

2011-04-28 10:36 • by Steve The Cynic
345605 in reply to 345592
James Q. Smithers:
"be at least 6 characters long, contain 3/4 of uppercase, lowercase, digits and punctuation marks"

Does this mean a password must be 75% upper case, 75% lowercase, 75% digits, and 75% punctuation?

Or does it mean that the 75% of the password must be one of [uppercase, lowercase, digit, or punctuation]?

No, it means you must use characters from at least three of the four categories, aside from the forbidden punctuation marks, obviously. I had a similar situation once, except the rules were: "must be at least 7 but not more than 8 characters, and if 7 then all four categories must feature, else only three", with the categories being uppercase, lowercase, digits, and symbols, and the added proviso that uppercase in the first position did not count as using uppercase, and digits in the last position did not count as using digits. So I kept the last 5 characters the same in all passwords and invented various three-character combinations involving letters and digits to lead them, generally expressing my dissatisfaction with the rules (1ck for ick, u6h for ugh, etc.). Overall, a security disaster.
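
The "3 of 4 classes" reading above, Mcoder's list of limits, and Alargule's wish to see the whole thing "captured in a regex" can all be exercised with a validator. The following is an added example written for this thread, not code from the site or from the policy's owner. It assembles the rules quoted in the comments; the set of forbidden punctuation marks (the thread only says "several marks" are banned), the literal reading of "any part of your full name" as every whitespace-separated token, and counting "aaa" as two overlapping pairs are assumptions:

```python
import itertools
import re

# Constructed policy, assembled from the rules quoted in this thread.
MIN_LEN, MAX_LEN = 8, 12          # "have at least 8 character(s)", "between 8 and 12 chars"
MAX_LETTERS, MAX_DIGITS = 8, 8    # "no more than 8 letters, no more than 8 digits"
MAX_REPEAT_PAIRS = 1              # "have no more than 1 pair(s) of repeating characters"
MIN_CLASSES = 3                   # "3/4 of uppercase, lowercase, digits and punctuation"
FORBIDDEN_PUNCT = set('<>\'"\\')  # assumption: the thread only says "several marks" are banned

CLASS_PATTERNS = {
    "upper": r"[A-Z]",
    "lower": r"[a-z]",
    "digit": r"[0-9]",
    "punct": r"[^A-Za-z0-9]",
}


def character_classes(pw):
    """Return the set of the four character classes that pw uses."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}


def repeat_pairs(pw):
    """Count adjacent equal characters; 'aaa' counts as two overlapping pairs (assumption)."""
    return sum(1 for a, b in zip(pw, pw[1:]) if a == b)


def name_parts(full_name):
    """Literal reading of the rule: 'James Q. Smithers' -> ['James', 'Q', 'Smithers']."""
    return [p for p in re.split(r"[^A-Za-z]+", full_name) if p]


def three_of_four_regex():
    """The 'at least 3 of 4 classes' rule as a single regex: one lookahead per class,
    one alternative per 3-combination of classes.  Four alternatives of three lookaheads
    each is about as far as the regex-only approach stays readable."""
    alts = ["".join(f"(?=.*{pat})" for pat in combo)
            for combo in itertools.combinations(CLASS_PATTERNS.values(), 3)]
    return re.compile("^(?:" + "|".join(alts) + ")", re.DOTALL)


def check_password(pw, username, full_name):
    """Return the list of rules pw violates (an empty list means the password is accepted)."""
    violations = []
    if len(pw) < MIN_LEN:
        violations.append(f"shorter than {MIN_LEN}")
    if len(pw) > MAX_LEN:
        violations.append(f"longer than {MAX_LEN}")
    if not pw[:1].isalpha():
        violations.append("leading character is not a letter")
    if sum(c.isalpha() for c in pw) > MAX_LETTERS:
        violations.append(f"more than {MAX_LETTERS} letters")
    if sum(c.isdigit() for c in pw) > MAX_DIGITS:
        violations.append(f"more than {MAX_DIGITS} digits")
    if len(character_classes(pw)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if repeat_pairs(pw) > MAX_REPEAT_PAIRS:
        violations.append(f"more than {MAX_REPEAT_PAIRS} pair of repeating characters")
    banned = sorted(set(pw) & FORBIDDEN_PUNCT)
    if banned:
        violations.append("forbidden punctuation: " + "".join(banned))
    lowered = pw.lower()
    if username.lower() in lowered:
        violations.append("contains username")
    for part in name_parts(full_name):
        if part.lower() in lowered:
            violations.append(f"contains part of full name: {part}")
    return violations


if __name__ == "__main__":
    # Constructed sample: James Q. Smithers' middle initial bans every 'q' under the literal reading.
    for candidate in ("Qwerty12", "Wombat42x", "aabbcc1234567"):
        print(candidate, check_password(candidate, "jsmith", "James Q. Smithers"))
```

Two things fall out of writing it down. The "at least 6" and "at least 8" rules collapse into the single stricter bound, so a checker only ever needs one of them; and the 12-character cap buys nothing on the storage side, since a salted password hash is the same fixed size whatever the input length, so its only effect is to shrink the space an attacker has to search.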

Re: Security by Post-It

2011-04-28 10:39 • by Staffan (unregistered)
With all those rules an attacker would have an easy task at hand.

Everything is so restricted that the password space should probably be reduced to something corresponding to 6 characters or so.

Re: Security by Post-It

2011-04-28 10:39 • by Mark (unregistered)
345609 in reply to 345600
Anon:
• be at least 6 characters long, contain 3/4 of uppercase,
lowercase, digits and punctuation marks, and may not
contain your user name or any part of your full name.


First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)

Then I realized it must mean contains 3 or 4 uppercase, 3 or 4 lowercase, 3 or 4 digits and 3 or 4 punctuation. Of course to follow that rule, your password must be at least 12 characters, so the "must be at least 6 characters" is redundant. Also the punctuation part is difficult when they've already explicitly forbidden several marks.



Or, more likely, they mean you must use at least 3 of the 4 character classes (uppercase, lowercase, digits, punctuation)

Re: Security by Post-It

2011-04-28 10:44 • by frits
We had a similar policy that was implemented at a former employer of mine. Actually, it was more asinine. The original policy mandated passwords be 7 characters long, but changed every 3 months. The CFO didn't like changing his password so often. A compromise was struck and users only had to change passwords every 3 months. However, all passwords must be at least 14 characters long. It all made sense, since 6/3 = 14/7...

The result, of course, was most users had their passwords written somewhere within 2 feet (61 cm.) of their computers. Our director of IT decided to have a crackdown and started threatening to make examples of people who wrote down their passwords. The IT director wasn't a total ogre, however, and actually had a pragmatic workaround: anyone who had trouble remembering the long passwords should just use their old 7 character password typed twice.

Re: Security by Post-It

2011-04-28 10:46 • by Lockwood
One of the hospitals around here had a complex password rule, with a "do not reuse passwords that were used before, for the last X amount of time" rule added in.

This caused a lot of post-it notes on monitors.

Re: Security by Post-It

2011-04-28 10:48 • by pdpi (unregistered)
345613 in reply to 345600
Upper, lower, digits, punctuation are 4 different classes of characters. your password must contain characters from 3 out of 4 classes.

Re: Security by Post-It

2011-04-28 10:49 • by Dazed (unregistered)
I don't think the problem is so much being able to remember your password as trying to find a valid one in the first place. I can see it now:

- (shout) "WTF can I use for a password?"
- (shout from another cubicle) "QWErty123$%^ seems to work*"
- everyone in the office now uses the same password.

* This is a hypothesis on my part, not a promise.

Re: Security by Post-It

2011-04-28 10:52 • by Jon H. (unregistered)
Article:
• have no more than 1 pair(s) of repeating characters!


We don't even have that luxury at work. You can't imagine how many passwords end up having a pair of repeating characters.

Plus, TRWTF is having a cap on password length. Is there a reason for that? Do longer password hashes take more space than normal ones?

Re: Security by Post-It

2011-04-28 10:53 • by boog
I think this might have been a former client of mine. I remember having to change my password and having some full-page list of crazy-ass requirements, some of which were redundant ("must be at least 8 characters" then further down the page "must be at least 6 characters").

I'm guessing the way they come up with this list is every time they hear of a potential risk or breach (such as passwords written on post-its) they get IT managers in a room to review the list to figure out what they're doing wrong, and what rule they can add to the list to quick-fix it.

Re: Security by Post-It

2011-04-28 10:55 • by pippin (unregistered)
have at least 8 character(s)

or
be at least 6 characters long

Not only is it absurd, but it's contradictory! (exclamation included to give my comment added umpfh ;)

Re: Security by Post-It

2011-04-28 10:56 • by boog
345618 in reply to 345600
Anon:
• be at least 6 characters long, contain 3/4 of uppercase,
lowercase, digits and punctuation marks, and may not
contain your user name or any part of your full name.

First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
12 quarters = 3 passwords.

That is a bit excessive.

Re: Security by Post-It

2011-04-28 10:58 • by trtrwtf (unregistered)
Speaking of such things, is there any real reason to suppose that changing passwords every N days increases security? Wouldn't it make more sense to just require a sufficiently complex and long password and leave it at that? I think just about anyone could memorize a truly random 14-character password if they had to type it every day, but if you have to change it once a month then you have to come up with algorithms for generating "unguessable" passwords. These include things like regular substitutions, which become well known (i.e., @ for a, 1 for i or l, and so forth), and the purpose is successfully defeated.

Re: Security by Post-It

2011-04-28 11:04 • by Pat (unregistered)
The real WTF is the validation code they'll use to enforce that policy...

Re: Security by Post-It

2011-04-28 11:04 • by boog
345623 in reply to 345615
Jon H.:
...TRWTF is having a cap on password length. Is there a reason for that? Do longer password hashes take more space than normal ones?
To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

In other words, the excuse for a cap on password length could just be outright laziness.

Re: Security by Post-It

2011-04-28 11:07 • by Spivonious (unregistered)
My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the hacker has access to my desk, he deserves access to my PC.

Re: Security by Post-It

2011-04-28 11:07 • by da Doctah
Still searching for that elusive tipping point where the rules become so stringent that the typical user will only be able to think of one or two passwords that the system will accept.

At which point you find that three quarters of your user population are using the same password.

Re: Security by Post-It

2011-04-28 11:08 • by trtrwtf (unregistered)
345626 in reply to 345624
Spivonious:
My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


FTFY

Re: Security by Post-It

2011-04-28 11:13 • by Kempeth (unregistered)
Hmm. Aside from that last requirement my password would work if I trimmed some characters off the end...

Is that good or bad?

Re: Security by Post-It

2011-04-28 11:15 • by Marvin the Martian (unregistered)
With this many restrictions, wouldn't it be easier to just circulate a whitelist of passwords that will pass the rules?

Re: Security by Post-It

2011-04-28 11:16 • by Justin (unregistered)
345630 in reply to 345626
trtrwtf:
Spivonious:
My company doesn't let you use any of the last five passwords. So I have a post-it in my drawer that has the last five passwords on it. I figure if the janitor has access to my desk, he deserves access to my PC.


FTFY


HA!

Re: Security by Post-It

2011-04-28 11:16 • by Dazed (unregistered)
345631 in reply to 345623
boog:
To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.

Re: Security by Post-It

2011-04-28 11:17 • by Justin Thought (unregistered)
345632 in reply to 345615
Jon H.:
Article:
• have no more than 1 pair(s) of repeating characters!


We don't even have that luxury at work. You can't imagine how many passwords end up having a pair of repeating characters.

Plus, TRWTF is having a cap on password length. Is there a reason for that? Do longer password hashes take more space than normal ones?

This whole article smells of a method of password verification by trial and error. In other words, you monitor passwords and determine which ones are not secure and then add a new rule to make that one illegal. This means that the IT department was monitoring people's passwords in plain text.

My second conjecture is that a regular expression was being used. The length between 8-12 characters was so that the regular expression would not get too big (the writer was not good at regular expressions, which is indicated by not allowing characters that are regex-special characters).

Re: Security by Post-It

2011-04-28 11:17 • by boog
345633 in reply to 345602
Anon:
Also, more rules stating what your password can't be = less entropy = less secure.
I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.

- your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
- your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
- your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
- your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

Oh yeah, I do see that last one happening somewhere in the next 10 years.

Re: Security by Post-It

2011-04-28 11:19 • by Anne (unregistered)
Worse than that, all these rules actually make the passwords less secure.

One of the rules I don't ever get is why you would restrict a password in length. A minimum number of characters I understand, but a maximum? Where's the reasoning behind that?

The same goes for "leading character must be a letter"? Why can't it be a number? Why are characters forbidden? You're actually reducing the number of possible passwords here.

Re: Security by Post-It

2011-04-28 11:20 • by The Corrector (unregistered)
345635 in reply to 345618
boog:
Anon:
• be at least 6 characters long, contain 3/4 of uppercase,
lowercase, digits and punctuation marks, and may not
contain your user name or any part of your full name.

First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
12 quarters = 3 passwords dollars.

That is a bit excessive.

Re: Security by Post-It

2011-04-28 11:22 • by The Corrector (unregistered)
345636 in reply to 345635
The Corrector:
boog:
Anon:
• be at least 6 characters long, contain 3/4 of uppercase,
lowercase, digits and punctuation marks, and may not
contain your user name or any part of your full name.

First I read this as my password must be three quarters uppercase, three quarters lowercase, three quarters digits and three quarters punctuation (that's 12 quarters for those keeping count)
12 quarters = 3 passwords dollars.

That is a bit excessive.

FTFY

FTFMS

Re: Security by Post-It

2011-04-28 11:22 • by trtrwtf (unregistered)
345637 in reply to 345633
boog:
Anon:
Also, more rules stating what your password can't be = less entropy = less secure.
I keep wondering when "security experts" (or whatever managers like to call themselves) will create that one password rule that really limits the password space.

- your password may not contain adjacent letters or adjacent numbers (they must alternate: S2t3u8p1d)
- your password may not contain letters/numbers from your username (I can't use b, o, g, B, O, or G)
- your password may not contain any consecutive letters/numbers (if you use C, you can't use B or D anywhere)
- your password must be selected from the list of security-expert-approved passwords, which you can find on the company website

Oh yeah, I do see that last one happening somewhere in the next 10 years.


Don't forget this one: your password can't contain any sequence of 3 adjacent letters on a qwerty keyboard. No asdf, no zxc.

Re: Security by Post-It

2011-04-28 11:23 • by Larry (unregistered)
TRWTF is the guy in charge of the CAPTCHAs making fun of other people's security methods.

Re: Security by Post-It

2011-04-28 11:24 • by TheCPUWizard
Ironic... I just compared passwords I use (from memory) for a number of secure systems, and over 90% of them met the requirements [1 out of 17 failed].

This is on various systems that do not have overly complex rules... guess it speaks volumes about my state of mind <eek!>

Re: Security by Post-It

2011-04-28 11:24 • by boog
345640 in reply to 345631
Dazed:
boog:
To answer your first question: longer passwords result in more calls to the helpdesk to reset passwords that users forgot or mistyped more than 3 times.

The limit of 3 attempts is a WTF itself. It was probably reasonable in the days when people had to remember one password of five or six characters. If you are going to enforce long passwords and make people change them as well, then you should allow 6 attempts at least.
Can't agree more that locking accounts after 3 failed attempts is a WTF. I've been saying it for years, but my bank still won't listen to me.

I've heard a great alternative to locking passwords after the "maximum attempts" is to put delays on that account. After n failed attempts, the next n tries each take 10 seconds to submit, then the next n tries each take 30 seconds to submit, after that it takes 1 minute to submit every time.

Brute force attacks take a lot longer to search the password space, making them virtually useless.
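
The escalating-delay scheme boog describes can be written down in a few dozen lines. What follows is an added example for this thread, not boog's code or anything from the site; it takes n = 3 (the "3 failed attempts" figure used elsewhere in the thread) and the 10 s / 30 s / 60 s bands from the comment above. The stall is enforced before the credential is evaluated, so an attempt that arrives early is refused without the password even being looked at. The `ManualClock` is there only so the behaviour can be exercised without sleeping:

```python
import time

DELAY_BANDS = (10.0, 30.0)   # seconds per attempt for the 2nd and 3rd bands of n attempts
FINAL_DELAY = 60.0           # seconds per attempt for everything after the 3rd band


def delay_for_failures(failures, n=3):
    """Seconds the next attempt must wait, given `failures` consecutive failures so far:
    the first n attempts are free, the next n cost 10 s each, the next n 30 s each,
    and every attempt after that 60 s."""
    if failures < n:
        return 0.0
    band = (failures - n) // n          # 0 -> 10 s, 1 -> 30 s, 2 and up -> 60 s
    return DELAY_BANDS[band] if band < len(DELAY_BANDS) else FINAL_DELAY


def brute_force_seconds(guesses, n=3):
    """Minimum wall-clock time an attacker needs for `guesses` consecutive wrong
    guesses against a single account under this policy."""
    return sum(delay_for_failures(i, n) for i in range(guesses))


class ManualClock:
    """Injectable clock so the throttle can be driven deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class AccountThrottle:
    """Per-account throttle: remembers consecutive failures and the earliest time at
    which the next attempt for that account will be evaluated at all."""

    def __init__(self, n=3, clock=time.monotonic):
        self.n = n
        self.clock = clock
        self.failures = {}     # account -> consecutive failures
        self.not_before = {}   # account -> clock time before which attempts are refused

    def attempt(self, account, verify):
        """`verify` is a zero-argument callable that performs the real credential check.
        It is only invoked once the stall for this account has elapsed.
        Returns (status, seconds_to_wait)."""
        now = self.clock()
        earliest = self.not_before.get(account, 0.0)
        if now < earliest:
            return "too_early", earliest - now        # credential not even examined
        if verify():
            self.failures.pop(account, None)           # success resets the account
            self.not_before.pop(account, None)
            return "ok", 0.0
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        wait = delay_for_failures(count, self.n)
        self.not_before[account] = now + wait
        return "rejected", wait


def demo():
    """Scripted sequence against a constructed account: three wrong guesses, one guess
    that arrives too early, then a correct guess once the 10 s stall has passed."""
    clock = ManualClock()
    throttle = AccountThrottle(n=3, clock=clock)
    wrong = lambda: False
    right = lambda: True
    results = [throttle.attempt("alice", wrong) for _ in range(3)]
    results.append(throttle.attempt("alice", wrong))   # still inside the 10 s stall
    clock.advance(10)
    results.append(throttle.attempt("alice", right))   # stall elapsed, check runs, succeeds
    return results


if __name__ == "__main__":
    for status, wait in demo():
        print(f"{status:10s} wait={wait:.0f}s")
    print("20 wrong guesses cost at least", brute_force_seconds(20), "seconds")
```

Twenty wrong guesses at one account already cost 780 seconds of wall clock, and every guess beyond that another minute, which is what makes an online search of the space impractical without ever locking the real owner out for good. The caveat to keep in mind is that a purely per-account stall is itself something anyone who knows a username can trigger against its owner, so in practice it is paired with per-source limits and with logging of the accounts and sources that keep hitting the 60 s band.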

Re: Security by Post-It

2011-04-28 11:28 • by William (unregistered)
345641 in reply to 345595
Bill:
This is the problem with creating really stringent password rules: people can't remember them and write them down in tremendously insecure ways.

Rule of security vs. usability

secure <------------------------------------------> usable

You can't have both: as you get more secure it gets less usable, and as you get more usable (think Microsoft adding scripting to email) you get less secure.


You're contradicting yourself here. Think about it. If you increase the security requirements in such a way as to reduce the usability of the system, you're actually *decreasing* the *actual security* of the system, because users respond to the lack of usability with tremendously insecure work-arounds to the dysfunctional system.

The best security is also very usable. Two factor authentication is quite easy to use when done well. Swipe your smart card, run the fingerprint scanner, etc. and also type in your passphrase with no limits other than a minimum 10 characters, full sentences encouraged.