• (cs)

    I once ran across a Linux system on which PAM had been configured for extra password security. Well, actually, that was what the previous admin tried to do, but he botched it up in such a way that the PAM stack would always succeed, so the net result was that no matter what password you typed, you were authenticated as the user you claimed to be.

    I'm pretty sure it wasn't deliberate, because:

    1. the guy who did it already knew the actual root password
    2. he had console access to it in the datacenter
    3. he made egregious numbers of typos even on a good day, such that at least once a day or so somebody would have to reset a password for him due to hard lockouts.
  • (cs)

    So actually this thing made me think a bit about why the policy in place here is bad.

    Coming up with the reason was actually rather harder than I expected, for the following reason. The concatenation of username+password is your authentication token. You can think of that concatenation as just a password, where part of your password is public knowledge. So if you say "this system is based on your password only", then all you're doing is taking the username+password combination and making something that was public knowledge into private knowledge. How can that make things less secure?

    And when you phrase it like that, the primary answer becomes clear: it's that the users weren't told about it. Thus they couldn't compensate by choosing a better password.

    The secondary answer is that a much better password becomes important. Under the username+password scheme, if the attacker picks a random string, that string can match only one specific user, which means that if the passwords are properly salted, the attacker can only test the password of 1 user at a time. Under the password-only scheme, the random string can match any user; if there are n users, that means you need an additional log n bits of entropy for the same overall strength.

    Further, if users aren't picking passwords randomly, the situation becomes even worse. For m people who aren't good at choosing strong passwords, a birthday paradox-type problem arises: if any two people pick the same password, one of them finds out and can break into the other's account. Under the username+password scheme, the username prefix prevents this situation from arising.

    Finally, it was possible for the submitter to accidentally break into another account, even though he wasn't trying to be an attacker, because he didn't know to choose a stronger password.

    So the summary is that a password-only system is not inherently less secure, but it requires its users to take that information into account when creating their password. And, of course, the users can't do that if they aren't informed.
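    As an added illustration of the argument in the post above (not code from the thread or the article): a small Python model of the log n extra bits, the birthday collision bound, and the salted-hash point that a guess against a password-only store has to be checked against every user's salt. The user names and passwords are constructed sample data.

    ```python
    import hashlib
    import hmac
    import math
    import os

    def extra_bits_for_password_only(n_users: int) -> float:
        """Extra entropy a password-only scheme needs for the same per-guess odds: log2(n)."""
        return math.log2(n_users)

    def single_guess_success(password_bits: float, n_users: int, password_only: bool) -> float:
        """Probability that one random guess logs in somewhere (uniform random passwords assumed)."""
        per_user = 2.0 ** -password_bits
        if not password_only:
            return per_user                           # guess carries a username: one target only
        return 1.0 - (1.0 - per_user) ** n_users      # guess is compared with every user

    def collision_probability(m_users: int, password_bits: float) -> float:
        """Birthday bound: P(at least two of m users chose the same password)."""
        space = 2.0 ** password_bits
        p_distinct = 1.0
        for i in range(m_users):
            p_distinct *= 1.0 - i / space
        return 1.0 - p_distinct

    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

    # Constructed sample users; two of them happen to share a password.
    SAMPLE_USERS = {"alice": "Boys2Men!", "bob": "Boys2Men!", "carol": "correct horse"}

    def build_db(users: dict) -> dict:
        """{name: password} -> {name: (salt, hash)} with a fresh salt per user."""
        db = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            db[name] = (salt, _hash(pw, salt))
        return db

    def accounts_opened_by(db: dict, guess: str, username: str | None = None) -> list:
        """Username+password: only the named account can open, and only if it matches.
        Password-only: the guess is rehashed under every salt, so every matching account opens."""
        targets = [username] if username else list(db)
        opened = []
        for name in targets:
            salt, digest = db[name]
            if hmac.compare_digest(_hash(guess, salt), digest):
                opened.append(name)
        return opened

    if __name__ == "__main__":
        print(accounts_opened_by(build_db(SAMPLE_USERS), "Boys2Men!"))  # both colliding users
    ```
    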

  • (cs) in reply to Frenchie
    Frenchie:
    OK, I call fake (or misguided embellishment) on this story based on the fact that I don't believe “two mixed-case passwords with numbers and special characters” could have collided with the password string chosen by another user. Such coincidences just don't happen.

    Good to know my Boys2Men password is safe

  • Antonio (unregistered)

    “I guess you could call it fake one-factor authentication? Or half-factor authentication?”

    I think it looks more like identification without authentication.

  • Naresh Kookaburra (unregistered) in reply to Nagesh
    Nagesh:
    hoodaticus:
    Nagesh:
    hoodaticus:
    Am I the only one who gets frothing mad that incompetents like this have taken jobs I could have had? Because that knowledge drove me fucking nuts when I was unemployed.

    And what was the exact cause of unemployment?

    I was both a lowly employee and a contractor for the board of directors with fiduciary duties to them. My boss asked me to withhold information from the board, which I could not ethically do. So I quit. That same day.

    Best decision I ever made.

    You're a person with ethics. That's good and bad.

    In India, the only ethic is work ethic. That's good and bad.

  • oheso (unregistered) in reply to keith
    keith:
    Sure, you could smash them together, then you would have to require a password that is x + y characters long, where the first x characters are unique for each user. But good luck explaining that to your average user.

    Allow me to introduce you to powerschool.

  • syockit (unregistered) in reply to Nagesh
    Nagesh:
    Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one-factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.
    You know what, you should consider using Wikipedia or some other references that tell you the English equivalent of the magic words. It is "Open Sesame", from Alibaba and the 40 thieves.
    Nagesh:
    Vibration of wind is powerful magic best left to those with advanced witchcraft and sorcery knowhow.
    Say what? Witchcraft/Sorcery is heresy! Death to all witches and sorcerers!

    Homu-homu is my waifu.

  • (cs) in reply to Bryan the K
    Bryan the K:
    Who's password was god?
    No, what's password was god. Who's on first.
  • (cs) in reply to Gunslinger
    Gunslinger:
    Matt Westwood:
    neminem:
    somedude:
    Greg:
    Not quite. 2 can be separated from you, 3 cannot.

    Wanna bet? (grabs his hatchet)

    Don't even necessarily need to resort to such violent methods; as spy shows have shown repeatedly, in many different ways, all you need is a sufficiently similar replica. As Michael Westen once pointed out, "Nobody wipes off a fingerprint scanner after they use it, so what's left on the scanner, nine times out of ten, is a fingerprint." Just stick the fingerprint on something else, reuse it, bang. Fingerprint, separated from the guy's finger without having to actually... separate the guy's finger.

    Does this work for those scanners where you swipe your finger over a narrow (1mm) glass window? Doubt it.

    No, it doesn't, because those use electrical conductivity to scan the fingerprint.

    So you just need to transfer the print into bas-relief on a base made of some substance that has a modicum of dielectric coefficient. Such as a gummi bear, for example.
  • (cs) in reply to Master and Commander of the Troll Amry
    Master and Commander of the Troll Amry:
    the guy behind you:
    Jack:
    Did you try hunter2?

    Why would anyone use ******* as their password?

    You idiot, you didn't do that right at all.

    Yes he did. It just *looks* like "hunter2" to you because he typed "*******"...
  • (cs) in reply to syockit
    syockit:
    Nagesh:
    Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one-factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.
    You know what, you should consider using Wikipedia or some other references that tell you the English equivalent of the magic words. It is "Open Sesame", from Alibaba and the 40 thieves.
    You know what? /You/ should JFGI.

    Always assuming, that is, that Nagesh's explicit mention of Ali Baba and the forty thieves wasn't enough of a clue for you to infer what he might be talking about in the context of a magic pass phrase that opens a door. Seemed blindingly obvious to me but I guess YMMV.

  • (cs) in reply to Jeb
    Jeb:
    1. Something you know (PIN number, password)
    2. Something you have (RSA token, smart card)
    3. Something you are (fingerprint, voiceprint, etc.)

    To be two-factor, you must use two of those factors (funny, that).

    FTFY

  • JD (unregistered) in reply to SQLDave
    SQLDave:
    Jeb:
    1. Something you know (PIN number, password)
    2. Something you have (RSA token, smart card)
    3. Something you are (fingerprint, voiceprint, etc.)

    To be two-factor, you must use two of those factors (funny, that).

    FTFY

    So, err, personal identification number number?

    Btw, the other advantage of having a separate username/password is that you can tell that someone is trying to log in as a particular user and can enforce rules like locking out after three failed attempts. Can't do that if you've only got a password. If you're using a two part password where the first part is public knowledge and acts as a username, it's functionally equivalent to a username password system, so what's the point? You only have to provide a single login box?

  • (cs) in reply to JD
    JD:
    SQLDave:
    Jeb:
    1. Something you know (PIN number, password)
    2. Something you have (RSA token, smart card)
    3. Something you are (fingerprint, voiceprint, etc.)

    To be two-factor, you must use two of those factors (funny, that).

    FTFY

    So, err, personal identification number number?

    Btw, the other advantage of having a separate username/password is that you can tell that someone is trying to log in as a particular user and can enforce rules like locking out after three failed attempts.

    I'm not sure I buy this argument, with the caveats I discussed in my post above.

    Why? If you keep track of the three attempts on a per-user basis, the attacker can just move on to a different user and get a fresh start. If you track failed logins on a, say, per-IP basis, then you could do that on a password-only system as well.

    The only reason that the attacker couldn't just move on (that I can think of and that doesn't also apply to the password-only system) is if the attacker is specifically targeting one account (say, 'admin'); but that's something that you can't even do in the first place with password-only.

    (I'm not trying to justify password-only here, just acting as a bit of a devil's advocate.)

  • (cs) in reply to syockit
    syockit:
    Nagesh:
    Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one-factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.
    You know what, you should consider using Wikipedia or some other references that tell you the English equivalent of the magic words. It is "Open Sesame", from Alibaba and the 40 thieves.
    Nagesh:
    Vibration of wind is powerful magic best left to those with advanced witchcraft and sorcery knowhow.
    Say what? Witchcraft/Sorcery is heresy! Death to all witches and sorcerers!

    Homu-homu is my waifu.

    And whose sockpuppet are you, dear boy?

  • Naresh Kookaburra (unregistered) in reply to Nagesh
    Nagesh:
    syockit:
    Nagesh:
    Simplified system based on Alibaba and Chalis Chor (40 thieves) for other people out here. The cave had just one-factor authentication. All you had to say is "Khul ja sim-sim" and the door would open. The best part of that door was it did not matter whose voice said the magic words.
    You know what, you should consider using Wikipedia or some other references that tell you the English equivalent of the magic words. It is "Open Sesame", from Alibaba and the 40 thieves.
    Nagesh:
    Vibration of wind is powerful magic best left to those with advanced witchcraft and sorcery knowhow.
    Say what? Witchcraft/Sorcery is heresy! Death to all witches and sorcerers!

    Homu-homu is my waifu.

    And whose sockpuppet are you, dear boy?

    Obviously not yours. This one has brains.

  • helpfulcorn (unregistered)

    I'm surprised no one has made a reference to the fact that in WarGames all of the government machines (and the school) had only passwords to enter, no usernames.

  • (cs) in reply to Naresh Kookaburra
    Naresh Kookaburra:
    Nagesh:

    And whose sockpuppet are you, dear boy?

    Obviously not yours. This one has brains.

    Brains get you nowhere. Let me give an example. In India, first class students become doctors and engineers. Second class students become administrators and control first class students. Third class students become "Bhai" and "underworld" and control second class. But the best part is that failures are controlling the entire country.

    That state of affairs will not change till ppl with brains like you stop escaping to the USA and work for the country.

  • Paul Hogan (unregistered) in reply to Nagesh
    Nagesh:
    Naresh Kookaburra:
    Nagesh:

    And whose sockpuppet are you, dear boy?

    Obviously not yours. This one has brains.

    Brains get you nowhere. Let me give an example. In India, first class students become doctors and engineers. Second class students become administrators and control first class students. Third class students become "Bhai" and "underworld" and control second class. But the best part is that failures are controlling the entire country.

    That state of affairs will not change till ppl with brains like you stop escaping to the USA and work for the country.

    Kookaburra is a fine Hindi surname, isn't it? Do you have gum trees in South Asia as well?

  • (cs) in reply to Paul Hogan
    Paul Hogan:

    Kookaburra is a fine Hindi surname, isn't it? Do you have gum trees in South Asia as well?

    What are gum trees? We have rubber trees in Kerala, the most beautiful place in the entire world. You make a cut in the rubber tree, collect the juice and then produce rubber. Lots of people in Kerala engage in the rubber business.

  • troll (unregistered) in reply to Ernold

    you spelled 'first' wrong moron, try harder...

  • troll (unregistered) in reply to Ernold
    Ernold:
    This frist comment was not created. Please frist a different one.

    you spelled 'frist' wrong moron... try harder...

  • Dave (unregistered)

    This type of "authentication" is one of the most widely-used in the world. Chances are you've used it today, or at least within the last few days. It's called a credit card number.

  • poutines (unregistered) in reply to troll
    bad troll:
    Ernold:
    This frist comment was not created. Please frist a different one.

    you spelled 'frist' wrong moron... try harder...

    You spelt moran wrong. Stop trying so hard.

  • (cs) in reply to Dave
    Dave:
    This type of "authentication" is one of the most widely-used in the world. Chance are you've used it today, or at least within the last few days. It's called a credit card number.

    WTF? Credit card number has a rotating LCD display PIN on the back of the card. The PIN changes every 24 hours. What backwater country are you posting from?

  • Kittens (unregistered)

    Where did you work... ? <smirk>

  • AdT (unregistered) in reply to KilroySmith
    KilroySmith:
    We haven't been willing to test the "chop off a finger and use it to bypass security" theory yet, but we're looking for volunteers to help us out.

    Don't bother. It's been tested before.

    And as for the fingerprint scanners on notebooks, you'll find dozens of the owner's fingerprints all over the device. People who think biometrics solve all of their security problems have seen too many Bond movies.


Leave a comment on “The Phantom Password”
