The previous post looked at man-made physical threats.
We now get to what I consider the greatest threat to computer security: the Yellow Sticky of Doom!
Passwords written down on yellow sticky notes. These are everywhere.
What is the difference between a secure facility and an insecure facility? In an insecure facility the yellow sticky notes are stuck to monitors. In a secure facility the yellow sticky notes are stuck to the bottom of the keyboard. In really secure facilities they are in desk drawers – and maybe even locked up!
The solution is obvious: ban people from writing down their passwords!
Except that this won’t work. Full stop. Period. Won’t. Work.
Why? Because passwords are crap for security.
Passwords that are difficult to guess or to crack with a brute force attack are impossible for people to remember – look at the ones in the yellow sticky above! All of these passwords were produced by a password generator with a high security setting. Anyone who can remember one of these passwords scares me!
Consider the usual guidelines for producing a secure password: 12-16 characters, no dictionary words, a combination of upper case, lower case, numbers, and punctuation. And changed every 1-6 months.
Human brains don’t work this way.
Correct Horse Battery Staple
If you want people to actually remember passwords, consider the way the human brain works. Look at XKCD on Password Strength: this is an example of a password that a human can remember. It builds on the way the mind and memory work, through chunking, context, and pattern recognition. Correct Horse Battery Staple has become an Internet meme – a code term referencing a way to make passwords somewhat work.
But, can your system handle it? Do you allow passwords this long? Do you allow spaces in passwords?
And look at your policies. If a person can remember a word, it is in a dictionary! The only thing a “no dictionary words” policy does is guarantee that passwords will be written down.
At a minimum, encourage pass phrases rather than classical passwords.
If you actually care about security, implement multi-factor authentication – a combination of what you know, what you have, and what you are.
Traditional passwords serve only one purpose – to allow you to blame innocent users for your mistakes. They are no longer an effective security or authentication mechanism. Forget trying to stop people from writing them down and get serious about security.
Get rid of the Yellow Sticky of Doom by making it obsolete!
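As an added illustration (my example, not code from the original post), the Python below puts numbers on the argument above: it scores a generator-made password and a word-list pass phrase by search space, and shows how the classic “12-16 characters, all four classes, no spaces, no dictionary words” rule rejects the memorable phrase outright. The 2048-word list size, the 95-character printable ASCII alphabet and the tiny dictionary set are assumptions chosen for the example.

```python
import math
import re

# Assumptions for this example (not figures from the post): a 2048-word list,
# the 95 printable ASCII characters for generator-made passwords, and a small
# constructed dictionary standing in for a real "no dictionary words" list.
WORDLIST_SIZE = 2048
PRINTABLE_ASCII = 95
DICTIONARY = {"correct", "horse", "battery", "staple", "password", "summer"}


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a generator-made password: every position is uniform."""
    return length * math.log2(alphabet_size)


def passphrase_bits(phrase, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits when each space-separated word is drawn uniformly from the list.

    A deterministic tweak an attacker can enumerate (Num Lock, o->0) adds no
    word-choice entropy, so only the number of words counts here.
    """
    return len(phrase.split()) * math.log2(wordlist_size)


def words_to_match(length, alphabet_size=PRINTABLE_ASCII, wordlist_size=WORDLIST_SIZE):
    """How many list words a pass phrase needs to match a random password of this length."""
    return math.ceil(random_password_bits(length, alphabet_size) / math.log2(wordlist_size))


def classic_policy_accepts(pw):
    """The guidelines the post criticises: 12-16 chars, four character classes,
    no spaces, and no dictionary words anywhere in the password."""
    if not 12 <= len(pw) <= 16 or " " in pw:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, pw) for pattern in classes):
        return False
    runs = re.findall(r"[a-z]+", pw.lower())
    return not any(run in DICTIONARY for run in runs)


if __name__ == "__main__":
    phrase = "correct horse battery staple"
    print(f"{phrase!r}: {passphrase_bits(phrase):.1f} bits, "
          f"classic policy accepts: {classic_policy_accepts(phrase)}")
    print(f"12 random printable chars: {random_password_bits(12):.1f} bits")
    print(f"words needed to match 12 random chars: {words_to_match(12)}")
```

The phrase that a human can remember fails every clause of the classic policy, while a comparison of bits shows what a longer phrase buys you in search space.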
I’d like to make an addition here: http://sgallagh.wordpress.com/2013/01/14/we-are-not-who-we-are/
Minor nitpick from a foreigner here. The only thing a “no dictionary words” policy does in non-English-speaking countries is guarantee that passwords will be chosen from words not in your default English dictionary. Which is just as bad.
This is a really good point – thanks for bringing it up.
One recommendation I found for a Linux distribution included the recommendation “Do Not Use Words in Foreign Languages — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is of little use.” Ummm, yeah, right…
And, of course, passwords typically don’t allow Unicode.
I’ve enhanced the “correct battery horse staple” technique by using Num Lock in a laptop. “correct battery horse staple” becomes “c6rrect battery h6rse sta*3e”, an even worse nightmare for brute force crackers. You can use words having more letters around the “numbers” in your Num Lock section, for best effect.
Ernesto, you raise an interesting point that I would like to build on:
From the perspective of a brute force approach both “correct battery horse staple” and “c6rrect battery h6rse sta*3e” have the same entropy. The real question is what simplifications can be made to reduce the search space.
A common approach is to use rainbow tables to precompute password hashes and then do a lookup. If we assume a pass phrase of 3-8 dictionary words all in lower case, we can build a “reasonably small” rainbow table – especially if we use common words. Using the Num Lock transformation would double the size of the rainbow table. This still isn’t too bad, especially if you are searching starting with popular words.
You have suggested a useful approach (as long as you don’t use a regular keyboard!). Since the bad guys are, unfortunately, rather bright, it doesn’t give quite the protection it appears to at first glance.
Other useful ways to increase entropy with pass phrases include using punctuation – the occasional apostrophe, dash, comma or period, as well as mixed case, significantly strengthen a pass phrase. Assuming, of course, your system allows you to use them in a password…
In any case, you have a useful suggestion – thanks!