Dear Linkedin,

I have accounts at probably 100's of sites. Am I to understand
that I am supposed to remember each one of them and dutifully
update them every month or two?

Yes; of course if most of those accounts are moribund and unused then you
don't need to change them so often, but the passwords you use frequently
should be changed at regular intervals.

It's pretty commonsensical once the threat is understood.

Does anybody have a good URL explaining that idea? It's been kicking around
for many years. I've never seen a convincing writeup.

Does your bank request/require that you change the PIN on your ATM card every
few months?

Security is a tradeoff. I think there are two cases for passwords. I'll
call them important and junk. I'm willing to store the junk ones in a file
or piece of paper that I'm careful with. I have to memorize the important
ones.

I'm only smart enough to memorize a few good passwords. If I change them
every few months, they will be less good, or fewer of them.

> Does anybody have a good URL explaining that idea? It's been kicking around
> for many years. I've never seen a convincing writeup.

I've tried to do that in another mail - it's in the realms of philosophy more than strategy; like if you're a really security-aware person and take great care you can probably stretch the useful life of a password out to _years_ - but how typical are *you* in that instance?

> Does your bank request/require that you change the PIN on your ATM card every
> few months?

ATM cards are not passwords, they are a coarse form of two-factor authentication - You have the card, you have the PIN.

You have to possess both in order to transact - at least in theory.

Compare that with the secrecy surrounding the CVV - the "last three digits on the number on the back of the card" which you are "not meant to tell anyone" and which _will_ be different if your card is lost/stolen and reissued.

Now _that_ is a password.

> Security is a tradeoff. I think there are two cases for passwords. I'll
> call them important and junk. I'm willing to store the junk ones in a file
> or piece of paper that I'm careful with. I have to memorize the important
> ones.

You know, that's not bad. I am pro-paper for long passwords. I am even-more pro "password safes".

> I'm only smart enough to memorize a few good passwords. If I change them
> every few months, they will be less good, or fewer of them.

It's harder as we get old. Use technology to aid with the heavy lifting. :)

  -a

Gene Spafford did a nice analysis of the *contrary* a while ago, that changing
and expiring passwords is essentially useless against the current threat model
(he was writing about mandatory changes, but all the arguments hold up just
fine for "should be changed" as well):

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.cerias.purdue.edu/site/blog/post/passwords-and-myth/

Well, my personal approach to this -- one which I'm well aware is disparaged
by Security Professionals -- is tiered passwords.

I have one password for 'throwaway' accounts -- drive-forum postings and
the like, another password for slightly more important accounts -- forums
in which I participate regularly and the like, a third password for actual
machine accounts, VPNs and similar things like equipment control panels, and
finally a tier for accounts that people can actually change my life or spend
my money; things like eBay, PayPal, etc -- on this tier, each password is
actually distinct.

Finally, there's a top-emergency fallback password, which I use for password
safes, which is -- as nearly as I can determine, unresearchable, even if I
told you its description.

All of these passwords are rule/pattern constructed, using either The XKCD
Rule, or one of a couple of my own construction, and each individual password
is infixed after what it applies to, so as to make the actual final passwords
*never be the same string of characters*, the infix going in a nondeterministic
place in the string.

This puts enough bits of entropy into the passwords to make them relatively
strong -- sites with strength checkers on password set tend to like them a
lot -- while keeping them all unique so they can't be cross referenced... and
making them complex enough that they cannot be dictionary cracked either.

I am, of course, a special case; I've been a system administrator for 30
years; this is my business -- I am willing to put the necessary energy into
it as part of my work. I realize that lots of people (where, by lots, I
mean several billion) aren't -- either because they don't understand why
it's important, or because they don't care, or because "it's someone else's
fault when $3800 gets taken out of my bank account cause I'm a careless
slob".

TL;DR: Everyone, admin, user, or civilian, has to make their own decisions
about how much work they want to put into security -- and *we* have to
find ways to explain the choices so that Joe Q. Sixpack can understand
*why it's important to him to think about it*. That's a sales pitch;
engineers are *singularly* unsuited to it, in general.

Cheers,
-- jra

> > Does anybody have a good URL explaining that idea? It's been
> > kicking around for many years. I've never seen a convincing
> > writeup.
>
> I've tried to do that in another mail - it's in the realms of
> philosophy more than strategy; like if you're a really security-aware
> person and take great care you can probably stretch the useful life
> of a password out to _years_ - but how typical are *you* in that
> instance?

I have a slide in a presentation I give about once a year that goes
something like:

How good does a password/phrase have to be in order to
protect against brute-force or dictionary attacks against the
password itself?
● Entropy in language.
– A typical english sentence has 1.2 bits of entropy per
character, you need 107 characters to get a statistically
random md5 hash.
– Using totally random english characters you need 28
characters.
– Using a random distribution of all 95 printable ascii
characters you need 20 characters.
● Observation, good passwords are hard to come by.

I don't disagree, except regarding dictionary attacks. If the attack isn't random then math based on random events doesn't apply. In the case of a purely dictionary attack if you choose a non-dictionary word and you are 100.000% safe. :)

John

    John Souvestre - New Orleans LA - (504) 454-0899

> > How good does a password/phrase have to be in order to protect
> > against brute-force or dictionary attacks against the password
> > itself?
> > ● Entropy in language.
> > – A typical english sentence has 1.2 bits of entropy per character,
> >   you need 107 characters to get a statistically random md5 hash.
> > – Using totally random english characters you need 28 characters.
> > – Using a random distribution of all 95 printable ascii characters
> >   you need 20 characters.
> > ● Observation, good passwords are hard to come by.
>
> I don't disagree, except regarding dictionary attacks. If the attack
> isn't random then math based on random events doesn't apply. In the
> case of a purely dictionary attack if you choose a non-dictionary
> word and you are 100.000% safe. :)

the search space for 6 8 10 character passwords is entirely too small...
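
The arithmetic behind the slide quoted above and the remark about 6, 8 and 10 character passwords, worked through as an added example that is not part of the original thread. The 1.2 bits per character figure is the slide's; the guess rate is an assumed number chosen only to give the search spaces a time scale.

```python
import math

MD5_BITS = 128       # output size of an MD5 hash, the target used on the slide
ASSUMED_RATE = 1e9   # assumption: guesses per second against a fast unsalted hash


def bits_uniform(alphabet_size, length=1):
    """Entropy in bits of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def chars_needed(bits_per_char, target_bits=MD5_BITS):
    """Smallest length whose total entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_char)


def slide_lengths():
    """Reproduce the three lengths quoted on the slide."""
    return {
        "english_sentence": chars_needed(1.2),               # slide's estimate
        "random_letters": chars_needed(bits_uniform(26)),    # a-z, uniform
        "random_printable": chars_needed(bits_uniform(95)),  # printable ASCII
    }


def short_password_table(rate=ASSUMED_RATE):
    """(length, bits, seconds to enumerate) for random printable passwords."""
    rows = []
    for n in (6, 8, 10):
        seconds = 95 ** n / rate   # worst case: every candidate is tried
        rows.append((n, round(bits_uniform(95, n), 1), seconds))
    return rows


if __name__ == "__main__":
    for name, length in slide_lengths().items():
        print(f"{name:18s} {length:4d} characters for {MD5_BITS} bits")
    for n, bits, seconds in short_password_table():
        print(f"{n:2d} chars: {bits:5.1f} bits, "
              f"{seconds / 86400:14.2f} days at {ASSUMED_RATE:.0e} guesses/s")
```

These figures assume every character is chosen uniformly at random; a human-chosen password of the same length has less entropy and falls sooner to a dictionary or rule-based attack.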

Saw this over on Full-Disclosure. I'd love to know what inspired the HashCat software
to *try* those 2 40-character passwords that broke...