Malta Info Security - Passwords

Microsoft Turns To Inkblots For Password Generation

nospam@example.com (Donald Tabone) — Thu, 06 Dec 2007 09:39:29 -0700

Microsoft thinks the fact that no two people look at an inkblot the same way can be used to help generate more secure computer passwords.

The company has set up a Web site that shows users a series of Rorschach-style inkblots -- of the sort used in psychological profiling -- and then asks them to write down the first and last letters of each word they associate with the pictures.

Ultimately, the users are asked to combine the letters into a password.

Microsoft hopes the approach will help overcome a major flaw inherent in systems that ask users to make up their own passwords: those that are difficult to crack are hard to remember, and those that are easy to remember are also easy for hackers to guess. "A century of psychological literature indicates that inkblot associations are intimately personal, and our own user studies verify that users almost always describe the same inkblots quite differently," Microsoft researchers note on the project's Web site -- inkblotpassword.com.

The image associations are not only unique to the user, they're also "hard to forget," the researchers said. "After typing her password several times, a user develops 'muscle memory' and can log in quickly without referring to the inkblot images," they said.

Given that many Internet users employ the same password to gain access to dozens of Web sites, for everything from banking and shopping to socializing, it's more important than ever that they create passwords that are at once highly secure and easy to remember.

"Nothing prevents a user from learning a strong password on inkblotpassword.com and then reusing it at other sites," Microsoft's researchers said.

Microsoft said it may develop a commercial version of the system, but for now it's free to try online. The company advises would-be users that it's collecting and storing the word associations they come up with for research purposes, but says the data is made anonymous and isn't linked to individuals.

Read on...

Continue reading "Microsoft Turns To Inkblots For Password Generation"

Leaked passwords and password policies that fail

nospam@example.com (Sandro Gauci) — Tue, 13 Nov 2007 12:21:33 -0700

Around 45000 MySpace passwords were leaked on the net recently. While it might seem like leaking such passwords is a major security threat, these passwords were already collected by phishing sites and possibly abused by the wrong people. The good thing is that this gives security folks a chance to see how effective or ineffective password policies can be.

The people behind the-interweb.com published an article called A brief analysis of 40,000 leaked MySpace passwords. What is interesting is that MySpace apply a password policy which says that you have to use at least a non-alphabetic character in the password. So from the analysis we get the top 10 passwords - top password being "password1". What we learnt (or already knew):

Half the passwords start with a dictionary word and have at least one digit/non-alphanumeric after that
The most popular suffix after an alphabetic password is obviously "1", followed by "2" and then "123"
The most popular prefix after an alphabetic password is "1", followed by "123" and then "2"
Most popular password when the non-alphabetic characters are stripped off is "password", followed by "iloveyou" and "love".

How does this help us make better security decisions?

A lot of security is based on passwords nowadays, despite being the most abused form of security (or I would argue - lack of). By applying security policies, a password attack will change a little but not much. The chosen passwords in most cases are still the same: "password", "love", and so on, but with an additional character (usually "1") at the end. This means that such passwords are still pretty guessable and can be guessed via a wordlist attack.

So how does the systems administrator make an educated security password policy?

In my opinion, one has to keep in mind the following before setting a password complexity policy:

Password age
Number of attempts before account lockout
What kind of passwords are going to be common with a given password complexity policy

The longer the password age, more at ease end users will be at choosing complex and unique passwords. A shorter password age will make end users think twice before choosing a password that they have to remember for 2 weeks only until the system starts nagging them to change their password again!

Say users are required to include 1 non-alphabetic character in their password, and the account lockout is after 10 attempts. That gives an attacker a high chance of finding users on the system who started their password with the word "password" and included a numeric digit at the end. If, on the other hand, end users are required to use 2 non-alphabetic characters, then that decreases the chance of a password.

Having a blacklist of known common passwords for the specific password complexity policy might be an idea to limit usage of common passwords.

Why Passwords do not live up to Today's Needs

nospam@example.com (Sandro Gauci) — Mon, 26 Feb 2007 09:42:00 -0700

aka Why Passwords Suck

I'm planning on writing a few articles about passwords - the most basic of all security tools. Starting with this essay, I'll describe what makes passwords such an issue and briefly outline a few solutions to the problem. In the subsequent posts, I'll be going more into detail on how (I believe) to best avoid passwords or at least go around the challenges that they present.

Continue reading "Why Passwords do not live up to Today's Needs"