Sigh.

Category: Uncategorized. Tags: security, cybersecurity, infosec.
23 Posts, 7 Posters
#1 argv_minus_one@mastodon.sdf.org wrote:

Sigh.

Just got told by a company internal app that it's time to change my password.

Can we please stop with the fake #security? My password is a long string of randomly generated characters. Nobody's going to guess it any time soon.

#cybersecurity #infosec

#2 termux@infosec.exchange wrote (replying to #1):

@argv_minus_one
all the hypocrisy in the world when they hit you with a
"been two months time for a new password! we LOVE security"

but then get you with a:
"wow wow just wait a second, is this password over 11 characters?? get outta here!"

#3 7666@comp.lain.la wrote (replying to #1):

@argv_minus_one I still believe in password rotation on long intervals (1 year min). Passwords that get spread across multiple systems (e.g. LDAP, OIDC) get used and abused and shoved into god knows what by people, and it contains, to some extent, the damage of a lost first factor, which happens all the time.
#4 phnt@fluffytail.org wrote (replying to #3):

@7666 @argv_minus_one 1 year is reasonable and I would go even lower to 6 months at max. That said, there are companies that force password changes every 2 months and sometimes even faster. At that point it misses the point completely, because many more employees will just stick some number at the end or capitalize one letter and be done with it.
#5 nicholas@aklp.club wrote (replying to #4):

Guessing isn't the issue. If the hash gets exposed in a breach, attackers can brute-force it at their leisure. Rotation helps ensure that by the time they crack it, it's no longer valid. Rotation policy should therefore be based on projected brute-force time per string length, not arbitrary human calendar dates. Set a short password? Well then you're changing it often, don't like it, remember a longer password 🤷‍♀️

#6 argv_minus_one@mastodon.sdf.org wrote (replying to #5):

@nicholas

Yes, and if they brute-force it at their leisure, they gain…access to the same system they've already breached.

You didn't think I was reusing passwords, did you? I'm not completely incompetent.

Actually, they don't even gain that, because I've been notified that there's been a breach and have already changed my password.

So exactly which threat is being mitigated by time-based password rotation?

@7666 @phnt

#7 phnt@fluffytail.org wrote (replying to #6):

@argv_minus_one @nicholas @7666
> You didn't think I was reusing passwords, did you? I'm not completely incompetent.

You aren't 70+% of people in <insert your workplace>.

> So exactly which threat is being mitigated by time-based password rotation?

Forgotten accounts, password reuse.
#8 argv_minus_one@mastodon.sdf.org wrote (replying to #7):

@phnt

Why are people at your workplace reusing passwords and forgetting accounts?

@nicholas @7666

#9 phnt@fluffytail.org wrote (replying to #8):

@argv_minus_one @nicholas @7666 I mean forgotten accounts as accounts of employees that have been fired or left and weren't deactivated for whatever reason. That gives the account an absolute deadline until which it is still active.

> Why are people at your workplace reusing passwords

Almost everybody that isn't tech savvy does that and there's exactly 0 ways to stop them from doing it, because they will never learn. Or people are just careless. Best you can do is force a password manager on people and put some higher password requirement on the vault password and some second factor. But have fun implementing that with Karen in HR.
#10 lunadragofelis@void.lgbt wrote (replying to #8):

@argv_minus_one @phnt @nicholas @7666 if my workplace didn't enforce password rotation, I could pick a secure password without having to worry that by the time I memorized it, it had already expired

so I just make variations on a simple password…
#11 argv_minus_one@mastodon.sdf.org wrote (replying to #9):

@phnt

Why are people at your workplace *using* passwords? Why is your workplace not using single-sign-on, hardware tokens, or the like?

@nicholas @7666

#12 argv_minus_one@mastodon.sdf.org wrote (replying to #10):

@LunaDragofelis

If you can memorize a password, and you're not some kind of super-genius, then your password isn't secure.

@nicholas @7666 @phnt

#13 lunadragofelis@void.lgbt wrote (replying to #12):

@argv_minus_one @nicholas @7666 @phnt hard to use a password manager for a Windows login that I would need to do to access the password manager in the first place (which I do use for other work accounts)

my trick for maximally secure yet memorizable passwords is: making a long sentence, and then taking the initials, using uppercase for nouns and keeping punctuation. Like this: mTfmsymPi:malS,atttI,uUfNakP.lt:
#14 phnt@fluffytail.org wrote (replying to #11):

@argv_minus_one @nicholas @7666
> hardware tokens get stolen or left somewhere
> game over

Amazing security. This push for hardware tokens as the solution to everything security genuinely annoys me. Instead of securing a single factor like a password with a second factor like a hardware token, the current push is to replace passwords completely with tokens, still making it a single-factor authentication.
#15 argv_minus_one@mastodon.sdf.org wrote (replying to #13):

@LunaDragofelis

If you can do that, it might be easier to just type in a sequence of 12 dictionary words. At 11 bits of entropy per word (source: xkcd), that gives you 132 bits total. Not as good as a password manager, but decent.

Your Windows login is protected by more than just your password. That password is only good on that one computer, so it's also protected by the physical security of the building the computer is in.

Online accounts are more exposed.

@nicholas @7666 @phnt

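To put numbers on two claims above, nicholas's point in #5 (derive the rotation interval from projected brute-force time per length, not from the calendar) and the 12-words-at-11-bits arithmetic in #15, here is an added worked example; it is not code from any poster in the thread. The offline guess rate, the safety factor and the policy cap are assumptions chosen for illustration and are labelled as such in the code; it generalises the thread's examples to any charset/length or word-list passphrase.

```python
"""Rotation interval derived from projected offline crack time, not the calendar.

Assumed numbers (constructed for this example, not taken from the thread):
  * GUESSES_PER_SECOND: speed of an offline attack on a leaked fast, unsalted
    hash. 1e11/s is a planning figure for a GPU rig, not a measurement.
  * SAFETY_FACTOR: the password must expire this many times earlier than the
    expected crack time.
  * CAP_DAYS: past this horizon time-based rotation buys nothing; rotate only
    on known compromise (which is what #6 argues for).
"""
import math

GUESSES_PER_SECOND = 1e11      # assumption, see module docstring
SAFETY_FACTOR = 10.0           # assumption: expire 10x before expected crack
CAP_DAYS = 10 * 365            # assumption: policy horizon
SECONDS_PER_DAY = 86_400

# Character-class sizes a policy usually reasons about (exact counts).
LOWER = 26          # a-z
ALNUM = 62          # a-z A-Z 0-9
PRINTABLE = 94      # printable ASCII minus space


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in a password of `length` symbols chosen uniformly at
    random from `charset_size` symbols. Only valid for machine-generated
    passwords: a sentence-initials scheme typed from memory (#13) has far less
    entropy than this formula credits it with."""
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and charset_size >= 2")
    return length * math.log2(charset_size)


def passphrase_entropy_bits(words: int, bits_per_word: float = 11.0) -> float:
    """Bits in a passphrase of `words` words drawn uniformly from a word list.
    11 bits/word is the xkcd figure quoted in #15 (a 2048-word list)."""
    if words < 1:
        raise ValueError("need at least one word")
    return words * bits_per_word


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace at `rate`."""
    return (2.0 ** bits) / 2.0 / rate


def rotation_policy(bits: float, rate: float = GUESSES_PER_SECOND,
                    safety_factor: float = SAFETY_FACTOR,
                    cap_days: float = CAP_DAYS) -> dict:
    """Map entropy to a rotation decision.

    reject : expected crack time is within a day of a hash leak; no rotation
             schedule can keep up, so the password shape must not be allowed
    rotate : expire the password every `interval_days`
    none   : expected crack time is past the cap; rotate only on compromise
    """
    crack_days = expected_crack_seconds(bits, rate) / SECONDS_PER_DAY
    interval = crack_days / safety_factor
    if interval < 1.0:
        action, interval_days = "reject", None
    elif interval >= cap_days:
        action, interval_days = "none", None
    else:
        action, interval_days = "rotate", math.floor(interval)
    return {"bits": round(bits, 1), "crack_days": crack_days,
            "action": action, "interval_days": interval_days}


def policy_table() -> list:
    """Evaluate a few password shapes that come up in the thread."""
    candidates = [
        ("8 lowercase letters", charset_entropy_bits(8, LOWER)),
        ("13 lowercase letters", charset_entropy_bits(13, LOWER)),
        ("11 random printable chars", charset_entropy_bits(11, PRINTABLE)),
        ("12 random dictionary words", passphrase_entropy_bits(12)),
    ]
    return [(name, rotation_policy(bits)) for name, bits in candidates]


if __name__ == "__main__":
    for name, p in policy_table():
        when = (f"rotate every {p['interval_days']} days"
                if p["action"] == "rotate" else p["action"])
        print(f"{name:28s} {p['bits']:6.1f} bits  "
              f"crack ~{p['crack_days']:.3g} days  -> {when}")
```

Under these assumptions an 8-letter lowercase password is cracked in about a second and is rejected outright, 13 lowercase letters get a roughly two-week rotation, and both an 11-character random printable password and the 12-word passphrase fall past the cap, where a calendar-based change adds nothing over rotating on a known breach.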
#16 argv_minus_one@mastodon.sdf.org wrote (replying to #14):

@phnt

Yes, that's the idea. MFA is security theater. The sum of a weak authentication method and a strong one is not significantly greater than the strong one by itself. The weak one is purely decorative. If both of them are weak then both of them are purely decorative. If both are strong then one is unnecessary.

And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!

@nicholas @7666

#17 argv_minus_one@mastodon.sdf.org wrote (replying to #16):

@phnt

And if you're worried people won't report a lost hardware token, you should be able to solve that with company policy:

“If you lose your hardware token, the punishment is we dock your pay by like $2 for a replacement token. If you lose your hardware token and try to cover up the fact that you lost it, the punishment is you're fired. Tokens are cheap; security breaches are expensive.”

@nicholas @7666

#18 phnt@fluffytail.org wrote (replying to #17):

@argv_minus_one @nicholas @7666 If I can take your token from you in a workplace and within 5 minutes or less gain access to everything, that is true security theater. Meanwhile you might get my token, but you probably aren't getting the password from me unless <xkcd 538>. If I can gain access to your whole computer by plugging in your token I stole, that is not security I would want near anything important.

> And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!

Idk, you leave your keys somewhere while on lunch in <company canteen>, I steal it from you in a hallway because you didn't have it securely on you, ... Many different ways to achieve that. All it takes is a few minutes for someone prepared. Point is, your system's security might be high, but your physical security now sucks. In this case a smart card reader would actually be a really good solution and using your card to also log in to your computer, but barely any laptop now has a smart card reader.

On that note, it still vexes me that you can't set up a hardware key with password login on Windows I think. I have a hardware token on me almost at all times and I can set it up as a second factor on Linux with enough caffeine, but Windows can't do it (especially with an offline account).
#19 lunadragofelis@void.lgbt wrote (replying to #15):

@argv_minus_one @nicholas @7666 @phnt It's an AD login.
#20 argv_minus_one@mastodon.sdf.org wrote (replying to #18):

@phnt

You don't need xkcd 538 to break a weak password. And since we're talking about the password people type in by hand to log in to their computers, not passwords stored in a password manager, goodness knows that password is going to be weak.

I suppose it would take more than 5 minutes, though.

Then again, if we're talking about the kind of ninja who could sneak into a corporate office building unnoticed, he probably already saw you type in your password…

@nicholas @7666

#21 argv_minus_one@mastodon.sdf.org wrote (replying to #20):

@phnt

I'm shocked to learn that Windows makes it hard to use a hardware token to log in. I remember Windows championing smart cards back in the 1990s when everybody else had never heard of anything other than passwords.

Old-fashioned card-slot-type smart card readers do seem to be a thing of the past now, but a cursory web search says some laptops have NFC interfaces and some smart cards are NFC enabled. That must be what the cool kids are using these days.

@nicholas @7666
