Open Cloze
Gap-fill exercise
Fill in all the gaps, then press "Check" to check your answers.
Our Terrible, Horrible, No Good, Very Bad Password System
It has
a heck of a year for password/password hash disclosures.
the same week in June, millions of password hashes
disclosed from LinkedIn, eHarmony and Last.fm. And in
same week in July, more than 450,000 usernames and unencrypted passwords were reportedly stolen
Yahoo Voice, while 420,000 password hashes were leaked as a
of an attack on the social networking site, Formspring. These events have
a lot of attention to the issue of password security.
particularly interesting breach occurred right
the end of 2011. Anonymous released over 800,000 password hashes
with personal information and credit
numbers from Stratfor. Stratfor writes popular analyses of current geopolitical
, and most large companies have a few employees
have created accounts
them.
There is a
engine of the Stratfor data available online
which you can input your company's domain
and obtain a list of employees who associated their work
address with their Stratfor account and subsequently
their password hash disclosed. Two questions immediately come to
when you see these search results: Did any of those employees use a password
Stratfor that they also use
their corporate network? If so, have all of those passwords
changed?
I have no
that we will see more password compromises
the future. Passwords are the oldest security control that
have, and they are probably the
understood. It would be nice to imagine that these breaches
result in the universal adoption of two-factor authentication technologies, or at least password vaults,
those changes are not going to happen everywhere
both economic and usability reasons. The fact
that passwords are here to stay, and it is
to get serious about modernizing the approach that corporations
to password security.
We need to abandon passwords in
of passphrases.
Today's passwords are too short. Two years ago, the Georgia Tech Research Institute argued that any password shorter
12 characters was easily broken with a PC and
graphics processor. Passwords that are
than 12 characters aren't really passwords anymore -- they are passphrases, and we should start calling them
so users understand what they should be
to protect themselves.
Many of the password rules that systems are enforcing can
be counterproductive. Forcing users to include a combination of random capitalizations and special characters
passwords hard to remember,
leads people to adopt common character substitutions that satisfy the requirements
adding security.
Password expiration has the same
, prompting users to adopt poor practices such
regularly incrementing a number
the end of their password. The worst password rule that I
ever encountered is maximum length. Enforcing a short maximum password length is
to result in bad security consequences. It also
the transition to passphrases impossible.
We need to
rid of almost all of the password rules that we enforce today except
one -- minimum length. We need to set the minimum lengths higher, and encourage users
create passphrases instead of passwords. Combinations of four or more randomly chosen, unrelated English words are often
more secure than short passwords and much easier
remember, as
as they aren't full of random character substitutions.
Adapted and abridged from: technewsworld.com, July 18, 2012.