Aug 14 2008

My password is amritrules

Published at 6:07 am under Hacking, Simple Security

Not really, but I do have to admit that I’m one of those people who does a certain amount of password re-use. Not a lot, and not for anything sensitive, but for some low-impact sites I have used the same password across several of them. They’ve been relatively strong passwords, but the fact that I re-used them definitely reduces their effectiveness: one compromised site exposes every other resource that shares the password. Yes, even security professionals get lazy when creating passwords.

I can’t think of anyone who actually likes passwords and the memorization they require. Amrit Williams actively hates passwords and uses them as a way of expressing his man crush on Chris Hoff. The problem is, he’s not really offering up a good alternative. Yes, we all know that passwords suck, but what is the alternative?

I have an RSA SecurID token for logging in to my corporate VPN. At Black Hat they included a token for use with PayPal in every souvenir bag. We can use client certificates if the site is properly set up and you have someone who can explain to the average user how to enable them. But if you think password resets create a lot of tech support calls, certificates would be even worse in the short run.

We don’t currently have a good alternative to passwords. OpenID has some possibilities, but it runs into the problem of providing a one-stop compromise for the baddies: whoever takes over your identity provider account takes over every site that trusts it. Maybe a hardware token combined with OpenID is a solution, but then everyone has to have a hardware token. What other solutions are easily distributed and more secure than passwords? None that I know of.

We’re not going to see the end of passwords any time soon. Too many start-ups, too many social media sites, too many Web 5.0 sites are being created on a daily basis, and each one requires a password to log in. If security professionals occasionally get lazy and re-use passwords, imagine how bad the average user is about creating unique passwords.

  1. Amrit on 14 Aug 2008 at 7:25 am

    You should have read the comments, all us Mac users prefer 1Password…

  2. Mike Rothman on 14 Aug 2008 at 8:47 am

    My passwords are anywhere from 20- to 35-character random strings. How do I manage that? On my Mac I use 1Password and I can’t speak highly enough about it. It’s not free, but it rocks. Roboform provides similar functions for all you Windows dinosaurs out there.

    Having exceedingly strong passwords isn’t a panacea, but it will stop the brute-force attacks that can facilitate webmail or blog pwnage.


  3. Martin on 14 Aug 2008 at 9:23 am

    1Password would be great if all I used was a Mac. I primarily use my PC desktop at home, I use the corporate x86 laptop when on the road at clients and my MacBook Pro when I’m on the road for personal activities (podcasting, not pr0n, you perverts). I can’t use a product like 1Password on all three systems. What I actually need is something that’ll fit on a USB stick and run from there on all three systems, without leaving a footprint behind. I guess I could use an open source solution to encrypt a text file, but that seems like a bit of a clunky solution to me.

    I’d appreciate any suggestions for something that would fit my needs. After last week, it’s obvious to me that memorized passwords are not the best solution, especially if that means I have to write them down or re-use them.

  4. Ben on 14 Aug 2008 at 1:15 pm

    Good grief, how do you all not know about PasswordSafe and its derivatives? It’s a free, open-source solution that uses a standard encrypted database that can then be used with any other related projects – Windows, Mac, or Linux. Oh, and in case you question the pedigree, this was one of the first free releases by Bruce Schneier’s research team before Counterpane was a big name.


    Related projects:

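Mike’s 20- to 35-character random strings and the encrypted database Ben and Martin are discussing come down to two pieces: a CSPRNG for generating passwords, and a file format that stretches a master password into keys and authenticates everything it encrypts. The Python below is an added example written for this page, not code from any commenter and not the Password Safe, 1Password or Roboform file format. The iteration count, field lengths, the `PWDB` magic and the HMAC-SHA256 counter-mode stream cipher are the example’s own choices; a production tool would use a vetted AEAD such as AES-GCM from a crypto library rather than a hand-built cipher.

```python
import hashlib
import hmac
import json
import math
import secrets
import string

# Constructed example: a KDF plus encrypt-then-MAC vault in the spirit of a
# password-manager database. Not Password Safe's or 1Password's real format.
KDF_ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (assumption; raise it in production)
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32               # HMAC-SHA256 tag
MAGIC = b"PWDB"            # hypothetical file marker, not a real format

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24, alphabet=DEFAULT_ALPHABET):
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def _derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, entries):
    """Encrypt a dict of site -> password; fresh salt and nonce every time the file is written."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()   # MAC covers header too
    return header + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag before touching the ciphertext; wrong password and tampering fail identically."""
    hdr = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr]
    ciphertext, tag = blob[hdr:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault tampered with")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    site_pw = generate_password(24)
    print(f"{site_pw}  ({entropy_bits(24, len(DEFAULT_ALPHABET)):.0f} bits)")
    blob = seal_vault("a long master passphrase", {"example.com": site_pw})   # constructed entry
    print(open_vault("a long master passphrase", blob))
```

`open_vault` checks the tag before decrypting, so a wrong master password and a tampered file produce the same error, and `entropy_bits(24, 94)` comes to about 157 bits, which is why online brute force against such a password is not the realistic risk; the exposure moves to the master password and to whatever machine (or USB stick) holds the vault.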
  5. Martin on 14 Aug 2008 at 2:20 pm

    Thanks Ben, I knew there was something that fulfilled my requirements, but higher brain functionality is a little slow in returning after Black Hat and Defcon. There’s a slim possibility it’s alcohol related.

    I’ll download this tonight and start using it rather than a simple password algorithm and memorized passwords. And I’ll pass on making any comments on the much revered Mr. Schneier and his accomplishments past.


  6. Christian on 14 Aug 2008 at 5:08 pm

    Also can’t speak highly enough of PasswordSafe. Awesome bit of software.

    I also got fed up with just a password for my WP login so I hacked together a WordPress plugin to integrate Twitter DMs for a temporary one-time PIN 😛 (arguably though it’s not the most reliable thing, given Twitter’s notorious fail-whale)

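Christian’s plugin delivers a one-time PIN over a second channel; the part a practitioner can get wrong is the server side: how the PIN is generated, what happens when a PIN never arrives (the fail-whale case), and how replays and guessing are handled. The Python below is an added example written for this page, not Christian’s plugin and not Twitter-specific. It uses HOTP from RFC 4226 as the PIN generator (the test secret is the RFC’s own), and the outstanding-PIN cap and failure lockout are the example’s own parameters.

```python
import hashlib
import hmac
import struct

# Constructed example: HOTP (RFC 4226) as the one-time PIN generator, with
# server-side state that tolerates a PIN lost in transit but rejects replays.
# Delivery of the PIN (DM, SMS, e-mail) is out of scope here.


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class OneTimePinVerifier:
    """Per-user state: which PINs have been issued and which have been consumed."""

    def __init__(self, secret, max_outstanding=3, max_failures=5):
        self.secret = secret
        self.next_counter = 0          # counter of the next PIN to issue
        self.used_counter = -1         # highest counter already accepted
        self.max_outstanding = max_outstanding   # cap on simultaneously valid PINs (assumption)
        self.max_failures = max_failures         # lockout threshold (assumption)
        self.failures = 0

    def issue(self):
        """Mint the next PIN. Refuses once too many are outstanding, so a flaky
        channel cannot be used to pile up many simultaneously valid codes."""
        if self.next_counter - (self.used_counter + 1) >= self.max_outstanding:
            raise RuntimeError("too many unused PINs outstanding; verify one or wait")
        code = hotp(self.secret, self.next_counter)
        self.next_counter += 1
        return code

    def verify(self, code):
        """Accept any issued-but-unused PIN (a lost one does not lock the user out),
        then burn it and everything older. Constant-time compare, lockout on repeated failure."""
        if self.failures >= self.max_failures:
            return False
        code = code.strip()
        if not (code.isascii() and code.isdigit()):
            self.failures += 1
            return False
        for c in range(self.used_counter + 1, self.next_counter):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.used_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = OneTimePinVerifier(b"12345678901234567890")   # RFC 4226 test secret
    lost = v.issue()        # never reached the user
    delivered = v.issue()   # user asked again and got this one
    print(v.verify(delivered), v.verify(lost), v.verify(delivered))   # True False False
```

A PIN that was issued but lost stays valid only until a later PIN is consumed, at which point it and everything older are burned; the outstanding cap keeps the number of simultaneously valid six-digit codes small, and the failure counter is what actually makes six digits tolerable against online guessing.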
  7. Martin on 16 Aug 2008 at 6:37 am

    I broke down and purchased 1Password when I realized it will also run on my iPhone. It’s not the perfect solution, but I carry my iPhone almost everywhere with me, so it’s better in some ways than having something to run off of a USB drive.

    By the way, Password Safe does not run on the Mac. There is a port to the Mac, but the same port won’t run on Win systems.


