The content of this blog is my personal opinion only. Although I am an employee - currently of Nvidia, in the past of other companies such as Iagination Technologies, MIPS, Intellectual Ventures, Intel, AMD, Motorola, and Gould - I reveal this only so that the reader may account for any possible bias I may have towards my employer's products. The statements I make here in no way represent my employer's position, nor am I authorized to speak on behalf of my employer. In fact, this posting may not even represent my personal opinion, since occasionally I play devil's advocate.

See http://docs.google.com/View?id=dcxddbtr_23cg5thdfj for photo credits.

Friday, February 03, 2017

Password HELL: "work is low security"

The Register has an amusing series BOFH (Bastard Operator From Hell): this post Password HELL resonated:
"I'll just need your username and password to verify this," the customer rep tells me.
No, this is not another "Never give out your password" post.

What amused me was later:
"Banana47" I lie. "Capital B"
I hear a clicking sound and then:
"No, that password doesn't seem to work."
So at least it's not a ploy to shut me out permanently...
"Hmm. I'll need to look at my password book."
"You... have a password book?" he asks.
"Of course I do! Encrypted, obviously – because I'm an IT professional. What, do you think I just have one password which I use for everything?"
"No, I'm not suggesting that."
"A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."
"And I'm assuming that this is low security?"
"No, work is low security, this is medium and all the personal stuff I care about is high."
"Work is LOW?!" he gasps.
Have you noticed this?

I use long high entropy passwords for my personal stuff.

As a conscientious employee, I would like to use a high entropy password for work. But often IT gets in the way:
  • The only way I can handle a really high entropy password is using a password manager. There is no way that I can remember 24 characters of [a-zA-Z0-9[:punct:]]{20,24}; heck, I can barely type that many characters reliably. Yeah, gotta use copy&paste, or insert from a password manager.  (I hope those are secure!)
  • But IT often wants me to enter my password into places where password manager insertion or copy&paste doesn't work.  E.g. these convenient ways of entering high entropy passwords did not work, for a long time, on some browsers(usually Corporate IT standard browsers) for HTTP Basic Authentication. E.g. similarly for Cisco VPN tools.  (Although mostly fixed now.)
  • IT single sign on systems sometimes enforce lowest common denominator passwords: e.g. if some system only allows 14 character passwords, all are restricted.  Worse if it is a password replication system.
  • If you still want to use a high entropy password despite such problems, i.e. so that you have to memorize it, then IT policies like "passwords must be changed every 90 days" get in the way. How many of us increment a version number in a password?  Password change policies can weaken security is now a meme.
  • Many systems prevent you from reusing one of the last N passwords.  That's okay - they can compare hashes.  But trying to prevent incrementing patterns like HighEntropy.0342, HighEntropy.0442 if you have proper password security. Homomorphic encryption, anyone?
  • Corporate IT systems seem to require passwords to be entered much more often.  E.g. in my company I have to enter my password for VPN whenever I close and then reopen the lid of my laptop, disconnecting from wifi. (I wish there was hysteresis here - e.g. don't disconnect from wifi/VPN for a few minutes, or while I am still in building.)  Often, e.g. every morning and lunch, I have to enter the same password back to back for VPN and then for Perforce (the centralized version control tool).  And then often again for VNC or an emacs shell session. At least not so much for web pages, given a password manager.   Password manager insertion works for some, but not all.  Copy&paste of passwords works for some, but not all. Ironically, secure copy&paste of passwords often means that the password is erased immediately on pasting, so that it is not left around for a bad guy to look at. (Better to have some sort of indication of timeout, and/or some sort of indication of who the password can be pasted into, and/or a notification like "Are you SURE you want to paste this password into this phishing webpage text box?") So, while I am willing to use hopefully secure copy&paste for passwords that I only enter once in a while, it can be too much of a slowdown for passwords that must be frequently entered.  So I memorize them.  And probably simplify them to make them ease to memorize.  Password friction frequency erodes entropy.
  • Late addition, after original post, but probably one of the biggest factors leading to weak work passwords:  my company's "password failure" policy is "3 tries, and you are locked out for 30 minutes". Compare to iPhone "6 tries => 1 minute lockout".  (iOS 7 reported as 6=>1minute, 7=>5, 8=>15, 9=>60, 10=>lock/iTunes/erase; I don't know if iOS10 does that). A weaker password for work is encouraged by the more immediate & steeper penalty for typing a bad password compared to the iPhone - although the work password penalty curve levels off, there is no equivalent of "erase everything".
Other places where that last point applies:  
  • iPhone: whereas on Android password managers can look at webpages and apps and supply passwords, it is harder to do so on iPhone. At least iPhone now mostly allows password copy&paste, and seems to have some security features like use-once. But still, has anyone else noticed that iOS encourages you to have weaker passwords?
  • Two Factor Authentication is a darn good thing for security - ok, SMS text messages can be hacked, and I dislike time-based things like Google Authenticator. But how many Corporate IT departments support it?
This may be considered an example of your most important passwords are probably your weakest, which I have posted about before.  This is why I like this BOFH saying "work passwords are low security", even if in mockery or ironically.  My employer would probably LIKE me to create high security passwords for work. But IT gets in the way.

No comments: