Sophos Techknow - Busting Password Myths

Filed Under: Data loss, Featured, Podcast, Privacy

Welcome to Techknow, in which Sophos experts debate, explore and explain the often baffling world of computer security.

Unlike the Chet Chat, where we cover a range of recent news items without much depth, in the Techknow programme we pick one topic and consider it in more detail.

So if you're one of the regular Chet Chat listeners who's been asking for this sort of podcast: here you are!

In this episode, entitled Busting Password Myths, Paul Ducklin and Chester Wisniewski take a look at the thorny issue of password rules and regulations. In particular, we debate whether you really need corporate rules for password reset, password complexity, and password reuse.

The content of the show is based around a very popular presentation given by Chester at the recent RSA 2012 conference.

Listen now:

Listen later:

Download Techknow podcast


-

, , , , , , ,

You might like

14 Responses to Sophos Techknow - Busting Password Myths

  1. John · 767 days ago

    I see a market for password managers with proper 2 factor authentication :)

  2. John · 767 days ago

    In a time where everyone requires 256 bit AES, which has a password equivalence of say 35 random charachters, it boggles my mind that companies still rely on passwords. I know it has a bad rep (compromised certificate peddlers, expensive, exotic hardware) but I think good cryptographic tokens and a trustworthy PKI woulld make it lots and lots easier (on the user). Add some SSO to it, and all a user has to remember is to bring the token and remember the PIN, for all logons in the company infrastructure. Now you should be looking at where to set the PIN rules...

  3. Dante · 767 days ago

    Audio-only is not very user-friendly (not to mention search/archive-friendly). Could you post a list of the topics discussed in future Techknow episodes ?

    • Paul Ducklin · 767 days ago

      I added an explanatory sentence to the article to give a bit more detail about the password issues we covered - reuse, complexity and reset.

      Hope that's satisfactory.

      As for user-friendliness - I get your point, but the whole idea of doing the occasional podcast is that some people actually prefer audio "articles", at least from time to time. They can listen in the {car, bus, train}; they enjoy hearing the cut, thrust and tone of discussion and debtate; it provides a break from clicking, reading and scrolling.

      Our written-only material outnumbers our podcast material somewhere between 10 and 100 to 1, so there isn't exactly a shortage of written articles for those who dislike listening :-)

      Perhaps you will accept the podcasts as an attempt to be a bit more user-friendly to those who like listening, rather than as items which are less user-friendly to those who prefer to read.

      (We try to provide transcripts when we can, but they are a _lot_ of extra effort for the NakSec team considering that a podcast is specifically intended as an audio work. None of us is a stenographer, so it takes hours to transcribe 15 minutes of discussion correctly.)

      • Barney · 108 days ago

        Would you publish a transcript if someone else made it?

        • Paul Ducklin · 107 days ago

          We used to do transcripts. But they are a lot of effort, and one day we didn't do one and...

          ...no-one noticed. No-one asked us to bring them back. And so I guess we just lost the habit.

          For this podcast: if you have made a transcript and are willing to send it to tips@sophos.com, I'm willing to proofread it and then publish it, sure.

          • Magyver · 98 days ago

            Paul, for those of us who promote your articles by doing "fair access" repost articles. transcripts would help to pull a couple of good quotes out to promote the audio with.

            There's nothing like a good "teaser" paragraph.

        • Magyver · 98 days ago

          Just curious Barney, if you used Dragon to make the transcript, what version did you use? I assume the software had to "learn" the speaker's voice.

  4. Fionacat · 767 days ago

    Oblig XKCD reference> http://xkcd.com/936/

    • Paul Ducklin · 767 days ago

      Nicely done. Was hoping someone would bring that up :-) (I originally mentioned that very cartoon in the podcast, but ended up editing it out because I didn't do it justice in my verbal description.)

  5. Djordje · 753 days ago

    Regarding the regular password changes... seems to me there are at least 2 good reasons not to give up on it... I'd love to hear your comments...
    First, similarly to the principle of regular change of session keys in crypto protocols for communication, you do not want to give someone who is "listening" to your communication too much "material" from which he could try to crack the key. Regular change of the password limits the time of its validity, thus limits the amount of "material" someone could pick up from the network during your regular logins, and lowers the possibility for cracking your password that way.
    Second, in case someone gets hold of that file with the hashed passwords, and eventually cracks some or all of them, regular password change shortens the time frame during which they can be misused.
    Things are not black or white, of course, but in case of some of the mentioned scenarios, I would not want to give up on any security control that would have a chance of hindering the attack or limiting the damage.

    • Chester Wisniewski · 753 days ago

      Your points are certainly valid. What we are suggesting is that we need to strike a balance between perfection and it being easy enough that you get nearly 100% compliance from your user base.

      If you are an individual, I think it is great to choose really long passwords and change them frequently, but when designing a policy for an organization if you choose a policy that is too hard, most people give up and find ways to break the rules.

      I personally change my password on my LastPass every few months for that very reason. Of course if a company were to suspect their hashes may have been compromised (think RSA) it would appropriate to force everyone to perform a password change.

      Thanks for your comments,
      Chester

  6. Kryptos Vault · 619 days ago

    The fingerprint recognition is outdated?
    Passwords are dinosaurs that need to go the way of the dodo. We can add password complexity, length and change them regularly, but sooner or later, you will be left out of your own stuff (or end up with the passwords written on a post-it).
    I've already lost some info because of lost encryption keys (yes, I used to backup data with a long password lock. Now I realize I didn't keep records of passwords and its' date usage).
    I was able to recover some CD's, because I used short passwords. With current computing power, that is irrelevant... but somewhere in 2000 I decided to go to unbelievable long passwords. I just hope the CDs with the data will survive 10 more years to give it another try.

  7. palimadra · 615 days ago

    Thank you for the podcast

    What do you think is an appropriate length of your password?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog