Entire site and all contents except otherwise noted © Copyright 2001-2006 by Glenn Fleishman. Some images ©2006 Jupiterimages Corporation. All rights reserved. Please contact us for reprint rights. Linking is, of course, free and encouraged.
Can you make users pick strong passwords?

It’s well known that users are the problem in security. (Yeah, right.) I mean, you tell people to choose passwords of 16 characters or more with no words found in any dictionary on the planet using a combination of letters, numbers, punctuation, and the symbol for the artist formerly known as Prince—and they just choose “dog,” “cat,” or “1234.”
So we know that’s not really the problem. The problem is providing reasonable tools to allow users to select passwords or passphrases that don’t require them to memorize impenetrably long sequences that force them to write them down in order to have them available.
The Slashdot discussion linked above points to a Security Focus discussion that runs through many of the issues. Even if you have a secure method to deliver password suggestions to a user, it’s unlikely that those suggestions would meet the user’s personal needs for recollection, consistency with the other passwords they use elsewhere, and security.
WPA’s preshared key version—WPA Personal—suffers directly from this problem. Although you can enter long phrases (up to 63 characters), none of the interfaces provided by manufacturers requires a key of sufficient entropy to ensure that it beats the WPA weak passphrase choice problem. If you choose a short WPA passphrase made of words found in a dictionary, that passphrase can be cracked. This says nothing about the underlying WPA encryption, which is very good, but about the mechanism that generates the key used in that system: the key is derived entirely from the passphrase and can be no stronger than the passphrase is.
Many systems solve the key problem by generating an extremely long and secure key that is itself secured through a passphrase passed through a strong one-way function. For instance, PGP’s system protects the long private key that’s part of the public/private pair using a passphrase of arbitrary content and length that you create. The passphrase isn’t related to the private key—the private key isn’t derived from it—so the passphrase can be easy to remember without being simple in structure. I use a long English phrase to protect mine, for instance, which is an increasingly frequent recommendation.
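The two designs contrasted in the last two paragraphs, as an added example that is not code from the original post. It assumes the WPA Personal derivation specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output), and, for the PGP-style design, stands in for a real cipher with a PBKDF2-HMAC-SHA256 pad plus an HMAC tag so it runs on the Python standard library alone. The word list, the dictionary-size assumption and the 64-bit entropy policy are constructed values chosen for illustration, not anything the post or the standards specify.

```python
"""Passphrase-derived key (WPA Personal) versus passphrase-protected random key (PGP style)."""
import hashlib
import hmac
import math
import os
import string

# --- 1. WPA Personal: the 256-bit PSK is a pure function of passphrase + SSID,
#        so its effective strength is capped by the passphrase's entropy.
def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 Personal PSK as IEEE 802.11i specifies."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed stand-in for an attacker's word list (assumption, not from the post).
TOY_WORDS = {"dog", "cat", "house", "password", "wifi", "network"}
DICTIONARY_BITS_PER_WORD = math.log2(100_000)   # assumption: ~100k-word dictionary
MIN_PASSPHRASE_BITS = 64.0                       # assumed local policy, not a WPA rule

def estimate_entropy_bits(passphrase: str, words=TOY_WORDS) -> float:
    """Rough entropy estimate: dictionary words cost log2(dictionary) each;
    anything else is charged per character by the size of its character pool."""
    parts = passphrase.lower().split()
    if parts and all(p in words for p in parts):
        return len(parts) * DICTIONARY_BITS_PER_WORD
    pool = 0
    if any(c.islower() for c in passphrase):
        pool += 26
    if any(c.isupper() for c in passphrase):
        pool += 26
    if any(c.isdigit() for c in passphrase):
        pool += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        pool += 33
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_wpa_passphrase(passphrase: str, ssid: str, words=TOY_WORDS):
    """The check a router UI could run before accepting a WPA Personal passphrase."""
    try:
        wpa_psk(passphrase, ssid)
    except ValueError as err:
        return False, str(err)
    bits = estimate_entropy_bits(passphrase, words)
    if bits < MIN_PASSPHRASE_BITS:
        return False, f"estimated {bits:.1f} bits of entropy, policy wants {MIN_PASSPHRASE_BITS:.0f}"
    return True, f"estimated {bits:.1f} bits of entropy"

# --- 2. PGP-style: a random key the passphrase never determines, only unlocks.
KDF_ITERATIONS = 200_000  # assumed work factor for the passphrase KDF

def wrap_key(passphrase: str, key: bytes) -> bytes:
    """Wrap a random 32-byte key under a passphrase. Output: salt || wrapped || tag."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    salt = os.urandom(16)
    stream = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 64)
    pad, mac_key = stream[:32], stream[32:]
    wrapped = bytes(a ^ b for a, b in zip(key, pad))         # one-time pad from the KDF
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()  # detects wrong passphrase
    return salt + wrapped + tag

def unwrap_key(passphrase: str, blob: bytes) -> bytes:
    """Recover the random key; a wrong passphrase fails the tag check instead of leaking garbage."""
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    stream = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 64)
    pad, mac_key = stream[:32], stream[32:]
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted key blob")
    return bytes(a ^ b for a, b in zip(wrapped, pad))

if __name__ == "__main__":
    for candidate in ("dog", "dog cat", "dogcat12", "xK9#mQ2vLp7!wZ4r"):
        print(f"{candidate!r:22} -> {check_wpa_passphrase(candidate, 'IEEE')}")
    private_key = os.urandom(32)                     # the long key the passphrase protects
    blob = wrap_key("a long english phrase is easy to recall", private_key)
    assert unwrap_key("a long english phrase is easy to recall", blob) == private_key
    print("wrapped key round-trips; the key itself is independent of the passphrase")
```

The contrast the post draws is visible in the two halves: `wpa_psk` cannot produce more than the passphrase's entropy no matter how the derivation is tuned, whereas `wrap_key` protects a full 256-bit random key and the passphrase only gates access to it, so a guessed passphrase is the only way in and the KDF work factor makes each guess expensive.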
Ultimately, there has to be a way to have strong keys that aren’t derived from passphrases and that can be used more easily by those who have proven their identity. This requires management, though, and it will take a long time for anything comprehensive to be rolled out.
I would argue that Apple’s Keychain is the closest element that’s currently available. Apple uses a passphrase to protect the Keychain, which is strongly encrypted. Keys can be retrieved as needed through the use of the passphrase. It stores keys, passwords, and certificates and can set individual access control limits per item, as well as managing multiple Keychains.
Posted by Glennf at April 24, 2005 8:27 AM
Categories: Security