On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>> Equating this to "vaccination" is a huge stretch.
>
> Why?

It's not just an imperfect analogy; it really doesn't work on closer scrutiny. Malware itself is not a good analog to antigens. Vaccinations provide immunity to only certain kinds of antigens, and only specific ones at that. Challenge-Response, which is what a login password is, is about user authentication; it is not at all meant or designed to provide immunity from malware. That we're trying to use it to prevent infections is more like putting ourselves into bubbles; and humans put into bubbles for this reason are called immune compromised. So this push to depend on stronger passwords just exposes how "immune compromised" we are in these dark ages of computer security. There are overwhelmingly worse side effects of password dependency than immunization. The very fact SSH PKA by default is even on the table in some discussions demonstrates the level of crap passwords are at. Software patches, SELinux and AppArmor are closer analogs to certain aspects of human immunity, but even that is an imperfect comparison. And also, a large percent of malware doesn't even depend on brute force password attacks. There are all kinds of other ways to compromise computers, create botnets, that don't depend on passwords at all. So vaccinations have something like 95% efficacy, while passwords alone have nothing close to this effectiveness against malware.

-- 
Chris Murphy
On Jul 28, 2015, at 8:50 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
> On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>
>>> Equating this to "vaccination" is a huge stretch.
>>
>> Why?
>
> It's not just an imperfect analogy it really doesn't work on closer scrutiny.

Every analogy will break down if you look too closely. The question is, is it a *useful* analogy?

> ...a login password is...about
> user authentication...not...meant or designed to provide
> immunity from malware.

Fine. If you want to be picky, a better analogy to a good password and reasonable limits on SSH logins is a healthy integument and healthy cell walls.

Has that changed any of the conclusions about bad passwords? No. Therefore we have succeeded in clarifying nothing except our application of biology, which is interesting, but not on topic here.

> That we're trying to use it to prevent
> infections is more like putting ourselves into bubbles; and humans put
> into bubbles for this reason are called immune compromised.

Now it is you who are off the rails. The hygiene hypothesis explains a great deal about human disease because we have an active immune system to deal with an evolving set of biological challenges. CentOS's immune system doesn't get stronger purely by subjecting it to more attacks. It improves only through human intervention.

> So this push to depend on stronger passwords just exposes how "immune
> compromised" we are in these dark ages of computer security.

While true, that doesn't tell us that it is a good idea to allow weak passwords. If you will allow me to return to biology, it's like saying that prophylaxis is a bad idea because it points out how imperfect our immune systems are.

Stop covering your face when you sneeze, stop using condoms, stop going to the dentist: we need stronger humans, so let's evolve some!

> There are
> overwhelmingly worse side effects of password dependency than
> immunization.

That seems like a falsifiable statement, so I expect you will be able to point to a scientific paper that supports that assertion.

> And also, a large percent of malware doesn't even depend on brute
> force password attacks.

So let's dial back my previous proposal. We'll just stop using dental prophylaxis, then, because it doesn't prevent the contraction of oral STIs.

Just because one particular method of prophylaxis fails to protect against all threats doesn't mean we should stop using it, or increase its strength.
On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:
> Just because one particular method of prophylaxis fails to protect against all threats doesn't mean we should stop using it, or increase its strength.

Actually it does.

There is no more obvious head butting than with strong passwords vs usability. Strong login passwords and usability are diametrically opposed. The rate of brute force attack success is exceeding that of human ability (and interest) to remember ever longer, more complex passwords.

I just fired my ISP because of the asininity of setting a 180 compulsory expiration on passwords. Now I use Google. They offer MFA opt in. And now I'm more secure than I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate login passwords for years - obviously they're not ready to flip the switch over yet, it isn't an easy problem to solve, but part of why they haven't had more urgency is because they are doing a lot of work on peripheral defenses that obviate, to a pretty good degree, the need for strong passwords, relegating the login password to something like "big sky theory" - it's safe enough to tolerate very weak passwords in most use cases. The highest risk, by a lot, is from a family member.

I'm not arguing directly against strong passwords as much as I'm arguing against already unacceptable usability problems resulting from stronger password policies, because it doesn't scale. Making policies opt out, let alone compulsory, is unacceptable. Even as the policies get stronger, people's trust in password efficacy relating to security continues to diminish.

-- 
Chris Murphy