On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:
> Just because one particular method of prophylaxis fails to protect against all threats doesn't mean we should stop using it, or increase its strength.

Actually it does. There is no more obvious head butting than with strong passwords vs usability. Strong login passwords and usability are diametrically opposed.

The rate of brute force attack success is exceeding that of human ability (and interest) to remember ever longer more complex passwords. I just fired my ISP because of the asininity of setting a 180 compulsory expiration on passwords.

Now I use Google. They offer MFA opt in. And now I'm more secure than I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate login passwords for years - obviously they're not ready to flip the switch over yet, it isn't an easy problem to solve, but part of why they haven't had more urgency is because they are doing a lot of work on peripheral defenses that obviate, to pretty good degree, the need for strong passwords, relegating the login password to something like "big sky theory" - it's safe enough to tolerate very weak passwords in most use cases. The highest risk, by a lot, is from a family member.

I'm not arguing directly against strong passwords as much as I'm arguing against already unacceptable usability problems resulting from stronger password policies, because it doesn't scale. Making policies opt out let alone compulsory is unacceptable. Even as the policies get stronger people's trust in password efficacy relating to security continues to diminish.

-- 
Chris Murphy
On Jul 29, 2015, at 3:16 PM, Chris Murphy <lists at colorremedies.com> wrote:
>
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:
>> Just because one particular method of prophylaxis fails to protect against all threats doesn't mean we should stop using it, or increase its strength.
>
> Actually it does. There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.

Security is *always* opposed to convenience. The question is not "security or no security," it's "how much security?" The correct answer must balance the threats and risks. Given that the threats and risks here are nontrivial, the password quality restrictions should also be nontrivial.

> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.

You must consider offline and online attack scenarios separately. Online we have already dealt with: 50 guesses max/sec, allowing a 9-character random password to survive a million years of constant attack. Offline is an entirely separate matter, and is already addressed by /etc/shadow salting and hashing in CentOS. We know how to make it even stronger if the threat requires it: move to OTP keys, use a better KDF than SHA512, etc.

> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.

Good for you. Password expiration is silly. A good strong password should last years under any reasonable threat. But we've not been talking about password expiration here.

> The highest risk, by a lot, is from a family member.

Of course. It's why Bruce Schneier wrote only one book on cryptography, but several on human factors.

That does not tell us that we should be sloppy with our crypto and authentication methods, though.

> it doesn't scale

I'm still not seeing how it's difficult to remember, securely record, type, or transcribe a password that will pass the new restrictions. They're on the mild side, as these things go.

If you wanted to use the GRC password haystack calculator results to argue for a slight reduction in the defaults, I could get behind that. Six random characters pulled only from the unambiguous subset of the alphanumeric set, no uppercase, and one symbol gets you a password that should withstand constant pounding for the life of the machine. I could live with that minimum.

I have no strong feelings on the new libpwquality rules, exactly. What I do feel strongly about is that there should be *some* reasonable minima that can't easily be bypassed. Where that level is set is not only a sensible subject for debate, it is one that's easy to separate from emotion; it's basically a question of arithmetic.

> Making policies
> opt out let alone compulsory is unacceptable.

I don't see why we can't take some responsibility for this mess and try to build up some herd immunity.

> Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.

Passwords are what we have today. Strengthening them to a level that will suffice until something better comes along is reasonable.
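The "question of arithmetic" in the message above, worked through as an added example (not code from the thread or from libpwquality): it compares the rate-limited online case at the 50 guesses/sec figure cited above with an offline attack on a leaked hash, for both the 9-character random password and the "six unambiguous characters plus one symbol" minimum. The alphabet sizes (62 alphanumerics; 31 unambiguous lowercase letters and digits; 32 symbols) and the offline guess rate are assumptions.

```python
"""Password-policy arithmetic: online (rate-limited) vs offline guessing.
Constructed example; alphabet sizes and the offline rate are assumptions."""
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabets. "Unambiguous" = 26 lowercase + 10 digits minus the
# look-alikes i, l, o, 0, 1 (= 31). One symbol from 32 printable ASCII
# punctuation characters, inserted at any of length + 1 positions.
ALNUM = 62
UNAMBIGUOUS_LOWER_DIGIT = 31
SYMBOLS = 32

ONLINE_RATE = 50.0          # guesses/sec, the rate-limited figure from the thread
OFFLINE_RATE_ASSUMED = 1e6  # guesses/sec against a leaked hash (assumption)


def search_space(alphabet: int, length: int) -> int:
    """Candidate passwords of exactly `length` chars drawn from `alphabet` symbols."""
    return alphabet ** length


def space_with_one_symbol(alphabet: int, length: int, symbols: int) -> int:
    """`length` base chars plus exactly one symbol placed at any of length+1 slots."""
    return alphabet ** length * symbols * (length + 1)


def entropy_bits(space: int) -> float:
    """Guessing entropy of a uniformly chosen password from `space` candidates."""
    return log2(space)


def years_to_exhaust(space: int, rate: float) -> float:
    """Time for an attacker at `rate` guesses/sec to try every candidate."""
    return space / rate / SECONDS_PER_YEAR


def report(label: str, space: int) -> str:
    """One-line summary: entropy, online years, offline days."""
    online = years_to_exhaust(space, ONLINE_RATE)
    offline_days = years_to_exhaust(space, OFFLINE_RATE_ASSUMED) * 365.25
    return (f"{label}: {entropy_bits(space):.1f} bits; "
            f"online {online:.3g} years; offline {offline_days:.3g} days")


if __name__ == "__main__":
    print(report("9 random alphanumerics", search_space(ALNUM, 9)))
    print(report("6 unambiguous + 1 symbol",
                 space_with_one_symbol(UNAMBIGUOUS_LOWER_DIGIT, 6, SYMBOLS)))
```

Under these assumptions the 6+1 minimum survives about 126 years online but roughly two days offline, which is why the offline case has to be handled by salting and a slow KDF rather than by the password policy alone.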
On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
> Security is *always* opposed to convenience.

False. OS X by default runs only signed binaries, and if they come from the App Store they run in a sandbox. User gains significant security with this, and are completely unaware of it. There is no inconvenience.

What is the inconvenience of encrypting your device compared to the security? Zero vs a ton more secure (either when turned off and data is at rest or a remote kill that makes it very fast to effectively wipe all data)

> I'm still not seeing how it's difficult to remember, securely record, type, or transcribe a password that will pass the new restrictions. They're on the mild side, as these things go.

I disagree to the point I'd stop using products based on such restrictions. I will not participate in security theatre, other than to be theatrically irritated. I'm guessing you're not a tester or much of a home user. There are many such people using OS X, Windows, and yes Fedora and likely CentOS, where environments and use case preclude compulsory compliance because the risk is managed in other ways.

And Apple and Microsoft have been working to kill login passwords for a while. Google and Facebook too. No one likes them. And our trust in them is diminishing. They are not long term tenable. Making longer ones compulsory already causes companies who do so grief as people complain vociferously about such policies.

> I have no strong feelings on the new libpwquality rules, exactly. What I do feel strongly about is that there should be *some* reasonable minima that can't easily be bypassed.

This idea that opt in is not sufficient demonstrates how archaic and busted computer security is when you have to become coercive to everyone regardless of use case to make it safe.

In any case, the complaint over on the Fedora proposal has been sufficiently addressed, even though the details are still being worked out. The gist is that the user will have informed consent, and will opt in to better quality passwords. So they will essentially be told a. the password they've proposed sucks, b. fairly clear information on why it sucks, c. the option to change it or continue anyway.

> I don't see why we can't take some responsibility for this mess and try to build up some herd immunity.

Because there is no such thing when it comes to computers. Computers with strong passphrases still sometimes get pwned, and at a much higher rate than vaccines not working. Please stop with this hideously bad analogy. Computers with NO passwords are often not ever getting pwned for their entire lifetime, and those computers, a.k.a. mobile devices, are used in public spaces, on public wifi, on public networks. Anyone without vaccines in such proximity to illness would definitely get sick. That doesn't happen with computers.

The environment has changed, and the old architectures and methods aren't working the way they did. And somehow free open source software has got to do better than it has been with security, because proprietary systems are innovating more in this space right now, and aren't passing the buck onto the user with this burden in the form of stronger password requirements.

Besides, it's FOSS for a reason and people will opt out because ultimately you can't make them do what you want. Apple and Microsoft could possibly get away with it. I think their customers would become foaming irate, however.

-- 
Chris Murphy
Valeri Galtsev
2015-Jul-30 15:54 UTC
[CentOS] Fedora change that will probably affect RHEL
On Wed, July 29, 2015 4:16 pm, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:
>> Just because one particular method of prophylaxis fails to protect
>> against all threats doesn't mean we should stop using it, or increase
>> its strength.
>
> Actually it does. There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.
>
> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.
> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.
>
> Now I use Google. They offer MFA opt in. And now I'm more secure than
> I was with the myopic ISP.

"More secure" only to the level one can trust google ;-)

Just my $0.02

Valeri

>
> Apple and Microsoft (and likely others) have been working to deprecate
> login passwords for years - obviously they're not ready to flip the
> switch over yet, it isn't an easy problem to solve, but part of why
> they haven't had more urgency is because they are doing a lot of work
> on peripheral defenses that obviate, to pretty good degree, the need
> for strong passwords, relegating the login password to something like
> "big sky theory" - it's safe enough to tolerate very weak passwords
> in most use cases. The highest risk, by a lot, is from a family
> member.
>
> I'm not arguing directly against strong passwords as much as I'm
> arguing against already unacceptable usability problems resulting from
> stronger password policies, because it doesn't scale. Making policies
> opt out let alone compulsory is unacceptable. Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.
>
>
> --
> Chris Murphy
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>> Now I use Google. They offer MFA opt in. And now I'm more secure than
>> I was with the myopic ISP.
>
> "More secure" only to the level one can trust google ;-)

Yes I know, but I put them in approximately the same ballpark as having to trust my proprietary CPU, and proprietary logic board's proprietary firmware.

-- 
Chris Murphy
Always Learning
2015-Jul-31 02:04 UTC
[CentOS] Fedora change that will probably affect RHEL
On Thu, 2015-07-30 at 10:54 -0500, Valeri Galtsev wrote:
> "More secure" only to the level one can trust google ;-)

Trust and Google are mutually incompatible ;-)

> Just my $0.02

That's my ?0.02

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.