CentOS - Jul 2015 - Fedora change that will probably affect RHEL

On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com>
wrote:
> Just because one particular method of prophylaxis fails to protect against
all threats doesn?t mean we should stop using it, or increase its strength.
Actually it does.There is no more obvious head butting than with
strong passwords vs usability. Strong login passwords and usability
are diametrically opposed.

The rate of brute force attack success is exceeding that of human
ability (and interest) to remember ever longer more complex passwords.
I just fired my ISP because of the asininity of setting a 180
compulsory expiration on passwords.

Now I use Google. They offer MFA opt in. And now I'm more secure than
I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate
login passwords for years - obviously they're not ready to flip the
switch over yet, it isn't an easy problem to solve, but part of why
they haven't had more urgency is because they are doing a lot of work
on peripheral defenses that obviate, to pretty good degree, the need
for strong passwords, relegating the login password to something like
"big sky theory"  - it's safe enough to tolerate very weak
passwords
in most use cases. The highest risk, by a lot, is from a family
member.

I'm not arguing directly against strong passwords as much as I'm
arguing against already unacceptable usability problems resulting from
stronger password policies, because it doesn't scale. Making policies
opt out let alone compulsory is unacceptable.  Even as the policies
get stronger people's trust in password efficacy relating to security
continues to diminish.


-- 
Chris Murphy

On Jul 29, 2015, at 3:16 PM, Chris Murphy <lists at colorremedies.com>
wrote:
> 
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com>
wrote:
>> Just because one particular method of prophylaxis fails to protect
against all threats doesn?t mean we should stop using it, or increase its
strength.
> 
> Actually it does.There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.
Security is *always* opposed to convenience.

The question is not ?security or no security,? it?s ?how much security??

The correct answer must balance the threats and risks.  Given that the threats
and risks here are nontrivial, the password quality restrictions should also be
nontrivial.
> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.
You must consider offline and online attack scenarios separately.

Online we have already dealt with: 50 guesses max/sec, allowing a 9-character
random password to survive a million years of constant attack.

Offline is an entirely separate matter, and is already addressed by /etc/shadow
salting and hashing in CentOS.  We know how to make it even stronger if the
threat requires it: move to OTP keys, use a better KDF than SHA512, etc.
> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.
Good for you.  Password expiration is silly.  A good strong password should last
years under any reasonable threat.

But we?ve not been talking about password expiration here.
> The highest risk, by a lot, is from a family member.
Of course.  It?s why Bruce Schneier wrote only one book on cryptography, but
several on human factors.

That does not tell us that we should be sloppy with our crypto and
authentication methods, though.
> it doesn't scale
I?m still not seeing how it?s difficult to remember, securely record, type, or
transcribe a password that will pass the new restrictions.  They?re on the mild
side, as these things go.

If you wanted to use the GRC password haystack calculator results to argue for a
slight reduction in the defaults, I could get behind that.

Six random characters pulled only from the unambiguous subset of the
alphanumeric set, no uppercase, and one symbol gets you a password that should
withstand constant pounding for the life of the machine.  I could live with that
minimum.

I have no strong feelings on the new libpwquality rules, exactly.  What I do
feel strongly about is that there should be *some* reasonable minima that can?t
easily be bypassed.  Where that level is set is not only a sensible subject for
debate, it is one that?s easy to separate from emotion; it?s basically a
question of arithmetic.
> Making policies
> opt out let alone compulsory is unacceptable.
I don?t see why we can?t take some responsibility for this mess and try to build
up some herd immunity.
> Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.
Passwords are what we have today.  Strengthening them to a level that will
suffice until something better comes along is reasonable.

On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
> Security is *always* opposed to convenience.
False. OS X by default runs only signed binaries, and if they come
from the App Store they run in a sandbox. User gains significant
security with this, and are completely unaware of it. There is no
inconvenience.

What is the inconvenience of encrypting your device compared to the
security? Zero vs a ton more secure (either when turned off and data
is at rest or a remote kill that makes it very fast to effectively
wipe all data)

> I?m still not seeing how it?s difficult to remember, securely record, type,
or transcribe a password that will pass the new restrictions.  They?re on the
mild side, as these things go.
I disagree to the point I'd stop using products based on such
restrictions. I will not participate in security theatre, other than
to be theatrically irritated.

I'm guessing you're not a tester or much of a home user. There are
many such people using OS X, Windows, and yes Fedora and likely
CentOS, where environments and use case preclude compulsory compliance
because the risk is managed in other ways.

And Apple and Microsoft have been working to kill login passwords for
a while. Google and Facebook too. No one likes them. And our trust in
them is diminishing. They are not long term tenable. Making longer
ones compulsory already causes companies who do so grief as people
complain vociferously about such policies.

> I have no strong feelings on the new libpwquality rules, exactly.  What I
do feel strongly about is that there should be *some* reasonable minima that
can?t easily be bypassed.
This idea that opt in is not sufficient demonstrates how archaic and
busted computer security is when you have to become coercive to
everyone regardless of use case to make it safe.

In any case, the complaint over on the Fedora proposal has been
sufficiently addressed, even though the details are still being worked
out. The gist is that the user will have informed consent, and will
opt in to better quality passwords. So they will essentially be told
a. the password they've proposed sucks, b. fairly clear information on
why it sucks, c. the option to change it or continue anyway.

> I don?t see why we can?t take some responsibility for this mess and try to
build up some herd immunity.
Because there is no such thing when it comes to computers. Computers
with strong passphrases still sometimes get pwned, and at a much
higher rate than vaccines not working. Please stop with this hideously
bad analogy. Computers with NO passwords are often not ever getting
pwned for their entire lifetime, and those computers, a.k.a. mobile
devices, are used in public spaces, on public wifi, on public
networks. Anyone without vaccines in such proximity to illness would
definitely get sick. That doesn't happen with computers.

The environment has changed, and the old architectures and methods
aren't working the way they did. And somehow free open source software
has got to do better than it has been with security, because
proprietary systems are innovating more in this space right now, and
aren't passing the buck onto the user with this burden in the form of
stronger password requirements.

Besides, it's FOSS for a reason and people will opt out because
ultimately you can't make them do what you want. Apple and Microsoft
could possibly get away with it. I think their customers would become
foaming irate, however.


-- 
Chris Murphy

On Wed, July 29, 2015 4:16 pm, Chris Murphy wrote:
> On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com>
wrote:
>> Just because one particular method of prophylaxis fails to protect
>> against all threats doesn???t mean we should stop using it, or increase
>> its strength.
>
> Actually it does.There is no more obvious head butting than with
> strong passwords vs usability. Strong login passwords and usability
> are diametrically opposed.
>
> The rate of brute force attack success is exceeding that of human
> ability (and interest) to remember ever longer more complex passwords.
> I just fired my ISP because of the asininity of setting a 180
> compulsory expiration on passwords.
>
> Now I use Google. They offer MFA opt in. And now I'm more secure than
> I was with the myopic ISP.
"More secure" only to the level one can trust google ;-)

Just my $0.02

Valeri
>
> Apple and Microsoft (and likely others) have been working to deprecate
> login passwords for years - obviously they're not ready to flip the
> switch over yet, it isn't an easy problem to solve, but part of why
> they haven't had more urgency is because they are doing a lot of work
> on peripheral defenses that obviate, to pretty good degree, the need
> for strong passwords, relegating the login password to something like
> "big sky theory"  - it's safe enough to tolerate very weak
passwords
> in most use cases. The highest risk, by a lot, is from a family
> member.
>
> I'm not arguing directly against strong passwords as much as I'm
> arguing against already unacceptable usability problems resulting from
> stronger password policies, because it doesn't scale. Making policies
> opt out let alone compulsory is unacceptable.  Even as the policies
> get stronger people's trust in password efficacy relating to security
> continues to diminish.
>
>
> --
> Chris Murphy
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev
<galtsev at kicp.uchicago.edu> wrote:
>> Now I use Google. They offer MFA opt in. And now I'm more secure
than
>> I was with the myopic ISP.
>
> "More secure" only to the level one can trust google ;-)
Yes I know, but I put them in approximately the same ballpark as
having to trust my proprietary CPU, and proprietary logic board's
proprietary firmware.


-- 
Chris Murphy

On Thu, 2015-07-30 at 10:54 -0500, Valeri Galtsev wrote:
> "More secure" only to the level one can trust google ;-)
Trust and Google are mutually incompatible ;-)
> Just my $0.02
That's my ?0.02

-- 
Regards,

Paul.
England, EU.      England's place is in the European Union.