Owen -

Good observations...


Why?
1 - To be secure, you depend on the ISP to be secure. That's OK, but does fail often.
Do you mean the server(s) and intranet of the service being used? Or do you mean your (and their) first-mile provider? If you mean the former, any service is only as secure as the one you are entrusting to provide it.
2 - Apparently length of passwords is the high order bit for crackability. We humans dislike typing 20 character passwords, especially on our phones, and it's extremely likely to be mistyped at least once; the probability of a typo goes up with each keystroke.
Complexity order M^N goes up faster than N^M for increasing N (the length of the string matters more than the size of the alphabet for brute-force). I find long passwords just fine if I have a keyboard. Admittedly, my mental password generator is mnemonic, but not particularly dictionary-worthy.

3 - We are also instructed to have a different password for each login. Humans simply cannot do that; they are limited. Thus they resort to a formula like two phrases with a 3-4 character difference in the middle, with some significance like "azn" or "books" for Amazon.
Significance can be metaphorical or appositional too. In my own case, I apply rude concepts (with mangled spelling) to avoid the temptation to *ever* share my password or allow it to be stored in clear text... they are just appalling. I suspect someone has done a study on how much complexity using idiosyncratic phonetic spelling variations expands the dictionary. I suppose it does nothing for rainbow table and brute-force attacks. It also gives me a little bit of satisfaction each time I diss Jeff Bezos, Steve Jobs, Bill Gates in street argot not even likely to be found on the internet.

4 - Most ISPs have their own rules for passwords, and likely any formula will fail on a percentage of them. Thus a formula will only work part of the time. Maybe there is a subset that most ISPs accept? I found UNM, and my bank, for example, failed to accept a formula I tried.
I have backup (back-down) plans for overly restrictive systems... especially those that don't like special characters or caps.

5 - This leads to KeePass, 1Password etc. to remember all your passwords for you. Silly, but still appears reasonable. But they typically fail in certain situations. Ex: they are designed for browser use so are plugins/bookmarklets. But what if you have a phone "app"? Won't work. So you have to do stupid tricks to go to the pw app and cut/paste.
Yes, clumsy.

6 - The latest trend to improve this is two-fold:
6.1: Reduce number of logins: Use OAuth to have just a few accounts that are very secure. As soon as Twitter, Google, Facebook, Moz, Yahoo, ... and the rest of the "standard ISPs" all have OAuth (or equivalent), and are used by the vast majority of the other sites (forums, stores, ...) we have reduced the complexity of the user. Probably will work with all non-credit-card sites.
I like the convenience but don't like having my eggs in a single basket. I'm giving over to it for "trivial" services... for example, AutoCAD's 123D products let me defer to Google Login. Yes, this lets the NSA right into my business (where they surely already are anyway) and anyone *else* who can hack Google. I trust Google more than Facebook for this. But I'm not inclined to do this with my bank, with Amazon, etc.
6.2: 2-factor: How to make it more secure? So far 2-factor works out pretty well. It would require a standard pin generator; Google's is pretty effective. Have to do this to reduce the pile of silly physical pin generators.
Two-factor also implies two of: "who you are", "what you have", "what you know". So, an ATM card and a PIN or a retinal scan and a PIN are better than a password and a PIN.

I'm not sure this will work; it's too complicated for most people. We might be able to have a single pin dongle for 2-factor, which could help. Thus far 2-factor for me has been the best, and I use that account via OAuth for all the forums, mail lists etc. that accept that. Even stores, as long as they don't keep the credit card info.
LANL (and all of DOE/DOD?) has been using clock-synced CryptoCards for a long time (15 years?)... Ray may know more of their potential vulnerabilities but for a single two-factor authentication, I think they are as good as it gets still?

The fallback is a password keeper as mentioned above. But do you really want it to keep all your passwords? You're dead without it (travel etc.) and it simply doesn't work in all situations (apps vs. browser) and it's a bit creepy to depend on a computer program for all your security.
I've always felt terribly vulnerable (especially international travel) knowing that I was "dead" (in the water) without my ID. And by extension, my wallet. Thus all the shenaniganry of keeping photocopies of everything in a separate place from your wallet, etc.

My last trip to Europe, I photographed everything with my iPhone (including my reservations, itineraries, passport, driver's license, credit cards (front only, memorizing my security code)), mostly out of convenience (so, at a glance I could get certain info without rummaging, etc.). Unfortunately it would have been a rich storehouse (the only things missing from it were things committed to memory like Soc Sec, Mother's Maiden, PINs, passphrases/passwords) for identity thieves. I also managed to (temporarily) disable my phone by dropping it into a 1" deep cup of ice water (don't ask), which completely bolloxed an important plan for the next morning. Fortunately the water *only* interfered with the backlight (took me a while to figure that out) and when it dried 12 hours later, it came back to normal, but it made me aware of how dependent I was on that single device (in this case Google Maps directions/address and a phone number of a contact).



Sigh.
I felt *very* uncomfortable leaving my passport with people (hotels, etc.) who used it as a simple "surety" measure.

We haven't really *solved* the problem of identity /en Verite/ yet, why do we think we can solve it /en Virtu/?

Sigh,
 - Steve
PS: it is worth noting that a great deal of the mechanisms of molecular biology (especially virology) have a lot in common with this problem... self-vs-other and defeat mechanisms using massively parallel attacks.

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com