password plurality

A couple of days ago I set up an AD domain controller for my workplace. I was faced with a dilemma that I still am not 100% decided on: what should I do about passwords?

See, the passwords my users are using right now are really, incredibly, disturbingly weak. They’re short, they’re bad, they’re all-lowercase dictionary words, stuff like that. Terrible, terrible passwords.

But I was thinking … why is it like that? Part of the reason, I think, has to do with what I’m going to call password plurality.

I did a little personal inventory. I’ve used a variant of the same core password for like 6 years. I change bits of it, but it’s the same basic idea… even if the accumulation of changes has made the original idea indecipherable. But across that same core idea, I’ve gone through at least 9 variants.

So I was thinking, where do I use these variants? Well, the strongest ones are always on my bank account access, and anything financial. Then there’s another tier, my “current normal password”. Then there’s the “less trusted, older” tier. So I have 3 password tiers that I consider, and password variants get demoted from one to the other.

Now, this sounds like a bad idea, but realistically, my weakest passwords are strong enough that nobody’s going to break them outright. It would require that my sysadmin, armed with my LanMan hashes, spent a day or two on a fast machine with John the Ripper, or spent some serious time computing rainbow tables so they could O(1) lookup my hashes. They’re reasonably strong, for what they’re protecting, and still reasonably easy to remember and type.
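Since LanMan hashes and John the Ripper come up above, here is an added example (not code from the original post) showing the key-preparation step of the LM hash and what it does to the cost of cracking a password. Only that preprocessing is implemented; the per-half DES encryption of the constant string is left out, because the weaknesses are already visible before DES runs: the password is upper-cased, cut or padded to 14 bytes, and split into two 7-byte halves that are hashed independently. The charset sizes (69 for case-folded printable ASCII, 95 for full printable ASCII) and the sample passwords are assumptions made for the example, not anything taken from the post.

```python
"""LM hash key preparation and why it makes "strong enough" passwords cheap to crack.

Added example, not code from the original post.  Only the LanMan preprocessing
is implemented; the DES step that encrypts the constant "KGS!@#$%" with each
7-byte half as a key is omitted, since the structural weakness is in the
preprocessing itself.
"""

LM_MAX_LEN = 14
LM_HALF_LEN = 7

# Assumed charset sizes (an assumption of this example): 69 = 26 upper-case
# letters + 10 digits + 33 printable punctuation, because LM folds case so
# lower-case letters add nothing; 95 = full printable ASCII for comparison.
LM_CHARSET = 69
FULL_CHARSET = 95


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte DES key inputs LM derives from a password.

    LM upper-cases the password, keeps at most 14 bytes, null-pads to 14 and
    splits the result into two halves that are hashed independently of each
    other.  A password of 7 characters or fewer therefore has an all-null
    second half, whose hash is a well-known constant.
    """
    prepared = password.upper().encode("latin-1", errors="replace")[:LM_MAX_LEN]
    prepared = prepared.ljust(LM_MAX_LEN, b"\x00")
    return prepared[:LM_HALF_LEN], prepared[LM_HALF_LEN:]


def effective_length(half: bytes) -> int:
    """Bytes in a half an attacker actually has to guess; trailing nulls are
    implied by the padding rule, so they are not secret."""
    return len(half.rstrip(b"\x00"))


def lm_guess_cost(password: str) -> int:
    """Upper bound on brute-force guesses against the LM hash of `password`.

    Each half is attacked on its own, so the cost is the *sum* of the two
    per-half search spaces, never more than 2 * 69**7, regardless of how long
    or how mixed-case the original password was.
    """
    return sum(LM_CHARSET ** effective_length(h) for h in lm_halves(password))


def full_guess_cost(password: str) -> int:
    """Cost of the same password against a hash that keeps case and full
    length (the NT hash, for example), assuming the attacker knows the length."""
    return FULL_CHARSET ** len(password)


def share_lm_first_half(a: str, b: str) -> bool:
    """True if two passwords yield the same first LM half: cracking one variant
    then hands the attacker the first 7 characters of the other for free.
    This is exactly what happens with "variants of the same core password"."""
    return lm_halves(a)[0] == lm_halves(b)[0]


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration, not the author's.
    samples = ("animefan", "Tsukasa2004", "Tsukasa2005", "correct horse battery")
    for pw in samples:
        first, second = lm_halves(pw)
        print(f"{pw!r:24} halves={first!r}, {second!r}  "
              f"LM cost <= {lm_guess_cost(pw):.2e}  "
              f"case-sensitive cost {full_guess_cost(pw):.2e}")
    print("variants share first half:",
          share_lm_first_half("Tsukasa2004", "Tsukasa2005"))
```

The point the numbers make: against an LM hash a 14-character mixed-case password costs at most about 2 × 69^7 guesses, while the same password against a case-preserving hash costs 95^14, which is why LM hashes fall to John the Ripper or rainbow tables in hours and why the "demote an old variant to a lower tier" habit is riskier than it looks when the variants share their first seven characters.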

The problem is, I started trying to access some old sites I’ve used in the past. And I can’t remember them all.

So I started making a list. The original goal (which I still haven’t really tried to do) is to bring all passwords up to their appropriate current trust-level password. Reasonable enough, right?

So, I’ve got 6 different usernames (complich8, computerizedyoga, archlich, two based off my real name, and my icq number). I’ve got 10 different passwords in total. Now, I know one of those passwords is bound to the icq number, and two of those logins are bound to specific locations (purdue and zoneedit). Moreover, another one is slashdot-only (it was a transitional one, between being geeky enough to participate in slashdot discussions and being geeky enough to be a fansubber). So on random internet site X that I’ve got a login and password for, if the username is a normal username, it’s a 50-50 chance that I guess the right name. If it’s an email, I’ve got a 1 in 3 shot.

Then, off of that either 50% or 33% chance of getting the right username, I’ve got a 1 in 6 or so chance of guessing the right password (after eliminating passwords that only have specific locations).

I came up with 46 different places that I have accounts that I know of. I probably missed several, and it’s probably closer to 50. So if one password were compromised, I would have to change it in at least 46 different places. That’s sort of a mess, you know?

So I recently changed my PGP key password from an older “strong” level to a newer one, and that required changing the gnupg password in 2 places. And I migrated my home computer and my work password to the new pass, and that required changing it in loads of places (home computer, fileserver samba, fileserver shell, alternate samba, alternate shell, work workstation, work domain, work on 3 shell-only servers, work on a samba server outside the lab). Plus changing the gnupg password on the win home machine and the linux workstation. So to change the one password associated with work that I type every day, I had to do 14 distinct password changes! How stupid is that?

Now, I could alleviate this, by setting up a NIS domain to propagate shell changes, joining my home pc to a samba domain, so on and so forth. But that still only addresses the things that are in my zone of control!

Now, let’s see if I want to change the password at all the places I can remember related to anime. So there’s gotwoot, animesuki, animenfo, anime-planet forums. I think I’ve got a username/password with RightStuf, so that’s another one. Amazon, but now we’re also into “shopping”. So amazon, newegg, dell home, how many other places have I shopped in the last year or two? Or three? Cripes, when I was in the dorms I was ordering stuff every week from various places. Do I have an account with the apple store? How about the bank I got the loan for my old laptop from, three or four years ago? I don’t even remember that bank’s name! And did they change names in that time?

Then there’s chat services. I’m registered on at least 4 irc networks, used to be more but I’m sure those accounts have gone unused and gotten unregged by now, so that’s less to remember. AIM? Yeah, I don’t remember which pass it is for aim. ICQ I know. How about jabber? I’ve got a jabber.org and a phsi jabber account. I’ve also got MSN passport. Then there’s private torrent sites … torrentbytes, etc. And the shells on gotwoot and mt. Mysql passwords! Gallery and wordpress! Dreamhost!

Yeah … so this just keeps going. I am pretty sure I can’t remember all the places I have passwords. I hope they’ve got good password accounting policies, and prune unused accounts at regular intervals, but I know some of them don’t.

So yeah, I guess I can really see the appeal of things like Passport, or another centralized authentication system. I doubt most people have it as bad as I do, because of all the random shells and such that I’ve got… but think about what the average college student has: it’s probably 2 or 3 im services, a career account, gmail, amazon, maybe two other online stores, something like myspace, facebook.

Spaf recently made a blog post that caught slashdot attention, talking about how forced periodic password changes are basically stupid security. I’m finding myself in agreement… but I think it goes deeper than that.

There’s really a serious need, if security admins are going to expect their users to remember their passwords, for centralized authentication. Auth once, prove who you are to the whole system, and the whole system hands out the privs you get, on a net-wide level.

At least … I think it’d be nice. ’cause really, who can change ALL of those passwords, right?