This discussion started in TWikiCommunity with the introduction of forced password changes every 6 months.

Every additional place that demands a password decreases the overall security of the whole system, for everybody. They offer false security which is often worse than no security at all. I'd be quite happy to elaborate on this if anybody wants.

-- MattWilkie - 21 Apr 2004

I'm with Matt regarding the forced password change issue because I think it's not necessary. Maybe I'm a dreamer, but I believe in the trustworthiness of the community.

-- FranzJosefSilli - 22 Apr 2004

Matt, I am trying my best to do the right thing for the community. It is simply impossible to please everybody. I hope that people appreciate the additional freedom.

Franz, good that you bring that forward so that we can solve a misunderstanding. I fully trust the community, it is all about reducing risks.

The reason for the password policy is best explained with a hypothetical example: Let's assume that there is a security flaw where anyone who has the permission to rename topics can gain TWikiAdminGroup rights. Before the recent policy change, a malicious person had 9 accounts available for cracking. With the new policy he has a much easier task because there are now around 100 accounts available.

The change password policy has three purposes:

  1. Make members aware of the risks involved with added responsibility
  2. Reduce the risk of making accounts available to malicious people
  3. Reduce the risk by removing inactive accounts, e.g. limiting the number of members

Example on point 2: In the early days of SourceForge, I was very surprised to see my SF password posted on a web site in plain text along with many other SF users' (although I changed it immediately after the SF alert).

-- PeterThoeny - 23 Apr 2004

  • At least 2 username/password/domain triplets where I work
  • My door code for work
  • 2 credit card pin numbers
  • Password and memorable word for online banking
  • Numerous website username/password pairs, most of which fall into half a dozen combinations, or use some mnemonic related to the site.
  • etc.

There is a similar list in Donald A. Norman's The Design of Everyday Things:

"It is one thing to have to memorize one or two secrets: a combination, or a password, or the secret to opening the door. But when the number of secret codes gets too large, memory fails."

"I cheat and make all my computer accounts use the same password."

Addressing the points above:

  1. Since there is very little that members can do to reduce these risks, their awareness of them is irrelevant.
  2. If malicious people can crack the old password they can crack the new one. Frequent changes may even give them more opportunity to obtain passwords.
  3. This is already addressed by removing members who are not active for more than 6 months.

And finally, since ResetPassword will produce a different hash for the same password on each submission I intend to resubmit the same password if I am ever required to change it.

(PS: here is an interesting paper on passwords that I found while writing the above.)

-- SamHasler - 23 Apr 2004
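The observation above (that ResetPassword yields a different hash each time the same password is submitted) is exactly what a salted hash is supposed to do, and it is also why comparing hash strings can never tell a server that the "new" password is the old one. The added example below is not TWiki's code and does not claim to reproduce its ResetPassword implementation; it assumes a PBKDF2-SHA256 scheme with a random 16-byte salt and an illustrative work factor, and shows the check a server actually has to run if it wants to reject password reuse: verify the proposed password against the stored old hash, not against a fresh hash.

```python
"""Added example (not TWiki's own code): a salted hash changes on every
submission, so reuse of the old password can only be detected by verifying
the proposed password against the OLD stored hash.

Assumptions: PBKDF2-SHA256, 16-byte random salt, work factor below.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this illustration only


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is drawn on every call, so two hashes of the same
    password differ, which is the behaviour the thread above describes.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def naive_reuse_check(new_password: str, old_stored: str) -> bool:
    """Broken check: hashes the new password with a fresh salt and compares
    strings. With a salted scheme this is always False, so reuse slips through."""
    return hash_password(new_password) == old_stored


def proper_reuse_check(new_password: str, old_stored: str) -> bool:
    """Correct check: verify the proposed password against the old hash."""
    return verify_password(new_password, old_stored)


def password_change_allowed(new_password: str, old_stored: str, history: list) -> bool:
    """True if the proposed password matches neither the current hash nor any
    hash in the (assumed) history list; False if it is a reuse."""
    return not any(verify_password(new_password, h) for h in [old_stored, *history])


def change_password(new_password: str, old_stored: str, history: list) -> str:
    """Reject reuse; otherwise return the new stored hash (with a new salt)."""
    if not password_change_allowed(new_password, old_stored, history):
        raise ValueError("new password matches the current or a previous password")
    return hash_password(new_password)


if __name__ == "__main__":
    first = hash_password("correct horse battery")
    second = hash_password("correct horse battery")
    print("same password, different hashes:", first != second)
    print("naive check sees reuse?       ", naive_reuse_check("correct horse battery", first))
    print("proper check sees reuse?      ", proper_reuse_check("correct horse battery", first))
```

The practical consequence for the thread: a server that stores salted hashes and wants to enforce "you must pick a different password" has to keep the old hash around (and a bounded history, if it wants to block cycling back) and run `proper_reuse_check` at reset time. Without that, resubmitting the same password, as proposed above, is indistinguishable from a genuine change.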

Thanks Sam, your list largely overlaps mine. I'm going to dump a piece I wrote a while ago on this here with the aim of recruiting aid refactoring it into something more like a real article.

-- MattWilkie - 21 Apr 2004


Passwords and Security

It is the responsibility of the individual to "Use different passwords at Websites and on every machine you use."

Yeah, right. Sure.

On average I use 3 machines a day with at least four separate accounts on each of those (regular user, power user, administrator, web admin, db admin, etc.). Add to that the half a dozen password-enabled (or, increasingly, password-demanding) websites I visit regularly, plus the dozen or so more I see from time to time, and I have a real password management problem. Oh, don't forget that effective passwords need to be changed often. And the bank machines. And the security door[*] at work. And...

I used to have different passwords for different machines and different tasks that I changed regularly and often. Then I had to restore a year-old password-protected backup tape.... Need I say it never happened?

As I see it there are three possible solutions:

  • Pick a small number of passwords according to general task (admin, general use, finance, internet) and use them everywhere.
  • Be responsible, use different, often-changing passwords for everything, and:
    • write it all down in a convenient little text file buried in $home
    • post-it notes in the top desk drawer
  • Invent a personal algorithm based on the name of the service, say reverse the letter order, number-substitute and then add them up and subtract the year and month. (All the while hoping to God the name doesn't get changed.)

[*] At an office I used to work at we each had individual codes to disarm the building security. For the first while I was forever forgetting my number, so I would wait until somebody else showed up. The front desk clerk cheerily said "Oh just use mine. It's 7777". So I did, because I could remember it easily. A year or so later the clerk was let go because of psychiatric problems (manic-depressive with a healthy dose of paranoia as I recall). We were told to lock our individual office doors in case this out-of-his-head person entered the building after hours seeking revenge (which was a total load of hooey. Nobody was ever in physical danger from this misguided individual, but that's another story). When I left the office a year after that 7777 still worked...

  • How much of the above is from The Design of Everyday Things? I recognise it but I don't have my copy to hand to check the quote. -- SH
    • Well, I haven't read that book yet, so none of it (although it is on my must-read list). -- MattWilkie - 26 Apr 2004
      • My memory is Swiss-cheesed; I must have read that on twiki.org while I was reading The Design of Everyday Things. -- SH

Bob Cringely wrote a really good essay on the problem with advice much the same as above, but I can't remember which article it was.

Bruce Tognazzini weighs in with Security D'ohLTs. My favourite excerpt is "Only a D'ohLT would come up with a security scheme that is so overly complex that it's guaranteed people will write down their passwords." Can't really get much clearer than that, can we?

By the way, the only reason a user name and password is required for my site is so that edits aren't attributed to 'guest'. The minute twiki gets silent personalization the login prompt here is gone.

-- MattWilkie


Interesting discussion, but it's really not a good idea to discuss security holes in TWiki on TWiki.org, as mentioned in TWikiSecurityAlertProcess. I've zapped the whole topic history and deleted those comments since the security hole discussion by Matt was in the first revision...

I realise applying policy retrospectively is dodgy but it seems better than leaving information out there that applies to many shared web hosts - please continue policy discussions in TWikiSecurityAlertProcess, and email the SecurityTeam if you find potential security holes, even if they only appear to affect TWiki.org.

-- RichardDonkin - 26 Jan 2005

Richard, you also lost at least two of the most recent edits to this topic. Someone asked me to elaborate and I did. That was ~3 days ago. I don't know if there were intervening edits.

-- MattWilkie - 26 Jan 2005

Topic revision: r2 - 2005-01-26 - MattWilkie