[cap-talk] Do Strong Web Passwords Accomplish Anything?
Rob Meijer
capibara at xs4all.nl
Wed Jul 22 02:54:37 EDT 2009
Hi Alan, interesting subject.
Looking at the summation in 1.1 of common advice, we can add one more:
* Don't use the same password for multiple sites.
The 3.3 section seems to advocate the (IMHO) horrible "three strikes"
approach. This approach simply does not work for several reasons:
1) Blocking the legitimate account creates a real availability/DOS issue.
2) Blocking the IP will block commonly used proxies and thus also creates
somewhat of an availability/DOS issue.
3) Blocking IP/account combinations potentially takes up massive resources
and will likely be a problem with distributed attacks.
I thus feel that the 3 strikes approach is bad, at least for 'user' accounts.
An alternative approach that I think would be preferable would be using
such an approach combined with a separation of 'user' (admin) account and
'access' (sub) account.
If each user account gives access to an administration interface allowing
users to create, remove, administrate and revoke 'access' (sub) accounts,
this might be much more usable IMHO and take away much of the problems
with the 3 strikes approach.
Thus as an example you could log in to your user account 'alan', and
create an access account 'alan:freebuldeebob2009' that for example auto
expires January first 2010. You could make limited or full access to the
'alan' resources available to 'alan:freebuldeebob2009', and even use a 3
strikes approach on 'alan:freebuldeebob2009' given that the access account
name is not public and can on being blocked easily be replaced from the
'alan' account.
This approach also allows for programs accessing the 'user' account to
create sparse cap type 'access' accounts like
'alan:5bed82d8e9f7519b9e89a186721eb08cec28083f' instead.
With respect to the list being quiet, I've been somewhat amused and
intrigued by the observation that weekends tend to kill interesting and
relatively active discussions on this (and some other) list, and am still
trying to come up with a hypothesis why this could be the case :-)
Rob
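The user/access account split described above, as an added illustration that is not code from the original post or from any real system: a 'user' account that is never locked out itself, administering 'access' sub-accounts that carry an expiry, a scope, and their own three-strikes counter, plus unlabeled sparse-capability style names. Class and function names, the PBKDF2 parameters and the MAX_STRIKES constant are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

MAX_STRIKES = 3  # "three strikes" applied only to access (sub) accounts, never to the user account


def _digest(password, salt):
    # Hypothetical storage format: PBKDF2-HMAC-SHA256, only the digest is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserAccount:
    """Administrative 'user' account. It is never blocked itself; it only
    creates, revokes and replaces the 'access' accounts that face the network."""

    def __init__(self, name):
        self.name = name
        self.access = {}  # access-account name -> record

    def create_access(self, label=None, expires=None, scope="full"):
        # No label means a sparse-capability style name: 160 random bits as 40 hex chars.
        name = f"{self.name}:{label or secrets.token_hex(20)}"
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.access[name] = {"salt": salt, "hash": _digest(password, salt),
                             "expires": expires, "scope": scope,
                             "strikes": 0, "blocked": False}
        return name, password  # password is returned once; only its hash is stored

    def revoke(self, name):
        self.access.pop(name, None)

    def authenticate(self, name, password, now=None):
        """Return the granted scope, or None. Three failures block this access
        account only; the parent 'user' account stays fully available."""
        now = now or datetime.utcnow()
        rec = self.access.get(name)
        if rec is None or rec["blocked"]:
            return None
        if rec["expires"] is not None and now >= rec["expires"]:
            return None
        if hmac.compare_digest(_digest(password, rec["salt"]), rec["hash"]):
            rec["strikes"] = 0
            return rec["scope"]
        rec["strikes"] += 1
        if rec["strikes"] >= MAX_STRIKES:
            rec["blocked"] = True
        return None
```

Blocking an access account costs the attacker nothing but costs the owner only a replacement; the lockout never reaches the 'alan' account, which is the availability point made above.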
On Tue, July 21, 2009 19:12, Karp, Alan H wrote:
> The list has been pretty quiet lately, so I thought I'd send the abstract
> of http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf.
> It might make you feel better about the weak passwords you use.
>
> We find that traditional password advice given to users is somewhat dated.
> Strong passwords do nothing to protect online users from password
> stealing attacks such as phishing and keylogging, and yet they place
> considerable burden on users. Passwords that are too weak of course
> invite brute-force attacks. However, we find that relatively weak
> passwords, about 20 bits or so, are sufficient to make brute-force attacks
> on a single account unrealistic so long as a "three strikes" type rule is
> in place. Above that minimum it appears that increasing password strength
> does little to address any real threat. If a larger credential space is
> needed it appears better to increase the strength of the userIDs rather
> than the passwords. For large institutions this is just as effective in
> deterring bulk guessing attacks and is a great deal better for users. For
> small institutions there appears little reason to require strong passwords
> for online accounts.
>
> ________________________
> Alan Karp
> Principal Scientist
> Virus Safe Computing Initiative
> Hewlett-Packard Laboratories
> 1501 Page Mill Road
> Palo Alto, CA 94304
> (650) 857-3967, fax (650) 857-7029
> http://www.hpl.hp.com/personal/Alan_Karp