
Re: [Full-Disclosure] Passwords for Chocolate!
Jeremiah Cornelius wrote:
"All because the Lady loves Milk Tray..."  The BBC has an article about
users giving up their passwords for chocolate.

Hehehehe, I really got a kick outta this. It really goes a long way to show why you do *not* need to go very fancy with technology to, e.g., attack strong crypto: quite often you ask and you shall receive the info, dammit. But that of course takes out the geek fun part.


But with that said, think of this: If you meet some pollsters on the street, who ask you anonymous questions, what exactly do you risk by giving out info that they will not be able to use? After all, in order to use it they already must know who you are etc., in which case we are already talking about a targeted social engineering attack, not some random street poll.

Also, think about it: Why not give something resembling a password if they offer you some good choc? I mean, wouldn't you? I surely would: Oh yeah, my login is "uberhax0r" and my pass is "Y0u GuYZ SuKk!" and collect my king size. ;-)

As for ID theft: I know that this is big in some countries right now, but I suspect that in some sense they are getting their money's worth when they failed to implement proper data protection legislation and practices in order not to hamper the "freedom of expression" of some direct-marketing and credit-reporting agencies... that is, the real problem is that already waaay too much data is out there about you, and often the only missing link was a quick-enough technology to link it all. This is why proper data protection starts with the premise: "Only collect and handle the data that is absolutely necessary, and only to the extent absolutely necessary, and delete it right afterwards". Of course, this causes some inconvenience and/or makes some business models harder to pursue, but imho this is an acceptable price to pay. Data like your date of birth or mother's name are such common identifiers that requiring people to keep them secret to prevent ID theft is ridiculous. The key is to keep all the other data restricted that would enable somebody to profile you, and to prevent unauthorized storage and movement of your data.

Corollary: you should not believe everything you read in surveys, especially ones that are sponsored by RSA Security to push their SecurID solutions (which will *not* help you with websites outside your company like your webmail etc. anyway).

On a more serious note, good password management has always been a dance on the edge: give too many and too random passwords, and people *will* write them down, often in insecure places. Use fewer or less random ones, and you risk a more feasible brute force attack. What is appropriate depends on the situation. In some cases, a password written down and stored in the person's wallet, which they will guard very closely for obvious reasons, is better than an easily guessed word in memory or a Post-It on the monitor; in others, the wallet is exactly the wrong place (like for debit and credit card PINs). Also, trusting only one measure of protection (good pwd policy) is not sufficient. If, in order to use the stolen password, you also need to get physically inside a building, find the appropriate office and get in there uncaught, that raises the bar. If all you need is to go to a website and enter the info, that is a different matter. Etc.

The question that the RSA guys (and other lovers of one-size-fits-all smart card etc. solutions) need to ask of themselves is this: what is worse: a pwd that possibly (but not surely) relies on some personal info, but you do not know which one and therefore stand a chance of getting nailed with your unsuccessful login attempts, or a smart card or other device getting lost with the PIN or other activation info neatly written on it or somewhere near it (like a keyring that people like wearing on some strap around their necks or loosely stuffed into their pockets with the strap hanging out. This fashion item is getting mucho use here in town atm. And people not only hang their normal keys on it but also card-keys and/or mobile phones. Which clearly shows the level of frustration people have with regard to the many keys etc. that they have to carry and remember in life.)

And no, biometry is not the answer either, at least not a conclusive one. I certainly would not trust it to make the final decision, unless the "biometry" is the receptionist flashing me a broad smile and a Hello on my way in. :-)

As usual, my HUF 0.02.

Regards:
Sz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html