Discussion about the password requirements in SAFE Launcher

You have to realize that that is 600 days (almost 2 years) that depends on the target not changing their password during that time. If they do, you have to start all over again. A once yearly password change, perhaps enforced by the network, would be enough to mitigate this attack.

1 Like

Have you seen anyone willingly changing their passwords?
I am myself paranoid and security conscious and yet I must admit that my email password has been the same for 10 years, although it doesn’t matter anymore since I am using FIDO U2F so it is irrelevant if anyone keylogs it.

There is a natural resistance to change, and you really don’t want to go through the pain of remembering a new set of passwords every time.
Nothing beats the practicality of: remembering an absurd phrase + 2FA.
Something you know + Something you have, makes authentication really practical.

I proposed way back to add some kind of biometrics that doesn’t require hardware as well: keystroke biometrics.
It could be really user friendly if the speed and style of typing itself generates the “secret” automatically.

1 Like

My point is that EVEN IF someone were willing to waste the nearly two years to crack a password, that would be upset easily by just requesting a password change on the order of once a year. The difficulty of implementing a change of password once a year is less than any form of biometrics.

4 Likes

As I said, 90% of the people will never change their passwords, so as a policy it is useless, especially if it is not enforced.
In fact, it is not even a policy, it is just a baseless hope that people MAY change their passwords every 2 years.

I’m saying you could make it a policy. Send reminders 6 months out, 3 months out, 1 month and then force a reset. It’s just like WhatsApp. They tell you 30 days before you need to upgrade your version of software and it’s done. Any attack that would work on a previous version, all of a sudden doesn’t work. No need for biometrics or terminatrix robots or anything. The simpler the solution the easier it is to adopt.

It is things like this that create the opportunity for some to be secure. Like using Linux rather than Windows when so few did etc.

It is making everyone secure that’s difficult, but that’s no reason not to ensure oneself is secure :wink:

I think it is not possible to reach the user after forcing a reset,
we only have secret and password and no other information,
where do you want to send a reset link?

And it’s not a good idea, some users might have a lot of valuable things that either are
just stored or run as sites apps, unattended, even for years if the owner wishes so …
One may have an account only for giving some resources and earning safecoin while
being anywhere on the globe for years. Let’s not overmanage users but only provide
a minimal but working solution sophisticated enough to keep usage easy and evil out.

1 Like

Well, I haven’t thought it through, but I’m almost certain it can be done. It may require some thinking in order to ‘reconnect’ a user with their data after their password has changed, but surely you’re not suggesting it is impossible/too difficult right? I mean, it’s possible to reset a user password without the owner of a site knowing what that password was. So, surely it’s possible to get a user to change their password, though again, I haven’t thought it through. But the main point was, that it is highly improbable that someone will be willing to wait the year and a half it would take to crack the password, especially if it’s possible to be reset during that time. In other words, we should avoid falling for the trap of overengineering.

You clearly never saw the real world effects of the ineffectual password policies around organizations.
Frequent password changes only sound “simple” in theory, cognitively it is a huge pain in the ass and what you actually end up incentivizing is to make the users write them down or make sequential changes to it.

It doesn’t work.

I’ve actually written software for password management, so I think I have an idea what I’m talking about. No one is talking about frequent password changes. Once a year is not frequent, and yes regularly (though not necessarily frequently) changing your password is about the strongest yet simplest thing you can do to improve your own network security. It’s silly to suggest that getting someone to change their password once a year is so difficult, while recommending a biometric method that may or may not be proven to work as an alternative. Finally, changing passwords DOES WORK. People who use passwords that are required to be changed on an interval CHANGE THEM. This is standard policy in corporate environments, so I’m not sure where all the pushback is coming from. Biometrics on the other hand, not so much.

1 Like

yeah, and they will change to charlie01 and the next to charlie02, and the next one charlie03.
Come on guys, you have to get out of the cubicle and see it from the other side. Anyone who does some pentesting and password cracking will laugh at you.

With password changing SAFE will have to prompt for the old password (to check obviously) and the new password.

Then the strength tester will use the old password to make sure the new one is different enough to be secure. So if someone decides to ignore warnings and use 01 … 02 … 03 tacked on the end they will be warned they are at very high risk of being cracked and losing control of their account and coins.

I agree that we must enforce a minimum level of security, but maybe a lot lower than some would think acceptable. We don’t know why some people may want simpler passwords, maybe it’s a test account and they don’t want to have to write it down. Maybe it’s one set up on that weekend away and they will change the password on Monday. So as long as it reaches a non-trivial level of security then provide dire warnings that they have to agree on.

Remember that cracking SAFE credentials is a lot more time consuming than other systems and if we make the minimum a non-trivial password by normal standards then perhaps warnings will suffice. If someone uses a minimal password for their personal account and clicks through the warnings then really it’s on their head.

I say this because someone somewhere will make an account creator that allows it anyhow, if you don’t allow it.

1 Like

Your sarcasm, while noted, does nothing to strengthen your position. The fact is, you cannot present a single significant objection to this idea. First you are assuming someone is going to waste a year and a half trying to crack your password. Then you assume that they are not going to be concerned with the 100% probability that the password they are trying to crack will change before they succeed. Then you’re assuming safe users are so stupid as to have not only an unreasonably short password, but to only change it by a single character (which actually makes it harder to remember as the familiarity with the old one will clash with the minor change; better to change the whole thing). Finally you’re assuming that the cracker will know they will make this mistake and will be willing to waste valuable electricity and money on continuing the attempt in spite of this knowledge. I’m sorry, but I have not enough cord with which to suspend my disbelief…

2 Likes

@Neo That is precisely the whole thing that makes it completely impractical.
@Kagetoki if you really can’t see the limitations of these policies, I have nothing else to say.

You guys must see from the psychological perspective of a user that is requested to change their password. It is literally a mental stress that they will find any way to avoid it, and such avoidance strategies are the following:

  1. Make it sequential and change minimally.
  2. AND if such minimal changes AREN’T allowed, THEY WILL END UP WRITING IT DOWN.

Some background of why it happens:
We are not designed and the majority is not trained to remember arbitrary passwords, especially those that are high in entropy. Our brain works with patterns to minimize effort (this is actually a strategy to be efficient in energy consumption of our brains).
We as a species are so averse to change that it is literally perceived as a fearful response physiologically.

So while your geeky mind considers asking for frequent changes to be a sensible solution, what you are actually doing is to perpetuate the security nightmare that plagues every freaking organization out there.

BESIDES THAT:
From behavioral psychology we also know that OPT-OUTS ARE DEFAULTS.
Warnings don’t work, and people don’t read them.
And this is extremely abused by “black hat” UX designers. They are legally covered because they wrote the warning, but they clearly know that almost nobody will opt out from purchasing the extra insurance that was automatically added to your cart, or the adware that comes with freeware. Yeah, neither did I believe there were enough people out there that didn’t tick off the yahoo toolbars, but everyone who implements such revenue streams is making a killing.

The same will happen here. You might warn them all you want that their security is low and you might even write that after logging in they must surrender their first born child, and they will still do it because they don’t care.

@Kagetoki I am not assuming, you are. I can bore you to death with research papers and statistics of how people actually behave when they create their “creative” passwords. 90% of the leaked hashes are cracked, and even those that have theoretically 40+ bits of entropy are cracked. HOW? Well I just explained to you above.
If you insist on applying ineffectual policies that AREN’T TESTED EMPIRICALLY, or even worse IGNORE THE ACCUMULATED EMPIRICAL DATA, well, it is your problem.

I know how people behave, that is what I studied. And considering that the human element is the weakest link in every single system, you should at least lend an ear and ponder about it.

You are making the main capital sin of every geek: you assume that every user must be as competent as you.
Secondly, you assume that the SAFE network will be limited among geeks, when it is very clear that the scope is to achieve mass adoption.
And common people are not stupid, they are merely humans, and if you don’t understand what makes them tick, you will simply fail.
And this is why geeks usually fail at UX, you focus on what is seemingly technically efficient but not on what is practical for commoners.

Ignoring UX in authentication, it DOES affect security in very tangible ways.
Btw, unfortunately this lack of perspective of yours will eventually lead you to get your network compromised.

Regards,

2 Likes

All of that is well and good, but this is a solved problem already. Corporations use it. Their password reset times are around 3 months. I’m suggesting one year. You should not assume you know who you’re talking to over the internet. I’m not a ‘geek’ by any means. Programming is only ONE of the things that I do. It happens to make me the most money, but I’m also a professional musician, and am fluent in 3 languages, self-taught. I’m not saying this to brag, I’m saying this to let you know you’re not talking to some cubicle-jockey, I’m about as ‘common’ a common man as can be.

It is because safe will not be limited among geeks that it is imperative that safe use a well recognizable and familiar method of account security. Biometrics are unproven, and even worse, unfamiliar. Even picture locking (where you use a picture of your face) is HORRIBLY unreliable, a friend of mine was able to unlock my phone and we do not look similar.

Furthermore, it is also unwise when it is possible that the safe network could fall to overengineering. Not being ‘too careful’. I’m frankly shocked at the level of attention this is getting. Don’t get me wrong, passwords and network security need to be done right, from the start, but why are we reinventing this wheel? Passwords are not broken, the server-client framework is! Passwords work wonders and are not the weak point in networks, it is the human factor that is the weak point.

I don’t know why you’re assuming the system will be ‘opt-out’. It will be enforced, like in my WhatsApp example. They tell you to download the latest version of software. They tell you 30 days before you have to do it. And then, that 30 days comes and you can’t use it until you upgrade. In this way, 1 billion users now have been (ostensibly) protected by encrypted communications. This is no opt-out feature, neither the encryption nor the update, so again, here your argument falls flat. Something similar would be trivial to implement for Maidsafe.

Again, the subset of people who are going to be using Maidsafe is such that they will abide by warnings for password security. And if not, it DOESN’T MATTER. Why? Because even if they don’t, any attacker will know that a large percentage (probably a majority or close) will, and their chances of getting the person who wouldn’t are not worth the risk of losing ROI. Remember, it’s not free to spend a year and half cracking passwords. You have to have your machines going 24/7 for that time, and the password can’t change or you’ve lost a whole year’s work. There is NO MONEY in such an attack.

The fact is, there is too much focus, imo, being put on this decidedly trivial issue. Biometrics, voice activation, whatever you like is overkill. The network needs security, and passwords/passphrases are enough. Msigna and any other bitcoin wallet worth their salt uses them. NEM uses them. They work. This wheel does not need reinventing.

3 Likes

Yes, corporations use it, and they are the laughingstock of the cracking community.
Really, I invite you to join any hacking convention and ask a pentester what they think about the password change policies, and where they find those “changed” passwords.

But that argument falls flat because corporate password standards are much less stringent than maidsafe’s will be. Also, the minimum password strength for corporations is much lower than Maidsafe’s. In essence, in order to make this argument viable, you must make several unwarranted assumptions. The above being one of them.

2 Likes

The question is not about the complexity but how people behave when they are faced with change.
Really, that leads to two outcomes: people will slightly modify the existing password and/or write it down.
This is a constant, and it really undermines security in a deep way.

Btw, there is no way to tell that charlie01 was changed to charlie02; the produced hash will be completely different, and you can interview anyone with experience with pentesting or system administration, this is a common topic to bitch about users and their practices. And most corporate policies are a joke UNLESS those employees are properly trained in infosec, but that is not a luxury that the laymen have.

I have a background in psychology and in computer security, and those skills are relevant to our discussion.
I also speak three languages, but I never bothered mentioning it here since I fail to see its relevance to the topic.

The relevance is that usually people who are ‘cubicle jockeys’ lack the ability to see things from other people’s perspective and relate to them; two skills that are paramount in learning a foreign language. Further, those who are only able to focus on one thing as you accuse us ‘cubicle jockeys’ of being, do not have the patience to branch out of areas they are uncomfortable in and haven’t focused on as much as their core competency. In short, your accusation is of a completely different kind of person than I am.

To the passwords, you are merely finding problems to be solved by algorithms. For example, charlie01 to charlie02. A decent algorithm can compare the new password and reject it due to similarity with the previous password. Such an algorithm would take 30 min to write, give or take, initial testing included. It is by no means a show stopper. Yet, you are not addressing the flaws with biometrics, their unreliability (may improve over time), and the near unfamiliarity (a show stopper). You complain about people who don’t want to change their passwords, but biometrics are a ton more hassle to deal with.

The fact is that Maidsafe will have/already has password strength facilities built in that are leaps and bounds above corporate. Corporate policies being a joke is beside the point, you either change your password or you can’t work. If you can’t work you get fired. 100% of employees change their passwords. Their passwords can’t be the same as the last five passwords, must contain (usually) a special character with numbers, etc. These are very basic measures, but even these alone make corporate password cracking UNFEASIBLE on a wide-scale regardless of how much of a joke they are.

I will give you an example, in computer science there is a field of study in Operating Systems. This field is dedicated to gracefully handling fatal memory issues that cause unrecoverable OS crashes. There are several techniques to mitigate this problem, each more clever and graceful than the last. Do you know which of these techniques are widely used? NONE OF THEM. It turns out just turning the computer off and on solves the issue just as well with a lot less effort, so that’s what most OS’s do. There is such a thing as overengineering. “Too much” security.