On 8 Jun 2012, at 21:55, Michael Thomas wrote:
With apps and browsers that can remember passwords why are we still insisting that users generate and remember their own bad passwords? That's one reason that I find the finger wagging tone of that Linkedin post extremely problematic -- they have obviously never even considered thinking beyond the current bad practice.
That's a fair point, well made; in practice I try to educate people on how to choose a good password by showing them bad ones and giving them a list of "Don'ts"; giving them a tool would be easier but then you have a race to the bottom for platform neutral tools which are well-written, don't repeat plaintexts and don't serve off a central authority like a website. In some ways when faced with a challenge like that I would prefer people learned how to pick their own. One pentester-friend of mine can now determine which in department employees of his customer reside because each department circulated its own rules on "how to choose a secure password" and the templates/technique are distinct from one department to the next. He brute-forces a password (possible because the passwords are 8 characters-ish and reasonably short, thereby making templates irrelevant) and then reprograms his cracking software to mess with the per-department template to crack the rest of the users in a shorter time. Having people make up their own passwords reduces scope for that sort of behaviour - you crack some of the clueless folk but the overall quantity of breaks may be reduced. Also: someone earlier mentioned "the password anti-pattern" - just to clear up a misapprehension, password security is not itself the aforementioned "anti-pattern"* but instead the actual "password anti-pattern" is (for example) surrendering your Blog password to a third party like Flickr so that it can post photos to your blog on your behalf. This sort of problem is solved by OAuth which community (unsurprisingly) is from whence the password-anti-pattern term was popularised; Google's "application-specific password" scheme addresses another aspect of the same issue. More concisely the "password anti-pattern" is "giving your password away or using it untowardly". -a