Password Complexity, Good or bad?
-
@scottalanmiller said:
@Dashrender said:
@larsen161
I won't speak for JB, but for me - it's all around cost.But you can do that for free.
How? How can you do 2FA for free in an office scenario?
Something you know and something you have.
The something you know is the password.
The something you have is the part that costs money. It is not free.
-
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
-
@JaredBusch said:
The something you have is the part that costs money. It is not free.
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
Well, the though there is that you then force the hacker to go through the special set as well. but as Scott said, if you want to not worry about that.. just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrank the character set by the specials (which would just be stupid - but hey).
Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.
Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,
Or that they MIGHT use, that's all that matters. Given that set, sure, some user might go nuts and ONLY use special characters in a pretty small set - but the smaller set is only useful to a hacker that knows what the smaller set is.
In reality, knowing a smaller set is the same as knowing the password. Think of it this way...
You have a one char password, the hacker knows your set, the set size, by definition, can only be one char, so knowing the set and knowing the password are the exact same thing in that case.
-
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
-
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
-
@BRRABill said:
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
Correct, a hacker is stuck attempting basically the full set, all the time unless they can social engineer you down to a subset, which is possible but hard to do and requires both a social AND a technical hacking attempt.
-
@BRRABill said:
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
Doing brute force attacks does happen, but it's almost always that last thing they would try today. For example: If you have the hashed passwords, many faster options are available. It's assumed that if you have the list of hashed passwords that you'll also know what algorithm(s) were used to create the hashes. Which allows them to create a list of hashes from known common passwords. All they have to do is compare the two lists of hashes and any matches mean that they then know the password.
I know many people just won't "grok" the next concept. Forcing the use of special characters (!@#$%^&*) often times makes "guessing" a password even faster than not forcing their use. For example, replacing the letter s with $. The fact that the hacker knows that use of special characters is a must, it reduces the number of possible passwords drastically, VERY drastically!
-
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
-
@Dashrender said:
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
That's my point... if the hacker knows the set size, they have you. If they don't, it's a big set. We use these weird thing of "if we only use lower case, our set size is X" but it isn't, the set size is much smaller. The full set of ANY password is really small. That's what people miss... all set sizes are small, knowing what the set size is is part of knowing the password.
-
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
-
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
-
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
-
@JaredBusch said:
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
Scott did mention that his 2FA was all after desktop logon.
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
Scott did mention that his 2FA was all after desktop logon.
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...
Of course you can, but it is a cost you have to accept as a business. It is not free, ever. Period.
-
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
But how do you find that out? That's the thing. Once you are getting an arbitrary set of the possible chars why do you assume it is "all lower case" and not just the actual set? Why one ASCII set and not another?
It's not how these things work. If you are getting a limited set, you already know a lot about the password.
-
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
-
@travisdh1 said:
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.
But you're right, like this whole thread.. that add the requirement of complexity itself moves people to make bad choices for their own simplicity... which is bad for security.
-
@scottalanmiller said:
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.
-
@Dashrender said:
@travisdh1 said:
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.
Forcing "complexity" itself is a social thing.
I think this actually made me realize what the problem is... no complexity is added. No complexity is checked. Using the term complexity itself is marketing and extremely misleading.
If the system was complexity checking, it would be looking at the size of the set, not that random pieces of different human visible sets are selected. It's not checking complexity, calling it that is a means of socially engineering end users to "feel better" about something that isn't true. It sounds nice, it helps them sleep at night, but it's not more complex at all.