Password Complexity, Good or bad?
-
@BRRABill said:
My point is that running under the assumption a hacker would need to try ALL the set (unless the KNEW what your set was) there's no difference between any of the characters.
Right?
Doing brute force attacks does happen, but it's almost always that last thing they would try today. For example: If you have the hashed passwords, many faster options are available. It's assumed that if you have the list of hashed passwords that you'll also know what algorithm(s) were used to create the hashes. Which allows them to create a list of hashes from known common passwords. All they have to do is compare the two lists of hashes and any matches mean that they then know the password.
I know many people just won't "grok" the next concept. Forcing the use of special characters (!@#$%^&*) often times makes "guessing" a password even faster than not forcing their use. For example, replacing the letter s with $. The fact that the hacker knows that use of special characters is a must, it reduces the number of possible passwords drastically, VERY drastically!
-
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
-
@Dashrender said:
@scottalanmiller said:
Did that make sense?
Look at this....
AuAAu3dd7T55uA
How big is the set?
The set size is seven. Just seven.
AdTu357... that's the entire set.
yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62
That's my point... if the hacker knows the set size, they have you. If they don't, it's a big set. We use these weird thing of "if we only use lower case, our set size is X" but it isn't, the set size is much smaller. The full set of ANY password is really small. That's what people miss... all set sizes are small, knowing what the set size is is part of knowing the password.
-
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
-
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
-
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
-
@JaredBusch said:
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
Scott did mention that his 2FA was all after desktop logon.
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...
-
@Dashrender said:
@JaredBusch said:
@scottalanmiller said:
The thing that you have can be a file. SSH Keys + Passphareses are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories.) There is no money spent in that way.
How do you use SSH Keys to log into your windows desktop?
Scott did mention that his 2FA was all after desktop logon.
@scottalanmiller said:
Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...
Of course you can, but it is a cost you have to accept as a business. It is not free, ever. Period.
-
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
But how do you find that out? That's the thing. Once you are getting an arbitrary set of the possible chars why do you assume it is "all lower case" and not just the actual set? Why one ASCII set and not another?
It's not how these things work. If you are getting a limited set, you already know a lot about the password.
-
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
-
@travisdh1 said:
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.
But you're right, like this whole thread.. that add the requirement of complexity itself moves people to make bad choices for their own simplicity... which is bad for security.
-
@scottalanmiller said:
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.
-
@Dashrender said:
@travisdh1 said:
@Dashrender said:
if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.
Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.
While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.
Forcing "complexity" itself is a social thing.
I think this actually made me realize what the problem is... no complexity is added. No complexity is checked. Using the term complexity itself is marketing and extremely misleading.
If the system was complexity checking, it would be looking at the size of the set, not that random pieces of different human visible sets are selected. It's not checking complexity, calling it that is a means of socially engineering end users to "feel better" about something that isn't true. It sounds nice, it helps them sleep at night, but it's not more complex at all.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.
Sure, and that's what I said, if we are assuming that things like phones, desktops, etc. are not already paid for then the 2FA is not free. We provide phones without 2FA, though. So if we did 2FA on them, 2FA is free.
This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.
-
@scottalanmiller said:
This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.
LOL I remember that conversation!
-
@scottalanmiller said:
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?
Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.
The company is providing a phone, then that is an expnse the company has taken on to handle it. Again that makes it not free, which is the entire point, you stated 2FA is free and it is not.
Sure, and that's what I said, if we are assuming that things like phones, desktops, etc. are not already paid for then the 2FA is not free. We provide phones without 2FA, though. So if we did 2FA on them, 2FA is free.
This gets into the "the word free is useless" category. Like my friends who say that food can't be free unless someone else eats and poops it for you (real conversation where they disputed free software because you were still required to operate it.) It's free to the way that humans mean to use the term free... it itself incurs no cost outside of the use of it.
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.@Dashrender stated that cost is the factor, and I agreed while you stated it could be free.
Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
The context of all IT decisions have to be based on the business.
-
@JaredBusch said:
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.
-
@scottalanmiller said:
@JaredBusch said:
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.
Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.
-
@JaredBusch said:
@scottalanmiller said:
@JaredBusch said:
The use of the term free here is constrained by the context of the conversation.
Said context is that I stated 2FA is not going to see a huge roll out in the office scenario. Implied in that, because of our past knowledge of each other, is the fact that I mean the SMB space.Most SMB do not provide equipment to all of their office staff capable of doing anything with 2FA. So to add that piece is a cost to the business.
Agreed, but I've seen several SMBs in a number of spaces that either require the use of your existing phones or provide them. Sure many don't or won't, but many don't care about 2FA either.
Absolutely. I know of several myself. But that is far from even a large minority of the SMB I am personally familiar with. I am quite comfortable with my statement above that Most SMB do not.
I agree, most do not. But I think that those mostly overlap with those that aren't looking for 2FA, too.
-
I have a scenario going on right now.
A local hospital is deploying 2FA to all offsite personal who access their systems. They offer two choices for 2FA
- when you log in, your default phone number will be called, you press 1 to indicate that you did log in, and the system allows you in.
- you are provided a key fob and type the number when prompted.
Option 1 assumes that there is a direct phone number to you - be that a DID to a phone in your office, or a cell phone.
Management in my office denied this option because they are of the opinion that personal phones can't be demanded to be used for work without paying the employee for phone use (even though it amounts to $5 or less per month, employees would undoubtly try to get something ridiculous like 50% of the phone bill paid for - so management just said no)
This unexpected refusal by my office to use phones as 2FA means the hospital has to purchase and support 80+ key fobs for my office alone. They have a near countless number of offices that have remote access to their systems. I'm sure the cost of key fobs is what has stalled this project.