We've lost the password battle

October 9, 2008

It's been an article of faith, frequently professed to users, that they should never write down their password or otherwise record it. Your users probably profess to follow this, and may even honestly believe that they are.

But find a user with a machine that recently rebooted (this often doesn't take long) and watch what happens next, as the user re-establishes their environment and restarts their applications. Did they get asked for a password when their IMAP-based mail program started, or is it happily fetching mail? How about their CIFS-based shares, did they get asked for that password when they started talking to your Samba server?

Probably not.

Do you use separate user passwords for each of those services?

Almost certainly not. (At least around here, the users would likely lynch us for trying that. And it wouldn't really matter if we used a separate password for these services than for people's Unix login; the net effect would be to make even fewer people log in to our Unix servers, with no decrease in an attacker's ability to do damage.)

If you are lucky, your users have some sort of master password that unlocks their machine. If you are really lucky, all of their applications are using a single secure password store, instead of putting together various ad-hoc solutions to the problem (or just storing passwords in barely encrypted form and ignoring the issue).

(By the way, try not to think too much about the security implications of your webmail system, which necessarily handles those same passwords. You'll sleep better.)

Comments on this page:

From 74.95.178.233 at 2008-10-09 06:42:58:

I went through this for a long time, and it's miserable.

After considering a lot of options, I finally decided to go with an Active Directory infrastructure to support centralized administration. This might not have been an obvious solution, due to the fact that 99.9% of my servers run Linux, but it's very possible to authenticate a Linux machine against AD, especially with a tool like Likewise Open. The commercial version actually extends your AD to allow full administration of a Linux machine, much like you would administer a Windows machine.

I'm gradually working toward unified passwords everywhere. My new machines all authenticate against it, and my old ones are going to be reinstalled and authenticated against it. We're switching to a hosted Exchange mail solution, and we'll be able to export our user base to it. My new SSL VPN machines are technically capable of AD authentication, too; I just haven't figured it out yet.

When I'm done, the only thing that users will log into that isn't AD authenticated will be the Oracle database.

Matt Simmons
http://standalone-sysadmin.blogspot.com

From 62.210.154.97 at 2008-10-09 09:25:59:

Your users should write their password down.

In fact, it's the only way to have secure passwords: write them down. If you don't write them down, it means that you either always use the same or use simple ones.

The key here is what you do with the written password. Schneier says that you should keep it in your wallet, which you always keep with you, and would notice quickly if it ever gets stolen.

By cks at 2008-10-09 11:15:34:

I agree about writing passwords down, but I don't think it would help this problem very much because I don't think that the users would be willing to give up the convenience of having various applications remember their passwords for them.

From 76.113.53.58 at 2008-10-10 23:08:41:

It's even worse when you consider web services. My master password file has 174 entries.


Last modified: Thu Oct 9 01:06:21 2008