randombio.com | computer commentary
Saturday, December 22, 2017; updated Wednesday, January 03, 2018

Two factor deauthentication

Passing the burden of security to the end user is the wrong solution to a fake problem.

Y ou may not have ever read NIST Special Publication 800-63, Appendix A. But if you use a corporate, academic, or government computer you're probably following its advice.

Newser reports that Bill Burr, the author of said appendix, now says we shouldn't be using passwords like dogcatbarkmeowwoofwoofiamadog1234 any more, but strings of words, and we shouldn't change them every 90 days.

Now they tell us. If I were conspiracy-minded (which I am, actually, now that you mention it), I'd think this is all part of a strategy to put us on the cloud. It's following the usual pattern: create a problem, then propose a flawed solution, knowing it will create a demand for the solution you really want.

Like many people, I keep my passwords in a gigantic encrypted text file. At the moment I have 649 of them, including the ones for computers that also demand to know the name of my first school (School of Fish), name of my first pet (Nyarlathotep), mother's maiden name (Borgia), and what street I last got a flat tire from (Wong Way), that go along with them. One place needed to know the make of my first car (the Chevy Unsafe At Any Speed™), my first pet's name, and the street I lived on when I was ten.

My home security system needs to know the name of my first car (Christine). At my last job the Procurve, a lowly network switch, somehow acquired 22 different passwords. Our tabletop centrifuge had three. But the record goes to my current employer. I have 63 to keep track of because we're not allowed to re-use them.

There is no possible way to remember this many passwords, and you can't trust a password manager: it could crash or scramble its database. Writing them on a piece of paper just creates a race condition: will that paper get lost first, or out of sync first?

In a target-rich environment like this, some patterns become evident:

  1. The more often I'm forced to change it, the simpler the password is.
  2. Some people are in love with their passwords and use the same one for everything.
  3. Devices that demand a password for no good reason get passwords that are four letters long.
  4. If password reuse is forbidden, the new one gets the simplest change that will appease the software, like incrementing digits and letters.
  5. All Windows computers get the same password, just because.

What is the solution? It's just a matter of time before a brain chip is mandated. But to make that acceptable to the masses, they have to make the problem bad enough that there seems to be no alternative.

What is the best password?

Which brings us to the best password ever.

Some years ago we were teaching the boss how to set his password over telnet. That evening, our consultant found he was unable to log into the boss's account. Neither could I. We called the boss and he confirmed the password verbally, but it still didn't work. After some head scratching, I said: “What if when he says ‘F 1’ he actually means the F1 key?” Sure enough, that was it.

It was our own fault: we had recommended using digits and special characters. We instructed him to stop doing that in the future, but actually it was clever. Every terminal interprets F1 differently. Some print 1~, others print ~, some ignore it, and some intercept it and put up a dialog box instead. That adds a couple of bits more security to your password.

Moral: the best password is one that can only be typed on your own computer, because your OS is the most screwed up. That means if your keyboard doesn't trap [Ctrl-Alt-Delete], you can use that as your password, secure in the knowledge that all your hackers are either rebooting or staring at the Task Manager.

Since most data losses are caused by the user, setting your password to Ctrl-Alt-Del is also a good way of making sure you never lose a file.

Fifty ways to lock yourself out of your computer

TLAs and employers don't need to crack your password. Employers routinely set up middleman systems to defeat any encryption that goes in or out. The TLAs discourage encryption altogether by tagging you as a terrorist if you try to use it. If you install it, it just guarantees that you get monitored. These guys have so many zero-day exploits that they go straight to the “end point,” which is to say your PC. Passwords aren't even on their radar.

Fingerprints, which we use at work, and even retina or iris scans, are too scary, as anyone who's ever watched a terrorism movie knows. DNA sequencers on a chip would be useless: anyone could grab a sample of your DNA in ways that might not be as enjoyable as you'd hope. Sending DNA over the Internet would be a challenge when the computer is 1000 miles away.

Little radio transmitters, like the ones we're forced to use to get into our car, would just get lost. Ditto with little USB sticks and special RFID jewelry.

Voiceprints wouldn't work either: the computer would have to tell you what word to speak to prevent a miscreant from recording it. If you think people walking down the street talking to unseen companions is weird, imagine an office full of people saying things like “chiffon orangutan adventitious xanthophyll.”

The latest fad is two-factor authentication. It works like this: when you want to get on your computer, you type your username and password and then wait for your cell phone to send you a code by SMS that you must type in. It's great, because everybody has a cell phone and carries it around continually, and everyone always gets a good signal where they work, right?

Maybe someday they'll invent a way of hashing a personal identifier and sending it securely to the remote site through a separate channel, putting the burden on the ones who demand a password, where it belongs.

What's wrong with remote authentication?

Not every computer needs to be on the Internet. Some are air-gapped for security. Others run hideously expensive software that controls hideously expensive equipment, like MRI machines and spectrometers. Vendors always put Windows on them. That means when the hard drive crashes, you need an Internet conniption to get it running again.

That's when you get stonewalled by IT: Why does this PC suddenly need an IP? We don't support this old version of Windows. Why is this PC not on our Manifest Domain so we can push whatever crap slug-inducing software-of-the-day we want onto it?

They must know if they set up bureaucratic roadblocks like this, we'll just take the PC home for a day and activate it ourselves.

What it's really all about is control. Who gets to control your computer: the user, the IT bureaucrats, or the big Internet companies? The companies expect you to have a continuous Internet connection. Already more and more software refuses to run unless it's allowed to phone home to prove you haven't stolen it. Even some freeware does this now: when the company goes under, they leave behind a scorched earth.

That might sound great, if you're under thirty. You grew up thinking the Internet is everywhere, and it always works. Those of us who grew up with modems, DSL, and flaky T1 lines know that the Internet is just aching to fall on its face.

The problem people are trying to solve is one that doesn't exist. Sysadmins are turning into bureaucrats, and they see security as a way of blocking things. So they push the burden onto the user—the one who just wants to get some work done.

As a result productivity plummets: if it's too much trouble to log in and retrieve a file from a computer at work, people will just not bother to try, even when the company's future depends on it. If email requires firing up a browser and waiting for some slow website, we just won't do it. That's the solution I use now.

Remote authentication is a terrible solution, and the powers that be know it. It's designed to be bad. They won't rest until they find a way to pry those computers out of our cold, dead hands. Lose control now, and you may never get it back.

Update (Jan 03, 2018)

Yesterday I got a very strange email from IT saying that there's another pfishing scam out there from somebody using the credentials of their IT security bigshot. All of us must change our passwords immediately, but there's nothing to worry about.

Five minutes later we got another one telling us the server that handles passwords had crashed and we should please not change our passwords until it's fixed.

The disadvantages of 100% user compliance.

They're still rolling out two-factor authentication, which is a de facto admission that the old method doesn't work. But 2FA is fundamentally flawed. They could put ten factors on it and it would have no effect, because authenticating on the PC is not the problem. The problem is the top-down model.

2FA is an admission that management doesn't trust themselves to be able to keep hackers out of their server. Even the US government knows that compartmentalization and decentralization are the only sure ways to keep information secure. That's the model ISPs use. Until more recognize this and stop trying to control everything, we'll just see more people trying to find ways around whatever security people put in place so they can do their jobs.

dec 22, 2017, 5:18 am; updated jan 03, 2018, 5:40 am. last edited jan 27 2018, 7:37 am

Related Articles

Email as a cloud storage mechanism

Linux and Windows: Why You Need Both

How close are they to real AI?
We read the textbook on ‘deep learning’ so you don't have to.

On the Internet, no one can tell whether you're a dolphin or a porpoise

linux and computers
book reviews