hacked - looking for doc/suggestions on hardening/securing systems from the start

Greg Woods woods at ucar.edu
Fri Dec 20 01:04:21 UTC 2013


On Fri, 2013-12-20 at 03:46 +1030, Tim wrote:
> Allegedly, on or about 18 December 2013, Rick Stevens sent:
> > 3. Make sure you enforce complex passwords and require them to be
> > rotated at least every 90 days. 
> 
> I take issue with the continually changing passwords idea.

I agree with you on this one. There was a white paper I read (wish I
still had the link to it) where they demonstrated that some security
measures are actually more expensive than dealing with a break-in. The
basic theory was a small-to-medium cost, when incurred by thousands of
users, is higher than the high cost of dealing with the average
compromise. I think changing passwords is up there on that list. It's a
huge hassle (we're required to do this at work), and several thousand
users have to go through it every six months. I don't think that is a
good use of security resources. But the security people will argue that
bad guys can get a hold of a password and not use it for months, which
increases their odds of evading detection. Or they get encrypted
passwords and decrypt them offline, using computing resources they've
stolen from others (PCs in botnets, etc.). So it may take a long time
to guess your 15-character password this way, but they've got forever if
you never change your password. So it's hard to come up with numbers to
back up my belief.

That said, I also think it is very risky to use the same password at
multiple locations, even if it is an easy-to-remember but hard-to-guess
password. The reason is that if any one of those locations is
compromised, the bad guys now have access to your accounts at all these
other places that have *not* been hacked. It is very important to use
different passwords at every place you do business. Yes, that means you
have to "write them down", so you write them down in a secure way, by
using a password safe (I like Keepassx on Linux, it's packaged in
Fedora, and there are versions of Keepass for Windows, MacOS, Android
and iOS as well). The safe is strongly encrypted, so you can store it on
insecure but easy-to-access locations like Dropbox (even so, I do not
keep my banking password in Keepass/Dropbox, that is one of the very few
that is stored nowhere but in my head). This allows me to use a password
like "K8_jBh6ewq,5" (no, silly people, that is NOT any of my actual
passwords :-). Then there is one critical password that you have to
memorize, which is the one to open the Keepass safe. My wife and I store
our Keepass passwords in each other's safe, to guard against somehow
forgetting it. That password is never used except on our own personal
machines (I would argue that if someone has compromised your personal
machine, the game is already over; there are many ways they can use that
to get access to your accounts). 

> You really need something that detects attempts to crack passwords

Very few passwords are actually cracked by brute force on your machine.
They are almost always obtained by compromising a server where
(hopefully encrypted) passwords are stored, and then brute force
cracking them offline, where you could not detect the attempt. Or just
use the access to the server to capture the passwords used on that
server (also undetectable by the end user). Another common attack lately
is to use stolen certs to run a man-in-the-middle against https sessions
(the security of many of the certificate authorities is atrocious, there
have been many well-publicized compromises). So if you're like me and
access hundreds of password-protected web sites, you want to use a
different password for every one of them.

--Greg
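As an added example (not code from this thread, nor from KeePass or any other project named in it), the following Python script plays out the scenario Greg describes: a site's credential store is dumped, the hashes are cracked offline where nobody can watch the attempts, and any password the victim reused is then tried on a second, unbreached site. It also contrasts an unsalted fast hash with a salted, iterated one to show why the second only slows the attacker down rather than stopping him. Every site, user, password, hash and wordlist entry here is constructed; the `strong_hash` format is an assumption for the example, not any real site's scheme.

```python
"""Offline cracking of a leaked credential store, and how password reuse
turns one breach into several.  Added example; all data is constructed."""
import hashlib
import hmac
import os
import time

# A weak store: unsalted MD5, as many breached sites actually used.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()

# A stronger store: per-user random salt plus PBKDF2-HMAC-SHA256 at a
# deliberately high iteration count.  The "$"-separated record format is
# an assumption made for this example.
PBKDF2_ITERS = 100_000

def strong_hash(password, salt=None, iters=PBKDF2_ITERS):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return "pbkdf2_sha256$%d$%s$%s" % (iters, salt.hex(), dk.hex())

def strong_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2013",
            "fedora", "correcthorsebatterystaple"]

def crack_weak(dump, wordlist):
    """Dictionary attack on an unsalted-MD5 dump.  Because there is no salt,
    hashing each word once serves every user in the dump at the same time."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}

def crack_strong(dump, wordlist):
    """Same attack on a salted PBKDF2 dump.  Every (user, word) pair now costs
    a full key derivation, so the attacker pays per user, not per word."""
    found = {}
    for user, stored in dump.items():
        for w in wordlist:
            if strong_verify(w, stored):
                found[user] = w
                break
    return found

def credential_stuffing(cracked, other_site):
    """Replay each cracked password against the same account on another site.
    Returns the users whose reused password opens the second site too."""
    return [u for u, pw in cracked.items()
            if u in other_site and strong_verify(pw, other_site[u])]

def demo():
    # Constructed users: alice reuses one password everywhere; bob keeps a
    # different random password per site in a password safe.
    site_a_weak = {"alice": weak_hash("Summer2013"),
                   "bob": weak_hash("K8_jBh6ewq,5")}
    site_b_strong = {"alice": strong_hash("Summer2013"),
                     "bob": strong_hash("x7#Qp2!mLz9v")}

    cracked_a = crack_weak(site_a_weak, WORDLIST)          # site A is breached
    reused_b = credential_stuffing(cracked_a, site_b_strong)  # site B is not

    # Cost of the same dictionary against each store type, measured locally.
    t0 = time.perf_counter(); crack_weak(site_a_weak, WORDLIST)
    t_weak = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter(); crack_strong(site_b_strong, WORDLIST)
    t_strong = time.perf_counter() - t0

    return {"cracked_on_a": cracked_a,      # {'alice': 'Summer2013'}
            "reused_on_b": reused_b,        # ['alice']
            "slowdown_factor": t_strong / t_weak}

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Bob's account on site A was in the same dump as alice's, but his password was not in the wordlist and, even if it had been, it opens nothing else; that is the whole argument for one password per site. The slowdown factor is machine-dependent, and note that salting and iteration only raise the attacker's per-guess cost: a password that is in the wordlist still falls, just later.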

More information about the users mailing list