Are password policies promoting weak password choices?

Passwords are one of the most cumbersome parts of modern life. It used to be enough to have a password for the UNIX account at work and a four-digit PIN for the debit card. Not anymore: nowadays almost everybody has several email accounts, social network logins, home banking, a login for their favorite online newspaper, and so on.

Many people use the same password for everything. If one site is compromised, whether because the password was too weak or because the site itself got hacked, every other login that reuses it is open to the attacker. One solution is a password manager. But in some cases this is not practical (and of course we need at least one password to unlock the password manager…). Therefore, finding a way to generate safe but easy to remember passwords is arguably a big challenge in computer security.

In many organizations, password policies are used to enforce a minimum level of password strength. In a recent blog post, John Fontana argues that most password policies actually decrease password security. He cites Cameron Morris, who proposes improvements to password policies and wrote a tool called Passfault to measure password strength.

After reading about weak passwords a few years ago, I started to use a small command line tool called pwgen to generate random passwords. As it turns out, 7 random characters is pretty much the most I can remember. In fact, there were several embarrassing incidents where I had to call IT support only half an hour after choosing a new password because I had forgotten it. Passfault estimates that a random password generated with “pwgen 7” contains 78 billion patterns and can be cracked in about 1 day – that doesn't sound bad to me.

The author of the webcomic xkcd proposes an alternative way to make up strong passwords: choose four random words, which are easier to remember than random strings. Knowing my memory, I put this to the test with just three random words, “garden dolphin dictionary”, using the Passfault tool. Result: 27 quadrillion patterns, taking an estimated 9 centuries to crack – wow! And it is really easy to remember: I lost this paragraph while writing the post but was still able to remember my password when I typed it again later on.
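To put the two schemes side by side, here is an added Python example; it is not part of the original post and it is not the Passfault tool. It generates both kinds of password from the operating system's random source and computes how many bits of entropy each has, assuming the attacker knows the scheme and only has to search the space. The sample word list, the 62-character alphabet (what `pwgen -s` draws from; plain `pwgen` output is pronounceable and therefore weaker) and the guess rate of one billion per second are assumptions for illustration. Passfault counts patterns rather than bits, so its numbers differ from these.

```python
import math
import secrets

# Constructed sample word list (an assumption for this example), standing in
# for a real dictionary such as the 7776-word diceware list. The strength of a
# passphrase comes from the size of the list the attacker has to search, not
# from which particular words are in it.
SAMPLE_WORDS = [
    "garden", "dolphin", "dictionary", "anchor", "basket", "candle",
    "desert", "engine", "falcon", "glacier", "harbor", "island",
]

# Character set of a fully random "pwgen -s" password: a-z, A-Z, 0-9.
PWGEN_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PWGEN_ALPHABET_SIZE = len(PWGEN_ALPHABET)  # 62


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password when the attacker knows the scheme:
    on average half of the space has to be searched."""
    return (2 ** bits) / 2 / guesses_per_second


def random_string(length: int) -> str:
    """Random string of the kind `pwgen -s` produces, from the OS CSPRNG."""
    return "".join(secrets.choice(PWGEN_ALPHABET) for _ in range(length))


def passphrase(words, count: int, separator: str = " ") -> str:
    """xkcd-style passphrase: `count` words picked uniformly, with replacement.
    The words must come from the CSPRNG; words the user picks are not random."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes(word_list_size: int, word_count: int, char_count: int,
                    guesses_per_second: float = 1e9) -> dict:
    """Entropy and expected crack time (in days) for both schemes."""
    string_bits = entropy_bits(PWGEN_ALPHABET_SIZE, char_count)
    phrase_bits = entropy_bits(word_list_size, word_count)
    day = 86400.0
    return {
        "random_string_bits": string_bits,
        "random_string_days": expected_crack_seconds(string_bits, guesses_per_second) / day,
        "passphrase_bits": phrase_bits,
        "passphrase_days": expected_crack_seconds(phrase_bits, guesses_per_second) / day,
    }


if __name__ == "__main__":
    print("random string:", random_string(7))
    print("passphrase:   ", passphrase(SAMPLE_WORDS, 3))
    for size in (7776, 100_000):            # diceware-sized and large dictionary
        for n in (3, 4):
            print(f"{n} words from {size}:", compare_schemes(size, n, 7))
```

With a diceware-sized list, three words carry fewer bits than seven fully random characters (about 39 versus about 42), and only the fourth word pushes the passphrase clearly ahead; with a 100,000-word list three words already do. The comparison only holds if the words are drawn at random, which is exactly what a user-chosen "memorable" phrase is not.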

Unfortunately, most password policies do not allow a password like “garden dolphin dictionary”. Some policies forbid common words. Users get around this by “keyboard shifting”: “bird” becomes “notf” on a US keyboard when every key press is shifted one position to the right. This does not significantly enhance password strength, and some password cracking programs are optimized to detect it. Policies also often require the inclusion of numbers and special characters like ‘&’. As a consequence, users tend to substitute some letters with numbers (‘a’ becomes ‘4’, ‘s’ becomes ‘5’), a technique well known to password crackers.

A quick web search reveals that there are many opinions on this topic. For instance, take a look at Per Thorsheim’s Security Nirvana, Schneier on Security, who simply advocates writing the password on a piece of paper, and this discussion at Stack Exchange. Personally, I have to say that I like the idea of using a few simple random words; I seem to be able to remember them much better than other passwords. For passwords I have to type often, e.g., to unlock screens, I still prefer shorter random strings. In the end, the single day necessary to crack the above-mentioned 7-character random string by brute force might still provide good enough security for me.

Location of CFEngine Inputs on Debian Systems

The first few times I used CFEngine on a Debian GNU/Linux system I ran into strange error messages while updating the inputs. I used some code examples for update.cf:

"/var/lib/cfengine3/inputs"
    perms => system("600"),
    copy_from => mycopy("$(master_location)","localhost"),
    depth_search => recurse("inf"),
    action => immediate;

See here for the complete example. The only change I made was to adapt the code to the location of the CFEngine system files, which are located under /var/lib/cfengine3 on Debian systems. Still, it gave me mysterious errors about recursive security issues.

The error is caused by a small difference in the file locations on Debian systems: the inputs live in the /etc/cfengine3 directory, and /var/lib/cfengine3/inputs is not a directory but a symbolic link to /etc/cfengine3. After I changed the first line of the above code to point to the real directory “/etc/cfengine3”, everything ran smoothly!
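The general lesson is to resolve a path before handing it to a recursive files promise, because the packaged layout may differ from the upstream documentation. The following is an added Python example, not from the original post or from CFEngine: it reports whether a given path is a symbolic link and which canonical directory should go into update.cf, and it demonstrates this on a constructed temporary directory tree laid out like the Debian package (a real /etc/cfengine3 directory and a /var/lib/cfengine3/inputs link pointing at it). On a real system the same question is answered by `readlink -f /var/lib/cfengine3/inputs`.

```python
import os
import tempfile


def resolve_inputs_dir(path: str) -> dict:
    """Describe what a path that update.cf is about to copy into really is.

    Returns the canonical directory to use in the files promise, plus flags
    telling whether the given path was a symlink (the Debian/Ubuntu case)."""
    real = os.path.realpath(path)
    return {
        "given": path,
        "is_symlink": os.path.islink(path),
        "is_dir": os.path.isdir(real),
        "use_in_update_cf": real,
    }


def make_debian_like_layout(root: str) -> str:
    """Constructed stand-in for the Debian package layout (an assumption
    about the temp tree, not a copy of the real system):
    <root>/etc/cfengine3 is the real inputs directory and
    <root>/var/lib/cfengine3/inputs is a symlink pointing at it."""
    etc = os.path.join(root, "etc", "cfengine3")
    varlib = os.path.join(root, "var", "lib", "cfengine3")
    os.makedirs(etc)
    os.makedirs(varlib)
    link = os.path.join(varlib, "inputs")
    os.symlink(etc, link)
    return link


def demo_debian_case() -> dict:
    """Build the constructed layout in a temp dir, inspect the link, clean up."""
    with tempfile.TemporaryDirectory() as root:
        link = make_debian_like_layout(root)
        info = resolve_inputs_dir(link)
        info["expected_real"] = os.path.realpath(os.path.join(root, "etc", "cfengine3"))
        return info


if __name__ == "__main__":
    for key, value in demo_debian_case().items():
        print(f"{key}: {value}")
```

The `use_in_update_cf` value is the one to write into the first line of the promise above; the `is_symlink` flag tells you in advance that a depth search rooted at the given path would be walking through a link.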

Tip: Ubuntu systems are identical to Debian in this respect.

Configuration Management for Amateurs

The configuration of computer systems is a tedious endeavor. It requires installing software and spending hours editing configuration files. Often, these tasks have to be repeated on many computers. This can be automated with configuration management software. Such software is written to control networks of tens, hundreds, or even thousands of computers. So why would an amateur who runs only one or two machines want to use it?

In the past, I never used configuration management software. After all, all I wanted was to configure a single webserver. I like playing with server configuration files; I am a geek, after all. However, I also have a day job that has nothing to do with system administration, and a family. Therefore, even small projects can take a while to complete. Consequently, I forget many things and often fall into the same traps over and over again.

Of course I could take better notes, but automating configuration tasks both prevents repeated errors and serves as documentation at the same time. It is also a mind hack: on one hand, I know that documentation is important; on the other hand, coding is much more fun. Figuring out how to configure my system with configuration management software can also be fun (for geeks).

In addition, even a small-time system administrator like me ends up repeating many things. Cloud computing, for instance, gives many opportunities to play around, but also to spend a lot of time on mundane configuration tasks. Imagine you want to try some new software. Cloud computing gives easy and cheap access to computing resources. However, a fresh server instance usually needs basic configuration first, especially for geeks: most geeks are not satisfied with the default choice of text editor and so on. Using configuration management software, you can automate these basic tasks. In my case, the resulting time savings can make the difference between a quick one-day project and a never-ending on-off affair.