From rick Fri Jan 10 10:19:54 2003
Date: Fri, 10 Jan 2003 10:19:54 -0800
To: ilug@linux.ie
Subject: Re: [ILUG] [OT] email server

Quoting ccostelloe@flogas.ie:

> What bothers me is that sometimes from a user's point of view it gets
> impossible to access what they need without a multitude of passwords.

I have an observation and a suggestion to offer.

The ability to brute-force-attack passwords long ago outstripped humans' ability to remember them. That is, unless you have really unusual powers of memory, you won't be able to reliably remember more than three or four reasonably long, reasonably entropic passwords — especially given the need to change them on occasion. Our brains just aren't wired that way.

Most of us, of necessity, try to deal with this problem by inventing variously ineffective coping schemes: Most people don't even make the effort, and just use weak passwords whenever allowed, and will tend to use a small set of passwords everywhere. Slightly more cautious people will use weak "joe" passwords in low-security situations and try to be more diligent on sites that matter — but still end up sharing the same password among multiple non-trivial sites.

Ironically, given complaints commonly levelled against people leaving high-security passwords on PostIts pasted to their monitors, that is actually a better coping mechanism, as the threat model for security compromise is limited to people with physical access to the user's cubicle, and who moreover can figure out what the password pertains to.

But that's where people's efforts to cope with the wetware (brain-capacity) problem generally peter out: People can't remember more and stronger passwords, especially ones that get changed every few months, so everyone just lives with the security exposure.

One long-term solution is applications like Keyring for PalmOS (http://gnukeyring.sourceforge.net/), which store security tokens in strong-crypto storage (3DES, in Keyring's case). The token database is always stored only in encrypted form, and decrypted only a record at a time into RAM. It can of course be backed up safely onto insecure backup media — and the user then need only remember a single strong password for entry into the database.

There are at least a couple of others for PalmOS (Strip, http://www.zetetic.net/products.html, and I think there are others). I use Keyring extensively, and it Works for Me<tm>.

> Um, desirable. Patching everything (in my experience) regularly
> breaks your system.

See, this is where having designated people who are experts at maintaining packages for an entire community of users, and who in preference backport security patches to stable software versions rather than frogmarching everyone onto new and untested versions, is useful. Not intending to harp on the example, but this is what the Debian Security Team does, and also what regular Debian package maintainers are encouraged to do in preference to grabbing the latest CVS and hoping for the best.

Staying current on patches — if done right — does not need to mean venturing out into bleeding-edge versions, as you seem to imply, here.

> Patch selectively? To me, it depends on your perimeter.

Defence in depth is much smarter than praying that a perimeter-security model will protect your systems, in my view.

-- 
Cheers,                                      "My file system's got no nodes!"
Rick Moen                                    "How does it shell?"
rick@linuxmafia.com
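The Keyring design the post describes (database held only in encrypted form, one record decrypted at a time into memory, a single master password for the whole thing), as an added example that is not part of the original message and not Keyring's own code. The file format, record names and sample secrets are constructed for this illustration. Because the Python standard library ships no block cipher, HMAC-SHA256 run in counter mode stands in as the keystream generator where Keyring uses 3DES; the master password is stretched with PBKDF2 and a separate key authenticates each record so a wrong password or a tampered file is detected rather than silently decrypted to garbage.

```python
"""Added example: a minimal per-record encrypted credential store in the
style the post describes for Keyring. Not Keyring's code; format is constructed."""
import hashlib
import hmac
import json
import secrets


def derive_keys(master_password: str, salt: bytes, iterations: int = 100_000) -> tuple:
    """One master password -> (encryption key, MAC key) via PBKDF2-HMAC-SHA256.
    The salt is stored next to the database; it need not be secret."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; stands in for the 3DES
    # Keyring uses, since the standard library has no block cipher (assumption).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(keys: tuple, plaintext: bytes) -> dict:
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(16)  # fresh per record, so keystreams never repeat
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_record(keys: tuple, record: dict) -> bytes:
    enc_key, mac_key = keys
    nonce, ct, tag = (bytes.fromhex(record[f]) for f in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record authentication failed: wrong master password or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Keyring:
    """On-disk format (constructed for this example): JSON holding the salt and a
    map of record name -> encrypted record. Plaintext never reaches the file."""

    def __init__(self, master_password: str, salt: bytes = None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self._keys = derive_keys(master_password, self.salt)
        self.records = {}

    def put(self, name: str, secret: str) -> None:
        self.records[name] = encrypt_record(self._keys, secret.encode("utf-8"))

    def get(self, name: str) -> str:
        # Only the requested record is decrypted, and only in memory.
        return decrypt_record(self._keys, self.records[name]).decode("utf-8")

    def dump(self) -> str:
        # Safe to copy onto untrusted backup media: everything is ciphertext plus salt.
        return json.dumps({"salt": self.salt.hex(), "records": self.records})

    @classmethod
    def load(cls, master_password: str, blob: str) -> "Keyring":
        data = json.loads(blob)
        kr = cls(master_password, bytes.fromhex(data["salt"]))
        kr.records = data["records"]
        return kr


def roundtrip_demo() -> str:
    """Store a constructed secret, serialise, reload with the master password."""
    kr = Keyring("correct horse battery staple")
    kr.put("mail.example", "s3cret-mail-pw")  # constructed sample secret
    return Keyring.load("correct horse battery staple", kr.dump()).get("mail.example")


if __name__ == "__main__":
    print(roundtrip_demo())
```

The trade-off the post points at is visible here: the whole database's security now rests on one password, so that one password has to be genuinely strong, and the PBKDF2 iteration count is what makes guessing it expensive.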