January 28, 2006
So now you've changed your Case Password.
Why? Because they told you you had to do it.
As your new CISO, they is me.
The main technical reason was the transition from Kerberos 4 to Kerberos 5, which required new passwords. Other reasons were that some passwords were shared and common knowledge. If passwords don't meet the complexity requirements, they are easily guessed. If they are easily guessed, someone else has your access 'keys' to your email, portal, weblogs, registration, etc.
It is a bad idea to use the same password on multiple accounts, because if you mistakenly divulge a password that you use for, say, your .Mac email account, and it is the same as the one for your bank account, you'll be a victim. Or, if you share your account credentials with somebody (it's against the rules, but people still do it), they've got access, disguised as you, to all your accounts.
The flip side of having lots of complex passwords is that typical users don't remember them all and end up calling support personnel to reset them. There is a kewl website that will generate some 63-character passwords for you. People will write them down or keep them in a text file on their desktop. The classic vulnerability here is to find a 'Post It' note with the user's passwords and accounts 'posted' underneath the keyboard, or stuck to the monitor. (It can generate some whoppers for you. Kewl.)
I've got over 30 different passwords and accounts, and I change them regularly to be sure that nobody else is pretending to be me. What makes this work is a utility written by Bruce Schneier called Password Safe, version 3.02. It uses encryption to protect the file, and you open it with a single password.
Builds of Password Safe for various OS flavors can be downloaded here.
Then use the www.GRC.com site to generate hideously unguessable passwords (I call them antisyntactical scribings) that you just copy and paste into the fields of Bruce Schneier's utility. (Nota bene: some OS-specific passwords have a maximum length, so check the limit before you paste.) Then you just remember the one good password to open the Password Safe utility. This might be a difficult process to teach your grandmother, but hey, you are at CASE, you should be able to handle this process.
It is not all a path of roses yet, because you run the risk of losing access to all of your accounts if you lose access to the Password Safe database. For example, it is on your laptop, and then you leave your laptop on the sofa in the basement of Thwing after a study-induced 'power nap'. The same goes if you take a long weekend and forget your main password to the Password Safe program. It also doesn't quite work if you are using other machines to access your accounts. Backups can save you hours of recovery time.
For Mac users, try the Tellura Key Minder, which you can keep on a USB drive and bring between Macs. The Password Gorilla also works well in Linux and MacOS. It can be found at
Let me know if you try it.
Mac OS X also has a built-in password management tool called Keychain. Unique to this utility is a help icon that will give you a color-coded quality factor for a password you are trying to use. If you get a unique password from www.grc.com, the quality will definitely be green. To read more about Keychain, go here.
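The arithmetic behind those "hideously unguessable" passwords, the maximum-length caveat, and a Keychain-style quality band, as an added example that is not from the post, GRC, or either tool. The alphabet is assumed to be the 94 non-whitespace printable ASCII characters, and the colour thresholds are assumptions, not Keychain's real cutoffs.

```python
import math
import secrets
import string

# Assumed alphabet: the 94 printable ASCII characters minus whitespace,
# comparable to the mixed character set a generator site hands out.
ALPHABET = "".join(c for c in string.printable if not c.isspace())


def generate_password(length: int = 63, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG, as a generator site does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def truncated_entropy_bits(length: int, max_length: int,
                           alphabet_size: int = len(ALPHABET)) -> float:
    """What a system that silently truncates input to max_length actually verifies.

    This is the nota bene above: paste a 63-character password into a field
    that keeps only 8 characters and the stored secret has 8 characters of
    entropy, however long the pasted string was.
    """
    return entropy_bits(min(length, max_length), alphabet_size)


def quality_colour(bits: float) -> str:
    """Assumed colour bands for a Keychain-style quality indicator."""
    if bits < 40:
        return "red"
    if bits < 80:
        return "yellow"
    return "green"


if __name__ == "__main__":
    pw = generate_password()
    print(f"{len(pw)} chars, {entropy_bits(len(pw)):.0f} bits, {quality_colour(entropy_bits(len(pw)))}")
    print(f"same password truncated to 8: {truncated_entropy_bits(len(pw), 8):.0f} bits, "
          f"{quality_colour(truncated_entropy_bits(len(pw), 8))}")
```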
Next time: two-factor authentication beats passwords any day.
Posted by Thomas Siu at 11:46 PM