USENIX Update

November 12, 2010

Rethinking passwords

Filed under: LISA Conference — Ben Cotton @ 11:34 am

“We have to do better … The bad guys are pros, they’re just as good as you are and maybe better.”  That’s Bill Cheswick’s message to the audience in his talk “Rethinking Passwords.”  Comparing the password policies of various companies and educational institutions yields a confusing and sometimes contradictory set of requirements.  This makes managing passwords difficult for users.  Perhaps the solution doesn’t lie in stronger passwords, but in better authentication?

Dictionary attacks are no longer the major threat.  The common threats now are keystroke loggers, phishing and other social-engineering attacks, and compromise of the password database itself.  A strong password is no protection against any of these: a keylogger or a phishing page captures the password however strong it is.

To improve system security, it’s necessary to think beyond the traditional password mechanism.  Multi-factor authentication is one solution, and it has worked for ATM cards (a card you have plus a PIN you know) for decades.  Users sometimes resist having to carry an RSA token or similar hardware, but alternatives are available now: software tokens run on smartphones, which many people have with them at all times.

If strong passwords must be used, it’s better to make them easy to remember and fun to type.  The goal of a strong password isn’t to produce a string of gibberish but to meet a minimum level of entropy.  Phrases or sentences composed entirely of dictionary words can provide that entropy and are often much easier to remember.  Bill has provided a sentence generator at http://www.cheswick.com/insult (some content may be unsuitable for children) whose output he claims has 42 bits of entropy.
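The entropy of a passphrase comes from the random choice of its words, not from the letters in them: a phrase of n words drawn uniformly from a list of N words carries n × log2(N) bits, so 42 bits is three words from a 16,384-word list or four from a 2,048-word list. The block below is an added example written for this post, not Bill’s generator; the word list is a short constructed stand-in, and the guess rates in the last function are assumed figures used only to compare online and offline attack speeds.

```python
import math
import secrets

# Constructed word list (a short stand-in for a real list of thousands of words).
WORDS = ["apple", "brick", "cloud", "dragon", "ember", "forest", "glacier", "harbor",
         "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pepper"]


def passphrase_entropy_bits(words_per_phrase: int, wordlist_size: int) -> float:
    """Entropy of a phrase of n words drawn uniformly at random (with
    replacement) from a list of N words: n * log2(N)."""
    return words_per_phrase * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """The same formula for a uniformly random character string, for comparison
    (95 is the size of the printable ASCII alphabet)."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest phrase length that reaches target_bits from a list of this size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n: int) -> str:
    """Draw n words with a CSPRNG.  The entropy lives in this random choice;
    a sentence the user composes by hand has far less than the formula says."""
    return " ".join(secrets.choice(wordlist) for _ in range(n))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every phrase at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(passphrase_entropy_bits(4, 2048))         # 44.0
    print(words_needed(42, 7776))                   # 4 (a Diceware-sized list)
    print(words_needed(42, len(WORDS)))             # 11 (a tiny list needs long phrases)
    print(generate_passphrase(WORDS, 4))
    print(years_to_exhaust(42, 1e3))                # about 139 years at 1,000 guesses/s
    print(years_to_exhaust(42, 1e9))                # well under a day at 1e9 guesses/s
```

The last two lines make the practical point: 42 bits is ample against an online attacker whom the server rate-limits to a few thousand guesses a second, and nowhere near enough against offline cracking of a stolen hash database, which is why the admin-side controls later in this post matter as much as the password itself.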

There’s no requirement that authentication be done with text, either.  The idea of a password map has not yet caught on, but it holds promise as an easy-to-remember but difficult-to-guess method of authentication.  In a password map, the user zooms in on a map or an image (such as the Mandelbrot set) and clicks a chosen point.

The current password paradigm is in need of repair.  Fixing it will involve developing a consistent set of password recommendations (perhaps an ANSI standard) and educating users.  Bill encourages users to keep a tier of passwords, with the same password for all sites where a compromise is unimportant.  A variation of the same strong password can be used for the more important sites, and it’s okay to write notes as password reminders (for example, “use the strong password, except that this site doesn’t allow spaces”).

Rethinking passwords also requires work from the admins providing the authentication mechanism.  Authentication attempts should be counted and managed, locking out accounts after some number of failed attempts.  Addresses or networks that keep probing should be blacklisted.  A single reliable authentication server is preferable to replicated servers from a security standpoint, and the most important thing is not to let the authentication server be compromised.

January 28, 2010

USENIX TaPP ’10 Program Available

Filed under: Update — Anne @ 11:45 am

Join us February 22, 2010, in San Jose, CA, for the 2nd USENIX Workshop on the Theory and Practice of Provenance (TaPP ’10).

The TaPP workshop series builds upon a set of Workshops on Principles of Provenance organized in 2007–2009, which helped raise the profile of this area within diverse research communities, such as databases, security, and programming languages.

We hope to attract serious cross-disciplinary, foundational, and highly speculative research and to facilitate needed interaction with the broader systems community and with industry.

Registration is now open and the program is available.

TaPP ’10 is co-located with FAST ’10, taking place February 23–26, 2010 in San Jose, CA.

LISA ’10 Call for Participation Now Available

The Call for Participation for the 24th Large Installation System Administration Conference (LISA ’10) is now available.  Participation opportunities include refereed papers, invited talks, and more.

The annual LISA conference is the meeting place of choice for system and network administrators and engineers. The conference serves as a venue for a lively, diverse, and rich mix of technologists of all specialties and levels of expertise. LISA is the place to exchange ideas, sharpen old and new skills, learn new techniques, debate current and controversial issues, and meet industry gurus, colleagues, and friends.

The theme for LISA ’10 is “Share your experiences, both real-world and in research.”

NEW! Have you completed a major project? Tell the LISA audience what worked and what didn’t in a practice and experience report.

Check out the full Call for Participation.

LISA ’10 takes place November 7–12, 2010 in San Jose, CA and is sponsored by USENIX in cooperation with LOPSA and SNIA.

January 24, 2010

USENIX HotCloud ’10 Seeking Submissions

The Call for Papers for 2nd USENIX Workshop on Hot Topics in Cloud Computing (HotCloud ’10) is now available.

HotCloud ’10 seeks to discuss challenges in the Cloud Computing paradigm including the design, implementation, and deployment of virtualized clouds.

Submissions are due March 23, 2010.

More information and submission guidelines can be found here.

HotCloud ’10 will be part of USENIX Federated Conferences Week, which will take place June 21–25, 2010.
