Passwords That Are Simple — and Safe(?) 563

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
  • by eldavojohn ( 898314 ) * on Tuesday July 20, 2010 @11:54AM (#32965472) Journal

    I'm not sure that allowing unique but simpler passwords is a better idea.

    There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.

    Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.

    I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your user has with a new mechanism ... and can be applied equally to the loosest and most stringent password requirements.

    After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.

  • by PseudonymousBraveguy ( 1857734 ) on Tuesday July 20, 2010 @11:57AM (#32965528)
    This only works for big services: If you have only a couple of users, you will miss many of the easy-to-guess passwords. Instead of preventing users from picking the same password as other users, you should check the passwords against a pre-made dictionary. This is basically the same approach, only without relying on the users for building your dictionary.
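An added illustration (not code from the paper or from either poster) of the popularity oracle eldavojohn describes, combined with the static dictionary check PseudonymousBraveguy suggests: a count-min sketch holds keyed per-password counters on the server, and a candidate is refused once its estimated count reaches a threshold. The sketch width, depth, threshold, key and the tiny dictionary are assumed illustrative values.

```python
import hashlib

# Added example: a password-popularity oracle backed by a count-min sketch,
# plus a static dictionary check. The sketch stores only counters, never
# passwords; each candidate is refused once its estimated count on this
# system reaches the threshold. Sizes, key and dictionary are assumed values.
COMMON_DICTIONARY = {"password", "p@ssword", "p@ssw0rd", "123456", "letmein"}


class PopularityOracle:
    def __init__(self, width=1 << 16, depth=4, threshold=3, secret=b"server-side-key"):
        self.width, self.depth, self.threshold = width, depth, threshold
        self.secret = secret  # keyed hashing: a leaked table alone cannot be queried offline
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, password):
        # One independent hash per row, derived by mixing the row index into the key.
        for row in range(self.depth):
            digest = hashlib.sha256(self.secret + bytes([row]) + password.encode()).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password):
        # Count-min: the minimum over rows may over-count on collisions, never under-count.
        return min(self.table[row][col] for row, col in self._cells(password))

    def is_acceptable(self, password):
        """Return (ok, reason): static dictionary first, then the popularity sketch."""
        if password.lower() in COMMON_DICTIONARY:
            return False, "in static dictionary"
        if self.estimate(password) >= self.threshold:
            return False, "too popular on this system"
        return True, "ok"

    def record(self, password):
        """Increment the counters once an account has actually adopted the password."""
        for row, col in self._cells(password):
            self.table[row][col] += 1
```

Keeping the hash key secret limits what a leaked sketch reveals, but it does not stop an authenticated user from probing the check online, so the change-password endpoint still needs rate limiting.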
  • by iivel ( 918436 ) on Tuesday July 20, 2010 @12:02PM (#32965640) Homepage
    I've posted this as a potential answer on /. before though the original page on my site is no longer available. It's also been discussed here: http://www.schneier.com/blog/archives/2009/05/secret_question.html [schneier.com] (find cipher.php) I found my old page on the wayback machine...perhaps I'll move it back where it goes http://web.archive.org/web/20060715223129/http://levii.com/cipher.php [archive.org] I'd appreciate input on the method. You have your random card, your own ez phrase and you end up with properly complex passwords. I've implemented this in numerous business environments, and people seem very happy with the result. Every 60 days they choose a new ez passphrase and/or get a new dynamically generated card.
  • by Monkeedude1212 ( 1560403 ) on Tuesday July 20, 2010 @12:02PM (#32965654) Journal

    People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the Receptionists will share passwords so they can log in on each other's computers and access each others' files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

    I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

    *I suppose that depends how frequently you are talking

  • Subject (Score:3, Informative)

    by MBGMorden ( 803437 ) on Tuesday July 20, 2010 @12:04PM (#32965688)

    This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.

    Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd made simpler passwords available, not nearly as many people would have resorted to that.

    It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.

  • Pass Phrases (Score:5, Informative)

    by Lifyre ( 960576 ) on Tuesday July 20, 2010 @12:06PM (#32965714)

    Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.

    Hell, a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"

    It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.

  • by ArcherB ( 796902 ) on Tuesday July 20, 2010 @12:07PM (#32965736) Journal

    The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

    The best passwords I've found are sentences translated into passwords. For example:

    My phone number is 555-234-2344 : Mp#i555-234-2344
    I live at 2202 Park Street : Il@2202PSt
    Four score and seven years ago : 4Sa7ya...
    My wife won't go down on me since we got married! : Mww'tgdomswgm!

    Whatever. You get the idea. All you have to remember is the sentence.

  • by Weedhopper ( 168515 ) on Tuesday July 20, 2010 @12:18PM (#32965946)

    Use your phrase. Just turn it into a password.

    I Need My Morning Coffee!!

    Then jam a number (your morning train, maybe) that makes sense onto it. Result:

    inmmc!!650

    I do this with song lyrics and quotes, going as far as to leave plaintext reminders on post-its - it's still impossible to guess.

  • Re:Reality Check (Score:1, Informative)

    by Anonymous Coward on Tuesday July 20, 2010 @12:49PM (#32966564)

    I run a mail server where I am able to see a brute attack happen... passwords used in the attempts are rarely more than ABC, 123, or the user's name

  • by DragonWriter ( 970822 ) on Tuesday July 20, 2010 @12:53PM (#32966632)

    We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise.

    Regular rotation clearly doesn't buy you time (it limits the time of exposure when certain problems occur, but doesn't buy you time.)

    What are we going to do to reprimand password sharing?

    Reprimanding is not the solution.

    The solution is:
    1) Find out what the problem is in the existing system that people are working around by sharing problems, and
    2) Address that problem in a way that removes the incentive to share passwords.

    As IT we just police

    This view is probably the source of many of your problems. As IT your mission should be marshalling technology to enable the broader organization to achieve its goals efficiently and safely, not being "just police".

    Rotating the passwords gives us the time we need that when attacks come up - we can address them properly.

    How? Regular rotation of passwords does nothing to delay the impact of an attack. Selective forced expiration of passwords in response to an identified attack may buy some time, but that's very different than a regular and frequent rotation policy.

  • People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis.

    I don't think that the claim is that "changing passwords frequently is a waste of time," at least not exactly. What's often misunderstood about security is people think that something is "secure" or it's not, and you can just sort of turn up the security level. That's not quite it. It's more about trade-offs.

    Just as a hypothetical example, imagine you owned an apartment building, and you found out that the lock on the front door to the building was relatively easy to pick. You think, "I'll fix that," and you install some big crazy contraption that's supposed to be incredibly secure and impossible to pick. Unfortunately it takes 5 different keys to open, and each time someone goes in or out, it takes them 3 minutes to get through the door. You say, "I don't care, I want the most secure thing!"

    A week later, you stop by the building to check on things. You find that, fed up with the annoying locks, the tenants have propped the front door open using a cinder block.

    This is the sort of thing that makes security a complicated subject, and this is the sort of objection you get to making people have really strong passwords that need to change frequently. When I started out, I worked briefly for a company that would make everyone have a 12 character password with lower-case, caps, symbols, and numbers, rotated once a month (maybe it was once every couple of months) with a 2-week warning. So you would really only get a couple weeks before the thing started popping up again asking you for a new password. And it wouldn't let you reuse any of your last 7 passwords. People were writing down their passwords all the time. Then someone came up with the idea of having a common way of generating passwords: [month]!abc1234567. She shared the idea with some of her coworkers, and then the next thing you know, half the people in the company have the same exact password: DEC!abc12345. The next month they had "JAN!abc12345". It took a while to convince the manager that this arrangement was not very secure.

    So really it's about finding balance. You have to find password policies that will encourage users to practice good habits, and the ideal policies may vary depending on the group of users.

  • Re:deh. (Score:2, Informative)

    by Anonymous Coward on Tuesday July 20, 2010 @01:13PM (#32966912)

    There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

    And it's the latter that really drives me nuts. I can't tell you the number of places that have a canned set of 4-6 questions that they're willing to allow you to use.

    For starters, I don't want to tell them the answers to any of those questions. Both because they can reconstruct too much about me, and because I don't want them to have the information since everybody seems to think they've got something 'unique' -- the more people who know the answer to any of those questions, the less usable it is as an identifier.

    I've actually had to come up with a set of alternate answers to the canned set of questions, specifically to push it back to something that is only known by me (or far less easy to deduce without a lot of personal knowledge).

    Having seen financial institutions use the same questions over and over, I'm sometimes more worried about the security of the challenge questions than my actual password -- because most password storage I've seen isn't invertible. You can confirm that the entered password creates the same hash, but you can't actually get the password.

    Any time I see a site which has a canned set of challenge questions, I cringe. Because, clearly they know nothing about security.

  • by turbidostato ( 878842 ) on Tuesday July 20, 2010 @02:37PM (#32968214)

    "After all, any security system involves secrets"

    False.

    Authentication requires at least one of these (of course, mixing two or three is better):
      * Something you know
      * Something you have
      * Something you are

    Only the first one relies on secrets.

  • why not have both? (Score:3, Informative)

    by nobodyman ( 90587 ) * on Tuesday July 20, 2010 @02:44PM (#32968316) Homepage

    Why not use a system of using simple phrases, including spaces and punctuation. Most systems allow that sort of thing. So the password "I love stinky cheese!" (including spaces and exclamation) is good for two reasons:

    • It's easy to remember (it's 21 characters but you only have to remember four words)
    • It's easy to type
    • It's extremely secure (it would take ages to brute-force, even with a dictionary attack)

    That said, I agree with the parent post: many times writing a password down is actually a good idea.
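An added illustration (not code from either poster) of the argument in Lifyre's "Pass Phrases" post above and of nobodyman's "I love stinky cheese!" example: it estimates the log2 guess count for a password under character brute force and, when the string looks like a phrase, under a word-list attack, and reports the weaker of the two, which is where the "may make dictionary attacks more effective" caveat shows up. The word-list size, the symbol-class size and the phrase heuristic are assumptions, not figures from the thread.

```python
import math
import re

# Added example: rough guess-space estimates for the passphrase-versus-symbol-string
# argument. Two attacker models are compared and the one more favourable to the
# attacker wins. WORDLIST_SIZE, SYMBOLS and the phrase heuristic are assumptions.
WORDLIST_SIZE = 20_000   # assumed size of the attacker's list of common words
SYMBOLS = 33             # printable ASCII punctuation characters
PHRASE_TOKEN = re.compile(r"^[A-Za-z]+[^A-Za-z0-9\s]?$")  # word, optional trailing symbol


def alphabet_size(pw):
    """Size of the character set an attacker must cover to brute-force pw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10), (str.isspace, 1),
               (lambda c: not (c.isalnum() or c.isspace()), SYMBOLS)]
    return sum(n for pred, n in classes if any(pred(c) for c in pw))


def brute_force_bits(pw):
    """Model 1: the attacker enumerates every string over the alphabet pw uses."""
    return len(pw) * math.log2(alphabet_size(pw))


def is_phrase(pw):
    """Heuristic: two or more space-separated words, each with at most one trailing symbol."""
    tokens = pw.split()
    return len(tokens) >= 2 and all(PHRASE_TOKEN.match(t) for t in tokens)


def wordlist_bits(pw):
    """Model 2: each word is one pick from the word list (times 2 for capitalised or not),
    and each trailing symbol is one pick from the symbol set."""
    tokens = pw.split()
    symbols = sum(1 for t in tokens if not t[-1].isalpha())
    return len(tokens) * math.log2(2 * WORDLIST_SIZE) + symbols * math.log2(SYMBOLS)


def effective_bits(pw):
    """Work factor (log2 of guesses) under whichever model is cheapest for the attacker."""
    bits = brute_force_bits(pw)
    if is_phrase(pw):
        bits = min(bits, wordlist_bits(pw))
    return bits
```

Under these assumptions the 42-character phrase drops from about 240 bits under brute force to about 122 bits once it is attacked word by word, which is still above the roughly 105 bits of the 16-character symbol string.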

  • Re:Simple (Score:3, Informative)

    by bberens ( 965711 ) on Tuesday July 20, 2010 @02:50PM (#32968398)
    Pick a row on the keyboard. Go down the row normally, then back up the row while holding shift. On the way down you'll get a number and lower case letters. On the way back up you get capitals and a special character (shift plus whatever number your row is). This is what a LOT of people do for ridiculous password requirements. It's very easily crackable.
  • This is why I lie. (Score:4, Informative)

    by KingSkippus ( 799657 ) on Tuesday July 20, 2010 @03:37PM (#32969090) Homepage Journal

    Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system. Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.

    I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.

    That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.

    I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.

    Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.
