Passwords That Are Simple — and Safe(?)

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.

  • deh. (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 20, 2010 @11:51AM (#32965438)

    Why not use simple words that can't easily be found using a dictionary brute force?

    And most hacked accounts come from shitty secret questions/answers that let you change the password.

  • by Anonymous Coward on Tuesday July 20, 2010 @11:52AM (#32965444)

    Call it a "passphrase." Ban that other word.

  • by ceswiedler ( 165311 ) * <chris@swiedler.org> on Tuesday July 20, 2010 @11:53AM (#32965458)

    The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

  • by FictionPimp ( 712802 ) on Tuesday July 20, 2010 @11:53AM (#32965464) Homepage

    To me it depends on two things:

    1) How important is the data.
    2) What level of access do un-authorized people have to the system.

    For example, we have a private development server on an isolated VLAN. The only way to gain any network access to this server is to be plugged into one of the ports that have access to that VLAN (so just the developer offices).

    Do I really need a password like 2wsx)OKMnhy6BGT%?

    or does something simple like: 53xym@n cover it?

    Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more than just using a simple public key with a simple password on said key?

  • by Darkness404 ( 1287218 ) on Tuesday July 20, 2010 @11:57AM (#32965532)
    In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

    Really, you have to figure out who would be trying to get into your account: family members? A random black-hat? Your friends? Your enemies? And base passwords on that. For example, if your main problem is with black hats, a password such as your dog's name with your birth year, like "fido1961", might be good enough to prevent brute force attacks; on the other hand, that password is laughably weak if your family or friends want to get in and have some good skills. However, in most cases people write down passwords, which leads to more weaknesses, because for some reason IT departments want people to have passwords like "Zn98iTgg4324YEneEjjRtZ34", which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.
  • by Jimpqfly ( 790794 ) on Tuesday July 20, 2010 @12:00PM (#32965614) Homepage Journal
    Think about a sentence, take the first letter of each word, include a digit: you've got your password.
  • Phrases (Score:1, Insightful)

    by Anonymous Coward on Tuesday July 20, 2010 @12:02PM (#32965652)

    I never understood why phrases never caught on in place of single, overly-complex and hard to remember "words." Using a phrase like "I need my morning coffee!!" as a password is long enough that it won't be brute forced, complex enough that it won't be dictionary'd, and is still completely memorable. Nonsense phrases would make it even less likely to be "figured out."

  • by tlhIngan ( 30335 ) <slashdot.worf@net> on Tuesday July 20, 2010 @12:07PM (#32965732)

    Yeah, changing passwords frequently just makes for lower-quality passwords.

    Eventually people fall into a sequence that's even more detrimental to security than a really good, long password.

    Here's some "strong" passwords - capital letters and numbers: Jan2010, Feb2010, Mar2010, ...
    Let's make it harder, add symbols! Jan!2010, Feb@2010, Mar#2010, ... Nov2010
    Can't repeat numbers in same spot? Jan!2010, 2010Feb@, Mar#2010, ...
    Want longer? January2010, February2010, ...
    Hell, they may just simplify and do 1!January, 2@February, 3#March, ...
    etc.

    Plus, it really depends on what you're trying to protect. My password for a blog site would be relatively weak because if it's compromised, so what? My password for my bank though is something much stronger for obvious reasons. Sites that claim that 80% of the people use "password" as their password aren't revealing anything - it depends on the site itself. If it's some news site or otherwise unimportant with no consequences, it'll have a weak password. If it's a password to your bank account, then you'll have something much stronger on it. Ditto sites with the same password - if it's a blog, so what if I use the same password on all the blog sites I visit? Big whoop, you compromised my NYT login and now have access to some other blog sites.

  • Simple (Score:2, Insightful)

    by Anonymous Coward on Tuesday July 20, 2010 @12:08PM (#32965758)

    When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

    And having written-down passwords negates the benefit of all those special characters.

    Also, simply making it policy that users can't write the passwords down doesn't help...users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens the security of your system.

  • by Darkness404 ( 1287218 ) on Tuesday July 20, 2010 @12:11PM (#32965810)
    So instead of having a few people in the company knowing passwords, you end up with people with a sticky note with all their passwords stuck to their monitor. Let's face it, perfect security is impossible, the average person can't remember insanely long abstract passwords, so either you have weaker passwords, the security question flaws, IT hell of having to reset passwords every other week, or the sticky note on the monitor.

    Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that. If your main threat is from random blackhats, choosing a password like "jennifeR21211985" wouldn't be too terrible of a password, on the other hand, if the main threat was from people who knew the person, such a password like your kid's name with a random capital letter then their birthdate could be laughable.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday July 20, 2010 @12:13PM (#32965840)

    If the password can be easily remembered, it will end up in a dictionary.

    But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

    You have two different uses for passwords:

    #1. Lets you login to your computer or account or whatever.

    #2. Encrypts files that you don't want other people to read.

    If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

    In case #2 then you want a HUGE key because the file can be attacked off-line.
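A throttling guard for case #1, as an added example that is not part of the thread: it applies the "monitor failed attempts and delay between them" rule to password logins and, because the same guard is keyed by channel, to recovery-question answers as well, replaying a constructed 10,000-guess enumeration of a four-digit answer. The class name AttemptGuard, the thresholds and the sample secrets are assumptions.

```python
"""Throttle secret-verification attempts per account and per channel.

Added example, not code from the Slashdot thread. It models the safeguard
described above: a per-minute rate limit plus a three-strikes lockout,
applied to password logins and to recovery-question answers alike. The
class, the event stream and the secret values are all constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0                                  # consecutive failures
    locked_until: float = 0.0                          # epoch seconds
    recent: deque = field(default_factory=deque)       # timestamps in last 60 s


class AttemptGuard:
    def __init__(self, max_per_minute=10, strikes=3, lock_seconds=900):
        self.max_per_minute = max_per_minute
        self.strikes = strikes
        self.lock_seconds = lock_seconds
        self.state = {}  # (account, channel) -> AccountState

    def _state(self, account, channel):
        return self.state.setdefault((account, channel), AccountState())

    def check(self, account, channel, now):
        """Decide BEFORE the secret is compared. Returns (allowed, reason)."""
        st = self._state(account, channel)
        if now < st.locked_until:
            return False, "lock"
        while st.recent and now - st.recent[0] >= 60:
            st.recent.popleft()
        if len(st.recent) >= self.max_per_minute:
            return False, "rate"
        st.recent.append(now)
        return True, "ok"

    def record(self, account, channel, success, now):
        """Update strike count after a comparison; lock on the Nth failure."""
        st = self._state(account, channel)
        if success:
            st.failures = 0
            return
        st.failures += 1
        if st.failures >= self.strikes:
            st.locked_until = now + self.lock_seconds
            st.failures = 0


def replay(events, guard, secrets):
    """Feed (t, account, channel, guess) events through the guard.

    The guess is only compared with the stored secret when the guard allows
    it, so blocked attempts never learn anything. Returns counters.
    """
    counts = {"attempted": 0, "verified": 0, "success": 0,
              "blocked_rate": 0, "blocked_lock": 0}
    for t, account, channel, guess in events:
        counts["attempted"] += 1
        allowed, reason = guard.check(account, channel, t)
        if not allowed:
            counts["blocked_" + reason] += 1
            continue
        ok = secrets[(account, channel)] == guess
        counts["verified"] += 1
        counts["success"] += int(ok)
        guard.record(account, channel, ok, t)
    return counts


# Constructed scenario: the recovery question is "last 4 digits of your card"
# and an automated client submits 0000..9999, one guess per second.
SECRETS = {("alice", "recovery"): "4821", ("alice", "login"): "correct horse"}
ENUMERATION = [(float(i), "alice", "recovery", f"{i:04d}") for i in range(10000)]


def run_enumeration(guard=None):
    """Same 10,000-guess stream with the guard in front of the comparison."""
    return replay(ENUMERATION, guard or AttemptGuard(), SECRETS)


def unguarded_attempts_to_success():
    """Contrast: with no guard the stream hits the answer on attempt 4822."""
    for n, (_, account, channel, guess) in enumerate(ENUMERATION, 1):
        if SECRETS[(account, channel)] == guess:
            return n
    return None


if __name__ == "__main__":
    print("unguarded: success on attempt", unguarded_attempts_to_success())
    print("guarded:", run_enumeration())
```

With the default thresholds only 36 of the 10,000 guesses ever reach the comparison and none succeeds, whereas the unguarded stream succeeds on attempt 4822.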

  • by travisco_nabisco ( 817002 ) on Tuesday July 20, 2010 @12:18PM (#32965930)
    Detecting how a user types a password sounds like a great idea until I decide that my cheeseburger is not worth putting down, and I try to type the password with one hand.

    Or maybe I have cut my finger and have a bandaid on it, altering my typing speed and force distribution. Perhaps there is a crumb stuck under a key that alters the momentum of the press.

    There are way too many possible ways for it to go wrong. There needs to be a backup method, and that is likely to remove most of the benefits of the scheme.
  • Re:Pass Phrases (Score:3, Insightful)

    by plumby ( 179557 ) on Tuesday July 20, 2010 @12:23PM (#32966040)

    Depends what the password is for. We have to lock our screens when we leave our desks, and then retype our passwords when we return. I now lock my screen out of habit if I turn round to talk to someone. I don't want to have to retype a 40 letter string (correctly) every time I turn back to do some work.

  • by swilly ( 24960 ) on Tuesday July 20, 2010 @12:23PM (#32966044)

    I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum password lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

    Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

  • by DragonWriter ( 970822 ) on Tuesday July 20, 2010 @12:24PM (#32966062)

    > People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

    People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
    1) People who should not have access to facilities are routinely being given it by others, or
    2) People who should have access to facilities are not given reliable enough access to it in their own name.

    Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

    > As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home.

    You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

    > We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

    And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

  • Re:Simple (Score:5, Insightful)

    by iluvcapra ( 782887 ) on Tuesday July 20, 2010 @12:27PM (#32966116)

    > When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

    I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

    > And having written-down passwords negates the benefit of all those special characters

    This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

    Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it absolutely better than something written down, or contained in a separate, secure place.

    You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

  • by Anonymous Coward on Tuesday July 20, 2010 @12:28PM (#32966140)

    I'm sorry, that password is already in use in the following accounts.

  • Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

    It is the most ridiculous policy I've seen in this field.

    A better policy is:

    1) force strong passwords
    2) audit against weak passwords using cracking tools
    3) force a change of passwords when an incident occurs, or a person with a shared (i.e. admin, root, database, etc.) access leaves the company.

    Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!
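An audit check for policy step 2, as an added example that is not part of the thread: it flags the month-plus-year rotation sequences tlhIngan lists earlier (Jan2010, Feb@2010, 2010Feb@, 1!January, ...) and a new password that is a trivial edit of the previous one. The reason strings, thresholds and sample passwords are constructed.

```python
"""Audit a candidate password for the rotation patterns discussed above.

Added example, not code from the Slashdot thread. It implements the "audit
against weak passwords" policy step for two failure modes the thread names:
month-plus-year sequences (whatever symbols or ordering are used) and a new
password within a couple of edits of an old one. Thresholds, reason strings
and the sample history are constructed.
"""
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def _is_month_stem(word):
    """True when the letters are a month name or a 3+ letter prefix of one."""
    return len(word) >= 3 and any(m.startswith(word) for m in MONTHS)


def has_calendar_pattern(pw):
    """Month name/abbreviation plus nothing, a month number or a year.

    Symbols and ordering are ignored, so Jan!2010, 2010Feb@ and 1!January all
    reduce to the same shape; a phrase that merely contains a month does not.
    """
    letters = re.sub(r"[^a-z]", "", pw.lower())
    digits = re.sub(r"\D", "", pw)
    if not _is_month_stem(letters):
        return False
    if digits == "":
        return True
    if len(digits) <= 2 and 1 <= int(digits) <= 12:
        return True
    return len(digits) == 4 and 1900 <= int(digits) <= 2099


def levenshtein(a, b):
    """Edit distance with the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(new_pw, previous, min_len=12, max_edit=2):
    """Return the list of policy reasons the candidate fails (empty = accept)."""
    reasons = []
    if len(new_pw) < min_len:
        reasons.append("too short")
    if has_calendar_pattern(new_pw):
        reasons.append("month/year pattern")
    if any(levenshtein(new_pw.lower(), old.lower()) <= max_edit for old in previous):
        reasons.append("too similar to a previous password")
    return reasons


# Constructed rotation history in the shape the thread describes.
SAMPLE_HISTORY = ["Jan!2010", "Feb@2010", "Mar#2010"]


def audit_rotation(candidates, history=SAMPLE_HISTORY):
    """Audit each candidate against the history; returns {candidate: reasons}."""
    return {pw: audit(pw, history) for pw in candidates}


if __name__ == "__main__":
    for pw, why in audit_rotation(["Apr$2010", "2010Apr$", "4$April",
                                   "Shelly's birthday is on July the 20'th"]).items():
        print(f"{pw!r}: {'ok' if not why else ', '.join(why)}")
```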

  • Re:deh. (Score:5, Insightful)

    by Opportunist ( 166417 ) on Tuesday July 20, 2010 @12:37PM (#32966320)

    Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

    There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

    Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system.
    Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
    Place of birth? Elementary school? Pet's name? Check the person's Facebook account.

    It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something anymore that you can easily use to crack passwords.

    Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

    And I guess I needn't waste a character to write about keyloggers.

  • by Monkeedude1212 ( 1560403 ) on Tuesday July 20, 2010 @12:39PM (#32966356) Journal

    We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise. We could be complete hard asses about sharing passwords, no doubt. However, we're going through some growing pains right now and we don't have the staff to deal with all the smaller issues that come up. What are we going to do to reprimand password sharing? Reduce their share folder size? As IT we just police, but it's up to the individual managers to dole out the sentences for bad behavior and some managers honestly don't care.

    We haven't been able to combat the password writing down with OR without rotation - people still print them off, or write them on stickies, post them to the wall, and all that. We have not been able to combat that problem in any sense, so why not rotate it around?

    A redirect from My Documents to a network drive would cause some unnecessary strain on the backbone of our network - we don't want them sharing EVERY possible file, and we don't want to have to upload to our server every time they press CTRL+S.

    Rotating the passwords gives us the time we need so that when attacks come up we can address them properly. It doesn't stop them from happening, but it makes dealing with them easier. And we simply haven't found a solution that stops the problem from occurring.

  • by nasch ( 598556 ) on Tuesday July 20, 2010 @12:48PM (#32966534)

    That's security through obscurity. It's basically a substitution cypher that relies on the attacker not knowing it's being used. It's maybe fine for something like your slashdot account, but should not be relied on for real security.

  • frobgard (Score:3, Insightful)

    by SuperKendall ( 25149 ) on Tuesday July 20, 2010 @12:56PM (#32966664)

    > If the password can be easily remembered, it will end up in a dictionary.

    Frobgard.

    The clock is ticking on your assertion...

  • by Bigjeff5 ( 1143585 ) on Tuesday July 20, 2010 @12:57PM (#32966676)

    > Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that.

    That is exactly right.

    The security in any system is only as strong as the weakest members, and the end user is almost always the weakest member of the security question. So before you can do anything, you need to strengthen the security that the users themselves practice. You need a comprehensive training program for all your employees - and it has to be a good one. You've got to make the security problem relevant to them before you'll be able to get any real behavior change.

    Once you've done that, you need to implement sane policies that a reasonable individual can handle. Just because you have developed a system to memorize a random 20 character password at the drop of a hat doesn't mean your end users have (in fact, they almost certainly have not). Requiring a 20 character password with four upper and four lower case characters, four numbers, and four symbols (yeah, you get a whole 4 characters that you can make whatever you want!) that changes every month is not going to work, ever.

    I worked at a National Guard armory on an army base for a while (I was a civilian contractor) and the problem with security that didn't take the users into account was glaringly obvious. The security there was intense - access cards that were bio-metrically linked to the individual (via fingerprint), an 8 digit PIN number for the card access, and a 10-15 character password that had to have 2 upper and lower characters, 2 numbers and 2 symbols in case you locked out your card with the wrong PIN.

    You couldn't just unlock your PIN. If you locked it out, you needed to set a new one. To do this you had to scan your fingerprint at the issuing office. Your PIN could not be the same as any of the last 10-15 PINs you used, I don't remember the exact number. Since this was a constant problem, if you locked your card out you could expect to spend a half hour to an hour unlocking it. The password was a backup - you could get on to your system with your password. The trouble was nobody used their password, so unless they had it on a sticky they couldn't use it to get in to their system.

    The PIN numbers were changed so frequently people started putting them on stickies on their monitor. Then they'd step out and forget their access card in the machine. Now you have zero security. None, nada, zilch. For all your system does to keep it secure, you can just walk in to almost any empty but open office and find a card in a machine with the correct PIN stickied to the monitor.

    You must design your security system to the limits of your users, not to the limits of the technology.

    I'm personally a big fan of pass-phrases. It doesn't matter if you use dictionary words in a pass phrase, you're looking at 50,000+ possibilities for each word in the phrase, so for a 5 word passphrase you're looking at about 3^20 permutations. Add in capital letters and punctuation and it is more like 1^25 permutations. Compared to 9^20 for the 20 character password I described above, and that's not too far off. Most places recognize that a 20 character password will never work, and they generally use at most a 15 character password. Without any of the lost-options caused by adding restrictions (so many of x, y, or z type digit) that's 3^15 permutations, a hell of a lot less than the much easier to remember 5 word pass-phrase.

    So you can have your insane levels of security if you're smart about it. If someone wants to use their daughter's birthday, "Shelly's birthday is on July the 20'th" is nearly uncrackable and extremely easy to remember.

    The only way to limit sharing of passwords is to: a.) give them a secure and convenient way to do the same thing, b.) educate them about why they should not be sharing their passwords amongst themselves and make it relevant to them personally, and c.) enforce the policy with serious conse
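Keyspace arithmetic for the schemes the post above compares, as an added example that is not part of the thread: a 5-word passphrase from a 50,000-word list, random 15- and 20-character passwords, and the 20-character password with the "at least four of each class" rule, counted exactly because composition rules remove strings from the keyspace. The 33-symbol class, the 10-guesses-per-minute online rate (from Opportunist's post) and the 10^10-per-second offline rate are assumptions.

```python
"""Keyspace arithmetic for the password schemes compared in the thread.

Added example, not from the Slashdot thread. It works out how many guesses
each scheme has to withstand and how long that takes at a given guess rate.
Guess rates are assumptions: 10 per minute for a throttled online login and a
constructed 10^10 per second for an offline hash-cracking rig.
"""
import math

UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 printable ASCII symbols
PRINTABLE = UPPER + LOWER + DIGITS + SYMBOLS    # 95


def bits_words(n_words, dict_size):
    """Entropy of n_words drawn uniformly from a dict_size-word list."""
    return n_words * math.log2(dict_size)


def bits_random(length, alphabet):
    """Entropy of length characters drawn uniformly from alphabet."""
    return length * math.log2(alphabet)


def compositions(total, mins):
    """Yield count tuples (one per class), each >= its minimum, summing to total."""
    if len(mins) == 1:
        if total >= mins[0]:
            yield (total,)
        return
    for first in range(mins[0], total - sum(mins[1:]) + 1):
        for rest in compositions(total - first, mins[1:]):
            yield (first,) + rest


def count_constrained(length, mins, sizes):
    """Exact number of strings of the given length with at least mins[i]
    characters from class i (class i has sizes[i] characters).

    Sums multinomial(length; c_0..c_k) * prod(sizes[i] ** c_i) over all
    admissible class counts. With all mins zero this equals sum(sizes)**length.
    """
    total = 0
    for comp in compositions(length, list(mins)):
        ways = math.factorial(length)
        for c in comp:
            ways //= math.factorial(c)
        for c, size in zip(comp, sizes):
            ways *= size ** c
        total += ways
    return total


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a fixed rate."""
    return keyspace / guesses_per_second


def compare_schemes():
    """Bits of entropy for each scheme; the constrained one via exact count."""
    constrained = count_constrained(20, (4, 4, 4, 4),
                                    (UPPER, LOWER, DIGITS, SYMBOLS))
    return {
        "5 words / 50k list": bits_words(5, 50_000),
        "15 random printable": bits_random(15, PRINTABLE),
        "20 random printable": bits_random(20, PRINTABLE),
        "20 with 4-of-each rule": math.log2(constrained),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:24s} {bits:6.1f} bits")
    print("4-digit answer, online at 10/min:",
          seconds_to_exhaust(10 ** 4, 10 / 60) / 3600, "hours")
    print("5-word passphrase, offline at 1e10/s:",
          seconds_to_exhaust(50_000 ** 5, 1e10) / (3600 * 24 * 365), "years")
```

The five-word passphrase comes out at about 78 bits, a random 15-character printable password at about 98.5 bits, and the composition rule makes the 20-character scheme slightly weaker than the unconstrained 131.4 bits.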

  • Re:deh. (Score:3, Insightful)

    by bertoelcon ( 1557907 ) * on Tuesday July 20, 2010 @01:11PM (#32966878)
    I find a good way to get around those recovery questions is to lie on them. For example, every one that asks me "What is your mother's maiden name?" gets the same answer but not the truth.
  • by FictionPimp ( 712802 ) on Tuesday July 20, 2010 @01:25PM (#32967152) Homepage

    Are not all passwords just security through obscurity?

  • by archangel9 ( 1499897 ) on Tuesday July 20, 2010 @01:27PM (#32967194)

    > The solution is: 1) Find out what the problem is in the existing system that people are working around by sharing problems, and 2) Address that problem in a way that removes the incentive to share passwords.

    Well put. Should be modded up. (the rest directed to monkeedude)
    I have been managing small networks for about 13 years, and your post is exactly the problem. A relative "n00b" thinks they can dictate the way users work by putting a network in place and telling users to do it a certain way.

    Well, that doesn't fly. In any small network, you have to look at the work flow and figure out what information these users need in order to complete their tasks. If Bob and Suzie need to share files, for goodness sake, map them an X: drive to a server, give them rights, and move on. Do it however you choose, script-wise, but do it. Use Groups. Plan your resources. This is Network Admin 101. Above all, work with the users, don't just think you're going to slap them on the wrist when they don't do it "your way".

    Have you introduced this problem to your manager? What do they say? If your responses belong to your manager, then your manager doesn't have a great deal of experience in the IT field either. I'm not attempting to bash your post, but your entire point of view regarding management of the network should really be re-assessed. Some small network admins get those kinds of ideas in their heads and never let it go. My suggestion to you: let it go. Work with management to establish network documentation: Best Practices, Internet Usage, and a Policy and Procedure manual (see HR for help. yes, they are two completely different things). Establishing documentation will help the users better understand what's going on, even if they don't become immediately savvy. Working with the users to figure out their issues with the computer system will be a learning experience for you, too. Be open-minded and leave any defensive attitude at the door, as someone is bound to say something that you will want to take personally. Get past this phase of the network growth and you will reap the benefits.

  • Re:Reality Check (Score:3, Insightful)

    by DarthVain ( 724186 ) on Tuesday July 20, 2010 @02:24PM (#32968032)

    IT Security doesn't get security, mostly because they don't seem to deal in common sense.

    Years ago I tried to explain that making the password more complex, and making people enter it more often, and changing it, will NOT make anything more secure, but will in fact make things LESS secure. My rationale was that people will just write it down on a sticky note and stick it to their monitor. Their response to that is to simply make a policy (which everyone ignores btw) that prohibits employees from doing that. So really they don't care about security at all, only that it can be blamed on someone else.

    Also more recently I expressed my objections over the sheer number of passwords I need to maintain for all the corporate systems I have access to. Remembering them is hard enough, when they don't all need to be changed to something new every 30 days. Not only that, but currently I am trying to explain to some IT systems folks involved in development of a new system, how putting a strong password scheme is really pointless, and really it should be the exact same password as my personal log in, or none at all. Considering that once someone has logged on as me, it is really trivial to send Help Desk an email in my name asking for a password reset, and then to receive that new password via the same email. Considering that people now forget their passwords all the time due to their current security setup, they process this task of telling people their passwords relentlessly every day, so one more request would be a drop in the bucket.

    Anyway I think many times people need to look at the "big picture" security rather than get lost in the details, and just use some common sense. Don't fool yourself, IT security has more to do with assigning blame than it ever has to do with trying to keep unauthorized people out.

  • Re:frobgard (Score:3, Insightful)

    by TheLink ( 130905 ) on Tuesday July 20, 2010 @02:27PM (#32968084) Journal
    > They're easy to generate/remember and won't be in any dictionary.

    Easy to remember for who? I tried something similar before (password generator) and most people still considered them difficult to remember and grumbled...

    So I think it's better to:
    1) Have them write their passwords down and store them in their purse or wallet.
    2) Do not give them powerful accounts where possible.

    If you're the sysadmin and the Boss _insists_ on super powerful accounts and wants to use stuff like "password" as his password, and you are unable to convince him otherwise, it's not a good situation...
  • by quanticle ( 843097 ) on Tuesday July 20, 2010 @02:31PM (#32968120) Homepage

    The grandparent isn't talking about replacing passwords with USB sticks. He's talking about two factor authentication. The user has a USB stick and a password. They need to plug in their USB stick in order to even bring up the login screen. Once their USB stick is authenticated, they need to type in the password to get access to their account.

    It'd solve both problems. You wouldn't have to deal with the risk of former employees snooping, since you could drop the permissions for their USB stick. The users wouldn't mind because the need for a strong password would be lessened. It's not even a mental leap for most users, since they seem to do just fine with ATMs, which employ the same system (card + PIN).

  • by NitroWolf ( 72977 ) on Tuesday July 20, 2010 @03:36PM (#32969066)

    > People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the Receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.
    >
    > I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.
    >
    > *I suppose that depends how frequently you are talking

    I had to deal with a similar situation in the military... I came to the conclusion that users will always be users and if things like this are happening, it's a failing of the IT and/or Software Design portions of the system. If your secretaries are saving documents to My Documents on the C: drive, you need to change the My Documents to point to the network drive. You need to basically start eliminating/changing the way the users do things that are improper... it really is ultimately a failing of IT to design the system to cater to the users. In the end, you only have to design one system that works, as opposed to training individuals forever. While it takes longer to design a system properly and less time to train an individual user, over the operational lifetime of the system, the cost:benefit ratio for the properly designed system will far, far outweigh the cost of training users (and ultimately failing).

    I could actually see a lightbulb go off in the head of an Admiral during a JTF exercise one time when I explained this concept to him. Apparently, the concept of making a system that fits the users, instead of making the users fit the system is foreign to a great number of people, mostly in management and those that make budget decisions.

  • by blair1q ( 305137 ) on Tuesday July 20, 2010 @04:04PM (#32969506) Journal

    If they're not highly-trained enough to know to lock up a password, then they have no business being in charge of information that needs a password to access, and all of the worry about how they store their password is moot.

  • Quick point: The 15+ characters on Windows rule is outdated (not that short passwords are a good idea anyhow). The old hash algorithm was absurdly easy to brute-force (there are free downloads that will do it in 3 minutes or less) and is disabled by default on all Windows systems from Vista forward (possibly also 2003, I'm not sure). I believe it can be re-enabled for backward compatibility, and it may be possible to disable on XP (check the Local Security Policy management console, perhaps) but yes, there are downsides to using a legacy OS, such as legacy hashing algorithms used for security.

  • by tepples ( 727027 ) <tepples.gmail@com> on Wednesday July 21, 2010 @09:32AM (#32976890) Homepage Journal

    Authentication requires at least one of these (of course, mixing two or three is better):
    * Something you know
    * Something you have
    * Something you are

    Only the first one relies on secrets.

    "Something you have" typically involves a device containing some form of stored "something you know". "Something you are" can't be revoked and reissued in case of compromise.

  • Re:Pass Phrases (Score:3, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Wednesday July 21, 2010 @11:23AM (#32978342) Homepage Journal

    > Typing five words in a row correctly is not actually that hard.

    It is if you can't see what you're typing.
