
Passwords That Are Simple — and Safe(?) 563

TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
This discussion has been archived. No new comments can be posted.

  • by js_sebastian ( 946118 ) on Tuesday July 20, 2010 @11:52AM (#32965448)
    Recent paper by some microsoft folks at usenix security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)
  • by pcjunky ( 517872 ) <walterp@cyberstreet.com> on Tuesday July 20, 2010 @11:58AM (#32965534) Homepage

    CompuServe used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

  • by Shakrai ( 717556 ) * on Tuesday July 20, 2010 @11:59AM (#32965584) Journal

    Just use diceware [std.com]. It's got more than enough entropy and uses real words that are easy to remember.

  • Amateur idea (Score:2, Interesting)

    by Anonymous Coward on Tuesday July 20, 2010 @12:00PM (#32965602)

    Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passwords for a single user. Allowing multiple users to use the same password before it is locked out just makes it worse. If there are multiple potential hits, it's easier to find one account once you have a locked-out password.

  • by Anonymous Coward on Tuesday July 20, 2010 @12:01PM (#32965624)

    If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.

    1) change password, repeat until
    2) you hit upon a banned password
    3) add password to the top of your dictionary
    4) ???
    5) profit

  • Re:My favorite (Score:2, Interesting)

    by ninjacheeseburger ( 1330559 ) on Tuesday July 20, 2010 @12:20PM (#32965994)

    I once got locked from my bank account as I registered with a 14 character password which I spent some time memorizing.

    Unfortunately after calling them up and resetting my account twice, I was informed that the system only allowed 10 character long passwords and they had not implemented any method of checking the length when you registered.

  • by Scrameustache ( 459504 ) on Tuesday July 20, 2010 @12:20PM (#32965998) Homepage Journal

    People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

    No, but I had to deal with very strict password rules at university, and you know what I liked to collect? Strips of paper with usernames and very complicated passwords you can't possibly remember. I found those handwritten notes quite frequently at the computer labs, because the password system was insanely user-hostile and stressed-out students forget things when running off to class in a hurry.

    allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk.

    Why is their account not terminated at the same moment as their employment?

  • Re:Actually I don't. (Score:3, Interesting)

    by kent_eh ( 543303 ) on Tuesday July 20, 2010 @12:27PM (#32966134)

    "I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"

    Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.

    The big problem with my employer is that most of us have multiple platforms to log into, each maintained by a different group, each with unique password policies, which means different expiry periods, different non-alpha character requirements, and different min/max character requirements.

    Yes it's stupid.
    Yes, it does drive many users to the post-it note solution
    Yes we are a huge bureaucratic organization
    And, no, there is no political will to merge or harmonize the systems or policies. "You want us to do things like *them*? Are you mad!"

    Sigh. Only 5 years 'till early retirement...

  • Reality Check (Score:4, Interesting)

    by BitZtream ( 692029 ) on Tuesday July 20, 2010 @12:32PM (#32966236)

    No one cares enough about your data to steal your password, so long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

    Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

    The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

    Your password policies should be geared towards the individual security requirements of ... the individuals.

    Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

    Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

    If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Tuesday July 20, 2010 @12:47PM (#32966522)
    Comment removed based on user account deletion
  • Re:deh. (Score:3, Interesting)

    by Crudely_Indecent ( 739699 ) on Tuesday July 20, 2010 @01:02PM (#32966774) Journal

    I occasionally use simple, but misspelled words or names, or a combination of simple words that do not belong together, or simple phrases omitting spaces. One has to be careful not to choose common misspellings, or words that somehow go together, but a successful selection should be both easy to remember and immune to dictionary attack.

    My brother and nephews and I play a game called "two great tastes" that involves choosing two foods that taste great, but not together. The purpose is to come up with the grossest combination. These words combined would make a combination of words that don't go together ("sauerkraut" and "candycorn" for example, or "Tabasco" and "milk"). There are a virtually unlimited number of foods that can be combined in this game.

    Unfortunately, I cannot use these types for all passwords as some systems have strict rules in place which require numbers and/or characters or length restrictions.

    Examples (none that I use, of course):

    Misspelled:
    elixabeth
    zpecialist

    Combinations:
    applespongewrap ("apple" + "sponge" + "wrap")
    mustardeyedrops ("mustard" + "eyedrops")

    Phrases:
    islitasheet (part of "I slit a sheet, a sheet I slit, upon the slitted sheet I sit" tongue-twister)
    ilikemynewjob ("I like my new job")

  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Tuesday July 20, 2010 @01:08PM (#32966840)
    Comment removed based on user account deletion
  • Man, am I a loser... (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 20, 2010 @01:11PM (#32966884)

    I've used the same two passwords for over 25 years. Actually it was just one random alpha password that a mainframe spit out when I created one of my first password protected accounts, and I added the second because the original didn't have any numbers in it. I came up with that one the first time a system demanded that I put numbers in a password.

    I did recently introduce a 3rd password for my email accounts since I've seen some malware or hackers get your email addy and password from some site you use, then try the same password on that email account, then look for emails from financial institutions and businesses that can be exploited with the same password. But the 3rd password is still the same original password with one number stuck in the middle.

    I've never had anything whatsoever hacked into or had any problems of any kind related to the password, even though I've probably used it on more than a thousand systems from mainframes to minicomputers to networks to pc's to web sites.

    When I worked for one company that enforced the fancy password rules of length and numeric/symbols and changing it frequently, I just wrote it on a piece of paper and stuck it under the keyboard, just like you're supposed to. I'm not a security guy, I have a different job and forgetting the stupid password sort of made doing that job difficult. While I'm sure that it's some degree better to go through all these shenanigans, most users not only don't care or won't do it if they can avoid it, they don't want to do it and it probably doesn't make any difference in the grand scheme of things.

    Shoot, I used a bank for over 20 years and was pretty happy with them until they introduced the complex password and rotating them every two weeks. I'm not going to remember that crap and I don't want to have to write down my banking password. Kissed them goodbye immediately and put my money in a bank that lets ME decide how much security I need around my password.

  • Re:Simple (Score:3, Interesting)

    by walshy007 ( 906710 ) on Tuesday July 20, 2010 @02:14PM (#32967900)

    My solution to draconian password schemes is simple: use a hash of one of my more normal passwords AS the password for said system.

    Good luck to the person who tries to brute force the 40+ character hex string :)

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Tuesday July 20, 2010 @03:26PM (#32968858)
    Comment removed based on user account deletion
  • by Akral ( 975984 ) on Tuesday July 20, 2010 @05:09PM (#32970542) Homepage

    Problem #1: Users use simple, easy-to-guess passwords.
    Problem #2: Users write hard and long passwords down.
    Solution: Let users' passwords be "AB", where A is long and hard string, written down and posted to their computer, and B is a small and short string.

    Rationale:
    1. The result is easy to remember;
    2. The resulting password "jH329J#nBmbottle" is very secure from bruteforce attacks;
    3. The resulting password is secure from local co-workers attacks, because the evil-doer won't know part B;
    4. In case someone was hired and could have left with all parts A written down, you can simply change parts A for all users, and they will hardly even notice.

    Did I miss anything?
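The entropy arithmetic behind the schemes proposed in this thread (pcjunky's two words with a punctuation mark, Shakrai's Diceware suggestion, and Akral's written-down part A plus memorised part B), as an added example that is not part of any comment. The word list is a constructed sample, and the dictionary and punctuation sizes passed in are assumptions.

```python
import math
import secrets

# Constructed sample standing in for a real Diceware list; the entropy
# calculations below use the real list size (6^5 = 7776), not this sample.
SAMPLE_WORDS = ["impair", "boxer", "bottle", "sponge", "mustard", "candy",
                "slit", "sheet", "apple", "tabasco", "milk", "eyedrop"]
DICEWARE_LIST_SIZE = 6 ** 5  # five dice rolls select one of 7776 words


def bits(choices: int) -> float:
    """Entropy in bits of one uniformly random choice among `choices`."""
    return math.log2(choices)


def diceware_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from the list.
    Five Diceware words give about 64.6 bits."""
    return words * bits(list_size)


def two_word_bits(dictionary_size: int, punctuation_choices: int) -> float:
    """Entropy of 'word<mark>word' when both words and the mark are drawn
    uniformly; 10,000 words and 10 marks give just under 30 bits, matching
    the 'hundreds of millions of possibilities' figure in the thread."""
    return 2 * bits(dictionary_size) + bits(punctuation_choices)


def ab_scheme_bits(a_bits: float, b_bits: float, a_is_known: bool) -> float:
    """Entropy left in an 'A + B' password. Once the written-down part A is
    read off the sticky note, only the memorised part B is unknown."""
    return b_bits if a_is_known else a_bits + b_bits


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret by exhaustive guessing: on average the
    attacker searches half the space, so 2^(bits-1) guesses."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def diceware_passphrase(words: int, wordlist=SAMPLE_WORDS) -> str:
    """Generate a passphrase with the CSPRNG (secrets), never random.choice()."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"5 Diceware words: {diceware_bits(5):.1f} bits")
    print(f"two words + mark: {two_word_bits(10000, 10):.1f} bits")
    print(f"A+B with A known: {ab_scheme_bits(70, 20, True):.0f} bits")
    print("sample passphrase:", diceware_passphrase(5))
```

Note that the entropy figures assume the words are chosen uniformly at random; a word pair picked for memorability or a misspelling of a common word comes from a far smaller space than the whole dictionary.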
