Passwords That Are Simple — and Safe(?) 563
TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
deh. (Score:5, Insightful)
Why don't use simple words that can't easily be found using dictionnary bruteforce ?
And most hacked account come from shitty secret question/answer that can let you change password.
Simple (Score:2, Insightful)
When your password rules have a net effect of disallowing people from using their familiar pneumonic systems for remembering passwords, you force them to write the passwords down.
And having written-down passwords negates the benefit of all those special characters.
Also, simply making it policy that users can't write the passwords down doesn't help...users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens th
Re:Simple (Score:5, Insightful)
I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...
This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.
Encryption keys require a different sort of discipline, but again just because something is memorizable doesn't mean it absolutely better than something written down, or contained in a separate, secure place.
You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.
why not have both? (Score:3, Informative)
Why not use a system of using simple phrases, including spaces and punctuation. Most systems allow that sort of thing. So the password "I love stinky cheese!" (including spaces and exclamation) is good for two reasons:
That said, I agree with the parent post: many times writing a password down is actually a good idea.
Re: (Score:3, Interesting)
My solution to draconian password schemes is simple, use a hash of one of my more normal passwords AS the password for said system.
Good luck to the person who tries to brute force the 40+ character hex string :)
Re: (Score:3, Informative)
Eventually they will be in dictionaries. (Score:5, Insightful)
If the password can be easily remembered, it will end up in a dictionary.
But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.
You have two different uses for passwords:
#1. Lets you login to your computer or account or whatever.
#2. Encrypts files that you don't want other people to read.
If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).
In case #2 then you want a HUGE key because the file can be attacked off-line.
frobgard (Score:3, Insightful)
If the password can be easily remembered, it will end up in a dictionary.
Frobgard.
The clock is ticking on your assertion...
Re: (Score:3)
What? You don't think that a dictionary attack is limited to words in an actual dictionary, do you? Crackers have password dictionaries that include all sorts of common passwords, like "letmein", "IAmGod", "xyzzy" "Hunter2", etc. By now, "Frobgard" is in one.
Re: (Score:3, Insightful)
Easy to remember for who? I tried something similar before (password generator) and most people still considered them difficult to remember and grumbled...
So I think it's better to:
1) Have them write their passwords down and store them in their purse or wallet.
2) Do not give them powerful accounts where possible.
If you're the sysadmin and the Boss _insists_ on super powerful accounts and wants to stuff like "password" as his password, and
Re:deh. (Score:5, Insightful)
Pretty much this. Someone hand Mr. Anonymous a few mod-ups.
There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.
Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of try and error. 10000 attempts, tops. Trivial to do for an automated system.
Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
Place of birth? Elementary school? Pet's name? Check the person' Facebook account.
It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are not really something anymore that you can easily use to crack passwords.
Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.
And I guess I needn't waste a character to write about keyloggers.
Re: (Score:3, Insightful)
This is why I lie. (Score:4, Informative)
I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.
That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.
I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.
Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.
Re: (Score:3, Interesting)
I occasionally use simple, but misspelled words or names, or a combination of simple words that do not belong together, or simple phrases omitting spaces. One has to be careful not to choose common misspellings, or words that somehow go together, but a successful selection should be both easy to remember and immune to dictionary attack.
My brother and nephews and I play a game called "two great tastes" that involves choosing two foods that taste great, but not together. The purpose is to come up with the g
Re: (Score:3, Funny)
By any chance, is "deh" your password?
don't ever use the word "password" (Score:5, Insightful)
Call it a "passphrase." Ban that other word.
Re:don't ever use the word "password" (Score:5, Insightful)
I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum passwords lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.
Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".
Re: (Score:3, Insightful)
That's security through obscurity. It's basically a substitution cypher that relies on the attacker not knowing it's being used. It's maybe fine for something like your slashdot account, but should not be relied on for real security.
Re: (Score:3, Insightful)
Are not all passwords just security though obscurity?
Re: (Score:3, Informative)
"After all, any security system involves secrets"
False.
Authentication requires at least one of these (of course, mixing two or three is better):
* Something you know
* Something you have
* Something you are
Only the first one relies on secrets.
Re: (Score:3, Insightful)
Authentication requires at least one of these (of course, mixing two or three is better):
* Something you know
* Something you have
* Something you are
Only the first one relies on secrets.
"Something you have" typically involves a device containing some form of stored "something you know". "Something you are" can't be revoked and reissued in case of compromise.
changing passwords frequently makes no sense (Score:4, Interesting)
Re:changing passwords frequently makes no sense (Score:5, Informative)
People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occaison, the Receptionists will share passwords so they can log in on each other's computers and access each others files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because thats what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.
I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.
*I suppose that depends how frequently you are talking
Re: (Score:3, Insightful)
Real security requires you to balance out risks, figure out who is the main thre
Re:changing passwords frequently makes no sense (Score:4, Funny)
Re:changing passwords frequently makes no sense (Score:4, Insightful)
Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that.
That is exactly right.
The security in any system is only as strong as the weakest members, and the end user is almost always the weakest member of the security question. So before you can do anything, you need to strengthen the security that the users themselves practice. You need a comprehensive training program for all your employees - and it has to be a good one. You've got to make the security problem relevant to them before you'll be able to get any real behavior change.
Once you've done that, you need to implement sane policies that a reasonable individual can handle. Just because you have developed a system to memorize a random 20 character password at the drop of the hat doesn't mean your end users have (in fact, they almost certainly have not). Requiring a 20 character password with four upper and four lower case characters, four numbers, and four symbols (yeah, you get a whole 4 characters that you can make whatever you want!) that changes every month is not going to work, ever.
I worked at a National Guard armory on an army base for a while (I was a civilian contractor) and the problem with security that didn't take the users into account was glaringly obvious. The security there was intense - access cards that were bio-metrically linked to the individual (via fingerprint), an 8 digit PIN number for the card access, and a 10-15 character passwords that had to have 2 upper and lower characters, 2 numbers and 2 symbols in case you locked out your card with the wrong PIN.
You couldn't just unlock your PIN. If you locked it out, you needed to set a new one. To do this you had to scan your fingerprint at the issuing office. Your PIN could not be the same as any of the last 10-15 PINs you used, I don't remember the exact number. Since this was a constant problem, if you locked your card out you could expect to spend a half hour to an hour unlocking it. The password was a backup - you could get on to your system with your password. The trouble was nobody used their password, so unless they had it on a sticky they couldn't use it to get in to their system.
The PIN numbers were changed so frequently people started putting them on stickies on their monitor. Then they'd step out and forget their access card in the machine. Now you have zero security. None, nadda, zilch. For all your system does to keep it secure, you can just walk in to almost any empty but open office and find a card in a machine with the correct PIN stickied to the monitor.
You must design your security system to the limits of your users, not to the limits of the technology.
I'm personally a big fan of pass-phrases. It doesn't matter if you use dictionary words in a pass phrase, you're looking at 50,000+ possibilities for each word in the phrase, so for a 5 word passphrase you're looking at about 3^20 permutations. Add in capital letters and punctuation and it is more like 1^25 permutations. Compared to 9^20 for the 20 character password I described above, and that's not too far off. Most places recognize that a 20 character password will never work, and they generally use at most a 15 character password. Without any of the lost-options caused by adding restrictions (so many of x, y, or z type digit) that's 3^15 permutations, a hell of a lot less than the much easier to remember 5 word pass-phrase.
So you can have your insane levels of security if you're smart about it. If someone wants to use their daughter's birthday, "Shelly's birthday is on July the 20'th" is nearly uncrackable and extremely easy to remember.
The only way to limit sharing of passwords is to: a.) give them a secure and convenient way to do the same thing, b.) educate them about why they should not be sharing their passwords amongst themselves and make it relevant to them personally, and c.) enforce the policy with serious conse
Re: (Score:2, Interesting)
People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis.
No, but I had to deal with very strict password rules at university, and you know what I liked to collect? Strips of paper with usernames and very complicated passwords you can't possibly remember. I found those handwritten notes quite frequently at the computer labs, because the password system was insanely user-hostile and stressed-out students forget things when running off to class in a hurry.
allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because thats what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk.
Why is their account not terminated at the same moment as their employment?
Re:changing passwords frequently makes no sense (Score:5, Insightful)
People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
1) People who should not have access to facilities are routinely being given it by others, or
2) People who should have access to facilities are not given reliable enough access to it in their own name.
Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.
You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.
And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.
Re: (Score:3, Insightful)
We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise. We could be complete hard asses about sharing passwords, no doubt. However, we're going through some growing pains right now and we don't have the staff to deal with all the smaller issues that come up. What are we going to do to reprimand password sharing? Reduce their share folder size? As IT we just police, but its up to the individual managers to dole out the se
Re:changing passwords frequently makes no sense (Score:4, Informative)
Regular rotation clearly doesn't buy you time (it limits the time of exposure when a certain problems occur, but doesn't buy you time.)
Reprimanding is not the solution.
The solution is:
1) Find out what the problem is in the existing system that people are working around by sharing problems, and
2) Address that problem in a way that removes the incentive to share passwords.
This view is probably the source of many of your problems. As IT your mission should be marshalling technology to enable the broader organization to acheive its goals efficiently and safely, not being "just police".
How? Regular rotation of passwords does nothing to delay the impact of an attack. Selective forced expiration of passwords in response to an identified attack may by some time, but that's very different than a regular and frequent rotation policy.
Re:changing passwords frequently makes no sense (Score:5, Insightful)
Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.
It is the most ridiculous policy I've seen in this field.
A better policy is:
1) force strong passwords
2) audit against week passwords using cracking tools
3) force a change of passwords when an incident occurs, or a person with a shared (ie: admin, root, database, etc) access leaves the company.
Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!
Re: (Score:3, Informative)
People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis.
I don't think that the claim is that "changing passwords frequently is a waste of time," at least not exactly. What's often misunderstood about security is people think that something is "secure" or it's not, and you can just sort of turn up the security level. That's not quite it. It's more about trade-offs.
Just as a hypothetical example, imagine you owned an apartment building, and you found out that the lock on the front door to the building was relatively easy to pick. You think, "I'll fix that," a
Re: (Score:3, Insightful)
People who argue that changing passwords frequently* is a waste of time has not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occaison, the Receptionists will share passwords so they can log in on each other's computers and access each others files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or C: drive, because thats what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.
I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.
*I suppose that depends how frequently you are talking
I had to deal with a similar situation in the military... I came to the conclusion that users will always be users and if things like this are happening, it's a failing of the IT and/or Software Design portions of the system. If your secretaries are saving documetns to My Documents on the C: drive, you need to change the My Documents to point to the network drive. You need to basically start eliminating/changing the way the users do things that are improper... it really is ultimately a failing of IT to d
Re: (Score:2)
You know that'll cause a lot of un-needed traffic, right? We don't want all our computers all having shared drives communicating with each other so they pop up on everyone's computer anytime they log in.
We do that. (Score:2)
And the people STILL share passwords because they cannot remember how to navigate through the various folders.
This is a case where I'd prefer the *nix method and just mount the directories under the user's home directory.
Technology will never be a match for someone's mindset. Bob's files are in Bob's directory on Bob's computer. If Alice wants to see Bob's files, Alice wants to go to Bob's computer. And then Alice wants to copy them to Alice's computer to work on them.
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
The grandparent isn't talking about replacing passwords with USB sticks. He's talking about two factor authentication. The user has a USB stick and a password. They need to plug in their USB stick in order to even bring up the login screen. Once their USB stick is authenticated, they need to type in the password to get access to their account.
It'd solve both problems. You wouldn't have to deal with the risk of former employees snooping, since you could drop the permissions for their USB stick. The use
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Yeah, changing passwords frequently just makes for lower-quality passwords.
Eventually people fall into a sequence that's even more detrimental to security than a really good, long password.
Here's some "strong" passwords - capital letters and numbers: Jan2010, Feb2010, Mar2010, ... ... Nov2010 ... ...
Let's make it harder, add symbols! Jan!2010, Feb@2010, Mar#2010,
Can't repeat numbers in same spot? Jan!2010, 2010Feb@, Mar#2010,
Want longer? January2010, February2010,
Hell, they may just simplify and do 1!Januar
SImple non-dictionary passwords (Score:4, Insightful)
The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
Re: (Score:2)
optionally make up a word and apply some kind of personal leetspeak "encoding" to it.
Re: (Score:2, Interesting)
Just use diceware [std.com]. It's got more than enough entropy and uses real words that are easy to remember.
Re: (Score:2)
Re: (Score:2)
I've found that chopping off certain parts of my full name are easy to remember as well, though I suppose those might be easier to guess than a simple non-dictionary word.
James Tiberius Kirk would be something like ameski or jamtibirk
and like you said - its very easy to simply add or replace the more complex symbols.
Re:SImple non-dictionary passwords (Score:5, Informative)
The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
The best passwords I've found are sentences translated into passwords. For example:
My phone number is 555-234-2344 : Mp#i555-234-2344
I live at 2202 Park Street : Il@2202PSt
Four score and seven years ago : 4Sa7ya...
My wife won't go down on me since we got married! : Mww'tgdomswgm!
Whatever. You get the idea. All you have to remember is the sentence.
Re:SImple non-dictionary passwords (Score:5, Funny)
Bad password. Too common.
Re: (Score:2)
I make up random letter, number, and punctuation passwords, write them down, and keep them in my wallet with my other valuables. Tags are slightly obfuscated in case my walet gets stolen; "Dorothy Slasher" for slashdot, for example.
Depends on the importance and access (Score:4, Insightful)
To me it depends on two things:
1) How important is the data.
2) What level of access do un-authorized people have to the system.
For example, we have a private development server on a isolated vlan. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that vlan (so just the developer offices).
Do I really need a password like 2wsx)OKMnhy6BGT%?
or does something simple like: 53xym@n cover it?
Now, let's say it's a public server available on the internet with ssh running? Does a really strong password protect me any more then just using a simple public key with a simple password on said key?
Re: (Score:2)
1st) I write a song. A tune I can follow in my head.
2nd) I add words.
3rd) When asked for a password, I type until the max limit has been reached.
4th) When logging in, I type until I'm not allowed to!
Sure, it might sound complicated but no one is going to guess what year Columbus sailed...
Re: (Score:2)
I would also add:
3) Where is it possible to access the data?
4) Is it feasible to monitor and log accesses to the data?
If the answer to 3) is "anywhere" and 4) is "no", there is a case for a strong password. In these cases, it may be necessary to take advantage of password memory features in either your smartphone or web browser. In this case, a strong password would protect against constant phishing, while still being useable. The fact that I don't actually remember my password is balanced by the fact tha
Seems to Be Some Confusion (Score:3, Informative)
I'm not sure that allowing unique but simpler passwords is a better idea.
There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.
... and can be applied equally to the loosest and most stringent password requirements.
Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.
I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your user has with a new mechanism
After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.
Re: (Score:2)
For anyone who thinks "people will be able to do it..." Sure, for most probably. But you take people like myself who type pretty quickly and it'll be a job - not because of the speed but because of how hard or soft I press certain
Re: (Score:2, Insightful)
Or maybe I have cut my finger and have a bandaid on it, altering my typing speed and force distribution. Perhaps there is a crumb stuck under a key that alters the momentum of the press.
There are way too many possible ways for it to go wrong. There needs to be a backup method, and that is likely to remove most of the benefits of the
Re: (Score:2)
Write it down (Score:5, Funny)
Re: (Score:2)
Just write down your password in a convenient & easily accessible location near entry point. Problem solved.
I guarantee that everyone reading this just thought of those Post-its on his/her PHB's desk.
At least the PHB's secretary has the good sense to put the Post-it with the password in her drawer, where no one would ever think to look.
Comment removed (Score:4, Interesting)
Only for big services (Score:2, Informative)
Passwords aren't the weak point (Score:5, Insightful)
Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on there, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends wants to get in and have some good skills. However, in most cases people write down passwords which lead to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.
Compuserv had it right (Score:4, Interesting)
Compuserv used to use two words with a punctuation mark between them . My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.
Re:Compuserv had it right (Score:4, Funny)
12 billion sounds like something a computer could brute force these days, although it depends a lot on the algorithm.
This is also why on Windows you want to have a 15+ character password. For 14 characters and below, Windows stores the passwords as two 7 byte fields for backwards compatibility purposes (darn Windows 95/98!). This is bad because a 7 byte field with just lowercase letters has only 8,031,810,176 combinations, 16 million if you use the full 14 characters, but most people have 8 character passwords for historical reasons (DES salt length of all things), and that last character is basically worthless. It's a bit of a pain, but 15 character passwords can be made reasonable (assuming your security policy doesn't require 25% punctuation or something) and will be stored a much more secure way on Windows hosts.
Re: (Score:3, Insightful)
Quick point: The 15+ characters on Windows rule is outdated (not that short passwords are a good idea anyhow). The old hash algorithm was absurdly easy to brute-force (there are free downloads that will do it in 3 minutes or less) and is disabled by default on all Windows systems from Vista forward (possibly also 2003, I'm not sure). I believe it can be re-enabled for backward compatibility, and it may be possible to disable on XP (check the Local Security Policy management console, perhaps) but yes, there
Easy, secure passwords (Score:2)
Questions (Score:2)
I am, by no means, an
Unintended consequences? (Score:2)
If the idea is to prevent compromise of multiple accounts, this has merit. But if the attackers only need to get one account (and don't care which one), this actually hurts things. By allowing simpler passwords but requiring that not too many users have the same simple password, they increase the number of simple passwords used by the system, thus increasing the chance the attacker has a password on the system in his dictionary.
think of something you like to do or did before (Score:2)
i used to use the designations of military units as passwords. something like HHC of the 72nd Armor Battallion would be hhc72armrbn. after the domain admins started to use 5 passwords remembered i switched to restaurant names and anything else i liked to do. for a little while i thought about using hashed versions of porn star names for system account passwords.
My favorite (Score:4, Funny)
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2, Interesting)
I once got locked from my bank account as I registered with a 14 character password which I spent some time memorizing.
Unfortunately after calling them up and resetting my account twice, I was informed that the system only allowed 10 character long passwords and they had not implemented any method of checking the length when you registered.
Amatuer idea (Score:2, Interesting)
Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passw
Simple to remember, Hard to crack (Score:2, Insightful)
Anyone else see the problem with this? (Score:2, Interesting)
If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.
1) change password, repeat until
2) you hit upon a banned password
3) add password to the top of your dictionary
4) ???
5) profit
Substitition cipher method (Score:2, Informative)
Passwords (Score:2)
Okay, how about an informal poll?
1. What is the oldest password that you are still using?
2. Is the username associated with said account one that can be hit by dictionary attacks? Yes, username.
Because a username and password are only as weak as the weakest link between them. Don't get me started on password recovery schemes. Secret question anyone? Gotta be kiddin' me. People post their secret questions' answers in their blogs sometimes!
Hopefully any site will temporarily lock the account if too many faile
Lockouts.. (Score:2)
If you can lock out a service, and have things flagged that way, simple isn't quite so bad. You need to have access to the password source to brute force things (in which case, you may just have lost already by giving up that extremely sensitive file).
Users like things nice and simple and memorable. If you force nasty constructs on them, they'll either:
1) Write things down on a piece of paper, or text doc on their desktop. Both are bad (though probably the desktop is worse).
2) Call the service desk every
Subject (Score:3, Informative)
This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.
Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd had made simpler passwords available, not nearly as many people would have resorted to that.
It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.
Pass Phrases (Score:5, Informative)
Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.
Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"
It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.
Re: (Score:2)
Length is still a problem: Did I put spaces between each word? Did I capitalize some of the words?
A reasonable compromise, which still defeats most dictionary attacks is to acronymize your phrase:
"Purple Elephants make for a rough Work Day" becomes PEmfarWD. It sill has problems with caps -- make a rule like adjectives and nouns get capitalized, and you may be OK.
Re: (Score:3, Insightful)
Depends what the password is for. We have to lock our screens when we leave our desks, and then retype our passwords when we return. I now lock my screen out of habit if I turn round to talk to someone. I don't want to have to retype a 40 letter string (correctly) every time I turn back to do some work.
Re: (Score:3, Insightful)
Typing five words in a row correctly is not actually that hard.
It is if you can't see what you're typing.
My problem is DIFFERENT rules (Score:2)
Not a total solution but... (Score:2)
mix letters and numbers (Score:2)
you can conver numbers into words:
2001: movie ..
2010: movie
1942: arcade saloon game
1984: movie
42: answer
You can also have tiny words that have meaning to you: ..
LOTR: lord of the rings
imho: in my humble opinion
me: me
orly: oh, really?
bf: battlefield
so you can mix both things
bf2010me44 ... ...
tk40000z21
rs47ak232
to me is easier to remenber {expresion} {number} {expresion} {number} than a true mix of number of letters.
Passwords, imho, sould be easy to remenber and hard to guest.
I use passwords that can be touch-typed quickly. (Score:2)
Re: (Score:2)
Yet very easy to generate for a machine as well.
What I (usually) do (Score:2)
11 random letters (all lowercase) and digits. No need to be more fancy than that. And if you roll the generator several times you'll find the combination which is pretty easy to remember after entering it 2-5 times.
But is that really enough? Let's calculate, assuming somebody can test a million tries per second (way optimistically/pessimistically, I'd say): (26+10)^11 / 10^6 = over 4000 years. Pretty secure. Actually, in real life you can even use 10 or 9 characters and sleep well.
Deceptively simple is the key. (Score:2)
Seriously, I've found that the simplest, non-dictionary passwords are the best. Call me crazy, but I work from the premise that a random user is just as likely to guess my password on the first try as they are to guess it if given 100000 tries.
The place where I work (and other places that fly the same banner) has employees that are exceedingly technology illiterate, so it's a pretty good bet that I can find their passwords written near the terminals on pieces of paper. Since we're required to use two diff
Easy problem to solve (Score:2)
The easy solution is to make the passwords longer. Everyone can remember a sentence.
I see two problems (Score:2)
I see two problems -- I don't know that either is a deal breaker, but I figure I'll put them out there.
First, users might not enjoy certain aspects of the experience.
Usually, there are rules, they tell you the rules, and if you follow them, your password is accepted. The system seems fair -- there are rules, you can follow them, if you follow them, it works. The proposed system will feel arbitrary -- you try a password, maybe it will work, maybe not. If it doesn't, you have to try again. Maybe it won't
where's biometric (Score:2)
Reality Check (Score:4, Interesting)
No one cares enough about your data to steal your password, so long as its not so easy to guess that a random dictionary account gets it real quick than your 3 letter password of 'AAA' is more secure than most 6 letter passwords.
Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.
The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.
Your password policies should be geared towards the individual security requirements of ... the individuals.
Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.
Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.
If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.
Re: (Score:3, Insightful)
IT Security doesn't get security, mostly because they don't seem to deal in common sense.
Years ago I tried to explain that making the password more complex, and making people enter it more often, and changing it, will NOT make anything more secure, but will in fact make things LESS secure. My rational was that people will just write it down on a sticky note and stick it to their monitor. Their response to that is to simply make a policy (which everyone ignores btw) that prohibits employees from doing that.
Best password ever. (Score:5, Funny)
Re: (Score:2)
Something tells me that a 6-7 character password of something meaningful yet obscure would have decent amounts of protection without leading in new security flaws
Re: (Score:2)
I use patterns on the keyboard for most of my passwords.
For example
@W(I0o1q#E*U
That is a easy to remember password.
wpWPa'A'z/Z? is another.
Re: (Score:3, Interesting)
"I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain"
Actually I don't have a problem with it. Once you get used to it and it's normal, then it's really not a problem. The thing with these people is that no matter how easy a password system is, they are going to complain about it.
The big problem with my employer, is that most of us have multiple platforms to log into, each maintained by a different group. Each with unique password policies
which means different expiry periods, different non-alpha character requirements, and different min/max character requirements.
Yes it's stupid.
Yes, it does drive many users to the post-it note solution
Yes we are a huge bureaucratic organization
And, no, there is no political will to merge or harmonize the systems or policies. "You want us to
Re: (Score:2)
The thing is, once you've hit 12+ characters in a phrase the special chractera aren't really buying you that much. You gain as much security by making your phrase one word longer as you do adding -;())$&&@@ in the middle of it. Allthatglittersisnotgold will beat dictionary attacks, take weeks to brute force, and be much easier to type. The only point of random characters is to get some of those benefits in an 8 character password.
Turn your phrase into a password. (Score:3, Informative)
Use your phrase. Just turn it into a password.
I Need My Morning Coffee!!
Then jam a number (your morning train, maybe) than makes sense onto it. Result:
inmmc!!650
I do this with song lyrics and quotes, going as far as to leave plaintext reminders on post-its - it's still impossible to guess.
Re: (Score:3, Insightful)
If they're not highly-trained enough to know to lock up a password, then they have no business being in charge of information that needs a password to access, and all of the worry about how they store their password is moot.