
Passwords That Are Simple — and Safe(?)

Posted by CmdrTaco
from the pardon-my-skepticism dept.
TravisTR submitted a story that talks about simpler passwords. I don't think anyone disagrees that having elaborate rules with 20 char passwords requiring mixed cases and symbols and requiring them to change frequently is a pain, but I'm not sure that allowing unique but simpler passwords is a better idea.
  • deh. (Score:5, Insightful)

    by Anonymous Coward on Tuesday July 20, 2010 @11:51AM (#32965438)

    Why not use simple words that can't easily be found using a dictionary brute force?

    And most hacked accounts come from shitty secret questions/answers that let you change the password.

    • Simple (Score:2, Insightful)

      by Anonymous Coward

      When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

      And having written-down passwords negates the benefit of all those special characters.

      Also, simply making it policy that users can't write the passwords down doesn't help... users either break the policy or often forget their passwords, forcing frequent use of the password recovery process, which can be costly and further weakens th

      • Re:Simple (Score:5, Insightful)

        by iluvcapra (782887) on Tuesday July 20, 2010 @12:27PM (#32966116)

        When your password rules have a net effect of disallowing people from using their familiar mnemonic systems for remembering passwords, you force them to write the passwords down.

        I assume this is when someone uses a captive bolt gun to threaten you to reveal your password...

        And having written-down passwords negates the benefit of all those special characters.

        This is a misconception. Forcing the user to write down a password allows the password to be much longer, and probably much more impervious to attack over the network. The fact that it's written down makes the password as insecure as the place where it's written down. If that place is behind a locked door, perhaps in the room containing the protected machine itself, then the password is about as secure as you could expect, since if someone can get into that room they're going to have access to everything that password protects, password or no. A sheet of paper in a wallet is also valid, since people keep extremely valuable bits of information that can be easily changed and cancelled in their wallet as well.

        Encryption keys require a different sort of discipline, but again, just because something is memorizable doesn't mean it's absolutely better than something written down, or contained in a separate, secure place.

        You have to ask, "what is this password protecting?" If it's protecting a box from network attack, PLEASE FOR THE LOVE OF GOD USE BIG PASSWORDS AND WRITE THEM DOWN! If you're protecting data from more, ah, physical or intimate incursion, a memorized password is a start, but it had better not be the only part of the puzzle. Since network attacks are a much bigger problem these days than someone breaking into your house, the first solution is probably going to be much more practical and effective.

        • why not have both? (Score:3, Informative)

          by nobodyman (90587) *

          Why not use a system of using simple phrases, including spaces and punctuation. Most systems allow that sort of thing. So the password "I love stinky cheese!" (including spaces and exclamation) is good for two reasons:

          • It's easy to remember (it's 21 characters but you only have to remember four words)
          • It's easy to type
          • It's extremely secure (it would take ages to bruteforce, even with a dictionary attack)

          That said, I agree with the parent post: many times writing a password down is actually a good idea.

      • Re: (Score:3, Interesting)

        by walshy007 (906710)

        My solution to draconian password schemes is simple: use a hash of one of my more normal passwords AS the password for said system.

        Good luck to the person who tries to brute force the 40+ character hex string :)

        • Re: (Score:3, Informative)

          by bberens (965711)
          Pick a row on the keyboard. Go down the row normally, then back up the row while holding shift. On the way down you'll get a number and lower case letters. On the way back up you get capitals and a special character (shift plus whatever number your row is). This is what a LOT of people do for ridiculous password requirements. It's very easily crackable.
    • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday July 20, 2010 @12:13PM (#32965840)

      If the password can be easily remembered, it will end up in a dictionary.

      But that doesn't matter. At least it doesn't in the way that TFA discusses passwords.

      You have two different uses for passwords:

      #1. Lets you log in to your computer or account or whatever.

      #2. Encrypts files that you don't want other people to read.

      If we're dealing with #1 then simple passwords are perfect AS LONG AS SOMEONE IS MONITORING THE ACCOUNT FOR FAILED LOGIN ATTEMPTS and dealing with them (and having a delay between individual attempts).

      In case #2 then you want a HUGE key because the file can be attacked off-line.

      • frobgard (Score:3, Insightful)

        by SuperKendall (25149)

        If the password can be easily remembered, it will end up in a dictionary.

        Frobgard.

        The clock is ticking on your assertion...

        • The clock is ticking on your assertion...

          What? You don't think that a dictionary attack is limited to words in an actual dictionary, do you? Crackers have password dictionaries that include all sorts of common passwords, like "letmein", "IAmGod", "xyzzy", "Hunter2", etc. By now, "Frobgard" is in one.
    • Re:deh. (Score:5, Insightful)

      by Opportunist (166417) on Tuesday July 20, 2010 @12:37PM (#32966320)

      Pretty much this. Someone hand Mr. Anonymous a few mod-ups.

      There are exactly 2 things in my experience (from various forensic examinations) that are responsible for almost all hacked passwords: Keyloggers and easily guessable recovery questions.

      Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of trial and error. 10000 attempts, tops. Trivial to do for an automated system.
      Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.
      Place of birth? Elementary school? Pet's name? Check the person's Facebook account.

      It has never, in my experience, been a blunt dictionary attack within the last 5 years. Why? Because even a password susceptible to a dictionary attack requires a fairly weak login procedure to work. And every single password entry system I know of (at least when it's about more than something trivial like logging in to your pr0n account) either has a delay feature that keeps you from trying more than maybe 10 passwords a minute, or it even implements something like a "3 strikes" system before you have to contact a human being, or at the very least solve a captcha. Dictionary attacks are no longer really something you can easily use to crack passwords.

      Oddly, such a safeguard is almost certainly missing when it comes to password recovery questions.

      And I guess I needn't waste a character to write about keyloggers.
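Added example, not code from the thread: the login-side control khasim's case #1 relies on (monitor failed attempts, delay between them) and the "3 strikes" lockout Opportunist describes, with the arithmetic that separates it from case #2, the off-line attack on an encrypted file. The class, its parameters and the 50,000-word list size are this example's own assumptions.

```python
"""Per-account failed-login throttle (constructed example, not from the thread).
Every parameter below (1 s base delay, 3 strikes, 15 min lockout, 50,000-word
list, 1e9 guesses/s off-line) is an assumption chosen for illustration."""


class LoginThrottle:
    """Tracks failures per account, enforces an exponential delay between
    attempts and locks the account after `max_attempts` failures. Time is
    passed in explicitly so the logic is deterministic and testable."""

    def __init__(self, base_delay=1.0, max_attempts=3, lockout_secs=900):
        self.base_delay = base_delay        # seconds to wait after the 1st failure
        self.max_attempts = max_attempts    # failures before lockout ("3 strikes")
        self.lockout_secs = lockout_secs    # lockout length in seconds
        self.state = {}                     # account -> (failures, last_failure_time)
        self.alerts = []                    # accounts that hit lockout (for monitoring)

    def check(self, account, now):
        """Return (allowed, seconds_to_wait) for a new attempt at time `now`."""
        failures, last = self.state.get(account, (0, 0.0))
        if failures == 0:
            return True, 0.0
        if failures >= self.max_attempts:
            remaining = self.lockout_secs - (now - last)
            if remaining > 0:
                return False, remaining
            self.state.pop(account, None)   # lockout served: start afresh
            return True, 0.0
        delay = self.base_delay * 2 ** (failures - 1)   # 1 s, 2 s, 4 s, ...
        remaining = delay - (now - last)
        return remaining <= 0, max(remaining, 0.0)

    def record(self, account, success, now):
        """Record an attempt's outcome; raise an alert when lockout is reached."""
        if success:
            self.state.pop(account, None)
            return
        failures, _ = self.state.get(account, (0, 0.0))
        failures += 1
        self.state[account] = (failures, now)
        if failures >= self.max_attempts:
            self.alerts.append(account)     # hand to whoever watches failed logins


def online_guesses_per_day(throttle):
    """Upper bound on wrong guesses against ONE account per day: the attacker
    gets max_attempts guesses per (back-off delays + lockout) cycle."""
    delays = sum(throttle.base_delay * 2 ** i
                 for i in range(throttle.max_attempts - 1))
    cycle = delays + throttle.lockout_secs
    return throttle.max_attempts * 86400 / cycle


def days_to_exhaust_online(dictionary_size, throttle):
    """Case #1: the server paces the attacker."""
    return dictionary_size / online_guesses_per_day(throttle)


def seconds_to_exhaust_offline(dictionary_size, guesses_per_second):
    """Case #2: an encrypted file is attacked at the attacker's own speed."""
    return dictionary_size / guesses_per_second


if __name__ == "__main__":
    throttle = LoginThrottle()
    words = 50_000
    print(f"online : {days_to_exhaust_online(words, throttle):.0f} days per account")
    print(f"offline: {seconds_to_exhaust_offline(words, 1e9):.1e} seconds")
```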

      • Re: (Score:3, Insightful)

        by bertoelcon (1557907) *
        I find a good way to get around those recovery questions is to lie on them. For example, every one that asks me "What is your mother's maiden name?" gets the same answer but not the truth.
      • This is why I lie. (Score:4, Informative)

        by KingSkippus (799657) on Tuesday July 20, 2010 @03:37PM (#32969090) Homepage Journal

        Last 4 digits of your credit card? If the system allows you to retry infinitely, it's a matter of try and error. 10000 attempts, tops. Trivial to do for an automated system. Last name of your teacher/Mother's maiden name? Trivial for anyone who knows you, and if you don't care for the account you want, send the most common names against as many accounts as you can get your hands on.

        I find it amusing that people answer these questions honestly. My mother's maiden name was Johnson. A lot of people who know me know this. I think that it's silly that me telling anyone this could be considered a security risk. It's probably easily found out in public records that anyone can access.

        That's why when anyone ever asks me, "For security purposes in case you lose your account information, what is your mother's maiden name?" I answer, "Brigadoon." That way if someone who knows me decides to have a good laugh on ol' Skippus and they call up some owner of an account I have and they ask, "Okay, for security purposes, what is your mother's maiden name?" and they answer, "Johnson," they will not be allowed access to whatever it was they were trying to get access to.

        I have a list of stock answers to questions such as my mother's maiden name, my high school, my favorite pet's name, my favorite sports team, etc. Most of them are related. My mother's maiden name is Brigadoon. My high school was good ol' BHS. My favorite pet was Brigadot. My favorite team is the Brigands. You get the idea.

        Of course, I've also lied about almost everything in this post. My mother's maiden name really isn't Johnson, and the name I give everyone isn't really Brigadoon, but the part about lying on those forms and using meta-passwords is true, and I highly encourage everyone else to do the same. Using actual facts or experiences that aren't so intimately personal that I wouldn't be telling anyone anyway as a security checkpoint is pretty damn stupid.

    • Re: (Score:3, Interesting)

      I occasionally use simple, but misspelled words or names, or a combination of simple words that do not belong together, or simple phrases omitting spaces. One has to be careful not to choose common misspellings, or words that somehow go together, but a successful selection should be both easy to remember and immune to dictionary attack.

      My brother and nephews and I play a game called "two great tastes" that involves choosing two foods that taste great, but not together. The purpose is to come up with the g

    • Re: (Score:3, Funny)

      by MrEricSir (398214)

      By any chance, is "deh" your password?

  • by Anonymous Coward on Tuesday July 20, 2010 @11:52AM (#32965444)

    Call it a "passphrase." Ban that other word.

    • by swilly (24960) on Tuesday July 20, 2010 @12:23PM (#32966044)

      I agree. There is only so much entropy the human brain can remember, but I can remember phrases quite well. Throw in a few digits and special characters instead of letters and you have the perfect balance between security and ease of use. Unfortunately I keep seeing maximum password lengths, which is just stupid. I suspect maximum password lengths are caused by lazy developers and web sites that store passwords instead of hashes of passwords.

      Don't know if typing phrases would be better for everyone though. Interested to know how non-touch typists would deal with something like "It w@s the b3st of times, It was the worst of times".

  • by js_sebastian (946118) on Tuesday July 20, 2010 @11:52AM (#32965448)
    Recent paper by some Microsoft folks at USENIX Security: "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" (http://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf)
    • by Monkeedude1212 (1560403) on Tuesday July 20, 2010 @12:02PM (#32965654) Journal

      People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

      I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

      *I suppose that depends how frequently you are talking

      • Re: (Score:3, Insightful)

        by Darkness404 (1287218)
        So instead of having a few people in the company knowing passwords, you lead to the people with a sticky note with all their passwords stuck to their monitor. Let's face it, perfect security is impossible, the average person can't remember insanely long abstract passwords, so either you have weaker passwords, the security question flaws, IT hell of having to reset passwords every other week, or the sticky note on the monitor.

        Real security requires you to balance out risks, figure out who is the main thre
        • by hal2814 (725639) on Tuesday July 20, 2010 @12:19PM (#32965972)
          There's not always a sticky note on the monitor. Some people are security conscious. They hide the sticky under their mouse pad. Because really... who would ever think to look there?
        • by Bigjeff5 (1143585) on Tuesday July 20, 2010 @12:57PM (#32966676)

          Real security requires you to balance out risks, figure out who is the main threat and make passwords to combat that.

          That is exactly right.

          The security in any system is only as strong as the weakest members, and the end user is almost always the weakest member of the security question. So before you can do anything, you need to strengthen the security that the users themselves practice. You need a comprehensive training program for all your employees - and it has to be a good one. You've got to make the security problem relevant to them before you'll be able to get any real behavior change.

          Once you've done that, you need to implement sane policies that a reasonable individual can handle. Just because you have developed a system to memorize a random 20 character password at the drop of the hat doesn't mean your end users have (in fact, they almost certainly have not). Requiring a 20 character password with four upper and four lower case characters, four numbers, and four symbols (yeah, you get a whole 4 characters that you can make whatever you want!) that changes every month is not going to work, ever.

          I worked at a National Guard armory on an army base for a while (I was a civilian contractor) and the problem with security that didn't take the users into account was glaringly obvious. The security there was intense - access cards that were biometrically linked to the individual (via fingerprint), an 8 digit PIN number for the card access, and a 10-15 character password that had to have 2 upper and lower characters, 2 numbers and 2 symbols in case you locked out your card with the wrong PIN.

          You couldn't just unlock your PIN. If you locked it out, you needed to set a new one. To do this you had to scan your fingerprint at the issuing office. Your PIN could not be the same as any of the last 10-15 PINs you used, I don't remember the exact number. Since this was a constant problem, if you locked your card out you could expect to spend a half hour to an hour unlocking it. The password was a backup - you could get on to your system with your password. The trouble was nobody used their password, so unless they had it on a sticky they couldn't use it to get in to their system.

          The PIN numbers were changed so frequently people started putting them on stickies on their monitor. Then they'd step out and forget their access card in the machine. Now you have zero security. None, nada, zilch. For all your system does to keep it secure, you can just walk in to almost any empty but open office and find a card in a machine with the correct PIN stickied to the monitor.

          You must design your security system to the limits of your users, not to the limits of the technology.

          I'm personally a big fan of pass-phrases. It doesn't matter if you use dictionary words in a pass phrase, you're looking at 50,000+ possibilities for each word in the phrase, so for a 5 word passphrase you're looking at about 3^20 permutations. Add in capital letters and punctuation and it is more like 1^25 permutations. Compared to 9^20 for the 20 character password I described above, and that's not too far off. Most places recognize that a 20 character password will never work, and they generally use at most a 15 character password. Without any of the lost-options caused by adding restrictions (so many of x, y, or z type digit) that's 3^15 permutations, a hell of a lot less than the much easier to remember 5 word pass-phrase.

          So you can have your insane levels of security if you're smart about it. If someone wants to use their daughter's birthday, "Shelly's birthday is on July the 20'th" is nearly uncrackable and extremely easy to remember.

          The only way to limit sharing of passwords is to: a.) give them a secure and convenient way to do the same thing, b.) educate them about why they should not be sharing their passwords amongst themselves and make it relevant to them personally, and c.) enforce the policy with serious conse

      • Re: (Score:2, Interesting)

        by Scrameustache (459504)

        People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

        No, but I had to deal with very strict password rules at university, and you know what I liked to collect? Strips of paper with usernames and very complicated passwords you can't possibly remember. I found those handwritten notes quite frequently at the computer labs, because the password system was insanely user-hostile and stressed-out students forget things when running off to class in a hurry.

        allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk.

        Why is their account not terminated at the same moment as their employment?

      • by DragonWriter (970822) on Tuesday July 20, 2010 @12:24PM (#32966062)

        People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

        People who argue that rotating passwords frequently is a good solution to password sharing are missing the point: password sharing means either:
        1) People who should not have access to facilities are routinely being given it by others, or
        2) People who should have access to facilities are not given reliable enough access to it in their own name.

        Rotating passwords frequently does not address either of these problems. OTOH, it makes it more likely that people will be unable to remember their passwords and will, therefore, write them down somewhere near their computer for ready reference, which creates its own problems.

        As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home.

        You can certainly redirect "My Documents" (and most other profile folders) to network locations, and you can make the rest of the C:\ drive writable only to administrators and not make normal users administrators. Problem solved.

        We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

        And rotating passwords may limit the time of exposure to such attacks, but doesn't prevent them, so if there is anything truly sensitive exposed, it doesn't protect it. What an IT organization ought to do is deal with the reasons people are routinely sharing passwords.

        • Re: (Score:3, Insightful)

          We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise. We could be complete hard asses about sharing passwords, no doubt. However, we're going through some growing pains right now and we don't have the staff to deal with all the smaller issues that come up. What are we going to do to reprimand password sharing? Reduce their share folder size? As IT we just police, but it's up to the individual managers to dole out the se

          • by DragonWriter (970822) on Tuesday July 20, 2010 @12:53PM (#32966632)

            We don't think of rotating passwords as a solution to the problem - we think of it as a countermeasure that will buy us time when issues arise.

            Regular rotation clearly doesn't buy you time (it limits the time of exposure when certain problems occur, but doesn't buy you time).

            What are we going to do to reprimand password sharing?

            Reprimanding is not the solution.

            The solution is:
            1) Find out what the problem is in the existing system that people are working around by sharing problems, and
            2) Address that problem in a way that removes the incentive to share passwords.

            As IT we just police

            This view is probably the source of many of your problems. As IT your mission should be marshalling technology to enable the broader organization to achieve its goals efficiently and safely, not being "just police".

            Rotating the passwords gives us the time we need that when attacks come up - we can address them properly.

            How? Regular rotation of passwords does nothing to delay the impact of an attack. Selective forced expiration of passwords in response to an identified attack may buy some time, but that's very different than a regular and frequent rotation policy.

      • Changing passwords frequently, as somebody writes below, leads to patterns, sticky notes on monitors, passwords kept in notepad files, etc. IOW, it MAKES THINGS LESS SECURE.

        It is the most ridiculous policy I've seen in this field.

        A better policy is:

        1) force strong passwords
        2) audit against weak passwords using cracking tools
        3) force a change of passwords when an incident occurs, or a person with a shared (i.e. admin, root, database, etc.) access leaves the company.

        Forcing constant changes does not make you more secure if the password is strong to begin with and good policies around sharing and disclosing that password are followed (and they are more likely to be followed if you aren't forcing users to change the damned thing every month). Users will also be able to REMEMBER their STRONG password. Imagine that!

      • Re: (Score:3, Informative)

        by nine-times (778537)

        People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis.

        I don't think that the claim is that "changing passwords frequently is a waste of time," at least not exactly. What's often misunderstood about security is people think that something is "secure" or it's not, and you can just sort of turn up the security level. That's not quite it. It's more about trade-offs.

        Just as a hypothetical example, imagine you owned an apartment building, and you found out that the lock on the front door to the building was relatively easy to pick. You think, "I'll fix that," a

      • Re: (Score:3, Insightful)

        by NitroWolf (72977)

        People who argue that changing passwords frequently* is a waste of time have not had to deal with the security issue of people sharing their passwords on a regular basis. On the odd occasion, the receptionists will share passwords so they can log in on each other's computers and access each other's files. As an IT team we've done our best to abstract that concept by allowing anyone to log onto any computer in the network so long as they have an account, and mapping network drives automatically based on your permissions, but suffice to say some people just don't understand that. Someone will still only save to "My Documents" or the C: drive, because that's what they do at home. Anyways, if someone gets terminated, and they remember the passwords, they pose a security risk. We had this issue come up last summer where a manager knew a few people's passwords, and after being fired, was using the webmail client to snoop on emails.

        I haven't been working in this side of IT for more than 2 years and I can already see the benefit of ever-changing passwords.

        *I suppose that depends how frequently you are talking

        I had to deal with a similar situation in the military... I came to the conclusion that users will always be users and if things like this are happening, it's a failing of the IT and/or Software Design portions of the system. If your secretaries are saving documents to My Documents on the C: drive, you need to change the My Documents to point to the network drive. You need to basically start eliminating/changing the way the users do things that are improper... it really is ultimately a failing of IT to d

    • Re: (Score:3, Insightful)

      by tlhIngan (30335)

      Yeah, changing passwords frequently just makes for lower-quality passwords.

      Eventually people fall into a sequence that's even more detrimental to security than a really good, long password.

      Here's some "strong" passwords - capital letters and numbers: Jan2010, Feb2010, Mar2010, ...
      Let's make it harder, add symbols! Jan!2010, Feb@2010, Mar#2010, ... Nov2010
      Can't repeat numbers in same spot? Jan!2010, 2010Feb@, Mar#2010, ...
      Want longer? January2010, February2010, ...
      Hell, they may just simplify and do 1!Januar
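Added example, not code from the thread: a policy-side check that flags the predictable shapes described in this thread, bberens's keyboard-row walk (down the row, then back up with shift held), tlhIngan's Month+Year rotation above, and the symbol-for-letter substitutions of common words that eldavojohn notes further down already sit in cracking dictionaries. The small word list is built from passwords quoted in this thread; the substitution table and the 4-character walk threshold are this example's assumptions.

```python
"""Predictable-pattern checker for a password policy or audit (constructed
example). COMMON_WORDS holds only passwords quoted in this thread; the LEET
table and MIN_WALK are illustrative choices, not a complete rule set."""
import re

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")   # shift+digit -> digit
LEET = str.maketrans("@$01357!", "asolesti")          # P@ssw0rd -> password
MIN_WALK = 4                                          # row chars in sequence to flag

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_RE = "(?:" + "|".join(f"{m}|{m[:3]}" for m in MONTHS) + ")"
MONTH_YEAR = re.compile(rf"^{MONTH_RE}(?:\d{{2}}|\d{{4}})$")   # Jan2010, January10
YEAR_MONTH = re.compile(rf"^\d{{4}}{MONTH_RE}$")               # 2010Feb

# Words quoted as bad passwords in this thread (constructed list).
COMMON_WORDS = {"password", "letmein", "iamgod", "xyzzy", "hunter", "frobgard"}


def keyboard_walk(password):
    """True if MIN_WALK or more consecutive characters trace a keyboard row
    in either direction, after undoing shift (case and shifted digits)."""
    s = password.lower().translate(UNSHIFT)
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(s) - MIN_WALK + 1):
                if s[i:i + MIN_WALK] in seq:
                    return True
    return False


def month_year(password):
    """Month name/abbreviation plus a year, in either order, ignoring the
    separator symbols people add to satisfy composition rules."""
    s = re.sub(r"[^a-z0-9]", "", password.lower())     # Jan!2010 -> jan2010
    return bool(MONTH_YEAR.match(s) or YEAR_MONTH.match(s))


def substituted_common_word(password):
    """Undo the usual symbol/digit substitutions, drop any trailing
    digit/symbol suffix, and look the remainder up."""
    s = password.lower().translate(LEET)
    s = re.sub(r"[^a-z]+$", "", s)                      # Hunter2 -> hunter
    return s in COMMON_WORDS


def predictable_reasons(password):
    """Return the list of reasons a policy would reject this password."""
    reasons = []
    if keyboard_walk(password):
        reasons.append("keyboard walk")
    if month_year(password):
        reasons.append("month-year pattern")
    if substituted_common_word(password):
        reasons.append("common word with substitutions")
    return reasons


if __name__ == "__main__":
    for pw in ("Jan!2010", "2010Feb@", "qwertyuiopPOIUYTREWQ", "P@ssw0rd",
               "Hunter2", "I love stinky cheese!"):
        print(f"{pw!r:28} -> {predictable_reasons(pw) or 'no pattern flagged'}")
```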

  • by ceswiedler (165311) * <chris@swiedler.org> on Tuesday July 20, 2010 @11:53AM (#32965458)

    The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.
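Added example, not code from the thread: the entropy arithmetic behind Bigjeff5's passphrase-vs-composition-rules comparison earlier in the thread and ceswiedler's alternating consonant/vowel words here, in bits (log2 of the number of equally likely choices), including an exact count of how many bits a "four of each class" rule throws away. The 50,000-word list, the 95 printable ASCII characters, 21 consonants and 5 vowels, and the "at least four of each" reading of the rule are this example's assumptions, and every figure assumes each word or character is picked at random.

```python
"""Password and passphrase entropy in bits (constructed example). All
figures assume uniformly random choice; a phrase taken from natural
language or a word you already know has far less entropy than shown."""
import math
from collections import defaultdict

PRINTABLE = 95                      # 26 upper + 26 lower + 10 digits + 33 symbols
CLASSES = (26, 26, 10, 33)          # sizes of those four character classes
CONSONANTS, VOWELS = 21, 5          # assumption for the CVCV... pattern


def passphrase_bits(words, dictionary_size=50_000):
    """Random words from a list: log2(size) bits per word."""
    return words * math.log2(dictionary_size)


def random_password_bits(length, alphabet_size=PRINTABLE):
    """Unconstrained random characters: log2(alphabet) bits per character."""
    return length * math.log2(alphabet_size)


def pronounceable_bits(length):
    """Alternating consonant/vowel word such as 'lasopedi' (C V C V ...)."""
    return sum(math.log2(CONSONANTS if i % 2 == 0 else VOWELS)
               for i in range(length))


def count_with_minimums(length, class_sizes, minimum):
    """Number of strings of `length` over the union of the classes in which
    every class occurs at least `minimum` times. Dynamic programme over
    positions; per-class counts are capped at `minimum`, since exceeding it
    never changes whether the rule is satisfied."""
    states = {(0,) * len(class_sizes): 1}
    for _ in range(length):
        nxt = defaultdict(int)
        for counts, ways in states.items():
            for i, size in enumerate(class_sizes):
                c = list(counts)
                c[i] = min(c[i] + 1, minimum)
                nxt[tuple(c)] += ways * size
        states = nxt
    return states.get((minimum,) * len(class_sizes), 0)


def composition_rule_bits(length, class_sizes=CLASSES, minimum=4):
    """Entropy of a random password that also satisfies the rule."""
    return math.log2(count_with_minimums(length, class_sizes, minimum))


def composition_rule_loss(length, class_sizes=CLASSES, minimum=4):
    """Bits given up by imposing the rule on an otherwise random string."""
    return (random_password_bits(length, sum(class_sizes))
            - composition_rule_bits(length, class_sizes, minimum))


if __name__ == "__main__":
    print(f"5 random words from 50,000      : {passphrase_bits(5):6.1f} bits")
    print(f"20 random printable characters  : {random_password_bits(20):6.1f} bits")
    print(f"  ... with >=4 of each class    : {composition_rule_bits(20):6.1f} bits")
    print(f"15 random printable characters  : {random_password_bits(15):6.1f} bits")
    print(f"8-letter CVCV word ('lasopedi') : {pronounceable_bits(8):6.1f} bits")
```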

    • by hitmark (640295)

      optionally make up a word and apply some kind of personal leetspeak "encoding" to it.

    • Re: (Score:2, Interesting)

      by Shakrai (717556) *

      Just use diceware [std.com]. It's got more than enough entropy and uses real words that are easy to remember.

    • by pnutjam (523990)
      that password is fine until someone starts using it for a website, laspdedi.com
    • I've found that chopping off certain parts of my full name are easy to remember as well, though I suppose those might be easier to guess than a simple non-dictionary word.

      James Tiberius Kirk would be something like ameski or jamtibirk

      and like you said - it's very easy to simply add or replace the more complex symbols.

    • by ArcherB (796902) on Tuesday July 20, 2010 @12:07PM (#32965736) Journal

      The best passwords I've used are non-dictionary but pronounceable words. The simplest way to generate one is to alternate consonants and vowels, for example 'lasopedi'. It's easy to remember because your brain can store it as a word, not as a random series of letters. You can add uppercase letters, symbols, or numbers if you want it more complex, like 'lasoPedi2!', which is still pretty easy to remember.

      The best passwords I've found are sentences translated into passwords. For example:

      My phone number is 555-234-2344 : Mp#i555-234-2344
      I live at 2202 Park Street : Il@2202PSt
      Four score and seven years ago : 4Sa7ya...
      My wife won't go down on me since we got married! : Mww'tgdomswgm!

      Whatever. You get the idea. All you have to remember is the sentence.

    • by mcgrew (92797) *

      I make up random letter, number, and punctuation passwords, write them down, and keep them in my wallet with my other valuables. Tags are slightly obfuscated in case my wallet gets stolen; "Dorothy Slasher" for slashdot, for example.

  • by FictionPimp (712802) on Tuesday July 20, 2010 @11:53AM (#32965464) Homepage

    To me it depends on two things:

    1) How important is the data.
    2) What level of access do un-authorized people have to the system.

    For example, we have a private development server on an isolated VLAN. The only way to gain any network activity to this server is to be plugged into one of the ports that have access to that VLAN (so just the developer offices).

    Do I really need a password like 2wsx)OKMnhy6BGT%?

    or does something simple like: 53xym@n cover it?

    Now, let's say it's a public server available on the internet with ssh running. Does a really strong password protect me any more than just using a simple public key with a simple password on said key?

    • by socz (1057222)
      Want to know how I set up my passwords?

      1st) I write a song. A tune I can follow in my head.

      2nd) I add words.

      3rd) When asked for a password, I type until the max limit has been reached.

      4th) When logging in, I type until I'm not allowed to!

      Sure, it might sound complicated but no one is going to guess what year Columbus sailed...
    • I would also add:

      3) Where is it possible to access the data?
      4) Is it feasible to monitor and log accesses to the data?

      If the answer to 3) is "anywhere" and 4) is "no", there is a case for a strong password. In these cases, it may be necessary to take advantage of password memory features in either your smartphone or web browser. In this case, a strong password would protect against constant phishing, while still being useable. The fact that I don't actually remember my password is balanced by the fact tha

  • by eldavojohn (898314) * <eldavojohn.gmail@com> on Tuesday July 20, 2010 @11:54AM (#32965472) Journal

    I'm not sure that allowing unique but simpler passwords is a better idea.

    There is a misunderstanding here. The paper itself is proposing an additional mechanism for protecting against popular passwords. Let's say I give you the password "password" and you find it in the dictionary and send it back to me. Now I give you the password "p@ssword" and you again explain it must have an uppercase/lowercase mix as well as a special character and a number. So I give you "P@ssw0rd" and we go about on our merry business.

    Unfortunately for the security of my account, I responded to your system's demands in a very algorithmic way. And, after millions of users try this, it might be safe for me to add in my dictionary attacks substitutions for characters in password.

    I believe what the proposed paper is suggesting is that there is an oracle that alerts the user when their password is acceptable but is simply too common and therefore unsafe. The final piece of the puzzle is building in protection so that attackers cannot "query" the Oracle to find out what are popular passwords in your system that have reached their max. It's about managing entropy in the set of passwords that your user has with a new mechanism ... and can be applied equally to the loosest and most stringent password requirements.

    After reading the paper (assuming you don't have this already), it is genuinely a way to increase your user's protection.

    • by socz (1057222)
      This is one if not the only thing(s) I liked of the pressure sensitive keyboard that MS developed (it was MS right?). Having your P@$$UU0rd wouldn't be enough, it would have to be with the same pressure each time AND speed/quickness/slowness of typing it. That is pretty secure.

      For anyone who thinks "people will be able to do it..." Sure, for most probably. But you take people like myself who type pretty quickly and it'll be a job - not because of the speed but because of how hard or soft I press certain
      • Re: (Score:2, Insightful)

        Detecting how a user types a password sounds like a great idea until I decide that my cheese burger is not worth putting down, and I try to type the password with one hand.

        Or maybe I have cut my finger and have a bandaid on it, altering my typing speed and force distribution. Perhaps there is a crumb stuck under a key that alters the momentum of the press.

        There are way too many possible ways for it to go wrong. There needs to be a backup method, and that is likely to remove most of the benefits of the
        • by socz (1057222)
          how about more than 1 password? one for your right hand, one for your left, and one complex 'master' to override the sensitivity issue?
  • by glittermage (650813) on Tuesday July 20, 2010 @11:56AM (#32965516)
    Just write down your password in a convenient & easily accessible location near entry point. Problem solved.
    • by boristdog (133725)

      Just write down your password in a convenient & easily accessible location near entry point. Problem solved.

      I guarantee that everyone reading this just thought of those Post-its on his/her PHB's desk.

      At least the PHB's secretary has the good sense to put the Post-it with the password in her drawer, where no one would ever think to look.

      • Re:Write it down (Score:4, Interesting)

        by hairyfeet (841228) <bassbeast1968&gmail,com> on Tuesday July 20, 2010 @01:08PM (#32966840) Journal

        That reminds me of a story one of my teachers used to tell: He was taking a class to go check out some new enterprise clusters and the PHB they had conduct the tour kept blathering on about how secure their place was thanks to their insane password policies. Finally Mike got tired of it and said "I'll bet you $100 and a steak dinner you let me loose in here for 15 minutes and I'll have access to your system". This of course annoyed the PHB who took the bet. Sure enough in 15 minutes he came back with 4 valid logins. When the PHB demanded to know how he did it he just started flipping keyboards over until he found post its with logins. He said the PHB stormed off in a huff and he never did get his steak or $100.

        That is why I believe ultimately passwords will have to be done away with for smart cards or CC style password generators for large systems. It is just too hard for little Sally in the pool to remember the huge password, so you end up with a security theater system where the janitor has better access than many of the admins.

  • This only works for big services: If you have only a couple of users, you will miss many of the easy-to-guess passwords. Instead of preventing users from picking the same password as other users, you should check the passwords against a pre-made dictionary. This is basically the same approach, only without relying on the users for building your dictionary.
  • by Darkness404 (1287218) on Tuesday July 20, 2010 @11:57AM (#32965532)
    In most systems, the password isn't the weak point, it is generally the security question or an off-site link. For example, you might require that users of an online banking system use a password 15 characters long, however, you e-mail them a link to change a password if needed through an e-mail account, well if that person's password is "e-mail" or something like that, all the security on your site vanishes.

    Really, you have to figure out who would be trying to get into your account, family members? A random black-hat? Your friends? Your enemies? And base passwords on that, for example, if your main problem is with black hats, a password such as your dog's name with your birth year might be good enough to prevent brute force attacks like "fido1961" on the other hand, that password is laughably weak if your family or friends wants to get in and have some good skills. However, in most cases people write down passwords which leads to more weaknesses there because for some reason IT departments want people to have passwords of "Zn98iTgg4324YEneEjjRtZ34" which might be great at preventing a black hat from accessing it, but such an arcane password generally requires people to write it down.
  • by pcjunky (517872) <walterp@cyberstreet.com> on Tuesday July 20, 2010 @11:58AM (#32965534) Homepage

    CompuServe used to use two words with a punctuation mark between them. My old password was impair?boxer. Tens maybe hundreds of millions of possibilities, simple to remember. I still use that scheme.

    • by jandrese (485) <kensama@vt.edu> on Tuesday July 20, 2010 @12:36PM (#32966308) Homepage Journal
      Interesting. According to the internet, the average educated adult knows about 20,000 words. Assuming a loose definition of "punctuation" we have about 32 punctuation keys on the keyboard. This means there are around 12,800,000,000 possible passwords under that system. That compares alright (but not spectacularly) to 8 random lowercase letters (208,827,064,576 combinations). It falls completely on its face against requirements like "add random punctuation, numbers, and at least one capital letter" (6,095,689,385,410,816 combinations).

      12 billion sounds like something a computer could brute force these days, although it depends a lot on the algorithm.

      This is also why on Windows you want to have a 15+ character password. For 14 characters and below, Windows stores the passwords as two 7 byte fields for backwards compatibility purposes (darn Windows 95/98!). This is bad because a 7 byte field with just lowercase letters has only 8,031,810,176 combinations, 16 million if you use the full 14 characters, but most people have 8 character passwords for historical reasons (DES salt length of all things), and that last character is basically worthless. It's a bit of a pain, but 15 character passwords can be made reasonable (assuming your security policy doesn't require 25% punctuation or something) and will be stored a much more secure way on Windows hosts.
      • Re: (Score:3, Insightful)

        by cbhacking (979169)

        Quick point: The 15+ characters on Windows rule is outdated (not that short passwords are a good idea anyhow). The old hash algorithm was absurdly easy to brute-force (there are free downloads that will do it in 3 minutes or less) and is disabled by default on all Windows systems from Vista forward (possibly also 2003, I'm not sure). I believe it can be re-enabled for backward compatibility, and it may be possible to disable on XP (check the Local Security Policy management console, perhaps) but yes, there

  • It's pretty easy to make secure, simple to remember passwords. Take some random sentence from your life, like "I grew up at 367 oak Street in Mytown when I was little." Grab the first letter and all the numbers, Igua367OiMwIwl and you've got a dictionary proof password that's secure and easy to remember.
  • The new scheme from Microsoft Research does away with complexity requirements entirely while protecting against both dictionary attacks and statistical guessing. The service simply counts how many times any user on the service chooses a given password. When more than a small number of users pick a password, the password is banned and no one else is allowed to choose it. The scheme can only be used by organizations with millions of users--websites like Microsoft's Hotmail, for instance.

    I am, by no means, an

  • If the idea is to prevent compromise of multiple accounts, this has merit. But if the attackers only need to get one account (and don't care which one), this actually hurts things. By allowing simpler passwords but requiring that not too many users have the same simple password, they increase the number of simple passwords used by the system, thus increasing the chance the attacker has a password on the system in his dictionary.

  • i used to use the designations of military units as passwords. something like HHC of the 72nd Armor Battalion would be hhc72armrbn. after the domain admins started to use 5 passwords remembered i switched to restaurant names and anything else i liked to do. for a little while i thought about using hashed versions of porn star names for system account passwords.

  • My favorite (Score:4, Funny)

    by DNS-and-BIND (461968) on Tuesday July 20, 2010 @12:00PM (#32965590) Homepage
    I just love being required to use a SECURE PASSWORD for something totally meaningless like a forum or shopping cart. It usually goes like this: 1) Password rejected! All passwords must contain numbers. 2) Password rejected! All passwords must contain mixed case. 3) Password rejected! All passwords must contain at least one symbol. 4) Password rejected! Use only ASCII, ¥ and © are not allowed. 5) Password rejected! Your account has been disabled and a 24 hour block has been placed on your IP address. Please call customer service, the number is on another page of our website.
    • Re: (Score:2, Funny)

      by boneclinkz (1284458)
      Amen. I get so tired of that nonsense. Look, I really don't care if somebody breaks into my Bell Tire Discount Club forum account. I'd much rather just use "passw0rd" than have to come up with a 76-character string that includes both upper and lower-case, at least one special character, at least one numeral, a Latin proverb, the last four digits of my social security number, and a passage from the Necronomicon.
    • by OzPeter (195038)
      You left out "Password cannot start with a number" and probably a lot more inane restrictions. "Password is too [long|short]"
    • Re: (Score:2, Interesting)

      I once got locked from my bank account as I registered with a 14 character password which I spent some time memorizing.

      Unfortunately after calling them up and resetting my account twice, I was informed that the system only allowed 10 character long passwords and they had not implemented any method of checking the length when you registered.

  • Amateur idea (Score:2, Interesting)

    by Anonymous Coward

    Not allowing duplicate passwords is often one of the first things that people that don't understand security think of. It's also one of the first things that people realize is a very stupid idea once they come to understand security. The problem is simple. If you tell somebody that the password entered is in use, you've just told them the password of another user. User names are not secret, so it's much simpler to fly through a list of users trying a single password than it is to fly through a list of passw

  • Think about a sentence, take the first letter of each word, include a digit : you got your password.
  • by Anonymous Coward

    If you automatically ban overly popular passwords, you have provided attackers with positive information about passwords in existence among the pool of users under the regime.

    1) change password, repeat until
    2) you hit upon a banned password
    3) add password to the top of your dictionary
    4) ???
    5) profit
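The popularity oracle that eldavojohn describes, that the "only works for big services" comment objects to, and that the probe-until-banned loop just above attacks, can be built in a few dozen lines. The following is an added example, not code from the Microsoft Research paper or from any poster in this thread: a count-min sketch counts how many accounts chose each password and the service refuses a password once that count reaches a threshold. The sketch width and depth, the threshold, the HMAC key, the seed wordlist and the sample passwords are all assumptions chosen for the example.

```python
"""Popularity-based password rejection with a count-min sketch.

Added example; not code from the Microsoft Research paper or from any poster
in this thread. Sketch size, threshold, key and sample passwords are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class PasswordPopularityFilter:
    def __init__(self, width: int = 1 << 16, depth: int = 4,
                 threshold: int = 5, key: Optional[bytes] = None):
        self.width = width
        self.depth = depth
        self.threshold = threshold
        # Keyed hashing: the table holds counters at HMAC-derived positions, so a
        # stolen table is not a password list and an attacker without the key
        # cannot precompute where a candidate password would land.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.table = [[0] * width for _ in range(depth)]

    def _positions(self, password: str):
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def _increment(self, password: str) -> None:
        for row, col in self._positions(password):
            self.table[row][col] += 1

    def estimate(self, password: str) -> int:
        """Upper bound on how many accounts chose this password (never an underestimate)."""
        return min(self.table[row][col] for row, col in self._positions(password))

    def is_too_popular(self, password: str) -> bool:
        return self.estimate(password) >= self.threshold

    def register(self, password: str) -> bool:
        """Called when an account sets a password. Returns False, and records
        nothing, once `threshold` accounts have already chosen it."""
        if self.is_too_popular(password):
            return False
        self._increment(password)
        return True

    def seed_from_wordlist(self, words) -> None:
        """Pre-load a wordlist as if `threshold` accounts had already picked each
        entry, so a deployment with few users still rejects obvious choices."""
        for word in words:
            for _ in range(self.threshold):
                self._increment(word)


def demo() -> dict:
    # Fixed key so the run is reproducible; a real deployment generates one per service.
    f = PasswordPopularityFilter(threshold=3, key=b"example-key-not-for-production")
    f.seed_from_wordlist(["password", "123456", "qwerty"])  # constructed wordlist
    out = {}
    out["seeded_word"] = f.register("password")                       # rejected: in the wordlist
    out["first_three"] = [f.register("P@ssw0rd") for _ in range(3)]  # three accounts allowed
    out["fourth"] = f.register("P@ssw0rd")                            # fourth account refused
    out["estimate"] = f.estimate("P@ssw0rd")                          # 3
    out["phrase"] = f.register("purple elephants make for a rough work day")
    return out


if __name__ == "__main__":
    print(demo())
```

Two properties of the structure matter for the objections raised in the thread. The sketch only ever over-counts, so a rejection may be a hash collision rather than a genuine duplicate, and the table stores counters rather than passwords, so a stolen copy does not hand an attacker the list of popular choices. What the structure does not fix is that a rejection is still information: each "too popular" answer confirms a password shared by several accounts, so the check has to be rate-limited per account and per source exactly like the login endpoint itself.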

  • by iivel (918436)
    I've posted this as a potential answer on /. before though the original page on my site is no longer available. It's also been discussed here: http://www.schneier.com/blog/archives/2009/05/secret_question.html [schneier.com] (find cipher.php) I found my old page on the wayback machine...perhaps I'll move it back where it goes http://web.archive.org/web/20060715223129/http://levii.com/cipher.php [archive.org] I'd appreciate input on the method. You have your random card, your own ez phrase and you end up with properly complex password
  • Okay, how about an informal poll?

    1. What is the oldest password that you are still using?
    2. Is the username associated with said account one that can be hit by dictionary attacks? Yes, username.

    Because a username and password are only as weak as the weakest link between them. Don't get me started on password recovery schemes. Secret question anyone? Gotta be kiddin' me. People post their secret questions' answers in their blogs sometimes!

    Hopefully any site will temporarily lock the account if too many faile

  • If you can lock out a service, and have things flagged that way, simple isn't quite so bad. You need to have access to the password source to brute force things (in which case, you may just have lost already by giving up that extremely sensitive file).
    Users like things nice and simple and memorable. If you force nasty constructs on them, they'll either:

    1) Write things down on a piece of paper, or text doc on their desktop. Both are bad (though probably the desktop is worse).
    2) Call the service desk every

  • Subject (Score:3, Informative)

    by MBGMorden (803437) on Tuesday July 20, 2010 @12:04PM (#32965688)

    This is definitely a pet peeve of mine. We recently introduced new password rules at work, despite me trying to convince them otherwise. Has to be 8 or more characters, must contain upper and lower case letters, numbers, and symbols. And it has to be changed every 3 months.

    Wonderful. Now everyone has these horribly complex passwords, which around half the users are now posting next to their monitor on a sticky note. If they'd made simpler passwords available, not nearly as many people would have resorted to that.

    It seems common sense, but too many IT managers just don't get it - complex passwords are only useful until they hit the threshold at which the user sidesteps around the whole secrecy part of it.

  • Pass Phrases (Score:5, Informative)

    by Lifyre (960576) on Tuesday July 20, 2010 @12:06PM (#32965714)

    Stop using pass words and move on to pass phrases. They can be fairly long and still easy to remember. Increasing the number of characters does more to make something hard to crack than adding more symbols does.

    Hell a phrase like "Purple Elephants make for a rough Work Day" is much harder to crack than "1qaz@WSX3edc$RFV"

    It may make dictionary attacks more effective but it will completely destroy brute force methods. Of course the biggest issue is still social engineering so it is still a mostly moot point once you get past trivial passwords.

    • Length is still a problem: Did I put spaces between each word? Did I capitalize some of the words?
      A reasonable compromise, which still defeats most dictionary attacks is to acronymize your phrase:

      "Purple Elephants make for a rough Work Day" becomes PEmfarWD. It still has problems with caps -- make a rule like adjectives and nouns get capitalized, and you may be OK.

    • Re: (Score:3, Insightful)

      by plumby (179557)

      Depends what the password is for. We have to lock our screens when we leave our desks, and then retype our passwords when we return. I now lock my screen out of habit if I turn round to talk to someone. I don't want to have to retype a 40 letter string (correctly) every time I turn back to do some work.

  • I don't mind elaborate rules, I do mind that some say things like "You must have a non-letter/number character" while others say "you can't have". It makes my systematic "rules" based approach to creating a password that is easy to remember much harder. (I.e. I can have a rule that says "Password is 1st letter of website name + last letter before the .com/.net/.org plus the combination "!4a" if one idiot says you need something like an ! and another moron says you can't have something like an ! ---------
  • I think the biggest issue (for me) is that for work I have seriously about 20 different passwords for different systems and logins and they all seem to have different requirements. It has taken me 5 minutes before just to create a password that the system will take, i.e. 8 to 16 chars, must contain 1 special char, 1 cap, 1 lower case, and 1 number, the number and the cap can not be next to each other, the number can't be the first or last char, and you can't have more than 4 chars in a row of the same class.
  • you can convert numbers into words:

    2001: movie
    2010: movie
    1942: arcade saloon game
    1984: movie
    42: answer ..

    You can also have tiny words that have meaning to you:
    LOTR: lord of the rings
    imho: in my humble opinion
    me: me
    orly: oh, really?
    bf: battlefield ..

    so you can mix both things

    bf2010me44 ...
    tk40000z21 ...
    rs47ak232

    to me it is easier to remember {expression} {number} {expression} {number} than a true mix of numbers and letters.

    Passwords, imho, should be easy to remember and hard to guess.

  • Instead of memorizing a series of digits, numbers and symbols, I use "nonsense" passwords based on the position of my fingers (not just on the home row) that can be typed quickly. By shifting the block of keys left or right, I can create new passwords with a minimum of fuss. The result is non-dictionary passwords that are easy to remember and quick to enter.
  • 11 random letters (all lowercase) and digits. No need to be more fancy than that. And if you roll the generator several times you'll find the combination which is pretty easy to remember after entering it 2-5 times.

    But is that really enough? Let's calculate, assuming somebody can test a million tries per second (way optimistically/pessimistically, I'd say): (26+10)^11 / 10^6 = over 4000 years. Pretty secure. Actually, in real life you can even use 10 or 9 characters and sleep well.
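The keyspace arithmetic in this thread (the word?word scheme, 8 random lowercase letters, the 11-character alphanumeric estimate above, the LM-versus-NT split on Windows and the passphrase suggestion) is easier to compare when it is in one place. The following is an added example, not code from any poster: it computes the search space and the time to exhaust it for each scheme. The guess rates are constructed for illustration (1e6 guesses/s is the figure used in the comment above; 1e10 guesses/s stands in for a GPU rig against a fast unsalted hash), and the 20,000-word vocabulary and 32 punctuation marks are the numbers from the CompuServe calculation.

```python
"""Keyspace and exhaustive-search time for the password schemes debated above.

Added example, not code from any poster in this thread. Guess rates, vocabulary
size and punctuation count are assumptions taken from or constructed for the
discussion.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def word_pair_keyspace(vocab: int, punct: int) -> int:
    """word + punctuation + word, as in 'impair?boxer'."""
    return vocab * punct * vocab


def lm_effective_keyspace(alphabet_size: int, length: int) -> int:
    """Work to recover an LM-hashed password of `length` characters.

    LM upper-cases the password, pads it to 14 bytes and hashes each 7-byte half
    independently, so an attacker searches the halves separately: the work is
    the SUM of two 7-character spaces, not a 14-character product. Pass the
    case-folded alphabet size (26, not 52) because LM discards case.
    """
    if length > 14:
        raise ValueError("LM hash is only computed for passwords up to 14 characters")
    first_half = alphabet_size ** min(length, 7)
    second_half = alphabet_size ** max(0, length - 7)  # empty half: one known hash
    return first_half + second_half


def bits(space: int) -> float:
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare(rate: float = 1e6) -> dict:
    """Return {scheme: (bits, years to exhaust at `rate` guesses/s)}."""
    schemes = {
        "word?word (20k vocab, 32 punct)": word_pair_keyspace(20_000, 32),
        "8 lowercase letters": keyspace(26, 8),
        "11 lowercase+digits": keyspace(36, 11),
        "14 lowercase, LM hash": lm_effective_keyspace(26, 14),
        "14 lowercase, NT hash": keyspace(26, 14),
        "4 random words, 20k vocab": keyspace(20_000, 4),
    }
    return {name: (round(bits(s), 1), years_to_exhaust(s, rate))
            for name, s in schemes.items()}


if __name__ == "__main__":
    for rate in (1e6, 1e10):
        print(f"--- {rate:.0e} guesses/s ---")
        for name, (b, yrs) in compare(rate).items():
            print(f"{name:35s} {b:6.1f} bits  {yrs:12.3g} years")
```

The point a practitioner should take from the output is that the rate term dominates the scheme term: the 11-character alphanumeric password that lasts about four thousand years at a million guesses per second lasts under five months at ten billion, while a 14-character lowercase password stored as an LM hash has less effective keyspace than 8 random lowercase letters under NT, because the halves are cracked independently.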

  • Seriously, I've found that the simplest, non-dictionary passwords are the best. Call me crazy, but I work from the premise that a random user is just as likely to guess my password on the first try as they are to guess it if given 100000 tries.

    The place where I work (and other places that fly the same banner) has employees that are exceedingly technology illiterate, so it's a pretty good bet that I can find their passwords written near the terminals on pieces of paper. Since we're required to use two diff

  • The easy solution is to make the passwords longer. Everyone can remember a sentence.

  • I see two problems -- I don't know that either is a deal breaker, but I figure I'll put them out there.

    First, users might not enjoy certain aspects of the experience.

    Usually, there are rules, they tell you the rules, and if you follow them, your password is accepted. The system seems fair -- there are rules, you can follow them, if you follow them, it works. The proposed system will feel arbitrary -- you try a password, maybe it will work, maybe not. If it doesn't, you have to try again. Maybe it won't

  • Seriously where does biometric sit these days? Is there a potentially cheap/reliable/ubiquitous form to replace password? Finger-print, retina scan, voice, spit sample... something?
  • Reality Check (Score:4, Interesting)

    by BitZtream (692029) on Tuesday July 20, 2010 @12:32PM (#32966236)

    No one cares enough about your data to steal your password, so long as it's not so easy to guess that a random dictionary account gets it real quick, then your 3 letter password of 'AAA' is more secure than most 6 letter passwords.

    Why? Again, because no one cares about your data. When you have important enough data that the employees really do need to know security, they'll also have enough intelligence to realize they need to be intelligent with their passwords.

    The problem with complex passwords is that idiots keep trying to force them on people who don't need complex passwords.

    Your password policies should be geared towards the individual security requirements of ... the individuals.

    Donna the secretary gets to use 'mydog' as her password, so does Chris the CEO, because he doesn't do anything anyway, he tells someone else to do everything.

    Igor the IT guy has strict password requirements, as do most of the accountants which have access to bank accounts directly.

    If you have one password policy for your organization, you are indeed retarded unless your organization consists only of yourself.

    • Re: (Score:3, Insightful)

      by DarthVain (724186)

      IT Security doesn't get security, mostly because they don't seem to deal in common sense.

      Years ago I tried to explain that making the password more complex, and making people enter it more often, and changing it, will NOT make anything more secure, but will in fact make things LESS secure. My rationale was that people will just write it down on a sticky note and stick it to their monitor. Their response to that is to simply make a policy (which everyone ignores btw) that prohibits employees from doing that.

  • by trevdak (797540) on Tuesday July 20, 2010 @12:47PM (#32966510) Homepage
    I set my password to "********". Eight asterisks. That way, if anyone ever cracks it or uses a keylogger or something, they'll say "What the hell? I still can't see it." If I need my password to be extra secure, I throw a few more asterisks in there.
