The Psychology of Passwords
afabbro writes "According to this study, people's password choices put them into four groups: "Family", "Fan", "Self-Obsessed", or "Cryptic". I'm sure we're all good Cryptics here...now if only my users would stop being "Family"." And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password",
I beat end users with random flailings of my arms and watch for 'letter-like' shapes which rise as welts on their bodies. Grab a new user, repeat.
I develop schemes now and again. I start with something easily recognizable, like 'So Long And Thanks For All The Fish'. Then I turn it into a 'random' password by a bunch of operations. For an example, I might take the second letter of each word (yielding oonholhi), then make characters 1 and 5 upper case, turn 2 and 6 into numbers (alphabetic value mod 10), then turn 3 and 7 into non-alphanumerics based on the keyboard layout. The pass would then be O5$hO2*i.
That is sufficiently random for 90 day use or so. It would be weakened if somebody somehow guessed my scheme, but I pick a new arbitrary scheme every 90 days when I change all my passwords. Then I just have to remember one scheme and a bunch of key phrases for all of them.
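The scheme in the post above, written out as code so the steps can be checked. This is an added example, not the poster's own code. The post only says the non-alphanumerics are chosen "based on the keyboard layout"; the assumption made here, which reproduces the post's result, is that the letter's alphabet position mod 10 selects a digit key and the shifted symbol on that key of a US keyboard is used (n = 14, 4, "$"; h = 8, 8, "*"). The point worth noticing is that the whole thing is a deterministic function of the phrase: once the scheme is known, the password is exactly as guessable as the phrase.

```python
import string

# Shifted symbols on the digit keys of a US keyboard (assumption, see lead-in).
SHIFTED_DIGIT = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
                 "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def alpha_value(ch):
    """a=1 ... z=26, case-insensitive."""
    return string.ascii_lowercase.index(ch.lower()) + 1


def second_letters(phrase):
    """Second letter of every word longer than one character, lower-cased."""
    return "".join(w[1] for w in phrase.split() if len(w) > 1).lower()


def derive(phrase, upper=(1, 5), digits=(2, 6), symbols=(3, 7)):
    """Apply the post's scheme. Positions are 1-based, as in the post."""
    base = second_letters(phrase)
    need = max(upper + digits + symbols)
    if len(base) < need:
        raise ValueError(f"phrase yields only {len(base)} letters, need {need}")
    out = list(base)
    for i in upper:                       # upper-case positions 1 and 5
        out[i - 1] = base[i - 1].upper()
    for i in digits:                      # alphabet value mod 10 at 2 and 6
        out[i - 1] = str(alpha_value(base[i - 1]) % 10)
    for i in symbols:                     # shifted digit-key symbol at 3 and 7
        out[i - 1] = SHIFTED_DIGIT[str(alpha_value(base[i - 1]) % 10)]
    return "".join(out)


if __name__ == "__main__":
    print(derive("So Long And Thanks For All The Fish"))  # O5$hO2*i
```

Changing the phrase or any of the position tuples gives a different password from the same scheme, which is the "one scheme, many key phrases" arrangement the post describes.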
We got our high-school computer labs admin password the old fashioned way too. By rifling through his desk. Sure enough, we found the words 'lunch' and 'dinner' written on the inside cover of one of the manuals for no apparent reason. Admin password? breakfast. From then on we played a lot of networked doom.
--
Take a made-up nonsense sound, like "kersplat" or "squish" or "blart" or "shazam" or something.
Capitalize the first letter, easy to remember because words are often capitalized in English (Kersplat, Squish, Blart, Shazam).
Pretend you're a l33t h4x0r and start replacing letters with numbers (K3rspl@t, Squ1sh, Bl4rt, Sh@z@m).
Add some punctuation, either in front or behind (K3rspl@t!, Squ1sh?!?, !Bl4rt, ??Sh@z@m).
Congratulations, you now have a reasonably secure password.
One of these is very similar to a password that I used to use. Can you guess A) which password is similar, B) what the real password was instead, and C) which systems that password was used on?
--
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
So I've had to write them down "somewhere" bloody safe. As it happens, I ended up encrypting the piece of paper, such that the only thing that I definitely have to remember is the non-trivial decryption scheme. Of course, I also remember the passwords that I need most often, but for the others my encrypted paper has occasionally worked miracles.
--
Linux user since early January 1992.
Where do you work? :P
that was popular when I was in school. Every time I came across someone who did that I just did a control-C and then rm -rf (oops, I mean whatever the DOS equivalent was. deltree or some such). I always hoped the student had some assignment due the next day that was almost done...
I always said that when the program catches me like that, I don't trust it not to have logged someone else's password, and so my good deed for the day was to make sure no passwords were stolen.
Wouldn't work these days. If you said "So where's the lead?" and were overheard these days, they'd think you were talking about bullets and expel you.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
At my old HS they were running Novell Netware with one of those butt ugly login screens. All of the student accounts were locked down to a ridiculously low 500K of storage. I "needed" more (to install Wolfenstein) so I wrote a Pascal app that looked "just" like the Novell login screen and logged usernames and passwords. Then it would give a cookie.."wrong password" message and show the real login screen.
After a week of going in just after class and starting it on every PC in the lab I had all of the privileged account passwords.
If you just write it on a slip of paper and stick it in your pocket, you're probably really safe. It's rather unlikely that someone will mug you for it, and you can make it really hard to guess while not leaving it around the computer. Given the number of people who pick good passwords and then leave them where it's easy for an attacker to get at and obvious what it's for, you'd think people would think to carry them.
I mean, they tell you not to carry your ATM PIN with you, but that's because you'd have the card and the PIN in the same place. You're probably not carrying your work computer with you...
Also, you'll probably have memorized your password after using it a bunch of times by looking at the slip of paper, at which point, you can destroy it.
That's why we have npasswd configured to not allow password reuse within a one year period. I have already had people tell me that they had picked out five passwords that they intended to rotate as the last used expire away. Those users can rotate if they like, but after a year I imagine they'll be more likely to pick a genuinely new one, especially since npasswd is such a hard ass about approving password choices.
Ultimately, we hold the users responsible for maintaining reasonable security practices. My job in implementing npasswd was not to force everyone to do the right thing, it was to make it a lot harder to do something stupid. In the end, it comes down to the user.
We do master a lot of systems from our master account database, so the user's single password gets them email, dialup, UNIX, Windows NT, AppleShare, etc. If our users needed to remember a dozen very difficult passwords, we couldn't do this, but with only one password needed for most of our network services, we hope it is not too unreasonable to require them to use decent passwords.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
I tried setting my password to 'mypassword1', and it told me 'Password not acceptable, may be derived from word 'mypassword''.
npasswd may not be able to catch all variants of past passwords, but it is very very picky about what passwords are allowed, and if you choose a password that passes through npasswd, it is going to be a high quality password.
No, a piece of software can't do anything about a user writing their password down on their forehead. But we have managers, and they can discipline or fire users for putting the lab's security at risk, if they do something truly stupid/negligent.
Security is a process, and software's just a tool.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
The npasswd password history files are kept as a dbm of crypted password choices, so an intruder would have to find and crack that file, and by definition all of the passwords in that file would be hard to crack, as such things go.
The one thing I'm not sure of right now is whether or not npasswd can support the use of md5 passwords or not. If it can, that would add a significant boost to the difficulty of cracking its files.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
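A sketch of the two npasswd features jon describes in this and the earlier post: a history of salted, slowly hashed old passwords, and a "may be derived from word" check that tries cheap transformations of the candidate (case changes, reversal, stripped digits or punctuation, leet-speak undone) against both a word list and the history. This is an added example, not npasswd's or Ganymede's code. Assumptions: the history is kept in memory with PBKDF2-SHA256 rather than in a dbm of crypt() hashes, the dictionary is a small constructed set, and the variant list is illustrative rather than npasswd's actual rule set. Because only hashes are stored, the checker has to hash each variant of the candidate under each stored salt, which is also why a history check can only ever catch the variants it thinks to try.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the word lists npasswd checks against.
DICTIONARY = {"password", "username", "swordfish", "trustno1",
              "hello", "welcome", "none"}

# Common substitutions undone before dictionary lookup ("us3rname" -> "username").
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(pw):
    """Cheap transformations of a candidate password, including combinations."""
    bases = {pw,
             re.sub(r"^\d+|\d+$", "", pw),                # strip numeric ends
             re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)}  # strip non-letter ends
    out = set()
    for b in bases:
        if not b:
            continue
        plain = b.translate(UNLEET)
        out.update({b, b.lower(), b.capitalize(), b[::-1],
                    plain, plain.lower(), plain.capitalize()})
    return out


class PasswordHistory:
    """Salted, slow hashes of past passwords (in memory; assumption)."""

    def __init__(self, iterations=20_000):
        self.iterations = iterations
        self._entries = {}  # user -> [(salt, digest), ...]

    def _digest(self, pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.iterations)

    def record(self, user, pw):
        salt = os.urandom(16)
        self._entries.setdefault(user, []).append((salt, self._digest(pw, salt)))

    def matches(self, user, pw):
        # Only hashes are stored, so the candidate must be re-hashed under each
        # stored salt; compare_digest avoids a timing side channel.
        return any(hmac.compare_digest(self._digest(pw, salt), d)
                   for salt, d in self._entries.get(user, []))


def check_new_password(user, candidate, history, min_len=8):
    """Return (accepted, reason) in the spirit of npasswd's checks."""
    if len(candidate) < min_len:
        return False, "too short"
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        return False, "needs at least three character classes"
    vs = variants(candidate)
    for v in sorted(vs):
        if v.lower() in DICTIONARY:
            return False, f"may be derived from word '{v.lower()}'"
    if len(user) >= 3 and any(user.lower() in v.lower() for v in vs):
        return False, "contains the account name"
    if any(history.matches(user, v) for v in vs):
        return False, "derived from a previous password"
    return True, "ok"


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.record("jon", "K3rspl@t!")          # constructed previous password
    for cand in ("Us3rname!", "k3rspl@t!7", "natWitrrS34tBofaaK"):
        print(cand, check_new_password("jon", cand, hist))
```

"Us3rname!" is rejected as derived from "username", "k3rspl@t!7" is rejected because stripping the trailing digit and capitalising it reproduces the old password, and the mnemonic-derived "natWitrrS34tBofaaK" passes. The iteration count is deliberately modest so the variant loop stays fast; the stored hashes still cost an attacker who steals the history file one slow hash per guess.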
We recently implemented Clyde Hoover's npasswd password validation program, which does all kinds of password quality checks and a password history function, to prevent users from re-using their old passwords. We have incorporated npasswd into Ganymede here, along with a password aging function, and boy, what a change for our users. Users really can't have easy passwords any more, they have to change them regularly, and they can't re-use old passwords. The sysadmins in charge of network security here love it, because the odds that our users are using the same password for our network that they are using for Amazon and Slashdot are now dramatically reduced.
Npasswd is very good at what it does. Npasswd supports checks against account information and a wide variety of dictionary files, with character transpositions, reversals, etc. No more 'us3rname' passwords for our users. Here's a partial list of the dictionaries that Ganymede with npasswd checks against in our environment:
If anyone here wants to make sure your users are using strong passwords, run don't walk and get npasswd, I say.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
I tend to configure /etc/issue so that it prints the root password just above the "login:" prompt.
Nice way to tease crackers. Too bad telnet doesn't allow root to login, but requires su'ing from a user account.
On some enterprise systems, the administrator has the option to have passwords checked against a dictionary for common words, palindromes or other easily guessed passwords. If you are interested in such "smart" password software, check out npasswd at: http://www.utexas.edu/cc/unix/software/npasswd/
- -----------
a funny comment: 1 karma
an insightful comment: 1 karma
a good old-fashioned flame: priceless
this sig limit is too small to put anything good h
Is there a category for the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?
Oh, so THAT's how my wife found all that pr0n on my private share...
Sanity.html - Error 404 not found
#!/bin/sh
# six random bytes, base64-encoded (mmencode is metamail's base64 tool)
head -c 6 /dev/random | mmencode

Much easier & faster, and certainly just as random as your cup of tea (of course, you have to be on a system with a reasonable /dev/random).
-"Zow"
I prefer to take stupid phrases that no one else would think of (something like making a phrase to remember quiz items) and take the first letters and sound out a word for it.
pretty easy to make up, easy to change, and easy to remember.
My winner under the Stupid category is the "admin" when I was in high school. He chose the great password of "none" for his personal account, which was easily cracked with a simple dictionary. Of course, he was really one of the biggest fools I have known in my life, so I am not really all that surprised...
Posted from the wireless couch.
Ack! I forgot the best part. For users who are really paranoid, you can, in the next-to-last step, convert the number into triplets instead of pairs:
633 436
And then you convert both triplets to their Unicode decimal equivalents. Thus, the high-security password in this case is:
ɹƴ
This may not display properly on non-Unicode browsers/platforms. But those of you who can display them will see that they have the added advantage of not actually appearing on any keyboard, thus exponentially increasing the difficulty for anyone wishing to guess your password.
BTW, for those who can't display them, decimal 633 is an upside-down lower-case "r", and decimal 436 is described as "Latin small letter 'y' with hook".
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
That is not nearly random enough. You need an algorithmic process that'll give you something really random.
Here's what I do. First, you take a phrase, famous or obscure. For this example, I'll use a little Shakespeare - "He hath a daily beauty in his life that maketh mine ugly."
Then, you take the second letter of each word, ignoring any single-letter words, thus producing "eaaeniihaig" in this case.
Then, you convert each letter to its decimal ASCII equivalent, giving us:
101 97 97 101 110 105 105 104 97 105 103
Then squash that all into a single number in that order, producing:
101979710111010510510497105103
Then, you take the 5'th root of that number, and drop any decimal places:
101979710111010510510497105103^(1/5) = 633436.01848182821643020050352705 --> 633436
Then, you take THAT number, and break it into pairs thusly:
63 34 36
Finally, you take the first pair and convert it back to its ASCII decimal equivalent, and that's your password. In this case ASCII 63 is "?", so your password is "?" (without the quotes, naturally).
And that, my friend, is pretty damn random.
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
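The "algorithmic process" from the post above and its Unicode follow-up, implemented so the numbers can be reproduced. This is an added example, not the poster's code; the root is taken with exact integer arithmetic rather than floating point, which is an assumption about how the poster computed it but gives the same 633436. Running it makes the joke concrete: whatever the phrase, the plain variant collapses to the first two digits of the root, that is, one of at most a hundred characters, so the phrase's entropy is thrown away, not preserved.

```python
def second_letters(phrase):
    """Second letter of each word, skipping single-letter words ("a")."""
    return "".join(w[1] for w in phrase.split() if len(w) > 1).lower()


def iroot(n, k):
    """Largest integer r with r**k <= n (exact; no floating point)."""
    lo, hi = 0, 1
    while hi ** k <= n:
        hi *= 2
    while hi - lo > 1:          # invariant: lo**k <= n < hi**k
        mid = (lo + hi) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid
    return lo


def squashed_number(phrase):
    """Decimal ASCII codes of the second letters, concatenated into one integer."""
    return int("".join(str(ord(c)) for c in second_letters(phrase)))


def absurd_password(phrase, triplets=False):
    """Fifth root of the squashed number, split into pairs (or triplets)."""
    root = str(iroot(squashed_number(phrase), 5))
    width = 3 if triplets else 2
    groups = [root[i:i + width] for i in range(0, len(root), width)]
    if triplets:                # the follow-up post's "high-security" variant
        return "".join(chr(int(g)) for g in groups)
    return chr(int(groups[0]))  # the plain variant: first pair only


# Constructed input: the Shakespeare line used in the post.
PHRASE = "He hath a daily beauty in his life that maketh mine ugly."

if __name__ == "__main__":
    print(second_letters(PHRASE), squashed_number(PHRASE))
    print(iroot(squashed_number(PHRASE), 5))
    print(repr(absurd_password(PHRASE)), repr(absurd_password(PHRASE, triplets=True)))
```

The triplet variant does no better: a six-digit root splits into two three-digit groups, so the output space is a few hundred thousand two-character strings at most, and a pair like 633/436 lands in the IPA block of Latin letters that indeed appears on no keyboard.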
The answer to this is quite easy by using a (simple) password algorithm:
;)
1) Take that random number, say 5934
2) Now for everyplace where you need a password, append/prepend the name of the site/computer to that string. So if you decided something like first and last letters, plus the random number, you'd get:
yahoo.com = y5934a
slashdot = s5934t
etc.
If that's too short (like for hotmail) use a full-name variant for those like ho59tm34ail.
For better security, always use caps for one of the ends, and/or tack on some (consistent) non-alpha at beginning or end, whatever rules you want to always use.
Benefits:
1) You never need to "remember" a password. Just the numeric bit, which you get to reuse everywhere, and the rule for picking the letters.
2) Unique password nearly everywhere. Getting one of them doesn't give access to the other sites, and pattern isn't obvious with just one.
3) If you ever are required to change a password (or just want to be safer anyway), ditch the first random number and select a new one, using the same basic scheme with it for all new passwords. Worst case scenario is you'll have to make 2, maybe 3 guesses, at a site you haven't been to for a while....
I've been doing this for about 4 years now and it works like a champ. I've lost track of how many times I've suggested this to users when they're griping about having to remember passwords, but they still give me a blank look and use something like their dog's name anyway. Lamers...
In the Portland, Ore area and like card games? Check out: http://groups.yahoo.com/group/portlandgames/
Of course, that would be silly.
I have used my PDA for password storage, but it proved somewhat tedious to go back and forth between computer and PDA to input them (whereas FPM can copy straight to X11's cut buffer with the hit of a button). It's not impossible for someone to break into my box, steal FPM's password file and somehow steal the password to decrypt it, but I consider that a possibility remote enough to fall within my level of tolerance.
I figure so long as the value of the passwords are less than the effort it would take someone to steal them, I'm protected from the most likely attacks.
Ita erat quando hic adveni.
I recommend a decent password manager for everybody, since there's just too damn many sites that require them.
Ita erat quando hic adveni.
Hey, a bunch of people in my HS did that too.
;)
You wouldn't happen to be in Surrey, UK would you?
Stuart.
The advice "never write down a password" dates from back when a secure-enough password could be remembered reliably.
This simply isn't true anymore. Any password that is easily remembered is likely to be easily crackable, because computer power is so cheap these days.
Even Bruce Schneier has reversed himself and now recommends that you write your passwords down on a piece of paper, and then treat that paper like it was a significant amount of cash or a credit card; keep it in your wallet, or locked in a safe, and be aware of its location at all times.
Of course, people who write down their password on a sticky note and place it on their monitor are still idiots.
-
A friend of mine came up with a pretty nifty password creation scheme.. He lived on a rather busy street near a stop light.. So he would look out the window and pick out someone's licence plate number who was waiting at the light.....
Slashdot is like Playboy: I read it for the articles
The thing that cracks me up, is that they obviously had researchers go ask people for their passwords, and they gave them to them!
I used to have an app on my PalmPilot that would generate random passwords and store them using IDEA. I was responsible for changing the root passwords at the ISP I worked at, and everyone hated it when I made them change.
Wasn't it Sierra's Hero Quest where you had to utter a password to enter a house, or cave, or something? The password, if I'm not mistaken, was "schwertfische"; If you said, "swordfish", it responded with something akin to "Wrong game!" before kicking you back to from whence you came.
Well, it was amusing... back in those EGA days...
When I worked as an intern in a rather big corp which shall remain nameless all passwords for all computers were "welcome". The sysadmins claimed it made their jobs easier because they didn't have to remember passwords for all the machines.
I once read an interview with Clifford Stoll, who was speaking about another interview he did on camera in his apartment. Apparently, the camera crew set him up seated in front of his computer. By the time the interview was aired, he realized his monitor - and the Post-It (tm) note with his root password on it - was clearly visible in the shot.
No, the obvious retort is, "But anyone who can get inside the room can read it." At my place of bidnez, our administrative passwords all get written down, then placed in a fireproof safe, which is in our locked operations center. If you're confident that nobody is interested enough to read your passwords, that's fine. Just don't give any TV interviews.
IMHO, this is a very serious problem, and almost everyone has it. It isn't realistic to expect anyone to memorize 20 different randomized passwords for 20 computers, 20 web sites, etc.
I think the Right Thing to do would be to memorize a single passphrase (that you never use as a real password for anything) and use it as a key, to encrypt the name of whatever computer/site you're logging into, then hash the ciphertext down into some password-like form. Thus, the user would only have to memorize one secret, but his local login, Slashdot, and Amazon passwords would all be different.
Naturally, no person could do this kind of thing in their head, so maybe that's the final excuse for carrying around a PDA or something. (The PDA wouldn't store passwords, it would just be for combining the passphrase+identity into passwords. So all you'd have to worry about would be someone compromising the PDA to store/forward your passphrase.)
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
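The passphrase-plus-site-name idea from the post above, which is also the "random number plus site letters" scheme posted earlier in the thread done with a real one-way function. This is an added example, not the poster's code. Assumptions: the post's "encrypt the site name, then hash the ciphertext" is approximated with PBKDF2-HMAC-SHA256, where the memorised passphrase is the secret and the normalised site name plus a generation counter is the salt; the output alphabet is 64 symbols so that mapping bytes into it introduces no bias. The slow KDF is the defensive detail the earlier scheme lacks: a leaked site password from "y5934a" reveals the shared number at a glance, whereas here recovering the passphrase from one derived password costs a full KDF run per guess.

```python
import hashlib
import string

# 64 symbols so that "byte mod 64" is uniform (assumption: the post names no alphabet).
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_site_password(passphrase, site, generation=1, length=16,
                         iterations=100_000):
    """Deterministic per-site password from one memorised passphrase.

    generation: bump it to rotate a site's password without changing the
    passphrase (the thread's "ditch the number and pick a new one").
    """
    # Normalise the site label: "Slashdot.org" and " slashdot.org " must agree,
    # otherwise you get the "2, maybe 3 guesses" problem the earlier post admits.
    salt = f"{site.strip().lower()}#{generation}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              salt, iterations, dklen=length)
    return "".join(ALPHABET[b % 64] for b in key)


def site_passwords(passphrase, sites, generation=1):
    """Derive the whole set at once; nothing is stored, only recomputed."""
    return {s: derive_site_password(passphrase, s, generation) for s in sites}


if __name__ == "__main__":
    # Constructed inputs; the passphrase is the only secret.
    table = site_passwords("correct horse battery staple",
                           ["slashdot.org", "amazon.com", "localhost"])
    for site, pw in table.items():
        print(f"{site:14} {pw}")
```

Note what this does and does not fix: each site gets an unrelated-looking password and a breach at one site does not hand over the others, but the passphrase is still a single point of failure, exactly the "someone compromising the PDA" worry in the post, and the scheme cannot change a single site's password without the generation counter being remembered for that site.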
This Slashdot Poll shows that 3% of slashdot users use "password" as their password.
Yeah, if they have physical access to your home and box anyway, passwords aren't really going to stop anyone.
-- Veni, vidi, dormivi
He built redundant Cisco router configs for Slashdot until June 23, 2001.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Ah, yes. @Home. I get service through Comcast Cable in Indianapolis. In trying to get them to actually provide service, rather than just leaving the modem, I ended up talking to a senior level tech. I had to tell her where I was, so I did:
@Home: Where are you located?
Me: 73rd & Hoover.
@Home: What is that near?
Me: About 1/2 west of Meridian St.
@Home: No, what's close to there on the map?
Me: It's Meridian, US 31, runs down the center of town.
@Home: I don't know where that is.
Me: The middle of Indianapolis!!
@Home: But what is that near?
Me: Plainfield, Carmel, Avon, it's a big city in the middle of the state!
@Home: What state is that?
Me: Huh?
@Home: What state is that?
Me: INDIANA!
@Home: What is that near?
Me: What the hell are you talking about?
@Home: We don't have any facilities there. What is that near?
Me: What? Do you mean what States are nearby? OH, IL, MI...
@Home: OK. We have service in Illinois. I put in a request for them to finish turning on your account.
Bear in mind that I called my LOCAL cable company for this support, and ended up, on the same call, talking to this wizard, who apparently flunked 1st grade geography, and was stuck on that asinine question, "What is that near?"
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
No, writing down your passwords is only stupid if all of your enemies will be able to find your written down password.
Like, if you post their location to a very public place...
--
There are no trails. There are no trees out here.
The thing that amazes me is when users boast about their passwords just out of the blue. One time I was helping a user who couldn't log in, and it took me about three seconds to spot the caps lock key that had been accidentally engaged.
"Thanks so much for fixing that," the user told me gratefully. "I couldn't understand why it wouldn't work. I typed in password just like I always do. You know, my niece's name -- 'brittani', spelled with an 'I'..."
I'm amazed on a daily basis at how differently some people's minds work.
- HH (proudly using 'lovesexgod' as a password since 1993).
*cough*
Like giving your password to someone doing a study on passwords?
--- Mercutio was right.
I agree.
When I used to teach beginning internet classes and manage the student lab at a community college, I made the same suggestion.
If I picked up that the students/users were savvy or interested, I also suggested adding other modifications to the acronymized sentence.
Substitute punctuation or numerals for words, suffixes, prefixes, etc.
@ = at
contempl8 = contempl(ate)
4nick8 = (for)nic(ate)
(Way too obvious, I know)
Alternate case in the acronymized sentence.
Now is the time for all good men to = NiTt4AgM2
If they insisted on using the 'family' category, I had them '1eet 5pe@k' the family name.
Where I work now, passwords must be changed monthly so I suggest all of the above with alternatingly prefixing or suffixing the two digit month offset by some number they can remember.
War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
How many idiots actually gave their real passwords to this study? I hope to god the "cryptics" just gave them an example. Hmm, how big was this study? Can I get the "results"? hint hint, nudge nudge.
Passwords aren't always the limiting defense in security.
Back in the day, we had all the machines in the research lab have the root password of "Mr.Root" (or "Mr.System" for the VMS machines).
It was all pretty secure.
We were not connected to the outside world on a network, and you had to pass through two safe doors to get to the lab. The combination on those safe doors was swiping your badge in the reader and waving your ID to the guys with the guns.
Never had a single compromised system, either.
bukra fil mish mish
-
Monitor the Web, or Track your site!
Eloi, Eloi, lema sabachtani?
www.fogbound.net
Why not? Just stick to a standard (or even better - slightly nonstandard) way of transliterating, and you shouldn't have any problem.
Of course, the downside of this approach is that if someone discovers your system, all the passwords you ever had are then known to them.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
This is the advantage of iris recognition. It's reliant on there being blood flowing through the eye when it's checked.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
Dude, who cracks passwords any more? These days, it's far more likely the bad guys will get a root shell on a particular box before they'll crack passwords. Then it doesn't really matter any more, does it?
IMNSHO, picking ridiculous passwords is a major waste of effort. All that is necessary is to "beat" all password guessers by a reasonable margin -- i.e., stay well out of their dictionaries. As long as you make it so that dictionary attacks are no good, you'll have pushed the weakest link in your security on to something else.
This means that pseudo-random passwords are easily good enough. No, "s00P3rS3kr1t" isn't a good choice for a password, but "SdN4N.Stm" will probably foil any dictionary.
Heck, these days if someone manages to get a shadow file, then they're almost to the point where they don't need it any more.
In any field, find the strangest thing and then explore it. -John Archibald Wheeler
In high school, someone managed to get a copy of /etc/passwd when it was accidentally unshadowed for a day [NIS went down and it was a quick fix and no one realized it broke shadow until too late].
So we ran john (I think that's what it was called) on the password file to see what it could decrypt. All the important accounts had secure passwords, but lots of users had really stupid passwords. The most common ones were "password" and "hello123".
So what we did was hash each of those, and then hash the hashes. We then ran the program to brute-force the double hash, and lo and behold, it said the password was "password" or "hello123". But neither password nor hello123 would be valid.
I just really liked that method, because it's a sneaky way of creating a pseudo-random password, and if you use it correctly, you can screw with people's minds. Of course, as soon as someone realizes that this is what you've done, it's very easy to get around. But that's not the point =]
P.S. if you can't figure out what I'm talking about, I'm sorry for the incoherent babbling, I barely got any sleep.
---
"Of course, that's just my opinion. I could be wrong." --Dennis Miller
The Guy: What is your @home password?
Me: Excuse me?
TG: Oh, we have to make sure it's you.
Me: But I haven't set a password.
TG: Yes, you have.
Me: Um, I don't remember TELLING anyone my password.
TG: Oh wait, you do have the default. Do you want to set a password?
Me: What?!
TG: You tell me the password, I'll put it in for you.
Me: I don't really feel comfortable with that.
TG: Just give me any old password.
Me: Okay. F. &. 9..
TG: No, do you have a regular word you could use?
Me: What, like 'bob'?
TG: Okay, I've set it to 'bob', how can I help you?
I was about ready to kill him at that point. Slight alterations in the passwords, but that's pretty much how it went. I was not happy.
--
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Ha. When I was sysadmining, I added Hindi, Mandarin, and Cantonese dictionaries to my regular Crack run. I caught quite a few.
Too bad most people have never heard of the Marx Brothers, or at least they don't *think* that they have ever heard of them. (Think Bugs Bunny for a moment...)
---
"He may look like an idiot, and talk like an idiot, but don't let that fool you. He really is an idiot." - Duck Soup
You can make the case mixing in the mnemonic device too. For example, if you were to think the Too Many was loud, it could be mshTMp2d.
Here's what I use: [snip] ...3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120)...
Hm. This method is quite common, but perhaps not so secure. Banks in my country have issued warnings about using this method for storing PIN codes for ATM cards, since "all" pickpockets seem to know this scheme, and therefore scan all dayplanners for "fishy" name and number entries. Apparently quite a few bank accounts have been emptied this way.
Another problem with this scheme is that it is "easy" to verify what are real names and telephone numbers.
"The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password."
Brrrnnnggg!!!
Brrrnnnggg!!!
"Good morning and thank you for calling the sales department at ACME Widget Corporation. My name is Janet. How can I help you today?"
"Good morning, ma'am. This is the tech support department. We're currently installing quizzards for the loopstep stabilizers on your PC and we need your password."
"Oh, OK. My password is J-A-N-E-T."
(tapping sounds)
"Ummm... No, ma'am. That's your login name. We need your password. The thing that you type in after your login name."
"You mean that box underneath my name?"
"Yes, ma'am. The box that says "Password" next to it..."
"Oh it's B-U-S-T-E-R. That's my puppy's name."
(tapping sounds)
"No ma'am, that isn't it either."
"Yes it is. When the 'Password' box comes up I type that in or else I can't get my e-mail."
"That's the password to your e-mail account, Janet. When you FIRST turn the computer on, a box comes up that has a text entry field... err... I mean a little white rectangular box that you can type in, underneath your login name. What do you type in that box?"
"Nothing."
(silence)
"What do you mean 'nothing'?"
"I kept forgetting my password so one of the boys from the IT department set it to Auto Save so I wouldn't have to type it in."
(silence)
"Janet, can you please transfer me to the accounting department?"
"Don't you want to place an orde..."
"SILENCE, DUNCE! TRANSFER ME NOW!!!"
"Study your math, kids. Key to the universe." -The Archangel Gabriel
Biometrics is coming... and it's going to replace passwords. You can kiss your privacy goodbye... but you will never be embarrassed by having a crappy password or even worse, forgetting your password.
Thalia
Back in high school, when SNES was big-time, my favorite password was "PotassiumIodide". See, Killer Instinct was one of my favorite games, and abbreviates to KI (all the chemists out there are shaking their heads at me)...
------------------------
Co-founder of GerbilMechs
So many people neglect the meatspace security.
------------------------
Co-founder of GerbilMechs
There are mnemonic tricks to help (e.g. first letters of the words of an easily-remembered phrase, perhaps with a few complications thrown in along the lines of "capitalize the letter if the word is a noun; take the number of letters in the word if the word is a verb"). For instance, "Not all the water in the rough rude sea can wash the balm off from an anointed king" keys the reasonably cryptic "natWitrrS34tBofaaK" -- which can be keyed in at close to normal typing speed with a bit of practice.
/. If the government wants us to respect the law, it should set a better example.
Everybody just needs to email their slashdot username/password to me
Sure! Just put your email, unfudged, in a reply to this and I'm sure lots of people will be emailing you real soon, with emails that will 'CHANGE YOUR LIFE BY MAKING $MILLIONS WHILE SVCRATCHING YOUR ARSE'.
EZ
"Oops, I always forget the purpose of competition is to divide people into winners and losers." - Hobbes
if you ask me.
;), well, just to be a nuisance I told another friend of mine to try a password to see if we could log in when he was away.
It's amazing to me that people in such an intellectually demanding field as programming computers have for YEARS relied upon what could possibly be the most inefficient form of personal security available: a secret word. I mean really.
Complaints aside of "stupid users!" and "idiots deserved to have their account cracked with a foolish password like that!", what do you expect? It's the same thing as the whole "Well duh, to use Linux well you need to LEARN it, it's not my fault if you're too STUPID to learn something NEW!" argument; it just doesn't hold water when applied to the general populace.
You or I may be capable of mastering every arcane command our operating system affords us, memorizing every minor inconsistency between BSD flavor or Linux distribution, programming in fixes when we need them, etc, but JOE USER NEVER, EVER WILL. It's the same with passwords. You or I may realize the importance of a unique alpha-numeric password for each of our important sites, and have a nice table of "xreF249sfj2r43's" and "248sT358ugtds's" memorized in our head, but JOE USER NEVER EVER WILL.
So when confronted with that box that says "Choose a password, and CHOOSE ONE YOU WILL REMEMBER, PASSWORD RETRIEVAL IS VERY DIFFICULT, please enter in your password hint in case you forget it", Joe User is not only inclined, but DIRECTED to select an easily-rememberable password.
Someone please tell me how the fsck you have a "hint" to remind you the password you selected is "24885sfjsfsjf82's"?
So Joe User sees that box, thinks "oh cool" and types in for the hint "Mom's maiden name" and his password ends up being "johnson", and that's that. It works for him, he remembers it, and even if he does forget it, it's right there for him to retrieve via his hint. Joe User doesn't realize that someone with half a brain will probably guess his mother's maiden name as his password within the first ten attempts to break into his account/machine/whatever.
Also notice Microsoft and countless third parties developing programs to auto-remember and auto-insert passwords on sites you've visited before. One wonders why they don't just tie access to a unique browser hash if it's going to be that straightforward.
An example of the type of thing I'm referring to: One time I had a few friends over spending the night with me, and when we got up the next morning we all had logged onto our messengers of choice to talk to friends and see what the plans were for that day. One friend had logged off of his AOL IM account to go to the bathroom (for he knew that if he left it up, we all would've lunged at his machine to enter the standard requisite "Sup, slut?" messages to his girlfriend and mother and etc etc
To my astonishment, it worked. My FIRST GUESS. It just goes to show that most "regular people" pick a password that is so easily rememberable (a word? is now.) by them and so related to who they are that those who know them well can probably pick it out just as easily. Another one of my friend's passwords, discovered via the same method, is simply his girlfriend's name with an "i" replaced with a "1".
(btw, the password for the aforementioned friend was "bigblack", he'd been a fan of that character on the Howard Stern show)
So please, someone more intelligent than I, come along and invent a better personal identification system that doesn't rely on the good practices or intelligence of the end user.
-Chris
If you have giant lists of different passwords, you're insane. I have (at any one time, changed regularly) just three:
I'm old enough to remember when discussions on Slashdot were well informed.
Sure. There are something over 2,000 natural languages, with an average of 250,000 words in each. That's 5*10^8, which will take you a while. And, although the method I gave is analogous to my method, this attack still won't get you any of my passwords.
Amen to that. I remember a time when I was phoned up by a former employer nine months after I had left their employ and asked what the root password for a particular machine was (because the person I had handed over to had also left and was unreachable).
You need a systematic way of generating passwords, where the key knowledge is the system, not the individual password. Then, if you forget a past password, you can work progressively back through the system until you recover it.
As an example, you might choose a particular book, ideally in a foreign language, and use the longest word in the fifth line of each successive right hand page as successive passwords (that isn't my system, but it's analogous to my system). If you forget your current password, just look in the book. If you forget an earlier password, work progressively backwards through the book.
You can, if you want, substitute some letters with some numbers in a systematic fashion known to yourself, but IMHO that trick is now so well known as to add little extra value. I know some good geeks who always systematically replace all vowels with numbers... so if you were trying to crack their passwords, you would do the same.
And yes, I was able to tell my former employer their password, there and then on the phone, although I had changed all my passwords several times since then. Systems are good provided only you know the logic of the system.
pfft. Here's a tip, no-one is guessing passwords on your Microsoft domain server, except maybe the guys who are always standing in the kitchen drinking coffee and giggling. Back when I used to see a lot of passwords I noted two types. Dictionary words with numbers or punctuation replacing vowels and totally random passwords of the cryptic variety. Of the latter, almost all of them rhymed. I.e., the 4th letter would rhyme with the 8th letter or the 3rd with the 6th. I believe these types of passwords are attacked by Crack quite effectively.
How we know is more important than what we know.
Are you the type who refused to ever say a password out loud, or even subvocalise it? Remember the BBS days when everyone was warned "Never use the same password for two BBSes cause the Sysop can read your password and log into other BBSes as you"? Remember Remote Access was the first BBS to implement hashed passwords (actually they were CRCed which is easier to crack) and every Sysop added an extra question to the registration procedure to make people enter their password again which would be stored in a file as plaintext?
Of course, anyone who has 'swordfish' as their password deserves to have their account cracked.
Head cracked more like it.
For all my passwords (and I have a lot of them), the only acceptable way is to pick them randomly.
And I don't mean pseudo-random, like a computer generated password, or "sounds random", from just
making up letters and digits out of my head.
I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it
back in, shake, and repeat 7 or 8 times.
A dingo ate my sig...
Are there also categories for systems administrators?
Like...
Life's Lance Corporal: Makes sure that nobody uses any software or operating system other than that used approved by the CTO. Zealously enforces the use of anti-virus software on every boot. In marketing, his tread is greeted with trembling... in engineering, with stifled laughter.
Just a Sad Bastard: Has such a pathetic life that he needs to reaffirm his own cleverness by making lists categorizing those sheep-like lusers. Not quite competent, but it's too difficult to fire him because he won't tell anyone else the root passwords of the systems he controls.
:-)
Any more?
Some Unices have problems with certain characters, such as the octothorpe. You can put one in your passwd, but /bin/login uses a very primitive terminal profile under which # translates into a backspace, which means you can't enter the character at login time, effectively locking you out of the system. This problem exists in HP-UX at least as recently as 10.2.
A good habit after resetting one's password is to telnet localhost and try it on for size. This has kept me from losing the root account at least once--on an HP-UX box where I'd tried to use a hashmark in the new pw.
--
This is not my sandwich.
Keeping a strong enough password is an uphill battle that really can't be won, because the cracker's tools are going to keep getting better at a rate faster than users can be reasonably expected to remember them. Even your elite haxxor mixed case alpha / numeric / symbolic max length password can't stand up to the scrutiny if someone with the right tools wanted it badly enough.
Your best bet is to make it reasonably obscure & just try to prevent the casual cracker from getting it. The casual cracker used to mean someone enterprising enough to look for a post-it note, but with the tools getting better the barriers to entry are falling, to the point that you don't know that some little snotnosed 13 year old with a downloaded rootkit (or Back Orifice, or whatever) couldn't count as "casual" these days.
"You can't win, but there are alternatives to fighting..."
DO NOT LEAVE IT IS NOT REAL
the most common type of password attack comes in the form of "social engineering"
*cough*
Like giving your password to someone doing a study on passwords?
I figured someone would catch that. B-)
Which brings up the question of how many "cryptics", confronted with such an obvious piece of social engineering as asking you to disclose your password for a survey, would lie, masquerading as one of the other categories.
It's just like someone asking for information about whether you own a gun, what kind, where you keep it, etc. in a situation where the person giving the answer can be identified. Even if you are otherwise scrupulously honest, the canonical thing to do is to lie. No one else has a right to that information, revealing it reduces your security, anyone asking is suspect, and refusing to answer leaks part of the information you want hidden (because people who DON'T own one generally won't refuse).
Pollsters asking how you voted/will vote is a similar situation. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Also, if accounts get hacked, and your biometric becomes known, do you have have a new thumb grafted on to get a new password?
ostiguy
In my high school computer class, we all wrote fake TRS-80 command prompts.
The cake is a pie
Here's what I use: 1. Use obscure brand names like Caldera. They don't appear on the naughty lists. Then add your area code. 2. Write them down in a DayTimer or the like but don't write down the login id. This only works if you can remember the login id. 3. Use a person's last name (like Rucker) and 4 digits (say 3120). In your DayTimer or PDA, record it as a name and phone (Bill Rucker 275-3120). The older you get, the worse it gets.
If you aren't part of the solution, there is good money to be made prolonging the problem
Bottom of their keyboards?
My users stick them on their monitors!
Hehe, you know the algorithm. The entire strength of my password lies in the private keys.
good luck getting those, because I don't even remember them. Those goddamn uptimes.
I can throw myself at the ground, and miss.
Mike.
--Ask a silly person, get a silly answer.
One trick I was taught many years ago is to (if you can) put your passwords in a language other than English. This not only makes the password cracking programs work harder, but it tends to confuse shoulder surfers as well.
Thus, an example password I might use would be
yUEh@lIAng
(Mandarin speakers may notice the full moon in the middle of the password)
Another trick which was used in a shop where we had to issue passwords to users (thus we had to make passwords the users could remember, not just the admins) was to use close-by keyboard patterns. An example might be frdU*8.
But when I ask people to back off when entering my password/PIN, they stare at me as if I'm a madman! Then they grumble something about 'paranoia' as they finally back away.
It would appear that their own lax security affects how they think everyone else should act. I don't much mind their own obliviousness, which is what this article is about, so much as the creation of social norms around it.
~~~~~~
under-paid karma whore
On my network. I found it quite humorous that one of the heads of the company's password was "womanizer". For you network admins on NT networks, all you've got to do is use the handy dandy L0phtcrack and dump them from your PDC. I guess NT is good for something (password auditing surveys)
Jason
...comes from a marx brothers movie. it's the password to get into the speakeasy. how it became a completely unrelated travolta title, I'll never know...
Every 90 days? ALL your passwords?
If I was to try this, it would eat up a good day of work.
"Then I just have to remember one scheme and a bunch of key phrases for all of them"
Yeah - those key phrases? That's what us normal people use AS passwords.
As much as I hate the idea of biometrics, I'm really getting fed up with the need to memorize giant lists of passwords, pins, etc. just to identify that I am in fact me. Nothing is more random or harder to produce than your thumb print or iris pattern - perfect, non-stealable, unique identifiers.
Except that you have to get a PDA password app that sports decent encryption, or else all those passwords are backed up onto your desktop every time you sync.
I personally store my passwords on my TRGPro with a program called Cryptopad. It has an interface identical to MemoPad except that it uses blowfish encryption.
And, to be on the even-safer side, I went ahead and bought a 32-MB CompactFlash card to back up the PDA so I never have to sync my data to a PC. If I want to add a program to my TRGpro, I simply employ that nifty $10 CompactFlash -> PCMCIA adapter. Long as the OS has PCMCIA support, it looks like a regular IDE drive!
If I ever lost the TRGpro itself, well I guess I'd be up a creek. But then, I'd be much more saddened by the loss of my $350 geek toy than a couple dozen seldom-used passwords.
Hey thanks! I'd been looking for something like this that was "free." The closest I got was a (very nice) app called CryptoPad which is just like Palm's MemoPad except it's got really decent encryption.
Back in high school (6 years ago) we got the password file for a BBS we were on. Took a cracker program and gave it a list of common first names, sports teams, cheezy stuff (opensesame, secret), and all the previous with '1' appended (because you always hear people say to put a number, so people think they're sneaky and put a 1 at the end. Never a 2 or 48). Doing that, I'd say we got about 60% of the passwords. Also, "catLight" was one of them because when you sign up, it said to use a combination of words, such as catLight.
The comment about "So many people tend to subconsciously believe that their password has to sum up the very essence of their being in one word," reminds me of the Orson Scott Card short story, The Dogwalker. Basically, a password thief discovers by psychoanalysis of sorts what a password is... it is basically derived from someone's personality.
Kind of interesting, I think. The story's at http://www.frescopictures.com/movies/dogwalker/short-story.html if anyone's interested.
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
I've found that where I work the new important password every month is usually the hax0rized version of the name of someone who quits. IE.. Colin would be (0|_||\|
:)
pissed the hell out of our NOC when they gotta remember that crazy stuff
Oh! Did I say that out loud, or did I just think it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Somebody hacks my machine across the internet and I'm toast.
Of course:
A) You can always encrypt something stored on a computer with GnuPG or similar, and keep that password either in your head (preferable), or written down somewhere, or maybe write down a hint for yourself on paper but keep the actual password only in your head.
B) If someone cracks your machine, they probably won't need anything else. They can trojan your /bin/login and ssh/sshd to email the passwords you use to log in to wherever (bonus points to those who replace Mozilla/Netscape with a trojaned copy that sends transcripts of SSL sessions too) to some address at hotmail, they can obviously copy any files you have on your home machine, they can probably do a lot of other nasty things.
It's tucked in a relatively obscure location in my files.
This obscure location isn't "it's taped onto the side of my monitor", is it? If you're keeping it someplace hard to find (or better yet, a safe), then no problem. However, most people who write down passwords don't do that. I live with 3 non-techie people, and they do things like use their birthdays as passwords (literally). These people are well educated (in their fields) and certainly no fools. But people just don't get security. That's all there is to it. For every one person writing down their passwords in a safe place, there are 100 putting it on the side of their monitors.
For a while I learned how to type using a Dvorak keyboard layout. So what I'd do is use a common phrase for me, but type the letters in the Dvorak sequence on a Qwerty keyboard. Or the reverse. Bingo, a relatively simple passphrase became gibberish.
Unfortunately, it was too hard to switch back and forth between Dvorak and Qwerty, and my regular typing became gibberish as well. So I quit doing that, and went back to the slow ol' Qwerty way.
It was a cool system while it lasted.
Insert simplistic political, ideological, or personal proselytization here.
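As an added illustration of the Dvorak trick in the post above and of the vowel-to-digit habit mentioned earlier in the thread (this is not code from either poster): both transformations are deterministic, so run over a wordlist they produce exactly one candidate per word, and anyone who knows the rule loses nothing by it. The layout tables, function names and the sample wordlist are this example's own; shifted punctuation is not modelled.

```python
"""Why a deterministic 'scramble' of a passphrase adds no entropy.

Two transformations discussed in the thread are implemented here:
  * typing a phrase "in Dvorak" on a QWERTY keyboard (a fixed key-position
    permutation), and
  * the l33t habit of swapping vowels for digits.
Both are deterministic, so each dictionary word yields exactly one candidate:
the transformed dictionary is never larger than the original one.
"""

# Unshifted keys of the three letter rows plus the two keys right of '0',
# in physical key order for both layouts (same index = same physical key).
# Constructed for this example from the standard US layouts.
QWERTY = "-=qwertyuiop[]asdfghjkl;'zxcvbnm,./"
DVORAK = "[]',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz"

DVORAK_TO_QWERTY = dict(zip(DVORAK, QWERTY))
QWERTY_TO_DVORAK = dict(zip(QWERTY, DVORAK))

# One common vowel-to-digit substitution (the thread's "replace vowels
# with numbers"); 'u' is left alone, as many people do.
LEET = str.maketrans("aeio", "4310")


def _remap(text: str, table: dict) -> str:
    """Replace each character by the key at the same position in the other
    layout. Letter case is preserved; characters not in the table (digits,
    space) are left alone because they sit on the same keys in both layouts.
    Shifted punctuation is not modelled (assumption of this example)."""
    out = []
    for ch in text:
        low = ch.lower()
        mapped = table.get(low, low)
        out.append(mapped.upper() if ch.isupper() and mapped.isalpha() else mapped)
    return "".join(out)


def dvorak_on_qwerty(text: str) -> str:
    """What appears when you 'think Dvorak' but the machine is set to QWERTY."""
    return _remap(text, DVORAK_TO_QWERTY)


def qwerty_on_dvorak(text: str) -> str:
    """The reverse direction (the poster mentions using either)."""
    return _remap(text, QWERTY_TO_DVORAK)


def leet_vowels(text: str) -> str:
    """Swap a, e, i, o for 4, 3, 1, 0."""
    return text.translate(LEET)


def candidate_count(words, transform) -> int:
    """Size of the candidate set an auditor gets by applying `transform` to
    every word of a wordlist. For a deterministic transform this can never
    exceed len(words): no entropy is gained over the plain wordlist."""
    return len({transform(w) for w in words})


# Constructed sample wordlist standing in for a cracking dictionary.
SAMPLE_WORDS = ["hello", "password", "swordfish", "secret", "trustno1"]

if __name__ == "__main__":
    print(dvorak_on_qwerty("hello"))   # jdpps
    print(qwerty_on_dvorak("jdpps"))   # hello
    print(leet_vowels("swordfish"))    # sw0rdf1sh
    for t in (dvorak_on_qwerty, leet_vowels):
        print(t.__name__, candidate_count(SAMPLE_WORDS, t), "of", len(SAMPLE_WORDS))
```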
This can be a good thing...I am a sysadmin who practices this...but ONLY, and I repeat ONLY if only a select group of people know the machine password. In the University we don't allow Faculty/Staff to have admin privileges on boxes unless they need it. We hold the local admin account and rename it. Also, you should just make sure that it is not held by anyone who would give it out... *cough, cough* look up *cough, cough*. In my organization you must have been there for 6 months before you get it.
------ This has been provided as a public service! ------
Which of the 4 categories does "old D&D character name" go into?
--
-- SIGFPE
OK, so you invent the luser-proof authentication scheme. Implant a crypto chip in Joe's belly and have it talk to the keyboard. Hooray! Nobody can social-engineer Joe's password, because he doesn't know it. But someone will email him an executable and tell him to run it. Or phone him and SE him into using his privs to do something he shouldn't. You are only shifting the impact of cluelessness around, not reducing it.
Those numbers are kind of low, are you sure you're a geek?
I'm the big fish in the big pond bitch.
On a tangent, I find it amazing how again and again opinions that differ from the norm are marked as flamebait.
I'm the big fish in the big pond bitch.
Yeah, they're called MY BOSSES :-)
"'I don't want to have to remember 18 different passwords.' You don't Genius, give the same password if you must, but make them tough."
my general password is some really cryptic (l33t) phrase. that's my password for everything not linked to $$$. my trick is that I add a hash of the site I'm at (using a common scheme) to make the password unique. I've got something hard to crack, unique per site, and if somebody gets ahold of one password, they have no others. my scheme is complex enough that they shouldn't find it even with three or four passwords (or so I'd like to think).
Use my userscript to add story images to Slashdot. There's no going back.
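The per-site scheme in the post above, as an added example rather than the poster's own (unspecified) mental scheme: a memorised master phrase is combined with the site name through a keyed hash (HMAC-SHA256, my substitution for the poster's "common scheme"), so every site gets a distinct password and a password captured from one site reveals neither the master phrase nor any other site's password. The function names, the output alphabet and the sample sites are this example's assumptions.

```python
"""Derive a unique password per site from one master phrase.

The poster keeps one hard phrase and appends a site-dependent 'hash'. Done
with a keyed hash (HMAC) instead of a rule you can run in your head, the
property the poster hopes for actually holds: without the master phrase,
one site's password gives no foothold on another's. Added example; not the
poster's method.
"""
import hashlib
import hmac
import string

# Output alphabet (assumption): letters, digits and a few symbols most
# sites accept. 70 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def normalise_site(site: str) -> str:
    """Reduce 'https://Example.com:443/login' to 'example.com' so the same
    site always derives the same password regardless of how it was typed."""
    s = site.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].split(":", 1)[0]


def derive_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = ALPHABET) -> str:
    """Deterministically derive a site password of `length` characters.

    HMAC-SHA256 keyed with the master phrase is applied to 'site|counter';
    the counter yields more blocks if one is not enough. Hash bytes are
    mapped to the alphabet with rejection sampling so every symbol is
    equally likely (256 is not a multiple of 70).
    """
    label = normalise_site(site)
    limit = 256 - (256 % len(alphabet))  # largest multiple of len(alphabet)
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(master.encode("utf-8"),
                         f"{label}|{counter}".encode("utf-8"),
                         hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b >= limit:          # reject to avoid modulo bias
                continue
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


def all_distinct(master: str, sites) -> bool:
    """Sanity check: the same master must give different passwords for
    different sites (the property the poster wants from his scheme)."""
    pws = [derive_site_password(master, s) for s in sites]
    return len(set(pws)) == len(pws)


# Constructed sample sites; the master phrase is a placeholder, not a real one.
SAMPLE_SITES = ["https://Example.com/login", "example.org", "mail.example.net:993"]

if __name__ == "__main__":
    master = "So Long And Thanks For All The Fish"
    for s in SAMPLE_SITES:
        print(normalise_site(s).ljust(20), derive_site_password(master, s))
    print("distinct:", all_distinct(master, SAMPLE_SITES))
```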
--Fesh
Kill -9 'em all, let root@localhost sort 'em out.
Yeah, it's from Horse Feathers:
CHICO: You can't come in unless you give the password.
GROUCHO: Well, what is the password?
CHICO: Aw, no! You gotta tell me. Hey, I tell what I do. I give you three guesses. It's the name of a fish.
[...]
CHICO: You can't come in here unless you say 'swordfish.' Now I'll give you one more guess.
(Harpo gets in by displaying a mounted swordfish trophy.)
Corollary to Moore's Law: The IQ of new computer owners is declining.
The post to which I was replying essentially asked why a longer password was more secure. My reply was obviously noninformative for most of us, who already knew the answer. Not sure why you couldn't figure that out.
maru
About a year ago there was some sort of discussion here about methods of password generation. Someone had the best system I have seen, and I have been using it ever since. It's based on the use of simple math formulas, such as 8+7=fifteen or 24/8=three . It has many advantages. It's relatively long, uses shifted characters, and isn't hard to remember. Another advantage I discovered after we started using it regularly is that you can verbally relay the password to another admin who might have forgotten it and that admin (who knows that the answer to the equation is spelled out) can then use it but others within earshot who heard it will not understand how to use it.
A tip of the hat to whomever it was here that originally posted that method a year or so ago.
maru
Users, generally, have too many passwords to remember. And no one wants to subscribe to MS Passport. Writing down the password, as well, is equally foolish.
- -----------
However, to be a good SysAdmin, you really need to try to find SOME way for your users to have both a secure password, and one the can remember. (OR you'll be resetting it constantly).
I advise my users to think of a sentence to use as a mnemonic device, and make their password off that. ie, "My Sysadmin Has Too Many Piercings Today" - their PW would be mshtmp2d. I know, it's not as good as, say, "54kaSgHJ3", but most crack programs will take a hell of a long time on a NICE computer to break it, and the users feel more comfortable with it.
Really, the point is to make the password not easily guessable, not write it down, but easy for the user to remember.
--------------------------------------
Most everyone has to learn the basics of a foreign language in school. I've always just used a handful of easy-to-remember words from one of the ones I studied. No automated cracking scheme goes through foreign dictionaries too. :-)
The Internet domain name registry CentralNic, which commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password.
Another option is to pretend to be doing a study of such things, and ask thousands of companies for their user's passwords.
Any sufficiently well-organized community is indistinguishable from Government.
I use Secret, myself, because it has a desktop companion app.
Vintage computer games and RPG books available. Email me if you're interested.
Relatively simple really. Pick two words that are related, but unrelated to you. For example, I'm not into fishing. I could pick the words "bait" and "tackle". Now that you have those words, stick them together. But wait, there is more....
Okay, now you have baittackle. Here are the other things you can do to it. Capitalize the first letter of each word. You have BaitTackle. Capitalize the last letter too if you like, for BaiTTacklE. Or just the last letter, or whatever. But then, the real clincher is add some sort of unusual symbol between the two words, such as + or = or - or / or whatever. Not all systems allow all symbols, but chances are you can figure out at least a few good unusual symbols your system allows.
The end result could be something like BaiT+TacklE. Easy to remember, hard to crack.
I got a kick out of it.
--
I have post-its with fake passwords scattered all over my office. I figure anyone who tries to hack my machine will waste a lot of time trying them, and will be so absolutely sure that one of them must work that in the end he will be too emotionally exhausted from frustration to try a more intelligent approach.
InstaPundit! Ahead of the Curve Since 30 Minutes Ago
Yeah, God forbid if someone broke into my slashdot account and posted a message as me. I use easy to guess passwords intentionally. This way, if I ever post something I regret, I can just say my password was stolen.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?
BlackNova Traders
I like the cartoon of this smartass sitting at a computer - "Enter Password"
Penis
"Password not long enough. Please enter another."
The first thing we do, let's kill all the lawyers. Shakespeare, Henry VI, Part 2, Act 4, Scene 2
I used to work for a hulking great multinational company; let's call them CompanyName Limited. I was not in the IT department, I hasten to add, but was let in on the top-secret root/NT domain administrator/whatever you call it on that platform password.
You guessed it: CompanyName
After I wiped the tears from my eyes, and my sides stopped hurting, I let some other people in on the secret and it was hastily changed. It's amazing what you won't learn in the process of getting your MCSE.
--As a Sys Admin I have a sort of love/hate relationship with passwords. My users are required to remember no less than 3. (NW, Notes, Sabre.) Some of the savvier have managed to use the same password everywhere. Recently an edict was passed down from the PHBs to make everyone's password the same. Mostly so the PHBs could access anything. I showed them the error of this thought process.
--"Then they can get each other's stuff and yours!"
--"But, they're not me, how could they get in?"
--"If I have the keys to your house I could get in to it."
--"Oh. But they'd have to sit at my desk!"
--"Not really." (Of course I could restrict where users can log in from but they don't need to know that!)
--But honestly I feel for these people. I have a ton of passwords too. Some are hard some are easy some I don't know thanks to cookies. The point being there ARE far too many passwords.
--I have been trying to envision a swipe card system wherein all a user's passwords are stored yadda yadda. Clearly theft of this would be bad, but so is losing your work ID swipe card. Perhaps this is coupled to a typed password for the card. (Which my users would write onto the card with a Sharpie.)
--Of course the promise of fingerprint recognition (lop off the finger trick?) and retinal scans would make this idea obsolete in several years but something has to be attempted to lessen the password load.
---
This
More information (like the words) can be found elsewhere.
My mod points, please :)
--
You are in a maze of twisty little relative jumps, all alike.
login: dbolger
pw: StalkingNataliePortman
Uh.. yeah.. there *have* been some problems at OSDN lately, but don't worry we're working on the problem. Everybody just needs to email their slashdot username/password to me and I'll check to make sure it hasn't been 'compromised'.. Have a nice day!
air and light and time and space
As ManDude said "Part of the problem is stupid admins. They want strong passwords changed every 3 days for internal joe average accounts. What else can they do but post it to their keyboard?" In 2 years I went from 0 to >10 pisswords. Most are written in my brainbook. [Bound, holds pens, no battery failures!] In case. My answer is to partition them into several parts: WHERE [eg: osU, TR]. WHAT [eg: unIversity, business]. DIGITS/SYMBOLS [314 (pi), 1414 (sroot2), 981 (mm/s^2)]. So the Thomas Register password might be "TrBusi2718". The Windos NT5 Server at the college forces change of >8 char pw every 6 wks, and remembers up to 24 for uniqueness. All I gotta do is remember the few new digits, and apply them as I visit the sites. Since June the field orders are different.
I'm with ZDnet. We're conducting a survey to discover the hidden meanings behind a person's password and what it reveals about that person. Please post your password as a reply to this thread. It's for science.
Thank you.
--
#nohup cat
1... 2... 3... 4... 5...
I specifically chose it because that's what I have on my luggage.
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password".
Yeah, those stupid people. Haha, they're so dumb.
*Quickly loads preferences page to change password*
unless you work in helpdesk...
The slashdot 2 minute between postings limit: /.'ers since Spring 2001.
Pissing off coffee drinking
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
I expected this request a _long_ time ago, AC's must be getting a little sluggish.
It was 127.0.0.1, hack to your heart's content.
"The words of the prophets are written on the Slashdot walls."
I'll give you that, but in a business? In a business whose business is e-com? Or a business who's hosting other company's sites and databases?
I don't think so.
Sure my passwords for my home box aren't the greatest, but my firewall/router's sure is.
Or I was I should say. One of my previous employers had fourteen NT/Win2K and 4 Solaris boxes all with the combos of administrator/password and root/password. Nice eh? Their web server, ftp servers, domain controllers, everything. I tried twice to get them changed. I even started to put better passwords on new machines, but the CTO kept changing them.
"I don't want to have to remember 18 different passwords." You don't Genius, give the same password if you must, but make them tough.
To this day, if I want to call an old co-worker, but can't remember their number, I look it up on their intranet.
C) Store them in a 128-bit DES encrypted database on their Palm pilot.
---
With any luck he's a Microsoft programmer right about now.
Which would explain a lot of stuff.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
As seen on Computer Stupidities:
Student: "Hey, how do I lodge in to Hotmail?"
Me: "You've got to type in your username and password in those fields that say 'username' and 'password'."
Student: "I don't have one of those."
Me: "You need one to log in to Hotmail."
Student: "It's 'LODGE' in."
Me: "The term is 'log in,' and you can't log in without a username and password. I can help you create one if you'd like."
Student: "Um, excuse me, but I THINK I know what I'm talking about. It's LODGE in, and I don't want a username and password, I just want to get some email!"
I just went back to working after that, and he left complaining about how "crappy" the computers in the lab were, after trying to "lodge in" for ten more minutes.
Of course, there are hundreds of stories out there just like that one.
If you need significant security, it's a stupid password because it's guessable. If you don't need significant security, it's a stupid password because it's (relatively) long. You might as well go with "1234". It's equally guessable, but more than twice as easy to type (if you factor in both length and the ease of typing something sequential).
Obviously, most people won't put up with the hassle, but I've taken to using the GNU Keyring for PalmOS. It stores everything with 3DES and will generate random passwords for you. All I really have to remember is the one password to unlock it. You might think that (in my case) a twelve-character strong random mixed-case alphanumeric password would be hard to remember, but I enter it so many times a day it's easier if I don't think about it.
Before that, I would use something like this:
...and keep the result in my wallet. I figured that, if my wallet got lost or stolen, I was screwed anyway, and losing the passwords would be the least of my worries.
b&
All but God can prove this sentence true.
Every damn website wants a different password. For maximum security every password should be completely random and different.
Back in the real world....
I say, you have to know the level of importance of what the password is for. There's obviously a difference in importance to the root password for the database server you admin at work and the password for your slashdot account. There's nothing wrong with using more easily remembered passwords for the low level stuff (various web sites and such) and only the highest level for the important stuff.
One thing that I do for the "huge sea of moderately unimportant passwords that I don't need to use often" is put them in a text file and encrypt it using pgp. On the rare occasions when I need the password I can unencrypt it and copy/paste.
Results:
40% had passwords falling into categories "Cryptic, Family, Friends, Sex, Geeky, Miscellaneous."
60% told us to fuck off. (correct answer)
sulli
RTFJ.
Well, the jury is still out on whether fingerprints are unique. But, just like MD5 sums, although there may be collisions, the difficulty of finding or constructing a collision is prohibitive to cracking the system. That is:
Given f(m1), it is very difficult to find an m2 such that f(m1)=f(m2) in a reasonable amount of time, where f(x) can be taking the fingerprint or the hash of x. (Ironically, maybe that's why hashing is sometimes called "fingerprinting"...)
Do the karma whore dance!
Abbott: I'm having a problem logging onto your network.
Costello: Well then what's your password?
Abbott: Yes!
Costello: I mean the text of the password!
Abbott: What!
Costello: Your password!
Abbott: What!
Costello: The thing you type to gain access to our network!
Abbott: What!
Costello: The text of your password!
Abbott: What is my password!
Costello: Now whaddya askin' me for?
Abbott: I'm telling you What is my password.
Costello: Well, I'm asking YOU what's your password!
Abbott: That's text of the password.
Costello: That's what's text?
Abbott: Yes.
Costello: Well go ahead and tell me.
Abbott: What.
Costello: Your password.
Abbott: What!
Costello: The text of your password.
Abbott: What is my password!
...
"And like that
I use a little PalmOS utility to store passwords. Its name is Strip. It stores all your passwords encrypted with the DES or IDEA encryption algorithms. It's GPLed and very useful.
But don't use the password generator tool. It has a big security flaw.
---
MOD THE CHILD UP!
D00d, I tr13d the 5, god, sex, secret, password and love, and I hacked a gibson!!
How Jaded Are You?
I'm sure we're all good cryptics here
Do we really know that /. passwords are more secure than average. Everybody e-mail me your /. password. I'll summarize the results.
Bruce Perens: Don't bother; I have yours already.
Sometimes no password is better than a easy password. :) of course this was on test setups where it really didn't matter. :-)
Many times i have seen people try to guess a password when there were none.
--------
Great...it'll be another couple of weeks 'til I can come up with something even more creative.
Because I often get on my local library's system to check my account or place holds on books, I use my library card number for my password. 9 digits long.
But wait, you say, isn't that insecure? I could lose your card, or an evil librarian could get into all my accounts. AND it's a number so it could possibly be brute-forced.
Not exactly. First of all, I substitute letters for some of the numbers. Another fun thing to do is to hold down shift while typing some of the numbers (maybe the first three). I'm pretty secure by that point.
Also, I don't use my current card. I use the one I got at age 8 or something and lost about ten years ago...but not before the number was burned onto my consciousness. ;)
People are always horrified when they say, "type in your password" and I sit down and type a nine-character password. Or when, due to some system stupidity, it echoes my password to me and someone's looking over my shoulder, they see a big fatty wad of gibberish that's almost impossible to read at a glance, and even harder to remember (you could remember "five-six-seven-nine", maybe, but how about "percent-china_hat-ampersand-left-paren"?). :)
The only thing that sucks is having to quote a password to someone. And sometimes poorly written (i.e. non-Unix) programs won't take non-alphanumeric characters. But other than that, it takes the best of both worlds; an easy-to-remember number and an extremely difficult password. Understandably, this approach might not please the ultra-paranoid, or people who change their passwords often (I alternate between different card numbers), but it's pretty decent when you want a secure password to memorize.
-Andy Schmitt
There's no sig like this sig anywhere near this sig, so this must be the sig.
for passwords, but then I found out I just can't spell...
+++ UGUCAUCGUAUUUCU
Not really, when I have a new cryptic password I write it down and stick it in my pocket for a few days, just in case. Change the password when I get in in the morning, and by the end of the day I've got it memorized. Once memorized, the paper with my password is subjected to digestive juices to destroy it completely. :)
I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
Why does everyone think it's hard to remember more than one random alpha numeric sequence?
Off the top of my head: 7 cryptic passwords
4 internet IP addresses
10 phone numbers
If you've ever played the "guess that vanity licence plate" game, this is an automatic way to come up with good passwords. You take a phrase or expression you know you can remember and obfuscate it as you might if you wanted that same phrase on a vanity licence plate but need to squash out characters so it will fit. For example, you might take the phrase "rose garden" - you could write it out as "rOzgRdN" ( where password is case sensitive of course ) so that when you read it you pronounce the upper case letters as the name of the letter and the lower case as the sound the letter makes. Of course 1337-ifying your passwords has a similar effect.
Of course the nice thing about this is you can keep all your goofy old passwords - family names, celebrities and ego-boosting cliches, just make them difficult for a password cracker to grab out of lists of plain-text.
Another trick that I've always liked is to use chess notation. Think of any move in a game of chess, one that you can remember easily, and write it out using one of the conventional chess notations. For example the move "white queen captures king's rook 3" would be "wQxKr3".
There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie -Noel Godin
For the insecure category, I use a common dictionary word. For the midrange category, I use a derivative of a non-standard transliteration of a Middle Irish word.
For the most secure, I will use a phrase from some other dead language, spaces omitted, important words capitalized, punctuation included along sometimes with numbers. (Example I don't use: Cogito,ErgoSum).
But what if you share root administration with one assistant? How about the following scheme: Each person comes up with a four character alphanumeric password and then the two passwords are put together. For instance if I come up with Lvx8 and the assistant comes up with Ek93, we get Lvx8Ek93--easy to remember because it is Lvx8 + Ek93, but hard to break. Since the 4 digit ones are often abbreviated, this furthermore makes them easy to remember but hard to break.
Thought I would share some tactics I have found useful.
Also when I have too many passwords to keep in my head, I will leave myself a sheet of mnemonic devices for each password which is specifically designed so that others will be misled... (Another unused example: Password is Thelema-- Mnemonic phrase is Will/Love. I will let the Thelemites figure this one out...).
Golley, gee-- I must really be in the cryptic category....
LedgerSMB: Open source Accounting/ERP
... a majority of Mac users use love,sex and god for passwords. HACK THE PLANET!
Str8Dog
using System.Darkside; public
Everybody keeps suggesting that writing down passwords is 'stupid' and something an 'idiot' would do. This is not always the case.
Here, in my home office, I have every single password I need (about 20 of them) written down in pencil on a single sheet of notebook paper. It's tucked in a relatively obscure location in my files.
Is this a security threat? Not really. Somebody would have to bust into my house and riffle through my paper files in order to find them. Unlikely, at best.
What would be considerably more insecure than writing them down is to keep them in a text file on my machine. Somebody hacks my machine across the internet and I'm toast.
So next time you folks start throwing out terms like 'stupid' and 'idiot', think it through a little bit, OK? Saves you from the embarrassment of being the stupid one.
For extra security use black ink and turn the lights down a bit.
I think someone discovered the password to my other account, 'Anonymous Coward'. People keep using it to post annoying messages under every article.
Talk about "social engineering"... ;)
________________________________________________
suwain_2
A) use the same password everywhere. Which is pretty stupid or
B) Write their passwords down in a list somewhere, which is also stupid.
so "p9R14Tl7" (which is old) would or wouldn't qualify me for geekdom?
-----
so i says to mable, i says
A better system would be that same chip, only instead of storing fixed passwords, it conducts a conversation with the server, proving it's identity in a way that a snooper cannot replicate. E.g., the server sends out a random number. Your smartcard checks your thumb is there and has a pulse, then encrypts the random number with a 4096 bit private key and sends it back. The server uses the corresponding public key to decrypt and check. Line snooping does no good, because the challenge (random #) and response (encrypted #) are different every time, and that private key never leaves the chip.
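The exchange described above, as an added example that is not part of the post: the card holds an RSA private key, the server holds only the public key, and what the post calls "encrypting the random number with the private key" is a digital signature (RSA-PSS over SHA-256 here). The server remembers which nonces it issued and consumes each one on first use, so a captured (nonce, response) pair is rejected on replay, and a response from a different key fails verification. The thumb/pulse check on the card is outside what software can show and is left out; the 2048-bit key size is this example's choice for speed (the post says 4096).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card holds the private key; in the post's design it never leaves the chip.
type Card struct{ priv *rsa.PrivateKey }

// Server knows only the public key plus the set of challenges it has issued
// and not yet seen answered, so each nonce can be accepted at most once.
type Server struct {
	pub     *rsa.PublicKey
	pending map[string]bool
}

// enroll generates a key pair and hands the public half to the server.
func enroll(bits int) (*Card, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return &Card{priv: priv}, &Server{pub: &priv.PublicKey, pending: map[string]bool{}}, nil
}

// Challenge issues a fresh 32-byte random nonce and records it as pending.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = true
	return nonce, nil
}

// Respond signs the challenge with the card's private key.
func (c *Card) Respond(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, h[:], nil)
}

// Verify accepts a response only for a nonce it issued and has not consumed,
// then checks the signature with the public key. A replay fails at the first
// check; a response from another key fails at the second.
func (s *Server) Verify(nonce, sig []byte) error {
	if !s.pending[string(nonce)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, string(nonce))
	h := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(s.pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	card, server, err := enroll(2048)
	if err != nil {
		panic(err)
	}
	nonce, _ := server.Challenge()
	sig, _ := card.Respond(nonce)
	fmt.Println("first use:", server.Verify(nonce, sig))  // <nil>
	fmt.Println("replayed: ", server.Verify(nonce, sig))  // rejected
}
```

Two details carry the security argument: the nonce must be unpredictable and single-use (otherwise a recorded response is good again later), and the server stores nothing that lets it impersonate the card, which is what distinguishes this from a stored-password scheme.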
I use the Dvorak layout on my keyboard, and that is a pretty good password protection scheme in and of itself! I'll use easy to remember words, like linuxrules, and convert them to the qwerty layout. So, linuxrules would be pglfbofpd; Plus, it freaks people out to start typing at the machine, so that is a pretty good protection mechanism!
My mom uses her WWII id number. She says she learned it when she was five and will never forget it. I think it's an 8 or 9 digit number, so it would take a little time to crack.
"What are we going to do tonight, Bill?"
www.lucernesys.com
Horizon: Calendar-based personal finance
While I'm here on the redundancy bandwagon I shall further take your time to post, in pursuit of equally belaboured drivel, that the Gameboy Advance has a screen that can only be seen by certain breeds of Canadian Arctic Spotted Owl because battery life is more important than being able to perceive what is going on in a computer game and, further, conclude with an agonizing rebuttal, reading that The Gameboy Advance may only be 15MHz, but it uses a highly optimised(tm) RISC CPU (Q: as opposed to a highly de-optimised RISC CPU?) which is as fast as an SNES. I would go on about Linux vs. BSD and Macs: are they still viable? but this would eventually necessitate that I summarily smash my head directly through my monitor in a desperate last-ditch effort to end the horror slowly enveloping me.
- idspispopd
- iddqd
- idchopper
- idclip
- idkfa
etc.
oh! for a muse of fire that would ascend the brightest heaven of invention
The most popular password was, according to studies, 'mozart'.
Of course, anyone who has 'swordfish' as their password deserves to have their account cracked.
"And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password""
...and M$ Passport....
What were you expecting?