The Psychology of Passwords
afabbro writes "According to this study, people's password choices put them into four groups: "Family", "Fan", "Self-Obsessed", or "Cryptic". I'm sure we're all good Cryptics here... now if only my users would stop being "Family"." And then there's the category "Stupid" for the zillions who use "Trustno1", "Swordfish", and "Password".
I develop schemes now and again. I start with something easily recognizable, like 'So Long And Thanks For All The Fish'. Then I turn it into a 'random' password by a bunch of operations. For an example, I might take the second letter of each word (yielding oonholhi), then make characters 1 and 5 upper case, turn 2 and 6 into numbers (alphabetic value mod 10), then turn 3 and 7 into non-alphanumerics based on the keyboard layout. The pass would then be O5$hO2*i.
That is sufficiently random for 90 day use or so. It would be weakened if somebody somehow guessed my scheme, but I pick a new arbitrary scheme every 90 days when I change all my passwords. Then I just have to remember one scheme and a bunch of key phrases for all of them.
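The derivation scheme described in the comment above, implemented step by step as an added example (not the commenter's own code) so each transformation can be checked; the one assumed detail is that "non-alphanumerics based on the keyboard layout" means the shifted digit key on a US keyboard, which reproduces the commenter's result.

```python
"""Added example: the 'second letter of each word' password scheme from the comment.
Assumption (not stated in the comment): the symbol for positions 3 and 7 is the
shifted digit key on a US keyboard for the digit (alphabetic value mod 10)."""

# Shifted digit keys on a US keyboard, indexed by digit 0..9 (assumed mapping).
SHIFTED_DIGITS = ")!@#$%^&*("


def alpha_value(ch: str) -> int:
    """Alphabetic position of a letter: a/A = 1 ... z/Z = 26."""
    return ord(ch.lower()) - ord("a") + 1


def second_letters(phrase: str) -> str:
    """Second letter of each word; words shorter than two letters are skipped."""
    return "".join(w[1] for w in phrase.split() if len(w) > 1).lower()


def derive(phrase: str) -> str:
    """Apply the positional rules from the comment (positions are 1-based):
    1 and 5 -> upper case; 2 and 6 -> digit (alphabetic value mod 10);
    3 and 7 -> shifted-digit symbol for that digit; all other positions unchanged."""
    base = second_letters(phrase)
    out = []
    for pos, ch in enumerate(base, start=1):
        if pos in (1, 5):
            out.append(ch.upper())
        elif pos in (2, 6):
            out.append(str(alpha_value(ch) % 10))
        elif pos in (3, 7):
            out.append(SHIFTED_DIGITS[alpha_value(ch) % 10])
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    phrase = "So Long And Thanks For All The Fish"
    print(second_letters(phrase))  # oonholhi
    print(derive(phrase))          # O5$hO2*i
```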
On some enterprise systems, the administrator has the option to have passwords checked against a dictionary for common words, palindromes or other easily guessed passwords. If you are interested in such "smart" password software, check out npasswd at: http://www.utexas.edu/cc/unix/software/npasswd/
- -----------
a funny comment: 1 karma
an insightful comment: 1 karma
a good old-fashioned flame: priceless
this sig limit is too small to put anything good h
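A small "smart" password check of the kind the post above describes, written here as an added example (it is not npasswd's code and not from the original post): it runs a candidate password against a constructed word list and rejects dictionary words, their reversals, palindromes, passwords equal to the login name, and the well-known vowel-to-digit substitutions that other commenters in this thread mention.

```python
"""Added example: a dictionary/palindrome password check in the spirit of the
'smart' password software the post refers to. The word list is constructed for
the example; a real checker would load a system dictionary."""
import re

# Letter-for-digit/symbol substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case and undo common substitutions, e.g. 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET)


# Constructed word list (includes the examples named in this thread), stored
# in normalised form so substituted spellings still match.
DICTIONARY = {normalise(w) for w in
              ["password", "swordfish", "trustno1", "buster", "johnson", "fish"]}


def check_password(pw: str, login: str = "") -> list[str]:
    """Return the reasons the password is rejected; an empty list means accepted."""
    reasons = []
    low = pw.lower()
    core = re.sub(r"\d{1,2}$", "", low)  # drop up to two trailing digits ('buster1')
    # Every spelling of the password we compare against the rules.
    candidates = {low, normalise(low), core, normalise(core)}
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if login and low == login.lower():
        reasons.append("same as login name")
    if any(len(c) > 1 and c == c[::-1] for c in candidates):
        reasons.append("palindrome")
    if any(c in DICTIONARY or c[::-1] in DICTIONARY for c in candidates):
        reasons.append("dictionary word")
    return reasons


if __name__ == "__main__":
    for pw, login in [("janet", "Janet"), ("Swordfish", ""), ("P@ssw0rd", ""),
                      ("racecar1", ""), ("hsifdrows", ""), ("O5$hO2*i", "")]:
        print(f"{pw!r}: {check_password(pw, login) or 'accepted'}")
```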
That is not nearly random enough. You need an algorithmic process that'll give you something really random.
Here's what I do. First, you take a phrase, famous or obscure. For this example, I'll use a little Shakespeare - "He hath a daily beauty in his life that maketh mine ugly."
Then, you take the second letter of each word, ignoring any single-letter words, thus producing "eaaeniihaig" in this case.
Then, you convert each letter to its decimal ASCII equivalent, giving us:
101 97 97 101 110 105 105 104 97 105 103
Then squash that all into a single number in that order, producing:
101979710111010510510497105103
Then, you take the 5th root of that number, and drop any decimal places:
101979710111010510510497105103^(1/5) = 633436.01848182821643020050352705 --> 633436
Then, you take THAT number, and break it into pairs thusly:
63 34 36
Finally, you take the first pair and convert it back to its ASCII decimal equivalent, and that's your password. In this case ASCII 63 is "?", so your password is "?" (without the quotes, naturally).
And that, my friend, is pretty damn random.
ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
I once read an interview with Clifford Stoll, who was speaking about another interview he did on camera in his apartment. Apparently, the camera crew set him up seated in front of his computer. By the time the interview was aired, he realized his monitor - and the Post-It (tm) note with his root password on it - was clearly visible in the shot.
No, the obvious retort is, "But anyone who can get inside the room can read it." At my place of bidnez, our administrative passwords all get written down, then placed in a fireproof safe, which is in our locked operations center. If you're confident that nobody is interested enough to read your passwords, that's fine. Just don't give any TV interviews. *cough*
Like giving your password to someone doing a study on passwords?
--- Mercutio was right.
"The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password."
Brrrnnnggg!!!
Brrrnnnggg!!!
"Good morning and thank you for calling the sales department at ACME Widget Corporation. My name is Janet. How can I help you today?"
"Good morning, ma'am. This is the tech support department. We're currently installing quizzards for the loopstep stabilizers on your PC and we need your password."
"Oh, OK. My password is J-A-N-E-T."
(tapping sounds)
"Ummm... No, ma'am. That's your login name. We need your password. The thing that you type in after your login name."
"You mean that box underneath my name?"
"Yes, ma'am. The box that says "Password" next to it..."
"Oh it's B-U-S-T-E-R. That's my puppy's name."
(tapping sounds)
"No ma'am, that isn't it either."
"Yes it is. When the 'Password' box comes up I type that in or else I can't get my e-mail."
"That's the password to your e-mail account, Janet. When you FIRST turn the computer on, a box comes up that has a text entry field... err... I mean a little white rectangular box that you can type in, underneath your login name. What do you type in that box?"
"Nothing."
(silence)
"What do you mean 'nothing'?"
"I kept forgetting my password so one of the boys from the IT department set it to Auto Save so I wouldn't have to type it in."
(silence)
"Janet, can you please transfer me to the accounting department?"
"Don't you want to place an orde..."
"SILENCE, DUNCE! TRANSFER ME NOW!!!"
"Study your math, kids. Key to the universe." -The Archangel Gabriel
So many people neglect the meatspace security.
------------------------
Co-founder of GerbilMechs
if you ask me.
;), well, just to be a nuisance I told another friend of mine to try a password to see if we could log in when he was away.
It's amazing to me that people in such an intellectually demanding field as programming computers have for YEARS relied upon what could possibly be the most inefficient form of personal security available: a secret word. I mean really.
Complaints aside of "stupid users!" and "idiots deserved to have their account cracked with a foolish password like that!", what do you expect? It's the same thing as the whole "Well duh, to use Linux well you need to LEARN it, it's not my fault if you're too STUPID to learn something NEW!" argument; it just doesn't hold water when applied to the general populace.
You or I may be capable of mastering every arcane command our operating system affords us, memorizing every minor inconsistency between BSD flavor or Linux distribution, programming in fixes when we need them, etc, but JOE USER NEVER, EVER WILL. It's the same with passwords. You or I may realize the importance of a unique alpha-numeric password for each of our important sites, and have a nice table of "xreF249sfj2r43's" and "248sT358ugtds's" memorized in our head, but JOE USER NEVER EVER WILL.
So when confronted with that box that says "Choose a password, and CHOOSE ONE YOU WILL REMEMBER, PASSWORD RETRIEVAL IS VERY DIFFICULT, please enter in your password hint in case you forget it", Joe User is not only inclined, but DIRECTED to select an easily-rememberable password.
Someone please tell me how the fsck you have a "hint" to remind you the password you selected is "24885sfjsfsjf82's"?
So Joe User sees that box, thinks "oh cool" and types in for the hint "Mom's maiden name" and his password ends up being "johnson", and that's that. It works for him, he remembers it, and even if he does forget it, it's right there for him to retrieve via his hint. Joe User doesn't realize that someone with half a brain will probably guess his mother's maiden name as his password within the first ten attempts to break into his account/machine/whatever.
Also notice Microsoft and countless third parties developing programs to auto-remember and auto-insert passwords on sites you've visited before. One wonders why they don't just tie access to a unique browser hash if it's going to be that straightforward.
An example of the type of thing I'm referring to: One time I had a few friends over spending the night with me, and when we got up the next morning we all had logged onto our messengers of choice to talk to friends and see what the plans were for that day. One friend had logged off of his AOL IM account to go to the bathroom (for he knew that if he left it up, we all would've lunged at his machine to enter the standard requisite "Sup, slut?" messages to his girlfriend and mother and etc etc
To my astonishment, it worked. My FIRST GUESS. It just goes to show that most "regular people" pick a password that is so easily rememberable (a word? is now.) by them and so related to who they are that those who know them well can probably pick it out just as easily. Another one of my friend's passwords, discovered via the same method, is simply his girlfriend's name with an "i" replaced with a "1".
(btw, the password for the aforementioned friend was "bigblack", he'd been a fan of that character on the Howard Stern show)
So please, someone more intelligent than I, come along and invent a better personal identification system that doesn't rely on the good practices or intelligence of the end user.
-Chris
Amen to that. I remember a time when I was phoned up by a former employer, nine months after I had left their employ, asking what the root password for a particular machine was (because the person I had handed over to had also left and was unreachable).
You need a systematic way of generating passwords, where the key knowledge is the system, not the individual password. Then, if you forget a past password, you can work progressively back through the system until you recover it.
As an example, you might choose a particular book, ideally in a foreign language, and use the longest word in the fifth line of each successive right hand page as successive passwords (that isn't my system, but it's analogous to my system). If you forget your current password, just look in the book. If you forget an earlier password, work progressively backwards through the book.
You can, if you want, substitute some letters with some numbers in a systematic fashion known to yourself, but IMHO that trick is now so well known as to add little extra value. I know some good geeks who always systematically replace all vowels with numbers... so if you were trying to crack their passwords, you would do the same.
And yes, I was able to tell my former employer their password, there and then on the phone, although I had changed all my passwords several times since then. Systems are good provided only you know the logic of the system.
I'm old enough to remember when discussions on Slashdot were well informed.
For all my passwords (and I have a lot of them), the only acceptable way is to pick them randomly.
And I don't mean pseudo-random, like a computer generated password, or "sounds random", from just making up letters and digits out of my head.
I have a cup full of small squares, each one with a letter or digit on them. Pull one out, put it back in, shake, and repeat 7 or 8 times.
A dingo ate my sig...
Bottom of their keyboards?
My users stick them on their monitors!
But when I ask people to back off when entering my password/PIN, they stare at me as if I'm a madman! Then they grumble something about 'paranoia' as they finally back away.
It would appear that their own lax security affects how they think everyone else should act. I don't much mind their own obliviousness, which is what this article is about, so much as the creation of social norms around it.
~~~~~~
under-paid karma whore
...comes from a marx brothers movie. it's the password to get into the speakeasy. how it became a completely unrelated travolta title, I'll never know...
The Internet domain name registry CentralNic who commissioned the study, claims that the most common type of password attack comes in the form of "social engineering", when a cracker poses as technical support, and contacts someone in a different department within a big corporation claiming that there is a network problem, and asks for the user's password.
Another option is to pretend to be doing a study of such things, and ask thousands of companies for their user's passwords.
Any sufficiently well-organized community is indistinguishable from Government.
...the idiots that write their passwords on post-its and stick them to the bottom of their keyboards?
BlackNova Traders
More information (like the words) can be found elsewhere.
My mod points, please :)
--
You are in a maze of twisty little relative jumps, all alike.
Uh.. yeah.. there *have* been some problems at OSDN lately, but don't worry we're working on the problem. Everybody just needs to email their slashdot username/password to me and I'll check to make sure it hasn't been 'compromised'.. Have a nice day!
air and light and time and space
1... 2... 3... 4... 5...
I specifically chose it because that's what I have on my luggage.
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
Or I was I should say. One of my previous employers had fourteen NT/Win2K and 4 Solaris boxes all with the combos of administrator/password and root/password. Nice eh? Their web server, ftp servers, domain controllers, everything. I tried twice to get them changed. I even started to put better passwords on new machines, but the CTO kept changing them.
"I don't want to have to remember 18 different passwords." You don't, Genius, give the same password if you must, but make them tough.
To this day, if I want to call an old co-worker, but can't remember their number, I look it up on their intranet.
"The words of the prophets are written on the Slashdot walls."
As seen on Computer Stupidities:
Student: "Hey, how do I lodge in to Hotmail?"
Me: "You've got to type in your username and password in those fields that say 'username' and 'password'."
Student: "I don't have one of those."
Me: "You need one to log in to Hotmail."
Student: "It's 'LODGE' in."
Me: "The term is 'log in,' and you can't log in without a username and password. I can help you create one if you'd like."
Student: "Um, excuse me, but I THINK I know what I'm talking about. It's LODGE in, and I don't want a username and password, I just want to get some email!"
I just went back to working after that, and he left complaining about how "crappy" the computers in the lab were, after trying to "lodge in" for ten more minutes.
Of course, there are hundreds of stories out there just like that one.
Check out the Vinny the Vampire comic strip
"It is a greater offense to steal men's labor, than their clothes"
Do the karma whore dance!
I'm sure we're all good cryptics here
Do we really know that /. passwords are more secure than average? Everybody e-mail me your /. password. I'll summarize the results.
Bruce Perens: Don't bother; I have yours already.
Everybody keeps suggesting that writing down passwords is 'stupid' and something an 'idiot' would do. This is not always the case.
Here, in my home office, I have every single password I need (about 20 of them) written down in pencil on a single sheet of notebook paper. It's tucked in a relatively obscure location in my files.
Is this a security threat? Not really. Somebody would have to bust into my house and rifle through my paper files in order to find them. Unlikely, at best.
What would be considerably more insecure than writing them down is to keep them in a text file on my machine. Somebody hacks my machine across the internet and I'm toast.
So next time you folks start throwing out terms like 'stupid' and 'idiot', think it through a little bit, OK? Saves you from the embarrassment of being the stupid one.
I think someone discovered the password to my other account, 'Anonymous Coward'. People keep using it to post annoying messages under every article.