Crappy Passwords Very Common
KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."
I've had good luck guessing passwords using the method of adding a number to the user's name: e.g. someGuy's password is probably someguy[0-9]+[0-9]*
What this is saying is that if you know something of the person you can work out what they will say. This is always going to be the case until it is something actually unique for the person (fingerprint, iris etc). While we all _know_ that we should have passwords like "sdf987*(&^JJHASBDjkasdjkh231*()&as" and every account should have a different one it tends to be simpler to use something you can remember easily.
So this isn't a surprise, and it's what the Biometrics people have been saying for years.
An Eye for an Eye will make the whole world blind - Gandhi
... water found to be wet[1], sky found to be blue, Earth found to be round[2] and CNN found to be obvious.
[1] at certain temperatures
[2] well, almost
The best password ever is one my friend has. He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password. And after he told me this, he changed it. Because he changes his PGP keys every week.
If you are one of these people who has a stupid password, you deserve what you get.
I'm going to get the book of petnames now and write a brute force hack into paypal, wee! My money problems are solved. I don't do stuff like that, but someone should. Send all the money to me that is.
The GeekNights podcast is going strong. Listen!
Johnny Quest has two Daddies.
It's written in all the study books I have been reading about. Most people will use their first name, the name of their pet or their birthdate in the password field. Only recently, you start to see smart software that refuses to accept these types of entries. What would be neat is a global password database where all the passwords that have been entered are stored as MD5, and each new password entered is checked against the digest form to see if it matches, and if it does, is refused. The dictionary words and common words should all be part of this database as a starter.
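The digest blocklist this post proposes, as an added example (not code from the post): it keeps only MD5 digests of a constructed list of common passwords and refuses a candidate whose digest is in the set. It goes slightly beyond the post by also reducing trivial variants (case, leading/trailing digits and symbols, leet substitutions), since an exact-digest lookup would reject "password" yet accept "Password1".

```python
import hashlib
import re

# Constructed sample blocklist standing in for the shared database of
# previously entered passwords plus dictionary words that the post proposes.
COMMON_PASSWORDS = ["password", "fluffy", "god", "secret", "love",
                    "sex", "fred", "princess"]

# Reverse map for the usual digit/symbol-for-letter substitutions.
LEET_TO_PLAIN = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def digest(password: str) -> str:
    """MD5 hex digest, the format the post specifies for the shared database."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_blocklist(words):
    """Store digests only, so the list itself never holds plaintext passwords."""
    return {digest(w) for w in words}


def variants(candidate: str):
    """Yield the candidate followed by its trivial reductions.

    Extension beyond the post: lower-case it, strip digits/symbols from
    either end, and undo leet substitutions, so 'Password1' and
    'p4ssw0rd' reduce to 'password' and hit the same digest.
    """
    seen = set()
    for base in (candidate, candidate.lower()):
        forms = [
            base,
            re.sub(r"[\d\W_]+$", "", base),               # trailing digits/symbols
            re.sub(r"^[\d\W_]+", "", base),               # leading digits/symbols
            re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base),     # both ends
        ]
        for form in forms:
            for v in (form, form.translate(LEET_TO_PLAIN)):
                if v and v not in seen:
                    seen.add(v)
                    yield v


def is_blocked(candidate: str, blocklist) -> bool:
    """True if the candidate, or a trivial variant of it, is in the blocklist."""
    return any(digest(v) in blocklist for v in variants(candidate))


def check_password(candidate: str, blocklist):
    """Return (accepted, reason) for a proposed new password."""
    if is_blocked(candidate, blocklist):
        return False, "matches a blocklisted password or a trivial variant"
    return True, "ok"


if __name__ == "__main__":
    bl = build_blocklist(COMMON_PASSWORDS)
    for pw in ["password", "Password1", "p4ssw0rd", "Fluffy!", "zaph42odd"]:
        print(pw, check_password(pw, bl))
```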
PPA, the girl next door.
-- I feel better now. Thanks for asking.
damn, now i gotta go change the combination on my luggage!
A cracker friend of mine noted this way back in 1983. Another interesting tidbit: back then, at least, a fairly high percentage of admins used "god" for the root password.
The cake is a pie
... is usually a fucking nightmare. Good luck trying to guess anything by it.
[ note to self -- 3mptyC0k3C4n is not a good enough password anymore ]
The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when Windows somewhere decides to try my old password 5 times in succession.
This is news?? Hello!! Any sysadmin already knows this...
Free cell phone tracking
What do you mean? ... like on a lot of systems like oh I don't know the one I take care of at www.lockhavenonline.com
I use pats for my username for everything and I just use pats75 for my password.. you know username with an extra character and then year of birth
My password is and always has been newline, newline, newline.
Gets me logged in quick, and noone seems to be able to guess those last two characters.
Anything you can do, I can do meta.
I went to my bank the other day to assign a PIN to my ATM card. For this you need to sit down with a bank person at their desk. Just to be a pain in the ass, I asked her how many numbers I could enter (it's 7). She said 4. I entered 7 and it took.
Then she went "How do you remember 7 numbers?" and I said "The same way I'd remember 4 numbers. It's not like remembering yet another set of numbers is going to be hard--I've memorized the passwords of at least 20 other services".
To which the lady at the bank said "See, the best way is to just use the same password for EVERYTHING. This way you only need to remember one!"
you know what my problem is??? i have dozens and dozens of passwords to remember...i have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc...it's just too many passwords to remember...
because of that, i've fallen into a bad rut for my passwords, i only have like three that i use on a regular basis, and i just reuse them whenever i register for a new account...don't get me wrong, i know that's a terrible thing to do...but i just can't bother myself to remember more and more passwords...god forbid someone found one out...
does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?
"Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
I realised this the moment the team leader of our software development project -- a woman who is about to graduate with a *degree* in *computer science* revealed that her password for nearly everything was her name, spelt backwards. *D'oh!*
Hey, the Brunching Shuttlecocks just published an article relevant to this one: The Twelve Least Surprising AP Headlines.
I don't care if most users passwords are easy to guess. They only got User access anyway.
Being an Admin or root however, you have a responsibility of having good passwords...
Most people's info or access rights are not important anyway, so why not let them use easy passwords. You get less calls to the Helpdesks that way...
From Jakob Nielsen's UseIt column on usability and the Internet, comes this column on Security and Human Factors. His summary:
Sysadmins are fond of forcing users to use complex passwords. What happens then is that the user writes the password on a yellow adhesive note and sticks it on the monitor. Better to let the user use the first password that comes to mind, with possible gentle restrictions like no dictionary words, so that the user can hold the password in his or her head without writing it down -- or putting it in a "Passwords" file on the hard drive. How many thieves really look up biographical information on computer users and find out all the names of their family members?
Fight for your right to read books!
Compaq Tru64 UNIX V5.1 (Rev. 732) (idol.union.edu) (pts/7)
login: root
Password: CmdrTaco
--an unbreakable toy is useful for breaking other toys--
Why not use PGP to generate your next passwd? I find if i take a random 'coredump' (say BINARY for Windoze users) and encrypt it, I can randomly pick out a section of characters and have a typable password. This is particularly handy if you travel a lot and must deal with unusual keybds. PGP always generates typable text.
It may be very boring for psychologists, but it is quite safe as most modern Unices use very strong encryption. If it is known this method is used, the limited keyspace could allow 'bruteforce' attacks. Windoze users, never mind -- your systems are so insecure you don't need passwords!
oh man, I can see every 2nd slashdot reader change his password due to this article :-)
Life sucks.
The best way to think of a password is to conjure up a phrase that's random, but easy to memorize. Then, just use the first letter of each word as your password.
:: Imagine There's No Windows(tm). It's Easy If You Try.
For example, if you're told to pick a password with at least six characters, you could randomly come up with: Dubya Doesn't Know A Goddamn Thing
Then, you'll have a good, random password (ddkagt) and you'll remember it, too.
If there are other restrictions (you need numbers, mix of upper/lower cases), just adjust your random phrase to coincide.
m o n o l i n u x
Back in '94 when I took over as network admin for the stockbrokerage I worked for, the only joy I found in the job was guessing passwords. I could usually do it on the first guess. A tip here is if it's not in the Rolodex under "password" then it's in the pictures on the desk. This is especially true if the only picture on the desk is the guy's sailboat.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).
~wally
PHREAK
Alright, what are the three most commonly used passwords? JOEY
Love, secret, and uh, sex. But not in that order, necessarily, right?
CEREAL
Yeah but don't forget God. System operators love to use God. It's that whole male ego thing.
Passwords often have to be at least 6 characters long which is just about the largest thing that people will be able to memorise. Often, draconian admins force people to change their passwords every few months, forcing users to commit yet another password to memory, so they end up using things that they already know well as passwords. At least the people weren't writing them down on post it notes (even if they were doing the next worst thing). Jakob Nielsen wrote a bit about this in Security and Human Factors.
I remember reading about how one of the most popular passwords in the 80s was fred because it was easy to remember and all four keys were close together.
...can't you just look over their shoulder? I mean really. If they aren't paranoid enough to pick a good password, then they won't care if you're standing right behind them.
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
..was conducted in the university I go to. In fact, Helen Petrie is my lecturer for the HCI module.
i see this research is as useful as the module that's taught...
I said no text
T Money
World Domination with a plastic spoon since 1984
...or they can be handed over to you voluntarily, if you say you're doing research on passwords. :-P
This is the typical crap about passwords that gets handed around. PGP encoding and changing passwords weekly. As if. Looking at the number of sites I have passwords to, it numbers something like 60. People want usable computers not sophisticated mnemonics.
Not that I always agree with him but this article is ideal:
http://www.asktog.com/columns/026Security.html
Time to accept that this is the reality of existence. You will never get people to memorize hundreds of passwords. I've seen businesses lose tons of money because they require cryptic passwords and the user moves on to the competitor.
BTW the password nightmare is currently handing M$ a big victory in Passport. God knows I would love to have a single password...
When I complete my PhD and become a lecturer, I'm going to try and cut the crap and focus on what's important.
Female Prison Rape in NY
In high school, a friend of mine had "hoyas" as his password for the school network. Another friend guessed this easily when we were talking outside the computer lab one day. He looked the guy up and down. Then he bolted into the lab and the idiot ran into the lab after him, both of them racing to change his password.
Of course, my retarded friend was wearing a Georgetown hat, and a georgetown Tshirt.
Duh.
And with regard to pets....whenever someone asked what they should set their password to, I would always tell them, "use the name of a DEAD pet." Much harder to guess than a living one. Especially if it's long dead.
My solution is not to use hotmail although there is no reason for me to use hotmail in the first place, but I have so many non-techie friends who love hotmail and will never switch.
I'm currently running a network for about 60 people.
I constantly bump into people whose passwords are "Password", "Password2", the name of the company, their own name, etc.
Part of me wants to force them to use complex passwords. And part of me knows that if I did, I'd spend my whole time resetting passwords for people.
When we got the new printer/copiers in, they had protection on them, so everyone got a 4 digit user id, and a 4 digit password, to retrieve their prints when they got to the printer. They were told that printing would be monitored and charged to their departments, and that they should keep their passwords secret.
I wandered around a week later, and over half of them had little yellow post-its on their monitors, with their id/passwords on them. Because, for some reason, people can't remember an 8 digit number unless it's a phone number.
My Journal
I AM, therefore I THINK!
So, why can't individual biometric devices also have a key, and only 'trusted' scanners are allowed to communicate?
Doesn't that solve your 'replay attack' scenario?
-Jerdenn
In Cliff Stoll's book "The Cuckoo's Egg" (it's about his experience as an astronomer/sysadmin chasing a cracker in the mid 80s), you get an entertaining window back into a very different era in computer security...and yet perhaps it wasn't all that different. At one point Stoll mentions changing the root password on a machine to something like "basilisk", because no one would ever think of trying the name of a mythological creature as a system password. =)
My own favorite piece of password advice came from the "Unix Handbook" that my university passed out to incoming students...a line in big, bold text:
Do not choose a password that is even remotely related to Star Trek or Monty Python.
* * *
It is a dada story -- it has no moral.
Enforce password conventions the way NASA does... Epasswd
If it isn't insulated and encrypted then this matters. The mass of the human race is still left with a cacophony of microsoft products. Anyone for a viewsonic/panasonic biometric 21'LCD. ;)
A good password is not necessarily one that is random characters. In my experience, an easy to remember one that is difficult to crack involves building one from common terms.
Let's take for example a Hitchhiker's Guide to the Galaxy theme.
Take a 2 syllable word, say "zaphod"
Take a number, of course "42"
Put the number between the syllables of the word: zaph42od. It is still pronounceable, and you know where it came from, but now it is a common word that has numbers not at the end, but inside it, so even cracking programs will have a significantly more difficult time randomly generating it.
The other technique I use is to also hit the last key twice: zaph42odd. It obfuscates it further but at the same time has a minimal cost to you for remembering it.
So, even if you're a lamer whose password is "password," changing it to pass43wordd makes it significantly harder to crack but just as easy to remember.
--------
It's OK to be social, just don't tell anyone about it.
I once named a pet (it was a fish, in fact) after one of my passwords. Shame it wasn't one of the more pronounceable ones.
Slashdot? Oh, I just read it for the articles.
To run the script, click here.
You know, this sounds a lot like the 20/20 hindsight problem: Things become obvious after you know about them. If you know my passwords, it would be very easy for you to figure out how I came up with them. However, there are thousands upon thousands of ways I could come up with my passwords, so the chance that somebody will come up with what one of them is at the right time on the right computer is rather low. For example, I might have a slinky sitting on my desk, but that doesn't mean somebody will immediately think of my password as being "metalSlinky" or "51inky" or "rollsdownstairs". They will be even more confused when they find out my password is actually created from the name of my dog. Since I might have a picture of my dog on my desk, they could then say "Oh, yeah, I knew that," but we both know they were really focusing on my slinky.
Of course, at the same time I would never underestimate the ability of people to come up with really, really bad passwords...
"The combination is: 1. 2. 3. 4. 5."
...
"Remind me to change the combination on my luggage."
Posted from the wireless couch.
According to the study, 50 percent of people use names of family members or pets as passwords.
The other 50% just have really weird pet names.
I agree. One guy assigned case-sensitive passwords like "gHi#5o0!$!@". I think I got Carpal Tunnel Syndrome logging in every morning.
And then there are the systems that require one to change their password every few weeks.
If it is a system that I don't use much, then either I must write it down *somewhere*, or I have to harass the admins when I forget.
Somewhere is a middle-ground between "fluffy" and "gHi#5o0!$!@".
Table-ized A.I.
Oh, that's right, they do, and we all know how that story ended. The simple fact is that when readers are ubiquitous, somebody is going to figure out how to steal critical data from one of them, and after that happens it's "game over" for the security scheme.
One of the tricks I use to create Easy-To-Remember-Yet-Complicated (ETRYC) passwords is this: have the user select an electronic device in his/her office, or a particular part of his/her car (like the alternator) and use the first 8 to 10 alphanumeric characters of the serial number of that object as the password.
:-)
That way, if the user forgets their password, the can easily remember "Hey! It's the serial number for my monitor!" or whatever they chose. Then they can find the serial number, and voila! They remember their password!
So far, it's proven very effective both in creating complex passwords, and reducing helpdesk calls of "I've lost my password!"
The users also generally like the idea, because it gives them a nice, secure password that they can easily remember. Most of my users also think it's a clever idea, which doesn't hurt my ego in the slightest.
Of course, like anything involving passwords, the security of this process is only maintained so long as the user never tells anyone "I use my monitor's serial number for a password."
It's not fool-proof, but it's proven very effective for me.
"The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'
get it?
If you go to a lot of trouble thinking up a very good password (nb: basilisk isn't good, as it's in the dictionary), it's probably not a good idea to print it in a book, especially if it's published in your own name...
At one company everybody there uses the type of car they drive. Example: Nadia drives a VW Jetta, so hers is "jetta". Hell, the boss who I avoid 'cos she's crazy drives a BMW, guess what? Her password is "BMW". Sometimes they get creative and use a pet's name, or a child's name, but it's always one of those three: car type, pet's name or child's name. Whenever someone does use their pet's name or kid's name, they have a picture of that person/animal right by their machine. All you gotta do is ask "What's your cat's name?" Boom, you're in.
Finally something about poor security in Windows that isn't Microsoft's fault.
Everybody denies I am a genius--but nobody ever called me one!
"Good" passwords impossible to remember.
sulli
RTFJ.
I choose two unrelated short words. Then, I add a random punctuation mark in between and apply random capitalization. Any easy way to break this?
A friend of mine was given a set of instructions for a password audit... This was a policy that was approved by the CEO...
Change all insecure passwords, inform the users what the new password is. Talk to them about the problem of weak passwords *No Exceptions*
Repeat till everyone has a secure password...
Well the CEO had an insecure password. He changed it as per the Audit instructions... He also went and had a talk with the CEO about the danger of insecure passwords.
The CEO changed his password back to the SAME insecure password...
A week later another audit was run again and the password was changed and another talk with the CEO was in order again...
The third audit came with the same result...
The CEO still had the same insecure password.
This time the talk was different...
CEO says... If I do not get to use my old password and you don't stop doing this you will find yourself on the street....
He found another job and quit...
I think my passwords are usually pretty difficult to figure out...
::Colz Grigor
I pick some lyrics to a song that I know:
"Penny Lane is in my ears and in my eyes."
(I usually pick more obscure songs, but this is an example...)
I then (sometimes) swap two words...
"Penny Ears is in my lane and in my eyes."
Then I convert it to a lower-case acronym...
"peiimlaime"
Convert every other character to 'leet (sometimes starting with the first, sometimes starting with the second)...
"p3i!m1a!m3"
This password is too repetitive... it's got two !s, two ms, and two 3s. I unconvert some of the 'leet to help out...
"p3iim1a!m3"
Now I convert some of the letters to upper-case...
"p3iIm1A!m3"
Looking at that password and not knowing how it was derived, you might think it's pretty random. But if you were a big Beatles fan, it'd be pretty easy for you to remember this one.
One big problem with lyrical passwords, though:
Don't hum the tune while you're typing in the password!!!
Pity we can't turn this into a discussion/contest of what passwords everyone here uses, unless we were to change them all immediately beforehand.
The coolest voice ever.
I once needed access to someone's PC to update some software. The guy had a day off and nobody knew his password.
first guess: his favorite drink > damn.
second guess: first name of girlfriend > bingo.
He has a big picture of her on his desk... with her name on it...
When he noticed some things had changed on his workstation he laughed at me, he had no idea it was so easy and thought I had been trying for hours. (l)user
Welcome to the Slashdot Server
Login: CmdrTaco
Password: Kathleen
"Whoohoo! I'm in!"
It may solve this specific problem, but it doesn't change the fact that there is no easy way to recover from a compromised biometric. You can't exactly ask your admin to change your fingerprints :P
Hohum. 99% of 100% of thieves can recover a credit card number and expiration date by looking at the credit card itself, which is invariably kept in the owner's wallet. And that wallet is then left on their dresser when they sleep at night.
Every semester we run crack on Unix passwds at my university. Number one: "Princess." Number two: "GoVols." :-) We enforce no dictionary words, etc. now and shut down the offending accounts. We also moved away from Unix based mail to IMAP with a Webmail interface running on SIMS off LDAP. They don't even get Unix accounts anymore unless they ask. Well, excuse me, your worshipfulness!!!!
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
Lotus Notes mail has a cool password generator. I converted it to Javascript once and use it for all my passwords:
I can't post it here because it won't go past the lameness filter, but you can find it here.
It produces nonsense passwords, but they are easy to remember because they come out like pseudo-words. e.g. jenzog72, or slocrip16. It's about the only thing useful I ever got out of Notes.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
i always wondered how so many people were able to post using my "Anonymous Coward" account name.
I work for a 2 billion dollar company here in the US and it's part of a much bigger world wide company.
Our Windows network has over 8,000 users. After running a cracker (lopht), it took 20 minutes the first time thru the SAM file.
After those 20 minutes, half of the 8k passwords were cracked, including 10 users in the admin group and even the Administrator account. Using just letters and numbers is not a secure way to protect a company.
After the first pass of lopht, we fed the user names back into the dictionary, and cracked almost the rest of the passwords.
On our windows domain, your password must be letters, and a symbol of some type. Most people would use passwords like Giovino3, then next month Giovino4. The head of MIS at our branch was acbdef.7, I bet it used to be abcdef.6 the month before.
And even after telling them about their password problems, they still refuse to fix it.
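An audit-time check for the patterns this post and others in the thread describe (username plus a number, the name spelled backwards, and month-to-month increments like Giovino3 to Giovino4), as an added Python example; it is not the poster's tooling, and the usernames and passwords below are constructed.

```python
import re


def letters_only(s: str) -> str:
    """Lower-case and drop digits and symbols, so 'Giovino3', 'gio75vino'
    and 'GIOVINO!' all reduce to 'giovino'."""
    return re.sub(r"[^a-z]", "", s.lower())


def derived_from_username(username: str, password: str) -> bool:
    """Flag a password that is the username with digits or symbols added
    or inserted, or the username spelled backwards (thread examples:
    someguy42, pats75, Giovino3, a name reversed)."""
    user = username.lower()
    core = letters_only(password)
    if not core or not user:
        return False
    if core in (user, user[::-1]):
        return True
    # Usernames of four or more letters are also flagged when they appear
    # inside the password; shorter ones would match too much by chance.
    return len(user) >= 4 and (user in core or user[::-1] in core)


def is_increment(old: str, new: str) -> bool:
    """Flag a change that only bumps a number (Giovino3 -> Giovino4,
    acbdef.6 -> acbdef.7), the monthly pattern the post describes.
    Requires the previous password, so this runs at change time."""
    if old.lower() == new.lower():
        return False
    return re.sub(r"\d", "", old).lower() == re.sub(r"\d", "", new).lower()


def audit(records):
    """records: iterable of (username, previous_password, new_password),
    previous_password may be None. Returns a list of (username, finding)."""
    findings = []
    for username, previous, new in records:
        if derived_from_username(username, new):
            findings.append((username, "password derived from username"))
        if previous and is_increment(previous, new):
            findings.append((username, "only the number changed since last password"))
    return findings


# Constructed sample mirroring the thread's anecdotes.
SAMPLE = [
    ("someguy", None, "someguy42"),
    ("pats", None, "pats75"),
    ("giovino", "Giovino3", "Giovino4"),
    ("mishead", "acbdef.6", "acbdef.7"),
    ("jane", None, "enaj1"),
    ("ford", "Giovino3", "zaph42odd"),
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```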
SPEKE
SRP
PAK
And my own public domain effort...SNAKE
Maybe it's time to fix the systems rather than the users?
This conclusion brings to mind the results of earlier studies that confirmed the following:
1) there are many people who get to the front of a long line at McDonald's and are still unable to decide what they want to eat.
2) many people, when given a choice between listening to Tiny Tim and Blues Traveller will in fact choose Tiny Tim.
3) a large portion of the population believes that Elvis is still alive in a bunker outside Las Vegas, and that he is in fact controlling world politics at the behest of the Area 51 aliens.
Sometimes, there's just no accounting for people. Bash them over the head with common sense, and they'll still go the other way.
Read the EFF's Fair Use FAQ
Since this style of an article was last posted, I have changed my password system from CourseNameRandomNumber (choose an educational course, choose a 4-5 digit number, put the two together) to just using REALLY long strings of random words and numbers intermixed, with both upper and lower case letters being used.
:)
It is still not completely secure, since it does have actual words in it, but 10-15 character passwords are pretty damn good for something that can be remembered by a mere mortal.
Need help treating your acne? Come here!
http://it.mycareer.com.au/industry/20001010/A36
An interesting development is the use of abstract computer-generated images for passwords - they display the images on screen and have the users pick which ones comprise the password. It's easier to remember since we're better at recalling images than random text. As a bonus it's impossible for users to tell other people the password if the images appear in different positions each login.
I use the Winguides.com Random Password Generator!!
This is how I got my password of "WrOc6eJo723od@a"
Passport forces you to have at least 8 characters in your password - in my opinion that actually makes it even LESS secure. Why? Because remembering an 8 letter password is much harder, so people are more likely to go with something easily memorable (and easy to social-engineer) or write it down somewhere. I have several highly secure, completely random 6 letter passwords but I was unable to use any of them for my hotmail account, so I ended up going for something pretty insecure.
At my undergrad institution, a prestigious technical university, we had login names based on our student numbers, a number like n4026001 etc. A friend of mine wrote a simple script to finger all accounts in succession and then tried to log in with a password with minor variation of the individual's name. It wasn't too long before he had logged into more than 50 accts out of some 3000 or so accts.
Even more surprising was how many people would run untrusted binaries coming from friends. A person wrote a simple script which would give how compatible you would be with a person if you typed in your name and her (almost always her) name. The only problem was it did more than that, it would email a copy of you and your crush to the creator of the binary. Before long he had a huge database of who was after whom. Even more pathetic was people trying variations of their name or the girl's name when the script said they were incompatible.
At the intersection of computation and biology.
Heh. When I *have* to write passwords down (I've got at least 20 completely different work-related passwords that I use maybe once a week if I'm lucky, and then they change in 6 weeks) I never write down the actual usernames. Now, all the really important and immediately obvious accounts are memorized because I use them a lot, so these aren't going to be easy to find accounts for.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
I read this as almost good news.
Most people think there are only two options, good passwords and bad passwords, but in practice there is also the "no password" option. If a user has to use a unique, hard to crack password there is a good chance he will write it down or save it somewhere, opening a new can of worms. If you tell management to add hard to crack passwords to screen savers in an office they will laugh at you and say 'no', or you will soon find yellow notes on monitors, but let them just use any password and you now have 'some' security in place. I'm not saying sysadmins should change all root passwords to "God", hard passwords have their place, but so do easy ones. At least these people used passwords.
I used to get by on the net with just one password. It was very secure in that it was nice and random and not likely to appear in any cracker's dictionaries. I never really thought about security much... until a web based forum I was subscribed to was cracked. At the time I was an administrator on one of the largest online gaming forums in Europe (now sadly no longer with us), and another regular from those forums got hold of my password. Luckily he merely posted a few "hahaha I've got Skunk's password" posts and didn't do any damage, but the potential was there.
:)
Since that incident I've instituted a strict policy of having at least 4 different "main" passwords, each with a different security level. I look at any site I sign up for very carefully - does it look trustworthy? Do I trust the owner of the site (chances are my password will be stored in their database in plain text)? My "low level" passwords are used for unimportant sites while I save my "high level" ones for e-commerce and administrator functions.
All this should have been obvious from the start, but then that's the benefit of hindsight
The root cause of all this, IMHO, is the "expert" advice to "never write down your password". What nonsense! Real security experts understand that there are about 3 things that can be used as authenticators for you: something you know, something you have, something you are. The problem is that a ton of cognitive research and computing experience over twenty years has failed to demonstrate that you can know something complicated enough to serve by itself as a secure password!
Much more sensible is to randomly generate a password (using as much of the keyspace as reasonably possible), write it down, and stick it in your wallet or purse. Now it is something you have: a perfectly good authenticator that is as secure as the keys to your home and car.
Insufficient security? Combine it with something you know by not writing down the last four randomly-generated characters: you can probably remember those, and a hundred thousand combinations to try will at least force the person who stole your password to have a means of rapidly checking alternatives.
Alternatively, what I do is store the passwords on my PalmOS PDA, with a free app that lets me protect them with a "master password". Again, the master password is insecure, as it needs to be memorized, but it can be fairly strong, since it is all I need to memorize, and in any case it is only the second line of defense. In a more security-serious environment, you could combine this with the previous scheme.
Note that you will eventually memorize frequently-used randomly-generated passwords: these can then be thrown away.
Note also that the conventional advice to "change your password often" is a contributor to the problem here: it virtually guarantees that weak passwords will be chosen or that passwords will be written in too-convenient places. If your system is reasonably secured, there is no reason to ever change a password. Finally, if you do need to change a password for some reason, the "something you have" scheme described above works much better than memorization.
Helpdesk: Hello.
Jake: Hi, this is Jake in Publishing. My computer is messed up and I need domain admin to fix it.
Helpdesk: Really, that's odd. But ok, give me a minute to set you up.
Jake: THANKS!
Why can't individual DVD players have a key, and only "trusted" DVD players are allowed to read the content?
Because they used a ridiculously crackable number of bits for their encryption. If they had used a stronger encryption, the only DVDs which would have been cracked would be those created before that particular manufacturer's decryption key was cracked.
Maybe if you weren't so retarded, you could remember something as important as your password.
How l33t does that make you look in your department when every six weeks you lock out your machine? Bet you blame the IT dept as well, since it was them who made you forget the password.
I think one good way would be to generate a completely random password (i.e. creating each letter as an outcome of a discrete, uniform random variable; of course each letter should be independent from the other ones). I think the biggest problem would be to produce true random numbers (pseudo random wouldn't be good at all).
Would it work?
Want "line noise"-looking passwords ?
I sometimes "play a tune" on the keyboard, using the old Amiga OctaMED or Protracker music software keyboard mapping (sometimes shifted to the left or right for variety's sake).
So even I can't immediately tell what my password is, since I'm not using the "remembering words" bit of my mind. The fastest way for me to find out the password as a series of letters and numbers is to retype it in a shell window...
Alternatively, I mentally superimpose a simple outline image of something onto the keyboard, and trace that outline, pressing keys...
Choice of masters is not freedom.
Reminds me of the good old movie Wargames. Man I love that movie :)
Most of the passwords I use are in fact quite weak. Why? Because I don't really care if someone hacks into my spam account and if there is no one I know who would have the patience or know-how to hack into the Linux partition I have. The fact is that the vast majority of people don't have the ability to crack even the simplest of passwords (with the exception of "password"), and any one who does has a lot better things to do than screw around with some of my accounts. True the important passwords I have are still strong (I don't want someone breaking into my university account) but feel free to screw around with my hotmail account.
I stole this Sig
unsafe
delete free(system.gc);
"Of course my password is the same as my pet's name.
My cat's name was Q47pY!3, but I change it every 90 days." - Roddy Vagg
I actually got sick of thinking up random passwords and wrote a utility to create them automatically. Check out http://wattersm.dyndns.org and click on the password generator link.
someguy[0-9]+[0-9]* is redundant. The extra [0-9]* buys you nothing.
--
Free software isn't free, but expensive software is expensive.
Instead of generating a meaningless encrypted password that is hard to remember: learn to type in the Dvorak keyboard layout. Then, anytime you enter a password, use any normal words, but type on a standard QWERTY. Instant obfuscation!
For a little more insight on how people tend to pick passwords check out this story previously posted to slashdot.
hgh
"Iron rusts from disuse; stagnant water loses its purity and in cold weather becomes frozen; even so does inaction sap the vigour of the mind." -Leonardo da Vinci
Didn't /. already run something about secure password schemes? Anyhoo, I usually strive for easy to remember, yet hard to dictionary attack. The easiest ways are:
l33t-speak: replace letters with numbers. So your wife's name of Kathleen becomes "K@thl33n"
inserting numbers for syllables of a word like: "x10u8" (extenuate)
Using directions and keyboard geometry. (For my pin number I would use something like 36987, which is a backwards L on the keypad.)
Inserting a number sequence inside of a word. r3o1v4e1r5 = rover + pi
Using these methods, it's pretty easy to come up with a word that's relatively secure to a dictionary attack yet is as simple to remember as a much easier word.
(One thing: PLEASE don't use your SS# in any of these!)
Where the wind blows, the tumbleweed goes.
I thought it was common knowledge among sysadmins that people's passwords WILL suck.
One of my friends had a clever way of thinking up passwords. She would take her high school class schedule, say:
Study Hall
Calculus
Physics
Chemistry
Band
Literature
Biology
She would then alternate between the floor it was on and then the first letter of the class: 5c4p2c5b3l7s2b
It's something you did for a year of your life, so not that easy to forget, and you could always look it up.
----------
I am an expert in electricity. My father held the chair of applied electricity at the state prision.
You can get at least a little bit more secure by using MD5. Pick a master password - a really good master password. Something relatively long, that you've never used before. Something that you'll never forget. Now, find a javascript MD5 site. here's one. Type your master password in, and then type in the name of the site (all into the "Enter your message:"). Hit "run MD5". There's your password. Use the first 8 characters, or the last 8 characters, or something like that. The two advantages of this solution are that 1) you only have to memorize one password and 2) no one has your master password except you (and anyone looking over your shoulder). I wouldn't suggest using this technique for your really important passwords, but it's good enough for the medium important ones.
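Added example (not the poster's code): the MD5 scheme from the comment above in Python, next to a hardened variant of my own using PBKDF2-HMAC-SHA256 with the site name as salt. The two checks a practitioner would want are built in: the plain concatenation means ("ab", "c") and ("a", "bc") derive the same password, and eight hex characters carry at most 32 bits, while a single leaked site password lets anyone test master-password guesses at one cheap MD5 each; the iteration count and the base64 encoding in the hardened variant are this example's choices, not the comment's.

```python
import base64
import hashlib


def md5_site_password(master, site, take=8, from_end=False):
    """The comment's scheme: MD5 over the master password followed by the
    site name, keeping the first (or last) `take` hex digits."""
    digest = hashlib.md5((master + site).encode("utf-8")).hexdigest()
    return digest[-take:] if from_end else digest[:take]


def hex_entropy_bits(take):
    """Upper bound on the entropy of `take` hex characters (4 bits each)."""
    return 4 * take


def pbkdf2_site_password(master, site, take=16, iterations=600_000):
    """Hardened variant (this example's alternative, not the comment's):
    PBKDF2-HMAC-SHA256 with the site name as a separate salt, so there is
    no concatenation ambiguity, and `iterations` hashes per guess, so one
    leaked site password costs ~600k hashes per master-password guess
    instead of a single MD5 call. Base64 gives ~6 bits per character."""
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        site.encode("utf-8"),
        iterations,
        dklen=32,
    )
    return base64.b64encode(key).decode("ascii")[:take]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for site in ("example.com", "example.org"):
        print(site, md5_site_password(master, site), pbkdf2_site_password(master, site))
    # The concatenation weakness: different (master, site) pairs, same password.
    print(md5_site_password("ab", "c") == md5_site_password("a", "bc"))
```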
Didn't you see Hackers?
RonB
It is human nature to take shortcuts in thinking.
PASSWORD
Lol - okay, not really.
You only have to remember 2 (or however many area codes for the area) combinations for the first 3 digits. Thus you are really recalling 7 digits, then associating whatever area the number is in with its area code.
-
my best friends' email, login, pr0n-service and even `planetarion.com' was `finalfantasy'.
At least i could pre-empt his sad days... like when his pr0n servers went down...
0xC3
A colleague of mine wrote a great program that uses pgp. Basically, you can create a text file that contains the password and a description of what service it is for. Then another text file that contains the key list of users that are allowed to access that particular service. Then it pgp's everything. So you can't add another user to the key list unless you are already in the key list. It is great because it allows a central safe place to distribute passwords.
One does have to wonder how many times CNN is going to do an article on this subject. Certainly this is about the 4th I've read in the past 12 months. Someone needs to tell CNN that this isn't news anymore. We bloody well know that people are not the greatest when it comes right down to passwords.
They never were and odds are they aren't going to improve anytime soon.
Back in '95 when the internet really started reaching John and Jane Q. Computer user we started an ISP (truth be told they did and I was little more than apprentice help). One day we read about a hack that would allow us to get a copy of the password file under the current versions of Linux at the time (thankfully long since patched up) and how to use a brute force method (and a large dictionary file) to decrypt the passwords. Were we in for a shock when we got 40% of the passwords. Some were the same as the username, others were simple words, still others were user: College pass: Diner for the college diner (not a real name, just an example of the type).
We all know that the best password is a random generated sequence of letters, numbers, and if we can get away with...characters, but that means that people have to take extra time in dealing with the passwords.
My best solution (and the one I use to this day) is an 8 character random alpha/numeric password that I put into my little Day Timers, with a backup list at my desk at home. Should I lose one of those, I have the other to tell me what passwords I have active and what needs changing.
Again sadly that takes more work than the average user is willing to put forth.
We know this CNN, we've been dealing with this for many years before you even went online. It just isn't news anymore.
-- Wiccan Army, 13th Airborne Division "We will not fly silently into the night"
I must admit I have been using the same password for all of my accounts in the past four or five years(excluding /.).. I guess my password is just strong enough.. then again, maybe i'm not that popular.
you can pick your friends,
you can pick your nose,
you can't however,
pick your friends' nose.
Easy enough - I just use a variance of my middle name - now - that being Loihika'uhane, I just add a few numbers - it already has a non-alphanumeric, and presto! Now, you might have a little trouble adapting your password scheme to fit mine, as most peoples middle names/initials aren't quite as complicated. : )
ftp://george_bush:spotty@whitehouse.gov
Do you think our president would use his pet's name for a password? Hell, does the president know his own pet's name?
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
...bigfartingfatguy.
I used to work for a large company (cannot name it) but when customers phoned in for either opening or re-opening their accounts, I always confronted them with the question "And what do you want me to set as your password?". The silliest answers came. Their sons' names, the name of their dog, car, their birth date, their social security numbers... anything predictable and crackable came up. I usually wound up by saying "*sigh* very well, 'Johnny' is your password then."
Oh... I'm pretty drunk, please have me excused.
I use my nickname for my password, but so no one can guess it, I spell it backwards!
generate passwd based on your ex-GF name,
surely you won't let people know that u are still remembering your ex-girlfriend.
if your wife knows, it may cause civil war.
-- Hasbullah bin Pit (sebol)
SecurityFocus has an article on passwords, while it has a NT focus (Lanmanager myths and such) it touches on lots of the same thoughts. Of interest is the use of high ASCII and/or Unicode in passwords.
Bleh!
Not everyone uses weak passwords, I have seen some STRONG passwords at my workplace, usually on a post-it stuck to the monitor.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
I use the same crummy word for a lot of my passwords. If the service makes me use upper case, I capitalize the first letter. If they demand numbers, I turn the 'e' into a '3'. That's because all of these accounts are passwords that I DON'T MIND IF PEOPLE CRACK.
You're not going to do ANY damage if you somehow managed to crack into my NewYorkTimes account.
ICQ makes me create a password that half the clients out there don't authenticate. If you got in, you'd suddenly be able to forge messages from me. Just as you could before.
For real accounts (root, stuff involving my credit-card, etc.) I use a simple hash involving the name of the service and a secure string of letters and numbers. But there are a lot of accounts that won't bother me if they get cracked, but WILL be a pain if I forget the password.
In my work as system administrator I have found that no matter what one says, cries or yells, people keep using dumb passwords. First of all people do love to use the infamous "1234" password. Such a password can be found in such interesting places as the main accountant network access on a commercial bank, on a door to a restricted area and, the most amazing of all, on a half-forgotten sysadmin account into a backbone network (one guy just forgot a test account with such a password). But that's not the worst. The worst is when your computer carries your account name, and your password is the same as your login.
The general claim that "50% of passwords are bad" is too optimistic. I prefer to risk my reputation and claim that more than 90% of passwords are worse than bad. Most people use Windows and this system carries so many holes that it is easy to catch a few password hashes just by sniffing a network. Besides, most people don't have even a basic knowledge of security so it is tremendously easy to catch an account with administrator's rights. Once you get one, you are on the free road - all depends on your knowledge and experience.
But not only Windows is on the black road. UNIX also. Most people have a high tendency to call for trouble. Many don't even read in front of their eyes THOSE BIG WARNINGS STATING THAT IF YOU TURN ON THIS THING YOU ARE ON YOUR OWN! And so we get telnets, ftps and many other daemons running with SUIDS, root network accesses and "come in and get what you want! Bye and come again!!!" In result most networks are completely open to any attacks from outside. A black hat hacker needs only patience, accuracy and cold blood to create havoc. No one would even get a hint that someone is on their nets...
Not long ago I was asked to test one network. I roamed the whole thing, reaching the most holy of the net and catching tons of sysadmin info just by grabbing network packets. Some passwords were so easy to calculate/guess that it took only minutes to become sysadmin. With them I went further and started to take control of the whole net. I was a few minutes from destroying the whole network when I stopped all tests. I tested the net for a few days. All that could be detected was that one sysadmin saw a "small" problem when I mistakenly sent ssh to another location (no matter that I sent tens of provocative actions over their net to get their attention). However this was too little info to identify the author of the work. Their luck was that they had a greyer hacker in their nets... A Cyberpunker would not be so humble.
That's not the exclusion. That's the state of thousands of critical networks. That's the common denominator.
"There's nothing more useless than a lock with a voice imprint."
Except maybe a password policy. The overhead on keeping people in line, especially with draconian software that enforces password selection policies and aging, is more costly than the problem for all but the crown-jewel servers.
Security that prevents black-hats from getting ciphertext passwords in crackable codes is the only security that improves the bottom line rather than making it worse.
--Blair
Everyone should go out and buy some dice and use them.
http://www.diceware.com/
I remember working as a sysadmin for a company where the CEO was... a little less than brilliant... after setting up his new computer for him I set his local login password to "password" and had it force him to change it on first login so that nobody else would know the password yet it would be simple enough that even he could remember it the first time, when he came in the following conversation ensued:
ceo: what's the password to my new computer?
me: password
ceo: I know that but what is it?
me: password
ceo: of course it is but what IS the password?
me: the password is "password"
ceo: would you quit that and just tell me what the password is!?!
me: the password is "P - A - S - S - W - O - R - D"
ceo: don't get smart with me young man! you don't want to make the person who signs your paycheques angry!!!!!
(meanwhile in the other corner of the room the accountant and receptionist were just howling with laughter and the ceo couldn't understand why...)
I finally led him over to the machine and made him watch the keyboard as I typed in "p - a - s - s - w - o - r - d" he suddenly changed his tune and was extremely apologetic and suitably embarrassed... I didn't have quite so many run-ins with him after that... and it provided a much needed comedic break for the rest of the office.
side note: I've since switched from that to using other simple words as initial passwords making sure to AVOID the word "password" (and after that initial password people were forced to use minimum 6 characters, not dictionary based)
Often times when someone joins a site they see the words "Username" and "Password" next to the boxes where they are supposed to choose a username/password. Guess what username/password they chose? Yep. "Username" and "Password" (or "username" and "password") which is mentioned at the bottom of the CNN story. They chose that combination because they did not know they were supposed to pick one themselves.
Just my $0.04 (adjusted for inflation)
(No, I'm not (that much of) an idiot and those are not my actual passwords)
This should come as no surprise to anyone who's ever done a sysadmin stint.
I remember reading an article on this in an old DEC Ultrix-32 manual, so went digging thru my boxes of old manuals and found it in "Supplementary Documents - Volume III - Systems Manager" (First Printing, May 1984). The article itself is "Password Security: A Case History" written circa 1979 by Robert Morris and Ken Thompson. You can find it easily enough in Google, but to summarize their findings:
3289 passwords were audited.
15 were 1 char.
72 were 2 chars.
464 were 3 chars.
477 were 4 chars.
706 were 5 chars all upper or lower case.
605 were 6 chars all lower case.
492 were dictionary words.
So, 86% of all passwords were insecure.
Back in a previous life as a systems administrator I saw similar results in running Crack on ~600 users.
In other words - Nothing has changed in 23 years!
This post is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License.
I've found passwords based on keystroke patterns (with a random key at the beginning, end or middle) to be easily remembered *by my hands* though I couldn't tell you the actual passwords myself without some serious thought. The random non-pattern key is important since there are crack dictionaries that try things like "qwertyuiop" etc.
:)
One example of a pattern I've used in the past: BNGHTY%^~
Try typing it in and see how easy it is for you to "remember"
Do not taunt Happy-Fun Ball
I've observed the following:
@ People hate remembering things.
@ People think that passwords are inconvenient.
Therefore, a normal person using a computer that requires a password will not only think of a password, but will try and make accessing that pc as easy as they can - ie the common mistakes we know of as writing the password on a post-it note and chucking it on the side of the monitor. Or if they can, getting a computer to auto-login. Why do most internet passwording systems nowadays have "remember me" and "auto-login"? Exactly - convenience.
The core problem with passwording systems is that normal users *do not give a shit* about security. Sad, but we all know that it's true. Sysadmins and people who know anything about computing will obviously use clever passwords, different passwords for each login/signin etc but the majority will not.
And as we know, there is a lack of knowledgeable people in the IT world - I'm thinking that only 10% of the people that use computers are the type that read /. and the type that know what they're on about. Therefore we have a big problem.
I'm not suggesting a solution to the problem, but I'm saying that the cause is not that users are stupid as such (well they are generally stupid but that's not the point ;), the reason is that it is awkward to login etc from the user's point of view.
Any system that lets you log 1,000 attempts a minute (or more than 3-10 attempts before locking the account) is poorly designed and should be rooted by one of those l33t h4x0rs to teach the sysadmin a lesson.
However, locking accounts after n attempts opens up a new denial of service: flooding the auth server with requests on known users but purposely invalid passwords to prevent the real user from being able to get in. Imagine what would happen if somebody tried to su with password "DoS" 20 times; the administrator would be locked out.
Will I retire or break 10K?
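Added example (not from either of the two comments above): a per-account progressive delay in Python, the middle ground between "1,000 attempts a minute" and a hard lockout that an attacker can turn into a denial of service. Each consecutive failure doubles the wait before the account accepts another attempt, capped rather than locked, and a successful login resets it; the base delay, the cap, the constructed credential table and the fake clock are this example's assumptions.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Progressive per-account delay instead of a hard lockout.

    Each failed attempt doubles the wait before the account will accept
    another attempt, capped at max_delay; a successful login resets it.
    Nothing is ever locked, so a flood of deliberately wrong guesses
    against a known username slows the guesser without permanently
    shutting the real user out."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._failures = defaultdict(int)
        self._next_allowed = defaultdict(float)

    def delay_after(self, failures):
        """Wait imposed after the n-th consecutive failure on one account."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def may_attempt(self, account):
        return self.clock() >= self._next_allowed[account]

    def record_failure(self, account):
        self._failures[account] += 1
        wait = self.delay_after(self._failures[account])
        self._next_allowed[account] = self.clock() + wait
        return wait

    def record_success(self, account):
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)

    def attempt(self, account, password, check):
        """Full flow: refuse without checking while throttled, otherwise
        verify with `check(account, password)` and record the outcome."""
        if not self.may_attempt(account):
            return False
        if check(account, password):
            self.record_success(account)
            return True
        self.record_failure(account)
        return False


def attempts_in_window(throttle, window_seconds):
    """How many consecutive wrong guesses fit into the window on one account."""
    count, t, failures = 0, 0.0, 0
    while t <= window_seconds:
        count += 1
        failures += 1
        t += throttle.delay_after(failures)
    return count


class FakeClock:
    """Constructed clock so the behaviour can be stepped deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    creds = {"alice": "hunter2"}  # constructed sample credential table
    check = lambda user, pw: creds.get(user) == pw
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for guess in ("wrong1", "wrong2", "wrong3"):
        print(guess, throttle.attempt("alice", guess, check),
              "next wait:", throttle.delay_after(throttle._failures["alice"]))
    print("guesses possible in 60 s:", attempts_in_window(throttle, 60))
    print("guesses possible in 24 h:", attempts_in_window(throttle, 86400))
```

With a 1 s base and a 300 s cap, six guesses fit into the first minute and a few hundred into a day, while the legitimate user, who knows the password, waits at most five minutes after an attacker's flood instead of being locked out until an administrator intervenes.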
It's not perfect, of course, but I wouldn't want one compromised web site to compromise the rest of them (the trouble with using one password for everything) and I'm reasonably sure I can keep my own box secured from attack. And it beats using sticky notes :)
Ita erat quando hic adveni.
On a *nix system it's a 3-second wait if you type the wrong one. On my dad's car, it's 3 seconds first time, 10 minutes second time, and 24 hours the third time
Which means any car thief could just put in three intentionally wrong passwords, watch dad struggle to get in his own car, and then, after everything has closed and everybody is in bed, "social engineer" a tow truck into hauling the car off to a chop shop.
Will I retire or break 10K?
And the last one is easy. The ape wears a tie
This is supposed to represent 'a1', but how do you know not to substitute 'dk' instead? To me, an ape wearing a tie just screams Donkey Kong.
Will I retire or break 10K?
I can change them for you. Where did I put that cheese grater...
Mea navis aericumbens anguillis abundat
Any password that fits this criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.
ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.
That's easier to find than some might think. For the hexadecimal representation there exists a formula that allows you to calculate digits of pi starting at an arbitrary place, maybe there is such a formula for the decimal case too. Anyway given a decent PC you can probably calculate up to 10.000.000 digits in a few days. But why bother, when it's easier to simply download them. Your chosen password should be in here, starting with the 470344th or 470343th digit (depends if you count the 3., but you didn't, line 4704, 5th block from digit 4).
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
I do this too. I have 4 passwords and 4 pin numbers depending on the level of security appropriate. And it's not just the level of security that I want my account to have, it's also the level of security that I think the account provider gives me. So I'm not going to put either of my top secret passwords on a website account where they might be cracked/intercepted. And if someone gets into the voicemail database at work and gets my voicemail PIN, they aren't going to be able to get into my bank account.
A couple of months ago, I called up the Wall Street Journal to get my password for the web site changed (I almost never use it, and so had long since forgotten what I'd used). I began to tell the lady on the phone the password I wanted (which I intended to change immediately through their online system, since I have no desire for another human being to know any of my passwords). Of course, the password I started to give her was a "good" password, with a mix of case, and non-alphanumeric characters. When I told her the first case change, she interrupted me, and told me that I should use a password of all the same case, so that it would be easier to remember. I responded by giving her a short lecture on computer security, and continued with my "good" password.
I think it's a general problem that people aren't trained properly in what would constitute a "good" password.
"If English was good enough for Jesus, it's good enough for everyone else."
One sunny day last summer I was out for a stroll along the scenic pathways of our fair city. As I was crossing the foot bridge across the river, I came upon two men doing some work on the river monitoring equipment. One man was at the control box on the shore, the other was at mid-bridge, fussing with the monitors. As I passed them, I was audience to this shouted exchange:
Man #1: WHAT'S THE PASSWORD?
Man #2: WHAT?
Man #1: WHAT'S THE PASSWORD?
Man #2: UH, I THINK IT'S SPACE, ENTER!
I briefly considered coming back sometime to see if I might crack into the system, but decided not to since there just wasn't any challenge.
Trickster Coyote
Living the illusion of reality.
Ideology is for ideots.
NEWSFLASH!!!
Many nerds* use 1701 as an ATM pin number.
*in addition to Wil Wheaton.
He must be really serious about his wife/girlfriend not finding his pr0n.
Pen-15
One trick for having many different passwords is to make them related. E.g. set aside one character in the password (3rd character, or whatever). Make that character "o" on your office computer (or "0", since I usually mix letters and numbers like "L" and "1" to make the passwords harder to guess). Then use the same password on your laptop, but make that character the letter "l". On your firewall, make it "f". And so on.
:-)
Sure, it's not as secure as a bunch of completely different passwords. But if you've come up with a really good password that's hard to crack, then all those permutations should be equally hard to crack, and if by some miracle someone does get one of them, they probably won't know which character to permute and what one-character abbreviations you've used for the various systems you use that password on. Of course, if everyone starts using this trick, then it won't be as secure.
It's worked for me. I can remember a couple of very good passwords, and the various permutations. There's probably no way I'd remember 8 different good passwords.
Since I carry my PDA with me at all times, somebody has to pry/steal it off me first before they can get my passwords (they have to crack my passphrase also). At least you have another level of security (compared to a piece of paper) and you're less likely to lose your PDA. The other benefit is that on a PDA, it's easy to organize and search from hundreds of different passwords.
The downside to this is having all your eggs in one basket. If your PDA is stolen and somebody uses brute force methods to get your password, all your passwords will be compromised.
That being said, if you have a backup and your PDA does get stolen and you are worried, you could restore your back up to another PDA and quickly change all the passwords before that person has a chance to log in to any compromised accounts.
With gpasman you just have to remember 1 password (a really big one), that encrypts the others. This is an OpenSource app and written in GTK, what else could you ask? :). Get it here
http://securityportal.com.ar
I suppose you never saw The Sixth Day with Arnold Shwarzenegger (sp) :P.
I've been looking at possibly implementing something similar on the network at my workplace. I've had the same sort of problems the CNN article, and you, point out - not the same passwords, but just poorly-chosen ones. Got any pointers on how best to do this? I have a working LDAP directory and I use it for authentication already, but I'd like to set up a completely separate mail server (separate from shell, firewall and directory/name servers).
Sam: "That was needlessly cryptic."
Max: "I'd be peeing my pants if I wore any!"
I haven't logged in as root on my box since I installed linux, thanks to sudo. My root password is a rather complicated string of characters that bears no resemblance to any words. My user password is similarly strong. Unfortunately, remembering lots of strong passwords isn't exactly easy. So, I've gotten lazy and reused some of them. Based on my tech support experience, I would guess that most people only have one or two passwords that they reuse. Snoop their plaintext logins to thespark.com or something like that, and you've got them. I've never made an unencrypted login to my box, and my passwords are strong, but that doesn't make them secure. Excuse me while I go change them...
WARNING: there is a trojan on your
The best way to create a password is to come up with a passphrase that you'll remember. The password is then the first letter of each word in the phrase.
For example, I heard the song "Transylvanian Concubine" by Rasputina, and I told someone "I wish I had a Transylvanian Concubine." It was so funny we laughed at it, so my local password for a while was "IwIhaTC." Completely gibberish, but easy to remember.
It's easy to maintain multiple different passwords for different accounts/services by making up some phrase relating to the service you use, e.g. "Yahoo really sucks, but I like the games." would be "Yrs,bIltg." Or "YrsbIlg." if you have an eight character limit. Then whenever you're logging into the service you'll remember the password instantly.
And that way you don't have to write it down. The phrases are easy to come up with, but it's important to try and find a phrase that's hard to mutate (e.g. "I wish I had a Transylvanian Concubine." versus "I wish I was a Transylvanian Concubine."). You want to pick one that'll be remembered a specific way, and often times the easiest way to do it is to make sure the abbreviation is always a fixed number of characters (say, 8 or 14), one for each word and punctuation. That prevents you from adding in extra words, like "really": "Yahoo really sucks, but I really like the games." versus the above example. Or dropping words.
The most important thing is that anyone can do it without worrying too much about it.
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
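Added example (not Jake's code): the passphrase-initials scheme from the comment above in Python. It takes the first character of each word and keeps any punctuation that follows the word as a password character, which reproduces the "IwIhaTC." and "Yrs,bIltg." examples, enforces a site's length limit, and offers the fixed-length consistency check the comment suggests for catching a phrase that has drifted by a word; the function names and the sample phrases beyond the comment's own are this example's.

```python
import string

PUNCTUATION = set(string.punctuation)


def _trailing_punctuation(text):
    """Punctuation at the end of a word, e.g. 'ucks,' -> ','."""
    tail = ""
    for ch in reversed(text):
        if ch not in PUNCTUATION:
            break
        tail = ch + tail
    return tail


def phrase_to_password(phrase, max_len=None):
    """First character of every word, plus any punctuation that ends the
    word, so commas and periods become password characters too.
    Raises ValueError if the result exceeds a site's length limit."""
    parts = []
    for word in phrase.split():
        parts.append(word[0])
        parts.append(_trailing_punctuation(word[1:]))
    password = "".join(parts)
    if max_len is not None and len(password) > max_len:
        raise ValueError(
            f"{password!r} is {len(password)} characters, limit is {max_len}"
        )
    return password


def is_fixed_length(phrase, expected_len):
    """The comment's consistency check: if the phrase is always remembered
    with the same number of words and punctuation marks, the password
    always has the same length, so a slipped-in 'really' shows up."""
    return len(phrase_to_password(phrase)) == expected_len


if __name__ == "__main__":
    # Phrases from the comment, plus two constructed variants that show how
    # a mutated phrase yields a different password.
    for phrase in (
        "I wish I had a Transylvanian Concubine.",
        "I wish I was a Transylvanian Concubine.",
        "Yahoo really sucks, but I like the games.",
        "Yahoo really sucks, but I really like the games.",
    ):
        pw = phrase_to_password(phrase)
        print(f"{phrase!r:55} -> {pw!r} ({len(pw)} chars, "
              f"10-char check: {is_fixed_length(phrase, 10)})")
```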
Hey, with /. trying to generate some money with big adds, maybe they should just hire some lawyers and sue all the sites with "whateverdot" type names.
There was some show on TLC once, and I only caught the end of it, but the part I did catch made me laugh. (memory fuzzy, so if I get a detail wrong sorry)
These guys were hackers turned security consultants and were consulting for a financial company. They were "wardialing" the company's phone service looking for a computer that would answer, and when they got one, they entered "root" for the username, and (get this) "password" (!!!) for the password... and got in.
You would think anybody who has the semi-intelligence to be a Unix sysadmin for that company would know to NOT USE "password" AS YOUR ROOT PASSWORD!
I hope somebody got fired for that... sheesh
There are only 10 kinds of people in this world... those who understand binary and those who don't
...as long as you give them names like "x/&Qrn7S=;q" and remember to rename them every month.
Take your personal favorite verses of scripture, take the first or last letters, and add the chapter and verse to the end. Lots of combos possible, easy to recreate if you forget, and only someone who steals your personal Bible to check for wear and tear can figure it out!
Just wondering if it is safe to assume that all websites requiring passwords use case-sensitive passwords.
My usual way to generate a password is to pick a name from an obscure novel, or a fantasy/sci-fi one
(not a best-seller!) and put numbers or punctuation in somewhere other than the end. These are easy to remember, not normally in a dictionary, long, and have at least 2 of the 3 types of characters needed for a good password - capital letters, lower-case, and non-alphabetical.
They also are totally unrelated to my family or pets, plus I read so many books that even friends wouldn't know which book I chose to get a name from.
HELMET It worked, sir. We have the combination.
SKROOB Great. Now we can take every last breath
fresh air from planet Druidia. What's the combination?
SANDURZ One, two, three, four, five.
SKROOB One, two, three, four, five?
SANDURZ That's amazing. I've got the same combination
on my luggage. Prepare Spaceball 1 for immediate departure.
SANDURZ Yes, sir.
SKROOB, SANDURZ, and HELMET start walking out
the door.
SKROOB And change the combination on my luggage.
Build Your Own PVR/HTPC news, reviews, &
If you're on 32-bit Windows, Whisper 32 is fairly decent. Free, as in beer.
3.141592653589793238462643383279502884197169399375 10
That's how much of pi I can remember off the top of my head, and there are people out there who can't remember a 4 digit number....
I don't! (most of them)
:) These are for the sites where you could do some damage if you cracked the account.
I have a Blowfish encrypted file on my Palm with a single hard password to remember, another PGP encrypted copy on my HD at home, and one printed out in a safe. All passwords contained therein are randomly generated 8-16 (dependent on max length allowed by site) characters, including letters (upper & lower case), numbers, and special characters. About the only thing I *don't* do is use the alt keyspace.
For everything else, I use the same stupid password, although it is 'hard' as well.
I've found Kerberos-controlled and enforced passwords are pretty unreadable. Unfortunately, the only places using Kerberos I've encountered so far are large universities.
Now I've seen it all!
Appended to the end of comments I post? 120 chars?!
Thanks, you're right, I suppose I was thinking [0-9]{1,} which as you say would simply be [0-9]+.
Of course the Unix systems never seem to have this problem...
That policy is a sign of incompetence in the IT department.
If strong passwords are used, they should have long expiration periods. It's not unreasonable to memorize a truly random password if you only have to do it once a year. If passwords are expiring every six weeks, you *have* to write it down (on a card in your wallet, on your PDA or cellphone, etc.) because it's impossible to remember them otherwise.
Another good trick is to generate a list of a few dozen candidates and look for one with good "muscle memory." E.g., my main password now has a pattern of L-RR^-LL^-LRL where ^ means it's a key "straight above" the last key.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
1. Enter the old password, some random data from /dev/random and whatever else is handy, and SHA-1 it.
2. Get the milliseconds component of the current time. Add the PID. Recursively apply SHA-1 this many times, XORing in a byte or two from /dev/random each time.
3. Now the fun part. Strip the high bit and treat the first 8 bytes as an ASCII string. If it matches the password policy (e.g., 2 upper, 2 lower, 1 special, 1 digit, 2 wildcards), print it and increment a counter.
4. Repeat the prior step until the counter hits 50 or so.
It usually takes 5-10 seconds to generate a list of candidate passwords. I pick one that's easy to remember because of "muscle memory." To guess my new password, you need to know both my old password and the contents of /dev/random.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
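The candidate-generation loop described in the comment above, written out as an added Python example (not the commenter's own program). Assumptions: `os.urandom` stands in for /dev/random, the policy counts are the ones the comment gives as an example, and the SHA-1 round count derived from the clock and PID is capped so that pure Python finishes in seconds.

```python
import hashlib
import os
import string
import time

# Characters a candidate may contain: printable ASCII minus space.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)


def meets_policy(pw, upper=2, lower=2, digit=1, special=1):
    """Policy from the comment: at least 2 upper, 2 lower, 1 digit and
    1 special character; the remaining positions are wildcards."""
    if not pw or any(c not in ALLOWED for c in pw):
        return False  # control bytes or spaces left after the high-bit strip
    n_up = sum(c.isupper() for c in pw)
    n_lo = sum(c.islower() for c in pw)
    n_dg = sum(c.isdigit() for c in pw)
    n_sp = sum(c in string.punctuation for c in pw)
    return n_up >= upper and n_lo >= lower and n_dg >= digit and n_sp >= special


def candidate_passwords(old_password, want=50, length=8, rounds=None,
                        rand=os.urandom):
    """Return `want` candidates following the comment's recipe.

    rand:   source of random bytes (os.urandom reads /dev/urandom on Unix).
    rounds: chained SHA-1 applications per candidate; when not given it is
            taken from the clock's millisecond field plus the PID, as the
            comment says, but capped (my assumption) to keep runtime short.
    """
    if rounds is None:
        rounds = (int(time.time() * 1000) % 1000 + os.getpid()) % 2000 + 1
    # Step 1: old password mixed with fresh random bytes, then hashed.
    state = hashlib.sha1(old_password.encode() + rand(32)).digest()
    found = []
    while len(found) < want:
        # Step 2: re-hash `rounds` times, XORing two fresh bytes in each time.
        for _ in range(rounds):
            state = hashlib.sha1(state).digest()
            noise = rand(2)
            state = bytes(a ^ b for a, b in zip(state, noise)) + state[2:]
        # Step 3: strip the high bit of the first `length` bytes, read as ASCII.
        cand = bytes(b & 0x7F for b in state[:length]).decode("ascii")
        if meets_policy(cand):
            found.append(cand)
    return found


if __name__ == "__main__":
    for pw in candidate_passwords("old-secret-here", want=10):
        print(pw)
```

Only a few percent of raw 8-byte strings pass the policy, so most of the work is the rejected candidates; the filter is what enforces the policy, the hashing only supplies unpredictable bytes.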
Another commonly used way is the username and then the username backward for the password. Also admin/admin... administrator/administrator..
Use social engineering and you'll be amazed at what people producing wooden boxes (for example) are choosing for the password. Examples: wood, box, cutting, nails... etc.
I recently found an issue where our helpdesk was setting passwords to a "default" password when a user called with a password related issue... the user is then supposed to change the password, however the users are just using the default password and calling the helpdesk again (30 days later) when the password expires again. A cycle that a quick LC3 run on the SAM file revealed: 10% (over a thousand) had the *exact* same password ... *sigh* anyone know a cure for typical user(s)???
"many passwords can be guessed if access to the subject's desk is allowed" Well, if access to the desktop is allowed, couldn't the accessor just reboot the computer, say into single user mode, or otherwise use rebooting to infiltrate the system in nasty ways?
Furry cows moo and decompress.
for stories like this. Let's call it the No shit, Sherlock department and have a turd under a magnifying glass as its little icon.
Yes.
But you can add that it only applies to the same TTY.
So if someone does that on TTY1, then root can still log in on TTY2.
That would be easy to make, and then the DoS people would have to change TTY to disable it on all TTYs. And you can say that root, for example, is _always_ allowed to log on on TTY1 on the physical computer... Then it would not be a problem... Or use trusted IPs.
If you are already at the physical computer it is not hard to get in.... Boot LILO in single mode or simply use a boot floppy.
Assembling etherkillers for fun and profit
How about using emoticons or ASCII art as passwords? Instead of words like bell, alarm or rose, use something like
-C@ (((0))) or @--,'---
Some time ago, I coded a user interface into a program I was working on where you "drew" simple multi-line ASCII art to activate the various features. Maybe the same thing can be done for passwords?
If a worker uses 'password' in a company and sticks it on a post-it note on the monitor and casually mentions that that is their password, then surely this would be a valid legal defence if suddenly their account was used to send nasty emails to the boss or whatever.
How could it be proved that it was this person that did it, if the password was publicly known, or assumed?
Hi,
I've been working in IT departments for a lot of years, seen it happen everywhere.. As the number of 'services/servers' grows, every one of them gets a new (and often different) username. Those people often use the same password everywhere..
At the manufacturing company I now provide support services for, the password is usually left blank. Tried to change it to not allow blank passwords, then all hell broke loose !! So now it's back to empty passwords...
Oh well, not too big a deal in my opinion.. No internet connection, and all data is on file somewhere also, there's even no budget to lock up the server ; it's in a publicly accessible place, anyone can just take a backup tape and look at the contents...
I have a list of my passwords on my HD in plain-text. I don't mind that this list could get stolen somehow. That's because through the years I have devised a personal system of cyphering a password. I take a normal word, say the model of car I wish I had (porsche), and morph it (letter substitutions, doubling, pseudo-leetspeak, etc.) into something reasonably secure (poR%scK3), which I will then use as the actual string I type in. The plain-text list is only used to jog my memory in case I forget one of them.
Need a Linux consultant in New Orleans?
Cryptic passwords aren't all THAT hard to come up with. Weird thing about memory - if a group of words has rhythm or rhymes (or both), then it's almost impossible to forget (everyone here remembers the theme to Gilligan's Island, right?).
:-)
Back at DEC, the max password lengths were ridiculously long (128 chars? someone out there remembers). So, my passwords were usually something like:
onceuponamidnightdreary - next month was twiceuponamidnightdreary and then thrice..., and then I went to the next verse.
Not terribly cryptic, but nowadays, I typically use the first characters of each word in a poem, or whatever. Example above yields Ouamd - which is a reasonable start - add a number and increment, and you're set for a while until you move to the next line. Song lyrics work just as well as old Edgar Allan's stuff of course.
Oh, and of course, I strive to use song lyrics I'm not listening to at the time
We use pseudo-random strings for passwords that can't be remembered and have to be written down. We each have a copy of the password book, a small, black notebook, and they are kept locked when not on our person.
We use a little proggie that I wrote in C to generate these pseudo-random passwords.
Yeah, I know all about the dangers of writing passwords in books, but when you have close to 100 machines that you need to keep passwords for, you've really got no other choice. You need to make sure that security policy (keeping the password book locked up) is maintained at all times, which isn't so hard when there's only 2-3 admins who need the passwords.
Whenever somebody leaves, we change all the passwords for root and our admin user on all the machines. A bit tedious, but necessary.
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
If you read /., there is a good chance you built your own computer or have built one in the past. Part model and serial numbers are great handy alphanumeric strings that no one would ever guess. If my root password is the alphanumeric part of my motherboard's model number, it's both easy to remember and impossible to guess unless the attacker actually opens my box or knows what mobo I use.
-Zuchinis
Welcome to the Slashdot Server
Login: CmdrTaco
Password: Handbrake
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
Back when I was a tech, I had to install some drivers on the VP of Technology's machine, but he was nowhere to be found. So, I began the guessing game:
1. Tried his login name - nope (good!)
Then I looked around his office/desk, saw he had pictures of his 2 kids and taped to the wall was some kindergarten art from them (complete with names!) So,
2. Tried son's name - nope
3. Tried daughter's name - I'm in.
Security is a compromise between security and ease-of-use. I use the same or similar passwords for different situations (low-med-high security) depending on the kind of info I'm protecting.
What I'm curious about is how the math-friendly sysadmin/consultant population generates passwords for math-impaired users. *I* have no trouble memorizing a randomly generated string of 32 ASCII characters, but some of the people I work with have to write their password: 'DOG' on the frame of their monitor - IN MAGIC MARKER - to make sure they don't forget. (Of course, they try to write real small, so it's not obvious...:)
I've found for these kinds of people, it's useful to take a favorite phrase/title/line from a favorite song and take the 1st letter from each word to generate a PW string. For example, for someone whose favorite song was "Talk Dirty To Me" by Poison, I'd have them take the line 'CC, pick up that guitar and talk to me' and generate: "CPUTGATTM"
1) It's longer than 4 characters.
2) It LOOKS random, but they'll remember it.
3) It's a LOT less obvious than their kid's/pet's/spouse's name, and you have to know them REAL well to even have a shot at guessing it.
Anyone else do anything like this?
"Lawyers are for sucks."
- Doug McKenzie
Enby in Waltham
With this program, it is easy to keep track of a separate password for each web site, and there is an (unlimited?) notes field for keeping track of extra account details or any extra challenge+response (You don't give every site your real mother's real maiden name, do you? Insanity!)
PSafe will generate random 'strong' passwords. For the really important systems, I use the 'strong' 8-character random password generated, but when I go to log in, paste the 8-characters from PSafe, and append a four-to-six letter string I keep in my head.
Voila --- Poor man's two-factor authentication!
I do not deploy Linux. Ever.
A friend who played piano would just position his hands on random places on the keyboard and play a bit. All he had to remember was where to position and the piece. Of course, there was no mixed case (unless Caps Lock was one of the keys he was playing), but still fairly non-dictionary.
I must say, I keep on getting tempted to put a slightly modified version of login that looks for a specific password and dumps them into a honeypot. And then leave that password on a post-it on my monitor. See how many people would be tempted by possible root access.
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
They can't be much of a geek if they can't decrypt a simple password file!
Video Game cheats, hints a
The best solution would be for each user to have a unique card that has a fingerprint scanner and a keypad on it. At login, the user is presented with a code which must be entered into their unique card, which then authenticates the user by their fingerprint and also calculates a password based on some formula which is unique to the card and involves both the code the user entered and the user's fingerprint. A friend of mine who worked for the DoD had a card similar to this, but it didn't involve fingerprints, so theoretically anyone with his card who knew his login might be able to login for him. Of course, even if it DID have fingerprint recognition, someone smart enough could probably steal the card, get his fingerprint, and do some sort of hardware hack to trick the card into thinking my friend's finger was pressed to it... I dunno... sounds pretty secure, though...
I get the joke, just a little addon: An American mobster actually tried to change his fingerprints the hard way back in the twenties, when they started to become a mainstream method of identification (fingerprints, not mobsters). He "burnt" his fingers with acid, to regrow new prints. Spent three weeks in extreme pain, just to find that his old prints grew back...
The only way to "change" your fingerprint is to get a flesh wound at your fingertip, so scar tissue grows. Probably wouldn't be a valid fingerprint to the automated tools, though.
Excuse my less-than-perfect English
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
could be yellow and have a "3M" watermark.
There's no difference between a smartcard and a password, except the input device (keyboard or mag reader) -- both of which can be bypassed.
I used a random password generator to pick out about 60 random passwords, then picked one.
I have about 50 or so accounts on various servers that I use frequently. I use about 10 passwords on those various services. Half of them would be considered 'strong'... liberal use of the shift key, number keys, etc. The other half are middling to weak.
On most of the sites, I use a single, weak password... on every site that I do not trust, or do not care about. On the important ones, I use one of the strong passwords, or a variation (shifted in different spot, etc).
As I am assigned passwords at work, I add them to my list of 'strong' passwords. I get a new random password yearly, so I have a long time to memorize it. Once it is no longer my work password, I add it to my farm of passwords I use elsewhere.
So for sites that don't matter, I use the poorest password manners possible... one weak password shared all over. But for important stuff (paypal, online banking, email, shells, etc) I use strong passwords that rarely duplicate.
For me, this is the best combination of convenience and security.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.