Slashdot Mirror


Crappy Passwords Very Common

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."

17 of 422 comments

  1. Number Theory by ffatTony · · Score: 3, Interesting

    I've had good luck guessing passwords using the method of adding a number to the user's name: e.g. someGuy's password is probably someguy[0-9]+[0-9]*

  2. Biometrics... by MosesJones · · Score: 3, Interesting


    What this is saying is that if you know something of the person you can work out what they will say. This is always going to be the case until it is something actually unique for the person (fingerprint, iris etc). While we all _know_ that we should have passwords like "sdf987*(&^JJHASBDjkasdjkh231*()&as" and every account should have a different one it tends to be simpler to use something you can remember easily.

    So this isn't a surprise, and it's what the Biometrics people have been saying for years.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  3. Best password ever by Apreche · · Score: 3, Interesting

    The best password ever is one my friend has. He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password. And after he told me this, he changed it. Because he changes his PGP keys every week.

    If you are one of these people who has a stupid password, you deserve what you get.

    I'm going to get the book of petnames now and write a brute force hack into paypal, wee! My money problems are solved. I don't do stuff like that, but someone should. Send all the money to me that is.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Best password ever by ergo98 · · Score: 5, Interesting

      He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password

      That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process. i.e. A prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuations), yet one way in which my passwords are weak is that I don't prescribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password changing best practices...recently I was thankful that my FreeBSD box has the single user local mode (without physical security there is no security) that lets you supersede the security systems because it'd gone unmanaged for so long that I'd forgotten among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) they use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc passwords you would find some pretty common correlations.

      And after he told me this, he changed it. Because he changes his PGP keys every week.

      He changes PGP keys every week? How do people that have to keep importing his public key feel about this? (Personally I'd have long refused to bother importing a new key each week).

  4. Guessing seldom needed by TandyMasterControl · · Score: 4, Interesting
    If you have access to a person's desk like the study stipulates, you have probably a 1 in 3 chance of finding the password written down somewhere.

    --
    Johnny Quest has two Daddies.
  5. Better than arbitrary, complex passwords. by jonathanjo · · Score: 2, Interesting

    From Jakob Nielsen's UseIt column on usability and the Internet, comes this column on Security and Human Factors. His summary:

    A big lie of computer security is that security improves as password complexity increases. In reality, users simply write down difficult passwords, leaving the system vulnerable. Security is better increased by designing for how people actually behave.


    Sysadmins are fond of forcing users to use complex passwords. What happens then is that the user writes the password on a yellow adhesive note and sticks it on the monitor. Better to let the user use the first password that comes to mind, with possible gentle restrictions like no dictionary words, so that the user can hold the password in his or her head without writing it down -- or putting it in a "Passwords" file on the hard drive. How many thieves really look up biographical information on computer users and find out all the names of their family members?
  6. Typical linux geek answers by Anonymous Coward · · Score: 2, Interesting

    This is the typical crap about passwords that gets handed around. PGP encoding and changing passwords weekly. As if. Looking at the number of sites I have passwords to, it numbers something like 60. People want usable computers not sophisticated mnemonics.

    Not that I always agree with him but this article is ideal:

    http://www.asktog.com/columns/026Security.html

    Time to accept that this is the reality of existence. You will never get people to memorize hundreds of passwords. I've seen businesses lose tons of money because they require cryptic passwords and the user moves on to the competitor.

    BTW the password nightmare is currently handing M$ a big victory in Passport. God knows I would love to have a single password...

  7. Lyrical passwords... by Colz+Grigor · · Score: 3, Interesting

    I think my passwords are usually pretty difficult to figure out...

    I pick some lyrics to a song that I know:
    "Penny Lane is in my ears and in my eyes."
    (I usually pick more obscure songs, but this is an example...)

    I then (sometimes) swap two words...
    "Penny Ears is in my lane and in my eyes."

    Then I convert it to a lower-case acronym...
    "peiimlaime"

    Convert every other character to 'leet (sometimes starting with the first, sometimes starting with the second)...
    "p3i!m1a!m3"

    This password is too repetitive... it's got two !s, two ms, and two 3s. I unconvert some of the 'leet to help out...
    "p3iim1a!m3"

    Now I convert some of the letters to upper-case...
    "p3iIm1A!m3"

    Looking at that password and not knowing how it was derived, you might think it's pretty random. But if you were a big Beatles fan, it'd be pretty easy for you to remember this one.

    One big problem with lyrical passwords, though:
    Don't hum the tune while you're typing in the password!!!

    ::Colz Grigor

  8. Re:People don't get password security by Anonymous Coward · · Score: 1, Interesting

    Some interesting number crunching...

    Assuming you run 1,000 attempts a minute to crack a password, and a dictionary of 60,000 words (i.e. 'joke' and 'joking' are 2 different words).

    Time to exhaustively run through the entire set...

    1 word - 60 minutes
    2 words catenated - 6.8 years
    2 words catenated or possibly separated by digit - 75.34 years
    2 words catenated or possibly separated by digit or non-alpha (i.e. '/', '+', etc.) - 137 years
    1 word followed by up to 5 digits - 12.68 years

    Brute Force
    ---------
    case sensitive alpha or 0-9 digit
    # of characters
    1 - 0.06 minutes
    2 - 3.91 minutes
    3 - 242.23 minutes
    4 - 10.43 days
    5 - 646.63 days
    6 - 110 Years
    7 - 6,810 years
    8 - 422,221 years
    9 - 26,177,713 years
    10- 1,623,018,211 years
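The two tables above can be rebuilt from the poster's stated assumptions (1,000 guesses a minute, a 60,000-word dictionary, a 365-day year); this Python script is an added example, not part of the post, and it makes two things explicit that the post leaves implicit: the brute-force rows are cumulative over every length up to n (which is why 2 characters gives 3.91 minutes rather than 3.84), and the "or non-alpha" row assumes 20 joiner choices (none, ten digits, nine symbols).

```python
# Added example (not part of the post): rebuilds the poster's two tables from
# the assumptions stated above so the arithmetic behind them can be checked.
GUESSES_PER_MINUTE = 1_000        # attack rate assumed in the post
DICTIONARY_WORDS = 60_000         # 'joke' and 'joking' counted as two words
ALPHABET = 26 * 2 + 10            # case-sensitive letters plus digits = 62
MINUTES_PER_YEAR = 60 * 24 * 365  # the post's figures use a 365-day year


def minutes_to_exhaust(keyspace):
    """Minutes needed to try every candidate at the assumed guess rate."""
    return keyspace / GUESSES_PER_MINUTE


def years_to_exhaust(keyspace):
    return minutes_to_exhaust(keyspace) / MINUTES_PER_YEAR


def dictionary_keyspace(words, joiners=1, max_digits=0):
    """Candidates built from `words` dictionary words, each gap between words
    filled by one of `joiners` choices (1 = plain concatenation; 11 = nothing
    or a digit; 20 = nothing, a digit or one of 9 symbols), optionally
    followed by 0..max_digits decimal digits."""
    suffixes = sum(10 ** n for n in range(max_digits + 1))
    return DICTIONARY_WORDS ** words * joiners ** (words - 1) * suffixes


def brute_force_keyspace(max_len, alphabet=ALPHABET):
    """All strings of length 1..max_len; the post's rows are cumulative."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def brute_force_table(max_len=10):
    """(length, minutes) rows matching the post's 'Brute Force' list."""
    return [(n, minutes_to_exhaust(brute_force_keyspace(n)))
            for n in range(1, max_len + 1)]


if __name__ == "__main__":
    print(f"1 word: {minutes_to_exhaust(dictionary_keyspace(1)):.0f} minutes")
    print(f"2 words: {years_to_exhaust(dictionary_keyspace(2)):.1f} years")
    print(f"2 words + digit: {years_to_exhaust(dictionary_keyspace(2, 11)):.2f} years")
    print(f"1 word + up to 5 digits: "
          f"{years_to_exhaust(dictionary_keyspace(1, max_digits=5)):.2f} years")
    for n, minutes in brute_force_table():
        print(f"{n:2d} chars: {minutes / MINUTES_PER_YEAR:,.2f} years")
```

Change GUESSES_PER_MINUTE to see how quickly every row collapses once the attacker holds the hash file and is no longer limited to online guessing.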

  9. Lotus has a cool password generator by stand · · Score: 2, Interesting

    Lotus Notes mail has a cool password generator. I converted it to Javascript once and use it for all my passwords:

    I can't post it here because it won't go past the lameness filter, but you can find it here.

    It produces nonsense passwords, but they are easy to remember because they come out like pseudo-words. e.g. jenzog72, or slocrip16. It's about the only thing useful I ever got out of Notes.

    --
    Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
  10. Re:Epasswd by pmc · · Score: 3, Interesting

    Enforce password conventions the way NASA does

    Hmm - not too bad an application. Users will write them down if they are too complex; that is the difference between strong and effective.

    The policy I came up with at my last company was minimum of 6 characters, not like your name, must start and end with a letter, and must contain a non-letter. This got the success rate of L0phtCrack with multilingual dictionaries down from 80%+ to about 4% on hybrid scan. This was enforced by Password policy enforcer (a company I have no connection with except as a satisfied customer), which has slightly better functionality than epasswd.
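The four rules of that policy, written as an acceptance check in Python; this is an added example, not the poster's enforcer. "Not like your name" is underspecified in the post, so it is interpreted here (an assumption) as rejecting any three-letter run of the account name that appears in the password. The rules are a floor, not a guarantee: a candidate such as "passw0rd" satisfies all four.

```python
import re

# Added example (not the poster's tool): the four rules from the post as a
# password-acceptance check, returning the list of rules a candidate breaks.
MIN_LENGTH = 6
NAME_RUN = 3   # assumption: 'not like your name' = no 3-letter run of the name


def name_fragments(name, run=NAME_RUN):
    """Every `run`-character window of each word in the account name."""
    fragments = set()
    for word in re.findall(r"[a-z]+", name.lower()):
        for i in range(len(word) - run + 1):
            fragments.add(word[i:i + run])
    return fragments


def check_policy(password, account_name):
    """Return the rules `password` violates; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not (password[:1].isalpha() and password[-1:].isalpha()):
        violations.append("must start and end with a letter")
    if all(c.isalpha() for c in password):
        violations.append("must contain a non-letter")
    lowered = password.lower()
    if any(frag in lowered for frag in name_fragments(account_name)):
        violations.append("resembles the account name")
    return violations


if __name__ == "__main__":
    # constructed sample candidates for a user whose account name is "Pat Lee"
    for candidate in ("a1b2c3", "patrick", "river7run", "passw0rd"):
        result = check_policy(candidate, "Pat Lee") or ["accepted"]
        print(f"{candidate:10s} -> {', '.join(result)}")
```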

  11. Re:The fallacy of their argument by rfredell · · Score: 2, Interesting
    Why does the OS make a difference? Would your favorite OS be immune to rogue thumbprint scanners? And why would putting a biometric scanner on an OS that is already wide open to identity theft (e.g. Win9x) make a difference?

    I wholly agree that two-factor authentication (something you have & know) is the way to go, but some of the hardware used can be vulnerable as well. Say for instance that you have an RSA key on a smartcard that has its own encryption. Now say that someone figures out how to sniff the key from the card via RF emissions. Poof. You are now vulnerable to having your identity stolen. ISTR reading a research paper that indicated hardware tokens were not as secure as advertised, although at the end of the day two-factor authentication is still better than one.

  12. Re:If you can get at their desk... by blibbleblobble · · Score: 3, Interesting

    I think even people with crap passwords (especially people with crap passwords) will either shield their typing or give you an evil stare until you look away when they're typing it.

    That's the other advantage of keeping the same password for years... you can type it in a blur of fingers, and nobody'll ever see it.

  13. My two rules for passwords by rcw-home · · Score: 4, Interesting
    1. It has to take someone longer than 30 seconds to memorize it if they were to see it written down somewhere
    2. It has to take me less than 2 seconds to type it in

    Any password that fits these criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.

    ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.

  14. Another problem: reuse by ca1v1n · · Score: 3, Interesting

    I haven't logged in as root on my box since I installed linux, thanks to sudo. My root password is a rather complicated string of characters that bears no resemblance to any words. My user password is similarly strong. Unfortunately, remembering lots of strong passwords isn't exactly easy. So, I've gotten lazy and reused some of them. Based on my tech support experience, I would guess that most people only have one or two passwords that they reuse. Snoop their plaintext logins to thespark.com or something like that, and you've got them. I've never made an unencrypted login to my box, and my passwords are strong, but that doesn't make them secure. Excuse me while I go change them...

  15. How I remember my passwords by Anonymous Coward · · Score: 1, Interesting

    I don't! (most of them)

    I have a blowfish encrypted file on my palm with a single hard password to remember, another pgp encrypted copy on my hd at home, and one printed out in a safe. All passwords contained therein are randomly generated 8-16(dependent on max length allowed by site) characters -including letters (upper & lower case), numbers, and special characters. About the only thing I *don't* do is use the alt keyspace. :) These are for the sites where you could do some damage if you cracked the account.

    For everything else, I use the same stupid password, although it is 'hard' as well.

  16. Sign of incompetence by coyote-san · · Score: 3, Interesting

    That policy is a sign of incompetence in the IT department.

    If strong passwords are used, they should have long expiration periods. It's not unreasonable to memorize a truly random password if you only have to do it once a year. If passwords are expiring every six weeks, you *have* to write it down (on a card in your wallet, on your PDA or cellphone, etc.) because it's impossible to remember them otherwise.

    Another good trick is to generate a list of a few dozen candidates and look for one with good "muscle memory." E.g., my main password now has a pattern of L-RR^-LL^-LRL where ^ means it's a key "straight above" the last key.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken