Slashdot Mirror


Crappy Passwords Very Common

KeatonMill writes "CNN released this story about passwords. Apparently, a group of UK psychologists did a study about password selection, and found that many passwords can be guessed if access to the subject's desk is allowed (the article gives an example of sports memorabilia representing sports-related passwords). According to the study, 50 percent of people use names of family members or pets as passwords."

32 of 422 comments

  1. Number Theory by ffatTony · · Score: 3, Interesting

    I've had good luck guessing passwords using the method of adding a number to the user's name: e.g. someGuy's password is probably someguy[0-9]+[0-9]*

  2. Biometrics... by MosesJones · · Score: 3, Interesting


    What this is saying is that if you know something of the person you can work out what they will say. This is always going to be the case until it is something actually unique for the person (fingerprint, iris etc). While we all _know_ that we should have passwords like "sdf987*(&^JJHASBDjkasdjkh231*()&as" and every account should have a different one it tends to be simpler to use something you can remember easily.

    So this isn't a surprise, and it's what the Biometrics people have been saying for years.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Biometrics... by BeBoxer · · Score: 5, Insightful

      The problem with biometrics as passwords is that they can still be obtained via other methods such as password sniffing and they can't be changed. So by themselves, they are even worse than regular passwords.

      Let's look at the "obvious" method of using say fingerprints as passwords. A print scanner on your keyboard scans your print into some sort of unique id. When you want to log in to some service, the keyboard sends your username along with your print id in lieu of a regular password. The service checks your username and print in its database and decides whether or not to grant access. The problem with this type of setup is that every service you use has the ability to impersonate you to every other service you use. Not a good idea at all. This is the same fundamental flaw credit cards have. Every vendor you do business with has the ability to impersonate you to every other vendor who accepts your type of credit card. Hence all the fraud. But at least with credit cards you can get a new number if someone starts abusing it.

      Really, the only way to do authentication that doesn't suffer from this flaw is to use a public-key based method. It's absolute insanity to start sending your fingerprint everywhere and using it as an ID. Absolutely the dumbest way of doing authentication online I can think of. Which is not to say that biometrics don't have their place at all. It can be used in very limited means inside of closed systems and provide a reasonable increase in security. I think where this will end up is that we will each have a small portable hardware device which can do secure public-key based authentication for us. A fingerprint can be used to authenticate us to our hardware token. Since the fingerprint never has to leave the token, it isn't nearly as vulnerable to being stolen. Imagine an ATM card which has a small number pad on it. You type the amount you want to withdraw into your ATM card which scans your prints as you type the amount in. Then, you insert the card into the ATM machine and the card securely authorizes a withdrawal in the amount you entered. This authorization protocol can be public and standardized without any loss of security. Your fingerprint never leaves the card so isn't vulnerable to theft.

      Note that there are companies now selling the keyboard-style scanners. In my opinion, these are nothing but snake oil. From looking through the descriptions of the available products, all of the ones I've found appear to be transmitting a fingerprint 'hash' to an authentication database. It's not hard to imagine software hacks which can record the fingerprint info as it comes in off the USB or parallel port and later replay that information to spoof users. While some hackers might still be guessing passwords, a lot are now using software to grab passwords either off the network or off the keyboard. Fingerprint scanners do nothing to prevent this type of hack except make it impossible to change the password after it's been stolen. So not only are you still vulnerable, your options for correcting the problem after the hack are drastically reduced.

      Inside of a corporate environment where all hardware and software installations are tightly controlled, there might be some value. But it's not a general purpose authentication technique. Every terminal you use will gain the ability to impersonate you, and every server you log into will gain the ability to impersonate you. Which is the case now, but I don't use the same password for Slashdot that I use for my shell accounts. And I don't log into my shell accounts from computers I have no reason to trust (such as at a cyber cafe.) If everyone is using biometrics, then the services you trust least (like Slashdot, say) have the information they need to impersonate you to the places you trust most (your bank, your shell accounts at work, etc.) When I say 'trust', I'm probably using the wrong word. What I mean is I don't really care very much if someone steals my Slashdot password. It's not a big deal. I do care if someone steals my work passwords, or online banking passwords. I would never use the same password both places, which is exactly what biometrics force me to do.
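The two designs BeBoxer contrasts, as an added example in Go (not code from the thread or from any scanner vendor): a service that stores and compares a fingerprint template as if it were a password, next to a personal token holding an Ed25519 key that the print merely unlocks. The user name, the template bytes and the "withdraw 40" action are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// fingerprintID stands in for whatever a scanner derives from a print. It is
// constant for life, which is exactly why it must never double as a secret.
type fingerprintID []byte

// Model A: the keyboard-scanner design. The service stores the template and
// accepts any login that presents an equal one, so anyone who has seen it once
// (a sniffer on the cable, a rogue service) can replay it anywhere it is enrolled.
type templateService map[string]fingerprintID

func (s templateService) Login(user string, presented fingerprintID) bool {
	stored, ok := s[user]
	return ok && subtle.ConstantTimeCompare(stored, presented) == 1
}

// Model B: the comment's personal token. The private key never leaves it, the
// print only unlocks it, and services keep nothing but a public key.
type token struct {
	priv      ed25519.PrivateKey
	ownerHash [32]byte // only a hash of the print, and only inside the token
}

func newToken(owner fingerprintID) (*token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &token{priv: priv, ownerHash: sha256.Sum256(owner)}, pub
}

// Authorize signs challenge||action only for the enrolled owner. The signature
// commits to this one challenge, so a captured copy is dead in the next session.
func (t *token) Authorize(print fingerprintID, challenge []byte, action string) ([]byte, bool) {
	h := sha256.Sum256(print)
	if subtle.ConstantTimeCompare(h[:], t.ownerHash[:]) != 1 {
		return nil, false
	}
	return ed25519.Sign(t.priv, append(append([]byte{}, challenge...), action...)), true
}

type keyService map[string]ed25519.PublicKey

// freshChallenge is a random per-session nonce issued by the service.
func freshChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func (s keyService) Verify(user string, challenge []byte, action string, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, append(append([]byte{}, challenge...), action...), sig)
}

// Constructed sample template; a real one would come from the scanner.
var alicePrint = fingerprintID("constructed-minutiae-of-alice")

// replayAgainstTemplate: the template held by service A logs Alice into service B.
func replayAgainstTemplate() bool {
	a := templateService{"alice": alicePrint}
	b := templateService{"alice": alicePrint}
	stolenFromA := a["alice"]
	return b.Login("alice", stolenFromA)
}

// replayAgainstToken: a signature captured in one session fails against the
// next session's challenge, while a fresh authorization succeeds.
func replayAgainstToken() (replayAccepted, freshAccepted bool) {
	tok, pub := newToken(alicePrint)
	bank := keyService{"alice": pub}

	c1 := freshChallenge()
	sig1, _ := tok.Authorize(alicePrint, c1, "withdraw 40")
	freshAccepted = bank.Verify("alice", c1, "withdraw 40", sig1)

	c2 := freshChallenge()
	replayAccepted = bank.Verify("alice", c2, "withdraw 40", sig1)
	return replayAccepted, freshAccepted
}

func main() {
	fmt.Println("template from service A accepted by service B:", replayAgainstTemplate())
	replay, fresh := replayAgainstToken()
	fmt.Println("token: fresh authorization:", fresh, " replayed signature:", replay)
}
```

The template service is impersonation by construction: whatever it stores is exactly what it accepts, so a breach of service A, or a tap on the USB cable, yields a credential that is valid at service B and cannot be rotated. With the token, services hold only public keys, every signature binds to a fresh nonce, and a compromised service learns nothing usable elsewhere; if the token is lost, its key is revoked and a new one enrolled, which is the one property a fingerprint can never have.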

  3. In other news... by bwulf · · Score: 5, Funny

    ... water found to be wet[1], sky found to be blue, Earth found to be round[2] and CNN found to be obvious.

    [1] at certain temperatures
    [2] well, almost

  4. Best password ever by Apreche · · Score: 3, Interesting

    The best password ever is one my friend has. He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password. And after he told me this, he changed it. Because he changes his PGP keys every week.

    If you are one of these people who has a stupid password, you deserve what you get.

    I'm going to get the book of petnames now and write a brute force hack into paypal, wee! My money problems are solved. I don't do stuff like that, but someone should. Send all the money to me that is.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Best password ever by ergo98 · · Score: 5, Interesting

      He took the name of a family pet, just like an idiot would. But then he encrypted it with 4096 RSA PGP and the passphrase was his favorite saying. The 15th through 23rd characters were his password

      That sounds like an interesting way of making a password a failsafe (i.e. you would be able to recover it if you forgot the special sequence of characters, and the password becomes not only the code sequence but also the process, i.e. a prehashing of hashing. An interesting scenario would be to say "my password is always WEAKPASSWORD but for each service I'll hash it through SHA1 with the service name, and I'll use characters 10-15 in hex form as my password"). I use strong passwords (bogus words, numbers and punctuation), yet one way in which my passwords are weak is that I don't subscribe to best practices for changing passwords regularly. Why? Because I've forgotten so many passwords that I'm cynical about the reality of password-changing best practices... recently I was thankful that my FreeBSD box has the single-user local mode (without physical security there is no security) that lets you supersede the security systems, because it'd gone unmanaged for so long that I'd forgotten it among the hundreds of passwords out there. I truly believe that if users are forced to regularly change passwords then they a) write it down, b) use weak passwords so they don't forget for the short period that they have to use it, c) use the same password on many different services. I believe that c is very common, and if you analyzed people's ICQ, Hotmail, Slashdot, computer, domain, etc. passwords you would find some pretty common correlations.

      And after he told me this, he changed it. Because he changes his PGP keys every week.

      He changes PGP keys every week? How do people that have to keep importing his public key feel about this? (Personally I'd have long refused to bother importing a new key each week).
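The "hash a weak master with the service name" scheme ergo98 sketches, written out as an added example in Go (not code from the comment). The slice offsets, the ":" separator and lower-casing the service name are assumptions the comment leaves open. The second function shows what the scheme does not buy: six hex characters are 24 bits, and anyone who learns one derived password and the recipe can brute-force the master offline, so the result is only as strong as the master it was meant to save you from remembering.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// derive follows the scheme sketched in the comment: SHA-1 over the fixed
// master password and the service name, then a fixed slice of the hex digest.
// "Characters 10-15" is read here as 1-based and inclusive (six hex digits);
// lower-casing the service name and the ":" separator are assumptions, since
// the comment fixes neither.
func derive(master, service string) string {
	sum := sha1.Sum([]byte(master + ":" + strings.ToLower(service)))
	digest := hex.EncodeToString(sum[:]) // 40 hex characters
	return digest[9:15]
}

// recoverMaster is the attack the scheme invites: anyone who learns one
// derived password (say, from a site that stored it in plaintext) and knows
// the recipe can test master-password candidates offline until one reproduces it.
func recoverMaster(service, leaked string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if derive(c, service) == leaked {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed inputs; the master is the comment's own placeholder.
	for _, svc := range []string{"slashdot", "hotmail", "icq"} {
		fmt.Printf("%-9s %s\n", svc, derive("WEAKPASSWORD", svc))
	}
	leaked := derive("WEAKPASSWORD", "slashdot")
	wordlist := []string{"password", "letmein", "WEAKPASSWORD", "hunter2"}
	m, ok := recoverMaster("slashdot", leaked, wordlist)
	fmt.Println("master recovered from one leaked derived password:", m, ok)
}
```

A per-service derivation does stop one leaked password from opening the other accounts directly, which is the reuse problem several comments here describe. It does not stop the offline guess against the master, and a six-character hex output is also within reach of online guessing on any service without lockout.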

    2. Re:Best password ever by zzyzx · · Score: 4, Funny

      My PIN is pi... The last 4 digits.

    3. Re:Best password ever by ryanvm · · Score: 3, Funny

      Because he [my friend] changes his PGP keys every week.

      Wow - every week, huh? Does your friend wear a tinfoil hat and worry about Major League Baseball spying on him with a satellite, too?

  5. Guessing seldom needed by TandyMasterControl · · Score: 4, Interesting
    If you have access to a person's desk like the study stipulates, you have probably a 1 in 3 chance of finding the password written down somewhere.

    --
    Johnny Quest has two Daddies.
  6. Has to be crappy. by Account+10 · · Score: 5, Insightful

    The password policy where I work is 10 characters, mix of upper and lowercase, at least 1 non-alphabetic, expires every 6 weeks. So of course I write it down (indirectly) or put it in "logon.bat".
    Because of Windows' stupid caching, I already have to phone the helpdesk every 6 weeks to get my account unlocked when Windows somewhere decides to try my old password 5 times in succession.

    1. Re:Has to be crappy. by beer_maker · · Score: 3, Insightful
      Try this on your boss every day, make them hate IT as much as you. (-;

      /RANT ON

      Make them hate IT as much as [they hate] you? You can't even remember your password and now you want to get the poor IT staff in trouble? Thanks a lot.

      I LOVE folks like you. You're the one with the 30 GB of mp3s on the server, the collection of screensavers on your desktop machine, and the Zip disk you swore would be used "only for work files, really."

      You, Sir or Madam, put the "L" in user!

      /RANT OFF

      Whew, that felt good. Who needs Karma, anyway ...

      --
      Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
  7. My password is... by jwinter1 · · Score: 3, Funny

    My password is and always has been newline, newline, newline.

    Gets me logged in quick, and no one seems to be able to guess those last two characters.

    --
    Anything you can do, I can do meta.
  8. People don't get password security by defile · · Score: 5, Funny

    I went to my bank the other day to assign a PIN to my ATM card. For this you need to sit down with a bank person at their desk. Just to be a pain in the ass, I asked her how many numbers I could enter (it's 7). She said 4. I entered 7 and it took.

    Then she went "How do you remember 7 numbers?" and I said "The same way I'd remember 4 numbers. It's not like remembering yet another set of numbers is going to be hard--I've memorized the passwords of at least 20 other services".

    To which the lady at the bank said "See, the best way is to just use the same password for EVERYTHING. This way you only need to remember one!"

    1. Re:People don't get password security by oo7tushar · · Score: 4, Funny

      The reason you want to enter 4 is because a lot of old systems only supported 4. They were trying to make you backwards compatible.
      But you raise an interesting point, passwords used to be the domain of the l33t (5, 10 years ago), but now everybody uses computers and they aren't as proficient. They can type, they can message but they don't understand computer security, for them the net is still their computer and the most secure box on the planet, why? because it's in their home.

  9. Passwords.. by bje2 · · Score: 5, Insightful

    you know what my problem is??? i have dozens and dozens of passwords to remember...i have my work computer, my work e-mail, my home computer, my 2 home e-mail accounts, eBay, Slashdot, IM, etc...it's just too many passwords to remember...

    because of that, i've fallen into a bad rut for my passwords, i only have like three that i use on a regular basis, and i just reuse them whenever i register for a new account...don't get me wrong, i know that's a terrible thing to do...but i just can't bother myself to remember more and more passwords...god forbid someone found one out...

    does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?

    ...that said, i think i'll go change my slashdot password...
    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
    1. Re:Passwords.. by Remus · · Score: 3, Insightful

      I was in the same situation and decided that neither using only a few passwords nor trying to memorize >= 10 passwords is a really good idea. So I started using Keyring for PalmOS on my Palm. It even generates random passwords for me (useful for all those web accounts) and I only have to remember one master password.

      Passwords that I use regularly stick after a while anyway.

      Remus

    2. Re:Passwords.. by zbuffered · · Score: 3, Funny

      does anyone have any tips for things they do, or products they use to keep track of their dozens and dozens of passwords...?

      Use Microsoft(R) Passport(tm).

      --
      Synergy is your friend
  10. No s**t, Sherlock by seldolivaw · · Score: 4, Funny

    I realised this the moment the team leader of our software development project -- a woman who is about to graduate with a *degree* in *computer science* revealed that her password for nearly everything was her name, spelt backwards. *D'oh!*

  11. How to pick a good password by EricKrout.com · · Score: 4, Informative

    The best way to think of a password is to conjure up a phrase that's random, but easy to memorize. Then, just use the first letter of each word as your password.

    For example, if you're told to pick a password with at least six characters, you could randomly come up with: Dubya Doesn't Know A Goddamn Thing

    Then, you'll have a good, random password (ddkagt) and you'll remember it, too.

    If there are other restrictions (you need numbers, mix of upper/lower cases), just adjust your random phrase to coincide.

    m o n o l i n u x :: Imagine There's No Windows(tm). It's Easy If You Try.

    1. Re:How to pick a good password by Tony+Hoyle · · Score: 5, Funny

      My boss does this using nursery rhymes. Sometimes when he's on holiday we have to get into his machine... you end up with half a dozen geeks reciting nursery rhymes to each other until the correct permutation is reached.

  12. The fallacy of their argument by Walter+Bell · · Score: 5, Insightful
    ...is that, although biometrics will generate a nice password like "sdf987*(&^JJHASBDjkasdjkh231*()&as" that nobody could ever guess, the problem of a replay attack is undeniable. That is, once somebody can obtain your biometric hash through the use of a rogue thumbprint scanner, there's no way (by definition) that you'll ever be able to change it to something different and make it secure again. And that is why putting biometric scanners on personal PCs with insecure Micro$oft operating systems opens the door quite wide to identity theft.

    The best authentication schemes involve something you know (a PIN or password) and something you have (a smartcard, RSA key fob, or some other device that implements a challenge/response system to authentication queries).

    ~wally

  13. Epasswd by jhunsake · · Score: 4, Insightful

    Enforce password conventions the way NASA does... Epasswd

    1. Re:Epasswd by pmc · · Score: 3, Interesting

      Enforce password conventions the way NASA does

      Hmm - not too bad an application. Users will write them down if they are too complex; that is the difference between strong and effective.

      The policy I came up with at my last company was minimum of 6 characters, not like your name, must start and end with a letter, and must contain a non-letter. This got the success rate of L0phtCrack with multilingual dictionaries down from 80%+ to about 4% on hybrid scan. This was enforced by Password policy enforcer (a company I have no connection with except as a satisfied customer), which has slightly better functionality than epasswd.
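pmc's policy as an enforceable check, added here as an example in Go (not code from the Password Policy Enforcer product, from epasswd, or from the comment). "Not like your name" is read as "does not contain the account name or its reverse, ignoring case"; that interpretation is an assumption. The samples are constructed, and include the leetspeak password built in another comment on this page, which this particular policy rejects for ending in a digit.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// checkPolicy lists every rule a candidate breaks under the policy the comment
// describes. "Not like your name" is taken to mean the password does not contain
// the account name or its reverse, ignoring case; that reading is an assumption.
func checkPolicy(username, password string) []string {
	var violations []string
	r := []rune(password)

	if len(r) < 6 {
		violations = append(violations, "shorter than 6 characters")
	}
	if len(r) == 0 || !unicode.IsLetter(r[0]) {
		violations = append(violations, "does not start with a letter")
	}
	if len(r) == 0 || !unicode.IsLetter(r[len(r)-1]) {
		violations = append(violations, "does not end with a letter")
	}
	hasNonLetter := false
	for _, c := range r {
		if !unicode.IsLetter(c) {
			hasNonLetter = true
			break
		}
	}
	if !hasNonLetter {
		violations = append(violations, "contains no non-letter")
	}
	lp, lu := strings.ToLower(password), strings.ToLower(username)
	if lu != "" && (strings.Contains(lp, lu) || strings.Contains(lp, reverse(lu))) {
		violations = append(violations, "resembles the account name")
	}
	return violations
}

func compliant(username, password string) bool {
	return len(checkPolicy(username, password)) == 0
}

func main() {
	// Constructed samples, including the trivial ones other comments report seeing in the wild.
	samples := []string{"", "password", "Summer#9x", "9lives", "bje2!rocks", "p3iIm1A!m3", "sdf987*(&^JJHASBDjkasdjkh231*()&as"}
	for _, pw := range samples {
		fmt.Printf("%-36q -> %v\n", pw, checkPolicy("bje2", pw))
	}
}
```

The start-and-end-with-a-letter rule is what does most of the work against hybrid dictionary attacks, since those mostly append digits or symbols to a word; it is also what makes a perfectly good password like the leetspeak one fail, which is the "strong versus effective" trade-off the parent comment raises.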

  14. What about the inverse? by dsb3 · · Score: 5, Funny

    I once named a pet (it was a fish, in fact) after one of my passwords. Shame it wasn't one of the more pronounceable ones.

    --

    Slashdot? Oh, I just read it for the articles.
  15. Lyrical passwords... by Colz+Grigor · · Score: 3, Interesting

    I think my passwords are usually pretty difficult to figure out...

    I pick some lyrics to a song that I know:
    "Penny Lane is in my ears and in my eyes."
    (I usually pick more obscure songs, but this is an example...)

    I then (sometimes) swap two words...
    "Penny Ears is in my lane and in my eyes."

    Then I convert it to a lower-case acronym...
    "peiimlaime"

    Convert every other character to 'leet (sometimes starting with the first, sometimes starting with the second)...
    "p3i!m1a!m3"

    This password is too repetitive... it's got two !s, two ms, and two 3s. I unconvert some of the 'leet to help out...
    "p3iim1a!m3"

    Now I convert some of the letters to upper-case...
    "p3iIm1A!m3"

    Looking at that password and not knowing how it was derived, you might think it's pretty random. But if you were a big Beatles fan, it'd be pretty easy for you to remember this one.

    One big problem with lyrical passwords, though:
    Don't hum the tune while you're typing in the password!!!

    ::Colz Grigor

  16. Welcome to the Slashdot Server by Wordsmith · · Score: 4, Funny

    Welcome to the Slashdot Server

    Login: CmdrTaco
    Password: Kathleen

    "Whoohoo! I'm in!"

  17. Re:If you can get at their desk... by blibbleblobble · · Score: 3, Interesting

    I think even people with crap passwords (especially people with crap passwords) will either shield their typing or give you an evil stare until you look away when they're typing it.

    That's the other advantage of keeping the same password for years... you can type it in a blur of fingers, and nobody'll ever see it.

  18. Re:So? Only allow 'trusted' devices... by Detritus · · Score: 4, Funny
    You can't exactly ask your admin to change your fingerprints.

    I can change them for you. Where did I put that cheese grater...

    --
    Mea navis aericumbens anguillis abundat
  19. My two rules for passwords by rcw-home · · Score: 4, Interesting
    1. It has to take someone longer than 30 seconds to memorize it if they were to see it written down somewhere
    2. It has to take me less than 2 seconds to type it in

    Any password that fits these criteria will take a long time to crack and even longer to figure out by looking over someone's shoulder.

    ObTrivia: at a place I used to work, 246 out of 780 user accounts had a password of "", "pass", or "password". Before I convinced the IT director to let me implement strong passwords, anyway.
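ffatTony's username-plus-digits rule (comment 1) and rcw-home's 246 of 780 accounts on "", "pass" or "password", together as an added audit example in Go (not code from either comment, and not whatever tool either used). The accounts, names and passwords are constructed; the store uses salted SHA-256 only to keep the example short, where a real one would use a slow hash.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strconv"
)

type account struct {
	user string
	salt []byte
	hash []byte
}

// hashPassword is a plain salted SHA-256 to keep the example short; a real
// store would use a deliberately slow hash (bcrypt, scrypt, Argon2).
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func enroll(user, password string) account {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return account{user: user, salt: salt, hash: hashPassword(salt, password)}
}

// guesses is the first thing a desk-side attacker would try: the trivial set
// one comment found on 246 of 780 accounts, the bare username, and the
// username with a numeric suffix (the other comment's rule), here 0 to 999.
func guesses(user string) []string {
	out := []string{"", "pass", "password", user}
	for i := 0; i < 1000; i++ {
		out = append(out, user+strconv.Itoa(i))
	}
	return out
}

// audit hashes each guess under the account's own salt and reports the
// accounts that fall, with the guess that opened them.
func audit(accounts []account) map[string]string {
	found := map[string]string{}
	for _, a := range accounts {
		for _, g := range guesses(a.user) {
			if subtle.ConstantTimeCompare(hashPassword(a.salt, g), a.hash) == 1 {
				found[a.user] = g
				break
			}
		}
	}
	return found
}

// sampleAccounts is constructed for the example.
func sampleAccounts() []account {
	return []account{
		enroll("jsmith", "password"),
		enroll("someguy", "someguy42"),
		enroll("mlee", ""),
		enroll("kwong", "pass"),
		enroll("rcw", "p3iIm1A!m3"),
	}
}

func main() {
	accounts := sampleAccounts()
	found := audit(accounts)
	fmt.Printf("%d of %d accounts opened by the first %d guesses\n", len(found), len(accounts), len(guesses("x")))
	for user, g := range found {
		fmt.Printf("  %-8s %q\n", user, g)
	}
}
```

Run against a real hash dump the same loop, with a real wordlist and per-account mangling rules, is what L0phtCrack's hybrid mode does; the point of the small guess list here is that it needs no cracking hardware at all, which is why a policy that merely bans these shapes removes most of the exposure.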

  20. Another problem: reuse by ca1v1n · · Score: 3, Interesting

    I haven't logged in as root on my box since I installed linux, thanks to sudo. My root password is a rather complicated string of characters that bears no resemblance to any words. My user password is similarly strong. Unfortunately, remembering lots of strong passwords isn't exactly easy. So, I've gotten lazy and reused some of them. Based on my tech support experience, I would guess that most people only have one or two passwords that they reuse. Snoop their plaintext logins to thespark.com or something like that, and you've got them. I've never made an unencrypted login to my box, and my passwords are strong, but that doesn't make them secure. Excuse me while I go change them...

  21. Re:That leads to DoS by RainbowSix · · Score: 3, Insightful

    Perhaps a good way to implement a lockout is that once lockout occurs it will still accept passwords but it must be typed in 3 times in a row at 15 seconds apart. It would only take 45 seconds to log in (as opposed to getting locked out for x minutes) but the delay and requirement would be a buffer against a cracking program.

    --
    --------
    It's OK to be social, just don't tell anyone about it.
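RainbowSix's slow lockout as a state machine, added here as an example in Go (not code from the comment). The constants are the comment's: five failures to lock, three confirmations, 15 seconds apart. The further choice that any attempt inside the 15-second window resets the streak is an assumption, made so a script cannot hurry the process. The clock is passed in by the caller so the behaviour can be checked without waiting; the account and password are constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

const (
	failuresBeforeLockout = 5
	confirmationsRequired = 3
	minimumGap            = 15 * time.Second
)

type outcome int

const (
	rejected outcome = iota // wrong password, or unknown user
	tooSoon                 // locked: attempt arrived inside the gap, streak reset
	pending                 // locked: correct, but more confirmations needed
	accepted
)

func (o outcome) String() string {
	return [...]string{"rejected", "too soon", "pending", "accepted"}[o]
}

type account struct {
	password    string // plaintext only to keep the example short; store a salted hash
	failures    int
	locked      bool
	confirmed   int       // consecutive correct entries in the current locked streak
	lastAttempt time.Time // taken from the caller's clock so tests are deterministic
}

type guard struct{ accounts map[string]*account }

func newGuard(creds map[string]string) *guard {
	g := &guard{accounts: map[string]*account{}}
	for u, p := range creds {
		g.accounts[u] = &account{password: p}
	}
	return g
}

// Login returns the outcome and, for pending or accepted, how many confirmations are in.
func (g *guard) Login(user, password string, now time.Time) (outcome, int) {
	a, ok := g.accounts[user]
	if !ok {
		return rejected, 0
	}
	correct := subtle.ConstantTimeCompare([]byte(a.password), []byte(password)) == 1

	if !a.locked {
		if correct {
			a.failures = 0
			return accepted, 0
		}
		a.failures++
		if a.failures >= failuresBeforeLockout {
			a.locked, a.confirmed, a.lastAttempt = true, 0, now
		}
		return rejected, 0
	}

	// Locked: passwords are still checked, but every attempt must be at least
	// minimumGap after the previous one, and three correct ones in a row are
	// needed. Hammering resets the streak, so a script gains nothing by going fast.
	if now.Sub(a.lastAttempt) < minimumGap {
		a.confirmed, a.lastAttempt = 0, now
		return tooSoon, 0
	}
	a.lastAttempt = now
	if !correct {
		a.confirmed = 0
		return rejected, 0
	}
	a.confirmed++
	if a.confirmed >= confirmationsRequired {
		a.locked, a.failures, a.confirmed = false, 0, 0
		return accepted, confirmationsRequired
	}
	return pending, a.confirmed
}

func main() {
	g := newGuard(map[string]string{"bje2": "Summer#9x"}) // constructed account
	t0 := time.Date(2003, 1, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < failuresBeforeLockout; i++ {
		g.Login("bje2", "password", t0.Add(time.Duration(i)*time.Second))
	}
	for _, s := range []int{5, 20, 35, 50} {
		o, n := g.Login("bje2", "Summer#9x", t0.Add(time.Duration(s)*time.Second))
		fmt.Printf("t+%2ds correct password -> %s (%d/%d)\n", s, o, n, confirmationsRequired)
	}
}
```

One caveat the design carries: a locked account still answers "pending" to a right guess, so it slows a cracker rather than hiding which guess hit. A deployment would want the same response to right and wrong attempts until the third confirmation, and a cap on how long an account can sit in the locked state before someone is told.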
  22. Sign of incompetence by coyote-san · · Score: 3, Interesting

    That policy is a sign of incompetence in the IT department.

    If strong passwords are used, they should have long expiration periods. It's not unreasonable to memorize a truly random password if you only have to do it once a year. If passwords are expiring every six weeks, you *have* to write it down (on a card in your wallet, on your PDA or cellphone, etc.) because it's impossible to remember them otherwise.

    Another good trick is to generate a list of a few dozen candidates and look for one with good "muscle memory." E.g., my main password now has a pattern of L-RR^-LL^-LRL where ^ means it's a key "straight above" the last key.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken