Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
yup. that's my password.
USB keys are really neat to store keys (PGP, SSH, etc) .
This is definitely the handiest way to replace multiple passwords.
Store then in your wallet like Bruce Schneier does.
Note: I don't store mine in my wallet, so keep your hands to yourself!
I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.
Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows NT 4.0 Server, no less) had NO Administrator password whatsoever.
Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).
People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...
And then, of course, the techs (us!) would get blamed.
Honey, I shrunk the Cygwin
My passwords are 12-14 characters long alphanumeric codes. These codes are combinations of two 6-7 character long subsequences that I have in my tactile memory. This way I only have to remember which combination made up the password for which site.
BOO! TERRO
Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!
I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...
Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...
Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.
Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]
I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and symbols. Add in changing it every month, and you get the picture.
And BTW - everyone on site, even the IT dept., did it the way I did.
"As God is my witness, I thought turkeys could fly." A. Carlson
For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.
This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.
My cats ate my karma. They also wrote this comment.
Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.
I get password rage myself, although it is caused by moronic users who can't remember their passwords. Since they laid off all the first level support and helpdesk people in my company, now I'm stuck resetting passwords all day. I blame the users for this, but it *will* be nice for IT staff when biometrics replace passwords.
I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all passwords would facilitate the password creation process. By providing a publicly-available password list and the application of such passwords, users would be able to leverage off the peer-review methodology which is quite popular in Ukraine.
The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.
Only when we improve the texture-layer vortex shading in the Matrox drivers can we unleash the full potential of quad-monitor Parhelia configurations.
Which is nice.
Wearing pants should always be optional.
Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.
Plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.
Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboard
I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
Biometrics on its own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:
- something you have (such as a token) or
- something you know (such as a password or PIN)
:))
http://blog.astyran.sg
...and tell you if you forgot them. Your duty is only to remember the master password. That's called Keychain, and is provided by Mac OS X.
For extra security you can also put your keychain on a USB key along with your GPG & SSH keys, and keep it away from your computer when you're not using it.
You've got a Windows box? Sorry. I'm quite sure there are some similar solutions for Linux out there, though.
“Wait for Hurd if you want something real” –Linus
Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"
Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
I never thought I'd hear that on Slashdot.
I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just might be an inherent flaw of conventional passwords, and we either have to accept that, or develop a better system.
I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....
I just pick a poem/song text/... that I know by heart, and take the first letter of every word. That gives me an easy to remember, random-looking password of ~20-30 chars.
If so, your problem's solved!
CEE5210S The signal SIGHUP was received.
I don't so much mind managing the dozen or so passwords I have to memorize... namely because I get to pick them. What I can't get over is our damned voicemail system!!!
;)
First off... the damned thing expires every 3 weeks, secondly, it remembers your last 10 or so entries and won't allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now!
It's gotten so bad, probably half the phones at work have their voicemail password sticky-noted to the phone. Weakest link is always the user, eh?
Now THAT gives me password-rage.
IMHO, the easiest (cheating wisely) solution is to pick 2-3 keyboard sequences then add shifts at various places to create a number of passwords per sequence. This way you only have to remember 2 or 3 typing patterns (um, not repeating or obvious ones mind you....try to be random) and then where you used or don't use shifts. It also lets you switch passwords regularly without having to force yourself to remember a new pattern. I usually change my patterns up at least once every year (probably not enough but I'm lazy and if you want my pr0n collection more than me then God bless, I probably don't need it, anyway)
One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.
Apple Keychain
Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
Are you an open source warrior?
Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random ones, they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remember %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time.
And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?
Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in one's wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!
Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
Biometric Encryption Thingamajigs (BET) cards, pins, chips, ... would be great, but dang there ain't no frick'en standards. Guess how many BETs would be on your key-ring and/or in your wallet/purse .... Yep, that's right maybe as many as your passwords. ....
Each credit card company will require you use theirs, each business/agency/... and maybe departments will require that only theirs be used for this da-dumb location/job, your banks do not want to use the same BETs as your brokerages, the city/county will want their own BET for property taxes/..., the state and federal will require different BETs be used for driving, travel, airlines, passports,
I guess, more piss-poor-planning before it gets any better. We may as well continue with passwords, because it won't cost any more and BETs won't help the situation improve anytime soon.
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Pick a memorable phrase. Like "we have nothing
to fear but fear itself".
Use the first letter of each word in the phrase
as your password at site #1. Use the second
letter of each word at site #2. Using that phrase
the passwords would be:
whntfbfi
eaooeuet
Diceware definitely provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.
What's wrong with passwords? I love passwords! They're so fun to memorize. Especially when they belong to other people.
Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.
[insert witty quote here]
Here's what I do... feel free to tear it apart if it's actually a bad idea...
Let's say I have 10 machines. For each of them, I just memorize an easy to remember 8 letter password. There's also one nasty long password stub that I have that's like 12 characters. I remember just one of those, and after I do the first 8 of the machine specific, simple password, I append the big nasty one, and that's the password for the machine. If someone gets one of them, I know I have however long it takes to brute force crack an 8 letter password to get the other machines.
Not that I see what the big deal is -- isn't a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (roughly; don't do the actual math as I know they are different. All I mean is that they're both good enough most of the time)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
I use word+number combinations; I have passwords with several structure types: WACKY_WORD+SOME_NUMBER and WORD+SOME_NUMBER+ANOTHER_WORD and even WORD+SOME_nUMBER+ANOTHER_WORD+SOME_OTHER_NUMBER
Usually the two words relate to each other, and the numbers are in a range of my favorite numbers - which I don't tell anyone - which makes it easier to remember. Sometimes it's not even a real word, but something that's readable/pronounceable (spelling?). The biggest one I use has like 15 chars...
I avoid using real totally random stuff like: a020xoasjdksi90 which may be a pain to remember if you use more than one. BUT, if the purpose is to use *real random* strings, then the best thing is to have like 3 of them and use them in the several services.
I try not to remember users' passwords at my work, just to watch my ass....But let me tell you...Users' passwords are the dumbest passwords I've seen. Everyone uses their kids' name or pet's name or something related to them. Those are the worst passwords in the world!!
How easy is that to hack!!! Use letters and numbers!!
My company has a bad way with passwords in the past too...the password for the MAIN NT server was....PASSWORD!! I couldn't believe that!!!
It's all about security, they had none....
It's left blank because I have nothing to say to you punks!
The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.
The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.
Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't). The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
Oolite: Elite-like game. For Mac, Linux and Windows
Biometrics still have a lot of basic advantages over passwords.
Today:
[Informed cracker dials front desk]
Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?
Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".
Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.
Next year:
[Informed cracker dials front desk]
Cracker: Hi, this is John in Support. We're having a problem with your account, could you just send me your fingerprint so we can fix it?
Clueless front-desker: Um...
Remember, the two biggest problems with passwords are (a) choosing dumb ones allowing brute-force attacks on a system, and (b) their vulnerability to social engineering attacks. Even simple biometrics would go a long way to fixing those, and thus restricting cracking to those who actually have a clue and not s'kiddies with nothing better to occupy their time.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
When I need to fill out a new password I just use "level" and then add the general name for that service, e.g.: levelisp, levelmail, levelwork, levelweb, levelforum etc.
We recently put an OpenBSD machine on the network as our "admin login server". Previously, we were just logging into our main server directly via ssh, which wasn't really extremely safe, but, I mean, it was IP restricted to a /22 of IPs that we all had at home (lack of ISPs in the area lends to all of us using the same one).
/bin. Pissed me off royally. I mean, if you're root, you should understand and weigh the consequences of a password like RfoLr65 as opposed to WsukF&2, and understand that the &, while making it very hard to crack, is also an annoyance to someone who has to type it a hundred times a day.
So anyway, we locked down the main server and set up an admin-only login server, running OpenBSD. Previously, my password had been (backwards name of a person + two numerals), which was fairly secure. So, when I was setting up my account on the OpenBSD machine, I logged in via the password that my coassociate had given me, and tried to change my password to the other password. But, it wouldn't let me.
I was kinda miffed, but I just su'd to root, to change my password as root with passwd username. But, it wouldn't let me change it there either! It told me that it was too simple! So, I changed it, in case the program recognized people's names, backwards, for some reason. Changed it to a random string of 6 characters plus 2 numerals. Still wouldn't accept it!
Sometimes you can take security too far. If I am ROOT on a system, I AM GOD. If I want my password to be "1", i should be able to do that. I was very resentful when that system told me that I couldn't do something when I was root. If I'm root, I should be able to rm -rf
There's always a trade off. And, if I'm root, don't fucking tell me I can't do something.
~Will
sig?
I would have had first post but I forgot my Slashdot password. :-(
I recall the lack of imagination I had towards passwords. I would always use something like: "Good Administrators Never Use Passwords Other Than Alphanumeric 528"
I simply make up random passwords for web forms or entry boxes and a program I use automatically captures the information, encrypts it, and stores it in a database. Each time I need a password again, it automatically fills it in for me. This system can be configured to require a master password every time it is used, to be on a timer, or to stay unlocked for as long as I am logged in. I can configure it based on application depending on how much I "trust" the program to use my passwords. I can always recover my passwords by simply launching the app, clicking the key I want, and clicking to decrypt it. This program is built into my operating system and is hooked into every program I use. It is called the Apple Keychain, and it is a life saver.
...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like " "It's a UNIX system, I know this..."
---
A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH
Another component to the problem is the 500000 websites that want passwords - web forums, etc, etc. (Slashdot...) Most of them I could care less about if someone were to crack the password - oooh, someone could look at my personalized list of stories or post under my name, I better use a good 9-digit random password for that! :-)
So I have a low-security password I use for all of them (though it's not dictionary-attackable), and only use "real" passwords for sites and computers that protect real information. But even for those, I mostly use one longer, harder-to-crack password because even eliminating the don't-cares, I still have WAY too many sites/computers to reasonably remember totally different passwords, let alone change them regularly.
The security expert interviewed recently (story linked to on Slashdot) about the Patriot Act said similar things - his solution is to write them down and put them in his wallet. As he put it, he has a lifetime of experience in keeping his wallet safe. (Though I hope he has a backup piece of paper somewhere...)
The concept of single is good. But I hate the idea of using commercial/proprietary/closed-source technology like Netegrity's SiteMinder to implement authentication on my applications/servers. What happens if SiteMinder goes belly-up or they triple SiteMinder's licenses???? Nothing is stopping them from doing that. Then my application will be secured by a technology that I can NOT afford to license......
Consensus is good, but informed dictatorship is better
I used to work somewhere which had fairly draconian password requirements (needs to include digits, can't be made up of real words, can't have more than two characters in a row the same), including changing passwords every month. I ended up picking a simple pattern on the keyboard ('qq1122qq'), and just moving the pattern along by one character each time I had to change it. I've yet to find a password system which rejects this password pattern sequence, despite its simplicity.
-- Help Digitise the Public Domain at DP.
..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.
http://www.thinkgeek.com/gadgets/security/5a60/
Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
A biometric authentication key, if compromised, cannot be revoked. You can't just be issued a new thumb.
Will I retire or break 10K?
It would make a lot more sense if websites allowed you to identify yourself by your PGP or SSH public key. At the very least this could provide a secure way of doing the 'I've forgotten my password, please reset it' thing.
-- Ed Avis ed@membled.com
Imagine this: Creating account for Yahoo:
. fang
Sharpfang
Sharpfng
shrpfng
sharp_fang
sharp
sharp-fang
shrpfang
sfang
sharpf
sharpy
sharp
Yahoo claims all of the above are already in use.
Do you believe them?
That's one of the reasons why I stopped using Netscape Mail, my original account name was deleted (supposedly it conflicted with someone when Netscape joined all its services. I really doubt so), and I couldn't come up with anything nearly decent. More and more our usernames start to resemble really good passwords, with digits and punctuation characters in them... And I bet the "huge services" reserve ALL the possible good names (i.e. no digits in them) for some potential VIPs and lie that they are "already taken".
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
When users have password rage, look out! They might start throwing all those letters and numbers at you!
// file: mice.h
#include "frickin_lasers.h"
Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...
Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.
Looks good for your age..
Silly Passwords: for free access to newspapers and such.
Same one all around. You figure it out, enjoy. And remember, you are male/female, young/old, rich/poor, etc.
REAL Passwords: Bochs cylinder. Script that passes the blowfish password, decodes, calls up an editor, does Norton wipefiles on close.
The real problems arise when we start enforcing complexity policies. My university recently started enforcing complexity rules on their web portal passwords. I really didn't have a problem with this, I currently use complex passwords where I can, with caps and special characters and all that rot. However, in this particular instance not ALL special characters were allowed, which led to my favorite rejected password @ss@n1n3, it was rejected too.
The fear of losing my hotmail account is my sole motivating factor in changing my password on an hourly basis. Imagine what would happen if someone cracked my account and I couldn't receive my daily prOn?
...anyone who played Splinter Cell would know that!
I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.
Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.
Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.
In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.
Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.
Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.
Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
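The post above distinguishes verifying a claimed identity (1:1 match against one template) from identifying someone by scan alone (1:N search), and says the latter has an amazing error rate. The arithmetic behind that is worth seeing. The following is an added example, not the poster's code: given a per-comparison false accept rate (FAR), the chance that an impostor matches at least one of N enrolled templates is 1 - (1 - FAR)^N, which grows quickly with the population. The FAR values used are constructed for illustration, not measurements of any product.

```python
import math


def false_accept_in_identification(far_per_comparison: float, enrolled: int) -> float:
    """Probability an impostor matches at least one of N enrolled templates in a 1:N search.
    With enrolled=1 this is plain 1:1 verification and the result is just FAR."""
    return 1.0 - (1.0 - far_per_comparison) ** enrolled


def max_enrolled_for_budget(far_per_comparison: float, budget: float) -> int:
    """Largest population N for which the 1:N false-accept probability stays within budget.
    Solves 1 - (1 - FAR)^N <= budget for N."""
    return int(math.floor(math.log(1.0 - budget) / math.log(1.0 - far_per_comparison)))


def identification_table(far_per_comparison: float, populations):
    """Rows of (N, false-accept probability) for the given population sizes."""
    return [(n, false_accept_in_identification(far_per_comparison, n)) for n in populations]


if __name__ == "__main__":
    # Constructed FAR of 1% per comparison (percent-level, as the post describes).
    far = 0.01
    print(f"per-comparison FAR {far:.3%}")
    for n, p in identification_table(far, [1, 10, 100, 1000]):
        print(f"  1:{n:<5d} false accept {p:.1%}")
    # A site that wants 1:N false accepts under 1% can only afford this many enrollees:
    print("max enrolled for a 1% budget:", max_enrolled_for_budget(far, 0.01))
```

With a 1% per-comparison FAR and ten enrolled users, an unenrolled person is accepted about 10% of the time, which is the "one in ten people will just walk in" figure in the post. Lowering FAR by tightening the match threshold raises the false reject rate, so a fixed sensor cannot be tuned out of this trade-off; checking the scan against a single template named by a badge (1:1) sidesteps the N factor entirely.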
"Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future"
What kind of "security expert" would recommend fixed, unchangeable biometric "passwords" in place of text passwords? They have their place in some situations, but for general use they're as bad as putting the same password on every account and never changing it even if you know that it's been compromised.
I tell people to assign a word for each symbol above the numbers. They can write this down (better than writing down the actual passwords). Then come up with a phrase that uses some of the words selected. (if 1=love, 2=kids, then "I love my kids" would give a password of I!@MyKids.) I use this method to teach people who would otherwise just write their passwords on a sticky. Not recommended for sys-admins.
But memorizing them is simple... for the difficult part is not in the passwords.
Each password is a phrase that holds a specific meaning for me, like a quote from a movie, a song, etc. Each of these passphrases goes through the same algorithm that replaces characters with numbers, adds upper and lower-case, adds non-alpha-numeric values, etc.
The resulting password is pretty hard to recognize as the original passphrase and almost impossible to reverse-engineer.
This approach has several advantages:
What does (|) mean?
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
So yeah, people laugh at how users leave passwords on sticky notes or use simple things such as names, dates, etc....but hell, with policies like these it's impossible to be able to remember all of this crap. I say let me use one password for everything and I'll gladly tote one of those ghastly RSA Securid keys again.
"The strong will do what they want, the weak will do what they must."
-Thucydides
Perhaps the best thing would be a Bluetooth device that will broadcast my long key, without any identifying string. Then all I have to do is remember how my login was formatted for site x and press the "authorize" button on my keyfob. This could work from amazon.com to the gym lockers down the street.
...as long as there is a way to generate the same key again after my bluetooth SkelKey breaks, gets lost... maybe dna analysis..
Looks good for your age..
It's perhaps bad because it's a single point of failure, but all of my passwords are, one way or another, stored using the Mac Keychain. Safari stores its passwords in there, as do some other browsers. I use PasswordWallet (for Mac and Palm) to store passwords (and more) in an encrypted file, which is accessed via a passphrase stored in the Keychain. Even my SSH passphrases are stored in there (accessed via SSHPassKey).
Anyway, what prompted this was Schneier saying, "Don't let Web browsers store passwords for you." Sometimes, the browser is as secure as anything else on your computer, as in the case with Safari + Keychain.
One way to use a unique password for each website: take the website's name and apply a non-trivial algorithm to it. For example you can 1337ize it then subtract 2 from all the digits or rot-n the remaining alphas.
This doesn't make the passwords uncrackable, but should be enough to dissuade the casual cracker. To be extra safe, use different algorithms for different categories of passwords (websites, work accounts, home accounts, etc).
I usually take a sequence of words, say "Bow before me, for I am root", turn them into '1337-speak', throw in a couple of Swedish characters (which, of course, slashcode won't display) and then I'm set :)
"bOwb3f0r3m3fOr14mr0Ot"
(note how only every second "O" is a "0", for ease of memorization)
I have to support the executives at work, and they have the absolute worst passwords ever. None of them are set to expire or follow the company standards at all either. It really freaks me out because when they do get hacked, I'm afraid they will blame me!
Sound waves should be free!
... was going to write an interesting reply, but couldn't remember my damn Slashdot password :-(
Set your password up using Welsh or Irish Gaelic.
Haven't come across a cracking dictionary written in Gaelic yet,
and I don't suppose many hackers are fluent in Gaelic.
-> if someone knows my password, they still need the card and my userid
-> if someone has the card, they still need the password, and userid
-> if someone has the card, reasonable chance I'll notice I no longer have it, and will cancel it
Seems pretty secure. No particular strong password required, and no (or very little) chance of someone using a keylogger to grab the password.
No longer put much store in single-factor password systems: too easy for someone to see you typing it, and no way to know if someone saw you or not.
From the article: ...written in Chinese digits in Korean script
I am having trouble making sense of this. Don't the Chinese use ideograms* for their numbers as well as their words? Ok, then how can these be rewritten in Korean? Those would simply be Korean digits. What am I missing here?
* I think this is the right word to describe the word-characters.
Instead of using words or numerical sequences or anything, I remember patterns on the keyboard, for instance:
op[]kl;'
a complex and effective password, but easy to remember because it's a simple pattern on the keyboard. It also naturally ends on the enter key. Another example:
5tgb^YHN
Also effective. But you only really need to remember 1 key and the pattern.
This method is also effective because if someone were to ask me what my password was, I couldn't recall because I don't really know it. Instead I have to physically input it.
This harkens back to an idea I had some time ago for a poor man's facial recognition security method which involves pressing your face into your keyboard at the password prompt.
The biggest problem is the large amount of different services which all want their own random password.
I've got more than 20 different passwords for all kinds of services. In the beginning it wasn't all that hard to remember 5 different passwords. But it starts to get difficult when you're starting to confuse passwords from one service with another. I don't know about everyone else, but I don't reuse my passwords; it's just as bad as using a weak password.
There should be some central auth service which just uses 1 password, and then verifies to another service you are really that person you claim you are...
I find I have the greatest problem with SHORT passwords, because they have to be something concise yet random and you have to remember it. And the shorter they are, the easier they are to crack. My favorite was one bank's site where your password "cannot be any longer than 7 characters and must not contain any symbols and must otherwise be ludicrously easier to hack, crack, or guess." Sites like that kill me, because I like even my most throwaway passwords to be 8-10 characters long, so I have to come up with a completely new, completely guessable password. THAT's when I get frustrated.
sic
A single card that provides complete and total identification of ourselves in every form imaginable, to any system in the world (or off it) that requires identification. This sort of super card would be used for everything from providing our drivers license to storing a DNA workup, and would be compatible with every type of card reader in existence. /douglas adams
I keep a very long password file on my PDA
(Actually now it's two files)
and on my computer.
There is an application for the Palm that lets you store all your passwords on your PDA, then protect the whole batch with a password. Umm, just one though.
I do confess to use one password for very low priority items.
(Neopets, message boards, NY times)
But have unique passwords for anything of any importance (anything that should have a password)
(Slashdot, Paypal, Ebay, yahoo)
My e-mail and webserver passwords are always cryptic because I only enter them once into the clients I'm using on my workstation at home.
I don't actually exist.
I understand why most passwords are needed. I also understand why needed passwords need to be difficult to guess (and therefore difficult to remember).
That said, I get very irritated when web sites require you to set up a user account, supply an email address, and remember the username and password for that account just to access some information.
For example, to get to many of Oracle's technical documents on technet.oracle.com, one needs to have a password-protected user account. The account is free, but its only purpose appears to be to allow them to track users. I really wouldn't care if someone broke into my Oracle account, as all it lets them do is search Oracle technical documents. This is just one example.
A few previous posters have noted that strict memorization of passwords is not that difficult. I don't dispute that fact. But my password database has, literally, about a hundred passwords. It grows regularly. I could certainly study the list, but who has time -- especially as the list grows and the passwords need to be frequently changed.
I hope that SSL/SSH client authentication alleviates the need to memorize passwords to some extent. The difficulties are that users use multiple computers, and that the client software to manage this is more difficult to use than many are prepared to deal with.
Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.
Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
Why have the user remember a password? I use a Safeword Silver 2000 token fob to log into the company. I don't know what the next hex password is going to be, and because it changes every time I use it, only the fob and the server know what it is. If I lose it, who cares, it gets disabled and replaced. This, of course, requires that applications know to ask the Safeword Server for authentication, so it is not available everywhere, but can be cross-platform.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
A good Directory Services implementation combined with "single sign on" technology will eliminate the need for so many passwords at the workplace. While Active Directory has problems with this, Novell's eDirectory (NDS) handles this quite well.
Doesn't do much for the passwords you have on your personal stuff on the web - but check out the Liberty Alliance for that--it's a "peer-to-peer" password management system based on a good directory--like Microsoft's crappy "Passport" system, but good.
AND HERE IS WHERE IT FAILS THE TEST
These rights and freedoms may in no case be exercised contrary to the purposes and principles of the United Nations.
Only a damned fool would rely on that bunch of shit. The "purposes" could change from day to day depending on who was in charge. Principle? What fucking principles?
Only a recognition that human rights are inalienable and that they come from a source higher than mere humans (God) is good enough.
It's sheeple like you that dictators dearly love. You fucking idiot!
Learn Klingon, make passwords in it. Barely anyone knows it, so you should be safe. Still, for even more security, you could 1337ize it: t1hIng@n_#01
When you don't have a leg to stand on, don't even get up.
12345?
Good enough for the advanced civilization depicted on Spaceballs. Good enough for me!
I use a single real word for each password, and in order to make it uncrackable using dictionaries, I transliterate the words to Japanese "kana", and then transliterate the kana back to roman letters.
For instance, the password "laptop" would transliterate into something like "rapputoppu".
For a brief explanation of roman to kana transliteration:
1. The Japanese language doesn't have a syllable with the letter L and thus uses R instead. Hence "la" -> "ra".
2. There are no syllables that end with a P, so the syllable "pu" is used instead (the U is left unpronounced).
3. Hard consonants, like the Ps in 'laptop', become double consonants, "pp".
The word I use is usually related to the account it's for, so "rapputoppu" would be for my laptop, and "uebbusaabaa" would be for the webserver.
Finally, I replace I with 1, A with 4, E with 3, etc., you get the idea. So "laptop" becomes "r4pput0ppu", a string that's easy to remember, because it's my laptop password, and difficult to crack, because it's fairly long, has both letters and numbers, and isn't a real word (except in Japanese, since the Japanese for laptop actually IS "rapputoppu" AFAIK, so this is actually not an optimal example).
Of course, if you're not familiar with Japanese, this system isn't for you.
I agree with you in part, but I think it's premature to dismiss biometric security entirely. There are instances and occasions where it makes good sense. For instance, let's say that you're a bank teller. Every day you deal with a steady stream of customers, the vast majority who don't know their account number.
No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn't the best system around it's not too bad, especially since there's a teller standing right beside it to make sure you don't do anything obviously hinky with it.
But then there are going to be lots of people who don't have their ATM card with them for whatever reason--let's say they accidentally left it at home. Okay, the system still works, but instead of swiping your ATM card and punching your PIN you show the teller your driver's license. The teller looks you up in their database, makes sure you match your photograph, etcetera.
What happens if your wallet's been stolen and you have no identification? Let's say you're mugged and you lose your wallet, and you're forced at gunpoint to give up your PIN. As soon as you get away you run to your bank and talk to the teller. You have no ATM card. You have no driver's license. There's no way they can authenticate you.
But you still have your thumbprint.
So now you authenticate yourself via a thumbprint scanner. The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you.
Presto, you're logged in, and the teller can have some degree of confidence that you're a customer and need to have your credit cards and ATM access cancelled.
Yes, there are significant problems with biometrics over the Net. Most of these problems can be alleviated by adding a trusted human being to the equation, someone to stand by the biometric reader and make sure nobody does anything obviously hinky with it. (In this case, the teller serves that function.)
I certainly agree that biometrics aren't a panacea and they aren't a replacement for a real security policy. But I think you go a little too far to say that security people think biometrics ought never be used for over-the-Net transactions.
I use a simple scheme that allows having lots of easily rememberable not-so-bad passwords. It's similar (actually a generalization) to what some other /.ers have proposed:
What you need is: a) a set G, not very small, of things you can remember easily. b) a function f:G->K, where K is the key space. Then, for each password you need you choose some element x in G, and use f(x) as the password.
An example helps a lot. For example, let's choose G = the set of Science Fiction books (because you probably know titles of a lot of them). Then, given a book x you say:
f(x) = the first word of x's title, capitalized, followed by the initials in all-caps of the remaining words, followed by the number of words, followed by the author of x backwards.
For example if x is "Stranger from a strange land", written by Heinlein, f(x) = "StrangerFASL5nielnieH"
Now, for each password you remember just one SF book. That is easier to memorize and changes for each password, and f, G become part of every password of yours. If you choose f and G more carefully, someone getting one of your passwords will have a hard time guessing f and G, assuming he already knows you use this system. And even if he knows f and G, he will probably not have automated tools to scan through all of G (that's why G should be big; the G I proposed is probably not good enough, but better than having a single password anyway).
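The f:G->K scheme from the post above, implemented as an added example (editor's illustration, not the commenter's code). It codes the post's own f literally, runs it over a small constructed catalogue standing in for G, and puts a number on the post's closing point: once f and G are known, the remaining work is log2(|G|), however long f(x) looks.

```python
"""Added example (not the commenter's code): the f:G->K password scheme from
the post above, with the post's own f implemented literally, plus an estimate
of how much searching is left for someone who already knows f and G.
"""
import math


def f(title: str, author: str) -> str:
    """The post's f: first word of the title with its first letter capitalized,
    the upper-case initials of the remaining words, the number of words,
    then the author's name reversed."""
    words = title.split()
    if not words:
        raise ValueError("title must have at least one word")
    first = words[0][0].upper() + words[0][1:]
    initials = "".join(w[0].upper() for w in words[1:])
    return f"{first}{initials}{len(words)}{author[::-1]}"


# Constructed sample of G (a memorable catalogue). In practice G is whatever
# you can recall reliably, which is the whole point of the scheme.
CONSTRUCTED_G = [
    ("Stranger from a strange land", "Heinlein"),
    ("Neuromancer", "Gibson"),
    ("Do androids dream of electric sheep", "Dick"),
]


def passwords_for(catalogue):
    """One password per element of G; duplicates would mean f is not injective on G."""
    return [f(title, author) for title, author in catalogue]


def bits_if_scheme_known(size_of_g: int) -> float:
    """If f and G are known, the only secret left is which element of G was
    picked, so the work is log2(|G|) bits regardless of how long f(x) is."""
    return math.log2(size_of_g)


def bits_blind(password: str) -> float:
    """Naive estimate for someone who knows nothing about f or G: length times
    log2 of the alphabet implied by the character classes actually used."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for present, size in classes if present)
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    for pw in passwords_for(CONSTRUCTED_G):
        print(pw, f"blind: {bits_blind(pw):.0f} bits")
    # A catalogue of 8192 titles leaves only 13 bits once f and G are known.
    print(f"scheme known, |G|=8192: {bits_if_scheme_known(8192):.0f} bits")
```

The gap between `bits_blind` and `bits_if_scheme_known` is exactly what the post means by "that's why G should be big": the transform hides the choice, it does not multiply the choices.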
Why not get one of these , or, you could always use one of these ...either way you will always remember your passwords.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
"New Password should not match with any of the previous 5 passwords. It should have minimum 8 characters. It should contain at least one capital letter (UPPER CASE), one small letter (lower case), one digit(0-9) placed in between the letters".
Why not just have an 8 character alphanumeric combination instead of compulsorily having a capital letter and no numbers at the end of the password?
Kerberos based Single Sign On?
Come on now, it's not like there aren't solutions to this problem.
Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/
passwordsafe.sourceforge.net
"There ought to be limits to freedom"
Why not use a Kerberos based password management solution?
- Users have one password.
- They enter it once on system login.
- They can securely access all services on the network without typing it again. (The password is never sent over the network)
- As an admin, you have one place (the KDC) to add/remove users/passwords.
- All services pick up these changes automatically, so you don't have to sync password lists between servers.
Saves time, money, and increases security. And it's an open standard.
http://web.mit.edu/kerberos/
I use it for most of my online accounts, because all I need to memorize is a single passphrase and one password. (look for "universal password" on their home page for info)
This javascript utility generates a different password for any site I want. Much less hassle than managing pwds on my palm (fearing I might lose it, or not having it with me when I need it!)
Also, I'm not worried about using this utility from an internet cafe where a keylogger might grab my passphrase, since you use a mouse to input the characters of your passphrase/password. (this is actually its primary function, the universal password thing seems to be a minor feature for them)
And yes, I've actually looked at the javascript code to make sure it's not sending my passphrase to be recorded somewhere.
Check it out at www.loginguardian.com (click on the LoginGuardian icon under "see it in action", and then click the "More..." button on the virtual keyboard)
I've never used Keychain so I'm not exactly sure what its functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?
One such application for Windows is Password Safe. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).
I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.
P.S. I've found it unwise to use a different password for everything, relying on Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
Is different systems requiring differing password change times (this prevents me from using the same password on all of them.) On one system it's every 45 days, on another it's every 30 days, and on yet another it's every 90 days...but I can't change it for at least 60 days - so there's no way to keep that password synced up with the rest of mine (the Vax and NT...well I just change the Vax early)
Now the 60 day minimum is designed to keep people from changing their password and immediately changing it back - but do they really need to set that at 60 f---ing days? Gah!
Okay guys and gals, I am going to share the methodology I use to create pseudo random passwords:
1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:
night of the living dead zombies eat flesh for fun and kicks
2. Pick out key letters. A simple key to use is just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:
night of the living dead zombies eat flesh for fun and kicks
so we end up with:
notldzefffak
3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:
notl96dzefff%ak
And there you have it, a password that a normal dictionary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).
Now, get out there and change your passwords!
Good luck!
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
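The three-step method from the post above, implemented as an added example (editor's illustration, not the commenter's code). Step 2's letter-picking rules, including the two variants the post only describes, are selectable functions; step 3's insertions are given as positions into the key-letter string, which reproduces the post's "notl96dzefff%ak"; a small policy check covers the post's caveat that some systems demand a digit and others forbid symbols.

```python
"""Added example (not the commenter's code): the three-step phrase method
from the post above, with the letter-picking rules it mentions as selectable
functions and the number/symbol insertion step as positioned inserts.
"""

PHRASE = "night of the living dead zombies eat flesh for fun and kicks"  # the post's phrase


def first_letters(words):
    """Step 2, simple rule: the first letter of each word."""
    return "".join(w[0] for w in words)


def alternate_first_last(words):
    """Step 2, variant: the first letter of one word, the last of the next."""
    return "".join(w[0] if i % 2 == 0 else w[-1] for i, w in enumerate(words))


def alternate_first_third(words):
    """Step 2, variant: alternate 1st and 3rd letters; a word shorter than
    three letters contributes its last letter, as the post specifies."""
    picked = []
    for i, w in enumerate(words):
        if i % 2 == 0:
            picked.append(w[0])
        else:
            picked.append(w[2] if len(w) >= 3 else w[-1])
    return "".join(picked)


def insert_extras(core, insertions):
    """Step 3: insert digits/symbols. insertions is a list of (index, text)
    where index refers to the unmodified core; inserting from the right keeps
    the earlier indexes valid."""
    result = core
    for index, text in sorted(insertions, reverse=True):
        if not 0 <= index <= len(core):
            raise ValueError(f"insert index {index} outside core of length {len(core)}")
        result = result[:index] + text + result[index:]
    return result


def make_password(phrase, pick=first_letters, insertions=()):
    """The whole method: normalise the phrase, pick key letters, insert extras.
    The post asks for at least 12 words, so shorter phrases are refused."""
    words = phrase.lower().split()
    if len(words) < 12:
        raise ValueError("post recommends a phrase of at least 12 words")
    return insert_extras(pick(words), list(insertions))


def policy_ok(password, need_digit=True, allow_symbol=True):
    """Step 3 caveat: check a result against the local rules before using it."""
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if need_digit and not has_digit:
        return False
    if has_symbol and not allow_symbol:
        return False
    return True


if __name__ == "__main__":
    print(make_password(PHRASE))                                   # notldzefffak
    print(make_password(PHRASE, insertions=[(4, "96"), (10, "%")]))  # notl96dzefff%ak
    print(make_password(PHRASE, pick=alternate_first_third))       # nftvdmeefnac
```

Keeping the picking rule and the insertion positions fixed across all your phrases is what makes the result reproducible from memory; the phrase is the only part that changes per account.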
in a plain text file on my desktop.
Of course, nobody knows what they're for.
The Kruger Dunning explains most post on
I really don't want that much information going out about me, just to log into a stupid computer. This sort of information gathering technology will eventually be abused, like everything else is..
99% of the work people do in the world does NOT need this paranoia of security.
Just lock the damned doors on your building, give people a key, toss in a guard at the door to prevent break-ins, and 85% of your problems are solved.
10% is solved by common sense.. and the last 5%, well you cant stop them no matter what you do anyway.
It's just NOT this important to usher in methods of tracking people down to what square foot they are standing in 24/7..
---- Booth was a patriot ----
I was seriously worried that this article was a propaganda push for M$ Passport.
Now we're talking security!
"One touch of Darwin makes the whole world kin." George Bernard Shaw
Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.
The keychain is basically a small, encrypted database with an accompanying API that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previously written into the keychain.
Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.
Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.
One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.
I just click on the "send me my password" button a lot.
Let me recommend a book for anyone having serious issues with inventing and memorizing secure passwords.
William Steig wrote a wonderful series of books which were like cryptograms. When you read a seemingly random string of numbers and letters you would have a full sentence.
For example:
CDB! (See the bee!)
D B S A B-Z B (The bee is a busy bee.)
O, S N-D! (Oh, yes indeed!)
The phrases become increasingly complicated and start adding numbers and symbols.
CDB has been the definitive guide to helping me choose passwords that are secure and I will easily remember them. For example, on one machine that was sitting underneath a poster of Corn from around the world, the password WAS (And is no longer...) e10a3-rfrn. (eating an ear of corn).
CDB!
"One touch of Darwin makes the whole world kin." George Bernard Shaw
I remember one password for all websites- BUT- I add a few characters from the website name to the password. So I've generated a unique password for each site, but only have to remember one.
e.g. for Slashdot.org the password might be "Sdogn4meD" and for mybank.com it might be "Mdogn4meB", etc etc.
Users will still be stymied, however, because they need to have accounts from many organizations and don't have good guidance. The linked article only briefly mentioned passphrases and gave no good reasoning for levels of security passwords. Users need to know this stuff too, so that they don't complicate their lives too much.
Understanding levels of security cuts much crap. If it's not secure anyway, don't tax your brain with it. Pop is a good example. It is an unfortunate fact of life that most ISPs do not offer, and sometimes even forbid, secure email transport. For pop and other inherently insecure transport protocols there is no need for many hard to remember passwords, just pick one and use it for all. Fetchmail has all of mine. This also works for all the other services, regardless of how secure, that will do you and no one else any harm if cracked. Silly things like job search sites get one of my dinky passwords and I put it in my html reference page that holds the site address, jobs I've applied to and other notes. Two or three passphrases can work for all the other stuff you use. Just pick a random book off your shelf, highlight and memorize a sentence. If you absolutely must, you can write the sentence down in your wallet, but flipping through a book is more normal than taking your wallet out at work. My most important systems at home get my best and least used passwords, others get less work.
Of course, all is in vain if you use an insecure operating system or are under the thumb of the clueless. Your system is going to be cracked and used to harm you and others, as the continuous waves of M$ worms and trojans show. Clueless administrators will give you dozens of mindless and impossible to remember garbage like "Mkaf5-Ap1" and then suspect their users when blaster blows them out. You are not such an administrator, are you mraymer?
Friends don't help friends install M$ junk.
These problems are mostly due to cluelessness
Friends don't help friends install M$ junk.
By the way, do you realise that your proposed system is not as secure as the sum of every step but as the WEAKEST link? You should NEVER design a secure system that way, ESPECIALLY when you are trying to add an insecure and flawed idea like fingerprint readers. So I guess you forgot to read Crypto-Gram even ONE YEAR AGO? Please read Fun with Fingerprint Readers and stop embarrassing yourself. If you have such a strong aversion to Crypto-Gram then read at least
Body Check: Biometric Access Protection Devices and their Programs Put to the Test
Body Check: Biometrics Defeated; Germany's c't blows through 11 biometric systems
Impact of Artificial "Gummy" Fingers on Fingerprint Systems
I am just sick of "leet" Slashdot kids calling themselves professional security geeks... *sigh*
I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digit, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
I just use a formula using two different input lists (i.e. Shakespeare characters, '60 muscle cars, etc.). The inputs are then run through a formula and combined to form a password. It's easy to remember the list items and the formula makes a good non-sensical password.
I drank what? -- Socrates
I had the same problem - I solved it by using the names of all the girlfriends I ever had followed by the year...
Trouble was I ran out and was not about to dump my current one.... so I started on the cats. Just glad my girlfriend never knew the system I used... how to explain bimbo89
"No no that's my cat...? .... really!"
Choose a word you won't forget. I'll use 'slashdot'. Now, hit the key *next* to each letter - 'woqwye95'. This example uses the key above and to the left. You can use some other positional encoding like up-right-bottom-left in sequence or interlacing the letters with the number in the same column - "s2l9a1s2h6d3o9t5". Just pick one method and stick with it, and you can choose a dictionary word to start from.
Don't tell anyone what method you use.
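The keyboard-position encodings from the post above, implemented as an added example (editor's illustration, not the commenter's code). It assumes a US QWERTY layout with the row stagger ignored, so "the key above" is the same column index in the row above; that reproduces the post's 'woqwye95' and "s2l9a1s2h6d3o9t5" and also covers the "up-right-bottom-left in sequence" variant. The last function makes the point a defender cares about: each of these transforms is one-to-one, so it hides which word was chosen but leaves the number of candidates equal to the size of the word list.

```python
"""Added example (not the commenter's code): keyboard-position encodings of a
memorable word on a US QWERTY layout, as described in the post above, plus a
check of how much such an encoding changes the candidate count.
"""

# Constructed US QWERTY layout, rows top to bottom; the physical stagger is
# ignored, so "the key above" is simply the same column index in the row above.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
POSITION = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
MOVES = {"up": (-1, 0), "right": (0, 1), "down": (1, 0), "left": (0, -1)}


def neighbour(ch, direction):
    """Key reached from ch by one step in direction; ValueError off the edge."""
    r, c = POSITION[ch.lower()]
    dr, dc = MOVES[direction]
    nr, nc = r + dr, c + dc
    if not (0 <= nr < len(ROWS) and 0 <= nc < len(ROWS[nr])):
        raise ValueError(f"no key {direction} of {ch!r}")
    return ROWS[nr][nc]


def shift(word, direction="up"):
    """Post's first method: replace every letter with the adjacent key in one
    fixed direction. 'slashdot' shifted up gives 'woqwye95'."""
    return "".join(neighbour(ch, direction) for ch in word)


def sequence_shift(word, directions=("up", "right", "down", "left")):
    """Post's 'up-right-bottom-left in sequence' variant: cycle directions."""
    return "".join(neighbour(ch, directions[i % len(directions)])
                   for i, ch in enumerate(word))


def interlace_column_digit(word):
    """Post's third variant: follow each letter with the digit in its column."""
    return "".join(ch + ROWS[0][POSITION[ch.lower()][1]] for ch in word)


def distinct_outputs(words, transform):
    """How many different passwords a transform yields over a word list.
    Each transform above is one-to-one on the layout, so this equals
    len(words): the encoding disguises the word but does not enlarge the set
    an attacker who knows the method has to try, which is why the post says
    not to tell anyone the method."""
    return len({transform(w) for w in words})


# Constructed word list standing in for a dictionary.
CONSTRUCTED_WORDS = ["slashdot", "password", "letmein", "dragon", "monkey"]

if __name__ == "__main__":
    print(shift("slashdot"))                    # woqwye95
    print(interlace_column_digit("slashdot"))   # s2l9a1s2h6d3o9t5
    print(sequence_shift("slashdot"))           # w;zayflr
    print(distinct_outputs(CONSTRUCTED_WORDS, shift), "of", len(CONSTRUCTED_WORDS))
```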
The latest Slashdot meme.
Let's generate you a password right now. Opening a copy of JAVA to page 135, I see many sentences. "There is also a 64-bit double for double precision." Looks promising. From it, we can have:
Highlight the phrase and use the password for a few important but unrelated sites. You should not need many such passwords as most things requiring a password are either inherently insecure anyway or can do you or others no harm if cracked. Things like pop3 and job search sites can and should use throw away passwords like "baddog" like you currently use. Oh yeah, you need even fewer of those because none of them should matter to you anyway.
Passphrases are a good system for which you only have to remember the system. The length is random. It's not something you will ever write anywhere else. You don't even have to remember the phrase if you can remember the books you use. Hell, it's easier than 1eet 3pe4k, which also falls to dictionary attacks.
Friends don't help friends install M$ junk.
Net cafes are problematic when it comes to passwords - how can you be sure the machine you're sitting on isn't logging your keystrokes? The only solution I've found for this so far would be to create a system of one-time passwords - either have a few of them in hand all the time or have some generated and sent to you over SMS as they're needed.
Any other ideas on how to protect yourself when you're working in an environment where you don't know if security has been compromised or not?
I have long held the belief that biometrics (biological measures) are useless as an authentication method unless a challenge-response mechanism is integrated into the design.
"The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you."
The last research I read on thumb scanners a group from an Israeli educational institute had gotten 95% success rates (on authentication, not identification) using casts made from wax prints of thumbs. In case that wasn't scary enough, they got the same results after using acetylene to enhance prints on a glass, then wax again to create the casts.
To put it another way: Anyone who can get a copy of your thumbprint can impersonate you at your bank (well, at least 19 out of 20 times).
If the bank was using a biometrics system that output a signal and received a related response from the actual user, it would be able to have a higher confidence in the authentication. It is this invariance in your thumbprint (as noted by the first poster) that is the weak link in this chain - this of course applies equally well to voice, retina, facial recognition, and in many ways especially DNA.
The example I gave in discussions on the UK "mouse signature" article was that the system could ask the user to sign/replicate a particular glyph or glyphs instead of an invariant "signature".
Of course research would be required to determine a time-invariant and repeatably measurable feedback mechanism that has the required properties - but that is what professional security geeks are for...
Q.
Insert Signature Here
But don't do it in an obvious way.
Say you need to remember a password, put it in an address in your PDA or book.
BS name
123 'password here' st
NY, NY zip
Easy.
Passwords are a pain because people try to remember all of them. Don't. Write them down, but in a non-obvious way.
I saw a great security device a few months back, a keyring with a number on it that changes regularly. The software also has the same changing number which you need to type in to gain access. Because it is continuously changing you don't have time to crack the code.
A stolen keyring won't work, because you'd need to know the username to go with it.
In my public library they recently started asking for a 4-digit PIN. Not exactly the world's most important data. But then I looked around and asked myself: "how many people use the same PIN as on their ATM card?"
10 ?"Hello World" life was simple then
Most people I know store their voicemail passwords as a "quick dial" number on their office phones. Sure, it's insecure, but it's an effective workaround! And if someone's rifling through your desk, the possibility that they might pick up a voicemail message is usually not the most serious risk.
Biometrics is a dumb idea, it does take a rocket scientist or a hacker to figure out the flaw.
Using biometrics would mean you have a single password for your entire lifetime. No matter how long the digital code is, someone will figure it out. Whether from a trojan in an internet cafe or from a bank ATM that printed out your account and password and dumped them into the trash.
You can never change your biometric password. Think about that!
...I am using is PINS. I have evaluated several and this one seemed to be the best. I think it still is.
It can simulate typing passwords in the browser login pages/login dialogs.
The program is open-source and free but like PasswordSafe it is only for the M$oft world.
I would be happy to have one that supports Windows & Palm & Mac, but I am not holding my breath.
Kerberos or, more generally, trusted 3rd party authentication was invented to solve this problem. You enter one password to gain access to the ticket-granting service, and that service handles authenticating you for all the other ones you can use. This problem has been solved correctly for a long time; there is no need for fancy tricks like biometrics to solve it again.
Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).
What is it now with this "Rage"-mania? Why do we have to give even the most trivial behavior some pathological nomenclature?
There was a story in the local paper here about a guy who woke up and fired his shotgun at a bunch of bass fishermen who zoomed by his camp in their speedboats. He was labeled the guy with "wake rage". I guess in a few months Pfizer will have some pill for this, accompanied by the "It's not your fault - it's a disease and it's treatable" drivel.
Excuse me, I think I may be getting Rage-Rage. Is there a pill for that?
I doubt anyone will get down to reading this but too much of this discussion is being approached from the wrong side. A password of 2 simple English words (i.e. treecat) would be enough to require a dictionary attack of 500 000 tries (1000 common words squared or better yet, 3 words for 500 000 000). Enough time that a dictionary attack could be detected because regular users always give up after 12 or so failed tries.
If 12 failed attempts in an hour required you to call IT to reset the counter then 500 000 attempts now takes 40 000 hours or 40 000 calls to IT; either of these makes it unusable as a hacking route. Even a distributed attack would only get 12 tries an hour on jdoe's account. The worst side effect would be jdoe getting locked out while his account was being hacked (rather a DoS attack that way... which is a different problem and not my forte)
Why is attack detection not given more attention than making users remember noisy passwords?
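The per-account failure counter the poster above proposes, written out as an added example (this is not code from the thread or from any product it mentions). The limits of 12 failures per rolling hour, the sample user "jdoe" and the two-word password are the poster's numbers reused as constructed test values; the throttle class, the operator reset and the keyspace arithmetic are my own illustration of the idea.

```python
"""Added example: a rolling-window failed-login throttle plus the arithmetic
for how long an online guesser needs once attempts per account are capped.
Names and limits are illustrative assumptions, not a real product's API."""
from collections import defaultdict, deque

MAX_FAILURES = 12       # failures tolerated per account inside one window
WINDOW_SECONDS = 3600   # one hour, as in the comment above


class FailedLoginThrottle:
    """Tracks failed attempts per user over a rolling window.

    Once an account has MAX_FAILURES failures inside the window, further
    attempts are refused (without consulting the credential store) until the
    oldest failure ages out or an operator resets the counter, which is the
    'call IT' path the comment describes."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)   # user -> timestamps of failures

    def _prune(self, user, now):
        q = self._failures[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_locked(self, user, now):
        self._prune(user, now)
        return len(self._failures[user]) >= self.max_failures

    def attempt(self, user, password, now, check):
        """Return 'locked', 'ok' or 'fail'.

        `check(user, password)` is the real credential verifier.  A locked
        account never reaches it, so a guesser learns nothing from a locked
        account and the attempt does not even cost a hash computation."""
        if self.is_locked(user, now):
            return "locked"
        if check(user, password):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "fail"

    def reset(self, user):
        """Operator reset after the user has identified themselves out of band."""
        self._failures[user].clear()


def word_keyspace(vocabulary_size, words):
    """Candidates for a password made of `words` words from a vocabulary of
    `vocabulary_size` (e.g. two words from a 1000-word list)."""
    return vocabulary_size ** words


def hours_to_exhaust(keyspace, per_hour=MAX_FAILURES):
    """Wall-clock hours an online guesser needs to try every candidate when it
    gets at most `per_hour` guesses per account per hour."""
    return keyspace / per_hour


def evaluated_before_lock(throttle, user, candidates, check, spacing=1):
    """Feed a candidate list to the throttle one `spacing` seconds apart and
    report how many guesses were actually evaluated before the lock engaged.
    Used here to test the throttle, not to run against anything real."""
    evaluated = 0
    for i, guess in enumerate(candidates):
        result = throttle.attempt(user, guess, i * spacing, check)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    # Constructed scenario: jdoe's password is the two-word "treecat".
    verifier = lambda user, pw: user == "jdoe" and pw == "treecat"
    guesses = ["word%d" % i for i in range(1000)] + ["treecat"]
    print("guesses evaluated before lock:",
          evaluated_before_lock(FailedLoginThrottle(), "jdoe", guesses, verifier))
    print("hours to exhaust two words from 1000:",
          hours_to_exhaust(word_keyspace(1000, 2)))
```

The lock is keyed on the account, not on the client address, which is why the comment's point about distributed attacks holds: every source together still gets 12 evaluated guesses per hour for that one account. The cost, also noted above, is that anyone who can send 12 bad passwords can keep the legitimate user locked out, so a real deployment pairs this with alerting and a self-service or help-desk reset.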
My list of multiplayer
E.g. the pattern zse4rfvgy7ujm on the keyboard or bvfr56yh or something like that. Circles, triangles, squares, serpentines or whatever form and their connections. I would never remember the actual password in letters but the pattern is a spinal reflex by now. If password crackers would search for these patterns I suppose the key space wouldn't be so large. For me the damage wouldn't be so great. Actually, someone making my research papers in medicine public would be a great help! :)
As sysadmin where I work, I've configured the three main computer applications we use (Samba, web email, and a database application) so that a user's login_id and password are always the same on all of them. Considering the difficulty I've had teaching users to remember one password, I can only imagine the difficulty they'd have with three. Keep in mind that I work in a rescue mission, and most of the people using the system struggle with basic literacy and life skills. Just using the computer is a real challenge for them, so adding the difficulty of multiple passwords can be a significant problem.
I have a strict password policy at the mission. All passwords consist of both letters and numbers. I grind it into everybody's head that NOBODY should EVER share a password. I won't ever ask for your password, the director of the mission won't ever ask for it, and anybody who does ask for it is breaking the rules. I make sure everyone knows that I'll go to bat for them if they ever refuse to give a password to anybody. Having become friends with most people in the mission, I think I've gained their trust on this issue. I pounce on anybody who is discovered sharing a password and make a big issue of it every time. It seems to be working.
While I'm on the topic, I'd like to ask for your experiences on how login IDs are formatted. I originally used the format firstname_lastname, for example, joe_smith. I found out that the underscore is really throwing people for a loop. I wish now I had gone with firstnamelastname (e.g. joesmith), and configured the login programs to quietly remove non-alphanumerics. I need to go back and change everyone's Linux accounts, but that will take some time.
The underscore created even more problems when combined with Internet Explorer's auto-complete feature. People became so used to picking their name out of the autocomplete list that they forgot their login IDs. Mainly, they forgot to use the underscore instead of a dash. Keep in mind that the underscore is a geek thing... normal people don't use it in their daily lives. If somebody tried to log in on a different computer than the one they usually use, or if the autocomplete listing got deleted, they couldn't log in anymore. Then they would tell anybody who was nearby that "their password doesn't work anymore", which makes ME look bad. I've had a few talks with my bosses about that phrase and made sure they know that it really means the user can't remember how to log in. Anyway, I finally removed the autocomplete feature from the login screens using autocomplete="off". After a few initial complaints, people now remember how to type their login IDs.
I've found that my posts don't format quite right w/o a sig.
Why would the Mac world need one? We have Keychain.
For passwords that need to be *good* but which I don't use often enough to memorize, apps like Keyring for the Palm (yes, GPL) are pretty useful.
As well as storing a bunch of passwords encrypted (only need to have one good password memorized) it can randomly generate long good passwords - ideal for stuff like the SSL key for your Apache install where you only need to enter it every six months or so, but it needs to be non-trivial.
You don't memorize characters, you memorize a phrase. Please see this quick explanation of passphrases. Repetition would indeed help, but you could just as easily use a line from the Matrix you are sure you remember.
Are you sure enough? Aside from simple lines, like "There is no spoon.", I'm not.
Friends don't help friends install M$ junk.
I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.
For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.
For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.
An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.
Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.
I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.
Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first-timers happy, build up trust, and they'll be more likely to come back.
(If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)
I have a workable system for myself as regards to passwords. Not a problem.
What *has* become a problem is remembering what login I used at various web sites. I usually prefer a certain 2-letter or 5-letter login, depending on the nature of the site. Some sites require 6 or more. Some require *8* or more. On a lot of *big* sites/services (think AIM or something like hotmail), my favored logins and various permutations have long been taken.
It's come to a point where I have more logins than passwords and when presented with a login screen, it's the login I can't remember - I know the password.
The trouble with logins, unlike passwords, is that they have to be unique on a given system, but you don't want random gibberish per se as they often function as 'screen names' or 'nicks'.
-h3
When I have password rage (can't remember) I throw my monitor at the nearest coworker (it's an LCD - I'm not that strong).
2600 only informed me of the concept of a password bag application. By the time I actually felt the need to acquire such an application, I had forgotten any specific software titles mentioned in the article. I discovered Password Safe on my own. And like any open source application, exploits should be discovered by those "many eyes" (of course that is not to say that being open source shields it from any longstanding exploits, but it does assist I think).
Sometimes I get the impression that people are far too hung up on the term "password." Any system worth its salt will allow the use of long passwords, permitting the use of full sentences.
Sentences are easy to remember, and as long as you don't choose a common phrase, you're not terribly susceptible to attack. "Faraday likes to eat scones on Tuesday." Capitals, lower case, special character. Fits most password schemes.
The only problem is that some applications don't accept long passwords. The locking program for X that's running on our WPI's DEC UNIX systems, for instance, stops accepting characters after reaching a certain quantity, effectively preventing me from unlocking my #@$*(& console. *ahem* Sorry.
Oh, and anybody who uses, "My voice is my passport. Verify me." deserves to be shot, and often, by someone who knows how.
-Adam
The problem most people have with passwords is that they try to *remember* them. That's alright for, oh, four to six passwords for a more technically oriented person, but unfortunately a lot of people are not technically oriented and/or have more than six passwords.
:)
Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.
I always use 10-16 character passwords, rule is at least two numbers, two capitals, two lowercases and one special character. I have about 15 or 16 passwords I need to remember, a few of which I change monthly, and while I usually do actually remember all, the method I use for storing the information is in the beginning to actively only remember the first character of the password per each site, and let my fingers do the rest of the work on their own. I usually tap the password in a few times right after I set it (and usually jot it down on a piece of paper if I need a reference -I always destroy said piece of paper at the end of the day I set the password, and until that it's stored in the secret compartment of my change pocket.)
Anyway, the point is: people can walk, run, swim, jump, write, play an instrument. All of those are subconscious motoric memories, and the capability can be easily used to store trivial things (compared to, say, walking, which requires hundreds of muscle movements) like a sequence of keys.
For beginners (the 'cool, my new pc has a neat apple logo on it and it's got an integrated cupholder' folk you work with all day), actual keypress sequences can be devised -for example, left-index, right-ring, right-index, right-pinky, left-ring & right-pinky and so on; however, purely motoric (i.e. non-mnemonic) memory is better in the long run.
Subconsciousness is the key. It works great for me until I can actually remember the password so I don't need a keyboard to write it - and I'd assert most people would never need to remember theirs at all. Of course, I've noticed slight problems since I started learning Dvorak
--
Most of us are just pseudonymous cowards.
Marxist evolution is just N generations away!
Like a thumb reader right on the side of the mouse. Much more convenient than buying extra hardware.
-
Single guys use passwords based on their cars. Married guys use kids, wives (if they are newlyweds) or cars. Married women use kids names. You would be surprised how easy it is to guess other peoples passwords at work using these simple rules.
FuckY0U!
G0DdamM!T
Ih4tEP4SSW0RDS!
now that's password rage...
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.
So you think they aren't going to store this info in a database if you don't have an account? Of course they are, since they need the info in case you need to return something, for tax records, inventory purposes, rebate verification, and a host of other reasons. Of course, part of it is so they can send you catalogs, emails, etc., but they would do that whether you have an account or not.
I buy hundreds of dollars of equipment a month from the 'net, much for resale, so this is usually a plus for me because I don't have to re-enter info. But they would have my info anyway, and I would have to re-enter it without an account.
I have blog like everyone else
You started dating the cats?
"I found out that you can be allergic to the latex in condoms... and I thought I was just allergic to the cat!"
DIRT!
And I wish to subscribe to your newsletter.
Ok, it's not portable but I keep my passwords in one password-protected file. The idea is that if anyone can access that file, which only exists on my computer, while unencrypted, I've got bigger problems to worry about...
Kjella
Live today, because you never know what tomorrow brings
I store a "password" list online. Instead of writing the password down, however, I put down something like "college addr##" against an entry and use some version of one of my many college addresses. Memorization is about tricks, and mnemonics are a common answer. I can't be bothered to remember the mnemonics so I write those down! It's odd, but so am I!
A biometric key (one that is not mathematically reducible) is the best insurance.
Even then, our systems are deaf and blind; there will be no proper, certifiable security until we address that.
Security comes from 'provenance' and maintaining a chain of trust. We're still a long way from being able to provide that.
Passwords suck. I just use the default one that I get from the help desk, put 'em on a PostIt note that I keep in my wallet, and use it until the sysadmins roll it over.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Why not use a single-sign on solution like Novell/Protocom SecureLogin ?
If it gets owned somehow, I'm screwed, but it's a trade-off I'm willing to make for the total convenience. Read up on it so you're comfortable with it, but I highly, HIGHLY recommend it. HIGHLY.
Luck favors the prepared, darling.
I finally figured out that it's pretty easy with GPG and XEmacs. One thing to add is that emacs isn't needed to decrypt, gpg --decrypt works on the resulting file. That way, you can decrypt and pipe through grep, which will only show one password and keep the rest from prying eyes.
Liam Healy
I was required to change my password recently at a major financial services (share trading) bank (Comsec.com.au) and found that they now required a 10 digit number as a password, no alphas or special characters, just numbers, as well as a numeric account number! Apparently this is due to them using the same user accounting system for the web and for the telephone banking. I sort of understand, but the security on this I consider way too low and I don't believe it even meets the industry and government regulation standards on such a service.
Kerberos, or Microsoft Passport, or the Mac keychain, or Mozilla's password manager, or PGP?
Fuck Beta. Fuck Dice
I use barcodes as passwords.
:)
I have a big 3-ring binder full of them. I scan 3 barcodes for 1 password. It makes it easy to remember 15-letter passwords like 293ehfwe80sdyh.
It is probably the best system that I have come across yet. Easy to remember and quite secure.
Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare.
God, if you can't remember 10 or 15 passwords / pin numbers etc., you've got to be a bit mentally challenged !
A slashdotting - you get the stick first and then the carrot !
I have to remember so many passwords now that I have clues written down in appropriate places to give me some idea of what they all are.
It's a bit like walking round being the guy in Memento, albeit much less interesting to watch.
One time pads are a pain, so usage ought to be minimized. One way to minimize the usage is to combine one time pads with ticket-granting services like Kerberos (Heimdal). KTH has done excellent work on Heimdal. Gothenburg has years of experience with similar systems in production. Combining Kerberos and one time pads would still allow for authentication in a quite compromised environment.
Many of the people and teams that gave Sweden the enormous lead in technology in the 1970's and 1980's are still there. You just have to look past all the dot-commers who have worked so hard to make knowledge unfashionable.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
There's a worrying trend for sites to ask for personal information such as date of birth, place of birth, mother's maiden name, etc, for later use in authenticating you. One account I have asks for all of the above. This makes it very easy for any hacker / criminally inclined employee to steal your identity if the info is compromised.
Nowadays, I give each site different info about me and (sigh) record what I've given in a database alongside the password. If you ever have cause to authenticate yourself over the phone, have your database open and ready. Otherwise the delay in 'remembering' your date of birth might raise suspicions!
How do you folks get info from your password database into the authentication form? Is cut-and-paste considered risky?
I just changed my password this morning upon which I had to come up with several different ones until passwd accepted the change. They were all long and all but it kept complaining it didn't contain enough different characters.
To me it seems stupid enforcing such a policy as it reduces the number of different passwords an attacker must try if brute forcing.
Could anyone convince me otherwise?
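A way to put numbers on the question above, and on the 10-digit numeric policy complained about earlier in the thread, as an added example that is not part of either post. Both functions count keyspace exactly: the "at least one character from each class" rule by inclusion-exclusion, and the "at least N distinct characters" rule the poster's passwd enforced via Stirling numbers of the second kind. The character-class sizes (94 printable ASCII characters split into four classes) are my assumption.

```python
"""Added example: how much of a password keyspace a composition rule removes.
Class sizes are an assumption (printable ASCII); the counting is exact."""
import math
from itertools import combinations

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}   # 94 printable ASCII


def keyspace_with_required_classes(length, classes=CLASSES, required=None):
    """Count strings of `length` over the union of `classes` that contain at
    least one character from every class in `required` (default: all).

    Inclusion-exclusion: start from all strings, subtract those missing class
    A, add back those missing both A and B, and so on through every subset."""
    required = list(classes if required is None else required)
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count


def stirling2(n, k):
    """Stirling number of the second kind: ways to split n labelled positions
    into k non-empty unlabelled groups."""
    table = [[0] * (k + 1) for _ in range(n + 1)]
    table[0][0] = 1
    for i in range(1, n + 1):
        for j in range(1, k + 1):
            table[i][j] = j * table[i - 1][j] + table[i - 1][j - 1]
    return table[n][k]


def keyspace_min_distinct(length, alphabet, min_distinct):
    """Count strings of `length` over `alphabet` symbols that use at least
    `min_distinct` different symbols (the 'not enough different characters'
    rule).  Strings using exactly j distinct symbols number
    C(alphabet, j) * j! * S(length, j)."""
    total = 0
    for j in range(min_distinct, min(length, alphabet) + 1):
        total += math.comb(alphabet, j) * math.factorial(j) * stirling2(length, j)
    return total


def fraction_kept(length, classes=CLASSES):
    """Share of the unconstrained keyspace that survives an all-classes rule."""
    unconstrained = sum(classes.values()) ** length
    return keyspace_with_required_classes(length, classes) / unconstrained


def bits(n):
    """Keyspace expressed as bits, for comparing policies at a glance."""
    return math.log2(n)


if __name__ == "__main__":
    # The numeric-only policy from the Comsec post versus 8 printable characters.
    print("10 digits only:              %.1f bits" % bits(10 ** 10))
    print("8 printable, no rule:        %.1f bits" % bits(94 ** 8))
    print("8 printable, all 4 classes:  %.1f bits" % bits(keyspace_with_required_classes(8)))
    print("fraction kept by class rule: %.3f" % fraction_kept(8))
    print("8 printable, >=6 distinct:   %.1f bits" % bits(keyspace_min_distinct(8, 94, 6)))
```

The answer to "could anyone convince me otherwise" falls out of the numbers: against pure brute force the rule does shrink the space (the four-class rule keeps roughly 46% of all 8-character strings, about one bit), but that bit is dwarfed by the gap between an 8-character printable password and the 10-digit numeric one, and by the far larger effect such rules have on what people actually choose, which is what dictionary attacks exploit.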
... it makes more sense to use a system where part of the password is static, set by the user and changed by the user, and the other part of the password changes every 60 seconds. You carry a token around and that token is sync'd to your auth server. Only you know the static part of the password and only the token and the auth server know what the shifting password is from one minute to the next.
Like, say, SecurID!
"The cup... the drop... it's a YES!"
Check out this Micro$soft link for the ultimate in password security. Maybe they are getting serious about security issues now?
The Internet worm of 1988 took advantage of stupid passwords: http://world.std.com/~franl/worm.html
Password rage - I have it. I can't contain it. I feel compelled to go find a rifle and shoot at random vehicles on the highway. Feel free to sue the password industry if I succeed.
Here is a good article from interaction architect Bruce Tognazzini that discusses the compromise between security and usability. If you forget the human factor side, you don't have good security.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
The RSA SecurID time-based tokens are covered by US patent no. 4,885,778, no. 5,097,505, no. 5,168,520, and 5,657,388.
Yeah SecurID works, and can be secure, but it's also overpriced. There are alternative hardware token products (e.g. SafeWord from Secure Computing) which are less expensive and not much more difficult for the end user.
Most vendors that sell hardware tokens offer a "soft token" and/or PDA solutions, but these approaches are inherently less secure.
I do not deploy Linux. Ever.