Slashdot Mirror
Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
USB keys are really neat to store keys (PGP, SSH, etc) .
This is definitely the handiest way to replace multiple passwords.
{{.sig}}
Store then in your wallet like Bruce Schneier does.
Note: I don't store mine in my wallet, so keep your hands to yourself!
I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.
Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.
Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).
People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...
And then, of course, the techs (us!) would get blamed.
Honey, I shrunk the Cygwin
Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.
Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]
I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.
And BTW - everyone on site, even the IT dept., did it the way I did.
"As God is my witness, I thought turkeys could fly." A. Carlson
For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.
This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.
My cats ate my karma. They also wrote this comment.
Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.
s /5f11/ plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.
Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboard
I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:
:))
- something you have (such as a token) or
- something you know (such as a password or pin
http://blog.astyran.sg
Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"
Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
Post-it notes by keyboards don't bother me so much, unless they are on mission-critical accounts, in situations where untrusted individuals (e.g. janitors, or the public, as in the case of someone who works at an Internet Cafe/public library/school) can get to them.
What bothers me is when users use passwords like "sophia" or "pears" or "1952" and then expect ME to safeguard their accounts... AND to make matters worse they have zero clue about the risks they are placing OTHER accounts in by doing so.
Honey, I shrunk the Cygwin
Pick a memorable phrase. Like "we have nothing
to fear but fear itself".
Use the first letter of each word in the phrase
as your password at site #1. Use the second
letter of each word at site #2. Using that phrase
the passwords would be:
whntfbfi
eaooeuet
..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.
http://www.thinkgeek.com/gadgets/security/5a60/
Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...
Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.
Looks good for your age..
I understand why most passwords are needed. I also understand why needed passwords need to be difficult to guess (and therefore difficult to remember.
That said, I get very irritated when web sites require you to set up a user account, supply an email address, and remember the username and password for that account just to access some information.
For example, to get to many of Oracle's technical documents on technet.oracle.com, one needs to have a password-protected user account. The account is free, but its only purpose appears to be to allow them to track users. I really wouldn't care if someone broke into my Oracle account, as all it lets them do is search Oracle technical documents. This is just one example.
A few previous posters have noted that strict memorization of passwords is not that difficult. I don't dispute that fact. But my password database has, literally, about a hundred passwords. It grows regularly. I could certainly study the list, but who has time -- especially as the list grows and the passwords need to be frequently changed.
I hope that SSL/SSH client authentication alleviates the need to memorize passwords to some extent. The difficulties are that users use multiple computers, and that the client software to manage this is more difficult to use than many are prepared to deal with.
Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.
Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
Let me recommend a book for anyone having serious issues with inventing and memorizing secure passwords.
William Steig wrote a wonderful series of books which were like cryptograms. When you read a seemingly random string of numbers and letters you would have a full sentence.
For example:
CDB! (See the bee!)
D B S A B-Z B (The bee is a busy bee.)
O, S N-D! (Oh, yes indeed!)
The phrases become increasingly complicated and start adding numbers and symbols.
CDB has been the definitive guide to helping me choose passwords that are secure and I will easily remember them. For example, on one machine that was sitting underneath a poster of Corn from around the world, the password WAS (And is no longer...) e10a3-rfrn. (eating an ear of corn).
CDB!
"One touch of Darwin makes the whole world kin." George Bernard Shaw
I remember one password for all websites- BUT- I add a few characters from the website name to the password. So I've generated a unique password for each site, but only have to remember one.
e.g. for SlasDot.org the password might be "Sdogn4meD" and for mybank.com it might be "Mdogn4meB", etc etc.
I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digits, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
The problem most people have with passwords is that they try to *remember* them. That's alright for, oh, four to six passwords for a more technically oriented person, but unfortunately a lot of people are not technically oriented and/or have more than six passwords.
:)
Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.
I always use 10-16 character passwords, rule is at least two numbers, two capitals, two lowercases and one special character. I have about 15 or 16 passwords I need to remember, a few of which I change monthly, and while I usually do actually remember all, the method I use for storing the information is in the beginning to actively only remember the first character of the password per each site, and let my fingers do the rest of the work on their own. I usually tap the password in a few times right after I set it (and usually jot it down on a piece of paper if I need a reference -I always destroy said piece of paper at the end of the day I set the password, and until that it's stored in the secret compartment of my change pocket.)
Anyway, they point is: people can walk, run, swim, jump, write, play an instrument. All of those are subconscious motoric memories, and the capability can be easily used to store trivial things (compared to, say, walking, which requires hundreds of muscle movements) like a sequence of keys.
For beginners (the 'cool, my new pc has a neat apple logo on it and it's got an integrated cupholder' folk you work with all day), actual keypress sequences can be devised -for example, left-index, right-ring, right-index, right-pinky, left-ring & right-pinky and so on; however, purely motoric (i.e. non-mnemonic) memory is better in the long run.
Subconsciousness is the key. It works great for me until I can actually remember the password so I don't need a keyboard to write it -and I'd assert most people would never need to remember theirs at all. Of course, I've noticed sliht problems since I started learning Dvorak
--
Most of us are just pseudonymous cowards.
Marxist evolution is just N generations away!
I store a "password" list online. Instead of writing the password down, however, I put down something like "college addr##" against an entry and use some version of one of my many college addresses. Memorization is about tricks, and mnemonics are a common answer. I can't be bothered to remember the mnemonics so I write those down! Its odd, but so am I!
Why, then, do biometrics keep getting press?
.sig, you'll find my security document theory whitepaper, which talks about photo ID cards. People think of the photo ID card concept in such simple terms, when it's really a very ugly, complex security model. (I have this theory that people are bedazzled by the photograph, and really don't think much about where that photograph came from. Honestly, you could probably do quite a lot of crimes if you had a laminated photo ID hanging around your neck. )
Yes, you're right in saying that it's partially because they are so sexy and that millions of development dollars are going into them...and there is quite a lot at stake. Biometric companies have to make sure that people trust their products for the job at hand, and they're putting their money to that task.
People really do not understand security issues...they seem to think of security as a very basic transaction. If you click the link in my
With regards to biometrics, I believe the trust comes from the 1 to 1 correspondence idea. When an indivdual is professionally fingerprinted, and then later the same individual is profesionally fingerprinted again, the likelyhood that you would choose the wrong individual is very low, that's why fingerprints work so well in establishing identity of criminals. People assume that that can therefore be translated into some sorta security authetication system, which is simply not the case.
A fingerprint is simply an image. Nothing more, nothing less. Yes, it's an unusual image, small and compact. Sometimes this image isn't scanned visually, but scanned 3 dimensionally (like with a small electrical current...that's how some of the more advanced fingerprint readers work.) But it's still a damn image. Same applies to retinal scans, facial recognition, palm prints (which then may combine heat with an image. Ooo. Temperature...how unusual.) Since a counterfeit photo ID card is really just a plastic card with...an image, how are biometrics any different?
(Incidentally...how did photo ID cards become so popular? Cuz photo ID card manufacturing companies through a lot of money at convincing us they're worthwhile. You didn't see the photo driver's licenses (in the US) until Polaroid came up with instant color photography.)