Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

USB keys

[chrysalis]

USB keys are really neat to store keys (PGP, SSH, etc) .

This is definitely the handiest way to replace multiple passwords.

Re:USB keys

[neglige]

If you have a PDA, use a software to store the (encrypted) passwords. And make damn sure your PDA won't get stolen :)

Re:USB keys

[TCM]

How does this protect malware to read it off your USB stick _and_ use it? Right, you protect your private PGP key with.. a password!

The only thing that comes to mind that's even remotely sophisticated is an "intelligent" USB stick, so to speak. It contains your private key and never gives that out to anything. Instead, it gets fed a challenge, encrypts it using the key and sends it back to the computer where the corresponding public key is stored.

Is anyone using something like this on a regular basis (for his home server/desktop)?

Re:USB keys

[gl4ss]

and you should trust the computer you stick that stick in anyways.

one guy i used to know had a system (5-7years ago?) of cycling passwords on his computer, so that if somebody find out one of the passwords it didn't really help the thief shit, banks use this type of system frequently.

Wallet

[spoonist]

Store then in your wallet like Bruce Schneier does.

Note: I don't store mine in my wallet, so keep your hands to yourself!

Re:Wallet

[amcguinn]

And check his reasons for doing it: A wallet is a secure container for things you don't want to lose or have stolen. If I lost my wallet, the handful of medium-high importance passwords I would compromise would be among the least of my worries.

Using the same passwords for multiple different services is much more dangerous, and no-one could possibly memorise unrelated secure passwords for everything needed. I need about 20 just to do my work, and I'm usually required to change one or two of them every week.

The worst was my office voicemail. I rarely used it, and the required password change frequency was set so high that it demanded a new password every single time I tried to pick up a message. The end result was I turned the fscking thing off as it wasn't worth the effort to use.

Password rage? Try password-phobia.

[JessLeah]

I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.

Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.

Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).

People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...

And then, of course, the techs (us!) would get blamed.

Old Problem

[R2.0]

Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.

Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]

I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.

And BTW - everyone on site, even the IT dept., did it the way I did.

use a token

[neglige]

For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.

This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.

Re:use a token

[PurpleFloyd]

So someone would go through every item in your office, trying to find possible alphanumeric strings that might be a password, and type it in? Using a password like "CD" or "book" is a very bad idea, but using the password "0441328008-sand" (the ISBN of my copy of Heretics of Dune, which I just picked at random out of my 1000+ books, plus a random word relating to the book), isn't something that's easily guessable.

Furthermore, until it gets firmly implanted in my tactile memory, I just have to remember "Heretics of Dune" rather than a long ugly string of numbers. Things aren't nearly as easy for an attacker, though. Any attacker looking to get my password would have to first know that it is a book they're looking for, then go through every single book I own, typing in likely numbers (not only the ISBN, but also the barcode, and any other likely numbers; for example, I might work the price in there somehow).

Also, an attacker would have to have physical access to my home for a good long time to even know what books, CDs and other things I own. The set of all possible passwords, although restricted compared to a truly random string, is still incredibly massive and would take a long time to crack with a dictionary attack. Assuming I change the password every 2 to 3 months, the attacker would be better off looking for exploits to bypass the password mechanism entirely.

A few thoughts

[arvindn]

OnceUponATime, I used to have a password dictionary for download, here's the thoughts on passwords I'd written on that page:

Humans are horrible at selecting and using passwords. We have to live with passwords, however, since no other authencation mechanism is good enough to find use outside niches. (Let's face it: when humans interact with computers, we still have to go more than halfway to meet them.) We keep forgetting passwords, because we aren't really good at remembering lexical/numerical data. There are three things people to about this: write passwords down, choose weak passwords and choose the same password for several unrelated accounts. All of these are bad. Very bad.

Choosing the same password for different accounts is particularly bad. I imagine script kiddies have well-maintained databases of username:password pairs going around. (If they don't, at least the NSA has one.) I remember reading somewhere about how someone could easily acquire a sizeable list of username:password pairs. Set up a website offering free porn. No popups or other annoyances, but require users to create an account before being able to access much. Get word out about your site. Bingo. There you go.

A lot of websites store their users' passwords as plaintext. If crackers were consceintious enough to update a centralized list every time a website got cracked, I suppose anyone who uses the same password everywhere can be more or less certain that the black hats have got it.

I'm guilty of reusing passwords myself. I use one of only about 3 or 4 for accounts on random websites, but at least I use different ones for the machines on which I have any data that matters. The alternative of remembering all your account:password pairs is simply too much work. Browsers that fill in your password for you alleviate the problem somewhat, but if you browse from a lot of different accounts its still a pain.

As a sysadmin there is nothing much you can do about users writing down passwords or reusing them (except perhaps lecturing), but you can ensure that they don't choose weak passwords.

Biometrics

[rikun]

Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.

Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboards /5f11/ plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.

I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.

Biometrics on it's own is weak authentication

[Herrieman]

Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:

- something you have (such as a token) or
- something you know (such as a password or pin :))

Silly...

[mraymer]

Memorization is one of the easiest skills that the human brain is capable of. I think a lot of the frustration with passwords (and computers in general) is simply due to users lacking confidence.

Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"

Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.

Re:Silly...

[Zachary+Kessin]

Problem is we are good at memorizing paterns. And patterns are easy to guess. When Richard Feynman tried to crack the safes at Las Almos he found that a very large number of them were set to 31 41 59 or 27 18 28 (pi and e). We are good at memorizing things because we expect to find paterns, which is makes it easy to attach the password.

Now if you are cleaver you can change things just enough, or say put in letters of two langages. But most people just pick something stupid and go with it.

I will admit to having a throw away password, that I use when I need a password for something I don't care about.

Thinkgeek has something for this..

[Darth+Fredd]

..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.

http://www.thinkgeek.com/gadgets/security/5a60/

Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.

Strict password guidelines = easier to crack?

[Max+Webster]

I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digits, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.