Slashdot Mirror
Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
yup. that's my password.
USB keys are really neat to store keys (PGP, SSH, etc) .
This is definitely the handiest way to replace multiple passwords.
{{.sig}}
Store then in your wallet like Bruce Schneier does.
Note: I don't store mine in my wallet, so keep your hands to yourself!
I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.
Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.
Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).
People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...
And then, of course, the techs (us!) would get blamed.
Honey, I shrunk the Cygwin
Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!
I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...
Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...
Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.
Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]
I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.
And BTW - everyone on site, even the IT dept., did it the way I did.
"As God is my witness, I thought turkeys could fly." A. Carlson
For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.
This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.
My cats ate my karma. They also wrote this comment.
Until biometrics become more mainstream people should check out those cheap USB key chain mini drives. They work okay, but I still find them a pain to use.
I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all password would facilitate the password creation password. By providing a publicly-available password list and the application of such password, users would be able to leverage off the peer-review methodology with is quite popular in Ukraine.
The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.
Only when we improve the texture-layer vortex shading in the Matrox drivers can be unleash the full potential of quad-monitor Parphelia configuration.
Which is nice.
Wearing pants should always be optional.
Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.
s /5f11/ plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.
Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboard
I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:
:))
- something you have (such as a token) or
- something you know (such as a password or pin
http://blog.astyran.sg
Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"
Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
I never thought I'd hear that on Slashdot.
I imagine it's a long process of finger pointing all over the corporate world, though. The bottom line is that this just might be an inherent flaw of conventional passwords, and we either have to accept that, or develop a better system.
I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....
If so, your problem's solved!
CEE5210S The signal SIGHUP was received.
I dont so much mind managing the dozen or so passwords I have to memorize... namingly because I get to pick them. What I cant get over is our damned voicemail system!!!
;)
First off... the damned thing expires every 3 weeks, secondly, it remembers your last 10 or so entries and wont allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now!
Its gotten so bad, probrably half the phones at work have their voicemail password sticky noted to the phone. Weakest link is always the user, eh?
Now THAT gives me password-rage.
One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.
Apple Keychain
Now I only have to remember 2 or 3 different passwords. Keychain does the rest of the thinking for me.
Are you an open source warrior?
Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random , they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
Part of the problem is that by putting passwords on too many things you are requiring people to do something that most people simply can't do. Think about it, a good password has to be essentially random, at least eight characters long, and only used once. And then the passwords should be changed monthly. Seriously, how many of you can remeber %Fhe#jhx*, $%SDh!@l, (*^GKk32vc and sd)hdf@m? Studies done by various phone companies show that people tend to only be able to memorize about seven numbers at a time..
And think how many passwords you end up using: your account password on 3-4 computers, various root passwords, passwords to hotmail, your Amazon.com and eBay accounts, your ATM PINs, your credit card PINs, the access to your wireless router at home, and all the access codes to various subscription websites (hot asian teens and whatnot :) )?
Faced with this deluge of things to remember (which most people simply do not have the neurons to do), what do we do? Either use only one password, use something easy to remember, or write it down on a piece of paper kept in ones wallet. All of which are security no-nos. But security people have to face reality - passwords are only good security when used judiciously!
Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
Diceware definitly provides the most secure but easily remembered passwords, and even lets you make pretty exact estimates of the entropy content of your passwords, which makes all sorts of calculations simple and fun.
What's wrong with passwords? I love passwords! They're so fun to memorize. Especially when they belong to other people.
Seriously, though, not everyone thinks like your average computer geek. For most of us, passwords and other alphanumeric sequences are simple to memorize. For many other people, even phone numbers can be very difficult. Not that geeks are necessarily better (okay, we are, but that's beside the point), we're just skilled at soaking up random information. Other people have skills in other areas. We shouldn't really expect everyone to think like us.
[insert witty quote here]
here's what i do... feel free to tear it apart if its actually a bad idea...
lets say i have 10 machines. for each of them, i just memorize an easy to remember 8 letter password. there's also one nasty long password stub that i have thats like 12 characters. i remember just one of those, and after i do the first 8 of the machine specific, simple password, i append the big nasty one, and that's the password for the machine. if someone gets one of them, i know i have however long it takes to brute force crack an 8 letter password to get the other machines.
not that i see what the big deal is -- isnt a password of "i like to eat pumpkin pie" just as strong a password as "sj34##@dj3"? (roughly; dont do the actual math as i know they are different. all i mean is that they're both good enough most of the time)
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.
The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.
Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't. The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
Oolite: Elite-like game. For Mac, Linux and Windows
Biometrics still have a lot of basic advantages over passwords.
Today:
[Informed cracker dials front desk]
Cracker: Hi, this is John in Support. We're having a problem with your account, could you just confirm the ID and password you use to log in so I can fix it up?
Clueless front desker: Sure, I type johndoe and the password is "reindeer flotilla".
Cracker: Great, thanks. I'll fix your account up right now, and you shouldn't see any difference from usual once it's done.
Next year:
[Informed cracker dials front desk]
Cracker: Hi, this is John in Support. We're having a problem with your account, could you just send me your fingerprint so we can fix it?
Clueless front-desker: Um...
Remember, the two biggest problems with passwords are (a) choosing dumb ones allowing brute-force attacks on a system, and (b) their vulnerability to social engineering attacks. Even simple biometrics would go a long way to fixing those, and thus restricting cracking to those who actually have a clue and not s'kiddies with nothing better to occupy their time.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Now...Was this site 15 or 16?
Big Brother Bush is doubleplus ungood.
User: I can't log in!
Tech: Your biometric data's become corrupted, we'll have to resample it
Tech pulls out meat cleaver
Tech: Now, are you left- or right-handed?
...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like " "It's a UNIX system, I know this..."
---
A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH
..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.
http://www.thinkgeek.com/gadgets/security/5a60/
Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
Perhaps a discussion of boycott will motivate web designers and other developers to consider picture matching and other forms of authentication and help do away with the over-passwording...
Then the end user will stop supporting poor interface design, and cease to be the (second) weakest link.
Looks good for your age..
I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.
Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.
Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.
In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.
Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.
Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.
Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
It's perhaps bad because it's a single point of failure, but all of my passwords are, one way or another, stored using the Mac Keychain. Safari stores its passwords in there, as do some other browsers. I use PasswordWallet (for Mac and Palm) to store passwords (and more) in an encrypted file, which is accessed via a passphrase stored in the Keychain. Even my SSH passphrases are stored in there (accessed via SSHPassKey).
Anyway, what prompted this was Schneier saying, "Don't let Web browsers store passwords for you." Sometimes, the browser is as secure as anything else on your computer, as in the case with Safari + Keychain.
I understand why most passwords are needed. I also understand why needed passwords need to be difficult to guess (and therefore difficult to remember.
That said, I get very irritated when web sites require you to set up a user account, supply an email address, and remember the username and password for that account just to access some information.
For example, to get to many of Oracle's technical documents on technet.oracle.com, one needs to have a password-protected user account. The account is free, but its only purpose appears to be to allow them to track users. I really wouldn't care if someone broke into my Oracle account, as all it lets them do is search Oracle technical documents. This is just one example.
A few previous posters have noted that strict memorization of passwords is not that difficult. I don't dispute that fact. But my password database has, literally, about a hundred passwords. It grows regularly. I could certainly study the list, but who has time -- especially as the list grows and the passwords need to be frequently changed.
I hope that SSL/SSH client authentication alleviates the need to memorize passwords to some extent. The difficulties are that users use multiple computers, and that the client software to manage this is more difficult to use than many are prepared to deal with.
Three things that would be a nice replacement for passwords in every day life. Of the three, the easiest/nicest would probably have to be access card. We are beginning to use them in the military - our new IDs act as our access card. The biometric data on the card need not be intrusive (certainly less so than military ID cards) for common use. States could standardize on using a common driver's license with a chip on it with no more information stored in it than is on a normal driver's license. This and a single pin number would suffice.
Quicker and/or easier...computers come with a card reader and you can just purchase or get a dedicated access card when you get a new computer/reader. Each card could simply contain some generic, unique data in it that combined with a pin is all you need. If using a standard card/data system then all corporations, schools, etc, could adopt it. One card, or just a few, no more onerous than carrying around several credit cards, insurance cards, etc. The only thing you need to memorize is one or two pins. Tied to public key (no M$ DRM server-type nonsense), best to use PGP/GPG to keep it open and universal, and you are set.
In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
I agree with you in part, but I think it's premature to dismiss biometric security entirely. There are instances and occasions where it makes good sense. For instance, let's say that you're a bank teller. Every day you deal with a steady stream of customers, the vast majority who don't know their account number.
No problem. Do what Citibank's been doing for the last few years; put ATM keypads at each teller window. To authenticate yourself, swipe your ATM card and enter your PIN. Poof. While this isn't the best system around it's not too bad, especially since there's a teller standing right beside it to make sure you don't do anything obviously hinky with it.
But then there are going to be lots of people who don't have their ATM card with them for whatever reason--let's say they accidentally left it at home. Okay, the system still works, but instead of swiping your ATM card and punching your PIN you show the teller your driver's license. The teller looks you up in their database, makes sure you match your photograph, etcetera.
What happens if your wallet's been stolen and you have no identification? Let's say you're mugged and you lose your wallet, and you're forced at gunpoint to give up your PIN. As soon as you get away you run to your bank and talk to the teller. You have no ATM card. You have no driver's license. There's no way they can authenticate you.
But you still have your thumbprint.
So now you authenticate yourself via a thumbprint scanner. The teller takes the thumbprint scanner out of a locked drawer (where it's been stored precisely to limit the amount of access people can have to it, and thus, their opportunities for malfeasance with it) and sets it out in front of you.
Presto, you're logged in, and the teller can have some degree of confidence that you're a customer and need to have your credit cards and ATM access cancelled.
Yes, there are significant problems with biometrics over the Net. Most of these problems can be alleviated by adding a trusted human being to the equasion, someone to stand by the biometric reader and make sure nobody does anything obviously hinky with it. (In this case, the teller serves that function.)
I certainly agree that biometrics aren't a panacea and they aren't a replacement for a real security policy. But I think you go a little too far to say that security people think biometrics ought never be used for over-the-Net transactions.
Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/
I've never used Keychain so I'm not exactly sure what it's functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?
One such application for Windows is Password Safe. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).
I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.
P.S. I've found it unwise to use a different password for everything, relying of Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
Okay guys and gals, I am going to share the methodology I use to create pseudo random passwords:
1. Make up a phrase that you will remember - make it fairly long - at least 12 words, e.g:
night of the living dead zombies eat flesh for fun and kicks
2. Pick out key letters. A simple key is to use is just the first letters of each word - you can get more complex by alternating the first and the last letters or some number of letters, like alternating 1st and 3rd letters (on words smaller than 3 letters just use the last letter) etc. We will just use the simple method:
night of the living dead zombies eat flesh for fun and kicks
so we end up with:
notldzefffak
3. Make it even more difficult to break by inserting numbers and special characters in the password. Many password systems are set up to require numbers within passwords - so you may not have a choice in the matter; also, some systems will not let you use special characters - adjust as needed for your local conditions:
notl96dzefff%ak
And there you have it, a password that a normal dicationary lookup will not break - and yet one you can easily remember by recalling the original phrase, and applying your letter picking rule. No need to keep stickies on your computer, or in your desk drawer, or under your desk, or in a book, or in your wallet etc... (you would be amazed where you can find people's passwords just by examining their work area...lol).
Now, get out there and change your passwords!
Good luck!
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.
The keychain is basically a small, encrypted database with an accompanying API that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previous written into the keychain.
Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.
Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.
One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.
Let me recommend a book for anyone having serious issues with inventing and memorizing secure passwords.
William Steig wrote a wonderful series of books which were like cryptograms. When you read a seemingly random string of numbers and letters you would have a full sentence.
For example:
CDB! (See the bee!)
D B S A B-Z B (The bee is a busy bee.)
O, S N-D! (Oh, yes indeed!)
The phrases become increasingly complicated and start adding numbers and symbols.
CDB has been the definitive guide to helping me choose passwords that are secure and I will easily remember them. For example, on one machine that was sitting underneath a poster of Corn from around the world, the password WAS (And is no longer...) e10a3-rfrn. (eating an ear of corn).
CDB!
"One touch of Darwin makes the whole world kin." George Bernard Shaw
I remember one password for all websites- BUT- I add a few characters from the website name to the password. So I've generated a unique password for each site, but only have to remember one.
e.g. for SlasDot.org the password might be "Sdogn4meD" and for mybank.com it might be "Mdogn4meB", etc etc.
I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digits, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
Kerberos or more generally, trusted 3rd party authentication was invented to solve this problem. You enter one password to gain access to the ticket granting service, and that service handles authenticating you for all the other ones you can use. This problem has been solved correctly for a long time, there is no need for fancy tricks like biometrics to solve it again.
Passport is a great example of such a system (obviously lacking in implementation, but the idea is great).
What is it now with this "Rage"-mania? Why do we have to give even the most trivial behavior some pathological nomenclature?
There was a story in the local paper here about a guy who woke up and fired his shotgun at a bunch of bass fishermen who zoomed by his camp in their speedboats. He was labeled the guy with "wake rage". I guess in a few months Pfizer will have some pill for this, accompanied by the "It's not your fault - it's a disease and it's treatable" drivel.
Excuse me, I think I may be getting Rage-Rage. Is there a pill for that?
I doubt anyone will get down to reading this but too much of this discussion is being approached from the wrong side. A password of 2 simple english words (ie: treecat) would be enough to require a dictionary attack of 500 000 tries (1000 common words squared or better yet, 3 words for 500 000 000). Enough time that a dictionary attack could be detected because regular users alwyas give up after 12 or so failed tries.
If 12 failed attempts in an hour required you to call IT to reset the counter then 500 000 attempts now takes 40 000 hours or 40 000 calls to IT; either of these makes it unusable as a hacking route. Even a distributed attack would only get 12 tries an hour on jdoe's account. The worst side effect would be jdoe getting locked out while his account was being hacked (rather a DoS attack that way... which is a different problem and not my forte)
Why is attack detection not given more attention than making users remember noisy passwords?
My list of multiplayer
I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.
For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.
For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.
An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.
Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.
I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.
Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first- timers happy, build up trust, and they'll be more likely to come back.
(If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)
The problem most people have with passwords is that they try to *remember* them. That's alright for, oh, four to six passwords for a more technically oriented person, but unfortunately a lot of people are not technically oriented and/or have more than six passwords.
:)
Solution? As with computers, the human brain is an interesting device; and there are always ways around things. I, therefore, propose using a proxy for storing passwords: the motoric memory.
I always use 10-16 character passwords, rule is at least two numbers, two capitals, two lowercases and one special character. I have about 15 or 16 passwords I need to remember, a few of which I change monthly, and while I usually do actually remember all, the method I use for storing the information is in the beginning to actively only remember the first character of the password per each site, and let my fingers do the rest of the work on their own. I usually tap the password in a few times right after I set it (and usually jot it down on a piece of paper if I need a reference -I always destroy said piece of paper at the end of the day I set the password, and until that it's stored in the secret compartment of my change pocket.)
Anyway, they point is: people can walk, run, swim, jump, write, play an instrument. All of those are subconscious motoric memories, and the capability can be easily used to store trivial things (compared to, say, walking, which requires hundreds of muscle movements) like a sequence of keys.
For beginners (the 'cool, my new pc has a neat apple logo on it and it's got an integrated cupholder' folk you work with all day), actual keypress sequences can be devised -for example, left-index, right-ring, right-index, right-pinky, left-ring & right-pinky and so on; however, purely motoric (i.e. non-mnemonic) memory is better in the long run.
Subconsciousness is the key. It works great for me until I can actually remember the password so I don't need a keyboard to write it -and I'd assert most people would never need to remember theirs at all. Of course, I've noticed sliht problems since I started learning Dvorak
--
Most of us are just pseudonymous cowards.
Marxist evolution is just N generations away!
I store a "password" list online. Instead of writing the password down, however, I put down something like "college addr##" against an entry and use some version of one of my many college addresses. Memorization is about tricks, and mnemonics are a common answer. I can't be bothered to remember the mnemonics so I write those down! Its odd, but so am I!