Slashdot Mirror
Users feel Password Rage
Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."
USB keys are really neat to store keys (PGP, SSH, etc) .
This is definitely the handiest way to replace multiple passwords.
{{.sig}}
Store then in your wallet like Bruce Schneier does.
Note: I don't store mine in my wallet, so keep your hands to yourself!
I had an ex-boss-- the CEO of a dot-com-- who simply hated passwords. Her solution? Set up all of our workstations without a password at all, or with the same password, which never changed. (The password was the name of the company.) This was in an office in New York City, which we shared with other companies.
Apparently, this hatred of passwords had even spread so far as the techs-- when I joined the company, I almost immediately found that one of our three servers (running Windows (NT 4.0 Server), no less, had NO Administrator password whatsoever.
Users simply do not understand why passwords are important. They are completely unaware of the concept of a bad password (say, "apple") being cracked by a dictionary attack, and then being used as a stepping stone to gain root (at which point it's all over). I run a Web host myself, and I constantly have to explain to users why good passwords are important. And this problem has gotten much worse with time (at present my company is 5 years old).
People generally have the attitude of "Oh, who would try breaking into my account, I just have some photos of my cat there." Maybe so, but if your account has a one-word password, and you have shell or FTP access to the system, Bad Things could happen if your account was compromised...
And then, of course, the techs (us!) would get blamed.
Honey, I shrunk the Cygwin
Why not use a simple password manager program such as the popular Gator... uhm, er, uhm, maybe that's not such a wise idea!
I keep my passwords on small post-its, stuck to the edges of the monitor. Even though I must admit that recently I had to upgrade to a larger monitor because I ran out of space...
Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...
Former job: had access to 3 different database systems and the Lan. Passwords had to be changed every month, and no repeats were allowed for 6 months.
Result: ALL my systems used the same password, and it was of the form [lastname+sequential 2 digit number]
I was in blatant violation of the password policies, but they were unworkable. Policy was: different passwords for each system, composed of a random string of letters, numbers, and sysmbols. Add in changing it every month, and you get the picture.
And BTW - everyone on site, even the IT dept., did it the way I did.
"As God is my witness, I thought turkeys could fly." A. Carlson
For those really secure passwords, I look around in my office, pick a token, and use something from it as a password. Could be the ISBN number from my favourite book. Could be a book title. Could be the favourite track on a CD (or the MD5 sum of your favourite MP3). The model of your monitor. Anything. It's unlikely you will forget which token you used and what from that token you took as a password. If you really forgot, just take a look around, and you'll remember.
This assumes, of course, that there are passwords that you only need at work, and not at home (and vice versa). It's a start, though, and reduces the number of password you really need to memorize.
My cats ate my karma. They also wrote this comment.
I think the enraged users would benefit from the years of experience contained within the Open Source developer community. Their impartial review of all password would facilitate the password creation password. By providing a publicly-available password list and the application of such password, users would be able to leverage off the peer-review methodology with is quite popular in Ukraine.
The Open Source developers would also be granted much quicker access and approval to systems that they deemed important to their project work. This would improve fund generation and IP (Intellectual Property) sharing which are some of the stumbling blocks in current academic circles.
Only when we improve the texture-layer vortex shading in the Matrox drivers can be unleash the full potential of quad-monitor Parphelia configuration.
Which is nice.
Wearing pants should always be optional.
Biometrics do seem to be the solution to this problem. The problem in itself is PATHETIC, people who put no password or easy ones deserve to be hacked, or deserve to be fired, or whatever happens. It's not THAT big of a hassle.
s /5f11/ plus ThinkGeek has an iris recognition camera, and a stand-alone fingerprint authenticator. The only real problem is that they're all $100+, and I'm not quite sure if all of those people are willing to pay that much money to rid themselves of a problem that can be so easily fixed for free.
Anywho, there are already some biometrics hardware out for people to buy, if no one has seen it yet: http://www.thinkgeek.com/computing/input/keyboard
I can't say I'd mind biometrics getting cheaper and then doing that, though... heh.
Biometrics on it's own is still one-factor, and thus weak, authentication. To make it strong authentication, you still have to add:
:))
- something you have (such as a token) or
- something you know (such as a password or pin
http://blog.astyran.sg
Ever notice that the people who always forget passwords are the same ones that, when presented with one, will say "I'll never remember that!"
Granted, some people have better memories than others, but a little more confidence couldn't hurt. When a person says "I'll never remember that" they're basically choosing not to.
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
I keep all my passwords in a spreadsheet. The spreadsheet is passworded. That password is the concatenation of all my passwords so it's hard to break into and if I forget a password, all I have to do is.....hmmmm, wait.....
I dont so much mind managing the dozen or so passwords I have to memorize... namingly because I get to pick them. What I cant get over is our damned voicemail system!!!
;)
First off... the damned thing expires every 3 weeks, secondly, it remembers your last 10 or so entries and wont allow you to repeat them. Also, the damned thing does pattern recognition... Ironically, the most secure thing I have is my phone at work right now!
Its gotten so bad, probrably half the phones at work have their voicemail password sticky noted to the phone. Weakest link is always the user, eh?
Now THAT gives me password-rage.
One guy I worked with set his password to "Viewsonic" so that whenever he forgot it he could just look at his monitor.
Build a system for generating passwords from other information that's easier to remember. Books and their authors. Songs. Quotes from your favourite movies. American Football players. It's easy enough to build a quick and easy set of rules for which letters should be capitalised, where numbers should appear and so on. And it's a hell of a lot easier for me to remember that my root password is American Pie than it is to remember that it's dm7aO2Eg, or that my password for the database server at work is One Week rather than bl31eOWs. There's a huge range of subject matter to pick from, and although the passwords aren't random and do have patterns that make them slightly weaker than genuinely random , they're a damn sight better than the ones most people use, they won't succumb to a dictionary attack, they're easy to remember, and they meet the requirements set down by any password security checker.
++ Say to Elrond "Hello.".
Elrond says "No.". Elrond gives you some lunch.
The worst is the password policy that not only requires you to have a password that resembles line noise and is a minimum of 9 characters long, but also requires a change every 28 days.
The unintended consequence of this policy is instead of users bothering to choose a good quality password and making the effort to remember it, they either write it down and stick it on a post-it to their monitor (!) or they use something as a password that's on a book by their desk (such as a book name + part of its ISBN). The result is that the password is orders of magnitude easier to crack than if they weren't forced to change it as often or faced with a bizarrely complex password policy. And of course, when they change it, all they do is increment or decrement the trailing digit or character anyway.
Then there's password synchronization. On one network at $ORK, the password has to be synced in (a) a Novell netware tree (b) M Sexchange server, (c) web proxy (d) Windows domain. There are frequent failures with this synchronization (usually (a) (c) and (d) synchronize fine, but the M Sexchange server doesn't. The only solution is to reset the password which will resync it on all. It would be much nicer to have a passphrased public/private key pair, and use those to authenticate with everything.
Oolite: Elite-like game. For Mac, Linux and Windows
User: I can't log in!
Tech: Your biometric data's become corrupted, we'll have to resample it
Tech pulls out meat cleaver
Tech: Now, are you left- or right-handed?
...those crackers/hackers from the movies will usually guess it on the third try... while mouthing inanities like " "It's a UNIX system, I know this..."
---
A woman is helping her computer-illiterate husband set up his computer, and tells him that he will now need to choose and enter a password that he wants to use when logging on. The husband, thinking he'll be oh-so-manly, types in the following letters when prompted for his desired password by the computer... m - y - p - e - n - i - s His wife rolls her eyes. Then she nearly falls off her chair howling with laughter when the computer replies: PASSWORD REJECTED. NOT LONG ENOUGH
..a password-keeper. Has a master entrance code, and a "self-destruct" sequence.
http://www.thinkgeek.com/gadgets/security/5a60/
Since it comes from thinkgeek, you'll be supporting OSDN, and besides, anything with a self destruct sequence is cool. Really, really cool.
"The most looniest, zaniest, spontaneous, sporadic Impulsive thinker, compulsive drinker, addict"
I don't understand this "security experts say biometrics will fix the password problem", since I'm a professional security geek and I don't think that and I know of no fellow security geeks who think that. Indeed, most of us make fun of biometrics when they are mentioned as a solution to such problems.
Biometrics are essentially useless for over-the-net identity verification because you have no way of knowing whether the equipment on the other end has been tampered with. There might be no retinal scanner there at all -- just software that pretends there is one and feeds you faked up scans. There is also no way to change your retinal scan if it is compromised, so if someone finds a way to get information on your retina, they can thereafter fake your scan over the net with impunity. It isn't like your retina can engage in a public key authentication protocol with the equipment -- the equipment just makes a measurement, which once stolen can be replicated and by definition cannot be easily changed. Ditto for fingerprint scanners or any other biometric measuring instrument.
Also, the quality of biometric authentication, even when the scanners are known good and untampered with, is very questionable. The false positive and negative rates are unacceptably high -- measured in percent, not in hundredths or thousandths of a percent. That might be fine for unlocking the weather report, but is completely unacceptable for authorizing a purchase. Worse still, those false identification rates are unlikely to change.
In short, biometrics are not of any use for over the net authentication. They are only useful in very limited applications, like verifying identity at a door with a guard who makes sure you don't tamper with the equipment, and even then only if the system is verifying your identity based on another mechanism of conveying identity (like an ID badge) rather than attempting to determine who you are based on the scan.
Determining who you are based on the scan has an amazing error rate -- put a fingerprint scanner up on a door to identify rather than to verify an ID card and one in ten people will just walk in by putting their thumb up to it after being falsely identified as a user of the system. If you actually need security, such rates are unacceptable.
Anyway, as I said, serious security people rarely mention biometrics in any context, and never for over the net transactions.
Why, then, do biometrics keep getting press? I'm guessing because if you don't know anything about security, biometrics seem like a sexy idea, and because there are so many startups that have millions of dollars gambled on biometrics and would like people to think that they are going to be of some use in the security world.
Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/
I've never used Keychain so I'm not exactly sure what it's functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?
One such application for Windows is Password Safe. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).
I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.
P.S. I've found it unwise to use a different password for everything, relying of Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.
Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.
The keychain is basically a small, encrypted database with an accompanying API that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previous written into the keychain.
Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.
Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.
One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.
I wonder if someone will come up with "reverse dictionary attacks". That is, generate random combinations of letters, numbers, and symbols, and then discard all the dictionary words, words with 1 digits, repeated letters, proper names, words with substituted digits, etc. Make the password policy strict enough, and at some point this might become faster than a dictionary attack on a system without so many rules.
I admit that I know nothing about business, but it seems clear to me one of the primary goals should be to to make it as easy as possible to separate willing customers from their money. If people want to give you money, don't make them jump through hoops.
For example, an alarming number of sites I've visited require me to create an account to buy something. This is a turn-off.
For a first-time shopper who may never visit your site again, it's an extra, unnecessary step.
An account implies that my name, address, telephone number, email address, and credit card number are stored on file. No thanks.
Creating an account means I have to supply a password. This means that I either make up a new password (which I will need to remember but won't should I ever return), or I re-use a password I've used elsewhere. In other words, that's either one more password I need to remember or one more place where someone can steal it.
I have no evidence of this, but I suspect at least 90% of people re-use passwords. As a consequence, I must ask myself: do I trust your site with my password? (It suddenly strikes me as odd that I would trust a site with my credit card number but not my password, but I do.) Even if the answer is yes, that's one more decision the customer who has already decided to buy something from you has to make; that's one more point where the customer can change his/her mind.
Please, don't require accounts. Provide them as a convenience to repeat customers, but don't make them a barrier to first-timers. Make the first- timers happy, build up trust, and they'll be more likely to come back.
(If you do use accounts, it would be reassuring to know if your site hashes or encrypts passwords before storing them.)