Slashdot Mirror


Password Memorability and Securability

NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:

1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."

31 of 436 comments

  1. I just use my phone number..... by MrIrwin · · Score: 2, Funny

    oops!

    --

    And if you thought that was boring you obviously haven't read my Journal ;-)

    1. Re:I just use my phone number..... by Dr. GeneMachine · · Score: 5, Funny

      Hah! Now I also know how to reach you on the phone...

      --
      This comment does not exist.
  2. Longest... summary... ever... by Da Fokka · · Score: 4, Funny

    Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!

  3. Now keep them away from chocolate by enkafan · · Score: 5, Funny

    Yeah, passwords and standards are fine as long as you keep snickers out of the office

  4. Easy solution: by Anonymous Coward · · Score: 1, Funny

    Just patent password cracking as a business method, and sue everybody for patent infringement who attempts to guess your passwords!

  5. Re:gosh, that sure is a lot of words... by Anonymous Coward · · Score: 1, Funny

    So, all systems normal, right?

  6. Use these... by mcgroarty · · Score: 5, Funny
    These are the best passwords ever:
    jieph9Ee eik4zahW que8aiQu wahK6pee nie1eCho aNg2raew
    exeif0Ta ooqu9Aye Eid7iici eiZ6boin Waeg5kah Mi9vegoh
    eelae9Oo Ua7yojie Jiquaud5 Vohw7iwi Eit7laax Aesae2ax
    They are relatively random, easy to remember (you can kind of pronounce all of them), and best of all, nobody has guessed a single one of them yet. I've been using these for years, and you should too!
    1. Re:Use these... by scottme · · Score: 2, Funny

      Damn you! How did you guess my passwords? I have been using these and others like them for years, but now I see I was only kidding myself when I thought they were secure.

      Still, plenty more where those came from.

  7. I sense a good social engineering technique here by Spatula Sam · · Score: 5, Funny

    "Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."

  8. Revolutionary... by danielrm26 · · Score: 2, Funny

    What's next? Long passwords better than short ones?

    --
    dmiessler.com -- grep understanding knowledge
  9. Re:Sys admin and internal support by anon*127.0.0.1 · · Score: 2, Funny

    No, the post-it on the monitor is way too obvious.

    Clever users put the post-it on the bottom of their keyboard, where no one will ever think to look.

    --
    I am NOT a man!
    I am a free number!
  10. a password policy I've been dying to implement... by rivaldufus · · Score: 2, Funny

    1. password must be at least 64 characters long, with no dictionary words, and at least 8 special characters
    2. Passwords expire in 24 hours
    3. Account is locked out after two mistakes
    4. A given character may be used only once in a particular password (No repeated characters)
    5. Account locks out on second attempt

    I'd love to see someone implement this policy at some corporation - just so long as I'm not the administrator there.

  11. Read Lots Of HP Lovecraft For Password Ideas by pandrijeczko · · Score: 3, Funny
    After all, with creatures like Cthulhu, Nyarlathotep, Tsathoggua, Hounds Of Tindalos, the Wendigo, etc., there's plenty of scope for non-dictionary passwords and I've never seen a Cthulhu mythos word file for password crackers...

    ...having said that, with having uttered these names so frequently in the past, I now have a large black tentacle growing from the back of my neck and keep seeing strange shapes lurking in the shadows...

    Gibber...

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:Read Lots Of HP Lovecraft For Password Ideas by Dun Malg · · Score: 2, Funny

      Heh. Yeah, my sig is a veritable GOLD MINE of passwords.

      --
      If a job's not worth doing, it's not worth doing right.
  12. Mnemonics questionable by Anixamander · · Score: 5, Funny

    My mnemonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"

    And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.

    --
    Do not taunt Happy Fun Ball(TM)
  13. Re:The best security by the_mad_poster · · Score: 4, Funny

    So, basically, you're saying that Slashdot is impenetrable?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  14. Re:Sys admin and internal support by Liselle · · Score: 2, Funny

    Hmm, bottom of the keyboard, I'll have to try that. I'm still trying to figure out how he guessed that my password was "summer1", though.

    --
    Auto-reply to ACs: "Truly, you have a dizzying intellect."
  15. 6. The sixth folk belief... by cedmond · · Score: 5, Funny

    Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.

    --
    ----------------------------------
    I'd rather not take sides until I hear the monkey's version - PHB
  16. Divorces and Passwords dont mix by MajorDick · · Score: 5, Funny

    Well, when going through a really rough divorce (I had an easy one too) I was in serious fear, and justifiably so, of my Ex hacking accounts using some of my known Passwords. I, like many others, have a cycle of about 10 that are used interchangeably. All these were, with the exception of 1, personal passwords. I found she was accessing my work mail and personal mail almost immediately, Soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court, she was ACTUALLY Stupid enough to bring up several points in court, my Attorney was aware and asked where she found this information out, "Around, friends, etc" Bwwwahhaaaa talk about someone looking stupid, she bought it hook, line and sinker.

    Sometimes easy to crack passwords are a GOOD thing :)

    On another note, after I took her to the cleaners at court I decided to TIE one on, well....NEVER....and I mean NEVER....change your passwords while really drunk..it took me 2 days to reconfigure redit and reset all my passwords I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage

  17. Pretty Simple Solution... by Anonymous Coward · · Score: 1, Funny

    The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords.

    Not for me. Most common password ever used: sex.

    Easy for me to remember my password... 8==D()

    Course, I have to post this as an AC so no one can root my system...

  18. Re:My password method by maximilln · · Score: 2, Funny

    Writing random passwords has always been my personal policy. The password must be a mix of upper and lower case letters with at least 2 numeric digits and a length of at least 6. I try never to have the numbers next to each other but this happens on occasion.

    The trick is then to remember the passwords. My own personal systems at home have root and at least two users with login, ftp, and samba passwords for each. There are also e-mail passwords, /. password, various internet service passwords, and passwords for websites. At work I have at least five passwords directly related to work and another dozen or so which log on to websites for work-specific information. With so many alphanumeric passwords the memory task is a large load for even someone with a super-human memory.

    My personal system has been to give in to the necessity of writing all of the passwords down. Cleartext passwords would defeat the purpose of the complex passwords so I keep an encryption algorithm in my head. I have four or five encryption algorithms in my head that I use. Which algorithm is used for any particular password is usually noted using a cryptic set of symbols next to the u/p combination on the paper. Thinking ahead reveals that a dedicated stalker might be able to cross reference the encryption algorithms as they're noted on the paper (much like cross-referencing databases of cookies which "do not store personally identifiable information") so I also have a store of null symbols which I scatter over the pages. I have also briefly experimented with letting the meaning of the symbols change relative to their page position but this has caused a fault more than once.

    Needless to say such a complicated system is not foolproof. At least a dozen times I've found that the encryption algorithm in my head doesn't correctly translate the information on the page. Usually I find that I'm "one-off" in either the translation or the algorithm used. Fortunately I have never permanently locked myself out of an account. It usually takes a day or two of trying different combinations before I get the "eureka!" and enter the correct combination.

    The tin-foil in my hat still nags me that all of this effort is wasted, though, since the NSA has secretly contracted with all manufacturers to install hardware keyloggers on every keyboard manufactured since 1995. They access the 1mb keyboard cache using backdoors, built into all computer BIOS chips since 1995, similar to the superuser backdoors built into Cisco equipment.

    --
    +++ATHZ 99:5:80
  19. Re:Sys admin and internal support by wwest4 · · Score: 2, Funny

    > The number of times I've seen summer1 is ridiculous.

    "coffee[1-9]" is another one. the best is when people pick embarrassing ones, like "imabadas", "jacked", or "bigman33".

  20. I like that analogy by A nonymous Coward · · Score: 3, Funny

    Wonder how well it would improve security at apartment buildings and houses if we required users to change physical keys every 90 days ... got to prevent someone from sneaking in every morning and raiding the cookie jar and kids' piggy banks.

  21. Re:My password method by deadlinegrunt · · Score: 2, Funny

    1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"

    That's what I do with all my passwords, for example:

    People Always Suspect Secret Words Or Random Dates
    Wait a minute, D'oh!

    --
    BSD is designed. Linux is grown. C++ libs
  22. Slashdot passphrase by MoreDruid · · Score: 2, Funny

    IANAL&IneverRTFA

    Oh wait... did I just give away John Katz's password?
    --
    The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
  23. Re:quepasa by caluml · · Score: 1, Funny
    "slash" which maps to the password Z?+JTLZ?4&

    Reply anonymously to this if you tried to log in as Nizo. Bonus points if you reply as him, and swear a lot.

  24. Re:Random Passwords aren't the problem by RKBA · · Score: 3, Funny
    No, the problem is with the password police who require those women to change their password every month.

    You mean like Mordac ?

  25. Re:quepasa by Nodatadj · · Score: 2, Funny

    Fuck fuck shit shit taco is a stupid ass fuckweed.

    Oh wait, shit, it didn't work.

  26. The Most Secure Password by Anonymous Coward · · Score: 1, Funny

    Research has shown that the most secure password is 'X7no0RsTT'. Everyone should change all their passwords to 'X7no0RsTT' immediately, or they will be at a greater risk of being violated by hackers.

  27. Re:Random or mnemonic? by gnu-generation-one · · Score: 2, Funny

    "It just doesn't matter. It's still going to be written on a yellow sticky and stuck on the screen."

    So set somebody's password to "don't forget to pick up the kids from school", and don't let them change it.

    The next person to get an account gets a password of "phone message from john"

  28. Re:how do you guys store your passwords? by Fortran IV · · Score: 2, Funny

    National brand 31-120 Handi Notes notepad, 60 Sheets / 3 x 5 Narrow Ruled White Paper. Sanford Expresso Extra Fine in green or blue or Bic SOFTFeel Medium in black.

    --
    I figure by 2030 or so my 6-digit UID will be something to brag about.