Password Memorability and Securability
NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the
other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap-
peared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a
non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times
harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
How many passwords have you got? turn on pc, open email, encrypted files, bank account login's, ftp login's, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometrc identification technologies, perhaps these could be put out for the general public to use?
Do you need a website upgrade?
If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.
Hoist Number One and Number Six.
Most of the time, people just don't care. And why should they?
I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.
Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.
So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.
Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?
Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...
Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.
Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.
Glonoinha the MebiByte Slayer
-The Libra
"You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
- my best friend's son, Gabe, at 5 years old.
-The Libra
"Please be patient--The future will begin momentarily."