Password Memorability and Securability
NonNullSet writes "Who would have thought that something new could be said about how best to select passwords? Ross Anderson of Cambridge University and some of his colleagues have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic phrases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each appeared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
Freaking PDF files. Link to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.
I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.
Google's HTML Cache Version
Hmmm.
oops!
And if you thought that was boring you obviously haven't read my Journal ;-)
Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!
So take a look at quepasa. It combines remembering a passphrase, with cryptographically generated passwords (SHA-256 hashing of the passphrase and account name followed by mapping of the hash to typeable characters).
The combination means that I can always "recall" the password for any of my accounts using the quepasa application (all I remember is a single passphrase), and the passwords are not stored anywhere.
John.
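The derivation the post describes (hash of passphrase plus account name, mapped onto typeable characters), as an added example that is not quepasa's own code. The 64-character alphabet, the NUL separator and the 16-character output length are my assumptions; the post does not give them. The second function is my hardened variant, and the third shows why it matters: a single derived password that leaks lets an attacker test master-passphrase guesses offline, so the per-guess cost should be high.

```python
import hashlib
import hmac

# 64 typeable characters: 256 % 64 == 0, so (byte % 64) is an unbiased index.
# Assumption: the exact alphabet quepasa uses is not given in the post.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789!@")
assert len(ALPHABET) == 64


def derive_fast(passphrase: str, account: str, length: int = 16) -> str:
    """The scheme as the post describes it: one SHA-256 over passphrase and
    account name, then a fixed mapping of digest bytes onto typeable characters.
    The NUL separator keeps ("ab", "c") and ("a", "bc") from hashing the same
    input.  Each character carries 6 bits, so 16 characters is about 96 bits."""
    if not 1 <= length <= 32:
        raise ValueError("one SHA-256 digest yields at most 32 characters")
    material = passphrase.encode("utf-8") + b"\x00" + account.encode("utf-8")
    digest = hashlib.sha256(material).digest()
    return "".join(ALPHABET[b % 64] for b in digest[:length])


def derive_slow(passphrase: str, account: str, length: int = 16,
                iterations: int = 600_000) -> str:
    """Hardened variant (my addition, not quepasa's): the account name is the
    salt for PBKDF2-HMAC-SHA256, so every guess at the master passphrase costs
    `iterations` hashes instead of one."""
    if not 1 <= length <= 32:
        raise ValueError("one derived key block yields at most 32 characters")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              account.encode("utf-8"), iterations, dklen=32)
    return "".join(ALPHABET[b % 64] for b in key[:length])


def guess_master(derived: str, account: str, candidates, derive=derive_fast):
    """The offline attack one leaked derived password enables: try candidate
    master passphrases until one reproduces the leaked value.  Returns the
    recovered passphrase, or None."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand, account), derived):
            return cand
    return None


if __name__ == "__main__":
    master = "correct horse"          # constructed sample passphrase
    for site in ("slashdot", "bank", "ftp"):
        print(site, derive_fast(master, site), derive_slow(master, site, iterations=10_000))
```

The fast form is exactly as convenient as the post says, and exactly as fragile: whoever sees one site's password gets an unlimited number of free guesses at the master passphrase, which is why the slow form is worth the fraction of a second it costs per derivation.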
Mitnick had a neat suggestion in the Art of Deception. The Consonant-Vowel Method. It provides an easy to remember password because it is pronounceable. You take the following template and swap in consonants and vowels: CVCVCVCV. The examples he gave are MIXOCASO and CUSOJENA. The point is they won't be in the dictionary but you can remember these nonsense words.
Support the First Amendment. Read at -1
Sometimes even the most vigilant sysadmin is not able to halt these problems.
Where I work the passwords are changed by internal support and logged into a database as well as entered into the system.
Despite requests to use strong passwords, the internal support view is to get as quiet a life as possible and just accept whatever password a user chooses.
The number of times I've seen summer1 is ridiculous.
Personally I think users should choose their own passwords and the system should limit them to >8 characters and a %age difference from their last 10 passwords. But I don't make up the policies.
Matt Thompson - Actuality - Insert product here.
Yeah, passwords and standards are fine as long as you keep snickers out of the office
In order to investigate these trade-off factors in a real context of use, we have conducted an experiment involving 400 first-year students at our university.
While the size was larger than I initially expected it to be, I don't know if you can definitely "debunk" myths --as the poster definitively states -- using a 400 person focus group to simulate several dozen millions of varied abilities.
One area I'd like to see would be strength of a password in terms of randomness, requiring use of characters, etc. vs. length. Is an 8-character password with a punctuation mark better than a 10-character password with all lower-case characters? If so, by how much?
Then we can determine a good password policy that fits with the security model at the facility.
On the other hand, I don't have a password retention policy either, so really if someone is in my employ for more than six months, there's a good chance of a password getting lost into the wrong hands. Yes, I know this is a bad idea.
Kinetic stupidity has a new brand leader: Allen Zadr.
How many passwords have you got? Turn on PC, open email, encrypted files, bank account logins, FTP logins, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometric identification technologies; perhaps these could be put out for the general public to use?
Do you need a website upgrade?
Just patent password cracking as a business method, and sue everybody for patent infringement who attempts to guess your passwords!
So, all systems normal, right?
I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.
The key is to detect the attack.
"Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."
What's next? Long passwords better than short ones?
dmiessler.com -- grep understanding knowledge
There are a couple things i do....
1) On my servers the password changer forces them to not use dictionary words, has to have numbers, letters and non-alphanumeric characters, and they can't use their previous so many passwords
2) For my password I use a few things from my childhood that no one will ever come up with.
3) There is nothing like keeping up on your security patches.
Evolution or ID?
Seriously, even if you are using something other than passwords, say biometric authentication, security will remain as shabby as it is today unless users understand the importance of keeping the system secure. And that is a tall order.
declare @consonants char(20),
        @vowels char(5),
        @password varchar(255),
        @length tinyint -- passed to sp

select @consonants = 'bcdfghjklmnpqrstvwyz',
       @vowels = 'aeiou',
       @password = '',  -- must start as '' : NULL + 'x' is NULL in T-SQL, so the result would be NULL
       @length = 8      -- maximum of 254; any more will overflow varchar(255)

-- Builds a Mitnick-style CVCVCVCV word. substring() is 1-based, so the index must be 1..20
-- (1..5 for vowels); round(rand()*100/5, 0) produced 0..20, where 0 gives '' and 20 is rare.
-- rand() is a seeded pseudo-random generator, not a cryptographic one; for real password
-- generation take the bytes from CRYPT_GEN_RANDOM() instead.
while (@length > 0)
begin
    select @password = @password + substring(@consonants, 1 + convert(int, floor(rand() * 20)), 1)
    if (@length > 1)
    begin
        select @password = @password + substring(@vowels, 1 + convert(int, floor(rand() * 5)), 1)
    end
    -- subtract only what was appended, so an odd @length does not underflow the tinyint
    select @length = @length - (case when @length > 1 then 2 else 1 end)
end

select @password
Silpon Designs
Scented Paper Products
How about using a smartcard for system logon and decryption of an AES database with your passwords?
http://keepass.sourceforge.net looks like it has potential.
If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.
Hoist Number One and Number Six.
Back in the days of limited capacity, 8 or 10 character passwords made sense. Today, there's no reason why we shouldn't be moving towards pass phrases of 20-50 characters. How difficult would it be for someone to remember "It was the best of times, it was the worst of times." as their password, and yet, how difficult would it be to crack a 52 character password?
It's really just a matter of changing mindset to use passphrases instead of passwords.
Most of the time, people just don't care. And why should they?
I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.
Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.
So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
It just doesn't matter. It still going to be written on a yellow sticky and stuck on the screen.
All your i286 are belong to us.
I used to work on a military installation with really elaborate guidelines for choosing passwords. It would usually take me at least a dozen times to choose a valid, unused password. My buddy had a trick that would get him a good password every time. Being fluent in Korean, he would come up with a phrase in Korean and spell it out phonetically to produce a new password. I wonder how many foreign-language workers in the US do the same thing?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
I'm confused.... all those answers that were listed in the front page version of the article (yes in true slashdot style .. i don't even wanna read the actual link..and have no time otherwise)
.. not like its a real proof or anything.
are pretty much what i would think of passwords. I think i lost some knowledge by reading the results of that study. It amazes me how people can study things to come up with a non-scientific proof answer to things we already know. I mean its a survey.. its not exact... we all knew the answers anyways.. so why even survey
I think the real problem with passwords is nobody ever teaches anybody how to make a strong password that is easy to remember. You're just told the parameters and left to fend for yourself. I myself personally have always come up with combinations of letters and numbers and special characters that have a seemingly random look and in fact have a correlation to some phrase I have in my head, and usually it's a phrase I would only think of and not necessarily say in real conversation to people.
Who makes you Sig?
Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.
Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?
Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...
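The lockout-and-notify idea from this post and the earlier "the key is to detect the attack" comment, as an added example; it is my code, not anything from the thread. Thresholds, window lengths and the "per source address" counter are my assumptions. Failures are counted both per account and per source, so a dictionary attack that sprays one guess across many accounts (which never trips a per-account counter) is still caught, and lock events are retained so an operator can be paged when several accounts lock inside a short window.

```python
import time
from collections import defaultdict


class LoginGuard:
    """Server-side throttling of password guessing (added example, not from the thread).

    Failures are counted per account and per source address; crossing either
    threshold locks that key for `lockout_seconds`.  Lock events are kept so
    an operator can be alerted when many accounts lock in a short window,
    which is the signature of a dictionary attack rather than a forgetful user.
    """

    def __init__(self, max_failures_account=10, max_failures_source=100,
                 failure_window=900, lockout_seconds=900,
                 alert_accounts=5, alert_window=300):
        self.max_failures = {"acct": max_failures_account, "src": max_failures_source}
        self.failure_window = failure_window      # seconds over which failures accumulate
        self.lockout_seconds = lockout_seconds
        self.alert_accounts = alert_accounts      # Y accounts ...
        self.alert_window = alert_window          # ... locked within Z seconds => alert
        self._failures = defaultdict(list)        # key -> timestamps of recent failures
        self._locked_until = {}                   # key -> time the lock expires
        self._lock_events = []                    # (time, key), for alerting

    def _is_locked(self, key, now):
        return self._locked_until.get(key, 0.0) > now

    def _record_failure(self, key, now):
        recent = [t for t in self._failures[key] if now - t < self.failure_window]
        recent.append(now)
        if len(recent) >= self.max_failures[key[0]]:
            self._locked_until[key] = now + self.lockout_seconds
            self._lock_events.append((now, key))
            recent = []                           # counter restarts after the lock expires
        self._failures[key] = recent

    def attempt(self, account, source, password_ok, now=None):
        """Returns "ok", "denied" or "locked".  While locked, even the correct
        password is refused, so the lock cannot be used as an oracle that
        confirms the last guess."""
        now = time.time() if now is None else now
        acct_key, src_key = ("acct", account), ("src", source)
        if self._is_locked(acct_key, now) or self._is_locked(src_key, now):
            return "locked"
        if password_ok:
            self._failures.pop(acct_key, None)    # the source's counter is deliberately kept
            return "ok"
        self._record_failure(acct_key, now)
        self._record_failure(src_key, now)
        return "denied"

    def accounts_locked_recently(self, now):
        return len({key[1] for t, key in self._lock_events
                    if key[0] == "acct" and now - t < self.alert_window})

    def alert_due(self, now):
        """True when at least `alert_accounts` distinct accounts locked within `alert_window`."""
        return self.accounts_locked_recently(now) >= self.alert_accounts


if __name__ == "__main__":
    # Constructed attempt stream: one address guessing 'summer1' against many accounts.
    guard = LoginGuard(max_failures_account=3, max_failures_source=5,
                       alert_accounts=2, alert_window=300)
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"]):
        print(user, guard.attempt(user, "203.0.113.9", False, now=float(i)))
    print("alert:", guard.alert_due(now=10.0))
```

Two trade-offs are worth knowing before deploying this. A per-account lock lets an attacker deny service to any user whose name they know, which is why the threshold is high and the lock expires on its own; and a per-source lock can shut out a whole office behind one NAT address, so its threshold is much higher than the per-account one. Neither counter is a substitute for slow, salted password hashing, which is what protects the accounts once the password database itself is copied.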
I find that a good way of generating passwords is to come up with a sentence or a phrase that makes sense to you, take the first letter of each word, and then 1337 it up. For instance, Windows XP loves the Sasser worm becomes: WxP175W It's cryptic enough and easy to remember
The perfect sig is a lot like silence, only louder
1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"
2. come up with some kind of replacement strategy: w=m, a=1. IwboaM = Imbo1M
3. bookend it with the year you were born: Imbo1M = 19Imbo1M69.
It looks totally random, but there is a method to the madness. If you need to change it, you can just inc the year, or use some other rule on it. The strength is that you completely make up the rules, and they don't have to make any sense. All you have to do is remember the original phrase (easy) and your rules (easy to complex).
(and the example I gave is completely arbitrary)
You could also do one where your password is the answer to the question. Remember the question "What month was I born?" Answer: October
Password starting point = HalloweenMonth. Then apply crazy rules to it. In this way, you can write down your reminder phrase "Month born?" and it is nowhere near what your password is.
My beliefs do not require that you agree with them.
For users who claim they can't remember passwords, I recommend that they use the names of two of the favorite pets they have had in their lifetime, with one or more numeric or symbolic characters in between and/or at the beginning or end.
i.e. Rover8Kitty!
It's not great, but better than Mary2.
I'm sure I'm not the only one who occasionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious) but things like !@()ZX>? Hell, half the time I remember friends' phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Amoeba
Do not taunt Happy-Fun Ball
I find it particularly annoying when people use what I call the 'license plate' passwords -- if you know what the mnemonic is, the password makes sense, but it's difficult to consistently go from the mnemonic to the password --
- !4m32s@y -> Not for me to say -> !4me2say
- !4us2d0 -> Not for us to do -> !4us2do
(yes, I worked with some people who were rather negative) Personally, I was working on a program for generation of passwords from fortune, so that things are handled consistently, but I've stalled the idea until I can get it to use a significantly larger basis for the mnemonics (as if you knew the source of the mnemonics, and the rules for generating passwords, it's just as easy to brute force as a dictionary attack)
Build it, and they will come^Hplain.
Some people have been claiming that using things like "fsa7ya" or "4sa7ya" as the first letters of "four score and 7 years ago" is a good way to make up passwords. I've got a friend who has a dictionary of about 20,000 such phrases and it took a few of us about a half hour to find a common quote that wasn't in his list. He also happens to have a 50-word list that is very effective at brute force attacks.
1. password must be at least 64 characters long, with no dictionary words, and at least 8 special characters
2. Passwords expire in 24 hours
3. Account is locked out after two mistakes
4. A given character may be used only once in a particular password (No repeated characters)
5. Account locks out on second attempt
I'd love to see someone implement this policy at some corporation - just so long as I'm not the administrator there.
Looking at through cynical eyes it doesn't matter how secure your method is because, you are ultimately placing trust in the typical user who will most likely do something stupid when given the chance.
Gibber...
Gentoo Linux - another day, another USE flag.
My mnemonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"
And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.
Do not taunt Happy Fun Ball(TM)
So, basically, you're saying that Slashdot is impenetrable?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I used to do that back in the USMC - I converted my wall locker combination to base 7 and then put that on tape on the back of the lock. Everyone in the barracks tried it and failed. Meanwhile I had a nicely documented combination. Of course, I suppose I was fairly lucky that nobody simply removed the tape - but the same combination was also in my wallet along with all my PIN numbers. Again in base 7...
I use "socket2me" for a password. Is this random enough not to be guessed?
Just use pattern passwords: ;-)
:-/
1) Put both hands on our friend, QWERTY
2) Move fingers into a natural, systematic position
3) Bang out a pattern using all fingers
4) Randomly include the shift key and those keys at the top, including the Back Space
5) Keep hitting some keys even after you've hit Enter; Then hold the Back Space key (optional)
6) "Practice, practice, practice!" so it can be typed very fast
Results?
* I rarely mistype a password
* I don't know my own password
* I couldn't share my password with security unless a keyboard was around
* I type it in so fast, it would take a video recording to spy-capture it (me thinks)
Of course, nothing can help you with key logging
Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.
----------------------------------
I'd rather not take sides until I hear the monkey's version - PHB
If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.
The passwords I use on anything important, are far more secure.
For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelihood is that those passwords will match their online banking account and work passwords.
In my consulting practice I will often set up new server at a client site and assign a password, which is always a random string of letters and numbers. I usually get a shocked look when I tell them the password, but they do commit it to memory (I've never had a client write it on a post-it). I repeat the password with a cadence that makes it easy to remember.
One thing I have noticed is that clients will often be reluctant to change a random password they have memorized, as if their brain can only memorize one random string. I'll go back months later to find they are still using that same password. In fact, it often becomes the "standard password" on numerous systems.
The one practice that really makes my skin crawl is the system of using words with numbers replacing letters, like "5ecur1ty" and "pa55w0rd". No one would ever think of adding those to a dictionary attack, would they?
Ask me about my vow of silence!
I read a story about a book method for developing crypto keys. It was a fairly common method in the past before computers. I thought about it and have used it for years for choosing my passwords. They tend to be mnemonics, but I can write down a hint sheet that is pretty safe.
It works like this. I choose a book at random from my work area, choose a page at random and then pick a line. I develop a mnemonic password from that line. If I need a hint, I write down the page and line number on a piece of paper; I can even stick it to my monitor if I need to. My average library of reference books at work is over 50 books. How big a hint to an attacker is 347 12? All I have to remember is what book I chose.
My last job, my boss couldn't remember any password that wasn't part of his name until I introduced him to mnemonic passwords.
I have to change several passwords every month or 3 months. The systems have all the integrity checks for the passwords, checks for dictionary words, numbers in the middle, special characters, all that stuff. It used to take me several tries to come up with a password that met the criteria and that I could remember.
So finally I figured out a pattern of keyboard taps that would meet the rules no matter which key on the keyboard you started with. So now I memorize 1 pattern and effectively have a 1 character password for every system I deal with.
Is it secure? no clue. Since I type it 1 fingered, it is probably vulnerable to shoulder surfers, but other than that I don't see a problem with it. I only know one other person that uses this technique, so there are probably not any specific attacks for it.
But if someone makes me use a Dvorak Keyboard, I am SOL.
"However, both random passwords and mnemonic passwords suffered from a non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement."
The problem here is giving the users the ability to choose their password.
ugh. Don't give users a choice. When their password expires, give them a new one. Let them hit the "re-generate" button until they are happy or tired.
What really bugs me is that most ERP vendors don't recognize this as a problem. Most use screens/forms that have to be significantly customized to remove the "enter bad password here" choice.
Or use SHA2. Because I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack page.
The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.
An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.
I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.
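What the precomputed-table attack above buys the attacker, and what a salt takes away, as an added example in my own code (nothing here is from rainbowcrack or from the poster). The word list is constructed from passwords mentioned elsewhere in this thread. One point the post blurs: a single fixed 20-character salt for the whole site only stops tables built for other sites; a salt generated per password (shown here, 16 random bytes stored beside the hash) means even two users with the same password get different hashes, and the iterated hash makes each guess cost far more than one SHA-256.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed dictionary, built from passwords mentioned in this thread.
WORDLIST = ["password", "summer1", "5ecur1ty", "pa55w0rd", "Rover8Kitty!",
            "socket2me", "Mary2", "MIXOCASO", "letmein"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt.  Same password, same hash, for everyone."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Hash -> plaintext, precomputed once.  A rainbow table is this idea with the
    storage compressed into hash chains; the lookup property is what matters here."""
    return {unsalted_sha256(w): w for w in words}


def crack(stored_hash: str, table: dict) -> Optional[str]:
    return table.get(stored_hash)


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Per-password random salt plus PBKDF2-HMAC-SHA256.  The salt is not secret;
    it is stored in the clear next to the hash.  600,000 iterations is my choice
    for the default, not a figure from the thread."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack(unsalted_sha256("pa55w0rd"), table))     # found instantly
    salted = hash_password("pa55w0rd")
    print("salted:  ", crack(salted, table), salted[:40] + "...")      # None
    print("verify:  ", verify_password("pa55w0rd", salted))
```

Note that a table only ever answers "is this exact hash in my table"; it cannot be reused against salted hashes without being rebuilt for every distinct salt, which is the whole point. Using SHA-2 instead of MD5 changes nothing here: an unsalted SHA-256 table is just as buildable, only slightly slower to build.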
A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.
When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.
You can easily generate mnemonic passwords using pwgen.
It's definitely easy to remember mnemonic passwords. I've been able to not log into a machine for months, come back to it and remember the mnemonic password unique to that machine.
Well, when going through a really rough divorce (I had an easy one too) I was in serious fear, and justifiably so, of my ex hacking accounts using some of my known passwords. I, like many others, have a cycle of about 10 that are used interchangeably. All these were, with the exception of 1, personal passwords. I found she was accessing my work mail and personal mail almost immediately, soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court; she was ACTUALLY stupid enough to bring up several points in court. My attorney was aware and asked where she found this information out: "Around, friends, etc." Bwwwahhaaaa, talk about someone looking stupid; she bought it hook, line and sinker.
:)
Sometimes easy to crack passwords are a GOOD thing
On another note, after I took her to the cleaners at court I decided to tie one on, well....NEVER....and I mean NEVER....change your passwords while really drunk. It took me 2 days to reconfigure redit and reset all my passwords I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage.
The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords.
Not for me. Most common password ever used: sex.
Easy for me to remember my password... 8==D()
Course, I have to post this as an AC so no one can root my system...
I just keep a handful of dice in the desk to roll new passwords with. 2d6 >> base 36 >> letters and numbers. My logon pw, for instance, is 24 digits of that stuff.
I'd be interested in a password cracking study comparing passwords where this DLL was turned on (for Windoze domains) and where users are given a free choice. The DLL enforces stronger passwords, but IME few companies use it.
When I am king, you will be first against the wall.
There are so many places online where i am required to use a password, and there are so many ways for those different accounts to be linked together with some form of datamining on the other end. What I am concerned about is malicious intent from the other end. How can i trust that insiders with access to these password databases don't use my password info to sign into other account i may have on the net (i.e. financial accounts)?
I try to used different passwords depending on the level of trust i have for a certain company. For example, all of my banking passwords are different than say a password i would use to log into /. or hotmail. The problem with this is trying to remember which passwords are for which sites.
Of course, I then run into the problem of accounts where I must change my password monthly or quarterly, and I can't use previous passwords. This seems to be another huge security risk (unless a strong form of hashing is used) as the system now has a list of all my previously used passwords, and once again I have more passwords to remember as I can no longer stick with the few I would like to.
I feel that my passwords are relatively random and reasonably strong, and wish i could keep them. Does anyone what to test this theory and post AS ME from this /. account?
So, your passwords are made from the "reply-to" of random SPAM messages!
-The Libra
"You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
- my best friend's son, Gabe, at 5 years old.
-The Libra
"Please be patient--The future will begin momentarily."
I occasionally like mnemonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not.)
FIPS-181 describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here.
Sample run:
$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat
APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.
For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.
I find that forcing the user to change their password every three months and then not allowing them to use the previous 4 passwords virtually guarantees that the person will write down all 5 password and then type in all 5, one after the other and until they get to the one that they are currently using. Personal passwords that are kept by one person, should not be forcibly changed on a rotating basis. Shared passwords that several people have should to handle people leaving and what not.
Please explain to me the benefit of frequently forcing changes to personal passwords.
THIS SPACE FOR RENT
Bah, my password at work meets your requirements and raises it by a minimum of 5 non-alphanumeric ASCII codes. I always add ASCII codes to my passwords when a field will accept them. I mean, who is gonna look for '®æÝ' in a password?
Sigs? We don't need no stinking sigs!
"Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."
And i'd like to offer you some chocolate in exchange for your password.
Got to love that information.
How many hours do you burn trying to hack someone's password when all you had to do was promise to send them a block of chocolate?
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
I might be in the minority by remembering over a dozen different passwords that all expire at different times, but aren't these passwords getting out of hand? Instead of studying the effects of having a well thought out password, how about devising a way that we don't have to use a password for every application and every website and have them all expire at different varying times. Some expire after 30 days and you can't reuse the password for 3 years! You have to expect people to start writing down passwords when there are so many.
Try out this nice password generator. You can customize the output based on what you feel would be most secure and easiest for you (randomness, length...). Just don't complain if an admin of that site craxx0rz j00.
purely biometric passwords are inherently flawed. i worked on a system which is really a combination of the two: handwriting signature verification. you can pick your password by picking what your "signature" will look like. it can be a simple shape, or your name, or whatever. furthermore, unlike a password, even if an attacker can guess what your password is (which is much harder since the space of possible passwords is much larger), he has to be able to forge it, writing it the way you write it. this is very difficult. more importantly, even poorly chosen passwords (simple shapes) cannot be cracked with brute force attacks since the password space is so large.
BSD is for people who love UNIX. Linux is for those who hate Microsoft.
The password for a particular login is then the random rubbish for that login plus the memorable word. The memorable word can be the same for every login.
A brute force attack remains unfeasible without obtaining the piece of card; not perfect but it makes it a good deal harder as it requires the physical presence of the attacker. At the same time the user is more likely to obey your instruction not to write their word down as there is only one, easy to remember word to remember.
Stealing the password then requires both physical access to the bit of card and a brute force attack. That raises the bar quite a bit from needing only one of those two.
The question I would like looked into is how many "old" passwords should a system remember and not allow a person to reuse.
I'll give you an example, a place I used to work required all the standard things: caps, non-alpha, 90 day expiration, etc. but what bugs me is that your new password can't be the same as any of your previous 6. Now, I have three or four good solid passwords that meet (or can be made to meet) all those requirements, but when I have to come up with 7 different ones, they start getting weaker and weaker near the end. I know that in most systems you can just run through half a dozen passwords in about two minutes and get your old one back, but they also instituted a minimum age so you couldn't do that.
All these things are generally considered good network security, at what point do you start doing more damage than good though? How many passwords does your system require, and does anyone else find themselves in the same situation I'm in?
Never underestimate the power of human stupidity -RAH
Our production users either have them barcoded for easy scanning or written ON the monitor. Super secure...
We just had a security audit...crash and burn! Well that's what you get when you have to "Do more with less."
Sean D.
"Hmm. I am to metaphor cheese as metaphor cheese is to transitive verb crackers!"
ASCII codes? We used to DREAM of ASCII codes. 456 of us, living at a corp, using only 128 characters... etc.
Is this a typo, or is there a new meaning of "mnemonic"? The whole point of mnemonic passwords is that they're easy to remember. That's what mnemonic means.
Am I part of the core demographic for Swedish Fish?
Wonder how well it would improve security at apartment buildings and houses if we required users to change physical keys every 90 days ... got to prevent someone from sneaking in every morning and raiding the cookie jar and kids' piggy banks.
Infuriate left and right
If you have a lot of passwords, use a program to store them in encrypted form and have one good rotating password to open them all up. Ultimately I guess one of these could be cracked but it's a distant chance and thus a good compromise for someone who's got a lot to keep track of.
It's that fucking attitude that makes my life miserable. ALL computers are desirable. MOST attacks are automated. They have nothing against YOU personally.
I wrote this a long time ago and figured now would be a good time to post it on the internet. It uses a uniform random number generator based on /dev/random and generates passwords of arbitrary length based on printf-like format specifier. It also prints the strength of the generated password, assuming that /dev/random is truly random (pffft).
My favorite part is that it can use the short-word list from skey (a OTP system) to generate easy to remember passwords. A format specifier of %6s will spit out something like "at bum his dud fay bid" which is actually 66 bits strong and a lot easier to remember (for me) than the equivalent 11 character alphanum string.
Sick of playing to rent DVDs or losing your O'Reilly books to your coworkers. Try office-exchange.com today!
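To make the strength arithmetic in the post above concrete, here is an added example (my own code, not the poster's program) of a printf-style password generator that reports entropy per format specifier. The conversion letters (%s words, %a alphanumeric, %d digits, %p punctuation) are my assumptions about what such a specifier looks like, and the word list is a constructed 2048-entry stand-in for the S/Key dictionary, which is all the strength estimate depends on. Randomness comes from the OS CSPRNG via the secrets module rather than a hand-rolled /dev/random reader.

```python
import math
import re
import secrets
import string

# Character classes understood by the format specifier (assumed semantics):
# "%Ns" draws N words from the word list, the rest draw N characters from
# the named alphabet.
CHAR_CLASSES = {
    "a": string.ascii_letters + string.digits,  # alphanumeric
    "d": string.digits,                         # decimal digits
    "p": string.punctuation,                    # punctuation
}

# Constructed stand-in for the 2048-word S/Key list: only its size matters
# for the entropy estimate (log2(2048) = 11 bits per word).
WORDLIST = [f"w{i:04d}" for i in range(2048)]

SPEC_RE = re.compile(r"%(\d*)([sadp])")


def _tokens(fmt):
    """Yield (count, conversion) for each %Nx directive in fmt; literal text
    between directives is yielded as (None, text)."""
    pos = 0
    for m in SPEC_RE.finditer(fmt):
        if m.start() > pos:
            yield None, fmt[pos:m.start()]
        yield int(m.group(1) or 1), m.group(2)
        pos = m.end()
    if pos < len(fmt):
        yield None, fmt[pos:]


def entropy_bits(fmt, wordlist=WORDLIST):
    """Bits of entropy, assuming every draw is uniform and independent."""
    bits = 0.0
    for count, conv in _tokens(fmt):
        if count is None:
            continue  # literal text is known to the attacker, adds nothing
        size = len(wordlist) if conv == "s" else len(CHAR_CLASSES[conv])
        bits += count * math.log2(size)
    return bits


def generate(fmt, wordlist=WORDLIST):
    """Generate a password from fmt using the OS CSPRNG (secrets module)."""
    out = []
    for count, conv in _tokens(fmt):
        if count is None:
            out.append(conv)
        elif conv == "s":
            out.append(" ".join(secrets.choice(wordlist) for _ in range(count)))
        else:
            alphabet = CHAR_CLASSES[conv]
            out.append("".join(secrets.choice(alphabet) for _ in range(count)))
    return "".join(out)


if __name__ == "__main__":
    for fmt in ("%6s", "%11a", "%3s-%4d"):
        print(f"{fmt:10} {entropy_bits(fmt):5.1f} bits  e.g. {generate(fmt)}")
```

Running it shows why the post calls six short words and eleven alphanumerics "equivalent": %6s is exactly 66 bits, %11a is about 65.5 bits. The estimate is only valid if the generator really is uniform, which is why the example uses secrets rather than random.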
...you can solve this one by throwing money at it.
Buy one of these and relax. You'll never have to worry about passwords again.
When I was working at NASA, I was still using a very simple password consisting of a very unusual word plus a number. One day the sys admin sends me a mail and says "Hey, I cracked your password. You must be a fan of [band name who had a song by this title]". I was embarrassed enough that I immediately changed my password to something much stronger, and use a strong password to this day.
It works well because many people (myself included) just didn't get how easy it is to crack simple passwords until someone does it. If it's your friendly sysadmin, a normal desire to appear less idiotic is a sufficient motivator to choose a strong password.
IANAL&IneverRTFA
Oh wait... did I just give away John Katz's password? The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
oops, must remember to preview next time
I've seen [dictionary word][non-alphanumeric character][dictionary word] (e.g. chrome=turnip) or even [dictionary word][dictionary word] (e.g. purplegearbox), where the concatenated words do not form a dictionary word. Googlewhackers could have fun generating (in)secure passwords along these lines.
This is hardly new research.
Sigs. We don't need no steenking sigs.
You can get software to enforce the policy to avoid the 10% non-compliance mentioned above. In the Unix/Linux world, you can use something like NPasswd to do it. For you Windows' people, something like Password Bouncer would do the trick.
Lucent's R&D people once put the same functionality into a public proxy, the Lucent Personalized Web Assistant (LPWA). In its first implementation you could fill a form with username, password and email address by typing /u, /p and (I think) /e. The proxy would hash your proxy login with the site name to create a unique username and password for every site that required them. They remembered the unique email address and forwarded it to your real one, just like sneakemail.com does today but more automated.
Of course it didn't work with SSL, which is why the functionality belongs in the browser. There's no good answer for locating the email address generation.
LPWA is dead now. Lucent sold it to a small company and the project has never been heard from again.
So what kind of data do they have access to? Is it critical data, or just their local machine? If it's critical, do they need that access all the time?
For a while we had strict passwords on our PCs - but there was nothing important you could get at from a PC, unless you used it to connect to a Unix box - at which point you had to enter your Unix password. There really was no reason why the PC even needed a password.
2) For my password I use a few things from my childhood that no one will ever come up with.
;)
Now I can extort you with the dirty details AND use your login
Sigs for Nerds. Sigs that Matter.
Account locking doesn't deal with offline attacks where the attacker has a copy of the keyfile or password file. In fact, it makes the situation worse, because with automatic account locking a malicious user who wants to lock another user's account (or the entire company) need only run a small script that rapidly attempts to log into each account with a known bad password.
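The lockout-as-denial-of-service problem described above is easy to spot in the authentication log, because the abusive pattern (one source failing against many different accounts in seconds) looks nothing like a user mistyping their own password. The following is an added example, not the poster's code: it parses a handful of constructed lines in OpenSSH's syslog wording and flags sources that hit several distinct accounts within a short window. The window and account threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog wording (not a real capture):
# 10.0.0.5 fails against five accounts within three seconds (a lockout sweep),
# 192.0.2.9 is one user mistyping twice and then succeeding.
SAMPLE_LOG = """\
Mar  4 09:00:01 host sshd[101]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar  4 09:00:01 host sshd[102]: Failed password for bob from 10.0.0.5 port 40002 ssh2
Mar  4 09:00:02 host sshd[103]: Failed password for carol from 10.0.0.5 port 40003 ssh2
Mar  4 09:00:02 host sshd[104]: Failed password for dave from 10.0.0.5 port 40004 ssh2
Mar  4 09:00:03 host sshd[105]: Failed password for erin from 10.0.0.5 port 40005 ssh2
Mar  4 09:01:10 host sshd[106]: Failed password for alice from 192.0.2.9 port 50001 ssh2
Mar  4 09:01:15 host sshd[107]: Failed password for alice from 192.0.2.9 port 50002 ssh2
Mar  4 09:01:20 host sshd[108]: Accepted password for alice from 192.0.2.9 port 50003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2003):
    """Return a list of (timestamp, result, user, src) tuples.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd lines are ignored
        ts_text = " ".join(m["ts"].split())  # collapse the padded day field
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def lockout_sweeps(events, window_seconds=60, min_accounts=5):
    """Flag sources whose failed logins touch at least min_accounts distinct
    accounts inside any window_seconds window. Returns {src: sorted users}."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "Failed":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in lockout_sweeps(parse(SAMPLE_LOG)).items():
        print(f"possible lockout sweep from {src}: {', '.join(users)}")
```

Keying the rule on distinct accounts per source, rather than on failures per account (which is what the lockout itself counts), is what separates the sweep from ordinary typos; a per-source block or rate limit is then a response that does not lock the victims out.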
my scheme: math
grab a simple equation:
4+6=10
spell out one or two words
4+six=ten
bingo. easy to remember, hard to guess.
BTW, figure more like 45M tests per second.
The numbers in the parent are the right way to analyze a simple isolated system like machine storage of crypto keys.
If you're storing the passwords inside humans, the Law of Unintended Consequences walks up and socks you in the nose. Make the passwords too strong and they wind up taped to the monitor.
My answer to the problem is heretical (http://www.berylliumsphere.com/password_heresy.h
... but not in the way that you might think.
True story, if about ten years old:
Back in my freshman year of college, my roommate and I were discovering the wonder of the internet. The way the school internet access was set up, usually you would dial up, then get this sort of telnet prompt, from which you could pick one of the uni's student UNIX boxes to connect to to check your e-mail or whatever.
Now, there really weren't enough of the UNIX boxen to handle the load the students placed on them in peak hours. Sometimes they'd be down, and sometimes they'd just have too many users doing too much shit to make you want to use them in anything less than an emergency. My roommate, in the process of trying to feed his burgeoning MUDding addiction, discovered that you could telnet to anywhere, not just the uni's student boxes, despite what they had taught us about our student accounts. This let him connect to his MUD of choice regardless of the status of the UNIX machines.
He had a macro he would hit to enter the MUD's IP, his character's name, and his character's password together in quick succession. His character's password, as it happens, was Cthulhu.
One day, the MUD was down, and so 'Cthulhu' ended up being entered by the macro into the faux-telnet-prompt thing. This connected him to a U.S. government computer in Indiana, apparently named Cthulhu. There wasn't, as far as we were aware, any sort of escape character for this faux-telnet prompt, so he kept typing things like 'exit' and 'quit' trying to get out as Cthulhu demanded his login information. Eventually it cut him off.
The FBI reported him to the uni for "hacking" and they cut his student internet access off for the rest of the year. Comically sad.
No idea if there's still a Cthulhu out there, somewhere in Indiana...
Why do we need passwords when we can just swipe into our terminal with our government-issued biometric ID cards? Add a quick check of the fingerprints, iris scan, cheek swab for DNA, and a urine and stool sample and we're good to go. You can then start the day with all waste voided, your eyeballs scrubbed for greater acuity over those long productive work sessions, and your employer can keep signing those paycheck with a smile in their heart knowing that you've never actually spent any of the money they've given you doing anything as crass as enjoying yourself.
Plus the government will know you've been good too. You. Specifically. That ought to thrill you down to your toes.
C'mon! What are we waiting for?!
One of the penalties for refusing to participate in politics is that you end up being governed by your inferiors - Plato
For authentication purposes, biometrics are nearly as good as it gets. Remember, authentication, is to show that you are who you say you are.
Biometrics cannot be shared (except, in some cases, among identical twins). The other issue of biometrics is legacy and diverse systems (see last paragraph). Not all systems can handle/be retro-fitted with biometric scanners.
However, if you want to have a username and password that can be shared among a group of people (service specific userid), biometrics won't do at all. (Yes, this is still relatively common). Or, have a relatively anonymous service (like Slashdot) - where a userid may want to keep multiple accounts (see my sig-link).
Does anybody know of a decent biometrics system that works well with a Hybrid linux/windows network? I researched it, and can't find anything. Maybe someone else will know.
Kinetic stupidity has a new brand leader: Allen Zadr.
Reading through that summary, I couldn't help but think one thing: The first rule of your password is you do not talk about your password.
This kind of reminds me of another novel by Chuck Palahniuk (author of Fight Club): Lullaby. In that novel, everyone's password is "password". The main character manages to break into someone's computer simply on the hunch that that was the password.
As many others have posted, the problem with 'secure' passwords is often that users will start noting them down and keeping them on their screen or in the drawers of their desk.
I have had good results with instructing 'reluctant' users to select an item in the room (or something on a picture on the wall next to the desk) as their password hint. An elderly secretary very uncomfortable with their computer and very forgetful when it came to passwords finally did well when I recommended her to use the name of a bird on a poster (in German). I think this is still a lot better than either a random password noted on a Post-It or the name of your late pet or 'secret' lover.
But, of course, this is totally insecure in a high security environment. So, eventually, we have to conclude that there is a strong relation between security requirements and user capabilities (and enthusiasm/reluctance). It is a 'social engineering' matter after all, isn't it?
Kind regards
zapyon
I like my spaghetti with source.
n|t
-- It only takes 20 minutes for a liberal to become a conservative thanks to our new outpatient surgical procedure!
Feel free to take a look at our approach to solve this never ending problem http://www.mindlocked.com ;-)
There are good ideas out there just waiting to be discovered
Basically it assigns random chars/numbers/symbols to each letter of the alphabet ... Now I print this nice little table and use it for passwords all over the place. For example I could just remember "slash" which maps to the password Z?+JTLZ?4&
The table itself isn't a terrible idea, but where you really go wrong is printing it out. If anyone gets a look at your "alphabet," and you've used a simple dictionary password, then it's as simple as doing a dictionary attack -- just with your modified alphabet instead of the standard one.
This is why, as the article states, user-devised password schemes aren't very good (although yours is probably somewhat better than many), as they only give the illusion of security.
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
I would advise against using pronounceable passwords. My university requires all students to use their login and password to log in at every computer in the university.
The problem is that you're sometimes too tired and hurried to log in, and you don't notice that the cursor is still in the login field when you type your password. This happens especially when your login failed, because then you're out of your usual "login /tab/ password /enter/"-rhythm.
In those cases, it is very important that your password is NOT pronounceable. I've regularly seen glimpses of the passwords of people sitting next to me in front of the computer. When the passwords were not pronounceable, like "i4H62qBr", you couldn't possibly remember them in the second or two you're given, because users get a shock reaction when they see their own password on the screen, and backspace it frenetically.
But, of course, if your password is "IfHydrovia", people are able to read and memorise it instantly, if they want it or not.
I can give another useful tip though, especially for Europeans: if you have to use both QWERTY and AZERTY keyboards, pick a password that is entered the same way on both. This will mean that you won't enter your password incorrectly because of the different keyboard layout. And in most cases, it's when you have to log in again that people accidentally use the wrong field to type their password.
He was briefly in Chile for a US$420 a seat conference, and the head of the Computer Science Dept. asked him if he could give the students a little talk.
A representative answered exactly this:
Thank you for your inquiry. Kevin is indeed in Chile next week-- and would love to address your students. He does, however, charge a fee for his presentations (it's how he earns his livelihood)--- A standard presentation is 45 min. long plus 15 min. Q&A and covers the information presented in his book, The Art of Deception. The cost for a presentation like that is typically $15,000 US; however, due to the fact that you are an educational institution and Kevin will already be in the area delivering his other presentation, I could offer you a discounted price of $9,000 US (a savings of 40%)plus any related travel costs to/from your organization to his hotel.
One comment I'd make is that you can pretty easily compress long English phrases without losing the mnemonic help of the phrase
one flew over the cuckoo's nest -> 1flu^th3CnesT
still easy to remember, not too painful to type.
Research has shown that the most secure password is 'X7no0RsTT'. Everyone should change all their passwords to 'X7no0RsTT' immediately, or they will be at a greater risk of being violated by hackers.
Take a song that you like, and use the first letters of each line as your password.
If your password requires numbers or special characters, use the line number of the song, plus its shifted equivalent.
If it requires both upper and lower case, use one upper-case letter, the same position each time.
For example:
A long long time ago,
I can still remember
How that music used to make me smile.
Month 1: aLlta1!
Month 2: iCsr2@
Month 3: hTmutmms3#
etc.
Each year, pick a new song.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Before implementing any security measure, one should ask "Why?" What is the hard reason? (not just feel good).
When it comes to forced password changes, it's "Because the password may be compromised".
So the next question is, if it 'may' be compromised, then how long are you willing to live with it compromised?
And that is your password change rate. So, if you force password changes every 90 days, it means you're willing to live with passwords being compromised for 89 days.
So what, force them every day?
The real answer is that if you think your users' passwords are being compromised, then you need some other form of security. Forced password changes are changes for no reason.
What I've been doing so far seems to be okay
:)
I wrote a program to generate high quality random numbers from the high quality entropy source (/dev/srandom).
Then I stick a number on the end and increment it. I RTA, but having a high quality random password just makes me feel good.
I have an iBook, so I have to get it repaired a lot due to the logic board thing. I generally make a new password when I have it repaired. And they always compliment me on my password.
I rarely criticize things I don't care about.
That's what security is all about. Every company should have a single standard - iButtons or smart cards - which replace door key cards, login names, passwords etc., and work on every system to which an employee is supposed to have access. Authentication should be automatic - plug the iButton into your terminal, and you can ssh transparently to any machine to which you have access, without any further passwords. That way there is just one thing for the employee to "guard with his life"; and by increasing convenience you increase productivity too. The cards or iButtons should use a rolling-code system, with computation performed on-chip, so that it is extremely hard to duplicate a key. And in cases where extreme security is required, it could be supplemented with a password, but I think the extra security which that provides is minimal.
But probably the open-source, cross-platform software to make it possible still needs to be written.
I have sometimes used a printed table to aid myself in memorizing a pseudorandom password, too. I did it by printing a table of random characters from the set of lower and upper case letters, numbers, and some punctuation, like this:
0 3 x C 6 m c Q 5 q u s
8 e v 7 u K T / W 8 4 1
6 j B y . 8 o r = 8 S 5
O F v L 4 g 3 4 p I W 6
c l B P E u Z 9 6 L y 5
% p U A a 9 % d 5 A H v
J e % ! C 3 b . D U 5 U
Q O S l t J Q E P r c L
P 4 g n a S 9 9 C R b 7
% 9 x E = 5 d i o l 8 G
R h Q Q A e o y x R 9 Z
R E 3 N 8 c A e I 7 0 d
and then deciding from where in that table to read a password. Obviously the password could not be in a straight row. It could be a spiral around an initial character, part of a knight's tour, alternating picks from several lines, characters at intervals based on the Fibonacci sequence, or whatever rule one could devise. This effectively replaced remembering the password by remembering a pattern. I liked to think that the number of possible permutations would probably pay back some of what I lost in randomness.
(I now fancy wallpapering my cubicle at work using sheets like this, with characters randomly colored for additional visual cues.)
My online bank has 2 techniques they use to try and fight key logging.
1) Provide a mouse-driven numeric keypad (they use short numeric pins as a primary password)
2) Require a strong secondary password, of which random characters are requested each time. So, if I login today, they will request characters 1, 6 and 7. The next time they may request 1, 5 and 7.
Point 2 provides dubious benefits, I think. Sure, it defeats keylogging but I would guess that most people write down the 2nd password, so that they can easily find the requested letters. Plus, it is complicated enough to be a tech-support nightmare.
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
Set up a dedicated machine like this and use it for your security awareness training. Dare users to come forward and try their best passwords.
Cubicle rats will do ANYTHING for that big chunk of swiss cheese!
It may sometimes = bad security but it isn't necessarily bad.
The assumption of many many posters is that the chief threat is someone poking around a worker's desk and getting the password that way.
RTFA
The problem is not choosing a good password, and social engineering (and that is all in the summary).
I had thought the results were entirely intuitive and the original poster didn't know what he was talking about, but so many miss the point that maybe I'm wrong.
Or maybe there are a lot of 'post first, think never' people on Slashdot......Nahhhhh.
Writing down passwords isn't bad in itself. I write mine down and keep them in a locked drawer. Security keeps out everyone who doesn't have business in the building, and you'd have to know a lot to be able to guess that I wrote down passwords and where they might be, and which it might be. And my work-group is 24x7. So it is no problem. Oh, and my coworkers all have the same access as I do. So is it bad I wrote down my passwords? Nope. Could it be bad in some circumstances? Yep, but to rail against a good password policy because someone might (horror of horrors!) write a password down is pretty stupid.
7. Writing the password down on a yellow sticky note and sticking it to the keyboard is more secure than sticking it on the monitor. - Debunked, we found that hackers generally look for sticky notes in both places, in addition, they will sometimes look under the keyboard and in the top drawer of cubicle desk.
I can't afford a sig!
I work on a web app (one that I didn't design, but that I customize) that stores an md5 hash of the password in the db. And I noticed that you can still glean information from the hash, if the password is common (such as the word "password"). So my idea was to store a hash of the concatenation of the username AND password, ensuring with a high probability that no two hashes will be alike.
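The observation above is the classic argument for salting: an unsalted hash leaks password equality across users and is directly attackable with precomputed tables. The following added example (my own code, not the poster's web app) shows the three variants side by side: the unsalted MD5 the app stores, the username-concatenation the poster proposes, and the form a practitioner would store today, a random per-user salt with a deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example. Tune it
# so that one verification costs a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password):
    """What the parent's app stores: identical passwords give identical hashes,
    so a common password is recognisable across users and in lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_user_concat(username, password):
    """The parent's proposal. Hashes now differ per user, but the 'salt' is
    the public, predictable username and MD5 is still fast to brute force."""
    return hashlib.md5((username + password).encode()).hexdigest()


def make_record(password):
    """Random 16-byte salt plus a slow KDF, stored as one '$'-separated string
    so the parameters needed to verify travel with the digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(record, password):
    """Recompute from the stored salt and iteration count and compare in
    constant time, so timing does not reveal how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users with the same weak password: unsalted MD5 makes that obvious.
    print(md5_unsalted("password"), md5_unsalted("password"))
    print(md5_user_concat("alice", "password"), md5_user_concat("bob", "password"))
    rec = make_record("password")
    print(rec)
    print(verify(rec, "password"), verify(rec, "passw0rd"))
```

Two things the username trick does not buy you are visible in the code: the salt is guessable (an attacker who has the database has the usernames too), and nothing slows the guessing down. The random salt fixes the first, the iteration count the second; hashing twice with the same password yields two different records, which is the property the poster was after.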
I use a modified method of this, picked it up here a few years ago. Pick a sentence from a big book (LoTR, Iliad, Odyssey etc) then take the first letters (Tell me Oh Muse...) Now if the word is a noun use the number of letters in the word, if it's a verb use the last letter, if none of these use the first letter of the word. From the line above you would have the password lmo4oti4wd3a4ahhdtf4o4. What you remember is, "Tell me oh muse of that ingenious hero who travelled far and wide after he had sacked the famous town of Troy." You have enough for two passwords there. If you wanted extra security you could add a rule to use the symbol (shift+number) of letters in pronouns or linking words. Feel free to improve on my letter swapping method, all that matters is consistency. This method has the advantage that you can leave your cypher book near the computer as long as the basic scheme (and rotation frequency and method) is memorized.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
but the same combination was also in my wallet along with all my pin numbers. Again in base 7...
Thank you.
Now, where do you live?
http://github.com/gbook/nidb
Speaking as someone who understands the value of choosing hard-to-guess passwords, the biggest problem I have is with the sheer volume of passwords I need to remember. So often I go back to a site I've registered at and wind up with my account locked because I can't remember which password mnemonic I used.
;-)
With mnemonics, I would imagine that access to one or two of a user's passwords would enable an attacker to guess many of their other passwords. It seems like an all-too-obvious attack to set up a pr0n site with user registration, collect user names and passwords, and them run them on yahoo, hotmail, online-banking, etc. One could easily harvest hundreds of passwords this way. (Uh-oh, I hope this kind of idle speculation isn't some kind of DMCA or Patriot violation...
How do slashdotter's deal with password volume? Even the no-no of writing them all down can be a difficult task to manage..
So long, and thanks for all the Phish
Really, who breaks into systems anymore by brute forcing passwords? In the pre-shadow days it was easy to attack all of /etc/passwd with thousands of tries a second but now with /etc/shadow you're relegated to tapping at the the ssh socket or the like. And with a three-try lockout, that's not really much of an option either.
CommentBot 0.7a running with args "-module irritate,disagree -target random"
I hope Slashcode doesn't munge this... It's got configurable stuff. Just save locally to an html file and fire up in your open-source web browser of choice. Enjoy.
<html>
<head>
</head>
<body>
<script language='JavaScript'>
var insymbols="abcdefghijklmnopqrstuvwxyz1234567890";
var outsymbols="ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "abcdefghijklmnopqrstuvwxyz" + "1234567890" + "!?.:@#$%^&*-+=";
var cols=4; //number of output columns
var dict=new Object; //hash lookup dictionary
var dictTable=""; //hash table
//generate dictionary: each input symbol maps to two output symbols
//(Math.random() is not a cryptographic generator; the table is only as unpredictable as it is)
for(var i=0;i<insymbols.length;i++)dict[insymbols.charAt(i)]=outsymbols.charAt(Math.floor(Math.random()*outsymbols.length))+outsymbols.charAt(Math.floor(Math.random()*outsymbols.length));
//output dictionary to screen and clipboard
for(var x=0;x<insymbols.length;x++){
dictTable+=insymbols.charAt(x)+' '+dict[insymbols.charAt(x)];
(x+1)%cols==0?dictTable+='\r\n':dictTable+=' ';
};
//hash keyword and put results on clipboard (window.clipboardData exists only in Internet Explorer)
//keyword characters outside insymbols (upper case, punctuation) have no table entry
if(window.clipboardData){
var cleartext = window.clipboardData.getData("Text"); //keyword
var hashtext=""; //keyword hash
for(var x=0;x<cleartext.length;x++)hashtext+=dict[cleartext.charAt(x)];
window.clipboardData.setData("Text",hashtext);
};
document.write("<p"+"re>");
document.write(dictTable);
document.write("</p"+"re>");
</script>
If you've copied a keyword, the hash of it, using this table, is already on the clipboard.
</body>
</html>
I started using passwords designed around a visual pattern formed by keys on the keyboard: a line, a circle, a cross, whatever. I just remember the starting key and pattern. For instance, a Y-Circle password might be y-t-g-b-n-m-j-u, or y-h-j-k-i-8-7-6. I tend to pick a pattern and keep it for a year or so, moving the starting key around when I need to change the password.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Why bother? Just open a website.
No passwords at all to register documents. Instead they use digital signatures. (As in actual GIF images of someone's signature.)
I keep asking them which is easier to change? Passwords or Signatures?
Their complaint: Passwords are insecure.
My comeback: Enforce better password security and have spot inspections of how passwords are kept secure.
Their comeback: Got the money to do that?
We haven't managed to get a lot farther than that.
Someone put a black hole in my pocket and now I'm broke.
i just dont make my passwords in english. i make them in obscure languages. or a mix of english and obscure languages (obscure = not languages that are widely known in the us, or languages that very few people know exist)
I agree with "social engineering was the ultimate hack is a genius."
... ... more or less 789&*(HJKLkjhl .... extreme primes are fun.
Kb pattern, as in hjk78&*KJH 10 characters cap/small-alpha-numeric-spec
pick your pattern and don't forget. I never repeat and never forget. Age and experience
OldHawk777
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the other. So this belief is debunked.
It's always confounded me as to why people have insisted on this folk belief. I, for one, have always insisted that mnemonic phrases are no less secure than random numbers. (Likewise for the memorability vs. single-phrase passwords.) I'm glad there's finally some proof so that I can get people to use sane passwords (neither easy to guess, nor difficult to remember).
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
If you spend too much time on the internet, like me :), you must have hundreds of passwords for all sorts of things including message boards, websites, e-mail accounts, etc. How do you guys store your passwords? Do you use any software tools?
Presently, I just keep them in a big file :( that is encrypted via gpg. Unfortunately it is sitting on my computer, which is connected to a network (i.e. internet) so it is very unsafe. Do you guys do anything to secure your passwords? Do you store it on a CD-ROM/floppy/whatever and keep it off the computer?
Just wondering what you guys do with your passwords... Oh, one more thing, I have a horrible memory so I HAVE to store them somewhere
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
Take it from someone who's been in IT for a long long time. Users are so sick of passwords they completely hate that they have to keep multiple passwords and then they hate it when the passwords expire.
The password police are constantly tightening the password rules. It used to be 90 days till a password expired. Now it's 60 days. It used to be 6 characters now it's 8 characters. You used to be able to re-use an old password, now you end up having to wait until it's 15 passwords old before you can re-use it. All passwords must contain 8 characters and include at least one number. You cannot set a password that is too similar to the old one. Many words have been outright banned from use as a password.
As an IT person with access to a lot of things, I have 28 different passwords just for work alone! There's about 8 mainframe ones, 4 PeopleSoft ones, 2 Windows Domain, etc., etc., etc. I actually set up an encrypted file on a USB pen drive that I unlock and reference when I need to see my password list. I have a couple of Macs at home and I love the KeyChain solution!
The average user has about 5-10 passwords they have to worry about. Users write them down, come up with elaborate rotation schemes, etc. Mostly they just call the Help Desk repeatedly because they lock themselves out in the process of changing their password.
I am all for a smart-card or USB keychain along with a single sign-on system to everything. It would cut 600 calls to the help desk every month and it would make thousands of employees very very happy.
A solution that works for many is PasswordSafe. This is a small application that keeps all passwords encrypted (using the Blowfish algorithm). Entries are presented either as a flat list or tree, and double-clicking an entry decrypts the password and copies it to the clipboard. The project originally came from Counterpane, Bruce Schneier's company, and is regarded as a useful and secure application.
PasswordSafe has random password generation that can be customized rather nicely.
Of course, the PasswordSafe database itself needs to be protected by a passphrase...
[Disclaimer: I'm currently the project admin for PasswordSafe.]
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
and everyone seems to have their own way of generating them. I know one person that uses license plate numbers he memorizes while on the highway. I use Cloak on my Palm to keep the 40 or so that I have to use to get my job done - yes, I said 40. I'm of the firm belief that none of these practices are secure at all. If it's a password; it will be broken eventually. Where I can use passphrases; I do. Even those can be broken given time. When they come up with reliable, inexpensive biometrics; and combine them with digital certificates or encryption keys (pick your flavor) - I think we'll be far more secure. I know that privacy can be an issue with biometrics but what if you encrypt the biometric data itself and don't make any of it personally identifiable except to its owner?
I think with the interesting people, their lives can't possibly be wrapped up into a nice little package.