Slashdot Mirror
Password Memorability and Securability
NonNullSet writes "Who would have thought that that something new could be said about how best to select passwords? Ross Andreson of Cambridge University and some of his colleages have performed new empirical studies and found some pretty non-intuitive results. For example:
1. The first folk belief is that users have difficulty remembering random passwords. This belief is confirmed.
2. The second folk belief is that passwords based on mnemonic prases are harder for an attacker to guess than naively selected passwords. This belief is confirmed.
3. The third folk belief is that random passwords are better than those based on mnemonic phrases. However, each appeared to be just as strong as the
other. So this belief is debunked.
4. The fourth folk belief is that passwords based on mnemonic phrases are harder to remember than naively selected passwords. However, each ap-
peared to be just as easy to remember as the other. So this belief is debunked.
5. The fifth folk belief is that by educating users to use random passwords or mnemonic passwords, we can gain a significant improvement in security. However, both random passwords and mnemonic passwords suffered from a
non-compliance rate of about 10% (including both too-short passwords and passwords not chosen according to the instructions). While this is better than the 35% or so of users who choose bad passwords with only cursory instruction, it is not really a huge improvement. The attacker may have to work three times harder, but in the absence of password policy enforcement mechanisms there seems no way to make the attacker work a thousand times
harder. In fact, our experimental group may be about the most compliant a systems administrator can expect to get. So this belief appears to be debunked."
Freaking PDF files. Link to a version translated into HTML. By the time this goes live, maybe the FTP will be slashdotted, too. Thanks, Google.
I suppose I should make a comment. Okay, here it is: looks like users are still the weakest link in security. Whoever said that social engineering was the ultimate hack is a genius.
Google's HTML Cache Version
Hmmm.
Not RTFA has never been so easy! How am I supposed to have an uninformed opinion like this?!
So take a look at quepasa. It combines remembering a passphrase, with cryptographically generated passwords (SHA-256 hashing of the passphrase and account name followed by mapping of the hash to typeable characters).
The combination means that I can always "recall" the password for any of my accounts using the quepasa application (all I remember is a single passphrase), and the passwords are not stored anywhere.
John.
Mitnick had a neat suggestion in the Art of Deception. The Consonant-Vowel Method. It provides an easy to remember password because it is pronounceable. You take the following template and swap in consonants and vowels: CVCVCVCV. The examples he gave are MIXOCASO and CUSOJENA. The point is they won't be in the dictionary but you can remember these nonsense words.
Support the First Amendment. Read at -1
Yeah, passwords and standards are fine as long as you keep snickers out of the office
One area I'd like to see would be strength of a password in terms of randomness, requireing use of characters, etc. vs length. Is an 8 character password with a punctuation mark better than a 10 character pasword with all lower case characters? If so, by how much?
Then we can determine a good password policy that fits with the security model at the facility.
How many passwords have you got? turn on pc, open email, encrypted files, bank account login's, ftp login's, forum memberships, the list goes on. How many have you forgotten? We need a better authentication system than text passwords. Security agencies have developed stunning biometrc identification technologies, perhaps these could be put out for the general public to use?
Do you need a website upgrade?
Hah! Now I also know how to reach you on the phone...
This comment does not exist.
I'm confused as to why you would care how strong the passwords your users select are. As long as you control the authentication system, you can prevent repeated guessing--the days of globally-readable encrypted password files are gone. If you get more than a small number of failed guesses on a given account or from a given address, you cut off access, at least for a time.
The key is to detect the attack.
"Hello, I'm doing a study for the Cambridge University Computer Laboratory on passwords..."
Auto-reply to ACs: "Truly, you have a dizzying intellect."
There are a couple things i do....
1) On my servers te password changer forces them to not use dictionary words, has to have numbers, letters and nonnumeric characters, and they can't use their previous so many passwords
2) For my password I use a few things from my childhood that no one will ever come up with.
3) There is nothing like keeping up on your security patches.
Evolution or ID?
If IT keeps warning, they're told to stop worrying. If something happens, IT is blamed. These morons (leaders) need to figure out that IT isn't something that helps them do business. Their business runs on IT. Without it, they have no business.
Hoist Number One and Number Six.
Statistically speaking, a 400 person focus group is going to so accurately represent the population from which they were selected it is almost overkill. Bear in mind, however, that they don't represent users in general, but computer users that are smart enough to get into college, aged roughly 18-19 years old, and open minded enough to participate in a college survey regarding passwords on computers.
But yes, 400 people is way more than enough - heck you can usually predict the outcome of most elections using exit polls asking less people than that.
Glonoinha the MebiByte Slayer
Most of the time, people just don't care. And why should they?
I probably have 200 passwords floating around in cyberspace, and 90% of them are "password". For example, I have to supply uid/pwd in order to read the Washington Post (my local newspaper). Is it important to keep this password secret? No, because I'm not very worried about someone reading the newspaper under my name.
Unless I have confidential personal information at stake, I am not usually motivated to create a strong password.
So, sysadmins, if the security of your overall network is more important than Joe User's individual data, you need to enforce strong password rules. Relying on users to create strong passwords voluntarily under such conditions is foolish.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
It just doesn't matter. It still going to be written on a yellow sticky and stuck on the screen.
I used to work on a military installation with really elaborate guidelines for choosing passwords. It would usually take me at least a dozen times to choose a valid, unused password. My buddy had a trick that would get him a good password every time. Being fluent in Korean, he would come up with a phrase in Korean and spell it out phoenetically to produce a new password. I wonder how many foreign language workers in the US do the same thing?
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Perhaps I'm crazy but I've always felt an application which allows a brute force attack is flawed.
Surely by this point in software development it should be regarded as standard for every program to LOCK access for a given account after X consecutive failed logon attempts?
Even setting this to something arbitrarily high like, say 1000, is more than any user would ever try before asking for help, but much MUCH MUCH less than any dictionary attack would require. Combine this with the possibility of real time notification for admins (facilitated by email/inter application messaging, or a small add-on service for the OS) when more than Y accounts are locked for this reason in Z minutes, and as a community we'd effectively end all dictionary attacks - or at least turn them into DOS attacks, but at least we'd know it was going on...
1. generate a password using some word algorithm: I was born on a Monday = "IwboaM"
2. come up with some kind of replacement strategy: w=m, a=1. IwboaM = Imbo1M
3. bookend it with the year you were born: Imbo1M = 19Imbo1M69.
It looks totally random, but there is a method to the madness. If you need to change it, you can just inc the year, or use some other rule on it. The strength is that you completely make up the rules, and they don't have to make any sense. All you have to do is remember the original phrase (easy) and your rules (easy to complex).
(and the example I gave is completely arbitrary)
You could also do one where your password is the answer to the question. Remember the question "What month was I born?" Answer: October
Password starting point = HalloweenMonth. Then apply crazy rules to it. In this way, you can write down your reminder phrase "Month born?" and it is nowhere near what your password is.
My beliefs do not require that you agree with them.
Stay late one night. After they are all gone walk from desktop to desktop. Look for post-it notes on the side of the monitor and under the keyboard, and in their drawers. The results will scare you, if your users are anything like mine, and I bet after that you start letting them pick less cryptic passwords.
Also, if you know their password there goes any semblance of Non-Repudiation. And if you can 'remind them' either you have a very short list of users and can remember them, or you have a written list somewhere - nifty, but a bad idea.
Glonoinha the MebiByte Slayer
I'm sure I'm not the only one who occassionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious) but things like !@()ZX>? Hell, half the time I remember friend's phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Amoeba
Do not taunt Happy-Fun Ball
Looking at through cynical eyes it doesn't matter how secure your method is because, you are ultimately placing trust in the typical user who will most likely do something stupid when given the chance.
Gibber...
Gentoo Linux - another day, another USE flag.
My menmonic, which should have been hard for people to guess, was "Please ask sister sally where's our rottweiler dog"
And the thing is, we didn't even have a rottweiler, it was a shepherd. But people still guessed it, so I don't use mnemonics anymore.
Do not taunt Happy Fun Ball(TM)
So, basically, you're saying that Slashdot is impenetrable?
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
I used to do that back in the USMC - I converted my walllocker combination to base 7 and then put that on tape on the back of the lock. Everyone in the barracks tried it and failed. Meanwhile I had a nicely documented combination. Of course, I suppose I was fairly lucky that nobody simply removed the tape - but the same combination was also in my wallet along with all my pin numbers. Again in base 7...
Just use pattern passwords: ;-)
:-/
1) Put both hands on our friend, QWERTY
2) Move fingers into a natural, systematic position
3) Bang out a pattern using all fingers
4) Randomly include the shift key and those keys at the top, including the Back Space
5) Keep hitting some keys even after you've hit Enter; Then hold the Back Space key (optional)
6) "Practice, practice, practice!" so it can be typed very fast
Results?
* I rarely mistype a password
* I don't know my own password
* I couldn't share my password with security unless a keyboard was around
* I type it in so fast, it would take a video recording to spy-capture it (me thinks)
Of course, nothing can help you with key logging
Using the term "folk belief" more than once in a paragraph can become very annoying. This belief is confirmed.
----------------------------------
I'd rather not take sides until I hear the monkey's version - PHB
If someone gets to post as Allen Zadr to slashdot, the worst that would happen is my karma would be burned. No big deal. I drop the account, start a new one, give Slashdot another 5 bucks.
The passwords I use on anything important, are far more secure.
For this reason, I would be far more suspicious of the 10% that use extremely complex passwords. Likelyhood is that those passwords will match their online banking account and work passwords.
Kinetic stupidity has a new brand leader: Allen Zadr.
I read a story about a book method for developing crypto keys. It was a fairly common method in the past before computers. I thought about it and have used it for years for choosing my passwords. Then tend to be mnemonics, but I can right down a hint sheet that is pretty safe.
It works like this. I choose a book at random from my work area, choose a page at random and then pick a line. I develop a mnemonic password from that line. If I need a hint, I write down the page and line number on a piece of paper, I can even stick it to my monitor if I need to. My average library of reference books at work is over 50 books. How big a hint to an atacker is 347 12? All I have to remember is what book I chose.
My last job, my boss couldn't remember any password that wasn't part of his name until I introduced him to mnemonic passwords.
Or use SHA2. Cause I don't have rainbow tables to crack that. Yet. For those of you who don't or cannot follow security, the new buzz is creating your own crack tables in a couple of weeks or months. There is more info at the project rainbowcrack page.
The misconception that everyone has about passwords now (because we as sysadmins pushed it so hard in the late 90s, early 00s) is that alphanumeric is the way to go. With the advent of generating your own cracking tables, that is no longer the case anymore.
An alphanumeric md5 set of rainbow tables can be generated in about a weeks time with a 2.4 ghz processor. That's my rough estimate based on the couple days it took me to make the alphanumeric one for LM hashes.
I would highly suggest that if you want your users to come up with good passwords you have them make a "one-time" password, seed with a 20-character salt that looks like someone pounded the keyboard, and store it inside a SHA2 hash.
A good administrator is going to salt their passwords with a string of characters that already satisfies the "alpha-numeric-symbol" requirement. If there is any reason to do something other than the first name of your child it is to stop coworkers or friends or people that already know about you.
When using brute-force/guess method this is what I try first and my guess is that at least 1% of Slashdot fathers use this or a form of it as their pass. It's okay to be proud of your kid, but don't think you're honoring them by including them in your password.
You can easily generate mnemonic passwords using pwgen.
It's definitely easy to remember mnemonic passwords. I've been able to not log into a machine for months, come back to it and remember the mnemonic password unique to that machine.
Well when going through a really rough divorce (I had an easy one too) I was in serious fear , and justifably so of my Ex hacking accounts using some of my known Passwords , I like many others have a cycle of about 10 that are used interchangably. All these were , with the exception of 1 personal passwords. I found she was accessing my work mail and personal mail almost immediatley , Soooo I decided to have some fun with it, passing all kinds of bogus information into forged emails to myself. Then came court, she was ACTUALLY Stupid enough to bring up several points in court, my Attorney was aware and asked where she found this informationout, "Around, friends, etc" Bwwwahhaaaa talk about someone looking stupid she bought it hook line and sinker.
:)
Sometimes easy to crack passwords are a GOOD thing
On another note, after I took her to the cleaners at court I decided to TIE one One, well....NEVER....and I mean NEVER....change you passwords while really drunk..it took me 2 days to reconfigure redit and reset all my passowrds I changed on that drunken celebration. I still have NO idea what some of them were or how I came to decide on their usage
-The Libra
"You've got no kids, no wife, no job, and you're not in The Tigger Movie!!!"
- my best friend's son, Gabe, at 5 years old.
-The Libra
"Please be patient--The future will begin momentarily."
I occasionally like memnonic passwords, but another good alternative is a randomly-generated but pronounceable password. It turns out that we're much better at remembering passwords that we can pronounce. (Where "Voolakun5" is pronounceable and "zqx17yvy" is not).
FIPS-181 describes a NIST-endorsed system for producing pronounceable passwords. There is a GPLed FIPS-181 implementation here.
Sample run:
$ apg
dyijenuloa
bifliecar
yishjied&
IfHydrovia
yutsOlg/
DipUkcat
APG is a lot more sophisticated than this, and allows you to do a lot of tweaking of the types of passwords it outputs, print pronunciation guides. It's a good tool, IMHO, for security-conscious types to have around.
For Fedora Core 2 users, Red Hat does not package apg in the base distribution, but it is available from freshrpms.
May we never see th
Wonder how well it would improve secuirty at aparrtment buildings at houses if we required users to change physical keys every 90 days ... got to prevent someone from sneaking in every morning and raiding the cookie jar and kids' piggy banks.
Infuriate left and right
When I was working at NASA, I was still using a very simple password consisting of a very unusual word plus a number. One day the sys admin sends me a mail and says "Hey, I cracked your password. You must be a fan of [band name who had a song by this title]". I was embarassed enough that I immediately changed my password to something much stronger, and use a strong password to this day.
It works well because many people (myself included) just didn't get how easy it is to crack simple passwords until someone does it. If it's your friendly sysadmin, a normal desire to appear less idiotic is a sufficient motivator to choose a strong password.
He was briefly in Chile for a US$420 a seat conference, and the head of the Computer Science Dept. asked him if he could give the students a little talk.
A representative answered exactly this:
Thank you for your inquiry. Kevin is indeed in Chile next week-- and would love to address your students. He does, however, charge a fee for his presentations (it's how he earns his livelihood)--- A standard presentation is 45 min. long plus 15 min. Q&A and covers the information presented in his book, The Art of Deception. The cost for a presentation like that is typically $15,000 US; however, due to the fact that you are an educational institution and Kevin will already be in the area delivering his other presentation, I could offer you a discounted price of $9,000 US (a savings of 40%)plus any related travel costs to/from your organization to his hotel.
Take a song that you like, and use the first letters of each line as your password.
If your password requires numbers or special characters, use the line number of the song, plus its shifted equivalent.
If it requires both upper and lower case, use one upper-case letter, the same position each time.
For example:
A long long time ago,
I can still remember
How that music used to make me smile.
Month 1: aLlta1!
Month 2: iCsr2@
Month 3: hTmutmms3#
etc.
Each year, pick a new song.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Before implementing any security measure, one should ask "Why?" What is the hard reason? (not just feel good).
When it comes to forced password changes, it's "Because the password may be compromised".
So the next question is, if it 'may' be compromised, then how long are you willing to live with it compromised?
And that is your password change rate. So, if you force password changes every 90 days, it means you're willing to live with passwords being compromised for 89 days.
So what, force them every day?
The real answer is that if you think your users' passwords are being compromised, then you need some other form of security. Forced password changes are changes for not reason.
I use a modified method of this, picked it up here a few years ago. Pick a sentance from a big book (LoTR, Illiad, Odyssy etc) then take the first letters (Tell me Oh Muse...) Now if the word is a noun use the number of letters in the word, if it's a verb use the last letter, if none of these use the first letter of the word. From the line above you would have the password lmo4oti4wd3a4ahhdtf4o4. What you remember is, "Tell me oh muse of that ingenious hero who travelled far and wide after he had sacked the famous town of Troy." You have enough for two passwords there. If you wanted extra security you could add a rule to use the symbol (shift+number) of letters in pronouns or linking words. Feel free to improve on my letter swapping method, all that matters is consistency. This method has the advantage that you can leave your cypher book near the computer as long as and the basic scheme (and rotation frequency and method) is memorized.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
... the real problem with passwords is nobody ever teaches anybody how to make a strong password that is easy to remember.
;-)
Yeah, but there's something that makes it worse: Every time you have to make up a password, your first try is rejected because it violates the rules of that software. So you keep trying until you stumble across something that is acceptable.
As a result, my file of passwords now has 68 entries, and that doesn't even include the half dozen logins that I use often enough to remember. I don't keep them on paper, of course. I keep them on my web site, so I can find them from anywhere.
Of course, the file has a misleading name, is hidden behind a number of index.html files, and has a name that starts with a dot so that the server doesn't give it out even during server changes when the index.html files are sometimes ignored for a short time. I know I should still be worried about the URL being intercepted in transit. But so far, this is the best solution I've found to what is a rather intractable problem.
The real problem is security dummies that impose such complex password rules on users that we are forced to resort to schemes like this to "remember" our passwords.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.