Passwords - 64 Characters, Changed Daily?
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"
Even if someone steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.
Yeah, right.
The harder a password is to remember, and the more frequently it is changed, the more likely people are going to forget it, and resort to insecure tricks such as writing it on a post-it note stuck to their monitor.
I can't see any good reason to change passwords frequently, other than to limit the damage done from a successful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.
Please read my Canon EOS tech blog at http://www.everyothershot.com
Every time you add another character onto an alphanumeric, case-sensitive password, the total number of possibilities is multiplied by 62. CPU throughput takes a very long time to increase 62-fold. So going from 8 to 10 characters increases the password space 3844 times, and that's assuming only uppercase, lowercase, and numbers.
There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.
You're assuming we won't have a better, harder-to-crack hashing mechanism by then.
This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.
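The two posts above make a quantitative claim (each character multiplies the space by 62) and a qualitative one (a costlier hash buys time). The script below is an added example, not code from the thread: it computes the keyspace and brute-force time for the 8- and 10-character cases, adds a Moore's-law term (an assumed rate that doubles every 1.5 years, integrated over the attack), and then measures on the local machine how much more each guess costs against a salted, iterated hash (PBKDF2-HMAC-SHA256, 10,000 iterations) than against a bare MD5. The billion-guesses-per-second figure and the 1.5-year doubling period are assumptions for illustration.

```python
"""Added example: password-space arithmetic and hash-cost measurement.

Not from the thread; the attacker rate and doubling period are assumptions.
"""
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: the bits a uniformly random password of this shape carries."""
    return length * math.log2(charset_size)


def years_to_exhaust(space: int, guesses_per_second: float, doubling_years: float = 0.0) -> float:
    """Years needed to try every password in `space`.

    doubling_years == 0 models a constant attacker rate r.  Otherwise the rate
    grows as r * 2**(t/T) (a Moore's-law style assumption); integrating gives
    cumulative guesses G(t) = r*T/ln2 * (2**(t/T) - 1), and solving G(t) = space
    for t yields the closed form below.
    """
    rate_per_year = guesses_per_second * SECONDS_PER_YEAR
    if doubling_years <= 0:
        return space / rate_per_year
    t_double = doubling_years
    return t_double * math.log2(1 + space * math.log(2) / (rate_per_year * t_double))


def guesses_per_second(hash_func, candidates: int) -> float:
    """Measure how many candidate passwords per second `hash_func` lets an attacker test."""
    start = time.perf_counter()
    for i in range(candidates):
        hash_func(b"guess%08d" % i)          # constructed candidate guesses
    elapsed = time.perf_counter() - start
    return candidates / elapsed if elapsed > 0 else float("inf")


SALT = os.urandom(16)  # a real system stores a per-user salt; one is constructed here for the benchmark


def fast_md5(pw: bytes) -> bytes:
    """Unsalted MD5, one hash call per guess: the cheap scheme the thread mentions."""
    return hashlib.md5(pw).digest()


def slow_pbkdf2(pw: bytes) -> bytes:
    """Salted, iterated hash: every guess costs the attacker 10,000 HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", pw, SALT, 10_000)


if __name__ == "__main__":
    for n in (8, 10):
        print(f"62^{n} = {keyspace(62, n):.3e} ({entropy_bits(62, n):.1f} bits)")
    space10 = keyspace(62, 10)
    rate = 1e9  # assumption: a billion unsalted-MD5 guesses per second
    print(f"10 chars at a constant {rate:.0e}/s: {years_to_exhaust(space10, rate):.1f} years")
    print(f"... with throughput doubling every 1.5 years: {years_to_exhaust(space10, rate, 1.5):.1f} years")
    md5_rate = guesses_per_second(fast_md5, 20_000)
    kdf_rate = guesses_per_second(slow_pbkdf2, 100)
    print(f"MD5 {md5_rate:.0f}/s vs PBKDF2 {kdf_rate:.0f}/s: each guess costs {md5_rate / kdf_rate:.0f}x more")
```

Two things the numbers show that the prose does not: the Moore's-law term collapses a 27-year constant-rate attack on 62^10 to under six years, and the measured cost ratio between MD5 and PBKDF2 is of the same order as that 3844-fold gain from two extra characters, which is why the "better hashing mechanism" in the reply is a real substitute for longer passwords.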
This should be modded insightful. These kinds of forced password-change policies do one thing only: encourage people to choose easy-to-remember (and hence, likely easy-to-crack) passwords. Even worse, it encourages people to write their passwords down and store them in what is probably a very insecure location! So, in the end, you get only a marginal increase in security.
Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex passwords (no word substrings, more than just alphabetic characters, etc.), but don't force them to change them. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.
If you use biometric data for your passwords then you can never change your passwords. The first time you use a cracked login terminal you've lost security forever, unless you have surgery.
"The price good men pay for indifference to public affairs is to be ruled by evil men." -Plato
It's restricted on most/all systems already that way, and besides, the throughput limitations on brute-forcing a live system would prove quite troublesome.
Generally you would sniff the datastream and try to crack that, I imagine (because that's the only thing you could do).
(Insecure software with flaws proves the biggest security problem for the foreseeable future anyway; there's always the possibility of using single-use passwords, which are _already_ in use on sensitive/important systems.)
The world was created 5 seconds before this post as it is.
There are so many things wrong with this that it is hard to know where to start. I'll just choose a couple.
First, forcing passwords on users is dumb. What might be an easy combination of words and numbers for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember it, I am going to write it down. It is much better to allow people to choose their own passwords so that they can make a combination that they can remember.
Second, accountability for your password goes out the window when someone else knows and controls the password. If the administrator knows all the passwords, they can log on as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.
More intelligent password checking rules are a much simpler and more effective solution.
Some systems do not allow any more tries at logging in after a few unsuccessful attempts. After an hour or so, the system resets and gives the user another chance to try to get in. If that also fails, the user must call the system admin. This process goes a long way toward thwarting multiple access attempts.
None of this helps of course if the user's system is breached and some sort of keyboard sniffer is active.
All theory is gray
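The post above describes a lockout procedure in prose. The block below is an added example, not from the thread or any particular system, that implements it as a small state machine: three consecutive failures lock the account for an hour, the lock expires into a fresh set of attempts, and a second lockout escalates to an administrator-only reset. Reading "if that also fails" as "a second round of failures" is this example's interpretation; the thresholds are assumed. The clock is injectable so the hour can be simulated, and a helper computes the online guess budget the policy leaves an attacker, which makes the contrast with the offline rates discussed earlier concrete.

```python
"""Added example: account lockout with expiry and escalation to an admin reset."""
import time


class AccountLock:
    """Failed-login tracking for one account (an interpretation of the post, not a standard)."""

    def __init__(self, max_failures: int = 3, lockout_seconds: float = 3600.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock              # injectable so tests can move time forward
        self.failures = 0               # consecutive failures in the current window
        self.locked_until = None        # monotonic time at which a temporary lock ends
        self.lockouts = 0               # temporary locks since the last successful login
        self.admin_locked = False       # set after the second lockout; only admin_reset clears it

    def attempt(self, password_correct: bool) -> str:
        """Process one login attempt; returns 'ok', 'denied', 'locked' or 'admin'."""
        now = self.clock()
        if self.admin_locked:
            return "admin"
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"         # even a correct password is refused while locked
            self.locked_until = None    # lock expired: the user gets another chance
            self.failures = 0
        if password_correct:
            self.failures = 0
            self.lockouts = 0
            return "ok"
        self.failures += 1
        if self.failures < self.max_failures:
            return "denied"
        self.lockouts += 1
        if self.lockouts > 1:           # the second lockout: call the system admin
            self.admin_locked = True
            return "admin"
        self.locked_until = now + self.lockout_seconds
        return "locked"

    def admin_reset(self) -> None:
        """What the help desk does after verifying the user out of band."""
        self.failures = 0
        self.locked_until = None
        self.lockouts = 0
        self.admin_locked = False


def online_guesses_per_day(max_failures: int, lockout_seconds: float) -> float:
    """Upper bound on guesses an attacker gets per day if every lock is simply waited out."""
    return max_failures * 86400 / lockout_seconds


class FakeClock:
    """Test helper: a clock the caller advances by hand."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    acct = AccountLock(clock=clock)
    print([acct.attempt(False) for _ in range(3)], acct.attempt(True))
    clock.now = 3601
    print("after an hour:", acct.attempt(True))
    print("online budget/day:", online_guesses_per_day(3, 3600))
```

With these thresholds an online attacker is held to 72 guesses a day per account, which is why the brute-force arithmetic in the thread only matters once the hash file has been copied off the box. As the follow-up post notes, none of this helps against a keystroke logger: a stolen correct password passes on the first attempt.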