Slashdot Mirror


Passwords - 64 Characters, Changed Daily?

isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"

"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.

What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and/or mouse and/or monitor, etc.)"

10 of 645 comments

  1. Normal users by Skiron · · Score: 5, Interesting

    In my opinion as a Sysadmin, it doesn't matter what device[s] you bring in to try to 'secure' users and passwords.

    They still write them down, and still 'share' them: if somebody hasn't got access to a file share the other has, but he/she wants them to look at something (they don't even *think* about the option to copy it to a public share to do it!), then they give out passwords.

    Plus normal users forget them after a few days of work anyway. I usually reset around 5 passwords on Monday mornings after people have had two days off work, plus an average of 10 a week afterwards, on a user base of 150.

  2. makemeapassword.com by mgkimsal2 · · Score: 4, Interesting

    Not a perfect system, but is something which can help people come up with something more secure than 'password' while incorporating numbers and punctuation marks.

    makemeapassword.com

  3. Something you know, you have, and you are by jncook · · Score: 4, Interesting

    To quote Bruce Perens, if security really matters, you should base it on three things:

    * Something you know (password or PIN)
    * Something you have (badge or bank card)
    * Something you are (thumbprint, hand scan, voice check)

    This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)

    Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.

    For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.

    James
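    The "macro that generates random strings" jncook describes, and the kind of helper mgkimsal2's makemeapassword.com link points at, as an added example. This is not code from either poster or from that site; the character classes, the punctuation set and the guess rate used for the time estimate are assumptions of this example. It draws uniformly random strings of exactly the length a legacy system accepts, keeps only those that satisfy a character-class policy, and reports how many bits of entropy a string of that length carries.

```python
import math
import secrets
import string

# Character classes a typical legacy password policy asks for (assumed here).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = "!@#$%^&*()-_=+[]{};:,.?"   # conservative set most systems accept

ALPHABET = LOWER + UPPER + DIGITS + PUNCT


def meets_policy(pw: str, classes) -> bool:
    """True if pw contains at least one character from every required class."""
    return all(any(ch in cls for ch in pw) for cls in classes)


def generate_password(length: int, classes=(LOWER, UPPER, DIGITS, PUNCT)) -> str:
    """Draw uniformly random strings of exactly `length` characters and keep
    the first one that satisfies the class policy. Rejection sampling keeps
    the result uniform over policy-compliant strings; 'pick one of each class
    then shuffle' does not, and leaks structure to a cracker."""
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw, classes):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the keyspace at a given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (6, 8, 12, 16):
        pw = generate_password(n)
        bits = entropy_bits(n)
        # 1e9 guesses/s is an assumed offline rate, not a measured figure.
        print(f"{n:2d} chars  {pw}  {bits:5.1f} bits  "
              f"~{brute_force_years(bits, 1e9):.2e} years at 1e9 guesses/s")
```

    The entropy figure is what matters for the "how long" question in the original post: it depends only on length and alphabet size, not on how often the string is rotated. The generated list still has to be stored somewhere encrypted, which this example does not do.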

  4. Moores law needn't require longer passwords... by sanermind · · Score: 3, Interesting

    As computers get faster, simply use more difficult and time-consuming algorithms to verify passwords. If you use a verification step that takes 256 times as long [even for the same old 6-character password], then when computers get eight times faster, they are worse off than they were before in trying to brute-force the password.

    --

    ---
    the pen is mightier than the sword, the sword is mightier than the court, the court is mightier than the pen.
  5. Re:Just do what I do by Pharmboy · · Score: 4, Interesting

    What I never got was this: If I have a password, and no one else ever knows it, AND I check my logs so I know if someone is trying to hack my account, what good does changing it do anyway?

    As soon as I see an attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.

    --
    Tequila: It's not just for breakfast anymore!
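    Pharmboy's argument rests on actually noticing attempts in the logs. As an added example, not from the post, here is the check a practitioner would run over an sshd auth log: parse the lines, flag sources that pile up failures inside a short window, and flag the more worrying case of a success from an address that had failures before it. The log lines are constructed for this example (RFC 5737 documentation addresses), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; host and addresses are made up.
SAMPLE_LOG = """\
Mar  3 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar  3 08:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar  3 08:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar  3 08:00:06 host sshd[1207]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar  3 08:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar  3 08:00:11 host sshd[1211]: Failed password for root from 203.0.113.7 port 50216 ssh2
Mar  3 08:15:30 host sshd[1301]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 08:15:40 host sshd[1303]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 09:30:00 host sshd[1401]: Accepted publickey for bob from 192.0.2.9 port 33333 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn sshd lines into event dicts. Syslog timestamps carry no year, so
    the caller supplies one; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def brute_force_sources(events, threshold=5, window_seconds=60):
    """{ip: most failures seen in any sliding window} for sources that reach
    `threshold` failed logins within `window_seconds`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def success_after_failures(events):
    """(ip, user) pairs where an Accepted login follows an earlier Failed
    attempt from the same address: worth a human look whatever the count,
    because it is what a successful guess looks like in the log."""
    seen_failure = set()
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "Failed":
            seen_failure.add(e["ip"])
        elif e["ip"] in seen_failure:
            hits.append((e["ip"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("success after failures:", success_after_failures(evs))
```

    On the sample the first check flags 203.0.113.7 with six failures in ten seconds; the second flags alice's login from 198.51.100.4, which a count-only rule would miss. Note what neither check covers: a cracker working offline on a stolen hash file leaves nothing in this log at all.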
  6. Re:Just do what I do by Megor1 · · Score: 3, Interesting

    Since password cracking relies on having access to the password hash, simply make the hashes an order of magnitude longer to calculate.

    --
    Everyone that disagrees with me is a paid shill
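    sanermind's point above (make verification 256 times slower and an eight-fold faster machine is still behind) and Megor1's (make the hash an order of magnitude more expensive to compute) are the same mechanism: a tunable work factor. As an added example, not from either post, here it is with PBKDF2-HMAC-SHA256 from Python's standard library. The record format, the 600,000 default iteration count (within the range current guidance gives for this construction) and the login flow are assumptions of this example; the important design choice is that each stored record carries its own cost, so the policy can be raised later and old records are upgraded the next time the user logs in.

```python
import base64
import hashlib
import hmac
import os
import time

ALGO = "pbkdf2-sha256"
# Policy knob: raise this as attacker hardware speeds up. Existing records keep
# their own count and are upgraded on the user's next successful login.
CURRENT_ITERATIONS = 600_000


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Self-describing record algorithm$iterations$salt$hash (format assumed
    here), so the cost can differ per user without a schema change."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations), _b64(salt), _b64(dk)])


def _split(stored: str):
    algo, iters, salt, dk = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record: {algo}")
    return int(iters), base64.b64decode(salt), base64.b64decode(dk)


def iterations_of(stored: str) -> int:
    return _split(stored)[0]


def verify_password(password: str, stored: str) -> bool:
    iters, salt, dk = _split(stored)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters, dklen=len(dk))
    return hmac.compare_digest(cand, dk)   # constant-time comparison


def needs_rehash(stored: str, minimum: int = CURRENT_ITERATIONS) -> bool:
    return iterations_of(stored) < minimum


def login(password: str, stored: str, minimum: int = CURRENT_ITERATIONS):
    """Verify, and on success return an upgraded record when the stored cost
    is below policy. The plaintext is only in hand at login, so this is the
    one moment the cost can be raised without the user changing anything."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, minimum):
        return True, hash_password(password, minimum)
    return True, None


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough cost of a single guess at a given count: doubling the count
    doubles the attacker's cost per guess as well as the server's."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations, dklen=32)
    return (time.perf_counter() - t0) / samples


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", iterations=100_000)
    ok, upgraded = login("correct horse battery staple", rec)
    print("verified:", ok, "| upgraded to", iterations_of(upgraded), "iterations")
    for n in (10_000, 100_000, 1_000_000):
        print(f"{n:>9} iterations: {seconds_per_guess(n) * 1000:7.1f} ms per guess")
```

    The cost scales linearly in the iteration count, which is exactly the lever the two posts describe; memory-hard functions (scrypt, Argon2) add a second lever against GPU and ASIC crackers, but the record-carries-its-cost pattern is the same.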
  7. Re:Exponential growth problem by einhverfr · · Score: 3, Interesting

    You are probably reasonably right on the basic probabilistic mathematics of this approach. However, I still take issue with your conclusions because:

    1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.

    2) I find that about 8 characters is best for my general security. If I use 8-character passwords, I use a lot of mnemonic devices. An 8-character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!, @, &, #, etc.). If I get longer passwords, I tend to write out the phrases, which, although they tend to be in obscure languages, still allow for an avenue of dictionary attack which might otherwise be difficult if I am using contractions.

    IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide some sort of passcode to decrypt the key. This passcode could be biometric, passphrase-based, etc. The key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.

    --

    LedgerSMB: Open source Accounting/ERP
  8. sweet someone should tell my company by BeerSlurpy · · Score: 3, Interesting

    Where to begin?

    First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.

    Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.

    Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).

    Fourth, much of the software we use to perform infrastructure functions is hopelessly out of date, such that there are many published root-level vulnerabilities for nearly every service running on our network.

    And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?

  9. Re: Or what I do by E_elven · · Score: 3, Interesting
    I need to start cut-n-pasting this. There should be a topic for Passwords.

    Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I sit them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly, and changing a password is exceedingly easy.
    1. Pick a letter. Any letter will do but to start with you may want to take the first letter of your name.
    2. On the bottom row of the keyboard, pick any key from Z to M.
    3. Using the paper strips, draw your letter on the keyboard so that you start from your starting key (Z to M)
    4. Look at the keys under your strip. That's your password.

    Here's a visualization for the letter A starting from the key V:
    = 1 2 3 4 5 6 * 8 9 0 - = \
    == q w e r t * * i o p [ ]
    === a s d f * * * k l ; '
    ==== z x c * b n * , . /
    The plain password is: vgy7ujmh
    Using alternate shift: VgY7UjMh or vGy&uJmH

    This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm; for example for Slashdot, a password could be made from the letters 'slash' (on a Dvorak here, sorry):

    qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f

    Variation made easy. Try it.
    --
    Marxist evolution is just N generations away!
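    E_elven's scheme, modelled as an added example that is not part of the post: the US QWERTY block is laid out as a staggered grid, a traced shape is read off as a key sequence (reproducing the post's vgy7ujmh and its two shifted variants), and the number of possible shapes is counted so the scheme can be compared with a random string of the same length. The grid geometry, the rule that the letter is drawn one touching key at a time, and the 95-character comparison alphabet are assumptions of this example; the post's own A shape jumps from m back to h for the crossbar, which the strict walk count does not include, so the count is a lower bound on that variant.

```python
from functools import lru_cache
from math import log2

# US QWERTY main block, unshifted (assumed layout). Each row sits half a key to
# the right of the one above, so key (r, c) touches (r-1, c) and (r-1, c+1)
# above it and (r+1, c-1) and (r+1, c) below it.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = dict(zip("".join(ROWS),
                   "!@#$%^&*()_+" "QWERTYUIOP{}" 'ASDFGHJKL:"' "ZXCVBNM<>?"))
STEPS = ((0, -1), (0, 1), (-1, 0), (-1, 1), (1, -1), (1, 0))


def neighbours(r, c):
    """Keys physically touching (r, c) on the staggered grid."""
    return [(r + dr, c + dc) for dr, dc in STEPS
            if 0 <= r + dr < len(ROWS) and 0 <= c + dc < len(ROWS[r + dr])]


def is_walk(path):
    """True if every step of the traced shape moves to a touching key."""
    return all(b in neighbours(*a) for a, b in zip(path, path[1:]))


def password_from_path(path, shift=None):
    """Read off the keys under a traced shape; `shift` marks positions typed
    with Shift held, as in the post's VgY7UjMh / vGy&uJmH variants."""
    chars = [ROWS[r][c] for r, c in path]
    if shift:
        chars = [SHIFTED[ch] if s else ch for ch, s in zip(chars, shift)]
    return "".join(chars)


# The post's letter A starting at V: v g y 7 u j m, then back to h for the bar.
A_SHAPE = [(3, 3), (2, 4), (1, 5), (0, 6), (1, 6), (2, 6), (3, 6), (2, 5)]


def count_walks(length, start_cols=range(7)):
    """Number of key sequences of `length` that start on Z..M (bottom row,
    columns 0-6, as the post prescribes) and move one touching key at a time."""
    @lru_cache(maxsize=None)
    def walks(r, c, n):
        if n == 1:
            return 1
        return sum(walks(rr, cc, n - 1) for rr, cc in neighbours(r, c))
    return sum(walks(3, c, length) for c in start_cols)


def search_space_bits(length, shift_variants=True):
    """log2 of the candidates a cracker must try for this scheme, with every
    key independently shifted or not when shift_variants is set (x 2^length)."""
    n = count_walks(length)
    if shift_variants:
        n *= 2 ** length
    return log2(n)


def random_bits(length, alphabet=95):
    """For comparison: uniformly random printable ASCII of the same length."""
    return length * log2(alphabet)


if __name__ == "__main__":
    print(password_from_path(A_SHAPE), password_from_path(A_SHAPE, [True, False] * 4),
          password_from_path(A_SHAPE, [False, True] * 4))
    for n in (8, 12, 16):
        print(f"length {n:2d}: keyboard walks ~2^{search_space_bits(n):.1f}, "
              f"random printable 2^{random_bits(n):.1f}")
```

    With at most six touching keys per step, an 8-key walk with free shift choices gives well under 2^30 candidates against roughly 2^52.6 for 8 random printable characters, so the scheme buys memorability at a real cost in keyspace; lengthening the shape, as the post suggests, is what recovers it.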
  10. Re:decent compromise between security and convenie by RetroGeek · · Score: 3, Interesting

    First of all, they could put their passwords on post-its in the locking drawers most desks have. Almost as convenient, but MUCH more secure.

    You mean those locking drawers where the key number is stamped on the lock?

    I usually place a sticky note with a random number of characters under my keyboard. It looks like a password, and may even BE someone's password.

    But it is not MY password and it is not close to my password. This entertains whoever is trying to break into my computer for hours....

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.