Slashdot Mirror


Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Are seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

674 comments

  1. Integrate the pin with securid by stecoop · · Score: 4, Interesting

    required dongle is a note under your keyboard

    There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

    A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

    The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed pattern and the number is only good for 60 seconds. But this still has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is the best I have.

    1. Re:Integrate the pin with securid by wfberg · · Score: 5, Interesting

      The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

      The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

      My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.

      --
      SCO employee? Check out the bounty
    2. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0

      The required dongle is in my pants.

    3. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0

      I'd venture that's pretty damn safe then...don't think anyone is going *there*

    4. Re:Integrate the pin with securid by Jeff+DeMaagd · · Score: 1

      One thing that bugs me is the number of sites that require accounts, even if to get freely available information and not like ordering or posting.

    5. Re:Integrate the pin with securid by Longstaff · · Score: 2, Informative

      ... I only have to get your login name, securid key chain and guess what your 4 digit pin is.

      SecurIDs are not limited to a 4 digit PIN. I have to use them to log into various client machines and my PINs are always 7+ chars that are alpha/numeric. You type in the PIN - which is really a password at this point - and follow it with the 6 digit number on the SecurID.

    6. Re:Integrate the pin with securid by Z00L00K · · Score: 2, Informative
      I have also been working some with different security systems, and I have found a device that is fairly nice to have and fits onto your keyring. It is the Aladdin eToken. The only disadvantage I have found so far is that Windows XP doesn't support it with device drivers automatically. You need to install from a CD. It's somewhat annoying for something that is supposed to be a key to the system.

      This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.

      For the security paranoid, the maximum key size is only 1024 bits, which may be considered a little low in some applications.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0

      Securid pin numbers are useless. I worked in a company that used securid cards and everyone had their pin number stuck to the back of their securid card so they wouldn't forget it.

    8. Re:Integrate the pin with securid by gioan · · Score: 3, Informative

      Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

      The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.

      You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique pin/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or Pin + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.

      For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's pin in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the pin is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.

      Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and Pin on a Postit note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.

      And no, I (no longer) sell the stuff. Simply a knowledgeable user.

    9. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0

      This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.

      Uh, on most smartcards the "PIN" actually is a password. Often it is 8+ characters long and accepts any 8-bit binary set of values.

      It's just that in times past banks and such have only required a 4 digit numeric value. The card was not setting that limit though.

    10. Re:Integrate the pin with securid by techno-vampire · · Score: 1
      A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

      You still have 10,000 possibilities, and if the pin's randomly assigned, that's fairly safe. My personal favorite for logging into specific programs/servers is s/key. Easy to set up, easy to use if you have a password generator on the client computer. The one I'm familiar with allows you to set up a password for up to 1,000 logins. Each time, the program is given the number of logins left, a key and your password. It runs your password through the hash that many times and you put that in as your password. That way, even if the password you enter is intercepted, whoever gets it can't tell what it would be if you ran it one time less, as they don't know the *original* key used to set things up.

      --
      Good, inexpensive web hosting
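The S/Key hash chain described in the post above, as an added example that is not part of the original thread. It uses SHA-256 instead of the MD4/MD5 folding of the real S/Key and skips the six-word output encoding, so it shows the mechanism (server keeps only the last accepted link, client supplies the link one step earlier, a replay or a wrong secret is rejected) rather than the real on-the-wire format. The secret, seed and login count are constructed values.

```python
import hashlib
import hmac


def chain_value(secret: bytes, seed: str, n: int) -> bytes:
    """Return S_n, the n-th link of the hash chain.

    S_0 = H(seed || secret) and S_i = H(S_{i-1}). The client can compute any
    link because it knows the secret; anyone who only sees S_k on the wire can
    compute S_{k+1}, S_{k+2}, ... (already spent) but not S_{k-1}, which is
    the next link the server will accept.
    """
    value = hashlib.sha256(seed.encode() + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Server side: stores only the most recently accepted link, never the secret."""

    def __init__(self, seed: str, top_link: bytes, count: int) -> None:
        self.seed = seed
        self.current = top_link   # S_count, installed at enrollment
        self.remaining = count    # logins left before re-enrollment is needed

    def challenge(self) -> tuple[int, str]:
        """The prompt shown at login: which link to produce, and the seed."""
        return self.remaining - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept the response only if hashing it once yields the stored link."""
        if self.remaining <= 0:
            return False
        if hmac.compare_digest(hashlib.sha256(response).digest(), self.current):
            self.current = response   # the accepted link becomes the new anchor,
            self.remaining -= 1       # so replaying the same response fails
            return True
        return False


def enroll(secret: bytes, seed: str, count: int = 1000) -> OtpServer:
    """Enrollment: the client computes S_count once and hands it to the server."""
    return OtpServer(seed, chain_value(secret, seed, count), count)


def client_response(secret: bytes, seed: str, n: int) -> bytes:
    """What the client-side generator computes from the prompt plus the password."""
    return chain_value(secret, seed, n)


def demo() -> list[bool]:
    # Constructed secret and seed for illustration only.
    secret, seed = b"correct horse battery staple", "sk42"
    server = enroll(secret, seed, count=5)
    results = []
    n, s = server.challenge()                       # asks for S_4
    first = client_response(secret, s, n)
    results.append(server.verify(first))            # True: H(S_4) == S_5
    results.append(server.verify(first))            # False: replay, anchor is now S_4
    n, s = server.challenge()                       # asks for S_3
    results.append(server.verify(client_response(secret, s, n)))   # True
    results.append(server.verify(client_response(b"guess", s, 2)))  # False: wrong secret
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The design point is the one the post makes: the value that crosses the wire is useless for the next login, and the server never holds anything from which the secret can be recovered. The cost is the counter, which is why the scheme needs re-enrollment when the logins run out.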
    11. Re:Integrate the pin with securid by zfusion · · Score: 1

      I once worked for an internet provider that assigned completely random 8 character passwords to all client accounts. We had few complaints about it. I'm actually surprised that we didn't have more complaints. I think it all comes down to the simple fact that people are just downright lazy. Where I work about 90% of the employees' passwords are 'password' which drives me nuts. All password authentication methods should be written to not accept "dumb" passwords.

      On another note, I once was asked by a lady that wanted to be referred to as Dr. Jane Doe (I don't remember the exact name) and I was asked "Is it the zero next to the nine or the one next to the "p"?" I repeated what she said cause I didn't get what she was talking about. Everyone else in the room started cracking up. I had to put her on hold.

      Anyway .. I have about 6 or 7 different passwords. Sometimes I can't remember so I go through each one, then I have to go back through them cause I'm not perfect and I typed it wrong. When it comes to any device to help secure a system, I'm not sold on any yet cause it's easy to walk off with someone else's possessions even a finger if necessary. A device and a password would not make me feel any more secure. I personally would feel less secure if I had a pin number and a securid cause it's easier for someone to watch me type in numbers.

    12. Re:Integrate the pin with securid by BeBoxer · · Score: 1

      This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.

      For the security paranoid, the maximum key size is only 1024 bits, which may be considered a little low in some applications.


      For the security paranoid, it is the first feature which is the weakness here. There is no keypad on the card itself to enter the PIN, correct? You enter your PIN via your regular keyboard, correct? So if somebody has 0w3n3d your workstation, they can read your PIN when you type it and then ask your smartcard to perform as many authentications as they want. All without your knowledge. If you could be sure your workstation was secure, you wouldn't need the token in the first place.

      See the Cypak card mentioned below. THAT is how a smart card should work. I hadn't heard of them before, but I'll have to do some research.

    13. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0

      In Soviet Corea, old dongle requires YOU!

    14. Re:Integrate the pin with securid by Anonymous Coward · · Score: 0
      Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable.

      So what do you think about using the employee's phone extension (even twice for doubled security!) as a prefix for the SecurID generated passcode? I work for a "global player" company that even technically enforces this policy (prefix cannot be changed by the user).

      Funny/Sad addition: When I asked my boss whether he could tell me some details about our VPN solution (so I could connect to it with Linux), he advised me not to ask questions like these because some people would think I wanted to "hack" the network. Well, actually not "some" people, but the responsible ones.

    15. Re:Integrate the pin with securid by fanatic · · Score: 1
      still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

      Unless you've also limited failed login attempts to, say, 5, before the account is disabled. Then unless the pin is *really* stupid (say 1234), you're good to go.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    16. Re:Integrate the pin with securid by grahamsz · · Score: 1

      For secure environments I've got to deal with.

      1) Log into staging environment with one username/password
      2) Ssh to final environment using my own username password
      3) Receive challenge code at login prompt
      4) Enter my pin + challenge code into secureid
      5) Give one time password to server.

      It's a royal pain in the ass, but you'd need to intercept:

      1) My account details/password
      2) Our team account details/password
      3) My secureid card
      4) My secureid pin
      5) My secureid login - not the same as my *nix one.

    17. Re:Integrate the pin with securid by jim_v2000 · · Score: 1

      They need to do away with passwords/codes/pins altogether. Work on making things like fingerprint scanners or retinal scans more accurate and feasible to implement. Then we could do away with passwords altogether.

      --
      Don't take life so seriously. No one makes it out alive.
    18. Re:Integrate the pin with securid by Flower · · Score: 1
      The SecureID solution has mechanisms built-in to determine if someone is possibly trying to crack the PIN and will lock the account out if those thresholds have been hit. The default settings are almost too touchy and it only takes two failed logins to generate an alert. I'd have to do some reading and play around but I don't think the majority of hackers are going to have the patience to try and break the initial 4 digit PIN. One also hopes that the token would be reported as lost before the hacker had any real window to try and break the code.

      The real problem comes with policy. If a client loses a token they have to report it immediately so it can be disabled on the system. Policy has to be in place so a user is properly verified before a token is unlocked. You have to train the user to handle the PIN with care. At the local DMV it was neat to see they were using SecureID. The sticky note with the PIN tacked onto the token kinda made the whole exercise futile.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
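The PIN-plus-token-code login and the failed-attempt lockout discussed in this sub-thread, as an added example that is not from the thread and is not RSA's SecurID algorithm: it models a time-synchronized token as HMAC-SHA256 over a 60-second counter, checks the PIN and the code together so a wrong guess does not reveal which factor failed, refuses a code that was already accepted in its time step, and locks the account after a configurable number of failures. The seed, PIN, user names and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # a code is only good for one 60-second step
CODE_DIGITS = 6     # six digits displayed on the fob


def code_for_step(seed: bytes, step: int) -> str:
    """Token-side code for one time step: HMAC-SHA256(seed, step), truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    n = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return f"{n:0{CODE_DIGITS}d}"


def token_code(seed: bytes, now: int) -> str:
    """What the fob displays at Unix time `now`."""
    return code_for_step(seed, now // STEP_SECONDS)


def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Stored hashed with a per-user salt, so neither an admin nor a stolen
    # database learns the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenServer:
    def __init__(self, max_failures: int = 5, window: int = 1) -> None:
        self.max_failures = max_failures   # lock the account after this many bad passcodes
        self.window = window               # clock drift tolerated, in steps each way
        self.users: dict[str, dict] = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"seed": seed, "salt": salt, "pin": _pin_hash(pin, salt),
                            "failures": 0, "locked": False, "last_step": -1}

    def is_locked(self, user: str) -> bool:
        return self.users[user]["locked"]

    def authenticate(self, user: str, passcode: str, now: int) -> bool:
        """passcode is the PIN immediately followed by the six-digit token code."""
        rec = self.users.get(user)
        if rec is None or rec["locked"] or len(passcode) <= CODE_DIGITS:
            return False
        pin, code = passcode[:-CODE_DIGITS], passcode[-CODE_DIGITS:]

        pin_ok = hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin"])

        # Check every step in the drift window and keep the one that matched;
        # all candidates are compared so timing does not tell which one did.
        base = now // STEP_SECONDS
        matched = -1
        for step in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(code.encode(), code_for_step(rec["seed"], step).encode()):
                matched = step
        # Each code is accepted once: a passcode captured and replayed inside its
        # 60-second window must fail, so the last accepted step is remembered.
        code_ok = matched > rec["last_step"]

        # Both factors are evaluated before deciding, so a failure does not
        # reveal whether the PIN or the code was wrong.
        if pin_ok and code_ok:
            rec["failures"] = 0
            rec["last_step"] = matched
            return True
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            rec["locked"] = True   # cleared only by an operator who has verified the user
        return False


if __name__ == "__main__":
    # Constructed seed, PIN and timestamp for illustration only.
    server = TokenServer(max_failures=5)
    seed = b"constructed-32-byte-seed-value!!"
    server.enroll("alice", seed, "7h1sPIN")
    t = 1_700_000_000
    print(server.authenticate("alice", "7h1sPIN" + token_code(seed, t), t))       # True
    print(server.authenticate("alice", "7h1sPIN" + token_code(seed, t), t + 5))   # False: replay
    for _ in range(5):
        server.authenticate("alice", "0000" + token_code(seed, t + 120), t + 120)
    print(server.is_locked("alice"))                                               # True
```

The lockout counter is reset by a successful login and only by that, which is what makes a short numeric PIN tolerable in this model: five tries against 10,000 possibilities is not a brute-force, and the lock itself is the alert the post above mentions. The unlock step (verifying the person before re-enabling the token) is the policy part that no code can supply.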
    19. Re:Integrate the pin with securid by devilspgd · · Score: 1

      Making that a fireable offense (And enforcing that policy) should be sufficient.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    20. Re:Integrate the pin with securid by devilspgd · · Score: 1

      That only works if you can secure the input device and the authentication system, and everything in between.

      If the scanner or anything between the scanner and the authentication device is compromised, an attacker can intercept the digitized copy of your finger print (or whatever biometric you decide to use) and you're screwed. Worse, you can't just change your finger print (Well, you've got 8 fingers and two thumbs, but after that, you're out of luck)

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    21. Re:Integrate the pin with securid by gioan · · Score: 1
      So what do you think about using the employee's phone extension (even twice for doubled security!) as a prefix for the SecurID generated passcode? I work for a "global player" company that even technically enforces this policy (prefix cannot be changed by the user).

      I would say you were working for a place that purchased a product and had either a) no clue what they were doing, or b) didn't care, so long as it met the audit requirement and/or bragging rights for the responsible manager and the "look what I implemented" factor.

      It's pretty sad to see how much money gets thrown down the drain in the pursuit of security, only to see any gains falter when faced with either the immeasurable stupidity of the users, or that of the administrators themselves.

  2. I only have 2 passwords by xyeeyx · · Score: 3, Interesting

    2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

    1. Re:I only have 2 passwords by Kiryat+Malachi · · Score: 2, Insightful

      I have 5, now. Each time I rotate passwords (once per year, usually), the highest security one moves down a notch, and everything below it gets bumped down by one.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    2. Re:I only have 2 passwords by ifdef · · Score: 5, Insightful

      I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

    3. Re:I only have 2 passwords by Anonymous Coward · · Score: 1, Funny

      I use aaaaaaaa and goatse911 for everything. Haven't been rooted yet...

    4. Re:I only have 2 passwords by maskedbishounen · · Score: 2, Interesting

      Yes. :)

      I have two different sets. One specifically for online sites like PayPal, my bank, etc. The other is for generic internet things.

      The important stuff set is then further split into one of two passwords, chosen depending upon how "important" the site is. So my Amazon account won't use the same as my bank, and such.

      The generic set is split into three, or occasionally four, also based on importance.

      The rare fourth is my root password, the third my normal login, second for general web usage, and last for throw away usage.

      I tend to use the throwaway one a lot. /., IRC, Gmail. In fact, all my friends know it, and I've yet to have them play around with my stuff. YMMV, and you should still rotate passwords every so often . . . or so I'm told.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    5. Re:I only have 2 passwords by Profane+MuthaFucka · · Score: 2, Funny

      My luggage is 1, 2, 3, 4, 5. Probably your luggage too.

      Actually, I have my luggage combination written in sharpie on the outside, right next to the lock. It's 0-0-0-0. That's so the TSA can open it up if the numbers happen to get bumped away from 0-0-0-0.

      Online I have an easy password, which is used everywhere unimportant; a medium password, which is used on sites that I would not want to lose the account for; a hard password used on sites with sensitive and personal information; and a secure password which is used on sites with direct access into my bank account, such as bill pay sites.

      At work they require us to have those unmemorizable passwords, so I just tattooed it on my cock where it's always 'handy'. Had a bit of trouble when they increased the length from 6 to 8 letters. Those last two letters hurt quite a lot.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    6. Re:I only have 2 passwords by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      anyone else have a few standard passwords?

      For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

    7. Re:I only have 2 passwords by Anonymous Coward · · Score: 2, Funny

      Tell me about it, just the other day I rooted some guy who used aaaaaaaa and goatse911 for everything. Poor sucker probably doesn't even realize he's been rooted yet.

    8. Re:I only have 2 passwords by Hognoxious · · Score: 1
      I have 1 which is used for stuff that doesn't really matter, but I keep different ones for root on my box, logons to production servers, my bank etc.

      I keep the ones I don't use often in a spreadsheet which is password protected. Even if you did decrypt that, it only contains clues that only I would get (sometimes one other person...).

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    9. Re:I only have 2 passwords by kiatoa · · Score: 1

      I have about 10-20 weird "words" I munge and cycle through for passwords. Policy is now 90 day passwords. Yeesh. Too burdensome as far as I'm concerned but you gotta do what you gotta do. I am waiting with bated breath for the day when computers are smart enough to recognise you by sight, sound and scent. "I'm sorry Bob, please run around the building twice and then attempt to log in again, your scent levels are too low for a positive id."

      --
      90% of the wealth is in 2% of the pockets. Bummer to be in the majority.
    10. Re:I only have 2 passwords by maskedbishounen · · Score: 1

      ..except once they have two of your passwords, they've figured out your pattern.

      Perhaps a better way would be to take the ASCII value of the first letter and tack it on to the end as well. Even better if you were to square it, or something. Or is it just me?

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    11. Re:I only have 2 passwords by Jim_Maryland · · Score: 1

      Even this scheme is not adequate for all environments. I'm one of the unfortunate people who manage several different networks where passwords must not be duplicated between systems. Throw in that I have a regular user account, root, and administrator (domain, server, and clients all different) and slightly different password requirements (alpha numeric, mixed case, length, non-dictionary) and I have way too many to easily remember. I also have my home and online passwords different from any of my work versions (although I don't force myself to change these as often). I end up having to leave obscure clues that would be meaningless to anyone (example: "car#" could be a clue where it would translate to one of my cars and a significant number to me).

      I for one would welcome a new authentication overlord if available.

    12. Re:I only have 2 passwords by Tet · · Score: 1
      Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

      I'm glad someone else understands this. I've successfully fought against mandatory password changes at my company, but it rears its head again every few months, as some bright spark in management (usually in our parent company) thinks it would be a good idea, and it's "standard best practice" in the IT industry.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    13. Re:I only have 2 passwords by ajs · · Score: 1

      I have one password that I use for generic stuff I don't care about someone cracking.

      Then I have my PIN for bank stuff.

      Then there's my home, work and high-security passwords.

      The last three I use a program that I wrote to generate. It's available from my home site, but I haven't really fully released it yet (this is just an alpha version). Eventually, I'll upload it to CPAN.

    14. Re:I only have 2 passwords by jxyama · · Score: 1
      i completely agree. we have an ancient VAX system at work, which requires me to change my password every 4 months and any password previously used is not accepted. and the password must be between 6 to 8 letters long.

      at first, i gave it an honest password. however, i ran out of easy to remember passwords, so i resorted back to a string of 6 numbers. i had no choice - there's only a finite number of things i can remember as passwords.

      i realize this is an extreme and (hopefully) outdated case. clearly, whoever designed this protocol didn't do real-world testing, but thought naively that requiring change of passwords so often, with no duplicates allowed and must be within a very narrow range of characters, would be improving security.

    15. Re:I only have 2 passwords by 99BottlesOfBeerInMyF · · Score: 1

      ..except once they have two of your passwords, they've figured out your pattern.

      Depending upon your scheme that is entirely possible. Using an ASCII value would not be a bad way to go, if you know them offhand. And there are plenty of other ways this sort of security can be boosted. I just provided a very simple and easy example that is the "low hanging fruit." Using the scheme I originally mentioned if you go to two sites that both start with the same letter, they would both have the same password. If someone at allofmp3.com tried your password to buy things on amazon.com, the system has failed. The point I was trying to demonstrate was that 90% of the time, just adding that letter will prevent someone from one site that is compromised from guessing another site. Most internet fraud perps don't have to work very hard, and they are not going to bother trying to cross check names and passwords across sites to try to figure out your pattern. They will just skip to the next name on the list.
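The site-letter scheme from this sub-thread, with the collision it admits when two sites start with the same letter, placed next to a keyed per-site derivation (HMAC-SHA256 of the site name under a master secret) that goes beyond what the thread proposes: every site gets a distinct password and two leaked passwords do not expose the pattern. This is an added example, not from the thread; the base password, master secret and site list are constructed.

```python
import base64
import hashlib
import hmac
from typing import Callable


def letter_prefix_password(base: str, site: str) -> str:
    """The thread's scheme: prepend the first letter of the site name to a shared base."""
    return site[0].lower() + base


def derived_password(master: str, site: str, length: int = 16) -> str:
    """Keyed alternative: HMAC-SHA256(master, normalized site name), rendered printable.

    Learning one derived password reveals nothing about the master or about any
    other site's password, so the pattern cannot be figured out from two leaks
    the way a visible prefix can. The master is the only thing to remember.
    """
    host = site.lower().strip()
    mac = hmac.new(master.encode(), host.encode(), hashlib.sha256).digest()
    # base64 text keeps mixed case and digits; a site that forbids '+' or '/'
    # would need its own alphabet, which this example does not handle.
    return base64.b64encode(mac).decode()[:length]


def collisions(scheme: Callable[[str], str], sites: list[str]) -> set[tuple[str, str]]:
    """Pairs of sites that a scheme maps to the same password."""
    seen: dict[str, str] = {}
    found: set[tuple[str, str]] = set()
    for site in sites:
        pw = scheme(site)
        if pw in seen:
            found.add((seen[pw], site))
        else:
            seen[pw] = site
    return found


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    sites = ["amazon.com", "allofmp3.com", "slashdot.org", "paypal.com"]
    base, master = "8dogs8food", "constructed master secret"
    for site in sites:
        print(f"{site:14} {letter_prefix_password(base, site):14} {derived_password(master, site)}")
    print("prefix collisions:", collisions(lambda s: letter_prefix_password(base, s), sites))
    print("keyed collisions: ", collisions(lambda s: derived_password(master, s), sites))
```

The trade-off the thread circles around is visible in the output: the prefix scheme is memorable and catches the lazy cross-site attempt, while the keyed scheme is as strong as the master secret but needs a program (or a password safe) to reproduce it.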

    16. Re:I only have 2 passwords by CatsupBoy · · Score: 1

      Personally, I've had only one or two passwords I ever used for online accounts.

      But it seems like almost all sites have some easy method for resetting your account or sending your password over e-mail. I'm beginning to think the best way would be to make up something each time you log on, and if you can't remember it the next time, reset the account and pick a new one.

      I suppose this all depends on how secure your e-mail account is, not to mention there is a timing factor if someone is snooping your internet traffic. But as long as you can log in and reset the password to something different, this may even be a very secure method.

      Essentially you establish a one time session password that is very difficult to remember/guess. And you don't have to store it anywhere because you start over the next time.

    17. Re:I only have 2 passwords by prgrmr · · Score: 2, Insightful

      I've successfully fought against mandatory password changes at my company, but it rears its head again every few months, as some bright spark in management (usually in our parent company) thinks it would be a good idea

      Of course it's a good idea. But like everything else in life, it, too, is subject to the "Too Much of a Good Thing" syndrome. The trick is to change passwords often enough to maintain security and protect against those who will, inevitably, give away their passwords in exchange for trinkets or favors, and to balance that against not making the change so often as to be more trouble than it is worth. Depending on the environment, 2-5 times a year is sufficient.

      Remember, a login/password scheme is there to ensure limited access to a limited number of systems (usually one) is granted to a known, limited number of individuals (usually just one per login). As soon as you don't have this, you don't have security. The best firewall in the world won't save you from the dumbass user who calls the vendor directly and gives their login & password to the tech support drone on the phone.

    18. Re:I only have 2 passwords by harlows_monkeys · · Score: 1
      2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

      Yes, I have a few. One for my accounts on machines I basically have sole control of (and never use anywhere else), one that is used for things where I don't care too much if other people find it out, and a couple in between. I also have one really good password (equivalent to about 110 random bits) that is used only to protect my personal GPG secret key.

      However, note that this is not really all that good a way to do things. The problem is that if you use standard password X with unrelated services S1 and S2, then if your password to S1 is compromised, S2 also falls. Also, I occasionally forget which standard password goes with which site, so might first try to login to S1 using standard password Y. So, if S1 is compromised, they might get more than one of my passwords! Oops.

      What is really needed is something that generates good random passwords on demand, that you can use whenever some site or place asks you to register. This needs to be easy to use, and it then needs to store the password, encrypted, locally. There then needs to be something that makes it very easy to retrieve said local encrypted passwords when needed. This too needs to be easy to use (which includes only asking you to provide your master password once per session), AND it needs to be safe against malware, AND it needs to work with most or all websites and with most email clients.

      This is the kind of thing that needs to be built into the OS, actually, so that every application that might want to deal with passwords can count on it being there, and make use of it.

      On Windows, the problem will be all the malware out there. You need the system to protect this thing so that even on a compromised system, you don't lose all your passwords.

      On Linux, the problem will be getting anyone to agree on how to do it. I'm sure the Gnome people and the KDE people will have different ideas of how it should work, and they will be mutually incompatible.

    19. Re:I only have 2 passwords by Not_Wiggins · · Score: 2, Informative

      We have a similar policy at work... and it is applied (with random expire times) on over 40 different server boxes.

      Since our dev environment is on a Windows platform, I use Password Safe and have it generate/store new passwords for me for all of the production machines.

      Sure, it is a pain because I have to fire it up and put in my one secure password to get to the other passwords. But, at least it limits my security exposure to one bastion host (the shared drive on the LAN, so my encrypted password database is backed-up).

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    20. Re:I only have 2 passwords by JuggleGeek · · Score: 1
      I've worked in places that required the monthly password change. And of course, they won't let you use a password that you used recently.

      But at one place, I also figured out that the system had a list of your 20 most recent passwords, and wouldn't let you use any of those. So every month, I'd change the password 21 times in a row, then change it back to what I wanted. That way I didn't have to memorize a new password every month, and I didn't have to leave a note with my password hidden under the keyboard (or wherever.)

    21. Re:I only have 2 passwords by Anonymous Coward · · Score: 1, Funny

      We have very tight security. Every time I change my password, someone in the IT department calls me up and asks what I changed it to so they can verify that the new password is really secure.

    22. Re:I only have 2 passwords by IWorkForMorons · · Score: 1

      Nope...at my last job, we were required to change passwords every month on the ancient AS/400. This led to me and most of the people I worked with using an easy to remember password with a number on the end. Not a very secure system, plus it was kinda demoralizing since you would slowly count away your life every time you changed your password. I was at 41 when I was laid off. And with the passwords starting at 0, I was laid off after 42 months of working there. Whoa...that's the first time I realized that. So the answer to life, the universe, and everything...is becoming a lazy unemployed slacker with relatively little stress. I think I like this plan.

    23. Re:I only have 2 passwords by prgrmr · · Score: 1

      we have an ancient VAX system at work, which requires me to change my password every 4 months and any password previously used is not accepted

      Ask the system admin to modify the password history. See here:

      http://groups-beta.google.com/group/comp.os.vms/msg/c6f28f73c3ff7b95?dmode=source

      BTW, between work and home I have over 100 passwords and pins. Only a select few for work are anywhere in writing. I was using a password safe on my palm, but that was a pain to update every 4 months when passwords rolled, so I gave up on that.

    24. Re:I only have 2 passwords by 99BottlesOfBeerInMyF · · Score: 1

      That is really not too bad of an idea. Someone can still get into your account by asking for a new password as you and snooping your mail server, but they can do that no matter what your password is. I think the main drawback is the inconvenience. Not too many people are willing to wait for a new password via an automated mailing. Most of us just want to buy something and be done with it. I guess it depends on the response time of their automated password mailer.

    25. Re:I only have 2 passwords by Gr8Apes · · Score: 1

      Heck, I use a limited number of base rotating patterns. I just have to remember in what phase of the pattern I'm in, and everything just falls into place. Much easier than dealing with "memory enhanced" passwords, and other crap that tries to be totally unique every 4 months or less.

      The bennie? The patterns are truly random sets of characters, as they're not based on real words.

      --
      The cesspool just got a check and balance.
    26. Re:I only have 2 passwords by Foobar+of+Borg · · Score: 1

      Where I work, I think they actually do it sensibly. They make you change your password every couple of months, but the system only remembers your last eight passwords. So, you only have to have a "variation on a theme" idea in your head that only you would know and remember in order to have enough passwords to cycle through every 1.5 years.

    27. Re:I only have 2 passwords by TFloore · · Score: 1
      But at one place, I also figured out that the system had a list of your 20 most recent passwords, and wouldn't let you use any of those. So every month, I'd change the password 21 times in a row, then change it back to what I wanted.

      Where I work, the network server will only let you change your password twice a day. It would take you 10 days to cycle through the 20-password history, and on the 11th day you could set it to whatever you wanted. I'm not sure how long the password-history is here... longer than 5, but more than that I haven't checked.

      I've always thought we had particularly evil network admins here...
      --
      This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
    28. Re:I only have 2 passwords by russotto · · Score: 1

      The Mac has the password-storage part already (Keychain).

    29. Re:I only have 2 passwords by INetEngineer · · Score: 1

      I have a password list (based on the English language and science/mathematical equations) that goes into rotation after one has been used. Separate passwords for Operating System, each email account, general web applications, online banking, etc. Once used, it goes into rotation at the bottom of the list. Each password gets updated. How do I remember them all? I don't! I remember 1 password changed each month that encrypts/decrypts my password list using a program that I wrote that also generates an additional "discovered" token appended to my password for the encryption key that can be retrieved and appended when decrypting.

      Obviously this only works for computer-related passwords. PINs and other passwords require a much more human element to keeping them secure.

      Fun stuff...

      --
      --I smoked my sig.
    30. Re:I only have 2 passwords by Lumpy · · Score: 2, Interesting

      no kidding....

      the IT gurus that pride themselves on security at the HQ were bragging that most of our company users were using good passwords.

      I suggested they let me have a crack at it.

      I broke over 40% of the passwords by simply adding the YYMM as in last 2 digits of the year and the month as digits to the end of every password tried from the dictionary.

      they were surprised and I said, "your fault for forcing 30 day password expiration on the domain."

      this was 1 year ago.

      they still have not changed their policies, and now want everyone to have their last 4 social security number in their username.

      now I can spoof tech support easily as they ask you for validating who you are.....

      the last 4 of your Social security number.

      we have complete morons running our IT department.

      --
      Do not look at laser with remaining good eye.
    31. Re:I only have 2 passwords by stretch0611 · · Score: 1
      I agree. Mandatory change forces less secure passwords.

      For passwords outside of work I use hard to know passwords - Mixed-case, number added, no dictionary words, and the password is not a friend, relative, or pet name.

      Most of my passwords expire in a month at the office, the longer ones every 45 or 90 days. I use a simple word (capitalized if needed) and this is December so I appended 1204. This way I can use the same word next month by appending 0105.

      I'm sorry, I consider myself an intelligent person, but if I am forced to use a dozen not-easy-to-remember passwords that change every month I would forget them and need my password reset regularly (which would increase the number of new passwords I have to come up with).

      --
      Looking for a job?
      Want your resume written professionally?
      DON'T USE TUNAREZ!!!
    32. Re:I only have 2 passwords by Stephen+Samuel · · Score: 1
      ..except once they have two of your passwords, they've figured out your pattern.

      For any site where you care enough about that that's a real issue, then you should probably be using a more secure method. On the other hand, there are lots of sites where I'm only going to be moderately pissed if someone gets the passwords to all of them at one shot.

      For me things like bank accounts get unique passwords, as do root and personal accounts with (remote) shell access. Other accounts tend to get 'communal' passwords.

      --
      Free Software: Like love, it grows best when given away.
    33. Re:I only have 2 passwords by fupeg · · Score: 1

      I have three. I have one though that I use the most. I've been using it since my college VAX account got hacked, and I'm not even going to say how long ago that was...

    34. Re:I only have 2 passwords by shepd · · Score: 1

      I've successfully fought against mandatory password changes at my company, but it rears its head again every few months, as some bright spark in management (usually in our parent company) thinks it would be a good idea, and it's "standard best practice" in the IT industry.

      My college did this.

      The solution all students, and all IT staff took was to add a number to the end of your password.

      For example, password01 becomes password02.

      Yes, this provided absolutely no security. Yes, I worked for this IT staff, so when I tell you they actually thought nobody else thought of this novel way of working around their stupidity (and that they thought they weren't stupid) you can be assured I'm correct.

      They did attempt to fire me once. That didn't work out so well... well, not for me that is. I ended up with a *better* job in IT there as a result. Oh, so many stories, so little time.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    35. Re:I only have 2 passwords by kcbrown · · Score: 1

      Yeah, I do too and haven't been roo

      --
      Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
    36. Re:I only have 2 passwords by MikeXpop · · Score: 1

      There are a few good tricks like that. Here are some of my favorites that I recommend to people who don't like coming up with or remembering passwords with letters and numbers.

      One is to take whatever password you have now and make it into really basic l337. This is really one of the most useful uses of l337 I've thought of. If a password is mycatkittens, tell them to change only 1 or 2 letters into l337, making it into myca7ki773ns. This is good because it allows them to have a more secure password while also preventing them from having to remember a new one.

      Another one I've thought of is similar to yours in that it varies from site to site based on the site's name. Take the name of the site, and then take the md5 hash of that name. Use the first 9 characters and you have a new secure password that changes from site to site. Also, it's very easy to look up if you ever forget without the danger of leaving post-it notes around.

      I'm sure there are several other tricks and tips out there (though the best ones won't be posted for obvious reasons). What do all the rest of you slashdotters recommend?

      --
      Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
    37. Re:I only have 2 passwords by hackstraw · · Score: 1

      2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

      I'm weird about my passwords.

      I have a very long and weird password that unlocks my ssh private key and then I march around from box to box w/o having to use a password. Usually I only have to use my own password if I use sudo for something. OS X's keychain comes in handy too for passwords that I do not care about.

      Personally, I have 1 password for root access that I tell no one. If others "need" to know the root password, I let them set it to something stupid and I never even remotely try to remember it (sudo works well for me).

      I then have a scheme that I use for passwords where they are unique for each machine/site, but have common extra characters in it to make it "secure".

      IMHO, passwords are insecure, period. Most password based "breakins" come in 2 flavors. 1) It's incredibly weak like "joshua" in Wargames (the name of the user's son) or most common is 2) people give the password away via plaintext, people looking at their typing, typing the password in a wrong field and it's visible, sticky notes, or any other way that they feel like simply giving the password away. Back when bash was lax about the permissions on .bash_history, I would look for passwords there. People used to do something like:

      us - root typo on 'su', then the shell would say:
      bash: command not found: us
      and then the user would do:
      rootpasswordhere
      followed by:
      bash: command not found: rootpasswordhere
      and bash would store it in history for future reference (why bash stores unfound commands in history anyway is another question)

      One account at a DOE lab that I have and never use insists on changing my password every X months with insane rules to make it "secure". It pisses me off so much that I have a mail filter to securely store those email reminders in /dev/null for future reference.

      Passwords suck.

    38. Re:I only have 2 passwords by rcamera · · Score: 1

      here's an idea to keep your old password...

      change your password when required and immediately change it back to what it was. if they don't let you use your last 3 passwords, change when required (add a number at the end), change again (increment number at end), change again (increment number at end again), and change it back to your original.

      --
      Wave upon wave of demented avengers March cheerfully out of obscurity into the dream
    39. Re:I only have 2 passwords by Sentry21 · · Score: 1

      At work, we have several passwords - one for the Windows login, one for Lotus Notes, and one for mainframe access. We also had another password for a system we recently phased out, but it was read-only anyway.

      The upshot of all this is that in order to really be me, you need to know all three passwords. You have to log into the domain, which requires a password that rotates per the standard security policy (once every few months). You then have to log into Lotus Notes if you want to send e-mail as me, and this is a completely different password that I have changed myself; in addition, the Lotus notes.ini file is stored on the server and shared over CIFS so you have to be logged in as me in Windows to log in as me in Lotus. Lastly is the mainframe password which was provided by ITS and is unique to each person. Oh, and we have two accounts for the mainframe, and we need to be able to log into both at once.

      For the Windows login, the username is Fname.X.Lname, which is easy to guess, but for the mainframe, it's a three-letter Login ID which is also generated by ITS, and is supposed to bear at least some resemblance to your initials. Because of limited namespace, however, a friend, let's call him James Roberts, has FJR, and myself, let's say Dave Underwood, I have DIE (my last name was read incorrectly from my application - no one had my correct name for weeks; also, no customers ever believe me when I tell them this). FYI, these are all made up names/IDs, they're just for examples.

      Oh, and if you want to log into my phone, you need to have my Symposium ID, which is a four-digit number. Per company policy, managers can send out information (like # of calls taken/made per day) by name XOR by login ID.

      Keep in mind, none of this is for security, it's actually because all of our systems are a pain in the ass. Still, it provides quite a few levels to security, and requires you get at least two passwords in order to really do anything as me.

    40. Re:I only have 2 passwords by mjmartin_uk · · Score: 1

      For online accounts I tend to use the same lame method unless the online account can lead to important information. I.e. my Slashdot account has a different password to my Amazon account for obvious reasons... Slashdot contains sensitive information :-)

    41. Re:I only have 2 passwords by techno-vampire · · Score: 1

      I have one generic password that I use for most places. It's simple to type, easy to remember and a pronounceable word. However, you'll never find it in any dictionary because it's not a standard word. I like it because it's easy for me to remember, but impossible for a stranger to guess. Of course, if there are real security issues involved, I use something else, and rotate as needed.

      --
      Good, inexpensive web hosting
    42. Re:I only have 2 passwords by ifdef · · Score: 1

      This gets confusing, but eventually you learn all of these passwords.

      UNLESS they make you change them all in 6 weeks. How would you handle it then?

    43. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      My passwords are really secure. I can't even remember them half the time, so I spend a lot of time on "Forgot your password" or "Forgot your username" forms. Then I answer easy to research questions like my mother's maiden name and they send me the passwords in nice secure plaintext email.

    44. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      You could use something like b0nehead or URN1d10t
      or 31337hax0r, but substituting 31337 5p33k is something a dictionary attacker could try without too much added effort.

    45. Re:I only have 2 passwords by nelsonal · · Score: 1

      The best security scheme I've ever heard of had no rules about password creation/maintenance. They just ran Jack the Ripper and possibly a brute forcing program against everyone's password. If you got hacked you lost your account.

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
    46. Re:I only have 2 passwords by ifdef · · Score: 1

      Many systems will not let you change passwords more than once a day (or some other arbitrary period), so that will not work there.

    47. Re:I only have 2 passwords by techno-vampire · · Score: 1

      When I worked at an ISP, they decided to go with 30 day passwords for employees. This is for programs on the internal network, behind the firewall, that only employees have access to. It was also to log onto internal servers, similarly protected. The most annoying thing of it was that you would have to log into these programs or servers each time you needed them and it'd time out in less than five minutes of inactivity. If we'd been telecommuting, and logging in from home, this would have been A Good Thing, but we were all in their call centers, making most of this redundant. Naturally, the passwords were mixed case, alphanumeric, ten letters or more. Highly aggravating, to say the least. My way of fighting back was to use passwords like m0therFucKer or fUcKing4ssh01e. OK, it did get embarrassing once. I was having trouble with it and had to give it to my lead to check. She was rather amused by my way of making it easy to remember.

      --
      Good, inexpensive web hosting
    48. Re:I only have 2 passwords by Anonymous Coward · · Score: 0
      There's also techniques against that - a minimum password age, where you can't change your password within a certain number of days of the last change.

      So, if you change your password, and notice somebody shoulder-surfing while you do it, then you're stuck with a known-compromised password for the next 24 or 48 hours.

      Also put me in the dumb situation at work, where I wanted to change my password to something secure, but I was stuck with the braindead default password the helpdesk gave me for the first two days here.

    49. Re:I only have 2 passwords by shades6666 · · Score: 1

      I used to do this... But now one of our systems keeps track of the last 10 passwords you've used, requires that the password be changed every 3 months, AND does NOT allow you to change the password more than once in a three day period.

    50. Re:I only have 2 passwords by techno-vampire · · Score: 1
      we have complete morons running our IT department.

      And you're surprised? I bet they have all sorts of certifications, like A+ and MCSE, but no Real World experience.

      --
      Good, inexpensive web hosting
    51. Re:I only have 2 passwords by techno-vampire · · Score: 1

      Before my last job got hooked on frequent password changes, I had a set of passwords I couldn't forget and nobody else there could guess: I used the names of some of my DND characters. Not in any dictionary, not spelled phonetically, but the way I liked to spell them. Unforgettable and unguessable.

      --
      Good, inexpensive web hosting
    52. Re:I only have 2 passwords by Anonymous Coward · · Score: 1, Insightful
      They remember ALL passwords you have used here. And they make you change it every 60 days. And you need a certain ratio of letters to numbers. And only a certain percentage of characters can be the same as your last password. This last is a vain attempt to prevent password01 -> password02 type things, but of course, the determined can just do password01 -> myxlpyk01 -> password02 etc.

      So I do one of the following:

      • Keep it written down near my computer on a slip of paper
      • Use an easy to remember pattern on the qwerty keyboard like: 1qaz2wsx or 2wsx3edc or 3edc4rfv etc

      People who put security policies in place don't give a rat's ass whether what they are securing gets broken into. They only care that in the event of a breakin, they can't be blamed for being too lax. Being so strict about passwords that users are *practically* if not actually limited to a tiny keyspace in choosing their passwords is better than leaving open a channel through which blame can find them.
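
      The weak habits described across this thread (a dictionary word with a counter or the current month appended, basic l337 spelling of a word, and keyboard walks like 1qaz2wsx) are exactly what an audit can reject at change time. The following is an added example of such a check, written by the editor and not taken from any poster; its word list, its sample passwords and the check against the outgoing password are constructed for the example.

```python
"""Policy check for the weak password habits described in this thread.

Added example (the editor's, not any poster's code). It catches, at change time,
the patterns posters say attackers try first: a dictionary word with trailing
digits (password01 -> password02), a word with the current month appended (YYMM
or MMYY, as in Summer1204), "basic l337" spelling of a word, keyboard walks such
as 1qaz2wsx, and a new password that only differs from the old one in its suffix.
The word list and the sample passwords are constructed for the example.
"""
import re
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed mini dictionary; a real deployment would load a full word list.
WORDS = {"password", "mycatkittens", "welcome", "summer", "dragon", "letmein"}

# Undo the common single-character leet substitutions before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Keyboard sequences: the column walk 1qaz2wsx3edc..., the digit row and the letter rows.
KEYBOARD_LINES = [
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/",
    "1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./",
]

# Trailing counter/date suffix: one to six digits, optionally followed by one symbol.
SUFFIX_RE = re.compile(r"^(.*?)(\d{1,6}[^\w]?)$")

EXAMPLE_TODAY = date(2004, 12, 15)  # constructed date so the month check is reproducible


def normalize_leet(text: str) -> str:
    """Lower-case and map leet digits/symbols back to letters (myca7ki773ns -> mycatkittens)."""
    return text.lower().translate(LEET)


def split_suffix(password: str) -> Tuple[str, str]:
    """Split 'Summer1204!' into ('Summer', '1204!'); a password without a suffix gives (password, '')."""
    m = SUFFIX_RE.match(password)
    return (m.group(1), m.group(2)) if m else (password, "")


def is_keyboard_walk(password: str) -> bool:
    """True if the whole password is a run along one keyboard line, forwards or backwards."""
    s = password.lower()
    return len(s) >= 4 and any(s in line or s in line[::-1] for line in KEYBOARD_LINES)


def month_suffixes(today: date) -> Set[str]:
    """Digit strings a user is likely to append for the current and the neighbouring months."""
    out = set()
    for delta in (-1, 0, 1):
        y, m = today.year, today.month + delta
        if m == 0:
            y, m = y - 1, 12   # wrap back into December of the previous year
        if m == 13:
            y, m = y + 1, 1    # wrap forward into January of the next year
        yy, mm, yyyy = f"{y % 100:02d}", f"{m:02d}", f"{y:04d}"
        out.update({yy + mm, mm + yy, yyyy + mm, mm + yyyy})
    return out


def check_password(password: str, previous: Optional[str] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    `previous` is the outgoing cleartext password, which is only available at change
    time (a well-run system keeps password history as hashes, never as cleartext).
    """
    today = today or date.today()
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk")
    base, suffix = split_suffix(password)
    word = normalize_leet(base)
    if word in WORDS:
        detail = f" plus suffix '{suffix}'" if suffix else ""
        reasons.append(f"dictionary word '{word}'{detail}")
    digits = re.sub(r"\D", "", suffix)
    if digits in month_suffixes(today):
        reasons.append(f"suffix '{digits}' is the current month (YYMM/MMYY)")
    if previous is not None:
        old_base, _ = split_suffix(previous)
        if old_base and normalize_leet(old_base) == word:
            reasons.append("only the suffix changed since the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords echoing the ones mentioned in the thread.
    for pw, prev in [("Summer1204!", None), ("myca7ki773ns", None),
                     ("1qaz2wsx", None), ("password02", "password01"),
                     ("Tq7#vLp9zR2m", "Summer1204!")]:
        print(f"{pw:14} -> {check_password(pw, prev, EXAMPLE_TODAY) or 'accepted'}")
```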

    53. Re:I only have 2 passwords by bcrowell · · Score: 1
      I keep important passwords in an encrypted file, like you. Unimportant passwords for web sites I just generate using a little perl script like this. I type in the name of the web site, along with a generic password, and it tells me a unique password to use for that site. It's just a little more convenient than the encryption method, because sometimes I'm on machines that don't have gnupg.
      #!/usr/bin/perl
      # Derive a per-site password from a fixed salt, a master password and the
      # site name: characters 3-8 of base64(SHA1(salt . master . site)).

      use strict;
      use warnings;

      use Digest::SHA1;    # Digest::SHA (a core module) exports the same sha1_base64
      use Term::ReadKey;

      my $x = "ldkjh897gydfdf8n"; # <--change this for your own use !!!!

      print "Web site: ";
      my $w = <STDIN>;
      chomp $w;

      # Read the master password one key at a time with echo off, printing a dot per key.
      my $k = '';
      print "Password: ";
      ReadMode('cbreak');
      for (;;) {
          my $c = ReadKey(0);
          last if $c eq "\n" or $c eq "\r";
          print ".";
          $k .= $c;
      }
      ReadMode('normal');
      print "\n";

      # The following hash should be changed to the SHA1 hash of the $k you actually use,
      # so that a mistyped master password is caught instead of silently yielding a wrong result:
      if (Digest::SHA1::sha1_base64($k) ne '1ZVGbjjZTqvja1aSJuVt4IYw8Ng') {
          die "Incorrect password.\n";
      }

      my $t = "$x$k$w";
      my $p = Digest::SHA1::sha1_base64($t);
      # Keep only the 3rd through 8th characters of the base64 digest as the site password.
      $p =~ m/^..(......)../;
      $p = $1;
      print "$p\n";
    54. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      certifications are 100% worthless.

      I want someone in charge of setting IT security policies that knows nothing about IT and everything about security.

      someone that knows how to keep documents secure at a location would know that using the SSN and putting it in the username is completely stupid.

      but corporations will not pay the $250-300K a year that a good security manager would demand.

      but they will pay that to a worthless upper manager that has no skills other than kissing ass and having others make him look good by doing his work.

    55. Re:I only have 2 passwords by Anonymous Coward · · Score: 0
      I'm the reverse, I have a handful of secure passwords I use for financial and other personal information.

      Everything work-related is under one password, that I can hand over on a sticky note if I leave.

    56. Re:I only have 2 passwords by unother · · Score: 1

      I've always thought we had particularly evil network admins here...

      Don't worry. They're evil everywhere...

    57. Re:I only have 2 passwords by baadfood · · Score: 3, Insightful
      See, it's twits like fubar1971 that demonstrate why we are in this situation.

      The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.

      I'll say this in capital letters so you get it this time.

      CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

      And if you arsehole IT fucks can't get your brains around that, and design a system that recognises that fact, then you should really get a job shovelling manure or something.

      If you really think that something is easy, merely because it's easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.

      Rather than cursing the l-users, get off your fat arse, and start doing your job - provide them with the tools to do their jobs.

    58. Re:I only have 2 passwords by dbacher · · Score: 1

      When a password is compromised, it allows corporate assets to be accessed.

      There are two things that they put this restriction in place for.

      One is because once a hacker gains access to a system, you don't want the hacker to have access to it indefinitely.

      The other is that users tend to use a single password for every system, and in some cases databases or memory dumps have to be sent to software vendors or, worse, open source groups for diagnosis.

      These databases or dumps could contain sensitive data such as passwords, etc. and if someone finds a dump in google from 10 years ago, or if the company/group you sent your database or dump to doesn't dispose of the data in a secure way (or even if they just don't store it in a secure way) then at least it's likely that they have a dated copy of the passwords that they can't use to access current systems.

      If you want to complain, the real problem is that companies don't require ISV's to secure the passwords adequately in the databases they are stored in. If the passwords were secure in the databases in the first place, then it wouldn't be as big of a deal.

      Providing the capability to view an access log also helps a lot. This needs to be viewable by users and not just the admin, but only for themselves. If you're out sick or whatever, you're a lot more likely to notice an unauthorized access in a log than your boss or a security admin would be.

      The big issue I have is the requirement for things like at least one upper and one lower case letter, at least one number, at least one of "$_.!". I would rather see a test that looked for dictionary attacks, etc. because each requirement like this excludes billions of possible combinations that the hacker has to try.

      --
      If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
    59. Re:I only have 2 passwords by krgallagher · · Score: 1
      "2 passwords, none of them are words, easy to remember."

      Yeah I have several. None are words. All include letters and numbers or special characters. They are all easy enough for me to remember. I use them according to the level of security I think I need for that system. As time goes by I add new ones and drop the older ones with everything moving down the security scale when I do.

      My last job had me on a two month password cycle with no repeats. In no time I had run out of imaginative passwords. That is part of how I remember them, I think they are clever. I used to dread the "Your password will expire in 5 days" message. I would spend the next few days trying to come up with something I could remember and would not mind giving up in two months.

      Finally the day came that I forgot a password and had to call IT. The IT person reset my password to "password" and then the system would not let me change it again for 24 hours. That was when I stopped caring.

      --

      Insert Generic Sig Here:

    60. Re:I only have 2 passwords by golgotha007 · · Score: 1

      When I was a sysop for a BBS sometime around 1984, I decided to do a little experiment.

      I randomly picked a username and password from my system, and then tried to use it on another local BBS. Sure enough, I logged in flawlessly. Unethical? yes, but I was only 14 at the time.

      However, I did learn something valuable! You should always have a different password for every single service you belong to.

      But how can you do that without having a ton of passwords to remember?

      Here's what I do: commit to memory some random letters, numbers and maybe a special character.
      Then, every site you connect to, attach the first two letters of the service to the front of the password.

      For example, if I chose hik#57, then my Slashdot password would be slhik#57 and my Yahoo password would be yahik#57.

      Better security than only using one password for everything, with the added bonus of only having to remember a single password.

    61. Re:I only have 2 passwords by networkBoy · · Score: 1

      I have 4 passwords committed to memory at any given time.
      1) Super generic insecure(i.e.: slashdot) non-word password
      2) Super generic semisecure (i.e. server stores pwd in one way hash and I don't have any critical info) password
      3) Secure work password
      4) personal life key. This one is a pwd to a pgp volume and is 2048 bits worth of non-dictionary entropy (it is significantly longer though). The PGP volume is only 10 megs and is a lookup table for all other secure passwords. It is backed up monthly to a security box at my bank.

      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    62. Re:I only have 2 passwords by ifoxtrot · · Score: 4, Insightful
      That is why my organisation has implemented password policies that require at least 8 characters, at least 1 uppercase letter, 1 number, and one special character, or it will not let you change it, and will lock out your account. We then run security audits to ferret out the l-users like you that make them too simple. If we find a password that is too simple, or easy to crack, we force you to change it. If you do not, then your account will be locked out.

      When I read this, I seriously started thinking this was great sarcasm.
      Unfortunately I've since changed my mind.

      There has been a lot of research in the area of password usability; here is a short summary:
      Fact 1: human memory is fallible
      Fact 2: people cannot forget on demand
      Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
      Fact 4: items in human memory interfere with each other making 100% recall very hard
      Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
      Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down

      CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.

    63. Re:I only have 2 passwords by rustl · · Score: 1

      And you're surprised? I bet they have all sorts of certifications, like A+ and MCSE, but no Real World experience.

      I would say that they are getting Real World experience, but they are just not learning from it.

    64. Re:I only have 2 passwords by Cro+Magnon · · Score: 1

      I once worked on a system that wouldn't let you change your password more than once in 3 days. Which means that if anyone discovered your password right after you changed it, you were screwed for 3 days.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    65. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      Did you ever get to fuck her? : )

    66. Re:I only have 2 passwords by ugauaauag · · Score: 1

      I have found that this program helps me. I keep scrolling through until I find one that strikes my fancy.

      Java Password Generator

    67. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      Dude, you're a grade A asshole.

    68. Re:I only have 2 passwords by ydrol · · Score: 1

      CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

      And if you arsehole IT fucks can't get your brains around that, and design a system that recognises that fact, then you should really get a job shovelling manure or something.


      Bingo. They totally disregard the different types of memory the human brain has. Just as your ultra secure password is about to make that leap into your long term memory - you have to change it. So even clever people will end up writing them down or reducing them to simple sequences because regularly changing passwords goes against how the human brain works. If you must change passwords constantly then issue everyone with SecureID+Pin (And please don't make them change their pin all the time!)

    69. Re:I only have 2 passwords by fubar1971 · · Score: 1

      I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.

      And 4 character passwords that never expire of your wife/child/pet name or initials is better. How about picking a plain word out of the dictionary, like say 'password'. Insecure passwords, post-it notes, what's the difference. You have to pick one evil or the other. I choose to try and have secure passwords. Apparently you have never been involved in a security breach that occurred from the direct result of password hacking. At least if I have policies in place, I can not get in the sh*t again. Trust me upper management will come down on IT when a breach occurs, and they usually come down a lot harder on IT than the l-user that had his kids name for his password.

      (Yes that is the voice of experience speaking, I used to believe like you, make it easier for the l-users to do their jobs. Unfortunately, I was burned on this particular topic. I have since left that employer, but I also have the motto fool me once shame on you, fool me twice shame on me.)

      At least by having complex passwords that expire and must change (Notice I did not say random characters, I prefer to have pass phrases, and instead of spaces, I recommend special characters, for example insecure-passwords&suck1), clean desk policy, security policies, and security training, for all my l-users my arse is now protected. Now someone has to try and bruteforce a password which would take an extremely long time, find a security exploit, or (IMHO the easiest way) social engineer the user.

      If they social engineer the employee or find the post-it note, then that employee is now in trouble and not IT. Not only is your IT staff trying to protect the organisation's information assets, but they are also looking out for their arse as well. Hmmm let me think, make it easy for the users or protect my job so I can continue to support my wife/children/parents/coke habit/etc.

    70. Re:I only have 2 passwords by edgezone · · Score: 1

      I have a similar variation. Except I use a 6 character string with a few symbols and numbers, but try to make it easy to remember, like:
      silly1 --> $i!!Y1
      Then I pick a place where to put in a 2 character site identifier.
      so something like:
      CitiBank --> $i!!cbY1
      HotMail --> $i!!hmY1
      SlashDot --> $i!!sdY1

      So someone first needs to crack 2 of them, then know what accounts I have and the logins all within the 4-6 months between password changes...at which point I come up with a new 6 character key, and a new location within them to put the 2 characters.

      I've given this advice to a lot of less tech savvy people and they seem to be able to do ok with it. Given, they don't change passwords as often as me, and typically put the 2 characters at the beginning or ending, but at least they end up with a more secure password than "mydogspot99"

      --
      -- If you can't laugh at yourself, someone else will do it for you.
    71. Re:I only have 2 passwords by vsprintf · · Score: 1

      Normally, I'd steer clear of a smoking response like that, but I have to agree with much it.

      The password rules at work have become so restrictive that everyone now has their passwords written down in easily found places, and it has become a running joke.

      The rules require upper- and lower-case alpha, numerics, and punctuation or special characters. The password may not contain a dictionary word, so 5cow_iza-bote is not allowed because cow is a word. If it was allowed, you would not be allowed to use 5cow, bote, or iza in any subsequent password for 18 months.

      I used to use misspelled words with numeric prepends for passwords, and as far as I know, they were never guessed in the decades I used them. Now it's just a matter of carrying around a list of passwords. Some security.

    72. Re:I only have 2 passwords by fubar1971 · · Score: 1

      CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

      Try looking at ifoxtrot's post below users. He made fine arguments trying to persuade me to see their view.

      Unlike you, who just proved to me that you are the type of l-user that causes me to have to implement those policies to protect the organisation. Not to mention l-users like you are the ones that make me rant like I do in the post above.

      Let me put it in caps for you to understand:

      WE HAVE TO PROTECT THE ASSETS FROM L-USERS' INABILITY TO THINK THAT USING THEIR KIDS' NAMES IS SECURE.

      L-users need to understand that security starts with them, not the IT department. If l-users could be trusted to have secure passwords, then the IT department would not have to implement password policies. Just like the IT department would not need to lock down workstations (which by the way I do not believe in and do not practice) to protect l-users from fubaring their PCs. Another example is like when the IT department denies certain attachment types in via email due to viruses being deployed from l-users opening unknown/untrusted/unexpected email. The IT department is just doing its job.

      Unfortunately they can not implement policies for the ones that don't get it (like you) and not others (like ifoxtrot). That would open the organisation up to another whole set of problems.

    73. Re:I only have 2 passwords by arminw · · Score: 1

      I have over 15 passwords, but they are all encrypted under my laptop keychain which requires one encrypted password to unlock. For many servers and websites, the keychain automatically supplies the correct password, for some, I have to look them up in the unlocked keychain window and then type them in.

      If someone wanted to install a keystroke logger on the laptop or if it got stolen, they'd have to know the admin password. If they would boot the computer from an outside disk or CD they could get into the computer and change the admin password, but they would not be able to unlock the keychain with it.

      I think that Apple's arrangement for security and ease of use is better than many of the "secure" but inconvenient password management schemes commonly available. This way I only had to come up with one good, memorable, impossible or at least impractical to crack password.

      --
      All theory is gray
    74. Re:I only have 2 passwords by Theatetus · · Score: 1
      I used the names of some of my DND characters. Not in any dictionary, not spelled phonetically, but the way I liked to spell them. Unforgettable and unguessable.

      Umm... unguessable except by the people you play D&D with...

      --
      All's true that is mistrusted
    75. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      Reusing passwords isn't a good idea. One of the oldest social engineering tricks out there is to match up people between two sites & see who dupes their passwords.

      If you're going to do this, make it complex & write it on a card in your wallet. At least I hope you take more care of your wallet than your password :P

    76. Re:I only have 2 passwords by fubar1971 · · Score: 1

      If you must change passwords constantly then issue everyone with SecureID+Pin

      Not every organisation can afford to implement SecureID.

      They totally disregard the different types of memory the human brain has...

      Apparently you have a sh*ty IT staff. Complex passwords can be done if implemented correctly. You must at a minimum provide the l-users proper security training, and improve the customer service skills of the IT department so that the l-users don't feel bad/mad/stupid/etc. for calling for help. I make the passwords complex, and it definitely seems to work. I also make sure that I stress to my l-users that there is no shame in forgetting it, and that they will never be chastised for calling to have it reset.

    77. Re:I only have 2 passwords by fubar1971 · · Score: 1

      d00d, coming from an AC, that's a compliment. Try logging in, or is that 2 complicated for U.

    78. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      Can you switch back to the previous month's password, or do they keep track of every password you have every created?

      Since you need 2 passwords, I suspect these are different lists. So you could also just swap passwords.

    79. Re:I only have 2 passwords by MichaelSmith · · Score: 1
      Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

      I am sure they realise it. But now if your password is cracked it will be your fault, not theirs, so their real problem (liability) is solved.

    80. Re:I only have 2 passwords by ifoxtrot · · Score: 1
      At least if I have policies in place, I can not get in the sh*t again.

      Actually if you haven't read it yet, I would highly recommend you read the FIPSPUB112 since it is a federal policy guideline (and no it doesn't advocate using "password" or a 4 digit pin as your secret...)
      The point is that you need to have the buy in from the top - which is what this policy describes. It sounds as though you were made a scapegoat (and I do sympathise) by someone who didn't know or do their job properly.

      At least by having complex passwords that expire and must change (Notice I did not say random characters, I prefer to have pass phrases, and instead of spaces, I recommend special characters, for example insecure-passwords&suck1), clean desk policy, security policies, and security training, for all my l-users my arse is now protected. Now someone has to try and bruteforce a password which would take an extremely long time, find a security exploit, or (IMHO the easiest way) social engineer the user.

      While I do understand why you have this attitude, I reiterate that this is not actually improving your security - it's improving your cya (cover your a**).
      I agree that social engineering is the easiest way to get the password, and ironically the 'draconian' approach to password management you advocate makes it easier to exploit this by fostering a culture in which people expect problems with their passwords. So in a sense you are making what most serious attackers would choose as the most effective 'hack' even more likely to succeed - ironic no?

      I think I should also make myself a bit clearer, I'm not saying we need simple passwords that any cracker can break (which is obviously insecure), but I am saying that, for example, forcing people to change their passwords too regularly can cause problems (and it does depend on your users!). Most IT admin staff can happily cope with changing their passwords every month (and even then I expect many just increment the end of their password... anyway..), most non IT literate people can't cope. I'm not sure why, but passwords are scary things - on par with usernames I might add - which make the magic box allow them to do their work. They don't understand, or care, about why it's necessary for it to be hard to guess - only that it's a pain in the a**.
      Educating the users (as opposed to only training them) is the only way of defeating this and one of the hardest problems to solve in computer security (IMHO). Educating bosses and management comes a close second...

    81. Re:I only have 2 passwords by w9wi · · Score: 1
      Lucky.

      I have numerous passwords imposed from outside. Let's see:

      • Root on two Linux boxes
      • Administrative accounts on the above boxes (for when work requires more permission than an ordinary user but doesn't require root. Several other people share responsibility for these accounts.)
      • My regular user account on these systems.
      • Corporate domain account, into which I must login to access the machine on my desk
      • Local administrator password on Windows XP desktops, necessary as I'm responsible for occasionally installing software. Corporate changes this every 60 days, but sometimes it doesn't work so you're never too sure when you may need to use an old password - and which one
      • Four additional server systems, administered by various vendors and each requiring its own password.
      • My machine at home
      • My Earthlink account password
      • My ATM PIN code
      • etc.....


      Point is, many users don't have only one set of passwords to remember - they have many. Some at work, some at home.

      Demanding regular changes to securely-chosen passwords is simply not humanly possible. If you were to steal my wallet, you'd find at least three of my passwords... (no, not my ATM PIN!)

    82. Re:I only have 2 passwords by John+Courtland · · Score: 1

      Go for 8, simply because the difference in brute force cracking time between 6 to 8 chars is (on current hardware) a few hours to ~ a million-ish years.

      --
      Slashdot is proof that Sturgeon's Law applies to mankind.
    83. Re:I only have 2 passwords by techno-vampire · · Score: 1

      That would be an issue only if I ever played with people at work. In my case, I not only didn't, I'd stopped playing because my various gaming groups had broken up. It worked well for me, but might not be right for everybody.

      --
      Good, inexpensive web hosting
    84. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      At my job, I have 100 different usernames and passwords for different applications, each needing to be changed every 30 days to something not even remotely close to what I used in the last YEAR.

      Guess what? I have a plain text file with all the info. It's horrible, I wish I didn't have to do it, but you give up after a while.

    85. Re:I only have 2 passwords by sageman · · Score: 1

      I change my user passwords to my system about every 2-3 weeks. Nice little perl script passook makes pronounceable nonsense alphanumeric passwords. Really cool. For other data that I don't really care too much about, I just have a number of passwords.

      --
      --- "To iterate is human, to recurse divine." -- Robert Heller
    86. Re:I only have 2 passwords by ricotest · · Score: 1

      I have a standard password suffix, then add a unique word (related to the site or service in question) before it. That way, none of my passwords are identical but I can remember them all.

      Example: your password suffix is 'rabbit', your slashdot password is 'nerdrabbit' or 'slashrabbit', gmail could be 'gmailrabbit' etc. Simply pick the first word that comes to your head as a prefix, that way chances are if you forget what the word is you can rely on it being the first one you think of.

    87. Re:I only have 2 passwords by thomasdelbert · · Score: 1


      Flamebait, but I'll bite.

      The password policy for my client site is every 180 days, which is reasonable. The difficulty with having to change too often is that I have to access dozens of different applications that each have their own password protection - my PC, unix, the intranet, all the AS/400 machines, the build repository, the source control, my lotus notes, the list goes on. Some items I access frequently, others I do not. When the passwords have to change frequently, they are likely to become more and more out of synch. If I have to guess which passwords I have changed and how many password cycles ago I changed them, I may run out of guesses before my account is locked out. If my account gets locked out, I have to change the password again, to something different, which puts the passwords even farther out of synch, which makes me guess more often.... it's a vicious cycle.

      Yes, every 60 days is too freaking hard, even for intelligent people.

      - Thomas;

      --
      ___ This sig is in boldface to emphasize its importance!
    88. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      I'm with you dude.

      If you have problems changing passwords every 60 days then you should be compensated for your trouble, and realize that it DOES help and that we care that you care, and if there is anything we IT dipshits can do to ease your pain, outside of sexual gratification, we will do it.

      I love my users. They are the reason I have a job.

      BTW: A job for me means stripper sex, alcohol and long sodden weekends that shouldn't end on Monday.

      What does it mean for you?

    89. Re:I only have 2 passwords by nfk · · Score: 1

      Yes, this provided absolutely no security. Yes, I worked for this IT staff, so when I tell you they actually thought nobody else thought of this novel way of working around their stupidity (and that they thought they weren't stupid) you can be assured I'm correct.

      Are you sure you weren't fired just because you couldn't express your thoughts coherently?

    90. Re:I only have 2 passwords by Anonymous Coward · · Score: 0

      Sounds like it is Comcast IT department.

      they are the largest bunch of bumbling idiots I have EVER met in IT.

      and they refuse to take advice, if they did not think of it they will not listen to you.

      They usually have a virus run rampant in their network at least 3 times a year.

    91. Re:I only have 2 passwords by Justice8096 · · Score: 1

      I've always wondered how people think that reducing one of the characters in your password to 1-out-of-28 characters (punctuation) plus reducing one of the characters to 1-out-of-26 (Capital Letters) plus reducing another of your characters to 1-out-of-10 (numbers) increases your password security. And if you say that you remove all of the "easily hacked" values that just means I can remove all of the dictionary entries from the possible values... And common names... It seems to me that the more secure you say your system is, the more possible combinations you have removed, so the easier it is for me to hack it.
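
The keyspace arithmetic behind the 6-versus-8-character comparison in post 82 and the composition-rule argument in post 91, as an added example that is not from the thread: it counts passwords over a 94-character printable alphabet with and without an "at least one of each class" rule, also computes the count that the fixed-position reading in post 91 gives, and turns a count into exhaustive-search time at an assumed guess rate. The class sizes and the guess rate are assumptions, not figures from the thread.

```python
"""Keyspace arithmetic for password length and composition rules.

Added example (not from the thread). It assumes a 94-character printable
ASCII alphabet split into four classes, counts how many passwords of a
given length contain at least one character from each required class, and
converts a count into exhaustive-search time at an assumed guess rate.
"""
import math
from itertools import combinations
from typing import Iterable

# Assumed class sizes for printable ASCII: 26 + 26 + 10 + 32 = 94.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "punct": 32}
ALPHABET = sum(CLASSES.values())


def unrestricted(length: int) -> int:
    """Every string of `length` characters over the full alphabet."""
    return ALPHABET ** length


def with_required_classes(length: int, required: Iterable[str]) -> int:
    """Strings of `length` that contain at least one character from each
    class in `required`, by inclusion-exclusion over the classes left out."""
    req = list(required)
    total = 0
    for k in range(len(req) + 1):
        for left_out in combinations(req, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in left_out)
            total += (-1) ** k * remaining ** length
    return total


def fixed_position_model(length: int, required: Iterable[str]) -> int:
    """The much smaller count obtained if one reads the policy as pinning
    one specific position to each required class ('1 out of 32' here,
    '1 out of 10' there) and leaving the other positions unrestricted."""
    req = list(required)
    count = 1
    for c in req:
        count *= CLASSES[c]
    return count * ALPHABET ** (length - len(req))


def bits_lost(length: int, required: Iterable[str]) -> float:
    """Entropy (bits) removed by the at-least-one-of-each rule relative to
    the unrestricted keyspace of the same length."""
    return math.log2(unrestricted(length) / with_required_classes(length, required))


def seconds_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return count / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second; substitute your own estimate
    for n in (6, 8, 12):
        full = unrestricted(n)
        ruled = with_required_classes(n, CLASSES)
        days = seconds_to_exhaust(full, rate) / 86400
        print(f"length {n}: full={full:.3e} all-four-classes={ruled:.3e} "
              f"bits lost={bits_lost(n, CLASSES):.2f} "
              f"exhaust(full)={days:.1f} days at {rate:.0e}/s")
```

Going from 6 to 8 characters multiplies the unrestricted keyspace by exactly 94 squared, and requiring all four classes at length 8 keeps a little under half of it (about 1.1 bits lost), whereas the fixed-position reading in post 91 discards far more than the rule actually does.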

    92. Re:I only have 2 passwords by CrackerJack9 · · Score: 1

      I don't see how so many people are overlooking this...the system of changing passwords isn't causing a lack of security--the slacker's way around the system is. On my network at home I change my passwords once a month to avoid being brute-forced (even though I'd see it happening anyway), and don't require passwords to be different; HOWEVER, I use my own brain and imagination to change them anyway - since not doing so would be futile. This way I do not compromise the system's security--and I don't blame the system for my own lack of imagination either...

    93. Re:I only have 2 passwords by CrackerJack9 · · Score: 1

      The time something stays in your short-term memory is less than a minute. Read a book.

      After I type my new spiffy password a few times my mind and muscles (fingers) can memorize it, which is only reinforced every time I log in after that. This takes about a minute to go from short-term to long-term. Once it's in long-term it is there forever, you just have to know how to retrieve it. Don't blame the policy or the IT people, your IQ is too low.

      If you take 60 days to get something into your long-term memory then you have some serious problems.
      Grow a brain, use that elusive imagination, or just get an IQ.

    94. Re:I only have 2 passwords by Sentry21 · · Score: 1

      UNLESS they make you change them all in 6 weeks. How would you handle it then?

      I'd quit.

    95. Re:I only have 2 passwords by Abel29A · · Score: 1

      My online bank has a similar idea. Whenever I request a new certificate to install on a computer they send an sms to my cell phone. That way I get a unique password whenever I install a certificate. This means anybody who wants to enter my bank account must either have access to my cell phone or a computer with my certificate installed (which is my home computer) - in addition to guessing/cracking my PIN of course. This extra layer of security is non-obtrusive and convenient, and it doesn't require me to remember an extra password. It could be a pain if you constantly use public terminals and only install one-session certificates, but I doubt many people do that with their bank account.

      --
      "If Pac-Man affected us as kids, we'd be running around in dark rooms, munching pills and listening to electronic music"
    96. Re:I only have 2 passwords by devilspgd · · Score: 1

      Usually a quick call to IT will get your account set to require an immediate password change.

      However, three quick calls to IT (to wipe out the cache of 3 most recently used passwords) would probably raise some flags.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    97. Re:I only have 2 passwords by devilspgd · · Score: 1

      Why not use a strong password plus the number of the month?

      So they force you to change your password, fine -- Why use the same simple word (+date) over and over, why not use a strong password (+date) over and over?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    98. Re:I only have 2 passwords by ydrol · · Score: 1

      The time something stays in your short-term memory is less than a minute. Read a book.

      I have read a book. OK, I admit, just articles.

      This takes about a minute to go from short-term to long-term. Once it's in long-term it is there forever

      Hmm! I was led to believe there was an intermediate stage between short term and long term memory, related to usage. E.g. on return from a long vacation, if you remember your password it's in your proper long term memory.

      Don't blame the policy or the IT people, your IQ is too low.

      That's nice.

      Grow a brain, use that elusive imagination, or just get an IQ

      OK. That's nice too. I'm sure you're a swell guy/gal in real life.

    99. Re:I only have 2 passwords by ydrol · · Score: 1

      This takes about a minute to go from short-term to long-term. Once it's in long-term it is there forever, you just have to know how to retrieve it.

      If I gave you a completely random sequence of say 10 characters to memorize by rote (i.e. without using any "memory techniques" other than "rote") then this will *I think* highlight the "other" area of memory besides short and (true) long term.

    100. Re:I only have 2 passwords by ydrol · · Score: 1

      Not every organisation can afford to implement SecureID.

      True.

      Apparently you have a sh*ty IT staff.

      No, our staff abandoned this and went for semi-permanent suitably complex passwords.

      Complex passwords can be done if implemented correctly.

      Agreed. Now how often does that happen? Bank websites often seem to be the worst. Their password mechanisms are often inferior to ecommerce websites! Many prohibit non-alphanumeric characters and set length limits at 8 characters.

    101. Re:I only have 2 passwords by CrackerJack9 · · Score: 1

      OK, I'll bite...but the average human can only remember 7 (mean) random characters...actually we learned that trick using cards that would have had values and suits...not sure how/if that changes things...but it was still an exercise of seeing what your short term memory throws out (happens immediately) and what makes it to long term (where it stays forever). So I'm still confused about what point you were trying to make?

      And since you obviously won't believe me about the time duration something is in Short term memory (30-45 seconds), I guess I was a little off...sorry about that.

      Gee, it must be so much better walking through life in ignorance and bitterness, aye?

    102. Re:I only have 2 passwords by Senzei · · Score: 1
      I've always thought we had particularly evil network admins here...

      Yeah, because stopping you from circumventing measures they put in place to protect the system is somehow evil. Learn to make strong passwords then you and the sysadmins will be happy.

      --
      Slashdot: Where anecdotes and generalizations can be freely substituted for facts, logic, or intelligence
    103. Re:I only have 2 passwords by ydrol · · Score: 1
      So I'm still confused about what point you were trying to make?

      I guess I wasn't making myself clear!

      And since you obviously won't believe me about the time duration something is in Short term memory (30-45 seconds) [wikipedia.org], I guess I was a little off...sorry about that.

      If you review my posts, I never once disputed (or even asserted) the duration of short term memory. Not once. So it's not obvious that I should think this. However there is a misunderstanding due to my incorrect use of terminology. I shall attempt to clarify...

      Short term memory is a matter of seconds. That is patently obvious. I was talking about the transition to permanent effortless recall from long term memory. (Although granted I left the qualifications off in earlier posts)

      My error was assuming there was a kind of middle ground. I.e. why do so many people forget their passwords after a vacation but can remember it after a weekend. I mistakenly assumed it was because there is a middle type of memory because, like others here who, ironically, argue against me, I thought Long Term memory generally meant "fairly permanent". And tried to reconcile this with experience.

      After reading a bit more my confusion is because Long term memory is from a minute or so to weeks or even years.

      In other words, LONG TERM MEMORY IS NOT BY DEFINITION PERMANENT and can be just minutes, hours, days or years

      I shouted that bit out because that is the essence of the point I was clumsily trying to make. Let that soak in, mix it with real life experience, and the point I was trying to make should I hope become clear.

      Anyway, as I'm clearly not a memory expert, my original point being, that just before the password, through recall/usage etc, gets past the stage where it can be remembered for days, months or years, the admins force users to change them. Users then think that they don't want to invest effort recalling clever passwords that will be redundant in days, so will start using, often insecure, sequences.

      It's not that users are too dumb to learn or use clever passwords, but they can't be bothered if it's going to change in a month's time.

      The error is mine for conveying it badly. My mistaken view of "mid-term" memory is actually "short" long-term memory (see shouting above)

      That's all I can say on it because if I haven't made it clear after this, I don't think any further attempts will be any better! Not always, but sometimes, it's good for the reader (for their own sake) to try and meet someone part of the way!

      Gee, it must be so much better walking through life in ignorance and bitterness, aye?

      Now this I don't understand - "Bitterness" ???

      Surely a bitter person is more likely to throw insults at people they don't know just because they are wrong or badly convey their point of view. It's very much related to the "bully mentality" IMO.

      Except some more spineless bullies find Internet forums and web forums a safe environment to practice their brand of "bitterness" from.

    104. Re:I only have 2 passwords by ydrol · · Score: 1
      short term memory throws out (happens immediately) and what makes it to long term (where it stays forever).

      Just in case my long reply is too long, my point is Long Term Memory may actually be just Days.

      So I shouldn't have been talking about short term memory but rather the frustration is passwords having to change faster than the period for which they can be usefully remembered. This of course differs for different people depending on their own personal makeup and how much they really care!

    105. Re:I only have 2 passwords by CrackerJack9 · · Score: 1

      ok, so your entire point is coming from experience?

      Coming from research (google, psych books) and the fact that I know people learning to be Dr's, and from speaking to people who really are Dr's, I know that long term memory is infinite. The questionable part is that of 'recall'. So I must refute Wikipedia for this one. I can 'forget' something, which is actually me losing track of how to retrieve it. The neurons haven't actually gone anywhere, but are merely lost (picture a messy file cabinet with poorly labeled folders and papers). This is where the problem is with people going on vacation or 'forgetting' their password.

      But that's not really what we're talking about either, since no matter how often you change your password, you can still forget it over a long period of non-use (read memory reinforcement). The fact that the SysAdmins are having people change their passwords every so often doesn't make them harder to remember, nor easier to remember. It's simply something else that you need to creatively create (think of a new one) and memorize (read type over and over again) however you want to. Usually people log onto their computers several times a day anyway, if they're secure at least, so it may take a day or two to completely commit the new password to memory. But if you work the next day, you should be able to retrieve it fairly easily...and easier each subsequent day (from continued usage). This means the day before you change it again you should have it stored in memory and easily accessible (the most it's ever been). This is true if you change it after 10 years or 2 weeks. So, truly I do not understand your point. Perhaps laziness is overcoming a security-minded way of thinking. Perhaps you want to bend the definitions to fit your argument.

      I'm not trying to be a bully, but ignorance doesn't have any real place in an intelligent conversation, online or otherwise. So toss your blame at the SysAdmins all you want, but it's really just your IQ (or lack thereof) that makes the situation difficult to bear - that was my point for the first post and all subsequent posts...thanks for playing.

    106. Re:I only have 2 passwords by ydrol · · Score: 1
      I'm not trying to be a bully, but ignorance doesn't have any real place in an intelligent conversation, online or otherwise. So toss your blame at the SysAdmins all you want, but it's really just your IQ (or lack thereof) that makes the situation difficult to bear - that was my point for the first post and all subsequent posts...thanks for playing.

      Well, judging by my last reply and yours I would assert that

      - You quote wikipedia on short term memory and it's right. I quote it on long term memory and it's suddenly wrong?

      - The whole issue regarding passwords is RECALL not retention. That's why they are passwords. And RECALL is clearly NOT permanent. Retention may well be - but "recall" is the crux of the matter - so saying you know researchers that know long term memory is permanent is IRRELEVANT to the discussion, but a good reflection on your character.

      - Like it or not, you continue to behave and respond like a childish bully and even when disputing this fact still cannot refrain from baseless insults over the matter.

    107. Re:I only have 2 passwords by CrackerJack9 · · Score: 1

      But the problem with recall is the person, not the fact that you have to recall something. Is that hard to understand? Yes, I am a childish bully...but I wouldn't want to sling baseless insults or anything.

      Wikipedia is not the end-all source. I quoted it because in regards to the particular point I was making it was correct to the best of my knowledge. From the Dr's and psychologists (some Dr's too) that I have spoken to personally, I can say that Wikipedia is incorrect in that specific regard. You prove my point yourself...it's a matter of recall, which is prone to human error (or low IQ). But then I guess if you type in bold and caps you have to be right, and especially if you repeat yourself three times in a row...then you don't need facts. I'm gonna say this because I have to, but it seems you live in a very small protected world? Perhaps it is time for you to take a mystical trip outdoors...

      And I never said recall was permanent, but you can argue the point I made in my last post if that makes you feel better about yourself. But then some may say that is childish. (BTW, judging someone's character when you can't even read their posts usually isn't a very accurate science)

    108. Re:I only have 2 passwords by nmx · · Score: 1

      Your "l337" suggestion doesn't work. Modern dictionary crackers know to search for this.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try."
  3. Just get rid of them... by danielrm26 · · Score: 3, Insightful

    Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

    Using SecureID or another similar solution is the "no-brainer" solution that today's users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most people's powers in this arena.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Just get rid of them... by Neil Watson · · Score: 2, Insightful

      Jane: 1111
      John: 0000

      If there is an easy way they will take it.

    2. Re:Just get rid of them... by Woogiemonger · · Score: 1

      Using SecureID or another similar solution is the "no-brainer" solution that today's users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most people's powers in this arena.

      Biometric identification is the way to go. No passwords. The only time you need administrative support is if you've been in a horrible accident and lost your eyes/fingers/vocal cords/etc.

    3. Re:Just get rid of them... by Anonymous Coward · · Score: 0

      You'd have to do the same if someone has stolen a copy of your finger prints off of, say, a mug. Or something.

    4. Re:Just get rid of them... by Anonymous Coward · · Score: 0
      ... is if you've been in a horrible accident ...

      ... or you have a cold. .. or your eyes are red from staying up late. ... or you got a sunburn. etc etc etc. Biometrics = feh.

    5. Re:Just get rid of them... by Desert Raven · · Score: 2, Funny

      Yeah, no kidding. A junior manager in a company I worked as IT manager for got all pissed off because I required minimum 8-char passwords, so he set it to FFFFFFFF.

      Imagine his surprise when he found himself locked out of the system the next morning. Seems he didn't know I ran a password cracker against the password database every morning. 'course, he also didn't know I had caller-id. It took him until mid-afternoon to finally get hold of me, and only then because he got off his fat butt to physically track me down.

      He tried to threaten me by saying he'd report me to the company owner. Seems he also didn't know that the company web proxy kept logs of all activity. :) Funny part was, he also didn't know that the company owner had a much better catalog of porn links than he did...

      I kinda miss that job.

    6. Re:Just get rid of them... by suso · · Score: 1

      Actually, wouldn't Jane have the 0 and John have the 1? ;-)

    7. Re:Just get rid of them... by Ckwop · · Score: 1

      Biometric identification is the way to go. No passwords. The only time you need administrative support is if you've been in a horrible accident and lost your eyes/fingers/vocal cords/etc.

      Biometrics are not secrets. I leave my finger prints everywhere.. I've had my eyes photographed many times.. everyone knows how tall I am.. a few girls know how big my penis is.. you get the picture..

      For security you need a secret but you also need something that is easy to change. Biometrics don't satisfy either of these constraints. Remember, there's a difference between identification and authentication.

      Simon.

    8. Re:Just get rid of them... by lanced · · Score: 0

      What do you mean not realistic? Where I work, security is a major concern, and we do have random passwords. On my first day, I was given a letter that had a random, unique password that was obviously not touched by human hands until it was handed to me. The password is random length, mixed upper, lower, numeric and it gets changed annually for everyone.

      Further, I cannot change it on my own. I need to call an administrator who runs the script that generates a new print out. My account becomes unusable until I get the printout.

      As for the printouts, policy requires that the print out is shredded (observer req.). If you get caught with a written password, your password is changed, and you may or may not be told what it is.

      This all may seem strict and unreasonable, but it really isn't that bad. Because the password is used in so many places, from logging-in first thing to filling out a time sheet at the end of the day, it really doesn't take long to memorize the password. After a week, it feels like second nature.

      Of course, your mileage may vary, depending on the type of stuff you are securing. We also have some systems that require a second physical key and/or biometric. Heck, we even have vaults, with spheres of isolation around them where no electronic system can be placed without being subject to the same scrutiny and restrictions as those in the vault -- you know, just in case someone wants to read the EM emissions.

    9. Re:Just get rid of them... by Kazoo the Clown · · Score: 1

      Yeah, and I'll wager a goodly portion of employees keep it on a post-it note stuck to the front of their monitor or under their keyboard.

      Get real-- one critical characteristic of a truly secure password is that no human being knows what it is. Any security system that is dependent on user behavior is seriously flawed.

    10. Re:Just get rid of them... by arminw · · Score: 1

      ...solution that todays users need...

      There are really only two ways, something you know (password) or something you have, or both together. Anyone who has ever lost a set of keys knows the something you have method will then lock you out. Security and ease of use have always been at loggerheads. Like a master key, a master password is a solution that is a good compromise of security and ease of use. Apple has such a system built into their OSX and I have a master password which unlocks all the other passwords.

      --
      All theory is gray
  4. As an admin... by 0racle · · Score: 5, Funny

    I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:As an admin... by Anonymous Coward · · Score: 0

      Those are the same people who put their housekey under the welcome mat. There's no hope for them.

    2. Re:As an admin... by maskedbishounen · · Score: 2, Funny

      Pfft.

      We all know "real" men just kick down the door after they lock themselves outside.

      And real geeks lock themselves inside. ;)

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    3. Re:As an admin... by vasqzr · · Score: 1

      Imagine the people who leave a house key under the doormat/porch/etc

    4. Re:As an admin... by Barlo_Mung_42 · · Score: 3, Funny

      I write mine on the yellow note paper taped to the pull out section above the top right drawer.
      I change it every week. This week it is 'Pencil'. Don't tell anyone though.

    5. Re:As an admin... by Lao-Tzu · · Score: 1

      Yeah, I'd like to claim my prize for being a real man, please. I left my keys inside my apartment, and it has a lock that doesn't require using the keys on the outside. Got home, figured out where my keys were, and kicked in the door to get them.

      Try explaining it to your landlord. "Uh... see... I was carrying this heavy box... and I unlocked the door, then backed into it. By golly, somehow it had closed, and I went crashing right through it expecting it to be open. Damn man, you need to get me a stronger door."

      I don't think he believed me, but it's the only bad incident I've had with him after years of paying rent, so he didn't question me. I never figured the door would be so easy to break.

    6. Re:As an admin... by fdiskne1 · · Score: 1

      I actually saw a user who wrote their password on a sticky note and stuck the note on the side/back of their monitor. You know the place, not the back of the monitor, but you have to be nearly behind it to see the sticky note. This would be bad enough, but they worked in a place open to the public for business and that side of the monitor faced her office door. I walked BY (not IN) her door and saw her password. Yes, I had a talk with her about password security.

      --
      But why is the rum gone?
    7. Re:As an admin... by krosz · · Score: 1

      Wargames! I get your reference, though it seems no one else does or you would have been modded higher. :-)

    8. Re:As an admin... by Anonymous Coward · · Score: 0

      Wargames! I get your reference, though it seems no one else does or you would have been modded higher. :-)

      I got it. In fact when I read the summary I came to the discussion just to search for "pencil" and see the obligatory Wargames discussion.

  5. Gadget by John Girouard · · Score: 0

    Didn't ThinkGeek used to sell a little keychain device that was built to keep track of these things? I was looking for this a couple days ago, and couldn't find it for the life of me.

  6. Known for quite some time... by Omniscientist · · Score: 3, Insightful

    No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.

    1. Re:Known for quite some time... by savagedome · · Score: 2, Funny

      There will always be that one person who will use their first name and last initial

      Yeah. Bunch of idiots. That's why I drop the last initial.

    2. Re:Known for quite some time... by Kehvarl · · Score: 0

      It's just as easy to rot13 the last letter of the first name, and the last initial, then tack a number onto the end of that.

    3. Re:Known for quite some time... by Anonymous Coward · · Score: 0

      You, sir, are both a thief and a murderer, for you have killed a baboon and stolen his face.

    4. Re:Known for quite some time... by oliverthered · · Score: 1

      Hey, that's what I do at work.
      It's not like there aren't a million other people who would just give you the info. ....I phoned up my previous employer yesterday to get my payroll information for the last couple of years, and they're going to stick it in the post to me without any requirement for ID. Now if this were a small company you'd say fair enough, but it's one of the largest holders of personal data in the UK and should be a little tighter with their security.

      --
      thank God the internet isn't a human right.
    5. Re:Known for quite some time... by Kehvarl · · Score: 0

      I can't tell if you're taking me seriously and calling me an idiot, or taking my comment as a joke... so I'm going to assume joke and call myself an idiot. And no, I don't actually use such a technique for my passwords.

    6. Re:Known for quite some time... by Anonymous Coward · · Score: 0

      "Social Engineering Specialist: because there is no patch for human stupidity"

    7. Re:Known for quite some time... by drakethegreat · · Score: 0

      Well honestly if companies do a better job getting the word out to pick secure passwords it would help. If you pick a good password it will never be brute forced because encryption can stay ahead enough that brute forcing will only work for smaller passwords no matter if it's next year or 20 years down the road. Maybe people should start by explaining it to the people they know and helping to make them aware.

  7. Special Characters != More Secure by Anonymous Coward · · Score: 3, Insightful

    I can't remember how many IT admins thought that requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice an 8 hour running brute force attack you really are not a good admin.

    1. Re:Special Characters != More Secure by jdunn14 · · Score: 2, Insightful

      Note that not all brute force attacks take place against the online system. Through a bug in some service, a poorly configured database, or a single compromised username (plus a privilege escalation) an attacker may be able to send the passwd (hopefully shadow) file to another machine where they can brute force at their leisure. Much smaller chance of detection this way.

      Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be many *times* longer when you increase the possible characters by 1, let alone a bunch of special characters. Of course, users tend to just append the characters, so brute forcing may take advantage of that, but at that point you're getting away from what a "brute force" attack implies.

    2. Re:Special Characters != More Secure by YetAnotherDave · · Score: 1

      Most of the pre-hashed tables for LANMAN passwords that I've seen are just the alphanumerics, so in that sense it can make a big difference (10 hours vs 10 minutes).

      The brute force attack is probably offline, so the admin wouldn't necessarily notice. If you have password caching enabled (most windows systems do) and local users have the local admin password (trivially breakable if they aren't given it) then if the domain admin ever logs into their system, a user can break the cached password hash locally, and then run amok through the network with the domain admin's password.

      Forcing a policy of disallowing cached passwords is a good start, but for laptops which may be disconnected from the network it's not really viable (and you could probably work around that anyway, after you break the local admin password)

    3. Re:Special Characters != More Secure by hackstraw · · Score: 1

      attacker may be able to send the passwd (hopefully shadow) file

      I stopped reading after that. If a computer system doesn't use shadow passwords by now, err, change or upgrade.

      Any root compromise is bad enough to assume that ALL accounts and passwords have also been compromised. It's too easy with sniffers, trojaned apps, or what have you to obtain a password. This is why I say that passwords are not secure at all, it's simply too easy to just give them to someone else.

    4. Re:Special Characters != More Secure by Azi Dahaka · · Score: 1

      The only problem is that using symbols generally makes it more difficult for users to memorize their passwords. A better way to increase brute-force time is to add one more character.

      8 characters results in a huge number, so I'll use 6 as an example. My results assume 62 characters in the no symbols set (letters + numbers) (26 * 2 + 10) and symbols provide an additional 32 characters. (Where I work, the admin tells everyone to use one of the symbols from the number keys, so 32 is far more than the 10 symbols users would choose here.)

      6 char, no symbols: 56.800.235.584 combinations
      6 char, symbols: 689.869.781.056
      7 char, no symbols: 3.521.614.606.208

      7 char without symbols has 5 times more combinations than 6 char with symbols.

      I'd rather go with a password they can remember, and if paranoid, increase the minimum length by a character. On the other hand, if a user voluntarily uses a symbol, I wouldn't complain. I just feel forcing the use of them makes the password more likely to be written down or forgotten.

    5. Re:Special Characters != More Secure by Darth_Burrito · · Score: 1

      What's really important is that the password draw from different kinds of characters. By including upper and lower case and numbers, you've already got significant potential for complexity.

      Also, whether or not symbols are harder to remember than capitalization and numbers is very much dependent on the person and password. Consider whether or not the following uses of symbols are at all unintuitive.

      WestWing@9
      Db,cfwu. (movie quote: Dogs barking, can't fly without umbrella.)
      wvl<WVL (Lesser of two Weevils)

    6. Re:Special Characters != More Secure by RzUpAnmsCwrds · · Score: 1

      An 8-char letters+numbers+ucase password is approximately as secure as an 11-char lowercase only password.

      I'd rather remember more lowercase letters, personally.

      Of course, if you want security, you should go with tolken-based authentication.
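
The combination counts in Azi Dahaka's post and the "8-char mixed is about an 11-char lowercase password" comparison above, worked through in Python. This is an added example, not code from any poster: the 32-symbol set is Azi Dahaka's assumption, and the "symbol appended at the end" model is a constructed illustration of jdunn14's remark that users tend to tack a symbol onto an otherwise alphanumeric password rather than mixing it in.

```python
import math

# Character-set sizes used in the posts above.
LETTERS_AND_DIGITS = 26 * 2 + 10   # 62: upper + lower + digits
LOWERCASE = 26
SYMBOLS = 32                       # assumption taken from Azi Dahaka's post


def keyspace(length, charset_size):
    """Number of distinct passwords of exactly `length` characters over the set."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """log2 of the keyspace: the number of bits an exhaustive search has to cover."""
    return length * math.log2(charset_size)


def equivalent_length(length, charset_size, target_charset_size):
    """Shortest length over `target_charset_size` whose keyspace is at least as large."""
    bits = entropy_bits(length, charset_size)
    return math.ceil(bits / math.log2(target_charset_size))


def appended_symbol_keyspace(length, base_size, symbol_count):
    """Keyspace when the user builds an alphanumeric password of length-1 and
    sticks one symbol on the end. The symbol's position is fixed, so this is far
    smaller than a genuine `length`-character password over the combined alphabet."""
    return keyspace(length - 1, base_size) * symbol_count


def brute_force_seconds(length, charset_size, guesses_per_second):
    """Worst-case time to walk the whole keyspace at a given offline guess rate."""
    return keyspace(length, charset_size) / guesses_per_second


if __name__ == "__main__":
    rows = [(6, LETTERS_AND_DIGITS, "6 char, no symbols"),
            (6, LETTERS_AND_DIGITS + SYMBOLS, "6 char, symbols"),
            (7, LETTERS_AND_DIGITS, "7 char, no symbols")]
    for length, size, label in rows:
        print(f"{label:20s} {keyspace(length, size):>20,d}  "
              f"{entropy_bits(length, size):5.1f} bits")
    print("8-char mixed case+digits is worth a lowercase-only length of",
          equivalent_length(8, LETTERS_AND_DIGITS, LOWERCASE))
    print("7 chars, one symbol appended:",
          f"{appended_symbol_keyspace(7, LETTERS_AND_DIGITS, SYMBOLS):,d}")
    print("7 chars, symbols mixed in:   ",
          f"{keyspace(7, LETTERS_AND_DIGITS + SYMBOLS):,d}")
    # Constructed rate: one billion guesses per second against an unsalted fast hash.
    print("8-char mixed, worst case at 1e9 guesses/s:",
          f"{brute_force_seconds(8, LETTERS_AND_DIGITS, 1e9) / 86400:.1f} days")
```

The appended-symbol model is the reason a "must contain a symbol" rule often buys less than the charset arithmetic suggests: a 7-character password made of six alphanumerics plus a trailing symbol has roughly 1.8 trillion possibilities, versus about 65 trillion if the symbol could sit anywhere and be any of the 94 characters.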

    7. Re:Special Characters != More Secure by Anonymous Coward · · Score: 1, Funny

      Tolken-based authentication?

      Is that where your smart-card device is a ring of power? Or where a hobbit is required to gain access?

    8. Re:Special Characters != More Secure by NaDrew · · Score: 1
      Of course, if you want security, you should go with tolken-based authentication.
      Oooh, I know this one! "Speak 'Friend' and enter"
      --
      Vista:XPSP2::ME:98SE
  8. If the required dongle is a note under your kb... by FreeUser · · Score: 4, Insightful

    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

    --
    The Future of Human Evolution: Autonomy
  9. Yes. by captnitro · · Score: 2, Insightful

    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.

    1. Re:Yes. by mphase · · Score: 1

      I was going to moderate this post but I think I'd rather respond. SARCASM YOU FOOL! The sentence you quote obviously implies that this is absolutely too much to ask.

    2. Re:Yes. by Omniscientist · · Score: 0

      It contains some sarcasm perhaps, but I think it's being serious. To protect the integrity and security of the company that you are working for, it is really not that much to ask for. And with proper training and time put in to make people do this, I think it can be done.

    3. Re:Yes. by Anonymous Coward · · Score: 0

      If only it were just seven different passwords. For most people it's more like 20 or 25 different ones.

    4. Re:Yes. by captnitro · · Score: 1

      Yah, I know. :) But I've actually heard it before, and even the different password mnemonics (memorize a sentence, use first letter from each) are too much. When entire pages can be written on "password strategy", it's gotten out of control.

      Computing's biggest hurdle in the coming years is going to be disappearing entirely. By which I mean, if computers really are a magical black box that makes our lives easier, then things like security shouldn't be taking up chunks of my life. They should take care of themselves. Just, nobody's sure how to do it yet.

    5. Re:Yes. by theshowmecanuck · · Score: 1

      I thought it was sarcasm at first too. But when it was part of a link on how to create a good 8 digit password, I wasn't sure.

      --
      -- I ignore anonymous replies to my comments and postings.
    6. Re:Yes. by Telastyn · · Score: 1

      Hell, most tech savvy [and security savvy] people I know won't deal with 7 separate passwords. If they do, it's because they've generated the passwords somehow, meaning that all of the passwords are compromised if someone figures out the pattern.

    7. Re:Yes. by blackomegax · · Score: 1

      yeh, any pattern on the numpad is uncrackable yet easy to guess... 159753852456 one x, one cross :-p

    8. Re:Yes. by araemo · · Score: 1

      "When entire pages can be written on "password strategy", it's gotten out of control."

      17 pages. Yes, 17. That's how many I had to read and sign that I understood before I could take my last HELPDESK job. And all users on the helpdesk were required to have 14 character passwords.

      And I do believe every new employee has to read that 17 page document, but normal employees were only required to have 7 character passwords.

    9. Re:Yes. by magefile · · Score: 1

      Yes, and those god damned car keys are so frickin' easy to lose! When will that be changed?

    10. Re:Yes. by DShard · · Score: 1

      It isn't too much to ask. It is too much to expect though.

      Security is not one of those "optional" things that a proper user interface will solve. This is why Windows is by default the most insecure OS out there on the net. You just can't make security convenient for the user, but not the hacker. Authentication just doesn't work that way. This is why identity theft is just so simple and devastating, you need to scarcely know anything about someone to accomplish it.

    11. Re:Yes. by Spudley · · Score: 2, Insightful

      Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

      Absolutely it is. Just like asking mom or dad to "just open the command line.."

      I've got to agree with you there. It is the non-techies that have the most problems with this, but how old is the internet culture among non-techies? Five years? Maybe less? The point is that until the internet made everything accessible from a single computer, you didn't need a dozen different passwords. Before that, the only people who needed to even think about the possibility of keeping multiple passwords were sys admins.

      The general public simply isn't comfortable yet either with passwords or computer security in general, and it'll probably take another ten years for it to truly get ingrained. In the meanwhile, the criminally inclined will continue to have an easy time of things.

      --
      (Spudley Strikes Again!)
  10. woa, thanks /. by xyeeyx · · Score: 0, Troll

    I almost forgot what a password was

  11. Change 'password'..... by Anonymous Coward · · Score: 2, Informative

    ... to 'passphrase'.

    Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.

    Putting in punctuation makes it harder to crack too. Although it still won't stop social engineering.

    1. Re:Change 'password'..... by Anonymous Coward · · Score: 0

      here is a good tip on making a good password, many of you probably already know of this...

      make up a stupid phrase, for example

      "I read slashdot"

      Then shift your hands one way or another, then touch type the phrase (no spaces of course). Now it looks like this...

      Otrsfd;sdjfpy

      Voila! You now have an excellent password that is easy to remember (as long as you can type).

    2. Re:Change 'password'..... by echocharlie · · Score: 1

      I also recommend this method to people. Of course, it requires that you're a touch typist. And as a side effect, you've eliminated a bunch of possible characters. In your particular shift, your password will never contain Q, A, Z, or 1. Still, it produces a pretty secure password.

    3. Re:Change 'password'..... by hdparm · · Score: 1

      Mod this post up, please! Not everybody can afford secure, hardware based ID technology but everybody needs to secure their systems - no matter how unimportant they are to the rest of the world.

    4. Re:Change 'password'..... by pthisis · · Score: 1

      Most of the password hacking programs have options to try w/ the left and/or right hands shifted 1 or more keys either way (and to use the qwerty row as the home row). I haven't seen any that try this for dvorak layouts yet.

      --
      rage, rage against the dying of the light
  12. My Password by Greenisus · · Score: 3, Funny

    My password is weu@$9JKcpw34.

    No one has ever guessed it.

    1. Re:My Password by Spudley · · Score: 4, Funny

      I use my dog's name as my password.

      My dog is called Pchg65Lb, but he changes his name every few weeks. :-D

      --
      (Spudley Strikes Again!)
    2. Re:My Password by aurb · · Score: 1

      Weee! Let us all reveal our passwords! Here's mine: *******

    3. Re:My Password by eln · · Score: 1

      My password is 12345. I use it because it's easy for me to remember, as it's also the combination to my luggage.

    4. Re:My Password by Feynman · · Score: 2, Funny

      Hey, that's mine, too!

    5. Re:My Password by Surt · · Score: 2, Funny

      That's a fairly large Picanese hybrid greyhound you've got there.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
    6. Re:My Password by tokul · · Score: 1

      > My password is weu@$9JKcpw34.

      Correction. This was your password.

    7. Re:My Password by Advocadus Diaboli · · Score: 1
      I use my dog's name as my password. My dog is called Pchg65Lb, but he changes his name every few weeks.

      Then your dog must have changed his name right today since I can't login as user "Spudley" with the password "Pchg65Lb"...

    8. Re:My Password by fdiskne1 · · Score: 1

      HEY! That's the same password I have on my luggage! That's AMAZING!

      --
      But why is the rum gone?
    9. Re:My Password by mre5565 · · Score: 1

      > I use my dog's name as my password.
      > My dog is called Pchg65Lb, but he changes his name every few weeks. :-D

      Seriously, I read this as

      P CHanGe 65 pounds

      the attacker would have to know:

      - you have a dog
      - you weigh your dog every few weeks
      - how much the dog weighs (which can vary quite a bit, depending on the type of dog).

      If one is a dog lover, I imagine recalling its weight would be easy.

      So this doesn't seem like a bad approach for generating an easy to remember, hard to guess, password.

  13. the way they do it at IU... by AxemRed · · Score: 1

    The password has to be 8 characters, letter and number combo, not in the dictionary, and no repeating patterns. On the plus side, it doesn't expire.

    1. Re:the way they do it at IU... by Anonymous Coward · · Score: 0

      $20 says that 50% of all passwords at IU are "p4ssw0rd".

    2. Re:the way they do it at IU... by Anonymous Coward · · Score: 0

      At IU they actually check for things like "p4ssw0rd" and they send you an e-mail alerting you that unless you change it within a given amount of time they will disable your account. They simply made a program that recognizes all characters that can be used as other characters, then used a normal dictionary checking password cracker.
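
The IU-style vetting described in AxemRed's post and the reply above (8 characters, letters and digits mixed, no dictionary words, no repeating patterns, with character substitutions undone before the dictionary lookup), as an added Python example. It is not IU's program or either poster's code; the substitution table and the tiny wordlist are constructed for the example, and a real deployment would load a full cracking dictionary and run the check at password-change time rather than against stored plaintext.

```python
import itertools
import re

# Constructed stand-in for a real cracking dictionary.
DICTIONARY = {"password", "slashdot", "welcome", "letmein", "purdue", "indiana"}

# Characters people use in place of letters. Ambiguous ones map to several
# letters; every reading is expanded so "1" is tried as "1", "i" and "l".
LEET = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "il", "!": "il", "|": "il", "0": "o", "5": "s", "$": "s",
    "7": "t", "+": "t", "2": "z",
}


def normalizations(password):
    """Yield every plain-letter reading of the password, lowercased.

    Each position contributes the character itself plus the letters it might be
    standing in for, so the result covers the original spelling as well.
    """
    options = []
    for ch in password.lower():
        options.append(tuple(dict.fromkeys(ch + LEET.get(ch, ""))))
    for combo in itertools.product(*options):
        yield "".join(combo)


def is_dictionary_word(password, wordlist=DICTIONARY):
    """True if the password, with substitutions undone, is a dictionary word."""
    return any(candidate in wordlist for candidate in normalizations(password))


def has_repeating_pattern(password):
    """True if the password is one unit repeated ('abababab', 'abcabcabc').

    A string is periodic exactly when it occurs in its own doubling at some
    offset strictly between 0 and its length.
    """
    doubled = password + password
    return len(password) > 1 and doubled.find(password, 1) < len(password)


def policy_violations(password, wordlist=DICTIONARY):
    """Return the list of rules the password breaks; empty means it is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must mix letters and digits")
    if has_repeating_pattern(password):
        problems.append("repeating pattern")
    if is_dictionary_word(password, wordlist):
        problems.append("dictionary word after undoing substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["p4ssw0rd", "P@$$w0rd", "12121212", "Xq7vMz2k"]:
        verdict = policy_violations(candidate) or ["ok"]
        print(f"{candidate:10s} -> {', '.join(verdict)}")
```

The expansion in `normalizations` grows as the product of the per-character option counts, which for the 8-character passwords this policy governs stays in the low thousands; a dictionary-based cracker does the same expansion in reverse, generating leet variants of each word, which is exactly why "p4ssw0rd" buys nothing over "password".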

    3. Re:the way they do it at IU... by lowe0 · · Score: 1

      ...whereas here at Purdue, it doesn't matter what your password is, because someone steals a list of them every other week, forcing you to change them.

    4. Re:the way they do it at IU... by Anonymous Coward · · Score: 0
      ...whereas here at Purdue, it doesn't matter what your password is, because someone steals a list of them every other week, forcing you to change them.

      No, all people ever steal from IU are social security numbers!
  14. Sticky Notes? by Mamoth · · Score: 1

    What? Sticky notes with passwords on them aren't secure? Who would have guessed!

    1. Re:Sticky Notes? by Anonymous Coward · · Score: 0

      I encrypt my stickies by crumpling them up first.

    2. Re:Sticky Notes? by Anonymous Coward · · Score: 0

      Depends where you stick them.

    3. Re:Sticky Notes? by glenstar · · Score: 1

      Spilling a whole cup of coffee on the post-it works as well.

  15. Biometrics by nightsweat · · Score: 1

    Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

    --
    the major advances in civilization are processes which all but wreck the societies in which they occur - A.N. White
    1. Re:Biometrics by scoser · · Score: 1

      Yeah, it is the wave of the future, but biometric scanners need to be worked on a lot more before they come into common/important use. Most commercial scanners tend to have a significant amount of false positives/negatives and some of them can be easily tricked using simple means.

    2. Re:Biometrics by wfberg · · Score: 3, Insightful

      Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

      Yeah. Unlike passwords, biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

      You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).

      Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

      (As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)

      --
      SCO employee? Check out the bounty
    3. Re:Biometrics by Jucius Maximus · · Score: 4, Insightful
      "Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

      There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

    4. Re:Biometrics by Ced_Ex · · Score: 1

      How is biometrics any better? Fingerprint recognition can be messed up if you cut your hand. Retinal scanning is messed up if you happen to develop a retinal tear or a bruised eye. Voice recognition is bungled up when you have laryngitis.

      Any security has a flaw because it has a hole in it. Even if you have only one hole which happens to be the authenticated user, who's to say that user is the authentic person?

      --
      Live forever, or die trying.
    5. Re:Biometrics by bitslinger_42 · · Score: 1

      In addition to the points of the previous poster, biometrics also introduce new risks. For example, while it is fairly easy to revoke a compromised password, revoking a finger is much more, how shall I say, painful. It also means that a determined attacker will now have to consider physical damage to the user (i.e. the eyeball from Minority Report).

    6. Re:Biometrics by Haydn+Fenton · · Score: 2, Insightful

      We will still need passwords even if we have biometrics.
      Fingers can be cut off (ok, new ones are supposed to detect if there's blood circulating), or you could leave your fingerprint on something, then someone comes along and takes it, wouldn't be too hard to make fake fingertips which you could use. Your retina 'metrics' would be harder to steal, maybe contact lenses, I dunno. But whatever technology we can come up with, crackers can find a way to break or exploit it. Biometrics by themselves are probably far more dangerous than having just passwords, imo at least.
      But.. a mix of things;
      something you are (biometrics),
      something you have (dongle),
      something you know (password)
      would be a much safer combination.

    7. Re:Biometrics by Locutus69 · · Score: 1

      I do agree with this. Perhaps the biometric would be some type of surgically embedded transmitting chip in the hand that authenticates the user by confirming that a specific DNA type and blood flow of some type are the correct type or pressure. This type of DNA verification would be required to be pre-programmed before surgical insertion into the subject. Then and only then would the chip sample the DNA and then fully activate. Once this chip authenticated that the user was indeed the person that it was supposed to be, a password phrase and standard 8 character password would then be used to complete the logon. However, this itself does indeed have its downfalls also. It is very likely that there will never be a "secure" method/schema for authentication of a user.

    8. Re:Biometrics by Anonymous Coward · · Score: 0

      Not necessarily true. Some readers are much harder to fool than optical print scanners. Swipe scanners actually read a print by reading the pattern of the electrical signals caused by the way the bumps in a fingerprint affect the electric field created by living tissue.

      They can not be fooled by simply replicating the image or bump pattern of a print. In fact, a severed finger will only continue to be recognized by the scanner for about 15 minutes.

      Back on the topic of passwords, I use spatial mnemonics and motor memory for my passwords. Once you are comfortable with the idea it is relatively easy to come up with some rather strong passwords that are pretty easy to remember.

    9. Re:Biometrics by Mr.+Slippery · · Score: 1
      Biometrics are the wave of the near future/present.

      Nah. Biometrics are the hype of the recent past/present.

      Biometrics are nothing but tokens with the originals securely attached to the user. They're vulnerable to spoofing and to loss, and just about impossible to repudiate when compromised.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    10. Re:Biometrics by narl · · Score: 1

      I've already heard about a case, in South Africa, I believe, where someone had biometric locks on their car.

      So the carjacker just cut off their hand and drove away.

      Great, just what I want.

    11. Re:Biometrics by Roogna · · Score: 2, Insightful

      Human guards better? I wouldn't count on it.
      Not to say biometrics are great, but humans aren't actually that hot at it.

      At one company I worked we had a security guard who was notoriously bad at remembering anybody. Seriously, the entire staff would discuss this fact. He saw all of us every single day, but damned if he seemed to be able to remember that fact. He also wasn't too hot at comparing IDs and more than once people on the staff would swap IDs just to test this theory. He always let them in.

      Plus, above and beyond people who are just bad at facial recognition... you still have the problem that passwords, biometrics, or even human guards with big guns can all be gotten by if the right person is handed a $10 bill. This fact hasn't changed since ancient times and despite all the technology we throw at it, never will.

    12. Re:Biometrics by Kazoo+the+Clown · · Score: 1

      There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

      Sure you can-- just record someone else's like was done to you, and use that...

    13. Re:Biometrics by Anonymous Coward · · Score: 1, Funny

      ... and the next day he woke up in a bathtub full of ice and his kidney was gone.

    14. Re:Biometrics by fred+fleenblat · · Score: 1

      something you are (biometrics)
      I find this part kind of scary. There are a lot of people out there who just would not hesitate to cut off your finger to get your fingerprint or cut out your eye to get the retina if that meant they could authenticate somewhere and get money for it. The last thing I want to do is participate in any authorization scheme that financially rewards criminals for mutilation.

    15. Re:Biometrics by Anonymous Coward · · Score: 0

      It's not impossible. I had to do it once, when I was on the run for future murder.

    16. Re:Biometrics by edp927 · · Score: 1

      Exactly. Hasn't everyone seen Charlie's Angels??

    17. Re:Biometrics by theLOUDroom · · Score: 1

      There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

      And then there's also the problem of leaving them on everything you touch.

      Fingerprint readers on PCs are hilarious because you've typically got tons of nice fingerprints all over the keyboard, mouse, display, etc.
      Biometrics SUCK because they are NOT PRIVATE and they are UNCHANGEABLE.
      The only thing they are good for is when people don't want to be identified.

      --
      Life is too short to proofread.
    18. Re:Biometrics by Anonymous Coward · · Score: 0

      Combine passwords and biometrics and you get something called keystroke dynamics.

      Biopassword

      Brilliant or hopelessly inaccurate?

    19. Re:Biometrics by bzipitidoo · · Score: 1
      Forget the fingerprints. What's needed is a brainwave scanner. Put on the cap with all the electrodes, think (about who knows what), and done.

      Now, someone could steal your brain and transplant it into their body. If that happens to me, I hope the thief has a good healthy handsome young body, to help out with this sweet mystery of life thing.

      "What was the name?"
      "Abby Normal"
      "You gave me a brain that's abnormal?!"

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  16. Picking a strong password.... by which+way+is+up · · Score: 2, Informative

    Here are some good techniques for picking a strong password. It helped me out. http://www.macosxhints.com/article.php?story=20040920120520528/

    1. Re:Picking a strong password.... by Anonymous Coward · · Score: 0

      That link just redirects to http://www.macosxhints.com/index.php .

  17. It's time... by Twisted64 · · Score: 1

    ...for biometrics to spread out a bit more. I want a retinal scanner! It protects data, and with any luck, saves my eyesight into the bargain!

    --
    Consciousness is a myth. Trust me.
    1. Re:It's time... by Anonymous Coward · · Score: 0

      Believe it or not...a retinal scanner is one of the weakest/most flawed forms of Biometrics. Try an Iris scanner instead.

  18. Stupid rules == stupider passwords by Anonymous Coward · · Score: 0

    The problem with stupid rules like chars+numbers is that people will still pick something easy to remember.... what movie is out now? "8 characters, needs numbers" oceans11 "8 characters, needs punctuation and numbers" oceans11

  19. Spaceballs Password by vivin · · Score: 3, Funny

    Best password/pin ever:

    [King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
    King Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    King Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    King Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    King Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    King Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

    --
    Vivin Suresh Paliath
    http://vivin.net

    I like
    1. Re:Spaceballs Password by root2 · · Score: 1

      Plus, of course, there's the scene moments later, when Dark Helmet tells President Skroob the password ....

      "Good heavens! That's the password I put on my luggage!"

  20. The SlashDot Password Guessin' Game by oexeo · · Score: 2, Funny

    (Disclaimer: Please don't play this game!)

    1) Take the following five passwords:

    - password
    - slashdot
    - 123456
    - password123
    - [Username]

    2) Attempt to login to as many slashdotters accounts as possible.

    3) Post incriminating/stupid/slanderous/troll comments on behalf of users you now 0wn.

    4) While the FBI are busy smashing down your door: Take a hammer to your hard-drive's platters, and run like a screaming idiot while you think about how stupid you were to follow my instructions.

    (Disclaimer: Please don't play this game!)

    P.S. If your password was listed above: Change it!

    1. Re:The SlashDot Password Guessin' Game by mchugh · · Score: 2, Funny

      One down! :)

      (Insert incriminating/stupid/slanderous/troll comments here. Not to mention Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments.)

      - notmchugh

    2. Re:The SlashDot Password Guessin' Game by magefile · · Score: 1

      Don't attempt to log in manually. Use pyCurl or something similar to automate it.

    3. Re:The SlashDot Password Guessin' Game by theLOUDroom · · Score: 1

      4) While the FBI are busy smashing down your door: Take a hammer to your hard-drive's platters, and run like a screaming idiot while you think about how stupid you were to follow my instructions.

      Somehow I don't think the FBI is going to give a shit about your slashdot account. Typically you need to be able to show thousands of dollars in damages before they'll do anything.

      They just don't have the resources to go after every violation.

      --
      Life is too short to proofread.
  21. I noticed that the article mentions... by gandell · · Score: 2, Insightful
    ...the Sarbanes-Oxley act. Many financial institutions required to follow these regulations also are liable for the FFIEC regs. I believe that the FFIEC regs. DO require alphanumeric, 8 digit passwords.

    Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.

    To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.

    --
    Mercy was given to me by Christ...I must give the same to others.
    1. Re:I noticed that the article mentions... by VE3ECM · · Score: 1

      The company I work for had to put in a new password policy in order to comply with Sarbanes-Oxley. They even pushed a global policy to the desktop making all workstations lock after 5 minutes of inactivity. 'Bout time.

    2. Re:I noticed that the article mentions... by the-banker · · Score: 1

      Sarbanes-Oxley is not banking legislation. It is reform of Corporate Governance and SEC reporting requirements, fraud, etc...and applies to any corporation. Gramm-Leach-Bliley was the banking/insurance/brokerage bill.

      That being said, as the article pointed out, the password requirements are not legislated, they are merely developed by consultants as a "show of controls". In other words, they are there so a company can say, "See - we try and protect our data from fraud."

      Also, the FDIC does not audit bank security. That duty falls to the Office of the Comptroller of the Currency and the Federal Reserve System.

      Every bank I have ever worked in uses an internal network for their transaction processing systems that is closed to the internet/public. In almost all cases, to compromise a bank network would mean:

      1. physical access to a machine on the tx network
      2. knowledge of the deposit systems used at that bank (most are custom in-house apps and not intuitive)
      3. knowledge of login information and passwords

      And even after all that there is a mile long audit trail. It's not like everything is on some linux box where you can delete the syslog. Bank security is had through its architecture, not through the number of characters in a password.

    3. Re:I noticed that the article mentions... by gandell · · Score: 1
      Also, the FDIC does not audit bank security. That duty falls to the Office of the Comptroller of the Currency and the Federal Reserve System.

      You're probably right about that. Nevertheless, whenever the FDIC audits the banks I have worked for, they always have recommendations regarding security.

      Every bank I have ever worked in uses an internal network for their transaction processing systems that is closed to the internet/public.

      I've had exactly the opposite experience. Many community banks here use Intercept's software such as BancPac. While it's true that the physical data line for transactions is not on the internet, the machines that perform said transactions ARE. And the data line is not encrypted. However, the data is not housed on a local Intercept server...it is sent to Atlanta, where the data is hidden from the net. Yes, it's fairly secure. But there are certain loopholes. You're right when you say that you'd have to have knowledge of the bank to get in, though...most of the banks I've worked with do not use wifi, so all access would have to be remote or directly at a workstation...not simply wardriving.

      --
      Mercy was given to me by Christ...I must give the same to others.
    4. Re:I noticed that the article mentions... by Greyfox · · Score: 1
      Hmm. How hard to distract watching parties long enough to slap a wifi bug into an open ethernet port? I thought a while back that it wouldn't be too hard to turn a modified zaurus into a wifi bug (You'd just need an ethernet slot and a wifi card.) Duct-tape it to the bottom of some desk somewhere and plug it in and it's unlikely that anyone would ever notice it was there, and you could just quietly watch network traffic and passwords and stuff until it came time to make your move.

      Of course, I'm not evil (Well, not THAT evil anyway) and don't have the energy to actually design the device, but it's a fun thought experiment isn't it?

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  22. Is it hard to make complex passwords? by Morgahastu · · Score: 1

    Yes.

    It is hard.

    When you work in an organization where you have 5-10 passwords for different applications such as the network domain (email), web apps, etc; each requiring complex passwords that expire every 3 months, it becomes VERY hard to keep track of all these passwords and think of something else to replace them all with.

    1. Re:Is it hard to make complex passwords? by Anonymous Coward · · Score: 0

      Is it hard to make complex passwords? -- Yes.

      Actually, no. It's actually very easy to make complex, unguessable passwords - just mash a bunch of keys on your keyboard. Or use a random number generator.

      It's just that it's just as easy to *forget* complex, unguessable passwords, especially if you don't use them every day.

    2. Re:Is it hard to make complex passwords? by gmuslera · · Score: 1

      The harder part is when you make a nice algorithm for generating complex and random passwords and get as a result one that coincides with your birth date plus your nephew's name, or take a phrase that is easy for you to remember but not for anyone else, i.e. "promise an anniversary so we own real dollars", take the initials of the words and realize that that was a very bad example. A safe way of generating passwords doesn't mean that it couldn't be trivial to brute-force that particular generated password.

    3. Re:Is it hard to make complex passwords? by Smertrios · · Score: 1

      Easiest thing to do is remember only one to get into the machine and then have a passphrase for an encrypted spreadsheet or a password safe application. This way you can make your passwords what ever it needs to be without memorizing them but still having them at your fingertips.

      --
      There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence.
    4. Re:Is it hard to make complex passwords? by Anonymous Coward · · Score: 0

      Here's one for you... the big problem with passwords is that most americans are not bilingual or multilingual (polyglots, if you prefer). I have found that it is incredibly easy to generate complex passwords by simply nesting two words in separate languages... for instance (using English and Spanish)... house/casa becomes:

      hcoaussae

      That's obviously an extremely simple one. It works better if you can mix several languages, but you get the idea. If Americans, like the rest of the world, COULD do this (most cannot, because they don't know a language other than English and their English is shaky to begin with), passwords wouldn't be so much of an issue - not only do you have to "guess the word I'm thinking of," you also have to "guess which languages I'm thinking of it in" AND "guess which order I'm using those languages in."

      The next step, of course, might be to incorporate your own street address number into the password... perhaps you live on 12345 ABC lane. Then the password might become...

      hc1oa2us3sa4e5

      Still easy to remember because YOUR house is at 12345 ABC lane. Impossible to defeat? No... nothing is impossible to defeat with a bruteforce attack. But it makes for very tough passwords AND they're passwords people can very easily remember (even if they are slow to type).

      Alternatively, I guess C++ geeks could use fprint and cout or something...

      --AC

    5. Re:Is it hard to make complex passwords? by _the_bascule · · Score: 1

      make me a password is a pretty good site for these password things.
      Though not always within password restrictions, you'll always get something eventually.

      --
      Our diversity is our strength
    6. Re:Is it hard to make complex passwords? by roye · · Score: 1

      On Linux (and Unix/OS X I assume) you can use a program called pwgen that generates random and pseudo-random passwords. Its default is to create semi-secure passwords that are phonetically pronounceable for English like bii9xaiS (bye nine sighs). It can also be set for high security passwords at a specified length.

    7. Re:Is it hard to make complex passwords? by lamber45 · · Score: 1
      That's makepasswd on debian. Or you could do something like
      perl -e 'open F,"/dev/urandom"; ' \
      -e 'read F,$_,5; ' \
      -e 'print substr(lc(pack("u",$_)),1),"\n"'
  23. Password Expired by Smallest · · Score: 1

    Are seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    yes. when you're forced to change them every 30 days, and you can't repeat any of the last five, you quickly run out of things you can easily remember early in the morning.

    --
    I have discovered a truly remarkable proof which this margin is too small to contain.
    1. Re:Password Expired by Anonymous Coward · · Score: 0

      yes. when you're forced to change them every 30 days, and you can't repeat any of the last five, you quickly run out of things you can easily remember early in the morning.

      we have a similar policy where i work, some people i know just append a number 1 through 6 to the end of their password and basically recycle their password every time they are forced to change it.

    2. Re:Password Expired by Parsec · · Score: 1

      500 employees = somewhat less than 500 lists of pets/family members + their birthdays.

    3. Re:Password Expired by surprise_audit · · Score: 1
      I've got one set of over 200 systems, hardly any of which sync passwords between themselves. They don't all have the same password expiry rules (30 - 45 days) and some will allow passwords that others won't. Password Change Day gets to be a real drag. If they go ahead with their plans to merge several sets of support folks, that'll add 300 - 400 more systems with different rules...

      It's got to the point where I'm writing a tool that'll log me in, using a locally-stored encrypted password list. When it's done, it'll detect 'password about to expire' messages and change my password to some random string, then update the encrypted list. I only have to remember a couple of passwords - to login to my local system, and to decrypt the list.

  24. What about biometric systems? by Anonymous Coward · · Score: 0

    If a company is going to invest in a hardware solution like secureid, what about using a biometric solution like fingerprint scanners instead? I know it probably isn't worthwhile if a lot of people are remote, but are the systems secure enough these days for local security?

    1. Re:What about biometric systems? by dustinbarbour · · Score: 1

      No. The systems are not secure. A Japanese researcher has shown that fingerprint scanners can be tricked by making fake fingerprints. How do you get the fingerprints of a valid user? Easy! Take them off of the scanner itself!

      And then you have iris scanners. The iris is supposed to be more unique than fingerprints. But researchers in Germany have been able to trick the iris scanner with a 2048x1536 image of an iris with a hole punched out in the middle for the pupil. Biometrics are not foolproof.

    2. Re:What about biometric systems? by dsavy86 · · Score: 1

      Who was the Japanese researcher? We are reviewing bio systems for SSO and IM&A right now and have found a company with a pretty intricate algorithm for matching user fingerprint templates for IT system access.

  25. stick me by Anonymous Coward · · Score: 0

    from the article:

    [...] Mr. Darby says. "I'm thinking that tattoos are the way to go."

    nope, but try you could become a password piece of art!

  26. Why should the users be concerned about security. by jellomizer · · Score: 1

    Seriously, most users see computer security as an IT problem, not theirs. They just want to get their work done. All the education in the world and all the bickering will not stop them from making stupid, easy to guess passwords. Now if IT had the power to fire people whose account compromised the corporate system because some hacker guessed their password and got in, then maybe it would be different. But IT rarely has that power. If 1234 logs them in then they will use it because it is easy to type. If it was up to them they wouldn't even want their login IDs, and many forget theirs because they just don't log off their system.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  27. Password expiration by crow · · Score: 2, Interesting

    This goes along with my other pet peeve--password expiration. Here at work, the Windows passwords must be at least 8 characters, with mixed case and numerals. They expire after 90 days, but can't be changed for at least 10 days when new.

    My password is written on my whiteboard.

    For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

    And the IT department needs to recognize that once someone has physical access to the network, there's not much left to secure, anyway.

    1. Re:Password expiration by digid · · Score: 0

      yah i hate it too...I just keep the same password but just change the last character in the password to say from 2 to 3 and in 90 days or whatever back from 3 to 2

    2. Re:Password expiration by 0racle · · Score: 1

      A password that never expires means that the intruder has access for as long as that account exists, if the intrusion was never detected. That is not serious security. Password expiration IS for serious security, and passwords should expire very frequently. However, that is not very friendly to your users, so the admin has to weigh usability with security. A 30-60 day policy seems reasonable to me, but it might not to the next guy.

      Every organization other than the absolute smallest places should be expiring passwords, or personally I would consider the admin slacking on the job.

      Just because when an attacker has physical access all bets are off, doesn't mean that you don't implement security, otherwise why not just have firewalls and do away with passwords on internal systems completely.

      --
      "I use a Mac because I'm just better than you are."
    3. Re:Password expiration by Coolmoe · · Score: 1

      If I had mod points I would mod that post up.

      If you do finally memorize 4Fy&x*Gw or better it should last longer than a few months. They can require more but be aware I will write that down somewhere.

      --
      Got hosting
    4. Re:Password expiration by crow · · Score: 1

      False.

      Most people choose new passwords that are completely predictable based on their old passwords. Hence, once a password is determined, access to the account is available to the intruder indefinitely.

      Now I can accept having some requirements on the passwords themselves. What you want to do is push users into having at least two passwords--one that they use for insecure personal web accounts, and one that they use for corporate accounts.

      Ultimately, though, you have to take into account human behaviour in setting your security policies. How will users react to your system? What are the unintended consequences? (e.g., if you block various ports, will users set up proxies that open up new security holes?)
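
As an added example (my own code, not from any poster in this thread), here is a password-change check in Python that enforces the kind of history rule discussed above and rejects the recycling tricks described in the thread (appending or bumping a trailing digit, reversing, or tiny edits), and also refuses the five guessable passwords from the "Guessin' Game" post earlier. The thresholds, function names and the tiny common-password list are assumptions for illustration.

```python
"""Reject new passwords that are trivially derived from the old one or otherwise weak.

Assumed policy for this example: minimum length 8, no reuse of the old password or
anything in the recent history, no "same core, different trailing digits", no
reversal, no near-duplicate (edit distance <= 2), no username, no well-known password.
"""
import re

# Constructed from the thread's own "guessing game" list; a real deployment would use a
# far larger breached-password list.
COMMON_PASSWORDS = {"password", "slashdot", "123456", "password123"}


def strip_trailing_digits(s: str) -> str:
    """'winter2004' -> 'winter', 'mypassword1' -> 'mypassword', '1234' -> ''."""
    return re.sub(r"\d+$", "", s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new: str, old: str, username: str,
                       history=(), min_length: int = 8, max_similar: int = 2):
    """Return (accepted, reason). `history` holds earlier passwords beyond `old`.

    Comparisons are case-insensitive so that a case flip alone does not count as a change.
    """
    n = new.lower()
    if len(new) < min_length:
        return False, "too short"
    if n in COMMON_PASSWORDS:
        return False, "on common-password list"
    if username and username.lower() in n:
        return False, "contains username"

    for prev in (old, *history):
        p = prev.lower()
        if n == p:
            return False, "reuses a previous password"
        # The "append 1..6" / "bump the last digit" trick from the thread.
        core = strip_trailing_digits(n)
        if core and core == strip_trailing_digits(p):
            return False, "only trailing digits changed"
        if n == p[::-1]:
            return False, "previous password reversed"
        if levenshtein(n, p) <= max_similar:
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the rotations posters admit to, then a genuinely new password.
    cases = [
        ("Winter2005", "Winter2004"),
        ("MyPassword1", "MyPassword"),
        ("4002retniw", "Winter2004"),
        ("password123", "Winter2004"),
        ("correct horse battery", "Winter2004"),
    ]
    for new, old in cases:
        print(f"{new!r:25} after {old!r:14} -> {check_new_password(new, old, 'alice')}")
```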

    5. Re:Password expiration by MadMorf · · Score: 1

      For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

      This statement shows how little you know about the subject.

      Without password complexity the only recourse is to lock the account with only a very small number of invalid login attempts, such as 1 or 2.
      The first time you come in and fat-finger your password and get locked out for an hour, you'll be screaming at the admins to give you more attempts.

      Without password complexity AND short-term expiration times you risk losing everything if your password file (SAM, whatever) is compromised.

      Four years ago, during an audit, I cracked nearly every password (over 1,000 users) in an NT Domain, using L0phtCrack, in just under 10 days using a moderately powered laptop. This Domain had no password complexity rules in place.

      With what you propose, you might just as well post the passwords on a billboard.

    6. Re:Password expiration by maximilln · · Score: 1

      A password that never expires means that the intruder has access for as long as that account exists, if the intrusion was never detected. That is not serious security. Password expiration IS for serious security, and passwords should expire very frequently

      What stops the intruder from changing the password on schedule? If the account has a legit owner, and they call in to say,"My password's been changed", and that user chose a weak password to begin with, they'll probably choose another weak one which can be exploited again.

      Passwords are like antibiotics--they're overused and mostly worthless. In all reality, most places probably only require passwords in an obfuscated attempt to give legitimacy and credibility to their demands for a name/address/telephone number/complete CV.

      Why does _EVERYTHING_ require an account?

      --
      +++ATHZ 99:5:80
    7. Re:Password expiration by Anonymous Coward · · Score: 0

      Read the article, at least one business which is in the computer security business does not expire passwords as they have arguments to the contrary of yours.

    8. Re:Password expiration by nojomofo · · Score: 1

      Whether you like it or not, your choices are:
      1. Allow simple passwords
      2. Require complex passwords, but don't expire them (so that users can memorize them and keep them memorized)
      3. Have users write their passwords down

      Many users will do number 3 no matter what. But, really, people just aren't going to memorize 8 new random secure passwords every month. It just isn't going to happen. You might want to live in a perfect world where you can implement security rules assuming that the users aren't the weakest link, but this is the real world, and I have news for you: your users are your weakest link.

    9. Re:Password expiration by Tyranny12 · · Score: 1

      While I don't necessarily agree with you, that sounds like the minimum requirement from Sarbanes-Oxley. They probably don't have a choice.

  28. Another problem by rackhamh · · Score: 1

    The problem isn't just with remembering a strong password that you use on a daily basis. What about those one-time sign-ups that you have to do from time to time, for example to request a secure email certificate?

    Two years down the road, you've changed all your other passwords a dozen times, you get a new laptop, and now you can't remember the password to unlock your certificate -- which means you won't be able to read any encrypted emails people send you anymore, until you get a new certificate and they all accept it.

    Asking people to remember a few regularly used passwords may or may not be too much... but asking them to remember infrequently used passwords certainly is.

    1. Re:Another problem by maximilln · · Score: 1

      What about those one-time sign-ups that you have to do from time to time

      INDEED.

      I don't worry about spam e-mail. The e-mail boxes are all cluttered with kazillions of forgotten password request forms. I even have multiple instances of requests for the same password. Maybe the rest of the world likes to let their web browser remember all of their passwords--I'm not convinced that those mechanisms are secure enough that they can't be mined. Heck. Malware can install itself. What prevents it from mining passwords?

      It's really silly the way the corporatization of the internet has made it nearly unusable. You can't even read today's news headlines without some corporate office asking for your complete CV and a 128-bit PGP encrypted .wav file with your vocal signature and a 15 character password with a mandatory inclusion of at least 3 extended ASCII characters.

      --
      +++ATHZ 99:5:80
  29. seven different 8 character passwords by wiredog · · Score: 1
    (with numbers and mixed cases) really too much to ask?

    Yes. It is. I'm supposed to remember which password goes with which account/username on which one of 4 systems I may have to access at work, plus root and regular user on the home box? Then there are the user/pass combos for here, k5, husi, tnr, the atlantic, wash post, ny times, salon.com, and a couple of other ones.

    That's something like 16-20 user/password combos. Fortunately I can use the same username across multiple sites. But I use different passwords.

    Oh, and those passwords are all on different change cycles. Some 3 months, some 6, some never. So not only do I have to remember the old passwords, I have to remember the new ones as well.

    Hell yes, I keep a cheat sheet in the wallet.

    1. Re:seven different 8 character passwords by Anonymous Coward · · Score: 0
      Hell yes, I keep a cheat sheet in the wallet.
      Then you should be fired.
  30. Biometric Security by ukiah · · Score: 1

    What do you think of biometric security? Anyone use M$'s "fingerprint reader"? Is it secure at all?? http://www.microsoft.com/hardware/mouseandkeyboard/features/fingerprint.mspx

  31. unique by digid · · Score: 0

    my ten unique passwords are on my finger tips...you can even make combinations of fingerprint identification for added security (user specified combination of fingerprints, ex. left index finger + right pinky)

  32. PasswordSafe by rewt66 · · Score: 1

    PasswordSafe, from Bruce Schneier's outfit Counterpane Security, is a great help. I can have multiple passwords to different things stored in it; I can even have "secure" machine-generated ones, and I don't have to remember any of them. All I have to remember is one good, solid password - the password to PasswordSafe. (If you will, it's my "root" password.)

    1. Re:PasswordSafe by redheaded_stepchild · · Score: 1

      Thanks! I knew I should've tried that one first...

      Seriously, why do you think one unchanging password that protects the rest of them is better? And when someone cracks that, now they'll know your root access as well. Ooops.

      Should I try 'root' first or just 'password'?

      --
      Don't use the Troll mod just because you disagree with me.
    2. Re:PasswordSafe by rewt66 · · Score: 1
      No, that password is the "root" password to my life, not to my machine. And no, it isn't "root" or "password".

      Why is it better? Because I only have to remember one. I can do that. And because I only have to make one secure one. I think I can do that, too (of course, lots of people think that they can, and a number are mistaken...)

  33. My take : three zones by Ars-Fartsica · · Score: 4, Interesting
    My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

    Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

    Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

    High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

    1. Re:My take : three zones by fdicostanzo · · Score: 1

      Yeah yeah, same here.

      But then you can always forget the password on those sites and it will ask you a simple question before letting you in like your mother's maiden name or the last 4 digits of your SSN (your universal, can't-be-changed password). I would bet a lot of that information is obtainable rendering the whole password scheme meaningless.

      --
      Synergies are basically awesome, and they're even better when you leverage them. -PA
    2. Re:My take : three zones by javatips · · Score: 1

      I have a similar system... But I generate random passwords and keep them in an encrypted file on my Palm.

      I don't really understand the noise with memorizable passwords. A random 8 character password with mixed case and numbers takes me about 4-5 times (the number of times I have to enter it) to memorize.

      For those I don't use very often... then my little Palm app will help me remember them.

    3. Re:My take : three zones by Anonymous Coward · · Score: 1, Insightful

      Well, then you're foolish. Using the same password for an online shopping site as for your email means one bent admin can read your email and go on a shopping spree on your card whilst deleting the "order confirmation" notices.

      You should treat ANY user account that includes your bank details as requiring high security - unique passwords for each; or else the folks at xyzonlineshop can log into your amazon account and get themselves some nice xmas presents.

      -J

    4. Re:My take : three zones by ballpoint · · Score: 2, Insightful

      You can answer these questions with unrelated data, encrypted and kept elsewhere.

      Look at it as a backup password, in case the original broke into bits by some strange mishap.

      --
      Flourescent (adj): smelling like ground wheat.
    5. Re:My take : three zones by Chris+Burke · · Score: 2, Funny

      I like the sites that ask you to provide a challenge question that they will ask if you forget your password. My question is always "Go fuck yourself" and the response is whatever happens when I smack my palm on the keyboard repeatedly until the character limit is reached. I don't forget my passwords. :)

      Of course, then you call up your bank and all they want is your SSN and mailing address... Sheesh.

      --

      The enemies of Democracy are
    6. Re:My take : three zones by Z00L00K · · Score: 1
      So you actually have a normal password when you are doing your bank transaction? If my bank only had that I would change bank directly.

      My current bank has a little calculator sized password generator that uses a mathematical algorithm where the bank generates an eight-digit code that I enter into the device, which then calculates a response code of eight digits. I then enter that code and get access to the bank. The code that the bank has generated is only valid for three minutes, which means that even if anybody actually can intercept the codes they are useless fairly soon. (all traffic is of course over https too).

      In addition to this the sum of all transactions made during the session with the bank has to be signed too, which means that even if somebody gained access to my bank login they are still not able to transfer any money out of my bank account.

      The gadget is protected by a pin code and will lock up after three failed attempts, so in that case it's necessary to beat the PIN code out of me first.

      It is a little cumbersome sometimes with this gadget, but to get higher authentication security will probably require something that is even more complicated. Biometrics are out of the question - it's not safe enough (maybe if you can make a challenge/response of brainwave patterns, but who wants to have a D-Sub implanted in their skull?)

      Other methods are one-time passwords by checking off a list of passcodes, but that is not good enough. Same goes for those RSA gadgets with a number generator; the numbers aren't protected, so anybody that can get hold of that gadget is able to do anything.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
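Z00L00K's device above is a challenge/response token with a PIN lockout and with signing of the session total. The following is an added example, not code from the page or from any bank, that models both sides of that exchange in Python. The HMAC-SHA256 construction, the truncation to 8 decimal digits, the `login`/`sign` purpose tags and the class names are all assumptions; the three-minute validity and the lockout after three wrong PINs follow the comment.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CHALLENGE_VALIDITY_SECONDS = 180   # the three-minute window the comment describes
MAX_PIN_FAILURES = 3               # device locks after three wrong PINs


def _code(secret: bytes, purpose: bytes, data: str) -> str:
    # Assumed construction: HMAC-SHA256 over a purpose tag plus the 8-digit
    # input, truncated to 8 decimal digits. The tag keeps a login response
    # from being replayed as a transaction signature and vice versa.
    digest = hmac.new(secret, purpose + b":" + data.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


class Token:
    """The customer's calculator-sized device: shared secret, PIN, failure counter."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self.failures = 0
        self.locked = False

    def respond(self, pin: str, purpose: bytes, data: str) -> Optional[str]:
        """Compute the 8-digit response, or None if the PIN is wrong or the device is locked."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.locked = True
            return None
        self.failures = 0
        return _code(self._secret, purpose, data)


class Bank:
    """Server side: time-limited single-use challenges plus signing of the session total."""

    def __init__(self, secret: bytes, clock=time.time) -> None:
        self._secret = secret
        self._clock = clock                      # injectable so expiry can be tested
        self._pending: Dict[str, float] = {}     # challenge -> time issued

    def issue_login_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = self._clock()
        return challenge

    @staticmethod
    def _well_formed(response: str) -> bool:
        return len(response) == 8 and response.isascii() and response.isdigit()

    def verify_login(self, challenge: str, response: str) -> bool:
        issued = self._pending.pop(challenge, None)   # each challenge is answerable once
        if issued is None or self._clock() - issued > CHALLENGE_VALIDITY_SECONDS:
            return False
        if not self._well_formed(response):
            return False
        return hmac.compare_digest(response, _code(self._secret, b"login", challenge))

    @staticmethod
    def signing_challenge(total_cents: int) -> str:
        """The amount itself is what the device signs, so a stolen login cannot move a different sum."""
        return f"{total_cents:08d}"

    def verify_signature(self, total_cents: int, response: str) -> bool:
        if not self._well_formed(response):
            return False
        expected = _code(self._secret, b"sign", self.signing_challenge(total_cents))
        return hmac.compare_digest(response, expected)
```

The clock is injected so the expiry can be exercised offline. Each challenge is popped on first use, so an intercepted response cannot be replayed even inside the three-minute window, and the signing input is the transaction total, which is what makes a captured login useless for moving a different amount.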
    7. Re:My take : three zones by dreamt · · Score: 1

      Best bet is to use STRIP -- Secure Tool for Remembering Important Passwords for PalmOS. I've been using it since my PilotPro days. Great tool, keeps everything encrypted on the palm, has a master password for STRIP, forgets it when palm is turned off or switched to a different app. And it's GPLed.

    8. Re:My take : three zones by lubricated · · Score: 1

      amazon won't let you ship to a new address without you reentering your credit card number. Furthermore, credit card companies are more than happy to reverse any charges you claim are fraudulent.

      --
      It has been statistically shown that helmets increase the risk of head injury.
    9. Re:My take : three zones by javatips · · Score: 1

      That's the application I use! Thanks for the link (I was actually too lazy to put a link).

    10. Re:My take : three zones by pjt33 · · Score: 1

      Round here banks seem to think that asking you your mother's maiden name is a good way of verifying your identity. Well, can you think of anyone other than yourself who knows it? I simply give them another name, but it does mean I have to remember whom I've told what.

    11. Re:My take : three zones by pthisis · · Score: 1

      A random 8 character password with mixed case and numbers

      And is only a 48-bit key if anyone ever gets into a situation where they can launch a brute-force attack. Which may or may not be a realistic concern.

      --
      rage, rage against the dying of the light
    12. Re:My take : three zones by n0rm · · Score: 1

      This is fine until you forget the id you used. I did this with my cell phone provider. I can't remember the account ID which is needed to get the password (which I do remember), but there is no way to retrieve the ID. But since there is already an account for the phone number you can't just set up a new account.

    13. Re:My take : three zones by Anonymous Coward · · Score: 0

      Call the cell company, fuckwit.

  34. Various passwords by TheMadRedHatter · · Score: 1

    I have about 6 different passwords. My longest, 20 chars, is for root on one of the boxes.

    All of them are alpha numeric.

    I created a random password generator, wrote them down.... memorized them..... then burned the paper.

    -- TheMadRedHatter

    --

    while(1)
    {

    }

    Ah, the story of life.
    1. Re:Various passwords by Anonymous Coward · · Score: 0

      I created a random password generator,

      Ah, because just using mkpasswd would have been too easy?

      Too many morons.

  35. Well, from the WSJ article it wasn't stupid users by MerlynEmrys67 · · Score: 1
    From the article (read yesterday in the dead tree edition), one poor woman was required to type 8 passwords to log into the things that she needed to log into. Each password a combination of letters and numbers, and each having to change every 3 months. So that is 32 passwords a year.

    Frankly if my work was so dumb - I'd write them down too - or come up with a script that would do all of the logging in after the initial password. This is an IT staff problem, not a user problem... Please, one password is enough

    --
    I have mod points and I am not afraid to use them
  36. even no password at all by Anonymous Coward · · Score: 1, Funny

    incredible some slashdot users don't even use password

    see this anonymous coward, shame on him

  37. Failings of Two-Factor Authentication by totallygeek · · Score: 1
    So, we get issued key fobs for RSA authentication via Cisco VPN and guess what happens: three users have already taped their PIN to the back of the fob so they won't need to remember it. One wrote it with a metallic silver Sharpie!

  38. Math nuts are the worst... by physicsphairy · · Score: 1
    I have a lot of friends who are math people, and they infallibly choose mathematical constants for their passwords. Granted, they know these constants to insane decimal places and so, against a brute force crack, their passwords are among the most secure. But if you happen to know them, guessing their password is often as trivial as looking up pi, e, and gamma.

    Just something I thought was interesting. . . .

    1. Re:Math nuts are the worst... by pjt33 · · Score: 1

      I have a variant on that which is slightly more sophisticated: take two physical constants (e.g. epsilon-0 and mu-0), multiply each by a suitable factor of 10, and take the sum or difference to however many digits you want. As long as you remember which constants you use you can reconstruct it if you forget it (although I tend to remember a password after using it about three times), but it's rather unlikely to be in a dictionary.

  39. Passwords are hard to remember... by EspressoMachine · · Score: 1

    That's why we only have one account for everyone where I work. Username: admin Password: admin That way, people never forget!

    --
    Despite conventional wisdom, I've discovered you can blame a guy for trying. It's called "attempted murder".
  40. In case you forget them.... by lukewarmfusion · · Score: 2, Funny

    ...just put them all in an Excel spreadsheet, keep a copy printed out and stored in your filing cabinet under a folder labeled "Passwords" and don't lock the cabinet.

    I gave my two weeks' notice and this was the first thing my bosses wanted me to do: write down all the passwords for them so they could keep everything on file.

    Fantastic.

    1. Re:In case you forget them.... by evilviper · · Score: 1
      and don't lock the cabinet.

      I've found that the locks on filing cabinets are the worst locks I've ever seen in serious use... The only locks that are worse are those sold for 25 cents in grocery store vending machines.

      Any object vaguely the same size as the key will work... It seems the tumblers have no protection against being pushed too far in, so a blank key of the right type will open them all.

      In fact, I find that finger-nail files are the right size, and work in a matter of seconds with a bit of convincing.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  41. Keepass by Greenspan · · Score: 1

    I recently started using Keepass, an open source, encrypted database for storing all your login/password information. Keepass uses AES and Twofish for encryption, and also gives you the ability to generate passwords, based on several criteria (upper/lowercase, special characters, extended ascii characters, etc.) All you need to remember is a "master" key that unlocks the DB.

    http://keepass.sourceforge.net/features.php/

    My Slashdot password (as if it needed much security), is 101 bits, and I couldn't tell you what it was if I wanted to. I just open up keepass, select "copy to clipboard", and paste the password when prompted for login info. Keepass clears the clipboard after 10 seconds, and stops functioning if you haven't used the program in 30 (?) seconds.

    I think it's great. Up until now, I had four fairly insecure passwords that I rotated among dozens of accounts/sites. This is much easier, and MUCH more secure.

    1. Re:Keepass by xyeeyx · · Score: 1
      Keepass uses AES and Twofish for encryption

      but ./ doesn't encrypt your pass when you log in.

    2. Re:Keepass by Anonymous Coward · · Score: 0

      I hope you're using a laptop because that's just incredibly inefficient if you're a mobile user and are using multiple machines depending on where you're located.

    3. Re:Keepass by Anonymous Coward · · Score: 0

      Er, 101 bits? How'd you pull that off? My computer only lets me use byte-size characters . . . Actually, this says that 101 is prime . . . so either you have made a mistake, or you have a 101 byte password (what?!), or . . . you are just making things up.

    4. Re:Keepass by Rydian · · Score: 1

      This actually looks like a great program, it's just too bad it's not cross-platform.

      --
      chown -R us. /base
    5. Re:Keepass by Greenspan · · Score: 1

      It's a small program that requires only one executable, and the DB file. I put it on my USB thumbdrive and have it wherever I go. It's really not that difficult.

    6. Re:Keepass by Greenspan · · Score: 1

      Steps to generate a 101 bit password:

      Key length: 16 characters

      Include:
      Upper alphabetic characters (A, B, C, D)
      Lower alphabetic characters (a, b, c, d)
      Numerical characters (1,2,3,4... )
      Special characters (!, $, %, ^, etc.)

      Voila! 101 bit password.

      You can further increase it to 117 bits if you include: underline character, minus, space, higher ansi characters, and special brackets.
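pthisis's 48-bit figure (comment 11 under "My take : three zones") and Greenspan's 101-bit figure come from the same calculation: password length times log2 of the alphabet size. The following is an added example, not code from the page or from KeePass, that computes that for the character classes Greenspan lists and generates a password from the same classes with a CSPRNG. The exact "special characters" set is an assumption (Python's string.punctuation, 32 symbols), so the 16-character total here lands near, not exactly on, the 101 bits Greenspan's dialog reports.

```python
import math
import secrets
import string

# Character classes as listed in Greenspan's generator steps. The exact
# "special character" set is an assumption; string.punctuation is used.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": string.punctuation,
}


def alphabet_for(*classes: str) -> str:
    """Union of the selected classes, deduplicated and sorted."""
    return "".join(sorted(set("".join(CLASSES[c] for c in classes))))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size ** length candidates."""
    return length * math.log2(alphabet_size)


def generate(length: int, *classes: str) -> str:
    """Uniform random password; uses secrets (not random), so it is fit for credentials."""
    alphabet = alphabet_for(*classes)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at a given guess rate (expected success at about half that)."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)
```

`years_to_exhaust` turns bits into time at a guess rate you supply. For the 62^8 space at a billion guesses per second the whole space takes a matter of days, which is pthisis's "may or may not be a realistic concern": only an attacker holding the hash, or facing an unthrottled login interface, gets anywhere near that rate.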

  42. Security by SteroidMan · · Score: 1

    Breaks down into 3 realms

    Something you have, something you know, something you are.

    The best systems incorporate a little of each.
    For a phone banking application:
    A unique transaction number out of a booklet your bank sent you. (something you have)
    A voice sample of you saying the numbers (something you are)
    Your birthday (something you know)

    Even though each of these individually is 95-97% secure at best, the combination is highly secure.

  43. Easy trick... by GillBates0 · · Score: 4, Funny
    Get someone to kick you in the nuts every time you forget your password.

    You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

    For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
    1. Re:Easy trick... by Anonymous Coward · · Score: 0

      I'm female, you insensitive clod!

    2. Re:Easy trick... by Saeed+al-Sahaf · · Score: 1
      You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

      It sounds like you have personal knowledge of this? Hope you've had all the kids you want!

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    3. Re:Easy trick... by Anonymous Coward · · Score: 0

      But what if you don't have any balls because you're Swiss?

    4. Re:Easy trick... by RealAlaskan · · Score: 1
      Get someone to kick you in the nuts every time you forget your password.

      Ooh! Ooh! Pick me! Pick me! I'll do it!

      Seriously, plenty of people will help you do it, but you probably won't have a lot of company in this little self-improvement plan. It will probably work for you, too, as long as your plans don't include breeding.

    5. Re:Easy trick... by Anonymous Coward · · Score: 0

      This would prevent those people from being able to reproduce. Good Solution!

    6. Re:Easy trick... by nokiator · · Score: 1

      Sounds like you have found the solution to the population explosion problem...

    7. Re:Easy trick... by Anonymous Coward · · Score: 0

      Actually this could be a GREAT evolutionary feature for humankind, provided that it's required for all males over age 7. Only the men capable of remembering their passwords would manage to reproduce. :) In 100 years, the password memorization problem will be completely solved!

    8. Re:Easy trick... by Anonymous Coward · · Score: 0

      I forget my password as often as possible. The girl who works the help desk in our IT department is SUPER hot, and loves low cut shirts!!!

  44. Acronym passwords? by Desco · · Score: 1

    How long before people making brute-force dictionary searchers use the internet to find popular phrases and make acronym brute-force guesses?

  45. Single Sign On by Anonymous Coward · · Score: 1, Informative

    Ideally, you have a centralized authentication system like Kerberos, and one password is good for all the network services you need. Also, password storage utilities like Bruce Schneier's Password Safe or Apple's Keychain help a lot, since you can use a single master password to store (in crypted form) all those other passwords you don't want to remember.

  46. No it's not... by Anonymous Coward · · Score: 0

    nice try

  47. Strong Password Algorithms are a Myth by tjstork · · Score: 1

    Telling people to not use whole words as passwords because they might be included in dictionary searches seems like it might be a good idea, but the problem is that you usually wind up giving people an algorithm for password generation that might actually yield an even worse password. Where I work at, for example, the suggested practice is to use acronyms followed by numbers. You remember a pet phrase and extract out the acronym. "Eagles Will Beat the Cowboys on Sunday" might become ewbtcos42, some random number after that. Sounds good, but what's to stop an attacker from including acronyms based on common english phrases in an attack dictionary?

    --
    This is my sig.
    1. Re:Strong Password Algorithms are a Myth by gcaseye6677 · · Score: 1

      Expand the policy a little further and tell people not to use common sayings to form an acronym. For example, instead of using something common like Thank God It's Friday, use something that nobody would think of, like I Drive A Porsche (especially effective if you don't drive a Porsche). Add some numbers and punctuation after that, and there's no way anybody is guessing it without a brute force character-by-character attack.

    2. Re:Strong Password Algorithms are a Myth by Anonymous Coward · · Score: 0

      Maybe because there is a huge number of phrases people can come up with, as opposed to a very finite number of words?

    3. Re:Strong Password Algorithms are a Myth by tjstork · · Score: 1

      The real question is, how many effective words does that add to a language? We can, as an attacker, build a grammar generator and acronym extractor.

      Let's say you already have a dictionary, as an attacker. You've got all the words already and hopefully you have them coded by part of speech. Then, from there, you can apply some common grammatical rules to generate sentences.

      S -> I Verb a Noun
      S -> Noun Verb Adverb

      This does explode the amount of searching an attacker must do, but the attacker could do some human engineering and weight the search towards common forms first. The resulting attack would be much, much less than just iterating through every combination of character in an 8 character string.

      --
      This is my sig.
  48. The problem isn't so simple by Slick_Snake · · Score: 2, Insightful

    Current security models require passwords to be changed every three months or so. On top of that the password cannot be one of the last 5 or so used. On top of that it must be different than the last password by x number of characters. On top of that the user must remember x number of passwords of which he/she only uses one on a regular basis. To complicate matters the passwords must contain numbers, letters (upper and lower case), and sometimes special characters (but only certain ones). The expectations placed on the worker are unrealistic and that is what leads to poor password management. Simple password with dongle (smart card, usb device, RFID chip, etc...) is a better solution.

    1. Re:The problem isn't so simple by pjt33 · · Score: 1

      Not only does it place an unrealistic burden on the user, but any system which can compare passwords with previous ones is storing them in plaintext rather than storing and comparing hashes.
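Slick_Snake's list contains two different history rules, and they have different storage needs. As an added example (not code from the page or from any product), the following shows a server enforcing "not one of the last N" against salted PBKDF2 hashes only, with no plaintext retained, and applying the "differ by x characters" rule to the current password as the user types it into the old-password field of the change form; that rule cannot be applied to anything older, because only hashes of those remain. The class and function names, the PBKDF2 parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HISTORY_DEPTH = 5          # "cannot be one of the last 5"
MIN_CHANGED_CHARS = 3      # "different than the last password by x characters"
PBKDF2_ROUNDS = 50_000     # illustrative; tune upward for production hardware


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Salted hashes of a user's recent passwords; plaintext is never kept."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]               # keep only the last N

    def is_reused(self, candidate: str) -> bool:
        # Each entry has its own salt, so the candidate is hashed once per entry.
        return any(hmac.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self._entries)


def chars_changed(old: str, new: str) -> int:
    """Positions that differ, counting any length difference as changed characters."""
    same = sum(1 for a, b in zip(old, new) if a == b)
    return max(len(old), len(new)) - same


def validate_change(history: PasswordHistory, current: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable.

    `current` is what the user just typed into the old-password field, so the
    x-characters rule is applied to it here and the value is then discarded.
    """
    if history.is_reused(new):
        return f"matches one of the last {HISTORY_DEPTH} passwords"
    if chars_changed(current, new) < MIN_CHANGED_CHARS:
        return f"fewer than {MIN_CHANGED_CHARS} characters differ from the current password"
    return None
```

The cost of `is_reused` grows with the history depth, since each stored entry carries its own salt; that is deliberate, because a shared salt would let one precomputation test a candidate against every entry at once.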

  49. Even "good" passwords are bad by bitslinger_42 · · Score: 3, Interesting

    Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

    There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversible password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

    Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically sends a new list before the old one is exhausted.

    The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.

    1. Re:Even "good" passwords are bad by Remco_B · · Score: 1
      There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically sends a new list before the old one is exhausted.

      The Dutch Postbank has been doing this for many years for its electronic banking system. You need a username and a password to get into the system and you need one of those PINs every time you want to commit a transaction. Nowadays, they can send you each PIN by SMS when you need it, instead of the paper with 100 PINs that they send by mail.
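The mailed list of single-use codes that bitslinger_42 and Remco_B describe is a small state machine on the server: issue a batch, strike each code as it is used, reissue before the list runs out. The following is an added example, not Postbank's code or anything from the page. The batch size of 100 and the reissue-before-exhaustion rule follow the comments; the six-digit code length, the lockout after three unknown codes and the class name are assumptions.

```python
import secrets
from typing import List, Set

BATCH_SIZE = 100        # the paper list Remco_B mentions holds 100 codes
REORDER_BELOW = 10      # send the next list before the old one is exhausted
CODE_DIGITS = 6         # assumed; the page gives no code length
MAX_FAILURES = 3        # assumed: 100 live codes out of 10**6 makes guessing cheap without a lockout


class TanService:
    """Server-side bookkeeping for one customer's single-use transaction codes."""

    def __init__(self) -> None:
        self._active: Set[str] = set()   # issued, not yet used
        self._spent: Set[str] = set()    # used; never reissued
        self.batches_issued = 0
        self.failures = 0
        self.locked = False

    def _fresh_code(self) -> str:
        while True:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in self._active and code not in self._spent:
                return code

    def issue_batch(self) -> List[str]:
        """The list to print and mail (or, one code at a time, to send by SMS)."""
        batch: List[str] = []
        while len(batch) < BATCH_SIZE:
            code = self._fresh_code()
            self._active.add(code)       # added as generated so the batch itself has no duplicates
            batch.append(code)
        self.batches_issued += 1
        return batch

    def redeem(self, code: str) -> bool:
        """True exactly once per issued code; a reused, mistyped or guessed code fails."""
        if self.locked:
            return False
        if code not in self._active:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True       # unlock only through an out-of-band identity check
            return False
        self.failures = 0
        self._active.remove(code)
        self._spent.add(code)
        if len(self._active) < REORDER_BELOW:
            self.issue_batch()           # in production: trigger the mailing, not just the generation
        return True

    def remaining(self) -> int:
        return len(self._active)
```

Spent codes are kept so they are never reissued, which is what makes "cross it off" meaningful on the server side as well as on the customer's paper.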

  50. 17 passwords and counting... by Anonymous Coward · · Score: 0

    I believe people are lazy or can't be bothered. After reading through I've realized that I have more passwords memorized than I care to recognize. All are alpha numeric, some consist of alternate case and a few require the shift + numbers.

    1 - domain
    2 - email addresses
    12 - workstation logins at work
    1 - instant messaging
    1 - online banking
    1 - home pc login

    I really see no reason why anyone, through simple repetition of logging in can't remember a password no matter how complex.

    1. Re:17 passwords and counting... by Anonymous Coward · · Score: 0

      You're a moron for having 12 different passwords for workstations at work. Why the fuck would you need to log onto 12 different computers anyway?

  51. Spaceballs by krygny · · Score: 1

    I always keep with the same convention; what's so hard?!

    1 2 3 4 ...

    Q W E R T Y ...

    A S D F G ...

    --
    Research shows that 67% of those who use the term "research shows", are just making shit up.
  52. Passwords are passe by ikewillis · · Score: 1
    For a workplace, there's no better solution than single-sign-on (Kerberos or the like) using a SmartCard. People understand how to keep something like a key safe, but keeping a bit of information safe, especially when it's something they have to keep in their head, is considerably more difficult.

    I think the best approach is something like a Sun Microsystems Sunray environment where you can stick your SmartCard into any Sunray and instantly pull up your session from the server. Instead of having to "log out" you simply pull your SmartCard out of the Sunray, and that's the end of your session (even though it stays going on the server)

  53. Seven different passwords? by vaporakula · · Score: 1
    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    I hope this is rhetorical. Seriously.

    I'm the sort of person who does this; I have many levels of password for different occasions and situations. But that's not the case for most people, especially in business. They don't want to have to jump through hoops to be able to use their machines. It should just work!

    It's not about business culture needing to change to understand the importance of digital security; it's about people implementing digital security systems understanding a little bit about people and how they want to use their machines.

    Use stuff that everyone is already familiar with, and that doesn't take brainpower to implement! Build one system for the masses who turn up to work, sit at a terminal all day and then leave, and build another system for people who actually need to access their data from off-site. Make the simple system very, very simple - not insecure, just simple - and 80% of this problem goes away.

    It really, honestly shouldn't be a requirement for the vast majority of office workers to remember 7 different passwords. That *is* too much to ask.

  54. Oceans 11 Password by totallygeek · · Score: 1
    what movie is out now? "8 characters, needs numbers" oceans11 "8 characters, needs punctuation and numbers" oceans11

    That's pretty damn secure! I have been trying to own root on your box all morning with "oceans12"....

  55. Obligatory... by Penguinshit · · Score: 1


    Obligatory Spaceballs reference goes here...

  56. Automatic Human pronounceable password generators. by gokulpod · · Score: 1

    Good human pronounceable (thus easy to remember) passwords can be generated using tools like these; it is even a part of Debian (apt-get install apg). Try it out; the generated passwords are generally very good, a mix of cases, numbers etc.

    --
    My mom never taught me to sign.
  57. ASCII Characters by Anonymous Coward · · Score: 0

    Back in the day, my understanding was that an ASCII-based password could not be broken, and I believe that I applied l0phtcrack (and other programs) to test that out. Anyone know if brute force crackers are able to break ASCII-based passwords?

  58. All passwords should be strong by Anonymous Coward · · Score: 0

    The necessity for the strength of the password is not necessarily relative to the importance of the data you are protecting which the user has access to.

    In many cases any account can be used to run an exploit which can "root" the user. Once that's done, the attacker can use this as a jumping off point to get into other systems, get a copy of the registry (which may have domain admin password hashes in it) etc.

    Unless you use your computer strictly for gaming, and there are no other computers on your network, a strong password is important.

    I'd venture to say that if they don't need to write it down, and put it in their wallet, it isn't strong enough, unless they have the rainman's memory and calculation abilities.

    difficult to remember with a wide variety of characters arranged in ways that do not spell or sound like an existing word combination = hard to crack

  59. Too Many Passwords! by shamowfski · · Score: 1

    I work for a health conglomerate. Each one of the specialized programs run at the hospitals requires a separate username/password. While the initial thought was greater security it has actually backfired in that with a simple perusal of a user's office you can generally find all of their user names and passwords. That is why single sign-on single password is far superior, because chances are they can handle the one username/password.

  60. Passwords under keyboard .... by Anonymous Coward · · Score: 0

    ...of course not. I keep mine under my phone.

  61. The Impenetrable Password by phobos13013 · · Score: 1

    qwerty
    works every time. Try to crack THAT one!

    --
    ...and it should be known by now
  62. Picture Passwords by spun · · Score: 4, Interesting

    One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, let's use a wavy line and start on e. Our 8 character password would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Picture Passwords by klang · · Score: 1

      ...and quick to include in a password guessing algorithm as well.

    2. Re:Picture Passwords by gowen · · Score: 2, Interesting
      These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
      Unfortunately, they're really easy to brute force. 40-odd starting positions, but then a maximum of only 8 directions in which to move for the next letter.

      Which means the size of the 8-character password space has been reduced by a factor of about 80,000. Yuck.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
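      To put the estimate above in concrete terms, here is an added example (not code from the thread or from any poster) that counts 8-key sequences in which every key is a neighbour of the previous one on a simplified QWERTY grid, and compares that with an ordinary 62-symbol alphabet. The grid model (row stagger ignored, a key's neighbours are the up to 8 surrounding cells), the 62-symbol comparison alphabet and the helper names are assumptions. The code only counts walks with dynamic programming; it never lists them.

```python
"""Count keyboard-walk ('picture') passwords and compare with a full alphabet.

Added example, not from the thread. The layout below is a simplified US QWERTY
grid; neighbours are the surrounding cells (assumption: no stagger, no shift).
"""
import math

# Constructed grid: digit row plus the three letter rows, 36 keys in total.
QWERTY_ROWS = [
    "1234567890",
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
]


def build_adjacency(rows):
    """Map each key to the keys in the (up to 8) cells around it."""
    pos = {}
    for r, row in enumerate(rows):
        for c, ch in enumerate(row):
            pos[ch] = (r, c)
    adj = {}
    for ch, (r, c) in pos.items():
        nbrs = []
        for dr in (-1, 0, 1):
            for dc in (-1, 0, 1):
                if dr == 0 and dc == 0:
                    continue
                rr, cc = r + dr, c + dc
                if 0 <= rr < len(rows) and 0 <= cc < len(rows[rr]):
                    nbrs.append(rows[rr][cc])
        adj[ch] = nbrs
    return adj


def count_walks(adj, length):
    """Number of key sequences of `length` keys where each key neighbours the
    previous one. Dynamic programming over the last key; nothing is enumerated."""
    counts = {k: 1 for k in adj}                      # walks of length 1
    for _ in range(length - 1):
        counts = {k: sum(counts[p] for p in adj[k]) for k in adj}
    return sum(counts.values())


def rough_estimate(starts=40, directions=8, length=8):
    """The comment's back-of-envelope figure: a start key, then one of 8
    directions for each further key (ignores keyboard edges)."""
    return starts * directions ** (length - 1)


def compare(length=8, alphabet=62):
    """Walk count vs. a uniform password over `alphabet` symbols (assumed 62:
    letters of both cases plus digits), with the equivalent bit strengths."""
    walks = count_walks(build_adjacency(QWERTY_ROWS), length)
    full = alphabet ** length
    return {
        "walks": walks,
        "full": full,
        "ratio": full / walks,
        "walk_bits": math.log2(walks),
        "full_bits": math.log2(full),
    }


if __name__ == "__main__":
    r = compare()
    print(f"rough estimate (40 x 8^7): {rough_estimate():,}")
    print(f"actual 8-key walks on the grid: {r['walks']:,} (~{r['walk_bits']:.1f} bits)")
    print(f"62^8 passwords: {r['full']:,} (~{r['full_bits']:.1f} bits)")
    print(f"keyspace shrinks by a factor of about {r['ratio']:,.0f}")
```

      The exact reduction factor depends on which alphabet the walk count is compared with; either way the walks sit in the tens of millions (well under 30 bits), which is why a password checker or cracking wordlist can cover the whole family cheaply.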
    3. Re:Picture Passwords by greed · · Score: 2, Insightful

      Those are great for shoulder-surfing, I can spot a "picture password" from across the room. Or across the Home Depot....

    4. Re:Picture Passwords by imsabbel · · Score: 1

      I heard of another picture password method:
      The password is a series of clicks on a picture the user submitted. The challenge is viewing the image, and the user does 4 or 5 clicks in the right areas. If the chi^2 of the x/y locations is lower than a threshold -> passed.
      For example, a shot from a concert and the right clicks would be bass drum->face of the singer->tits of chick in the first line->marschall logo on one of the speakers...
      Easy to remember, impossible to guess.

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
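      As an added example (not code from the thread), here is a tolerance-based matcher for a click-point password like the one described above, together with an upper bound on how much the scheme can offer. The comment only says the "chi^2 of the x/y locations" is compared with a threshold; the concrete rule here (squared click offsets normalised by a tolerance radius and summed over the clicks), the 20-pixel tolerance and the sample coordinates are assumptions.

```python
"""Tolerance matching for click-point (graphical) passwords.

Added example, not from the thread. The acceptance rule and the tolerance
radius are assumptions standing in for the comment's chi^2 threshold.
"""
import math
from typing import Sequence, Tuple

Point = Tuple[int, int]


def click_score(reference: Sequence[Point], attempt: Sequence[Point],
                tolerance: float) -> float:
    """Sum over clicks of (dx^2 + dy^2) / tolerance^2. A click inside the
    tolerance disc contributes less than 1; a wrong number of clicks is fatal."""
    if len(reference) != len(attempt):
        return math.inf
    return sum(((x - rx) ** 2 + (y - ry) ** 2) / tolerance ** 2
               for (rx, ry), (x, y) in zip(reference, attempt))


def clicks_match(reference: Sequence[Point], attempt: Sequence[Point],
                 tolerance: float = 20.0) -> bool:
    """Accept when the normalised score is below the number of clicks, i.e.
    the clicks land within `tolerance` pixels of their targets on average."""
    return click_score(reference, attempt, tolerance) < len(reference)


def keyspace_bits(width: int, height: int, tolerance: float, clicks: int) -> float:
    """Upper bound on the entropy. Clicks closer together than the tolerance
    are indistinguishable, so the image behaves like a grid of cells about
    2*tolerance on a side and each click selects one cell."""
    cells = (width / (2 * tolerance)) * (height / (2 * tolerance))
    return clicks * math.log2(cells)


# Constructed reference clicks for a 1024x768 image; a deployment would store
# these (or a hash of the quantised cells) per user.
REFERENCE = [(120, 640), (512, 200), (700, 350), (900, 480)]

if __name__ == "__main__":
    near = [(125, 636), (508, 204), (705, 344), (897, 486)]
    far = [(125, 636), (508, 204), (705, 344), (800, 486)]
    print("near attempt:", clicks_match(REFERENCE, near))   # True
    print("far attempt: ", clicks_match(REFERENCE, far))    # False
    print(f"at most {keyspace_bits(1024, 768, 20.0, 4):.1f} bits for 4 clicks")
```

      The bit count is an upper bound that assumes clicks are spread evenly over the image; in practice users pick the salient points of a picture, which concentrates the real choices into far fewer cells, and, as other replies note, the clicks are easy to observe over a shoulder.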
    5. Re:Picture Passwords by RollingThunder · · Score: 1

      Until they get a cybernetically boosted dolphin to crack your brain, that is.

    6. Re:Picture Passwords by rockypg · · Score: 1

      u make the life of over-the-shoulder-lookers extremely easy. i have one such guy in the office who look-guesses people's passwords just for kicks !

    7. Re:Picture Passwords by cjhuitt · · Score: 1

      A variation that will help some of the critiques that others have pointed out would be to utilize touch-typing skills, only intentionally misalign your fingers. For instance, use the word "variation" only move your left hand up one, and your right hand left one. That would give a password of "fq4uq5uib" (if I did it properly). The benefit of this is that the base is still easy to remember, and then you just need to remember the "offset", but the base doesn't have to conform to any well known pattern.

      This still leaves you somewhat open to dictionary attacks, of course - if you base your original word on a dictionary word, especially - but it increases the number of variations that need to be checked, as each hand could move in 8 or more different directions independently to produce the password.

      Another (somewhat similar) technique would be to learn a different key layout, like dvorak if you usually use qwerty, and type a word/phrase as you would on the other keyboard layout into the layout being used.

      Finally, if someone has 5 or so different tricks similar to this, and varies the tricks as they change their passwords, and most importantly don't tell anyone what trick they are using, it can greatly improve the password security.

      Following those lines, none of the techniques I just mentioned are what I use for my passwords right now...

    8. Re:Picture Passwords by Janek+Kozicki · · Score: 1
      and also try using TAB key if possible (sometimes tab is unusable, we know that)

      it's very useful when you know that you log only through ssh, for example, and not from web browser.

      --
      #
      #\ @ ? Colonize Mars
      #
    9. Re:Picture Passwords by Sax+Maniac · · Score: 1

      Not only that, you can listen to the number of keystrokes. Passwords are much easier to guess when you already know the number of characters. (That's why I type mine as blazingly fast as possible.)

      My best passphrases are shell command sequences. Something like:

      ps -ef | awk '/garble/ { print $3 }'

      They're easy to remember too. It's pretty easy to come up with new ones.

      --
      I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
    10. Re:Picture Passwords by vinn01 · · Score: 1

      The secret to picture passwords is speed and diversity. Meaning that you have to type it fast and spread it out all over the keyboard (not just a few adjacent keys).

      If you have to hunt and peck the keys, then a shoulder-surfer can get your password easily.

      Also, I'd guess that many brute force programs use common picture sequences, like using linear keys.

      I use "dual" picture passwords quite a bit. I start with both hands on the touch typist position. The passwords use characters from both the right and left hands. I can blast off my passwords in less than a second.

      I have no idea what I'm typing. I just type the sequence.

      The thing I hate is passwords that require uppercase letters. That really slows down the password entry. There is no way to precisely time the shift key press in the middle of a typing burst.

      That said, I much prefer using an RSA token over any password. I have far too many passwords, especially web passwords.

    11. Re:Picture Passwords by guyfromindia · · Score: 1

      one problem with this.. is that if you change keyboards/work on a different laptop (say dell v/s toshiba) .. there are chances that your password is skewed...

    12. Re:Picture Passwords by maximilln · · Score: 1

      I like this idea and the idea where some guy wrote a perl script to associate each letter of the alphabet with a 2 character combo and then stored the key in his wallet. Common words turned into crypto.

      I gave in to the open-air passwords on the notepad a long time ago. Except that I keep a simple crypto algorithm in my head. People who walk past my desk might think I'm leaving my passwords out in the open.

      I guess perception is 99% of reality. Maybe that's why I've never gotten a promotion.

      --
      +++ATHZ 99:5:80
    13. Re:Picture Passwords by Anonymous Coward · · Score: 0

      In North Korea only old people are interested in Farmicon data.

    14. Re:Picture Passwords by Gyorg_Lavode · · Score: 1

      or look at your computer. Plus that seems slightly hard to implement remotely.

      --
      I do security
    15. Re:Picture Passwords by eabell · · Score: 1

      Since the vast majority of people use qwerty keyboards, I think picture passwords would work better for the Dvorak users out there.

    16. Re:Picture Passwords by Anonymous Coward · · Score: 0

      4068?

      You call that a good password??

    17. Re:Picture Passwords by Anonymous Coward · · Score: 0

      I just changed countries, can you tell me what mz password was with a Cyech kezboard ? Thank zou.

    18. Re:Picture Passwords by Refrozen · · Score: 0

      That is REALLY easy for someone to identify however, all they have to do is watch you type it in, and it would be quite clear what you're typing.

    19. Re:Picture Passwords by toddestan · · Score: 1

      This works even better on Dvorak boards as the keys are all rearranged, so the passwords really do look like gibberish. The only problem is that I'll be logging into something on a computer with Qwerty and then I'll suddenly realize that I have absolutely no idea what the password actually is.

    20. Re:Picture Passwords by swiftstream · · Score: 1

      A favorite tactic of mine to confuse people who try to do this is to start typing the second half of the password and then hit the home key to move to the beginning. Backspace a couple times as well. Even funner if you have insert on.

      Nobody's ever succeeded in look-guessing my password

      --
      Be a PATRIOT--because the only thing we have to fear is the lack thereof.
  63. It's a no win scenario by JudgeFurious · · Score: 1

    Here we just let users pluck a password out their asses and keep it forever when I started. It had been that way since the dawn of time at this company and nobody wanted to change it. Admittedly we don't have much in the way of truly sensitive information but it was pretty lax.

    Finally we said ok, this is going to have to change in some way and we instituted some basic requirements. Minimum number of characters, must contain at least one capital letter and at least one lower case letter. Very simple right? Not much more effective than we had before either. Say a user's password had been "austin" before the change. That user simply changed it to "Austin1". I swear I think sometimes every knucklehead working here did that. At one time the support people here (all two of us) knew everyone's password by heart. Now when we aren't sure we try the old one with a capital letter at the beginning and the number "1" on the end and it works most of the time. When we get to the point where they have to change it again I'm betting it's going to change to "2".

    We've talked about forcing them to get complex but all that's going to do is generate a couple hundred post-its with passwords written on them at the various desks.

    --
    Appended to the end of comments you post. 120 chars.
  64. Security Focus by mslinux · · Score: 1

    The whole idea of computer and network security in today's world is fundamentally flawed. Everyone on Slashdot knows that the Internet was not designed to be secure. It was designed to collaborate, share data and to share computing resources.

    One cannot turn something into something it was never designed to be. One can only bend and twist the system so far... and the Internet, with all of its on-line commerce and banking, has been bent and twisted to the breaking point. Perhaps a total redesign is in order?

    Also, I take issue with all of the "Computer Security Professionals" who attended some week-long (often less) course on network security trying to convince all of their clients they consult with to use 16 char passwords, encrypted file systems, etc. Most Mom-&-Pop businesses do not need CIA-like computer security. They need patches, AV and basic firewalls, nothing more. And all of this frantic, absurd advice only causes lost productivity as it's far too complex and inconvenient for business.

    Mail servers used to forward every bit of mail that came their way. It was considered impolite not to. Today, it's considered SPAM to run an open mail relay. What would we all do if routers stopped forwarding packets? See what I mean? The Internet is broken thanks to all of the new "security" threats that used to be considered normal operating procedure.

  65. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0

    Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    speak for urself moron i found some sweet stuff on freshmeet so mi laptop is safe no matter what. mb u should try 2 learn about things b4 u talk idoit

  66. Obligatory Lego joke by LoverOfJoy · · Score: 1

    Bah, who needs passwords. I make my security out of legos.

  67. Dilbert knows. by antoy · · Score: 1
  68. My coworkers laughed at me a few days ago by CrazyJim1 · · Score: 1

    Them: So what do you want your password to be? Me: 1

  69. Forgotten passwords by SteroidMan · · Score: 1

    Don't forget that onerous password policies actually make your productivity and security go down. Scenario: New password policy requiring a new password every month and a password with 1 special character, 1 capital letter, 1 lower case letter, 1 number, at least 8 characters, no duplicated characters, and not more than 75 percent similar to any of your last 10 passwords. Your salesman is out of the office on a regular basis and needs to download the new data sheet before a customer pitch and can't remember the new password he chose 2 weeks ago and hasn't used since. (Lost productivity/sales) Your help desk agents now get 5X the password reset requests as they normally do on a Monday morning. The call wait times have gone up to as much as an hour. The other job functions they perform get neglected, causing increased system downtime. (Lost productivity) The harried help desk agents no longer ask all of the verification questions they are required to in order to decrease their call times. Callers outside the bank claim to be harried salesmen in order to get access to confidential documents. (Decreased security) Anyone still think more complicated passwords are the answer? Biometrics (voice for phone, fingerprint for physical access, and either for data) are required to improve security without destroying productivity.

  70. Repeat after me... by Dirtside · · Score: 1

    The fundamental maxim of security:

    Security is a process, not a product.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    1. Re:Repeat after me... by Garabito · · Score: 1

      Nah, my PC came with this 'Internet Security' thing...

  71. Passphrases vs. passwords by Skim123 · · Score: 1

    There was an interesting blog article by a Microsoft PSS employee about his recommendation for choosing passphrases as opposed to passwords. Worth a read. The main problem is a number of online sites don't allow spaces in passwords or limit the password to a short number of characters. For example, I tried to create an iTunes account with a phrase from a Pavement song but it wouldn't let me go over 32 characters or have any spaces in my password.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  72. Bookshelf Steganography by BurritoJ · · Score: 2, Interesting

    My solution to secure passwords is to look around my office, at my bookshelf, at the documents/notes/references on my desk and pick an unusual set of words, hAx0r the spelling, and mix in some special chars *$&% as appropriate and out comes a secure password, with locational mnemonics if I forget it. If someone manages to brute force 3tt3r_4Tran77 then I have got lots of other problems. Fortran77 w/ Numerical Methods by Etter if you're curious, and no... it's not actually a password in use.

    1. Re:Bookshelf Steganography by Kiryat+Malachi · · Score: 1

      Take a word (for example, the name of your current project at work, etc.). Rearrange the letters into an anagram. Pick a punctuation character. Insert that character every N characters into the anagram. Add a numeric at the end. This scheme will generate a password acceptable to just about every complexity checker, and if you use a memorizable remapping for the anagram (for example, first letter, 3rd letter, 5th letter..., 2nd letter, 4th letter, ....) all you have to remember is a word and a punctuation character.

      Example:

      I am working on project "fortran". I select a skip-letter remap, and get frrnota. I select * as my punctuation, and decide to add it after 3 characters. frr*not*a. My number is 2. frr*not*a2.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    2. Re:Bookshelf Steganography by GlobalEcho · · Score: 1

      Yeah, I tried that, using the ISBN or some other number on one of my CDs. It worked OK (the two or three times I needed that password) until I switched to MP3s and archived my CDs in a different city. The next time I needed that password, I was screwed.

      In retrospect, perhaps I could have found another copy online or at a store. But the moral is the same: it's easy to forget you are treating a book or CD or whatever as a password reference too, and woe betide anyone who loses their password reference material!

    3. Re:Bookshelf Steganography by BurritoJ · · Score: 1

      Heh... if my office 'gets archived' to another city, I've got much bigger worries than 'What was that pesky password.' Besides after a week, the password is instinctive anyway. The mnemonic is more for when the old password times out on Friday and I have to change it, then go on travel/vacation/whatever the next week, then come back to a new password. It's amazing how the littlest hint can help in that situation.

  73. Monitoring better than Rules by Java+Ape · · Score: 1
    I implement database security for a large company, and work closely with the system administrators. We have, per corporate policy, implemented the usual stuff: regular password changes, alphabet-soup requirements, no shared passwords. Highly secure systems also use two or even three factor authentication. We also do password-cracking semi-continuously, looking for weak passwords. It was nazi-land.

    Predictably, passwords were scrawled on post-its and under keyboards. It had become a mess, and the users were frustrated. In open disobedience to corporate policies, we've allowed shared passwords* (nobody can remember 75 passwords!), and relaxed the password change interval. Users are happier, and I see fewer post-its on the monitor.

    If corporate would listen to us, we'd relax things further. One thing we have done, that works well, is to monitor the devil out of logins. If you're going to hack a password, you'd better guess it correctly the first few times, or the security goons will be heading for your cubicle with a pink slip in hand. An aggressive anti-hacking policy and monitoring seems, to me at least, to be a better solution.

    *Actually, we can't officially allow shared accounts, but we can break the scripts that check for such things!

  74. PasswordSafe by Kallahar · · Score: 1

    I use the open source PasswordSafe. The original was written by Bruce Schneier, who worked on an AES finalist and runs CounterPane Security and writes the CryptoGram Newsletter.

    The program saves all your passwords in an encrypted file, which you then keep on your USB keychain. You only have to remember one password to open the safe, and then you can copy/paste your different username/passwords to the site that needs them. As long as you keep the data file on your keychain (and keep that with you) then you should be fairly secure. You can also make all your passwords 12 digit random alphanumerics (though some idiotic places limit your password length, never figured that one out...)

  75. Unreasonable Demands by Moonchen · · Score: 1

    The University of Texas at Austin recently implemented an "enhanced" password qualification system for their UTDirect service and required all users to change their passwords. On the surface this looked like a good idea. It required all passwords to include a letter (no requirement for upper/lower case), a number, and a symbol. No part of the password could contain a word from their (very extensive) lexicon.

    As I used the system, I discovered that these rules made it almost impossible for me to pick a good password that I can remember. For one, the requirement that no part of the password contain a word meant that the password had to be complete gibberish with symbols. To add to this, the system is not one that someone would use frequently, so by the time I had to use it a second time, I'd have already forgotten my password. In fact, iirc, I've had to reset my password each time I logged into the system. I have already written to the IT department but am still waiting for a response.

    As someone who has trouble remembering exact phrases, I find that the mnemonic methods that are suggested in the article do not work well for me. I find myself looking around my computer for phrases to use. (The security risk of that is obvious.) In the past, I've always picked a "weak" password and padded it with numbers or characters to make it strong. Can someone tell me why that is a bad thing to do? As a suggestion, I think there should be a password scoring system that rates how long it would take to brute force a user's password using an optimal algorithm, then allow users to incrementally strengthen their passwords until they are acceptable.

  76. Rotating passwords technique by bigberk · · Score: 1

    This is something I recently thought of (while studying human memory in a psychology course, actually). With some effort you can memorize a gibberish string of characters - perhaps to simplify this task you can make the task phonemically easy to repeat in your head - e.g. h@pabl8x... It would not be too difficult to commit a rather long string to long term memory.

    Anyway, once you have a well memorized long string, you could "generate" multiple passwords from it by using different parts of the string. Need a "new" password? Pick a different part of the big string, change your offset, substring length, etc.

    While I have several passwords, the main thing turning me away from changing passwords is that I will have to commit a new password to memory. With this technique (which I have not yet tried myself) you wouldn't have to really memorize anything new.

  77. Fool by Anonymous Coward · · Score: 0

    Why don't you have at least an 8 digit password?

  78. good passwords can be memorized by Anonymous Coward · · Score: 0

    It just takes a little effort. I wrote a short HTML page telling users how to create a good password and then

    recommended they keep their password in their wallet

    That is, until they had it memorized. Should only be a week of use (with daily login). And then I told them to eat the paper.

    The issue of hard-to-crack passwords v. ease-of-use depends on the attack vectors, too. A login that's externally accessible and can be brute-attacked with good speed should be complex.

    Oh, and I reminded the users that if their account were compromised because of insecure password, that it could devalue their investment in the company stock.

  79. Re:If the required dongle is a note under your kb. by magefile · · Score: 1

    Not necessarily - if you block off the BIOS (so it can't boot from CD), then physical dismemberment may be required. And that's not hard to watch out for, if people are in the office (compared with a "trusted individual" using Knoppix to access Windows' SAM file).

  80. Re:If the required dongle is a note under your kb. by Xofer+D · · Score: 1
    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.
    Unless of course the password is for authentication with some remote server. Maybe the keyboard is at home, and the server is at the bank.
    --
    The Signal/Noise ratio can be improved in two ways. Remaining silent is the OTHER way.
  81. Re:If the required dongle is a note under your kb. by Wolfger · · Score: 1

    Right. Who needs the password under the keyboard. If I'm at the keyboard with a Knoppix disk, I'm in. This is actually a great way to recover data when somebody leaves the company and doesn't pass on knowledge of a computer's usernames/passwords. Get anything valuable off the drive, and reformat.

  82. The article makes a good point: by RealAlaskan · · Score: 1
    The article makes a good point: security has to be designed around the limits of the system. One of the limits of the system is the fallible human memory.

    The article said (I read it on paper yesterday) that people can't remember lots of good passwords, and can't even remember one if it changes all the time. Therefore, they choose easy to crack passwords, or write down good passwords.

    The article has this quote:

    "It is not sensible to force people to change to a unique password every six months. You're inviting disaster," says Allen Gwinn, senior director of technology at the Cox School of Business at Southern Methodist University, who has spoken about security issues at trade shows.

    "Better to have a password that's two years old that someone can remember than a password that's just been changed that's been written down that somebody can find," Mr. Gwinn says.

    and this one:
    "All passwords can be broken within 45 to 60 days," says Carl Herberger, senior director of information security services for SunGard Availability Services. He recommends that companies force employers to change their passwords every month.

    The article doesn't take the silly position that the problem is the user, or say that security isn't being taken seriously. It does say that because of the fallible human memory, constant password changes can actually lessen security.

    Maybe it's time to give up on the password idea, and go to something else, like a hardware key. Maybe it's time, also, to put airgaps between the internet and computers with sensitive data.

    1. Re:The article makes a good point: by rjstanford · · Score: 1

      ...and this one:

      "All passwords can be broken within 45 to 60 days," says Carl Herberger, senior director of information security services for SunGard Availability Services. He recommends that companies force employers to change their passwords every month.


      Of course, this is predicated on some stupid-ass server being willing to answer the "Is this password correct?" question more than once every, oh, fifteen seconds. Heck, just answering it once per second would still kick that time way, way up. And that's assuming that there's no lockout-trigger.

      Personally, I don't see why lockout triggers can't be set at a threshold of, say, 100 consecutive bad attempts (maybe adding a limit of 250/week as well). That's low enough to confound brute force cracks, but high enough that you should never run into it, even if you're logging in while drunk or to report a broken arm to the helpdesk or something.

      --
      You're special forces then? That's great! I just love your olympics!
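      The thresholds proposed in this reply (a lock after 100 consecutive bad attempts, a cap of 250 per week) and the "monitor the devil out of logins" approach in comment #73 above both come down to the same bookkeeping, so here is one added example (not code from the thread or any product) that does both: it tracks a per-account run of failures and a rolling seven-day failure count, refuses logins once either limit is hit, and raises an alert for the security staff long before the lock trips. The rolling window, the alert threshold of 10, the `replay` helper and its `timestamp RESULT user=name` log format are assumptions; the sample log lines are constructed.

```python
"""Failed-login lockout with a monitoring hook.

Added example, not from the thread. Models a consecutive-failure lock, a
rolling weekly cap, and an early alert so that someone notices the attempts
before the user is ever locked out. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime


class LoginGuard:
    WEEK = 7 * 24 * 3600  # rolling window for the weekly cap, in seconds

    def __init__(self, consecutive_limit=100, weekly_limit=250, alert_after=10):
        self.consecutive_limit = consecutive_limit
        self.weekly_limit = weekly_limit
        self.alert_after = alert_after
        self._consecutive = defaultdict(int)   # current run of failures per user
        self._weekly = defaultdict(deque)      # failure timestamps per user
        self.alerts = []                       # (timestamp, user, run length)

    def _prune(self, user, now):
        q = self._weekly[user]
        while q and now - q[0] >= self.WEEK:
            q.popleft()

    def is_locked(self, user, now):
        self._prune(user, now)
        return (self._consecutive[user] >= self.consecutive_limit
                or len(self._weekly[user]) >= self.weekly_limit)

    def attempt(self, user, success, now):
        """Record one login attempt; returns 'ok', 'fail' or 'locked'.
        A locked account refuses even a correct password."""
        if self.is_locked(user, now):
            return "locked"
        if success:
            self._consecutive[user] = 0   # a good login ends the run
            return "ok"
        self._consecutive[user] += 1
        self._weekly[user].append(now)
        run = self._consecutive[user]
        if run == self.alert_after:       # page the admins, not the user
            self.alerts.append((now, user, run))
        return "locked" if self.is_locked(user, now) else "fail"

    def reset(self, user):
        """Help-desk reset: clears the consecutive run only; the weekly
        count still stands, so a repeat offender remains capped."""
        self._consecutive[user] = 0


LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)$")


def replay(lines, guard):
    """Feed 'timestamp RESULT user=name' lines (constructed format) through a guard."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        now = datetime.fromisoformat(m["ts"]).timestamp()
        out.append((m["user"], guard.attempt(m["user"], m["result"] == "OK", now)))
    return out


# Constructed sample: one good login for alice, then a dozen failures for bob
# followed by his eventual success. Twelve failures crosses the alert line (10)
# but is nowhere near the lock (100), so bob is never locked out.
SAMPLE_LOG = ["2005-01-03T08:00:00 OK   user=alice"] + [
    f"2005-01-03T08:01:{i:02d} FAIL user=bob" for i in range(12)
] + ["2005-01-03T08:02:00 OK   user=bob"]

if __name__ == "__main__":
    guard = LoginGuard()
    for user, result in replay(SAMPLE_LOG, guard):
        print(user, result)
    print("alerts:", guard.alerts)
```

      The point of the separate alert threshold is the one made in comment #73: the run of failures that a monitoring team wants to hear about is far shorter than the run at which it is worth inconveniencing the user, so the two numbers should be set independently.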
    2. Re:The article makes a good point: by RealAlaskan · · Score: 1
      I always figured that if you can't get your password right in 5 attempts, you need to sober up and talk to a sysadmin.

      Most of the systems I've been on limit logon attempts to 3 to 5 failures. I've never seen a big Unix system which allowed unlimited failed logon attempts (though I'm sure someone could point me to one).

      Maybe the question we should be asking is: if there are tens of thousands of failed logon attempts for a single userid over a period of days, why isn't someone noticing and taking action? Why blame it on the user?

    3. Re:The article makes a good point: by rjstanford · · Score: 1

      Most of the systems I've been on limit logon attempts to 3 to 5 failures. I've never seen a big Unix system which allowed unlimited failed logon attempts (though I'm sure someone could point me to one).

      I guess my thought here is that if you have a low limit - like five - you will confound an automated attack but the user may still run into the situation. With a higher limit, like 100, you confound the automated attack almost exactly as much, but the user doesn't even know about it.

      I guess this would be more susceptible to human-engineering type attacks, like running through your children's names, but a decent (but not sadistic) set of requirements as far as things like alphanumerics should fix this.

      I always figured that if you can't get your password right in 5 attempts, you need to sober up and talk to a sysadmin

      I would agree with this - if and only if the sysadmin is available 24/7 and willing and able to validate your identity and get you into your account within a very short amount of time. Maybe have a policy of three free counter-resets (requiring no ID process) that would let your road-warrior-with-presentation get back into their system after their nephew locked them out, but would trigger a system watch on that login to make sure that nothing nefarious is going on?

      --
      You're special forces then? That's great! I just love your olympics!
  83. Re: Open source and security by Anonymous Coward · · Score: 0, Flamebait

    The problem with open source operating systems is that since everybody has the source, anyone can trace passwords whenever programs access them. Is it a wonder that Linux is the most hacked into operating system in the world? I think not.

  84. Re:If the required dongle is a note under your kb. by Scott+Wood · · Score: 1

    Having physical access usually means they can compromise the local machine (though perhaps not without attracting the suspicion of others nearby, if any); it does not necessarily mean they can compromise whatever network account, PGP key, etc. that the post-it under the keyboard might contain a password for.

    If passwords absolutely must be written down, a better way might be to keep half of the password at the terminal and the other half in one's wallet, making sure that the password is long enough that neither half is easily guessable. Alternatively, rarely used passwords can be stored someplace that is protected (and preferably encrypted) by passwords which are more commonly used (and thus more easily memorized).

    It isn't that difficult to create passwords (for example, by using a pronounceable-password generator, or using the initials of a long-ish phrase (or the phrase itself)) that, while not as secure as line-noise-style passwords of equal length, are still substantially more secure than "12345", "letmein", or the name of the company. It helps when the system doesn't impose stupidly low maximum password lengths, of course...

  85. Where are those mod points when I need them? by Anonymous Coward · · Score: 0

    At work they require us to have those unmemorizable passwords, so I just tatooed it on my cock where it's always 'handy'. Had a bit of trouble when they increased the length from 6 to 8 letters. Those last two letters hurt quite a lot.
    This last paragraph is priceless. Albeit, a bit too strong for a public forum.

    May I suggest that if you ever choose to follow this same approach for your private PGP key, you downgrade your security to 8 bits?

  86. Too Many Passwords by acomj · · Score: 1

    I have about 5-7 different passwords at work. Unix1/Unix2/windows/Notes
    and the web based.payroll/timecard/training/
    etc...

    The problem is they
    1. All have different rules (8+ char upper/lower etc).
    2. Have different times to expire
    3. Have different cycles (i.e. can't use last 7...)
    4. Have different tolerances on how often you can get them wrong

    Life was good until step 4 was implemented. Unix machines lock you out after 3 bad attempts.
    so you have to call a sys admin

    Also implemented on the web based timecard system. Again 4x wrong and a phone call is required. Not fun to be locked out of your timecard.

    It's very very frustrating, mostly because I used to be able to cycle through my 8 passwords with relative impunity and not complain.

    The company has yet to embrace a consistent password policy.

  87. Yes, 8 characters IS too much to ask... by grumbel · · Score: 1

    Sure you might say that 8 characters are easy to remember and if you form sentences with them you have some good help remembering them. However this is only true if you have to remember few passwords and use them frequently. As soon as you start to have lots of passwords (remember internet, where each and every webforum wants to have a password of its own), some of which you don't use all that frequently, you are basically lost. For sure you will forget at least some of them, people simply arn't build for long term memorizion of long obscure combinations of letters or sentences, simply doesn't work.

    The throuble is really that hardware hasn't catched up, or well it has, but not on the common mans computer. Things like HBCI demonstrate that a relativly easy to use secure way to handle logins is possible. Why not have a smartcard to handle all your logins to all webpages and stuff on the internet? Have the smartcard protected with one passphrase, not a different passphrase for each webpage and people would have much less throuble keeping stuff secure. The card would simply something to be carried arround like a key. Sure, you might need a dedicated reader for them to have it really secure (ie. protected against keyloggers), but if produced for the masses it really shouldn't be that difficult to make it rather cheap, with new PCs it could even be build in.

    Technically it's really not that difficult to allow people to have a secure way to handle logins; the trouble is only that people would need to agree on a standard, which is as always way more difficult than building such a thing in the first place.

  88. "Any password can be cracked in 45-60 days" by MntlChaos · · Score: 1

    Why do people continue to have this notion that any password can be cracked in a couple of months? Adequate lockout techniques along with monitoring of failures means that it could take much, much longer to guess a password.

    1. Re:"Any password can be cracked in 45-60 days" by 2mcm · · Score: 0

      Not to mention the fact that if the password is 15 random characters long ( no u/l case or number ) it would take 25^15 or 931322574615478515625 attempts to brute force . Even if it could be done in a single clock cycle at 2GHz it would take .. 931322574615478515625/2000000000 seconds which is about 15000 years.

      But this would require a password of decent length ( some of mine are this long ) and an algorithm that is secure. Plus getting access to the hash itself would be a problem.

    2. Re:"Any password can be cracked in 45-60 days" by lamber45 · · Score: 1
      There are a lot of factors that one can consider in an argument about "how long it would take" to brute-force a password, and a 15-character random password is not necessarily "stronger" against all attacks considered together than an 8-character one. These include:
      • A coworker (for reference to the article) watching over your shoulder as you type;
      • A keylogger installed on the machine you're using;
      • A sniffer reading unencrypted network traffic;
      • The user types the password in cleartext in the "UserID" prompt instead of the "Password" prompt, and a third party sees it;
      • A security-camera records you typing your password;
      • The application stores passwords in the clear (perhaps for propagation to a single-sign-on system or for checking to make sure passwords aren't reused), and the clear-store gets compromised somehow;
      • The application stores hashes of passwords and someone gets a hold of the hashes and does a brute-force offline search;
      • An attacker tries random (or guessed) passwords until he gains access
      All of these could happen the first day a password is used, or might not happen to a given password over the course of several years. It all depends on a lot of other factors, and ability to respond to a compromised password is equally as important as preventing it in the first place. Here are some ideas for how to make systems safer:
      • In new applications, passwords should be stored salted and hashed, and raw access to the password-store should be restricted;
      • Login failures should be logged and investigated, and users should have easy (read-only) access to their own login history and other accounting data;
      • Timed lockouts should be implemented, so that the number of keys a given attacker can try before being IP-blocked or physically apprehended is less than (say) 10;
      • Once the above are in place, a suggestion or requirement that users choose (or use) long, cryptographically-random passwords is perfectly reasonable. Arbitrary tests ostensibly designed to "prevent weak passwords" do not necessarily do so in a cryptographic sense, but have the fringe benefit of preventing some users from using the same password with this organization and another one with competing interests.
      I can think of one situation where an organization might want to force password expiry: let's say the organization's accounts are used to control access to some shared resource that is also useful to people outside the organization (like an Internet-dialin modem pool or full-text access to an online journal subscription). An organization-member "helps out" his friend/family-member/roommate/whatever by typing his password in for the other person in Windows Dial-Up Networking or in the "Remember this Password" box of IE or Mozilla. If the password is never changed, the fourth party could still be getting a free ride several years later.

      Even if users are sharing their passwords, forcing users to change their passwords doesn't solve the fundamental problem. Sure, the first time such a policy is tried in an organization that's been really lax it might cut recreational use of the modem-pool by 90%, but restricting users to one login at a time on a certain class of resources could do the same thing. It also sounds like the systems mentioned in the article tend to be high-security systems that wouldn't be used for such peripheral functions, anyway. Finally, the idea behind UserID/password authentication systems is that the user is willing to be responsible for the security of his own password; if that's not a valid assumption, the organization should look into physical tokens, biometric identifiers, or old-style non-uid-keyed passwords ("The password for the week is Charlie Seven Foxtrot Niner; write it down!")
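As an added example (not code from lamber45's post or from any system mentioned in the thread), here is a minimal Python login backend that implements the first three suggestions above: salted, iterated hashes with no raw access to the password store, a per-user audit log that the user could be shown, and a timed lockout that caps guesses per window. The PBKDF2 cost, the five-failure cap and the fifteen-minute window are assumed values.

```python
"""Added example: salted hashes, failure logging and a timed lockout.
Not code from the thread; cost parameters and limits are assumptions."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000   # assumed work factor
MAX_FAILURES = 5              # assumed cap, under the "less than 10" suggested above
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window


class AuthStore:
    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can move time forward
        self._users = {}           # user -> (salt, pbkdf2 hash); never exposed raw
        self._failures = {}        # user -> timestamps of failures inside the window
        self.audit_log = []        # (timestamp, user, event) for investigation

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)      # per-user salt defeats precomputed tables
        self._users[user] = (salt, self._hash(password, salt))

    def _recent_failures(self, user: str, now: float) -> list:
        """Drop failures older than the window and return the live list."""
        window_start = now - LOCKOUT_SECONDS
        recent = [t for t in self._failures.get(user, []) if t >= window_start]
        self._failures[user] = recent
        return recent

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked_out'."""
        now = self._clock()
        recent = self._recent_failures(user, now)
        if len(recent) >= MAX_FAILURES:
            self.audit_log.append((now, user, "locked_out"))
            return "locked_out"
        record = self._users.get(user)
        # Do the same hashing work for unknown users so response time
        # does not reveal which usernames exist.
        salt, expected = record if record else (b"\x00" * 16, b"")
        candidate = self._hash(password, salt)
        if record is not None and hmac.compare_digest(candidate, expected):
            self._failures[user] = []
            self.audit_log.append((now, user, "success"))
            return "ok"
        recent.append(now)
        self.audit_log.append((now, user, "failure"))
        return "bad_password"

    def history(self, user: str) -> list:
        """Read-only view of a user's own login events, as suggested above."""
        return [(t, event) for (t, u, event) in self.audit_log if u == user]
```

The clock is injectable so the lockout window can be exercised without sleeping. A lockout keyed only on the username also lets anyone lock a legitimate user out by guessing wrongly on purpose, which is why the post pairs it with IP-blocking and investigation of the failure log rather than relying on the counter alone.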

  89. Re:Why should the users be conserned about securit by Anonymous Coward · · Score: 0

    "All the education in the world..."

    Dude, you need to get a little slice of that education pie.

    SPELLCHECK!

    I won't even mention the horrid grammar. Okay, I will.

  90. Admit it... by Anonymous Coward · · Score: 1, Funny

    Admit it, you "forget" your password on purpose sometimes, don't you?

    You sick bastard.

  91. Re:Why should the users be conserned about securit by jimicus · · Score: 1

    IMO, it's not an IT problem. It's an information security problem.

    The two things are subtly different. It's easy to explain to someone that there may be paper on your desk which has confidential information on it which must be securely disposed of. Failure to keep such information secure can in many businesses lead to disciplinary action. This is something which has been the case for some time, it's why shredders exist.

    It's not a great leap to explain that the computer system gives access to equally sensitive information and thus must be similarly protected. The IT department can do some things about this but they can't physically stop you writing down your password on a post-it. Therefore, not only does there need to be a formal security policy, it needs buy-in from management and HR.

    To put it another way, if the accounts department thought you were regularly trying to fiddle your expenses, they wouldn't approach you directly. They'd go to your manager, who would speak to HR etc etc. You'd expect management to take such allegations seriously, investigate and take action as appropriate. Similarly, a security policy needs management acceptance so a similar procedure can be followed.

    I'm not suggesting you try and get everyone who uses their surname as a password sacked - you'd have nobody left if you did that - but a combination of education together with the ability to back up any statement of company policy regarding secure passwords will help.

  92. Drowning in passwords by Moosifer · · Score: 1

    I perceive part of the problem to be the fact that everything online today requires a password, trivializing the importance of passwords, and forcing people down a path of selecting weak passwords as a result of over-exposure. I've taken to using two classes of passwords: the important stuff (banking, shopping, network authentication, etc.) where identity counts (because there's something of value at stake) gets a strong, unique, rotating password. Everything else (mailing lists, forums, bogus email accounts, etc.) gets the same shared password - easy to remember, nothing valuable lost if it's compromised. Please don't capitalize on this confession by trying to steal my valueless identity.

  93. My bank used SSN and last four digits for online.. by Anonymous Coward · · Score: 0

    I couldn't believe my bank would do such a thing; it was obvious when they asked for my 9 digit account number and then to enter the last four digits of my SSN.

    I went in and raised bloody hell. I mentioned every doctor and dentist in town uses SSNs, the Water company wants SSNs, it's illegal but they do it anyway because people don't know their rights.

    Anyway I told them that no part of an SSN should be used as an account name or password, as for older folks it's easy to guess based upon where they were born. Plus password crackers can be used to guess people's dumb passwords like Scruffy or 12301978.

    So they immediately made changes and allowed people to change their online account names and passwords at will.

    The stupidity of people, especially IT people working at some banks, never ceases to amaze me.

    Then they use M$ for their internal banking and ATM machines, just plain STUPID!!

  94. Easy way to make up passwords by LouCifer · · Score: 0

    ..that seem randomly-generated to the end luser:

    Pick a passphrase, take each letter and then substitute the letter/number immediately above and to the right of it.

    In other words,

    PASSWORD becomes _WEE305R
    Slashdot becomes Epweur06
    Goatse becomes Y0w6e4
    Tubgirl becomes 68hy95p

    etc.

    If your passphrase already contains a number, just use the extended character for it ("5" is now "%", etc)

    --
    Religion is for people afraid of going to hell.
  95. easy to remember != easy to guess by JavaRob · · Score: 1

    I have the same problem with work, in that they require a password change every few months.

    Like most people, I have a few passwords I use for everything. My work password goes through 4 different ones (Windows won't let you reuse any of the previous few passwords, but it forgets after 4 and you can restart)... but those are just simple keyboard variations on one char, so I don't get lost.

    E.g., if my work password were 1*euFId I'd just revolve through 1*euFOd, 1*euFPd, 1*euF{d (just shifting that one character right-wards on the keyboard IOP{). Then start over.

    That takes the memory issue out of it, and I don't have to write down that password anywhere.

    My other suggestion is to learn passwords *on the keyboard*. Unless you switch Dvorak-QWERTY for some reason, you can just memorize where your fingers go, and a few simple words -- skewed -- can make a pretty tough password. Something that's part real-word, part keyboard pattern, and with the shift key held down somewhere in there (which has the benefit of turning any numbers into special characters) can work really well but still be easy to remember.

    1. Re:easy to remember != easy to guess by biglig2 · · Score: 1

      That's exactly what I do. Pick a random bunch of letters near each other on the keyboard and type it 25 times. My hands know how to type it - although I don't know what it is past the first letter, muscle memory does. Also I can type it in the dark...

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    2. Re:easy to remember != easy to guess by Zuvis · · Score: 1

      I just change mine 4 times then and there, and I'm back to my old faithful work password.

    3. Re:easy to remember != easy to guess by rjstanford · · Score: 1

      Same here. Except that at my last company it was ten - they didn't have a minimum change time though. I just did:

      password: realPassword
      You must change your password!
      new password: realPassword0
      new password: realPassword1
      new password: realPassword2
      new password: realPassword3 ...
      new password: realPassword

      [Sigh]

      --
      You're special forces then? That's great! I just love your olympics!
    4. Re:easy to remember != easy to guess by magefile · · Score: 1

      So? You're saying you can't type arbitrary text in the dark? I typed this without looking at the keyboard, simply by lining my fingers up with the bumps on the f and j (ok, I cheated to check which letters the bumps were on when I typed that last part).

    5. Re:easy to remember != easy to guess by arminw · · Score: 1

      ....they require a password change every few months...

      I have one single easy to remember alphanumeric password I have used for about 5 years now. It lets me log into my computer, which then unlocks the keychain which contains at least 15 passwords. Whenever I get asked to change some password, I change it in the keychain and on that server/system to some random string of ASCII codes which I never need to remember. For most systems, the keychain supplies the new password when prompted, but for some I have to look it up in the keychain and type or paste it into the login screen. Unless someone would know or guess my master password, all passwords are safe.

      --
      All theory is gray
    6. Re:easy to remember != easy to guess by biglig2 · · Score: 1

      I am aware that there is an invention called touch-typing, yes.

      However, like all sysadmins, I take a perverse pride in not using such methods, but instead being able to two-finger type as fast as most touch-typists. Not as elegant as a lightsaber, a clumsy weapon for a more random time...

      Actually, I knew a sysadmin once who could touch-type, and it used to scare the bejeesus out of the rest of us when she did.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
  96. Re:If the required dongle is a note under your kb. by nizo · · Score: 5, Interesting
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
    a E9 b ?p c &m
    d 6K e aY f eP
    g !S h gn i D=
    j Hd k vw l Cb
    m W5 n 4$ o R3
    p x% q 7M r NF
    s +2 t s* u Ay
    v fL w zG x Zu
    y cX z Qr
    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than to get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
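As an added example (nizo's Perl script is not on the page, and this is not it), here is the same idea in Python: a card that maps each letter to a random two-character token drawn with the secrets module, a printer for the rows shown above, and the derivation that turns a remembered word into the password. The token alphabet is an assumption; the card from the post is re-entered as sample data so the "bank" derivation can be checked.

```python
"""Added example, not nizo's script: random substitution card and word-to-password derivation."""
import secrets
import string

# Assumed set of characters a card cell may contain.
CELL_ALPHABET = string.ascii_letters + string.digits + "!$%&*+=?@^"
CELL_LENGTH = 2


def make_card(rng=secrets.choice) -> dict:
    """Map each lowercase letter to a fresh random CELL_LENGTH-character token.

    secrets.choice draws from the OS CSPRNG, so the card itself carries the entropy."""
    return {letter: "".join(rng(CELL_ALPHABET) for _ in range(CELL_LENGTH))
            for letter in string.ascii_lowercase}


def render_card(card: dict, columns: int = 3) -> str:
    """Lay the card out in rows of 'letter token' pairs like the printed version."""
    cells = [f"{letter} {token}" for letter, token in sorted(card.items())]
    rows = [" ".join(cells[i:i + columns]) for i in range(0, len(cells), columns)]
    return "\n".join(rows)


def derive_password(card: dict, word: str) -> str:
    """Concatenate the card tokens for each letter of the remembered word."""
    return "".join(card[ch] for ch in word.lower())


# The card printed in the post above, re-entered here as sample data.
SAMPLE_CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

if __name__ == "__main__":
    card = make_card()
    print(render_card(card))
    print(derive_password(card, "bank"))
```

Each letter of the word contributes two characters chosen from the whole cell alphabet, so a four-letter word yields an eight-character password whose strength comes from the card, not the word. Once the card is lost the word is all that protects the password, which is the trade-off the post describes.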
  97. Learn and use a non-Roman character set! by Anonymous Coward · · Score: 0

    If you are determined to keep a "cheat sheet" on paper, you can enhance your security immensely if you write in a non-Roman character set, as long as most of the people around you aren't familiar with it.

    It's easy enough to remember that in your personal code, the Hebrew "aleph" corresponds to "A" and "beth" to "B". And so on. Just don't try using this technique in Tel Aviv.

    Monolingual geeks might prefer to use ASCII or EBCDIC codes instead. If a non-geek sees your piece of paper with "656667" written down, he will probably not figure out that you are coding "ABC". For additional obscurity, you could use octal or hexadecimal ASCII codes.

    Yes, it's better to keep it all in your head. But when that's not realistic, it's good to know that you can apply your knowledge of Devanagari or Korean or ASCII to a worthwhile pursuit.

    1. Re:Learn and use a non-Roman character set! by Heian-794 · · Score: 1

      My passwords rotate every three weeks, and often I do just what AC above suggests and write my password in an obscure combination of Cyrillic, Arabic, and names of baseball players (position the guy plays = number). The biggest problem I find when your passwords change frequently is that your account will be locked up after THREE errors. Someone running some kind of script would be able to make many more than four attempts; three mis-types does NOT mean you're a nefarious hacker! 1. accidentally using old password 2. recall what you think is the new one, but the system won't accept it; maybe your finger slipped 3. get it right this time, or else! (And in my company, "or else" means asking a logged-in co-worker to go to the intra-company database and let you fill in a form asking for a password reset. This is then printed out and stamped by your immediate boss and the head of the systems department. Given the lost time and productivity for all parties involved, the humiliation is enough to keep people from ever forgetting or mis-typing!)

  98. Why passwords? by Todd+Knarr · · Score: 1

    I guess my question would be, why worry about passwords? Today, if I wanted to gain access to someone's account, I wouldn't bother trying to crack their password. I can get in faster through social engineering (get them to just tell me what their current password is) or, if I don't want to risk direct contact, infecting their computer with malware that lets them enter the password and then uses their current credentials. Note that the latter is even more effective in environments that have gone heavily to Active Directory and single-sign-on, since once I get my program running under the logged-in user account the system itself will handle most of the authentication for me by design.

  99. Not only that by DaveAtFraud · · Score: 1

    All passwords are not created equal but I have yet to find an IT shop that didn't apply the same password policy to everyone. Thus, if I come up with some really hard to guess password that is constructed using typical techniques (e.g., take a phrase, take the first letter from each word in the phrase, substitute numbers and special characters for some of the characters, randomly mix case on the remaining alphabetic characters), I still get my password expired after 30 days the same as some bozo who uses "password" (or their name, or their SO's name, etc.) as their password.

    So now multiply that seven different passwords by 12 and then assume that some of the systems won't be accessed as frequently as others ("Now what was the mnemonic for the server? 'Mary had a little lamb?' Or was that last month's? Or is that the inventory database? Or was that junior's new password?").

    Yes, it is way too much to ask.

    --
    They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
    Ben
  100. Stupid Policies, Not Stupid Users. by Hank+Reardon · · Score: 4, Informative

    What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

    For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

    I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

    The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

    What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

    I wish we'd switch to RADIUS.

    --
    There's so little difference between politics and jihad lately...
    1. Re:Stupid Policies, Not Stupid Users. by jdreed1024 · · Score: 2, Interesting
      Amen to that. Now, admittedly, having one password for all your services is kind of bad, since it's a single point of failure. But what's worse is the obscure requirements some websites have. Here's a list of the password requirements for all sites I use on a daily basis:
      • 6-8 characters, containing at least 1 number and 1 letter, the number must not be the first or last character. No special characters. Password cannot be the old one if you change it.
      • 4 character maximum, only letters and numbers.
      • 6 characters, only capital letters and numbers, no lowercase
      • 8 characters, may not share any characters with your login id
      And that's just the ones I can think of off the top of my head. Of course, my main account that I use daily uses Kerberos, so I can have passwords up to 255 characters, including punctuation. My bank website also has a sane system that allows me to use my usual password-derivation method (pick interesting phrase or sentence, take first letter of every word, and punctuation marks, and combine with a number).

      The thing that really got me was the 4 character password. I called them and they said it was "more secure". Alas it was only a phone droid, so there was no point arguing, but wow.

      Of course, the most insecure password for anyone in the US is probably their PIN for their ATM card. It's only 4 digits, each from the set 0-9. That's pretty trivial to brute-force. The only reason not to is because all ATMs have cameras, so the more you visit (most ATMs eat the card after 3-4 incorrect PINs), the more chance you have of being caught on camera. Why we can't move to variable length PIN numbers is beyond me.
      <troll> Probably because Diebold is too busy rigging elections to come out with better ATMs </troll>

      --
      There is no sig, there is only Zuul.
    2. Re:Stupid Policies, Not Stupid Users. by mutterc · · Score: 1
      There's no good reason to require different passwords for services that are under the same administrative control (such as your company's email and domain).

      I like Yaps (Yet Another Password Safe) for the Palm Pilot. All my passwords go there; the db is Blowfish-encrypted, so its passphrase is the only one that I absolutely have to commit to memory.

      For one of my Web apps I did a sessionid-generation routine that just alphanumericizes some bytes from /dev/urandom. When I need a new password I just run that and pick the first N or so characters (maybe replacing one or two with punctuation, depending on mood).
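As an added example (not mutterc's routine and not the employer's policy code), the block below covers both the monthly policy quoted by Hank Reardon above (8+ characters, an uppercase letter, a digit and a punctuation mark) and mutterc's habit of cutting passwords from OS randomness: a checker that reports which rules a candidate fails, and a generator that draws from the OS CSPRNG through the secrets module and retries until the checker passes. The accepted punctuation set and the default length are assumptions.

```python
"""Added example: policy checker plus CSPRNG-backed generator. Not code from the thread."""
import secrets
import string

PUNCTUATION = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed set of accepted punctuation
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION


def check_policy(password: str, min_length: int = 8) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no_punctuation")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw each character uniformly from ALPHABET and retry until the policy passes.

    secrets.choice is unbiased; reducing raw urandom bytes modulo the alphabet
    size would favour the first few characters of the alphabet."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, min_length=length):
            return candidate
```

The checker is exactly as blind as the policy it encodes: "WebApp-01!" passes every rule, which is the thread's complaint, while a generated 16-character string passes the same rules with far more entropy. Rejection sampling keeps the generator uniform over the strings that satisfy the policy instead of forcing specific positions to hold a digit or a capital.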

    3. Re:Stupid Policies, Not Stupid Users. by Anonymous Coward · · Score: 0

      Also if the cracker knew that you had those criteria they could just bypass using all combinations that have all lower case and always include a punctuation mark.

    4. Re:Stupid Policies, Not Stupid Users. by vinn01 · · Score: 1


      Watch out if you use long passwords for some accounts.

      I used a nice long password/passphrase for a mainframe that I worked on. When it came time to change it 30 days later, I had a very hard time because of a requirement that there be at least 3 characters that were not in the old password. I guess this was to deter people from using only slight variations of their old password.

      I had a hell of a time finding 3 characters that I had not used before.

    5. Re:Stupid Policies, Not Stupid Users. by lucason · · Score: 1

      Think of a twelve-plus letter phrase or word.

      Like for instance "welikeslashdot"
      It's the 12th month of 2004 so we combine the 12th letter with the 4th "di"

      Now you can use "UserID@WebApp-di" and next month you use "UserID@Webapp-wk"

      That way others will not be able to guess next months password with quite as much ease.

      Ok, maybe it's stupid, but it works for me.

    6. Re:Stupid Policies, Not Stupid Users. by Anonymous Coward · · Score: 0

      AMEN. Wish I had mod points today.

      And not only are there arbitrary restrictions, it is darn near impossible to remember what they are. It's probably wise from a security perspective that the sites don't say, "Wrong password. It must be 6 characters or less with at least one non-alpha." But it makes it REALLY hard to remember the ad-hoc truncated password I came up with. Especially when it's something like my 401k plan, which I check maybe 3x per year (and ALWAYS have to call the provider because I forgot my password).

    7. Re:Stupid Policies, Not Stupid Users. by legirons · · Score: 1

      "My bank website also has a sane system that allows me to use my usual password-derivation method (pick interesting phrase or sentence, take first letter of every word, and punctuation marks, and combine with a number."

      You might want to check those passwords against a cracking dictionary (e.g. elcomsoft.com) before continuing to use them -- lots of common phrases are listed by their initials, and all the "is3scsi" or "tbgwnmhgb"-type passwords should be just as vulnerable as standard English words.

    8. Re:Stupid Policies, Not Stupid Users. by evilviper · · Score: 1
      Of course, the most insecure password for anyone in the US is probably their PIN for their ATM card.

      That would be true if:
      A) It didn't also require the physical key.
      and
      B) You could avoid physically entering it.

      See, you can't brute-force an ATM.

      All online banking (in my experience) requires a lot more than just your PIN number.

      With those issues in-place, your PIN number is quite secure.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    9. Re:Stupid Policies, Not Stupid Users. by Delita · · Score: 1

      It's also worth noting that a PIN is not limited to 4 numbers. I'm not sure what the limit is, but I know it's more than four.

    10. Re:Stupid Policies, Not Stupid Users. by Anonymous Coward · · Score: 0

      Ask the person who created this stupid policy to show you their keychain. Then ask them if all of those keys are less than a month old. If not, point out to them that they should rekey all their locks on a monthly basis in order to be secure. Or more often if the keys are compromised by letting someone with a very good memory see them.

    11. Re:Stupid Policies, Not Stupid Users. by green1 · · Score: 1

      my password gripes... for work I have the following passwords to deal with:

      first the "normal" ones:
      - 4-8 characters, only letters and numbers, never need to change
      - 7 character only numbers, changes every 2 months, remembers 4 or 5
      - 4-8 characters letters and/or numbers changes every 4 months

      then the annoying:
      - 4-8 characters, alpha-numeric changes monthly, remembers your last 12(maybe more) (I use this system less than once a month, as a result I have to reset the password every time I log in, and I NEVER remember it)

      the bizarre:
      - 6-7 characters, the first 4-5 must be letters, the last 2 must be numbers, changes never (this is supposed to be secure... or something...)

      the simple, user friendly and reasonably secure ones:
      - a secure-id (with 4 digit pin)
      - a voice print login (ok, in truth I have no idea how secure this is, but so far I've never managed to authenticate as someone else... (of course I can only authenticate as myself half the time...)

      these systems are all related, and all similar, with similar access levels, most of them encompass a few systems, but I suppose it would be too convenient if they got it all under one authentication (I'd even be willing to change the password monthly, or maybe weekly if it meant only one to remember...)

      and while we're on the subject, one other one to complain about... I managed to find a bank whose online banking website password must be entirely numeric and exactly 4 digits long (they've now upped it to allow up to 6 for increased security). This makes me a little nervous...

    12. Re:Stupid Policies, Not Stupid Users. by Anonymous Coward · · Score: 0
      All online banking (in my experience) requires a lot more than just your PIN number.

      Not true. The former Fleet Banks' online banking service forces you to use your ATM PIN as your login password for online banking. Four numeric digits gives you full access to your bank account. A hacker's wet dream...

    13. Re:Stupid Policies, Not Stupid Users. by Anonymous Coward · · Score: 0
      The only reason not to is because all ATMs have cameras, so the more you visit (most ATMS eat the card after 3-4 incorrect PINs), the more chance you have of being caught on camera.

      Except that some banks (e.g. Fleet--now Bank of America) force you to use your ATM PIN as your password for online banking.

    14. Re:Stupid Policies, Not Stupid Users. by srleffler · · Score: 1

      Yes, but the number of such combinations greatly exceeds the number of combinations consisting of only lowercase letters. Given that most naive users will, in the absence of a constraint, choose a password of only lowercase letters, this increases security overall. You're trading a small decrease in security for the people who would use all lower case with one punctuation mark regardless of constraints, in exchange for a larger increase in security for the much larger pool of people who would use all lowercase if they could.

    15. Re:Stupid Policies, Not Stupid Users. by srleffler · · Score: 1
      Also, I have run into problems with websites and software that will appear to accept a long password when you are creating it, but internally truncate it to some number of characters (usually eight). When you go to log in, some such sites/programs will only accept the truncated password. Entering the full original password produces a failed login.

      I really, really wish this stupid historical 8 character limit on passwords would go away. There is absolutely no reason ever to prevent someone from making a password longer than eight characters. You need some upper limit of course, but why not 20 or 30?

  101. Password Sanity by neomiasma · · Score: 1

    If we want to have password security, it would help to have password sanity.

    --

    -------
    And we also have a cancel button...in case you don't want toast.
  102. Password aging. by Z00L00K · · Score: 1
    Another reason for password aging is to be able to lock out users who have ended their employment. I know it's a lazy way to do it, but it is at least catching some cases in a large organization.

    In most cases the password aging system only has a buffer of your five last passwords or so, which means that you can cycle through five dummies and then go back to your pet password again!

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
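As an added example (not code from any post here), the check below is what rjstanford's "realPassword0 ... realPassword" cycle and Z00L00K's five-dummies trick look like from the server side once both halves of the fix are in place: a salted hash of the last few passwords is kept so reuse is rejected, and a minimum password age stops the whole history from being flushed in one sitting. History size, minimum age and the PBKDF2 cost are assumed values.

```python
"""Added example: password history plus minimum age. Not code from the thread."""
import hashlib
import hmac
import os
import time

HISTORY_SIZE = 5                 # assumed: remember the last five old passwords
MIN_AGE_SECONDS = 24 * 60 * 60   # assumed: at most one change per day
ITERATIONS = 50_000              # assumed PBKDF2 work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Tracks one user's current password and their recent old ones as salted hashes."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can move time forward
        self._entries = []             # newest first: (salt, hash); current password is [0]
        self._last_change = None

    def change(self, new_password: str) -> str:
        """Return 'ok', 'too_soon' or 'reused'."""
        now = self._clock()
        if self._last_change is not None and now - self._last_change < MIN_AGE_SECONDS:
            return "too_soon"          # minimum age: no burning through the history today
        for salt, digest in self._entries:
            # Each entry has its own salt, so the candidate is hashed once per entry.
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return "reused"
        salt = os.urandom(16)
        self._entries.insert(0, (salt, _hash(new_password, salt)))
        del self._entries[HISTORY_SIZE + 1:]   # keep current plus HISTORY_SIZE old ones
        self._last_change = now
        return "ok"

    def remembered(self) -> int:
        """How many passwords (current included) are currently held in the history."""
        return len(self._entries)
```

With the minimum age in place, getting back to the pet password still works, but only after HISTORY_SIZE + 1 genuine changes spread over as many days, which is the point at which the user is better off picking a new one. Storing hashes rather than cleartext also covers lamber45's objection above to keeping a clear-store "for checking to make sure passwords aren't reused".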
    1. Re:Password aging. by Anonymous Coward · · Score: 0

      I didn't realize the password aging utility made a database call to your employee database to determine whether the employee was employed or not.

  103. Are you kidding? Easy solution here guys... by Anonymous Coward · · Score: 0

    In Korea, only old people use passwords.

  104. Re:If the required dongle is a note under your kb. by grimarr · · Score: 1

    Having physical access to the machine isn't always enough. Sure, given enough time, you could access anything on it. But you might not get that much time.

    Also, doing something like stealing the hard drive, or changing the local admin password, doesn't give the attacker access to the file servers, etc that the workstation is connected to. Only being able to log in to the network can do that.

  105. NO! by Greyfox · · Score: 1

    All biometrics do is give people incentive to steal your body parts! I foresee in the future you'll be standing in line at the grocery store and you'll go to pay for it with the retina scan, only to find out that someone just made off with your eyeball!

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  106. Re: Use BIOMetrics by Anonymous Coward · · Score: 1, Funny

    It would be interesting to mix passwords and biometrics. In medium security settings, you could simply provide the requested information directly using the keyboard.

    Linux 2.2 (pts/1)

    username: cmdrtaco
    cock size: 2inches

    Welcome to The Lunix
    >

  107. Why write it? by halcyon1234 · · Score: 1
    Writing the password down is so arcane. You should put the password on the bottom of your desk... in Braille... with chewed gum.

    I don't know a hacker in the world who'd touch other people's chewed gum.

  108. re: password security by Rage+Maxis · · Score: 2, Interesting

    I gave up on password security after working for a health management company that had name/same name as login and password on the SQL servers on real IPs. "they were behind the firewall!" BUT THE FIREWALL IS FORWARDING ALL THE PACKETS TO THE SQL PORTS!

    The best part was after sending a note around on the new policy of 12 digit case sensitive alphanumeric mkpwd (or mkpasswd, I forget which one is which) that were FORCED on the user. The 2nd point on the note was that "PASSWORDS ARE NOT TO BE STUCK ONTO MONITORS USING YELLOW STICKIT NOTES."

    I found 42 examples where, after the note was posted on the bulletin board, the password was changed back to flully or dave or whatever typical passwords they usually used, and then that was on the monitor with a message like "Darlene, look at my case files, my password is DAVE" -- even though she can look at them from her user account and thus TRACK CHANGES FOR COURT LIABILITY ... no, instead the password goes on the monitor.

    The real kicker was that they worked with a major Canadian bank and as such had a Lotus Notes over SHIVA connection into the bank core network. The bank was furious that our insecure network was allowed to connect to theirs, with Shiva being run on the same Windows 98 or ME (not my idea to install that, believe me) machines that were running with no admin kits, no policies, no process watchers or anything else resembling security -- and when I arrived no updated antivirus and no patching.

    No wonder, especially since the bank used ultra-hard-to-remember 6 digit capital-letter + numeric passwords. Once again the 50-something women couldn't remember those so they were on the monitor too.

    When they finally did get rooted (and massively, I might add; the best was the Windows NT 4.0 SP2 unpatched server which had an IP in the external range and an internal IP with routing turned on and telnet with a guest account enabled) it was because of "evil hackers intent on disrupting legitimate commerce".

    In reality the problem is consultants who want to get things rolled out as quickly as possible. The next problem is managers who are more worried about the whining of their staff in regards to the ENSLAVEMENT of having to remember 10+ digit alphanumeric passwords (I have trained myself to do it in 8 looks) and not being able to run their solitaire web games at lunch and things like that.

    The next problem is that even with passwords being there, there are countless machines where people just go around the password mechanism using exploits.

    Personally I dictate that anyone using my personal mailserver, etc. use 12-byte alphanumeric case-sensitive passwords generated with whatever that app is, mkpwd or mkpasswd; I usually have to type it twice to get the one I want. They work really well and take forever to brute force.

    I've tried playing with other mechanisms like fingerprint ID (at an old venture place I worked at they spent 2 years messing with this) and smart cards and the like. Nothing has really been satisfactory, especially when you add any degree of road warrior (which is the place where security of IP and passwords is really important); the solutions are generally worthless as it is VERY expensive and inefficient to give authentication validation hardware to even a road warrior to carry with them.

    Also in the end many of the security validation tools work using internally a hash that is effectively a password anyway. Use the scene in Star Wars: Return of the Jedi as an example when they are breaking into the power station for the shield. Enough blaster will open anything. Inside most fancy locks is an actuator which if given power will open the door. Thus a however expensive panel with fancy computer inputs and strong passwords can just be torn out and a battery with two wires from K-mart used in its place. Keep this in mind.

    Additionally, if you've ever seen the output of dsniff running on mirror channel traffic on a master switch in a large IT shop the passwords just scr

    --
    --- ask me about nihilism, I will have nothing to tell you.
  109. Does anybody crack passwords any more? by Chemisor · · Score: 2, Insightful

    Is it even possible to crack passwords any more? With shadow passwords, you simply can't get the password string to crack, and you can't just brute force at the login prompt, since it waits five seconds between tries. To get /etc/shadow you have to be root anyway, so what's the big deal with creating "non-guessable" passwords? It's not like any hacker would actually try more than a dozen at the login prompt. If he does, he'll just be locked out and reported. If you look at the descriptions of how computers are hacked these days, it's never by guessing passwords. It's usually done through a poorly written web page, where a buffer overflow can get you in (why don't they run the webserver on a chroot?).

    1. Re:Does anybody crack passwords any more? by Detritus · · Score: 1

      You can get the password file if you can trick a system process running as root to read it and send it to you. This has been a common security exploit for many years.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Does anybody crack passwords any more? by Anonymous Coward · · Score: 0

      Holy crap! Call up the CIA... this guy is on to something!

    3. Re:Does anybody crack passwords any more? by jasonbowen · · Score: 1

      Sure, get access via other means. Grab the file and crack it via John the Ripper on your machine at home. Then put on your best social engineering hat, find other accounts of those users and then go to town seeing if their other logins on other machines use the same password or check if their bank login or credit cards use the same password too.

    4. Re:Does anybody crack passwords any more? by evilviper · · Score: 1
      and you can't just brute force at the login prompt, since it waits five seconds between tries.

      Well, brute-forcing is impractical in general. A word-list attack however will work in a reasonable amount of time, even with a 5-second delay.

      That 5-second limitation only applies if you can open only a single connection to the machine, though... Open a few dozen SSH connections at a time, each with a different password, and the time each session takes to complete isn't much of an issue.

      To get /etc/shadow you have to be root anyway

      But that doesn't mean there's no benefit to being able to log-in properly. You might get root access through some exploit, but that doesn't tell you the root password... To get that, you'd need to download the file and decrypt it. Plus, getting the passwords of non-root users can be highly useful. If an admin on one machine has a user account on another, it's entirely possible they used the same password for both.

      If you look at the descriptions of how computers are hacked these days, it's never by guessing passwords.

      On the contrary, it happens a lot. I recall that /. reported Saddam Hussein's e-mail was broken into by someone just guessing the password.

      In higher-level breakins, it's usually a matter of breaking in to a low-level computer, and using it to spring to a higher-level computer. That can happen by decrypting the passwords on the current machine, for one.

      Another reason it's still around is encrypted network services... If you can do a tcpdump on the network, you can find a LM hash, CHAP packets, etc, ad nauseum. Once you've got those encrypted packets, you need to try wordlists or brute-force attacks to find the password...
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
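The point in the comment above about spreading guesses over many parallel sessions is why a defender counts failed logins per source address and not per session. Below is an added example of that check, written for this thread and not taken from any tool or poster here: it parses a constructed sample of sshd auth log lines and flags any source with more than an assumed threshold of failures inside a short window, also reporting how many distinct sessions (ports) and usernames the source used.

```python
"""Spot password guessing that is spread over many parallel sessions.

Added example (not code from the thread above). The log lines are a
constructed sample in the usual syslog/sshd format; the window and
threshold values are assumptions chosen for the demo, not a standard.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log. One source opens six sessions within a few
# seconds, so a per-session delay between attempts never adds up for it.
SAMPLE_LOG = """\
Aug 14 10:00:01 host sshd[4101]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Aug 14 10:00:01 host sshd[4102]: Failed password for alice from 198.51.100.7 port 50002 ssh2
Aug 14 10:00:02 host sshd[4103]: Failed password for alice from 198.51.100.7 port 50003 ssh2
Aug 14 10:00:02 host sshd[4104]: Failed password for bob from 198.51.100.7 port 50004 ssh2
Aug 14 10:00:03 host sshd[4105]: Failed password for bob from 198.51.100.7 port 50005 ssh2
Aug 14 10:00:03 host sshd[4106]: Failed password for invalid user admin from 198.51.100.7 port 50006 ssh2
Aug 14 10:00:09 host sshd[4107]: Accepted password for carol from 192.0.2.10 port 40001 ssh2
Aug 14 10:00:30 host sshd[4108]: Failed password for dave from 192.0.2.10 port 40002 ssh2
Aug 14 10:01:10 host sshd[4109]: Accepted password for dave from 192.0.2.10 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text, year=2004):
    """Return (timestamp, user, ip, port) for every failed-login line.

    syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip"), int(m.group("port"))))
    return events


def flag_sources(events, window_seconds=60, max_failures=5):
    """Sources with more than max_failures failed logins in any window.

    Counting per source address rather than per session is the point: a
    source that parallelises its attempts still shows up as one address.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, port in events:
        by_ip[ip].append((ts, user, port))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        times = [r[0] for r in rows]
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_failures:
            flagged[ip] = {
                "peak_failures": peak,
                "users": sorted({r[1] for r in rows}),
                "sessions": len({r[2] for r in rows}),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 198.51.100.7 is flagged with six failures across six sessions and three usernames, while 192.0.2.10 (one failure, then a successful login) is not. The same per-address count is the input to a rate limit or temporary block on the server side.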
  110. Biometric ID for the lUsers by Anonymous Coward · · Score: 0

    USB thumb-print scanners or voice prints are not foolproof but a ton better than users who still use "drowssap".

    And it's not like you can leave the caps-lock on. People are stupid, they take computer security lightly, unless there is some IT or IS tyrant around to hound them. The catch is you get to support those that can't keep up. They forget passwords or get them confused. They have to write down login procedures, or ask their peers. All things that introduce security risks. These sorts of flaws have been here from the start and are the nature of securing access to data.

    So how's this for a login procedure... Put your thumb on the little glass box, get to work.

    1. Re:Biometric ID for the lUsers by sckienle · · Score: 1

      These are good until someone breaks into the security database and finds the poorly protected electronic version of your fingerprint or voice print. They copy that and can pretend to be you to their heart's content and the only option you have is cosmetic surgery to change the biometric value.

      You may laugh that no one would build a biometric database which could be so simply hacked into, but didn't they say that about password and credit card number databases? At least I can change those.

      --
      I don't see things in black and white; I see the gray. Heck, I actually see in color, which makes things more difficult
    2. Re:Biometric ID for the lUsers by grumbel · · Score: 1

      Why break into a biometric database, I for one leave my finger-prints all over the place, doesn't take much to grab it from the wall.

      Biometric solutions might be a nice addition to a PIN, i.e. both bio and PIN must match to get login, but bio alone doesn't help much.

    3. Re:Biometric ID for the lUsers by IHateSlashDot · · Score: 1

      It's pretty easy to tell if the biometric info is a replay or not so the scenario you mention is not a problem.

  111. Of course this works best for guys... by BrianMarshall · · Score: 1
    ... but I am sure that the guys will be able to find women willing to help the guys with this technique.

    --
    "When the going gets weird, the weird turn pro" -- HST
  112. Re:Well, from the WSJ article it wasn't stupid use by magefile · · Score: 1

    Fine. One of us folks who care about security will take your job, then.

  113. Get into the beat ... by klang · · Score: 1

    One guy I know makes drum beats.. something that, by combination of speed and use of both hands on the keyboard, makes a nice beat.

    No way in hell to reproduce it, even if you hear the beat, as you would have no idea which keys he pushed.

    No way of sneaking a peek, as the beat is "up beat", too fast and way too long.

    Not for everybody though :-)

  114. President Scroob... by blueZ3 · · Score: 2, Funny

    Is that you?

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  115. Just Guessin'... by Maljin+Jolt · · Score: 1

    oexeo's slashdot password is... 12321?

    --
    There you are, staring at me again.
  116. The MasterCard Solution by Old+VMS+Junkie · · Score: 1

    Have people use a credit card for access and you can bet they'll protect it with their lives. Card swipe at your keyboard to log in and you have instant security. Seriously, I visited a company that used badges for data center access. People were constantly losing them, loaning them, or leaving them lying around. They switched to credit cards and all those problems went away.

    1. Re:The MasterCard Solution by Old+VMS+Junkie · · Score: 1

      Gah.... excuse the crappy spelling. I used to be a farmer. Now I are a engineer.

  117. Digital security is no different from physical sec by Anonymous Coward · · Score: 0

    Sorry..

    Digital security is no different from physical security. When you feel it's convenient enough not to lock your door - fine. There have never been break-ins in your neighborhood, or if there have been, nothing except a few bottles of vodka has ever been stolen.

    If data is not important enough why should I spend my time or my money to protect it?

  118. too difficult.. by sinner0423 · · Score: 1

    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    For the average Joe User at his cubicle, Yes.

    The Ubergeek will be able to memorize all of them, front to back. Joe User from the advertising department cannot. Just because you successfully memorized 80,000 different acronyms / alphanumeric passwords doesn't mean everyone else can.

    Not everyone has a rock solid memory like most IT people do. I believe that's pretty much 95% of why most of us are employed. - not for our stunning good looks, but because we can remember stuff better than other people. Joe user still may be having difficulty memorizing the steps it takes to check his email. Add a password consisting of "$5i5k3LKmb0j" to the equation, and you have a problem on your hands.

    I'm not trying to flame this guy, but he really needs to understand how the brain works, and the sheer amount of things regular users have to remember on a daily basis. It can get a little overwhelming some times.

  119. Card reader can be hostile - put PIN-pad on card by CrystalFalcon · · Score: 2, Informative

    Even better is to integrate the PIN pad onto the card itself, and use encrypted communication between the card and the authenticating server. The card reader would just see encrypted traffic.

    Also works against hostile ATMs.

    A solution like this exists, see Cypak PIN-on-Card

  120. Single sign on would help by phoebe · · Score: 1

    I work in a big company and there are so many different systems that require passwords it is beyond a joke. I have twenty different systems providing me with 10 different variations on account name, and numerous limitations on passwords. Some accounts simply have their default password "welcome", some have a random string, some require a new password every month, some remember the last three passwords so you cannot repeat.

    So I have given up, I have a big piece of paper taped to the wall with all my accounts and passwords on. Yay! :)

  121. SmartCards and Cost of Wrong Guesses by redelm · · Score: 1
    At work, we use SmartCards -- something you have, in combination with a weakish passwd (something you know).

    But the real thing is the cost of wrong guesses. If you get the hash from a conventional /etc/passwd, the cost of a wrong guess is a few dozen CPU cycles (ie, nothing). If there is a holeproof 3-wrong lockout, then the cost of wrong guesses is extremely high, and weak passwds can be tolerated.

  122. This just shows... by jafiwam · · Score: 1

    that users are dumb.

    Writing down a password and making that password obvious are not the same thing. Just use inconspicuous information to hold passwords.

    For example, on my desk are:

    - a plastic cartoon character whose name and gesture is a password
    - a post it note with my boss's address which with a small transform is a password
    - a password in plain text written on a cable tag, attached to an ethernet cable in the wall

    Likewise, one of my ex-girlfriends uses a sheet of plain text phone numbers she doesn't want anybody to know she has... all backwards with the dashes in the wrong place and the words "part numbers" on the top.

    Anybody that can think for a second or two when they make up passwords or when they have to memorize them can easily do this.

    Joe Mitnick isn't going to find them, the CIA might, but they'd have to try a bunch first; and the kid hired to vacuum the floor sure isn't going to figure it out.

    Users on my network have to change their passwords every 90 days, unless they complain about it, in which case I ask them to make one up that has numbers and letters and they don't have to change it anymore.

  123. If they easy to hack then they be pointless by gelfling · · Score: 1

    Point is it doesn't matter if your password is a randomly generated 18 character string of letters numbers punctuation marks two snaps and twirl if the underlying fapplication is teh shit.

    Otherwise just get a good PDA app and store the passwords in for as many as you need. I have hundreds and I don't really care how difficult they are.

  124. Education at fault for all. by rice_burners_suck · · Score: 1
    First of all, people are so freaking stupid. If you're a secretary who works in some company, and eight different applications need to be password protected, then you don't have to be a rocket scientist to figure out that if you set all your applications to the same password, you'll only have to remember that one password.

    Users are lusers. Lusers are StupidPeople (tm). StupidPeople are StuplePeopid (tm).

    The way I see it, changing a password every month or so isn't too much to ask. Neither is creating a well-chosen password. Neither is remembering it. People don't have such a hard time remembering a locker combination. Nor do they have that much trouble remembering phone numbers, bank account numbers, and all sorts of other stuff. What the hell is so difficult about remembering a password that is a mere several characters long?

    You wouldn't hide the key to your house under the doormat just because you might forget your keys somewhere, would you? Or you wouldn't write your home address on your keys, just in case you forget where you live, would you? Why in the phuc would you tape your password under your keyboard, or something stupid like that?

    The way I see it, most of the problems in the world stem from the failure of our education system to teach anybody anything. It's not enough to learn reading, writing, and 'rithmetic. You have to learn how to teach yourself things. And schools don't teach anybody how to do that.

    My friend is a chef. His employees can't even put food on a plate properly. How many times he has had to explain to them how to put the food on the plate, and they just don't get it.

    My other friend works in a machine shop. How many times he has had to explain to his retarded employees that they have to measure and make sure everything is straight before drilling a hole. And they don't get it either.

    People are just so stupid because they have gotten by in school, just doing the minimum to barely get by, not learning anything, and allowing their brain to stay dormant. The school system promotes this by allowing students to earn "A" grades for "F" work, and just passing students from one grade to the next, even though they have made NO achievements to show for it.

    This continues in the career, where people expect to do shit work, but when June comes around every year, they expect their raise. It's the mentality caused by the failure of the education system.

    And this applies to passwords as well. It's not that hard to remember a password. You can decide that certain numbers and symbols mean certain things to you, and then spell a word that only you would understand with those symbols. Then, all you have to do is remember that word. But people are either too dumb, or too lazy, to do even half of that. They'd rather just bitch and moan, because security isn't exactly convenient.

    1. Re:Education at fault for all. by OldCrasher · · Score: 1

      All people are different. Some like symbols, others like patterns, others smells. To say that people who can't remember passwords are stupid, is a sign of limited thinking on your part.

      I barely remember peoples names, yet I have met people that have remembered the name of everyone they have ever met.

      I once memorized the hex op codes for the 8086 instruction set and could look at a memory dump and generally work out what it did without reference to a manual, or the disassembler. But I can't save multiple passwords in my head for a nanosecond.

      There is no one-size-fits-all for human minds.

    2. Re:Education at fault for all. by n0rm · · Score: 1
      People don't have such a hard time remembering a locker combination. Nor do they have that much trouble remembering phone numbers, bank account numbers, and all sorts of other stuff. What the hell is so difficult about remembering a password that is a mere several characters long?

      But you're talking about short sequences of numbers, which most people are good at remembering. An SSN is 333-22-4444, and a credit card # is broken into 4 digit sets for a reason. It's generally accepted that most people remember sets of 4 characters without much trouble, but have difficulty with anything longer. When it comes to passwords we're not talking several characters. We're talking about a dozen characters times however many systems you need to deal with, along with characters that aren't part of the alphabet (how many non-geeks even know what a tilde is?). My father-in-law has a PhD in clinical chemistry (you can't get much more educated and better at memorizing stuff), and he has trouble with password security.
    3. Re:Education at fault for all. by rice_burners_suck · · Score: 1
      how many non-geeks even know what a tilde is?

      People like me who teach Spanish and explain that this thing above the "n" is called a tilde. Not that anybody gives a damn.

  125. True story... by WIAKywbfatw · · Score: 1

    I was contracting for a major services company and popped into another department of the building to visit an old friend who worked there full-time in the IT department. He boasted about how he'd drilled security into the heads of all his users, how they all had secure passwords and how they all locked down their PCs when they stepped away from their desks, etc. So I bet him lunch that I could get into his network in less than five minutes, to which he replied that if I could then he'd be buying lunch all week.

    It took me less than sixty seconds to get in. I just walked up to a nearby desk that had a passworded screensaver running, turned to the guy sat at the next desk and said "Hey, I'm from IT and I need to do something on this PC, can you tell me what this guy's password is so I can get it done?", and it was mission accomplished. I wasn't wearing any ID and the guy certainly didn't ask for any either. And that wasn't an average user I was dealing with, that was a security consultant: if those guys can be that sloppy, anyone can.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  126. Science Tables and Lookup Values by INetEngineer · · Score: 2, Interesting

    Perhaps integrate science table codes into your password or other known reference "codes" to known items (such as dates for historic events). What's the number for Einsteinium? Use that in your password...

    For example, the following uses the atomic weight of Einsteinium, year the Human Genome Project completed, traditional formula for Einsteinium (III) iodide, and a hint that the formula both references the III iodide and not II and is not the Hill system formula.
    "My252BrainWasMapped2003WithThe3rdColorE SI3NotHill "

    Of course, this password is incredibly long, but things like dates, chemical formulas, periodic table mappings, physics formulas, or algebraic formulas, all provide a concise means of generating short passwords that can be looked up if you ever forget them.

    Similar to encryption, you have now encoded your password with keys that are easy to remember, or look up if you can't remember (Date of Mt. Rushmore Dedication ceremony + Formula for Benzene).

    --
    --I smoked my sig.
    1. Re:Science Tables and Lookup Values by TykeClone · · Score: 2, Interesting
      This guy from Microsoft agrees with you http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

      Pass phrases are at least easier to remember than long passwords (compare "I am the walrus, koo-koo-kachoo!" to your example) and are long enough to be more problematic for password cracking programs.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    2. Re:Science Tables and Lookup Values by ifdef · · Score: 1

      And what are you going to do when you have to change that password in 4 weeks? Or, if you can come up with an equally good one, what about the time after that? What about the tenth time you have to do it, in less than a year?

      And yes, in another thread, people have pointed out that on SOME systems you can just change your password 20 times in a row and get back to the complicated phrase you were using, but on other systems, the server will force you to change your password every 4 weeks, will not let you reuse any of your previous 20 passwords, and will not let you make password changes more often than once per day.

    3. Re:Science Tables and Lookup Values by Gyorg_Lavode · · Score: 2, Insightful

      Passphrases need to be random though. Lyrics, quotes, and scripts can all be loaded into a passphrase dictionary and used the same way dictionary attacks are used against passwords. If you are going to use non-random passphrases, you need to use dictionary checking to make sure someone didn't use, "I am your father luke"

      --
      I do security
    4. Re:Science Tables and Lookup Values by INetEngineer · · Score: 1

      The suggested means of creating a password is either for those people who require or desire an ultra-secure password (perhaps for encrypting/decrypting a rotating list of long and random passwords, like for PasswordSafe) or could be for generating short, concise passwords using the formulas.

      If the system supports long passwords, then a simple passphrase, like random song lyrics or rare quotes, etc. would be the simple solution, noting that you simply need to change your password before a person could "break" your password using brute force. (as suggested on the Microsoft blog above)

      Obviously this doesn't protect you from things like malware or getting tricked into telling someone your password, but that's not what we're discussing at the moment...

      --
      --I smoked my sig.
    5. Re:Science Tables and Lookup Values by TykeClone · · Score: 1

      But passphrases can actually mean something to a user in such a way that they should have an easier time remembering them - and not writing them down. "I am your father, luke" might not be such a good one, but if you combine that with capitalization and different punctuation, it is made much more difficult to crack and much easier to remember - which is what we should be after.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    6. Re:Science Tables and Lookup Values by Gyorg_Lavode · · Score: 1

      Adding the punctuation and capitalization does make it harder to crack, but also harder to remember. More research needs to be done on 1: exactly how much harder to crack, 2: exactly how much harder to remember, and 3: where's the optimal point between 1 and 2.

      --
      I do security
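The two points raised in this sub-thread, that quotes and lyrics belong in a passphrase dictionary, and that changing capitalization or punctuation is how people dress them up, can be handled together by one check. The following is an added example, not code from any poster or product named here: it reduces a candidate passphrase to a canonical form (casefolded, letters only, with common digit-for-letter substitutions undone) before comparing it against a constructed stand-in for a real quote dictionary, so "I am your father, Luke" is caught whether it arrives with different case, extra punctuation, a year tacked on, or leet spelling.

```python
"""Reject passphrases built from well-known quotes, in any dressing.

Added example, not code from the thread. KNOWN_PHRASES is a constructed
stand-in for a real passphrase dictionary (lyrics, quotes, film lines).
"""
import re

KNOWN_PHRASES = [
    "I am your father, Luke",
    "I am the walrus, koo-koo-kachoo",
    "To be or not to be, that is the question",
    "May the force be with you",
]

# Common symbol/digit-for-letter substitutions, undone before comparison.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def normal_forms(phrase):
    """Canonical forms: casefolded, letters only, with and without un-leeting.

    Both forms are needed: the plain form catches a quote with digits tacked
    on ("... 2004"), the un-leeted form catches "1 4m y0ur f4th3r".
    """
    low = phrase.casefold()
    return {re.sub(r"[^a-z]", "", low),
            re.sub(r"[^a-z]", "", low.translate(LEET))}


# Index every dictionary entry under each of its canonical forms.
NORMALIZED = {}
for _phrase in KNOWN_PHRASES:
    for _form in normal_forms(_phrase):
        NORMALIZED[_form] = _phrase


def find_known_phrase(candidate):
    """Return the dictionary entry the candidate is a dressed-up copy of, or None."""
    for form in normal_forms(candidate):
        if form in NORMALIZED:
            return NORMALIZED[form]
    return None


def check_passphrase(candidate, min_words=4):
    """True if the passphrase is long enough and not a known quote.

    min_words is an assumed policy value for the demo, not a recommendation.
    """
    if find_known_phrase(candidate) is not None:
        return False
    return len(candidate.split()) >= min_words


if __name__ == "__main__":
    for p in ["i AM your FATHER, luke!!", "1 4m y0ur f4th3r luk3",
              "purple walrus invoices the moon"]:
        print("%-32s known=%r ok=%r" % (p, find_known_phrase(p), check_passphrase(p)))
```

The normalisation is deliberately lossy: it throws away exactly the variation that the punctuation-and-capitals trick adds, which is the right thing for the rejection side of the check. Whether a dressed-up quote that passes some other policy is strong enough is a separate question the thread leaves open.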
  127. Something is wrong... by djan · · Score: 1

    One thing that I think a lot of people are missing is the fact that passwords are not a business enhancement. This is not a productivity booster or natural business flow.

    A lot of IT time is wasted on password setup, resetting, etc. including the individual user's time.

    Ideally, what should happen is that the user should not have to do anything to start a process, but just start the application and bingo, you're securely logged in. (I am talking about internet and LAN activity, not ATMs). Biometrics are a start, but I think we've a long way to go, but our computers are going to have to recognize us as soon as we approach and adjust our security profiles as needed automatically without any user intervention.

  128. Re:If the required dongle is a note under your kb. by pthisis · · Score: 1

    if you block off the BIOS (so it can't boot from CD), then physical dismemberment may be required

    Until someone puts a little PS2 or USB keystroke grabber on the machine.

    --
    rage, rage against the dying of the light
  129. SecurID by localman · · Score: 1

    Just implemented SecurID at my job and so far it seems to be quite good. We require a username, password, and the token code. It was a little bit annoying at first, but I think people agree it's a lot less annoying than an overly aggressive password policy (10 characters! letters numbers and symbols! change every two weeks! never reuse a password!) -- and probably more secure.

    Cheers.

    1. Re:SecurID by finse · · Score: 1

      SecurID is a great solution, however it doesn't always fit the need/budget..
      Two-factor authentication like SecurID is always the best way to go.

      --
      Paranoid tinfoil hat crowd say Y here, everyone else say N.
  130. Scare tactics.. by t_allardyce · · Score: 1

    What you need to do if you're the admin at a big company is go around one morning before anyone gets in and have a quick look for post-it notes, log in to any account you see and stick a big fat message for them saying "your data has been stolen, you're in deep shit" (oh and take the post-it), then sit back and laugh at all the near heart-attacks you create (probably a good idea to clear this with your boss first). Most people will realise what they are doing wrong and stop writing their passwords down. I think in an office environment where people trust each other and have their own desks you have to accept a bit of lax security; as long as no-one can get into the building it's not that big a deal. Passwords for public servers etc. should be kept tight though - if someone does get in and steals your customers' data you're liable under the Data Protection Act I think..

    --
    This comment does not represent the views or opinions of the user.
  131. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0

    I give you 3 weeks before you are r00t3d like a dime store hooker.

  132. Easy to Remember Can Be Secure by kentborg · · Score: 1

    To quote myself, when I need a password, I use a utility called
    mnencode this way:

    $ head -c 4 /dev/random | mnencode

    And get three word long results like:

    iris-farmer-benny or person-london-multi or jumbo-joker-basil

    Reasonably easy to type and remember, yet a significant 32-bits of
    entropy--far better than most passwords. (Enough for circumstances
    where you don't have a motivated foe with the opportunity to brute
    force it--a non-readable /etc/shadow is your friend here.)

    To find mnencode see . It is really
    a carefully crafted word list and two complementary programs, mnencode
    which turns binary data into words intended to be pronounceable,
    spellable, and unambiguous, and mndecode which turns those words back
    into that exact binary data.

    To move offtopic, for really paranoid security, you can do:

    $ head -c 16 /dev/random | mnencode

    And you get 128-bits worth of entropy as, for example:

    algebra-mask-armor--jester-cupid-fossil
    secure-detail-barcode--gray-judo-safari

    Take out the new line, put in single dashes throughout, and you have a
    long passphrase that is really secure. But it turns out that a
    passphrase with 128-bits of entropy is pretty unwieldy. It gets hard
    to remember (was it jester or joker?, secure or secured?, etc), and it
    is surprisingly hard to type blind. I use exactly one such passphrase
    (that I don't type on open wires or keyboards I don't control), but I
    do use it to encode my other passwords.

    -kb

    P.S. A passphrase with 128-bits of entropy is enough that even a very
    powerful and motivated foe will not be able to bruteforce it any time
    soon--if ever--and will instead resort to bugging your keyboard,
    hiding a camera over your keyboard, sniffing RF-emissions, rubberhose
    cryptanalysis, etc. For example, suppose the NSA really wants your
    key and can try a trillion possibilities a second, it would still
    take, on average, over 3 months to crack a 64-bit passphrase--which is
    well within their abilities if they are really interested. However, a
    128-bit passphrase is 18,446,744,073,709,551,616 times as difficult as
    that, something even the NSA can't accomplish. Note that this is for
    a symmetric key; public keys work differently and need to be much longer
    for equivalent strength. A 4K bit public key can be manipulated
    pretty easily by computers these days and is likely extremely
    strong--depending upon possible breakthroughs in factoring numbers or
    building quantum computers.

    1. Re:Easy to Remember Can Be Secure by Greyfox · · Score: 1
      If your passphrase is hashed with MD5, what are the odds that someone will find a duplicate sequence that will generate the same MD5 checksum? Didn't we just see a story about that a few days ago? Of course, they'd still have to get your hash to try it.

      All of the companies I've worked for place an upper limit on the number of characters you can have in a password and many have demanded special aspects of the password (Need at least one number, demand mixed case, can't reuse X characters from your old password, etc) which makes this sort of thing more difficult.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:Easy to Remember Can Be Secure by kentborg · · Score: 1

      If your passphrase is hashed with MD5, what
      are the odds that someone will find a duplicate
      sequence that will generate the same MD5
      checksum?


      Slim. md5 has its problems, but in no way does my scheme add any additional risk.

      All of the companies I've worked for place an upper limit on the number of characters you can have in a password and many have demanded special aspects of the password (Need at least one number, demand mixed case, can't reuse X characters from your old password, etc) which makes this sort of thing more difficult.

      Silly rules on passwords certainly get in the way of my approach, but
      that doesn't mean my approach is in any way weak. Putting in a number or
      punctuation mark makes it harder to guess a password because you need
      to try more combinations. But it is the number of combinations that
      counts.

      By putting 32-bits of entropy in my password, I have 4 billion
      combinations for someone to defeat. It doesn't matter how you get to
      the total number of possible combinations, it is the total number of
      combinations a foe must try. Instead of a three word combination I
      could use something like 1101010110010011101101010100000, and the
      result would be just as strong, except there would be no way to
      remember it. Isn't the equivalent "sample-formal-milan" much easier
      to remember?

      Yes, if your foe knows your technique for generating your password it
      makes it easier to break it. But it doesn't matter if the technique
      is one like your employer's or like mine, it makes it a smidge easier.
      Much more important is the total number of combinations. Making a
      password harder for you to remember doesn't make it harder for a foe
      to guess. It is the number of combinations you pick from that
      matters.

      -kb

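A worked version of what the two posts above describe (turning random bytes into words and counting combinations rather than character classes), added here as an example and not kentborg's mnencode or its word list: the word list is a constructed stand-in, and 1626 is an assumed list size chosen because 1626^3 exceeds 2^32, which is exactly what lets three words carry 32 bits.

```python
"""Binary-to-words encoding in the style of mnencode, plus entropy accounting.

Added example, not the mnencode program. The word list is a CONSTRUCTED
stand-in of pseudo-words; WORDLIST_SIZE = 1626 is an assumption. The only
property that matters is WORDLIST_SIZE**3 >= 2**32, so each 4-byte group
maps to exactly 3 words and back.
"""
import math
import os

WORDLIST_SIZE = 1626  # assumed; 1626**3 = 4,298,942,376 > 2**32


def _make_wordlist(size: int) -> list[str]:
    """Deterministic pseudo-words ("baba", "babe", ...). Constructed, not the real list."""
    consonants = "bcdfghjklmnprstvwz"
    vowels = "aeiou"
    syllables = [c + v for c in consonants for v in vowels]  # 90 syllables
    words = [a + b for a in syllables for b in syllables]     # 8100 candidates
    return words[:size]


WORDS = _make_wordlist(WORDLIST_SIZE)
INDEX = {w: i for i, w in enumerate(WORDS)}
assert WORDLIST_SIZE ** 3 >= 2 ** 32, "three words must be able to carry 32 bits"


def encode(data: bytes) -> list[str]:
    """Each 4-byte group becomes 3 words: the base-WORDLIST_SIZE digits of the 32-bit value."""
    if len(data) % 4:
        raise ValueError("this simplified encoder needs a multiple of 4 bytes")
    out = []
    for i in range(0, len(data), 4):
        n = int.from_bytes(data[i:i + 4], "big")
        for _ in range(3):                 # least significant digit first
            out.append(WORDS[n % WORDLIST_SIZE])
            n //= WORDLIST_SIZE
    return out


def decode(words: list[str]) -> bytes:
    """Inverse of encode(): every 3 words give back the exact 4 bytes."""
    if len(words) % 3:
        raise ValueError("word count must be a multiple of 3")
    out = bytearray()
    for i in range(0, len(words), 3):
        n = 0
        for w in reversed(words[i:i + 3]):  # most significant digit first
            n = n * WORDLIST_SIZE + INDEX[w]
        out += n.to_bytes(4, "big")
    return bytes(out)


def random_passphrase(n_bytes: int = 4) -> str:
    """Equivalent of `head -c N /dev/random | mnencode`, joined with dashes."""
    return "-".join(encode(os.urandom(n_bytes)))


def bits_of_words(n_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from a list: only the count of combinations matters."""
    return n_words * math.log2(list_size)


def bits_of_chars(n_chars: int, alphabet_size: int) -> float:
    """Entropy of n characters drawn uniformly from an alphabet (e.g. 95 printable ASCII)."""
    return n_chars * math.log2(alphabet_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: half the keyspace divided by the guess rate."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    print(random_passphrase(4), "->", round(bits_of_words(3), 2), "bits")
    print("8 random printable chars ->", round(bits_of_chars(8, 95), 2), "bits")
    days = expected_seconds_to_crack(64, 1e12) / 86400
    print("64-bit key at 1e12 guesses/s: about", round(days), "days on average")
```

The third-word/32-bit fit and the "64 bits takes a few months at a trillion guesses a second, 128 bits is 2^64 times that" arithmetic from the P.S. both fall out of the functions above.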
  133. Re:If the required dongle is a note under your kb. by 99BottlesOfBeerInMyF · · Score: 1

    Luckily I type fast and get annoyed when people stand over me while I type a password :-).

    Typing really fast, but poorly, with five or six backspaces per password, while working in a dimly lit room, on a terminal with 9 pt font in green on a black background ...is all the security most of us need.

  134. Re:Easy trick... The *REAL* BOFH by HighOrbit · · Score: 2, Funny

    I thought our help-desk guy might have been the original BOFH, but I was wrong. Even he wouldn't have thought of that. Man, you are harsh.

    [Suddenly the phone rings, disturbing the BOFH's game of Half-Life]

    [random_user]Hello Help Desk? I forgot my password. I have to print a powerpoint document for a briefing I am giving in 5 minutes so I need my password reset right now!

    [BOFH] Oh....let me check...we can only reset passwords once a day between 6AM & 7AM because it affects the user settings and we can do that after the server's been initialized. Otherwise the server might malfunction and several random files could be deleted from your home directory. Are you sure you can't wait until later?

    [random_user][pauses]yes, I need it NOW. I'm briefing our department VP in 5 minutes.

    [BOFH]ok... you're the boss...I'm resetting it to "12345678"...try logging on in a few minutes [while typing "del /users/random_user/*.ppt"]

  135. Me too, but post-it required by thpr · · Score: 1
    You see, while I agree with the zones idea (and do that myself; though I have a 4th 'work' zone, too, since the admins can probably get to my password on some of the systems), I have a problem. Here at work, I have [grabs post-it note] a whopping 20 userid/password combinations. So I promise if you get to my desk [which, BTW, is through the badged doorway and the lock on my door] you find a post-it note in the drawer... with a key of 'x*[y|n]' indicating the password for each system.

    X is a letter of the alphabet. The y or n indicates whether I have done substitution (zero for o, etc) in the password. The letter tells me the first letter of the password, the * tells me the # of characters (almost always forced to 8). So you can get a hint, and it provides a small limit on the number of passwords (can't have two the same length with the same start letter). It's the best I can do to balance security with my inability to remember so many userid/password combinations. If you can guess the password before the system locks you out (the important ones only give you 3 tries), you deserve the reward.

    My secure ('high') passwords? Good luck. I've been accused of making passwords where I was accused of "banging my head on the keyboard and using the result."

  136. How do you change a biometric password? by Mal+Reynolds · · Score: 1

    The scenario is simple and inevitable. A hacker will steal a database full of biometric data and all those passwords will be compromised, forever!
    Ordinarily, when a password is compromised, the user just changes the password. But how are users going to change a compromised fingerprint? How will they change a compromised retina pattern? Or with the biometric data planned for new US Passports, how will users change a compromised face?
    Another little tidbit biometric security proponents usually overlook is the ease with which many systems can be hacked. $30 worth of drugstore purchases can create false fingerprint overlays able to fool nearly every fingerprint scanner on the market.
    Biometric security sounds nice in theory, but like many failed technologies, it doesn't pass the field test. The liabilities it introduces greatly outweigh any advantages.
    The only way to prevent biometric identity theft victims from becoming permanent financial outcasts is never to allow biometric security to become the norm. Don't let corporations or governments use your biometric data as routine passwords.

    1. Re:How do you change a biometric password? by UrlorJkron · · Score: 1

      Want to change a biometric password? Use a series of fingerprints. It wouldn't be too hard to remember what order you scanned your fingers.

      --
      The public will believe anything, so long as it is not founded on truth. --Edith Sitwell
    2. Re:How do you change a biometric password? by Mal+Reynolds · · Score: 1

      A series of fingerprints?
      So people have to label their fingers 1 to 10 and use them in specific orders? Don't you think that's just a little bit silly?
      Because we're assuming their fingerprints have been compromised and, as such, offer no additional security. In such a case, tapping out fingers in order would be no more secure than using a simple memorized numeric password.
      Biometric security is an oxymoron.

  137. password safe by anonymous_wombat · · Score: 1
    Check out http://passwordsafe.sourceforge.net. You can use this program with one good password and then look up all of your other passwords, which can then look like ^73k3E!F;=

    This program was originally developed by CounterPane Internet Security, where Bruce Schneier is the security expert. It is now an open-source project. The only downside is that it only claims to run on M@cr@$@ft. Someone should port it to Linux.

    1. Re:password safe by Anonymous Coward · · Score: 0

      Password safe is awesome. The only problem is when I'm not on my laptop or home PC, and I have to install password safe and open up the database stored on my USB keychain just to log in to some website.

  138. Re:If the required dongle is a note under your kb. by pdiaz · · Score: 1

    Nice idea. I'm going to use it for services for which I can't control the auth method used. For services that I host on my server I use one time passwords and a PAM module that I wrote (see sig)

    --
    Make It Secret. Free JavaScript implementation of AES for your browser
  139. Password security is EASY by alc6379 · · Score: 1

    Come on now... what's with the fuss?

    rosebud is a great password, nobody will ever guess that!

    --
    I don't moderate anymore. Karma penalty for 90% fair mods? Can I mod that unfair?
  140. Oh bash.org, how do I love thee... by BlueCodeWarrior · · Score: 1

    #136524
    Raven - I tried setting my hotmail password to penis.
    Raven - It said my password wasn't long enough. :(


    #10846
    Saccy - My password is alpha numeric.
    Strife - Well mine's a mixture of numbers ANDletters.


    #198764
    Death - Hey, Jeff, how do you kill someone when they're on your nick?
    Jeff - Oh, easy /ns ghost nick password
    Death - Thanks.
    Death - Die.
    *** Signoff: Jeff (Killed (NickServ (GHOST command used by Death)))

  141. But first... by siskbc · · Score: 1

    ...you'd have to crack the scheme. Harder. A wavy line isn't an obvious thing, especially if you dress it up as, say, art from your kid tacked up in your cube. Draw an appropriate wavy line, then let your kid go nuts with the crayons and such.

    --

    -Looking for a job as a materials chemist or multivariat

    1. Re:But first... by Saucepan · · Score: 1
      You missed his point. It's not important to guess the scheme -- a brute force cracking program will include all variations of "adjacent keys" schemes and dozens of other common schemes as well and still only need to try a tiny fraction of a percent of theoretical 2^56 search space before finding your password.

      It's equivalent to using a 10-digit combination lock but then choosing combinations that only ever differ in the initial digit.

    2. Re:But first... by Gyorg_Lavode · · Score: 1

      All you would need is a brute force program that had a physical layout module. It would have to check fewer than 8^6*46=77,262,336 combinations (though we can start significantly reducing that since many of those keys do not border 6 characters). At 3,000,000 checks/second (a number I saw somewhere, probably for checking LM Hashes though), that's less than 26 seconds.

      --
      I do security
    3. Re:But first... by siskbc · · Score: 1
      You missed his point. It's not important to guess the scheme -- a brute force cracking program will include all variations of "adjacent keys" schemes and dozens of other common schemes as well and still only need to try a tiny fraction of a percent of theoretical 2^56 search space before finding your password.

      No, I got it - part of the cracking is that you'd have to know, somehow, that it is an adjacent key scheme. It wouldn't be obvious that it is. Also, it wouldn't be hard to modify so it's not an adjacent key method.

      It's equivalent to using a 10-digit combination lock but then choosing combinations that only ever differ in the initial digit.

      To an extent, yes - but again, how would a cracker know?

      --

      -Looking for a job as a materials chemist or multivariat

  142. A very good (and humorous) article on the subject by dracvl · · Score: 1

    Bruce Tognazzini (of Macintosh and Nielsen Norman Group fame) has an excellent article where he contrasts *actual* security with perceived security here. Well worth a read, and one of the pages I most frequently refer to.

  143. Stupid IT dept.... is the problem. by DarthVain · · Score: 1

    The main reason I think that passwords have a security risk (other than personal ones you don't really care that much about anyway) in the corporate world is stupid low level IT people (Network Help/Admin or high level + managers, depending on how decisions get made). Take this example (where I got very pissed off):

    First some people in IT get this crazy idea... Our login names fit the pretty much standard firstletter.lastname format (which it has been ever since I can remember; all my accounts, and we are talking a large number here, that I didn't pick my own user name for always had that format... anyway). Anyway, in their great universal wisdom, they decided it would be better if they changed all the login standards to lastname.first_two_letters_of_firstname. So a Bob Lambert, formerly BLAMBERT, is now LAMBERTBO. Now do this to a couple thousand employees, most of whom are not tech savvy to begin with... that is the start of our troubles.

    Next, a month later, reset the standards for passwords (as if people are not confused enough trying to log in). It was a simple password standard: must be at least 6 (maybe 8, not sure) characters long, and must change password every 30 days. Most people usually had two or three and simply rotated them every 30 days... no big deal. The new standard? How does this sound? Must be 12 characters long. Must have both upper and lower case letters. Must have a number. Must have a special character (!@#$%^&*, etc...). Must not have a previous password in it (history of 12), and must change every 30 days. (Which means that you can use one of the same passwords in about a year.) Does this seem even remotely reasonable to anyone? Am I just ranting for no reason? I can't wait to forget my password and have some IT Help Winnie look up my password to find "DumbestPassWordEver#1".

    Personally I think they did it for job security. Can you even imagine how many passwords get forgotten and people have to call IT for their username and password?

    I also wonder if these IT idiots ever had a meeting about this. Did no one speak up and say, 'hey, this may not be a good idea' or 'gee, this might be counterproductive to security as EVERYONE is gonna write it on a sticky note and put it on their computer!'.... Not to mention the IT phones ringing off the hook and perhaps it happening so often that they become complacent to the point where they will give usernames and passwords to any schmuck who calls....

    I am no network security specialist, but even I can see that simply making more complex passwords does not necessarily make you more secure.

  144. Problem by Anonymous Coward · · Score: 0
    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?


    Yeah, that is too much to ask for in some scenarios. I have a standard password made up of a bunch of things. This is something I'll use on all the websites and trivial programs. But now a certain website doesn't allow '. Another one doesn't allow !. Each website will have its own rules about how many non-alpha characters there should be. This forces people to use variants. And makes it hard to remember. So most, then, just simply go for "johny" because that's their first pet's name.

    That doesn't describe the behavior of all people. Just my opinion on the ones that have good passwords but constantly keep getting rejected at different sites for different reasons.

    I love acronym passwords BTW. If it involves a lot of Ws and Qs, you can even tell it to people and most won't remember it a second later. Of course this doesn't mean that you should tell people the password.

  145. Musical passwords by bleeware · · Score: 1

    For the guitarists in the crowd, think of each row of keys as a guitar string. Pretend you are playing a lick. Left hand fretting and, if you want to get fancy, mix in right hand plucking. What you then remember is the lick (and where you place your fingers to start).

    --
    HaHa: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:Musical passwords by Firefly1 · · Score: 1

      I seem to recall that Drax' nerve gas lab in Venice (yep, Moonraker reference) was secured with a musical password - each key corresponded to a note, and you needed the correct string of four to open the door. While it's not clear from the footage, it's quite probable that the keys aren't labeled, requiring those with access privileges to memorize the correct sequence.

      --
      - White Knight of the Order of Mihoshi Enthusiasts
    2. Re:Musical passwords by finse · · Score: 1

      Don't forget about the Goonies. There was a musical password to unlock the way to One Eyed Willy's treasure.

      --
      Paranoid tinfoil hat crowd say Y here, everyone else say N.
  146. Once Upon A Time... by Maljin+Jolt · · Score: 1

    ...I worked at a mainframe datacenter (running a cute Sperry Univac U90/30 and a big U90/60). Using a four digit employee number in place of a password for terminal login was a duty written in the employee contract.

    When we got our first IBM XT Personal Computer, our boss was very concerned about not having a proper employee number login. So I wrote my first DOS application, 5 lines of BASIC code, stuck it at the end of autoexec.bat and got some Xmas premium for solving a "serious security issue".

    --
    There you are, staring at me again.
  147. Different passwords by Jesus+IS+the+Devil · · Score: 1

    To be truly secure, you'd want to use different usernames and passwords for every single item that requires it, except for those non-important throw-away accounts.

    This is where things get messy. I literally have over 50 different logins. Good luck remembering them all!

    --

    eTrade SUCKS
  148. Finally, a l3g!t1m473 use for 1337 by Anonymous Coward · · Score: 0

    I'm serious. I've found randomly mixing and matching different variations on 1337 5p34|< has made it simple to come up with relatively secure passwords that still make sense to me, and hence are mnemonic, and hence are easily remembered.

  149. Re:If the required dongle is a note under your kb. by nizo · · Score: 1

    Hey now, this looks cool, I may have to play around with this :-) I always wanted to set up one time passwords on our incoming ssh server.

  150. Use phrases. by Reeses · · Score: 1

    I don't understand why we need to constantly hash the password down to 8 characters. In the old days, when disk space was at a premium, and every byte counted, it was important. Now that I can carry 1GB of disk space on my keychain (jump drives), I think the 8 character limit needs to be lifted. Why? So we can use phrases.

    Everyone has movie lines that they remember, and people remember sentences pretty easily. So make phrase-based authentication.

    Instead of making me remember:

    wRn?m@9m

    Let me remember:

    It was a dark night.

    Or:

    Shall I compare thee to a summer's day?

    The biggest advantage is that you can get a long password that people can remember. And you can get punctuation.

    Make the max length for a password be 256 characters, and give us something we can remember. Brute force attacks, or password dictionaries against something like this would be impractical, because there would be too many combinations to sort through.

    A nice side benefit is that people can write it down, and it just looks like a line of text, not something that screams "password here!"

    --
    Reeses
    1. Re:Use phrases. by praxis · · Score: 1

      If you use English (or other language of choice) for your passphrases, the number of combinations can be greatly reduced by applying filters based on grammatical and n-gram probabilities.


      I would use English (or other language of choice) as a starting point for my passphrase, but then alter certain characters by including numbers, symbols, misspellings, and grammatical mistakes.

    2. Re:Use phrases. by Reeses · · Score: 1

      Yes, it could be reduced, but I still imagine that the total set of possible passwords is still larger than the total set of passwords constrained by the ~200 easily typed characters possible for each of the eight character positions.

      And that's assuming that people don't use nonsense phrases, like their first child's first sentence or something.

      Though, adding the l33ting of characters to the sentence would help make it harder to crack.

      --
      Reeses
  151. Re:If the required dongle is a note under your kb. by grumbel · · Score: 1

    To improve security even more I recommend putting the password not under the keyboard but in your wallet. If somebody gets access to your wallet you are screwed quite a bit anyway (money, credit cards, ID cards, driver's license, etc.). It's of course a bit less convenient than under the keyboard, but quite a bit more secure for sure.

  152. Re:Card reader can be hostile - put PIN-pad on car by shepd · · Score: 1

    It's nice but it still won't win on the hostile ATM. Most ATMs have a camera built in. I think you could be assured a hostile ATM taking cards like these would not have the camera focused in on the user instead of the pin pad... :-D

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  153. RTFA? by m.h.2 · · Score: 1

    Do we even need to RTFA?

    Passwords are nothing new. The concept of using longer, stronger passwords(phrases) is not new.

    We have Security Policies, Acceptable Use Policies, User training... Where have we gotten? In my 15 years in the IT field, I have tried to remain a proponent of user education, but I've recently thrown up my hands. Users are STUPID! Most of the people to whom I've provided service over the past decade can't remember not to take a bath with their hair dryer, let alone 7 unique, strong passwords (or one good password, for that matter).

  154. Wrong kind of physical access by Stephen+Samuel · · Score: 1
    ... then at least a person has to gain physical access to the machine before they can compromise your account.

    There are different kinds of physical access. One is physical access to a desktop box which should, at most, give you access to stuff stored locally on the box. Often this should be roughly nothing, since everything is (or should be) stored on the central server (with backups, etc).

    It's the central server that you're probably trying to secure with often-changed passwords, and access to a desktop box is not the same as getting into the server room without anybody noticing.

    --
    Free Software: Like love, it grows best when given away.
  155. pseudo 2-factor passwords by firewood · · Score: 1

    On one system, I stick a post-it note with my password right on the monitor (plus maybe a copy in an encrypted file sent to gmail). It's a random number which gets changed quite often. Won't do anybody any good though, since it needs to be (pre|post|reverse) appended to a passphrase which I've memorized. The sysadmin can't bust me, because if he/she tries it, it's not the full password.

    This is pseudo 2-factor authentication: something I know, plus the number on the post-it which I probably won't memorize before I have to change it.

  156. Re:If the required dongle is a note under your kb. by WinterSolstice · · Score: 1

    Right. Let's assume you don't work for the company (since anyone who worked for the company I work for would be axed for doing what you just did, and wouldn't need to anyway.)

    Ok, so let's take our most important corporate apps, our desktop machines, and your Knoppix disk/whatever disk for a test, shall we?

    1) You have obtained physical access to the workplace, and ample time.

    2) You attempt to use knoppix. Ok, first problem: We don't install or allow CD drives in 99% of our desktops. No problem for you, you have a floppy too, right?

    3) You boot the machine from floppy into your OS of choice. DHCP works properly, and gives you an IP, DNS, etc. Too bad that sniffing the network doesn't give you much! Our NIS team designed most of our subnets with zombies and sniffers in mind. Private VLANs, reverse-proxies, multiple firewalls, SSH, SSL, etc. To get anything good, you would need to compromise an actual server floor network, and that would be a bit harder.

    4) You look on the local drive. Unfortunately, there is nothing there except for a tiny Win2K NTFS partition. Ok, Second problem: NTFS. No problem for you, since you have an NTFS 5 reader on floppy!

    5) Once able to access this disk, you find that there are only a few directories. Windows, Apps, Program Files, Temp. Hmmm. With some smarts, you install a keystroke logger/ICQ bot/VNC/what-have-you (for future use). That is nice, but it won't actually run when the user returns... more on that later. You find our Reflection app (and know what it is and how to use it). Of course, there are no host shortcuts or session logs.

    6) You go through the IE cookies and temp info, to learn a little about the habits of this individual. Third problem: nothing older than about 5 days... bummer.

    Summary)
    To compromise our environment you need a full list of hosts, usernames, passwords, and a pretty good working knowledge of our apps. Our desktops are locked down to the point of being useless, and are designed to be useless if taken. Users are not even allowed to run the executables needed to double-click on a file. If you actually worked here, you would never need to recover data from a person's computer. They can't store anything on it. Laptops here are almost a joke, since for the people outside of IT, they are practically paperweights.

    Also, as a final note, we are a host-heavy environment. All data, all apps, all tools are host-centric. This does not make it impossible to breach, just more complicated.

    My whole point is that physical access to a machine on a modern secured network is not the keys to the kingdom it used to be. You need to have a lot more now than just a system and a few minutes.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  157. A Strong Password? No, its not too much to ask but by Cassanova · · Score: 1
    >Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    No. It's asking for a similarly strong kind of password on twenty five different websites that eventually becomes the overkill. And people slack out and try to use whatever they can remember easily.

  158. Re:If the required dongle is a note under your kb. by Gyorg_Lavode · · Score: 1
    Of course, we all know that once a person has physical access to the machine, all bets are off anyway.
    Depends what your goal is. In a situation where the workstations are in a secure area, (guards at the front desk, etc), for user passwords, (non system accounts and non-hardware passwords), the goal would be an audit trail linking traffic back to a certain person, not the saving of the machine or securing of the machine from compromise.
    --
    I do security
  159. Re:If the required dongle is a note under your kb. by pdiaz · · Score: 1
    So, I like your method and you like mine ;-). Nice


    anyways, I mainly use One Time Passwords when I'm outside home, like in a cybercafe or something like that. In those places encryption (SSL, SSH) prevents password sniffing, but not keylogging at the machine. OTP is a good solution for these situations. And of course, there is the geek factor of taking out your password list in front of everybody else ;-)

    --
    Make It Secret. Free JavaScript implementation of AES for your browser
  160. Passwords by MarkedMan · · Score: 1

    One definition of insanity is doing the same thing over and over while expecting a different result. Continuing to pretend passwords are the answer, and that somehow user education is going to finally do the trick this time, is insanity.

    We have a known quantity: human beings using computers. We have experimented with passwords on the computer for going on five decades. For any large subset of our known quantity (>25), passwords have failed to remain secure. Over and over and over. People have been threatened, coaxed, fired, and bribed. It still hasn't worked.

    To continue to debate this is a huge waste of time. (On the other hand, me saying this to the slashdot community is a huge waste of time. It WILL be debated, over and over and over again.) It is time to move on. Physical security is worth a look. We need to see how that pans out.

    BTW, this insecure password thing goes way back before computers. In the fairly recent past, take Feynman's description of how he and a janitor broke into the safes (substitute combination for password) at Los Alamos during WWII, the safes which contained the secrets to the nuclear bomb. Combinations written down on little notes, set to people's birthdays, set to the year it was installed, never changed from the factory default: does this sound familiar?

  161. Stupidity finds a way by jdfox · · Score: 4, Interesting

    I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

    We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

    But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

    That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
    Doooo, ya stupid idjit rabbit!

    State-of-the art tech is no match for the apparently limitless stupidity of users.

    In the end, we did the only sensible thing, and revoked offsite dial-in for that group.

    1. Re:Stupidity finds a way by superpulpsicle · · Score: 1

      I always thought SecurID was the most inconvenient but effective system ever devised. That clocksync key chain was mind boggling.

  162. We need to find the way.. not normal users by dukenuke123 · · Score: 1

    The basic problem lies with the fact that the normal user is still not going to care about remembering 8 passwords, no matter how much you educate him. What we need to do is find a better way. How about having a program (freeware) that will use a well-known hash-generating technique to generate 8 passwords using the 1 password the user remembers as a key. This is in no way a complete solution, but for people who have and use exactly 1 PC, they can have this program installed, and then the program can generate 8 passwords and the user will just use the correct one. The program can say: Yahoo Mail - 0nfdsa235wsac Bank of - c3234ea23asa -- -- -- Then of course.. there is the problem of the password used to access this program.. if the user just uses his "the one" password for this program, then again our purpose is defeated. Oh well..
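One way to build the derivation this post describes, added here as an example and not code from the poster: PBKDF2-HMAC-SHA256 from Python's standard library with the site label as the salt is my choice of "well-known hash-generating technique", and the 70-character alphabet and the forced upper/lower/digit/symbol positions are assumptions about the rules the derived passwords must satisfy.

```python
"""Derive distinct per-site passwords from one remembered master secret.

Added example. Same (master, site) always gives the same password, so nothing
has to be stored; a different site gives an unrelated one, so one site's
password leaking says nothing about the others.
"""
import hashlib
import hmac
import string

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 symbols (assumed policy set)
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)


def derive_site_password(master: str, site: str, length: int = 12,
                         iterations: int = 200_000) -> str:
    """Deterministic per-site password of `length` characters derived from `master`."""
    if length < len(CLASSES):
        raise ValueError("length must leave room for one character of each class")
    # The site label is the salt; normalising whitespace/case means
    # "Yahoo Mail" and "yahoo  mail" do not silently become two different passwords.
    salt = " ".join(site.lower().split()).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=length)
    # The first four bytes each pick from a fixed class so mixed-case/digit/symbol
    # rules are always met (costs a few bits of entropy); the rest map onto the
    # full alphabet. byte % 70 is slightly biased, which is acceptable here.
    out = [cls[key[i] % len(cls)] for i, cls in enumerate(CLASSES)]
    out += [ALPHABET[b % len(ALPHABET)] for b in key[len(CLASSES):]]
    return "".join(out)


def meets_rules(pw: str) -> bool:
    """The typical policy from this thread: upper, lower, a digit and a special character."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


def verify_site_password(master: str, site: str, candidate: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about a near miss."""
    return hmac.compare_digest(derive_site_password(master, site), candidate)


if __name__ == "__main__":
    # Constructed sample inputs; the master secret here is only a placeholder.
    for label in ("Yahoo Mail", "Bank of Example", "work VPN"):
        print(f"{label:16s} {derive_site_password('placeholder master', label)}")
```

The program the post imagines is then just this function applied to each site label, with the master secret typed in rather than stored.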

  163. Don't forget "admin" by argent · · Score: 1

    It's the default password on all kinds of home-office routers/firewalls/etc...

  164. Misunderstood concept by Stephen+Samuel · · Score: 1
    Often changing a password is a good idea where that password is used in an automated process (e.g. for nightly backups). Such passwords get used often, are probably stored somewhere and it's not going to mess up most users when they get changed (this also applies to RSA keys, etc.)

    The hardest thing with multiple passwords is that it's hardest when you start up into the system. I can probably memorize one or two passwords a month, but forcing me to change 8-19 passwords every month would drive me absolutely nuts.

    --
    Free Software: Like love, it grows best when given away.
  165. Use Phrases as passwords... by anubi · · Score: 1
    My favorite technique for passwords is one has to use a phrase.

    What my end does is take the phrase, convert all to lower case, and strip out everything but alphanumerics... then run an MD5 on it so in the end I get a clean fixed-length password.

    In my case, I wanted 'lost password' recoverability, so I will also allow logon with the direct MD5, as I am willing to take the security hit in exchange for being able to recover. However, in light of recent events of being able to recover colliding MD5 input streams ( strings of alphanumerics that also produce identical MD5 hashes ), I will probably delete that capability, and in the event of lost password, I will run the MD5 through the collision synthesizer and tell them to logon with this "special password", then have them immediately change their passphrase to something more memorable.

    The idea is to spare humans from having to memorize whether or not they put spaces in the phrase or capitalized certain letters.

    I get the idea that "bob's dog chucked a hairball under my couch", which is just as good as "Bobsdog chucked a hair ball under m ycouch", would still be very hard for anyone to crack, yet very easy for someone to remember. It's those little persnickety things that annoy the living shit out of us humans.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  166. Yep. Same here. by Greyfox · · Score: 1
    I maintain accounts on about 30 UNIX servers all which expire passwords randomly every month or two. Apparently this is mandated by Italian law and thanks to this company doing business in Italy, the entire company gets to conform to that. So I cycle through a bunch of trivial passwords rather than use the bigger passphrases that I use at home. The company doesn't even support passphrases. At LEAST they FINALLY got it down to me having to change the passwords on a couple of web pages rather than having to log in to each machine separately (expectTCL was pretty good for that though.)

    In my contracting company, I have 2 or 3 separate passwords that access different services that I only use about once every 6 months. So they're inevitably expired or forgotten by the time I have to use them again. Nice going guys, I'm SURE that me calling support to reset the password EVERY time I want to access the service is WAY more secure than letting me use my passphrase there.

    So far the most together company I've seen for this is Sun -- they use NIS internally, which means if I set my password somewhere, it gets set everywhere, and all their home directories are on NFS so you can log in to your environment from anywhere in the company. NIS is hella-insecure, but there are more secure directory-based authentication schemes available if I'm not mistaken. So far I've yet to run across a company that has enough of a clue to actually implement those.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  167. Popular passwords... by __aaclcg7560 · · Score: 1

    Here are some passwords that I keep finding at different companies.

    hockey (don't ask me why)
    yousuck (only on Windows machines)
    password (which everyone's account had)

    One company set up everyone's email account password to be first-initial, last-initial, last-initial, and first-initial (e.g., crrc). They changed that in a hurry when one guy got fired on a Monday and used the upper management email accounts to send out email to everyone about how great the sex was that management was having with each other. Those emails were downright funny and everyone was laughing for the rest of the week (except management).

    1. Re:Popular passwords... by OldCrasher · · Score: 1

      Worked at UPS in New Jersey back in 1993. One particularly ugly morning - there were many ugly days at UPS - the automatic password expiration process kicked in. It threw me off my session and demanded that I change my password. I myself was in an ugly mood, so selected as my password "fu*kyou". This seemed appropriate for a place like UPS, at that time. I logged back on and continued to do my work.

      Within an hour I was kicked off again, and couldn't log back on. I called systems and they told me the account was disabled and I should talk to my manager. My Manager? I saw the manager and he called, they said they needed his authorization to re-enable my account...

      I called systems again. This time they were a bit more willing to talk. It turns out the passwords were held by the UPS mainframe in clear text... and monitored. The sys admin girl seemed a little shocked on accessing my account. I asked, "Was it the password?" "Oh! Yes!" was the reply.

      So, security be damned.

      I have to say, I have never again used that password!

    2. Re:Popular passwords... by buckeyeguy · · Score: 1
      At a previous job, the security admin ran a cracker against the passwords periodically, to see if people were using 'easy' passwords. Certain patterns emerged:

      Kid, wife and pet names were widely used. Nothing new there.

      The entire company used f*ck and s*ck in combination with the company's name.

      The employees at the Dutch subsidiary included 'sex' in their password so frequently that the 'sex' count became a running gag with this procedure.

      And there are just some things you don't want to put in your password. A husband and wife worked at the main location, and while the hubbie's pwd didn't say much, the wife's basically read "123byebyehubby". Wonder if they're still together, hehe.

      --
      I'd have a personalized plate on my car, but "toxic bachelor" won't fit into 7 letters.
  168. Anyone else use STRIP? by DerficusRex · · Score: 2, Informative

    It's a GPL utility for PalmOS that stores your pw list encrypted with 256 bit AES. It's also got a decent password generator, and can do S/Key OTPs. Here's the site.

  169. Easy to get in by Safety+Cap · · Score: 1
    With some smarts, you install a keystroke logger/ICQ bot/VNC/what-have-you (for future use). That is nice, but it won't actually run when the user returns...

    I think you're wrong about that.

    So, I install a KL on the CFO's machine, grab your actual SOX docs (not the "doctored" ones you want to release) and send them to the feds. Your key people go to jail for flagrant violations, and then I move in, install my own people into key positions and wait...

    --
    Yeah, right.
    1. Re:Easy to get in by WinterSolstice · · Score: 1
      Well, that is a very nice device, and it comes under this part:

      To compromise our environment you need a full list of hosts, usernames, passwords, and a pretty good working knowledge of our apps. (snip) Also, as a final note, we are a host-heavy environment. All data, all apps, all tools are host-centric. This does not make it impossible to breach, just more complicated.

      So, this keylogger (which is quite cool) would, upon your return, allow you to have the userids and passwords. I assume it would be in some usable form.

      You still wouldn't have entire documents, hostnames, or things of that nature. Those are all mouse based, or display only. You would have the CFO's password and username, and be able to view the network as they see it. Therefore, you could go through their email, network drives, etc.

      Definitely an issue, and I think it is one worth mentioning to our security team :). I think we need to switch to USB keyboards now.

      -WS

      --
      An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  170. RSA &co by oliverthered · · Score: 1

    Don't rely on passwords; use things like RSA SecurID cards.

    They basically generate a new pseudo-random number every 20 seconds; you log in with your id, your 'password' and the random number.

    That way users can pick weak passwords, backed up with one that changes every 20 seconds.

    --
    thank God the internet isn't a human right.
  171. That's why I just use 'password' by banausikos · · Score: 0

    Oops, probably shouldn't have admitted that.

  172. Easy obscure passwords by caryw · · Score: 1

    I use passwords that I do not consciously remember, but manage to do it very easily.

    Instead of basing a password on a word, I base passwords on keyboard finger patterns.

    For example, one of my passwords might be "pqlsnv" or maybe "ju7ft6la"

    Open notepad and type one of them out. Go on, try it.

    Note the alternating finger pattern.

    You can create very complex passwords with this method that are virtually impervious to dictionary based password crackers.

    Definitely a novelty in having a password that my fingers know by heart but my mouth couldn't recite if my life depended on it.

    - Cary
    Tell the FCC you demand broadband choice!
    Fairfax Underground, where Fairfax County comes out to play

    1. Re:Easy obscure passwords by acceleriter · · Score: 2, Funny

      Just stay away from Dvorak keyboards!

      --

      CEE5210S The signal SIGHUP was received.

  173. dictionary words by Anonymous Coward · · Score: 0

    For years, I've obfuscated dictionary words enough that I think they are pretty damn strong passwords. For one, my PWs are never less than 12 characters. I ALWAYS use symbols, upper and lower case letters and numbers... the trick to obfuscating a word so that it can not be cracked with a dictionary is to use two symbols, or a number and a letter or some such to represent a single letter of a word...it doesn't even have to LOOK like the letter being represented, as long as you can associate the letter with the characters you've chosen, you're golden... good luck friends, keep biometrics at bay. (Gattaca is not where I'd like to go).

    P.S. one more thing, physical memory of a password is really good too. if you're a touch typist, just type your password a whole bunch of times, saying the characters to yourself as you do, and after a while it just kind of flows.

  174. Re:Card reader can be hostile - put PIN-pad on car by Anonymous Coward · · Score: 1, Interesting

    Doesn't matter since the PIN-on-Card scheme uses a challenge/response. You need the physical card and its PIN; you can't swipe the magstripe like today's hostile ATMs and make a copy of the card.

    So you need to take the physical card, at which point you might as well take the money instead. The owner will know and will block the card immediately.

  175. fun with truncated passwords by agw · · Score: 1

    I remember a company which had most of their UNIX passwords set to the machine's hostname + a secret number.

    Unfortunately they had machine names longer than 8 characters and their passwords were only verified on the first 8 characters. Go figure.

  176. Daily password changes by snuf23 · · Score: 2, Funny

    I once worked for a company where the insane CEO (dotcom era) decided to get serious about security by requiring daily password changes.
    The cool thing was that they never implemented any restriction on what the passwords could be.
    I think the most common passwords that resulted were Monday, Tuesday, Wednesday etc.

    --
    Sometimes my arms bend back.
  177. Teaching users. by Stephen+Samuel · · Score: 1
    I have a page that I direct most of my students to when trying to teach them passwords. It's changed slowly over time, but it tries to teach them the passphrase method. (it was originally based on the problem that, until recently, Solaris has been limited to 8 character passwords).

    Getting users to use secure passwords is a serious problem. For classes, I've gotten to the point of giving them my treatise, letting them set their passwords and then using something like John-the-ripper to crack people who choose bad passwords. Doing it in front of them and getting a handful of passwords in under a minute will generally get the attention of at least some of them.

    One thing to note about the 'change the password every few weeks' approach is that it presumes that an intruder has access to the encrypted password file. Given current security systems, it's now rare that you have access to the encrypted password unless you've already gotten admin access -- at that point you can expect that your security is hosed, anyways.

    Rather than just not suggesting that sites use the 'change every 6 months' rule, it should be explicitly discouraged unless you have seriously elite users with the cycles to spare for repeated memorization.

    --
    Free Software: Like love, it grows best when given away.
  178. Re: Use BIOMetrics by Porn+Whitelist · · Score: 1
    username: cmdrtaco
    cock size: 2inches
    We have the technology to fix that ... at least that's what the 9326 spam I see every day claim.
  179. The problem with changing passwords regularly by TheLink · · Score: 1

    IMO the problem is I don't think most people's memories are good at holding something as very important and THE THING to remember, then after 3 months it's something else to remember.

    I believe most people's memories work such that if something is of great interest you remember it for a very long time AND it's usually contextual.

    E.g. You press this button to do this, you use this tool for this job, you use this berry to dye stuff this colour, this leaf tastes like this and produces this effect, etc. And human memories work fine if these contexts/links don't change every 3 months.

    After changing passwords every 3 months after 5 years even if you can remember those passwords, your memory might be associating ALL those 20 passwords with the "access"/application and you might not know which password is the one out of 20 that's linked to the stuff you want to "unlock" with the password.

    If there's a lockout after 3 tries that makes it even more fun. In which case you ALSO have to remember that previous passwords are no longer valid as well, rather than just try all of them ;).

    I wonder if it could work if you carry around a coloured pattern (or some other mnemonic/symbol/picture) that you change each time your password has to change. That way you are cued to remember the right password. And you associate the pattern with the password, and not the access/application with the password (which is probably what most people do).

    Scents could produce very strong cues since scents can be tied strongly to memories, but you could run out of distinct scents pretty rapidly.

    Maybe one could make a software/device that generates and stores passwords.

    First you enter the context, it supplies the symbol and/or musical tones AND password. You associate the mnemonic (symbol and/or musical tones) with the password.

    When you want to use it, you enter the context or select the context from a list of contexts, then the mnemonic is displayed/played. Hopefully this cues you to remember the right password.

    The passwords could be encrypted and stored in the device too. If you use public key encryption then you can have it so that the passwords can only be unlocked with a key/associated device that's stored in a safe place elsewhere.

    You could store the password in the secured device, but that means you need to take out the secured device every time you make a new password.

    A good way would be to have the passwords encrypted on the carried device, and copied to the secured device whenever you connect the two together.

    Don't think there's big money in this. All that tech and the user's brain still needs to work ;).

    I'll wait for auxiliary digital brains. Then you can shove the problem under a different carpet...

    --
    1. Re:The problem with changing passwords regularly by maximilln · · Score: 1

      IMO the problem is I don't think most people's memories are good at holding something as very important and THE THING to remember, then after 3 months it's something else to remember

      Agreed. It's also that passwords are overused. People, at first, balked about filling out online registration forms for every site they wanted to access. When the tout changed to signing up for an account, well, that made everything better.

      After changing passwords every 3 months after 5 years even if you can remember those passwords, your memory might be associating ALL those 20 passwords

      I've noticed that certain character combinations tend to recur in my passwords. For example, "nP", "rQ", and "e4" are common. When I remember my passwords, especially early in the morning or late at night, I may end up mixing portions of a password together.

      e.g. root on (one of) my home systems is "tTe4mRxC7". A password for (one of) my common Hotmail accounts is "e4gUmC2p". When checking Hotmail early in the morning, sometimes I'll end up with "e4mRxC2p".

      Ugh.

      --
      +++ATHZ 99:5:80
  180. My pet peeve: Exactly eight by cfalcon · · Score: 1

    One of my biggest gripes is the "exactly" requirement that some places have. Your password must have at least one number, at least one special character, at least one lowercase, at least one uppercase, and be EXACTLY eight characters long.

    Lame-O!

    So now it isn't "think of something secure" (which I'm ok at), it's "think of a phrase with eight words, or a thing with eight letters, or have something longer and stop typing when you hit eight characters."

    Because what I wanted was a poetry contest.

    Sheesh.

  181. 8?! I wish. by Derekloffin · · Score: 2, Interesting
    I had about 8 passwords when I first entered college. I'd guess I'm way over that now, nevermind the obscure user names on top of these.

    I mean, let's just see:

    At Work:

    general network, 1 email, 5 account passwords.

    At Home:

    1 email, about 3 for various online games, and 2 for instant messaging programs.

    Online:

    About 4 for various online vendors, 1 for a website I commonly go to, and probably another dozen I just got along the line for sites I rarely visit.

    Out and about:

    Can't forget that pin number

    I'm not at school anymore, but when I was:

    1 network

    3 computer science account passwords

    1 library

    So, what's that, 20+? I'm not even a heavy online shopper so I could expect many other people to easily break 30+. And again, this doesn't consider that many sites demand some cryptic username too, and stupid security protocols that demand you change your password every other week.

  182. No shit! by lorcha · · Score: 2, Interesting
    I know the feeling. I just started a new job and I needed to come up with a login password. The password I wanted to choose was a pretty-much unguessable 'wkxudf1'.

    But nooooooo that was not acceptable. It needed a capital letter and a special character. By the time I was done fighting with the password change program, my password was 'Abcdef-1'. Take a wild guess what my password will be when I have to change it next month?

    Totally insecure, but at least I can fucking remember it. And if I ever forget, I can just look at my /. comment history!

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
    1. Re:No shit! by evilviper · · Score: 1
      pretty-much unguessable 'wkxudf1'

      Highly insecure I'm afraid. Throwing special characters into the mix is an absolute must with a short password like yours, and mixed-case makes things MUCH harder as well. If your password was 20 characters long, I'd be agreeing with you, but 6 letters followed by a number could be broken in no-time flat.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  183. Wouldn't it be better... by Spy+der+Mann · · Score: 1

    to allow 24 or 32 character passPHRASES ?

    "I had a doll dressed in blue".
    Or, the 1337 version:
    "I 0wn3d a d011 dr3553d 1n b1u3".

    Try bruteforcing THAT.

    1. Re:Wouldn't it be better... by Anonymous Coward · · Score: 0

      most systems will ignore the strings after the 8th or the 11th character. Just test it...

  184. Or just use a Palm Pilot by Dr.+Manhattan · · Score: 3, Interesting
    There are tons of encrypting password apps for handhelds. At various times I've used:

    Lots easier to work with multiple places (home, work, web, etc.)

    --
    PHEM - party like it's 1997-2003!
    1. Re:Or just use a Palm Pilot by wfberg · · Score: 1

      Using an encrypted password list on your palm or pocketpc (or even mobile phone..) is a good idea to patch up problems with the current situation.
      However, as tokens, they're not so hot.

      Because the secrets aren't stored in a tamper-resistant chip, the file containing the password list is subject to brute force decryption attempts, whereas a smartcard blocks after 3 tries. So, the strength of your password list depends on the strength of your master password (assuming the hash and encryption algorithms are sound).
      With a 3-try-PIN brute forcing is impossible; the odds are always 1000:3 of an attacker getting it right.

      So it's no replacement for suitably secure tokens.
      Also note that tokens can also provide 2 factors of identification, while a password list still only provides the one.

      --
      SCO employee? Check out the bounty
  185. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0
    Win2K NTFS partition

    Dude, why didn't you start out by saying you guys use windows.

    In that case, you don't even need to jump through the hoops; a simple email titled anna kornukova nakid will compromise 90% of your systems.

  186. Just set up a clients email system by foniksonik · · Score: 1

    And they requested that all email accounts use 1234 as the password... ;-p

    One person said "i don't really need email, you can skip me."

    Amazing!

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  187. Common Passwords by Anonymous Coward · · Score: 0

    Come on I mean everyone knows the most common passwords...love, sex, secret, and god

    Wait what happened...i blacked out there for a moment...i didn't say anything stupid did i?

  188. Password hashing has implications too by uqbar · · Score: 1

    I have similar categorizations for passwords, but where a password sits also varies on how secure it is. If it's a site that clearly doesn't hash the password (i.e. they can email your password to you), then I work under the assumption that this password could be compromised by an insider at the website. As painful as it is, these sites get their own passwords, unless the password is my low security, "I don't care if you know" password. I don't want some insider taking this password from some shopping site and using it to try to use my Amazon account, for example.

  189. Companies have gone overboard! by Anonymous Coward · · Score: 0

    The password rules and frequency of needing to have them changed have created a situation where people that should know better, make a deliberate decision to bypass the password rules.. I for one use root to temporarily change my user settings so I can re-use a password over and over again.

    Why can't the security teams in big companies do the smart thing and concentrate on preventing hackers from getting to a login prompt rather than pissing off their employees!!!!!!

    I guess they find it easier to make rules and bitch at employees than do anything useful!

  190. I don't even bother... by crovira · · Score: 1

    I just call the help desk for a new password whenever I have to log onto these damn sites.

    I have a fingerprint reader on my desktop and until they wake the fsck up and get their systems to use that, I deal with the help desk.

    I think the reader would be a much better solution and tell them every time I get the chance to, once a month for every damn system :-)

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  191. One word by oliverthered · · Score: 1

    Keyboard logger, anyone who could get that close to you could put an in-line keyboard logger on your PC and get your password that way.

    Failing that I'm sure you can measure inductance in the wiring that makes up a keyboard, every time a key is pressed you'll get a different amount of induction because of the longer and shorter circuits.

    --
    thank God the internet isn't a human right.
    1. Re:One word by Anonymous Coward · · Score: 0

      FYI:
      "Keyboard logger" is actually two words because there is a space between the letters.

      And no one is talking about keyboard loggers. They're talking about insecure passwords created by obnoxious users.
      Thanks

    2. Re:One word by risinganger · · Score: 1
      At that point as long as the security measure being used is based on any form of password then it doesn't matter how complex or simple the password is.

      This doesn't in any way break the parent's solution based on its own merits but rather any solution based on password entry and also places you on far more dodgy ground than managing to guess somebody's password I would say.

    3. Re:One word by oliverthered · · Score: 1

      Ah.. I see we have a 10-year-old genius.
      Keyboard logger as a noun could be one word.
      Keyboard logger as a job would be two.

      --
      thank God the internet isn't a human right.
    4. Re:One word by oliverthered · · Score: 1

      Wrong, haven't you read anything on this story.
      1: SecureId, the password changes every few seconds making logging pointless.
      2: Biometrics, biometric data changes all the time so an exact copy won't work as a password. You could probably use HMM and try and put some natural looking variation into the data.

      --
      thank God the internet isn't a human right.
  192. Re:My pet peeve: Exactly eight by OldCrasher · · Score: 1


    "Lame-O!"

    Error. Password Invalid.
    Only seven characters. Must be 8.

  193. Re:If the required dongle is a note under your kb. by TheMadRedHatter · · Score: 4, Funny

    >a E9 b ?p c &m
    >d 6K e aY f eP
    >g !S h gn i D=
    >j Hd k vw l Cb
    >m W5 n 4$ o R3
    >p x% q 7M r NF
    >s +2 t s* u Ay
    >v fL w zG x Zu
    >y cX z Qr

    So what does the output of that Perl script look like? ;-)

    -- TheMadRedHatter

    --

    while(1)
    {

    }

    Ah, the story of life.
  194. How about a fingerprint? by crovira · · Score: 1

    I've got a reader here.

    Now if I can just get them to upgrade their systems to friggin' well USE them, that will get rid of one call per month per system...

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  195. Some password policies are just braindead by rongage · · Score: 1

    My current employer has a very strict password policy in place - minimum 8 characters long, numbers in the middle, no numbers at the beginning or end. Password aging is set for 180 days. At least on their main systems, you get to pick your own password. This is all well and good until...

    On their wireless devices, we aren't so lucky. The passwords are system generated and change every 30 days. Yes, of course the passwords here are completely random and are always 6 characters long. When the password changes, you get a total of 60 seconds to memorize it. As with any other security aware company, you are not supposed to write your passwords down anywhere.

    Let's see, random non-user generated password, 30 day password life, 60 seconds to commit to memory, can't write it down. I wonder how well this works in real life (wish I had access to the number of password reset calls this policy generates).

    --
    Ron Gage - Westland, MI
  196. You've posted this before by 5n3ak3rp1mp · · Score: 1

    I've definitely seen this exact post before. I know because I ended up using a similar method to create a lookup table that I keep in my wallet!

    1. Re:You've posted this before by nizo · · Score: 1

      Yes, and this time I saved the text so the next time a "don't write your passwords down" article comes up I can just paste it in for an instant +5 informative :-)

  197. Re:If the required dongle is a note under your kb. by jabuzz · · Score: 1

    That is just 358800 possible 8 character passwords, which is in the realms of being brute forced. Better than having the password actually written down but not secure by any means.

  198. what about session passwords ? by Anonymous Coward · · Score: 1, Interesting

    There are password generators available which calculate session passwords against a user name in combination with a password. If you want to login you get a passphrase which has to be put into a session password calculator within 30 seconds. Otherwise the session password is denied by the system. On the other hand using a different user administration (like LDAP) than system default in combination with a hardened system (like Trusted Solaris) makes it more secure against hackers. Such a system uses role based access to the system. Even the root user doesn't have rights to access user directories of other users on that system.

  199. "shocking nonsense" by madrivertech.com · · Score: 1

    The best easily used technique for inventing passwords is "shocking nonsense."
    Passphrase FAQ
    2 October 1993

    '"PGP," warns Dorothy Denning, a Georgetown University professor who has worked closely with the National Security Agency, "could potentially become a widespread problem."' -- (E. Dexheimer)

    Comments to: Grady Ward, 1GOTO1@gmail.com

    FAQ: How do I choose a good password or phrase? ANS: Shocking nonsense makes the most sense
    With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability.

    For example, Deputy Ponder with the Los Angeles County Sheriff's Department admitted in early 1993 that both they and the FBI despaired of breaking the PGP 1.0 system except through a successful dictionary attack (trying many possible passwords or phrases from lists of probable choices and their variations) rather than "breaking" the underlying cryptographic algorithm mathematically.

    The fundamental reason why attacking or trying to guess the user's password or phrase will increasingly be the focus of cryptanalysis is that the user's choice of password may represent a much simpler cryptographic key than optimal for the encryption algorithm being used. This weakness of the user's password choice provides the potential cryptanalytic wedge.

    For example, suppose a user chooses the password 'david.' On the surface the entropy of this key (or the number of different equiprobable key states) appears to be five characters chosen from a set of twenty-six with replacements: 26^5 or 1.188 x 10^7. But since the user is apparently biased toward common given names, a majority of which appear in lists numbering only 6,000-7,000 entries, the true entropy is undoubtedly much closer to 6.5 x 10^3, or about four orders of magnitude smaller than the raw length might suggest. (In fact this password probably possesses a much smaller entropy than even this for the very common name "david" would be one of the first names to be checked by an optimized dictionary attack program.)

    In other words the "entropy" of a keyspace is not a fixed physical quantity: the cryptanalyst can exploit whole cultural biases and contexts, not just byte frequencies, digraphs, or even whole-word correlations to reduce the key space he or she is trying to explore.

    To thwart this avenue of attack we would like to discover a method of selecting passwords or phrases that have at least as many bits of entropy (or "hard-to-guessness") as the entropy of the cryptographic key of the underlying algorithm being used.

    To compare, DES (Data Encryption Standard) is believed to have about 54-55 bits (~4 x 10^16) of entropy while the IDEA algorithm is believed to have about 128 bits (~3.5 x 10^38) of entropy. The closer the entropy of the user's password or phrase is to the intrinsic entropy of the cryptographic key of the underlying algorithm being used, the more likely an attacker would need to search a substantially larger portion of the algorithm's key space in order to rediscover the key.

    Unfortunately many documents suggest choosing passwords or phrases that are distinctly inferior to the latest method. For example, one white paper widely archived on the internet suggests selecting an original password by constructing an acronym from a popular song lyric or from a line of script from, for example, the SF movie "Star Wars". Both of these ideas turn out to be weak because both the entire script to Star Wars and entire sets of song lyrics to thousands of popular songs are available on-line to everyone and, in some cases, are already embedded into "crack" dictionary attack programs (See ftp.uwp.edu).

    However, the conflict between choosing an easy-to-remember key and choosing a key with a high level of entropy is not a hopeless task if we exploit mnemonic devices that have been used for a long time outside the field of c

  200. Game the system by nsayer · · Score: 1

    Schemes like this are easy to defeat: Put the calendar month and year in your passphrase. A password scheme that requires upper and lower case letters, special characters, numbers and must be between 6 and 12 characters, and must be changed every 30 days can be

    Dec,04

    this month. I'm sure you can guess what it will be next month.

    Lousy password, sure, but that just points out how easy rule-based schemes can be thoroughly gamed.

  201. Re: password security by djmurdoch · · Score: 1

    The best part was after sending a note around on the new policy of 12 digit case sensitive alpha numeric mkpwd (or mkpasswd i forget which one is which)

    and then later ...

    The next problem are managers who are more worried about the whining of their staff in regards to the ENSLAVEMENT of having to remember 10+ digit alpha numeric passwords (I have trained myself to do it in 8 looks.)

    So you can memorize 10 digit alpha numeric passwords in 8 looks, but can't remember whether it's mkpwd or mkpasswd? How many tries do you need on those passwords?

  202. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0

    What about the password taped to the monitor?

    Hey, I have given up. I just make my passwords up as I go along. If I remember them when I need to, no problem. If not I just click on the "I forgot my password" link.

    This has been the best reading in a long time.

  203. Re:If the required dongle is a note under your kb. by Cryptnotic · · Score: 1
    while(1)
    {

    }

    Ah, the story of life.
    Actually, I think you mean something like:
    while (!dead) {
        /* TODO: add something useful here */
    }
    --
    My other first post is car post.
  204. Yes, I think it is too much to ask by Anonymous Coward · · Score: 0

    I was talking to my co-workers (C++ programmers, good ones, high exp points). I told them I wrote a prog for my PDA such that I could generate a password (mixed case, numeric only, 6-12 characters, because some sites have those unreasonable restrictions) based on a pass phrase and the link (beginning part of the URL). Both said I am nuts, and paranoid, almost immediately.

    I think this is age gap thing (they look older than I am, but in fact, I am not much younger than they are).

  205. The problem is system wide by Anonymous Coward · · Score: 0

    No one complains about one password but the security "experts" are being myopic. They are not taking into account the myriad of passwords we have at work and the even greater batch outside of work. Constantly having to change all of them given their different requirements (and let's not forget all the usernames you have in addition to passwords.)

    When systems fail broadly it is not the users, it is the system.

  206. Password Programs and Patterned Passwords by death00 · · Score: 1

    I use two schemes to help me out. First, I use Whisper to store my passwords. It's fairly secure, requiring a password to access, though I suppose it can be opened using various attacks on the MS Access database file password storage. Second, I use the password generator in Whisper to create patterned passwords. My employer requires 10-digit passwords with at least one number and a combination of upper and lower case. From Whisper, I use the pattern cvcvcvcV## ("c"onsonant, "v"owel, capital "V"owel and two numerals). This gives me a password which is easy to remember because it can be pronounced. Alternating consonants and vowels generally makes a pseudo-word, for example: romabuL45. You can "say" this better than qt1l#Gikx, at least in my opinion.

  207. Re:If the required dongle is a note under your kb. by Kazoo+the+Clown · · Score: 1

    So, if someone finds your paper, all they have to do is try guessing simple words like "bank," "ebay," etc., or bruteforce a batch of dictionary words...

  208. "New Password Every n Days" == t3h lame by Anonymous Coward · · Score: 1, Interesting

    At my job as a DoD contractor on an Army post, we recently had to start using DoD's new uber-leet password schema, as seen on the Army webmail site--(at least) two upper, two lower, two numeric, two alpha, two punctuation--and change them every 90 days. Guess how we've been told to do it? Have the two numeric at the end, and increment them. (posting A/C for obvious reasons)

  209. Re:If the required dongle is a note under your kb. by MBGMorden · · Score: 1

    You seem to be taking some offensive tone as if he worked at *your* company. Not everywhere is set up like you are. You do realize that just because what he said wouldn't work on your network doesn't invalidate his claim?

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  210. My password is Pi by Archangel+Michael · · Score: 2, Interesting

    I just won't tell you the starting offset. :D

    I always imagined that Pi or one of the other irrational numbers would be a great encryption hash. Easy to generate, remember etc, but hard to hack, since we don't know the starting offset.

    It could be a nonrepeating hash or even a repeating one. All you would need to know is the starting offset, you could encrypt a very long document, with a singular and easy to remember hash point, ie Pi x 259313 r1024 would mean Pi hash starting at 259313 repeating 1024 numbers.

    I am sure that some pointy head math wizard will explain why this will not work.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:My password is Pi by AlephNot · · Score: 1

      Despite my nick, I'm not a "pointy head math wizard", but I'll take a stab at why it might not be as secure as you think:

      The whole point in making passwords as convoluted as possible is to minimize brute-forceability. If someone knew you used pi for your passwords (and you just told all of Slashdot, so there you go :-), then all that would be needed would be the starting offset. The offset you give is less than a million, so assuming all the offsets you use are less than a million, that gives a dictionary of a million offsets to brute-force--very easy by modern standards.

      As far as the repetition period goes, once the offset is known, all the attacker would have to do is start brute-forcing the repetition periods to get the rest of the encrypted document. Sorry to bust your bubble. :-)

      --
      "Feel a glory in so rolling / on the human heart a stone" --E. A. Poe, "The Bells"
    2. Re:My password is Pi by c4ffeine · · Score: 1

      I'm probably missing something here, so please correct me if I'm wrong. But you seem to forget that the attacker doesn't know the length of the password. So, your method wouldn't work- there's much more than a million offsets.

      OK, this doesn't sound right, but I can't see why, so I'll post it and let a better math wizard correct me.

      --
      "73% of quotes on the Internet are made up" -Ben Franklin
  211. Just don't have passwords at all. by gilgongo · · Score: 1

    It's always bothered me that authentication is the default condition for systems when in so many cases just a simple user name would do. firstname.lastname, hit enter and get in.

    Why do you need to demand a password from every user that, say, wants to edit a document on the file server? Why does a VPN need a login as well as a password to see the file servers after that? Why do I need a password to get to the timesheet application on the intranet when I'm ON the network already? What's wrong with just giving it my name? Even worse, why do all these systems require a different pattern of login? Even if I wanted to use my super-secret, 8-character password for the VPN, I can't because it wants a 10-character password with at least three numbers in it. So I reach for the stickynotes.

    If authentication was NOT the norm, perhaps people would THINK about whether there was anything important they wanted to protect, and then ask their admins to protect it with massive encrypted, highly-authenticated logins.

    As it is, the current situation stifles that mentality. It's literally a false sense of security. "It's all passworded up to the eyeballs every which way you can imagine - everything must be secure!" Then they wonder why users write stuff down on sticky notes...

    I realise that if you don't know what's secret then you have no choice but to protect it all, but jesus, the current situation is just nuts.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  212. Re:If the required dongle is a note under your kb. by nizo · · Score: 1

    Yeah I actually thought of that, which is why I typically use longer words (say maybe "mybank") for the memory word, or extra "secure bits" that I tack onto any password I care about. I have also thought about modifying this to include control characters for extra secure goodness.

  213. Re:If the required dongle is a note under your kb. by shis-ka-bob · · Score: 1

    What dime store do you go to? It must have been a lot racier than the one in my neighborhood. The dime store is gone, another WalMart victim.

    --
    Think global, act loco
  214. We're not all nerds, you know. by Anonymous Coward · · Score: 0

    Sometimes Slashdotters aren't acknowledging a very simple fact: Not everyone cares about computers and computing as much as we do. Therefore, the short answer is, yes, it *REALLY IS* difficult to ask people to create a password using a "...combination of alpha-numeric characters". Most people don't think in the abstract. So it's hard for some people to form an abstract password. And if they DO create an alpha-numeric password, they'll forget it, or fail to write it down, or think they can remember it because they... well, they just will.

    So stop treating everyone on Earth like they SHOULD know how to use a computer the right way, or grasp concepts as easily as we do here. Give people credit: Some of them are hard working BLUE collar people with no care for computers. They just want to go to work, be entertained, and go to sleep. That's it.

  215. Re:If the required dongle is a note under your kb. by glenstar · · Score: 1

    Actually that is a perl interpreter in obfuscated brainfuck... and if you couldn't tell that then you are *obviously* not a real programmer.

  216. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0

    I have a method just as good. The subway map for London is on my wall. The station names make great passwords, and there are plenty of them, and all I have to do is look up to find the right one. The great thing about it is that they're all in plain view for everyone to see. All anyone thinks is "hey that's a cool looking map".

  217. Re:If the required dongle is a note under your kb. by jmole · · Score: 1

    What happens if you lose the paper? That means you lost your password. So how are you supposed to change it?

  218. Re:If the required dongle is a note under your kb. by damiam · · Score: 1
    It's a lot easier for me to see your password on your monitor and remember it than to buy and install a $100 keylogger (and that's for PS/2, USB keyloggers are pretty much impossible to find).

    Yes, people can crack your machine even if you don't flaunt your passwords, but it's much simpler (and hence more likely) when you do.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  219. Re:If the required dongle is a note under your kb. by damiam · · Score: 1

    Rerun the perl script.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  220. Worse security post-Sarbanes-Oxley by wsanders · · Score: 1

    One of the minor points in the article is that S-O empowers PHBs everywhere to think up even more ridiculous password policies that end up making everyone write their passwords down on paper. A typical post-S-O Domain password policy is to implement changes every three months that reuse no part of the original password. When you have 10+ passwords all with slightly different length and funny-character requirements you are just going to write them down.

    Another example of a failed attempt to micro-regulate technology.

    If you really wanted to get people's attention: A weekend spent picking up litter on the highway wearing an orange vest with "SOMEBODY GUESSED MY WEAK PASSWORD" on the back.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  221. Re:If the required dongle is a note under your kb. by jmole · · Score: 1

    He said it randomly generates though. If it randomly generates it will not generate the same matrix again.

  222. Re:If the required dongle is a note under your kb. by shis-ka-bob · · Score: 1
    Where are you getting that? If he chooses a 4 letter word to encode, then there are at most 26^4 = 456,976 combinations. Most of those are not easy to remember words. So this will only generate a relatively small number of distinct passwords. If the code sheet is compromised, then this isn't very good. If the original 4 letter word is easy to guess and the sheet is lost, this method is very weak.

    If we assume that the code sheet is a secret, then this becomes a much stronger way to generate passwords. Lets say I correctly guess that his password is 'bank', but I don't have his cheat sheet. There are (26+26+10+10)^2 = 5184 possible symbols for each letter, assuming that we use only 10 special characters. If we have 4 of these symbols, that gives 5184^4 = 722,204,136,308,736 combinations. This is pretty good.

    Am I missing something? Where did you get 358800?

    --
    Think global, act loco
  223. Broken passwords in 45 to 60 days? by bored · · Score: 1

    If someone can crack your password in 45 to 60 days then you probably need better security rather than having your users change the password every month. That guy is full of shit, and I hate "experts" who are full of shit. If the average is 45 to 60 days there is a good chance that the password will be found in the month between password changes.

    If it's actually possible for their system to be broken in 45 days then the real problem is probably the people who are allowing the password hashes to be published, or who are allowing the failed password attempt timeouts to be too short. Without the password hash, it should be pretty much impossible with a 30 second bad password delay and a 30 minute delay if entered 3 times incorrectly to break that password any time in the near future using brute force methods. Especially if the user id list isn't published. Not only that, if your system admin doesn't notice the constant failed password attempts then it's even worse. I would be far more concerned about home users' computers being compromised with key loggers, plaintext internal protocols, and users who are using the same password for intranet as well as internet sites masked as intranet sites (The company I work for uses a number of internet sites masked as intranet sites).

    I don't have a clue where that 45 day number came from, sounds like something that got pulled out of someone's ass. I have a friend who has a reverse password hash running on his machine with a few hundred gigs of storage, given a standard unix password file with weak passwords it can generally find a few matches in a matter of seconds. The moral of the story is keep the hashes and the user ids secret, changing passwords every month or so just sounds like it's inviting more people to write their passwords down.

  224. I was bored... by Cryptnotic · · Score: 1
    I was bored and I hadn't written any perl in a while, so I implemented your script:
    #!/usr/bin/perl
    use strict;
    use warnings;

    # Code sheet generator: each letter a-z is paired with two random symbols,
    # three pairs per output line. The sheet is the whole secret of the scheme,
    # so it has to be kept as carefully as the passwords it encodes.
    # Same symbol set as before, built without '#' inside qw() (which warns).
    my @chars = ('a' .. 'z', 'A' .. 'Z', 0 .. 9, split //, '!@#$%^&*');
    my @keys  = ('a' .. 'z');
    my $cnt   = 0;

    foreach my $x (@keys) {
        print "$x ";
        # rand(@chars) ranges over every index; rand($#chars) would never
        # select the last symbol. Note that perl's rand() is not a
        # cryptographic generator, so the sheet is only as unpredictable as it is.
        print $chars[rand @chars];
        print $chars[rand @chars];
        $cnt++;
        if ($cnt == 3) {
            print "\n";
            $cnt = 0;
        }
        else {
            print " ";
        }
    }
    # Finish a partial last line (26 letters leave two pairs on it).
    print "\n" if $cnt != 0;
    I had to remove whitespace to fix Slashdot's "Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted." filter. Reformat according to taste.

    --
    My other first post is car post.
    1. Re:I was bored... by nizo · · Score: 1
      My code is too crappy to post, but some things it does that yours doesn't seem to:
      - Tosses out some characters (number one and little letter L for example) since they can be hard to tell apart. Anyone know of a decent font that makes ALL of the characters look different? (zero and big letter o, eight and big letter B, etc)
      - Makes sure none of the two characters associated with any letter are the same

      Thanks for the code btw, when I rewrite mine I will use chunks of yours that look nicer :-)

    2. Re:I was bored... by Lehk228 · · Score: 1

      I have found the TI-86PC font for the Texas Instruments graph link software is very good for that, the '1' is different from 'I' and different from 'l' as well as having the slash through the '0'

      --
      Snowden and Manning are heroes.
    3. Re:I was bored... by BandwidthHog · · Score: 1

      Any OCR font (like what's printed at the bottom of a check) should do the trick.

      --

      Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  225. Re:If the required dongle is a note under your kb. by theLOUDroom · · Score: 1

    I have a method just as good. The subway map for London is on my wall. The station names make great passwords, and there are plenty of them, and all I have to do is look up to find the right one. The great thing about it is that they're all in plain view for everyone to see. All anyone thinks is "hey that's a cool looking map".

    Actually that's not a very good idea.
    It's pretty much one step away from a note under your keyboard or your mother's maiden name.
    Any text readable from your chair is an OBVIOUS password. It's also going to be part of a dictionary attack, unlike "?pE94$vw".

    --
    Life is too short to proofread.
  226. Re:If the required dongle is a note under your kb. by fubar1971 · · Score: 1

    This is actually a great way to recover data when somebody leaves the company and doesn't pass on knowledge of a computer's usernames/passwords.

    I actually have a better one than that. I found a floppy distro that will boot and then prompt you to change the Admin password on any NT/2000 server or workstation. It will even tell you the Admin name if it has been changed. It has saved my arse many a time. You can find it here.

  227. Here comes the science... by Ryan+C. · · Score: 1

    Sorry, but your Abcdef-1 password is far more secure than wkxudf1. Nobody brute forces passwords by sitting down and typing in random stuff. They use offline dictionary and brute force attacks on hashes that leak out such as in challenge response network logins.

    Abcdef-1 looks like an easy pattern to you, but it's not to a cracking algorithm. A cracking program would have to use the pattern space A-Z,a-z,0-9,and at least 20 or so symbols. so 82^8 = 2 quadrillion possible combinations. wkxudf1 uses the pattern space a-z,0-9 and 7 characters, thus 36^7 = 78 billion combinations. So if it took a program 10 minutes to brute force your original password, it would take the same program 6 months to get your new one.

    --
    -Ryan C.
    1. Re:Here comes the science... by Percy_Blakeney · · Score: 1
      Abcdef-1 looks like an easy pattern to you, but it's not to a cracking algorithm.

      It depends on the cracking algorithm, now doesn't it? If you have a semi-intelligent algorithm that would guess several thousand easy passwords first, then his 'wkxudf1' password would be much more resistant to cracking than the 'Abcdef-1' password.

      wkxudf1 uses the pattern space a-z,0-9 and 7 characters

      No it doesn't. Just because YOU know that his password doesn't contain any uppercase letters doesn't mean the cracking program knows it; a brute-force approach would still need to check the entire A-Z space, as well as the 20-or-so symbols that you referred to. In addition, the cracking program wouldn't know the length of the password and thus would need to check the range from the minimum allowed length to the maximum allowed length.

      So, you'll realize that the password does not define the pattern space, the constraints do. Thus, theoretically, by enforcing tighter constraints you are actually decreasing the number of possible password combinations that a brute-force algorithm would need to try. In practice, this isn't necessarily always true due to the aforementioned semi-intelligent crackers.

      I think it would be an interesting experiment to analyze passwords on a system that said it required at least 1 symbol and 1 uppercase letter. I'm willing to bet that the vast majority of the passwords end up having EXACTLY 1 symbol and 1 uppercase letter. By stating a necessary condition, you're almost guaranteeing that people exactly satisfy that condition.

    2. Re:Here comes the science... by srleffler · · Score: 1

      Your argument would be true, except that in the absence of constraints, a semi-intelligent cracking program is going to try all-lowercase passwords first, since that is what most users will use if nothing forces them to do otherwise. If it doesn't crack the account, the next thing to try would be strings consisting of 7 or so lowercase letters followed by a number. I agree with you that the cracking program doesn't "know" the password is all lowercase, but the cracker is free to "guess" that all-lowercase passwords are more likely given human nature. Forcing mixed cases, etc. makes the users who would use those features anyway slightly less secure for the reasons you noted, but increases overall security by removing an obvious first-guess pattern.
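    The FAQ excerpt earlier in the thread (the 'david' example) and the exchange above about whether the password or the constraints define the search space make the same point: the attacker's work is set by where a password falls in the guess order, not by length times log2(alphabet). The following is an added example, not code from the FAQ or from any poster here; it models that with a constructed toy guess order, where the name list, the acronyms and the ordering are placeholders for a real crack dictionary, and "?pE94$vw" is borrowed from another comment in this thread.

```python
import math
import string
from typing import Iterator, Optional

# Constructed stand-in for a "crack" dictionary. Real ones run to thousands of
# names plus whole song lyrics and film scripts; a handful of entries is enough
# to show that the ordering of guesses, not the raw alphabet, sets the work factor.
COMMON_NAMES = ["david", "michael", "john", "mary", "james", "robert"]
LYRIC_ACRONYMS = ["iwhyh", "tiuwmaaf"]  # hypothetical acronyms of well-known lines


def raw_entropy_bits(password: str) -> float:
    """Naive estimate from the FAQ: length * log2(alphabet size), with the alphabet
    inferred from the character classes present ('david' -> 5 * log2(26))."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def guess_order() -> Iterator[str]:
    """The order a dictionary-attack program might try candidates, most probable
    first: plain names, capitalised names, names plus one trailing digit, then
    acronyms of famous lines. This ordering is constructed for illustration."""
    for name in COMMON_NAMES:
        yield name
    for name in COMMON_NAMES:
        yield name.capitalize()
    for name in COMMON_NAMES:
        for digit in string.digits:
            yield name + digit
    for acronym in LYRIC_ACRONYMS:
        yield acronym
        yield acronym.upper()


def guess_rank(password: str) -> Optional[int]:
    """1-based position of the password in the guess order, or None when the
    dictionary phase does not cover it at all."""
    for rank, candidate in enumerate(guess_order(), start=1):
        if candidate == password:
            return rank
    return None


def effective_entropy_bits(password: str) -> float:
    """Work the attacker actually faces, in bits: log2(rank) when the dictionary
    phase hits, otherwise the exhausted dictionary plus the raw brute-force space
    that remains once the dictionary is used up."""
    rank = guess_rank(password)
    if rank is not None:
        return math.log2(rank)
    dictionary_size = sum(1 for _ in guess_order())
    return math.log2(dictionary_size + 2 ** raw_entropy_bits(password))


if __name__ == "__main__":
    # DES (~54-55 bits) and IDEA (128 bits) are the key-size yardsticks the FAQ uses.
    for pw in ["david", "David", "david7", "iwhyh", "?pE94$vw"]:
        print(f"{pw:10s} raw={raw_entropy_bits(pw):5.1f} bits  rank={guess_rank(pw)}  "
              f"effective={effective_entropy_bits(pw):5.1f} bits")
```

    Run as a script it prints 'david' at 23.5 raw bits but 0 effective bits (first guess), while the random 8-character string keeps its full 52 or so bits because no dictionary phase reaches it.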

  228. this is the DUMBEST "security" idea ever by SpecialAgentXXX · · Score: 1

    We have this shit at work. My login password for dev environment #1, dev env #2, Q/A, prod, timesheet, human resources, etc. is different and I am forced to change it every 30 days. To keep it easy, I would always use my favorite beers as passwords. They then also added that you can't use the most recent 3 passwords, and if you enter 3 bad passwords, the system locks you out, plus it has to be alphanumeric. So there go my beer names! I end up writing all of my passwords on a Post-It note stuck on my monitor.

    This is yet another example of know-nothing management making an executive decision to fool their shareholders (and themselves) that our systems are now more secure from hackers. In fact, we even had started to share the same user accounts because it makes it simpler to remember passwords instead of each one forgetting it once a week or sooner.

  229. Re:If the required dongle is a note under your kb. by Anonymous Coward · · Score: 0

    Simple. Keep a copy of the paper under your keyboard.

  230. 'Easy to remember' random passwords by Flinx_ca · · Score: 1

    2 - The third (pick a 'number number') number of your zip code: 90210-1234
    r - The second (from the 2) letter of your boss' name: Francis Drake
    7 - The third (your 'number number') digit of your cell number: 707-555-1212
    o - The seventh (from the 7) letter of your home town: Toronto Ontario
    6 - the third (your 'number number') digit of your sister's street address: Apt#666-1234 Yonge Street
    y - The third (from the 3) letter of your car: Toyota Echo
    4 - the third (your 'number number') digit of your visa: 4444 1234 1234 1234
    c - the fourth (from the 4) letter of your father-in-law's name: Bruce Smith

    You can generate 7 (666-1234 is the shortest) different effectively random 8 digit passwords from the above.

  231. Programmed password by ShecoDu · · Score: 1

    The other day I was thinking about a dynamic programmable password, instead of a plain static password, so you can create a password that would change every day based on the output of some tasks, for example, you could create a password using the current time, date, temperature, number of apps open, a boolean comparison (whether or not some app is currently running) or stuff like that. People would have to crack the pattern, cause even if they sniffed your password, the second they try it, it wouldn't match.

  232. Re:Integrate the pin with SafeWord by Accipitradea · · Score: 1

    Secure Computing offers tokens that use that "best password schema" mentioned by the parent. They call 'em "SafeWord Tokens".

  233. no need to memorize. by twitter · · Score: 1
    Shoulder surfing doesn't work too well either, unless you can memorize the whole card

    Or take a picture with their cell phone.

    --

    Friends don't help friends install M$ junk.

    1. Re:no need to memorize. by nizo · · Score: 1

      Hmm, well I think I am safe because I use a pretty damn small font. But I will keep an eye out for people behind me with cell phones :-)

  234. Re:If the required dongle is a note under your kb. by WinterSolstice · · Score: 1

    Pretty funny, but we don't use Outlook, and, like I said, users can't run any executables at all.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  235. Re:If the required dongle is a note under your kb. by WinterSolstice · · Score: 1

    I apologize if the tone seemed offensive, it was probably a residual of the DoD bend-over fest we had recently :)

    My whole point was that physical access is once again able to be well armored. The world has gone from the VT220 era through the PC and out the other side. The poster's point seemed to be that PCs are a huge vulnerability, while mine was the opposite.

    I am arguing that the real vulnerability is the User, not the machine.

    -WS

    --
    An operating system should be like a light switch... simple, effective, easy to use, and designed for everyone.
  236. Convenience the weakest link by jago25_98 · · Score: 1

    I am a very forgetful person.

    But I know an excellent method of remembering passwords.

    I could tell you,
    but I'd have to kill you.

    Why is it, with all our progress, we can't get the convenience side of security right

    - it's important... more important than the engineer will acknowledge.

  237. Re:If the required dongle is a note under your kb. by nizo · · Score: 1

    That's why I keep a second copy somewhere else safe (at home, in a safe or whatever).

  238. Re:If the required dongle is a note under your kb. by fubar1971 · · Score: 1

    oops,

    forgot the link here

  239. Schemes that fail by perlchild · · Score: 1

    Let's take a random, faceless group of people.
    It's human nature that if someone can be blamed, instead of taking an inconvenient action, one will try to blame the "other", especially in a group where anonymity is high.
    It's rather intuitive that a place with a password policy has "some form" of security officer.
    It's also intuitive that this some form of security officer is somehow responsible for security at some degree.
    It's seldom happened that the rule "you share your password with someone you're both responsible for whatever happens with that password" was applied.
    This a) encourages convenient, insecure, anonymity-fostering "I'm lending you my password while on vacation" and "I forgot to change my password when I came back from vacation"
    b) Depending on mental discipline, three 8-letter passwords might be too much to ask of a person to dedicate to just their job (considering most people will spend about half their "memory budget" on work applications, if that much)
    c) The security officer is likely to be blamed, simply because in an anonymous group, whoever shared their passwords just decreased their chances of getting caught, not increased them
    d) Two-token authentication and other methods have not gotten enough mindshare yet to be considered "easy"
    e) This kind of discussion on slashdot and other places often starts on the premise of "why can't people who don't understand the distinction between authentication and authorization act in a secure manner". It's been my experience that until someone understands the difference between the two, security is very hard to come by. An example:
    Marissa is going on vacation next week
    Marissa gives her password (authentication) to Joey, so Joey can do payroll while Marissa is on vacation
    Marissa doesn't understand that she should have called IT, and told them to authorize Joey for her tasks, for the duration of the vacation. She may or may not remember to reset her password after. She might also know that she should call IT, but IT will require she list everything she wants to authorize Joey for, instead of copying her privileges (there might be technical reasons behind this, or they just might not have a trustee system of sufficient power to do it).
    This means that for a while, Joey can do things, and safely think the waters are muddled, it's hard to prove Marissa didn't do it. If Joey happens to be a good enough actor, he could say he shared the password with someone else, and that someone else would get the blame. If there is some other security event, involving the outside world, after Marissa's return, so much the better.

    Now this will seem like killing baby seals, or something equally cruel, but the only real security response to this is to punish equally everyone involved in the "password trade", since you can't prove, after the fact, what in fact occurred.

    Most security policies assume you can outline a procedure to follow, about passwords, without outlining this kind of consequence, and without spending sufficient effort making sure people understand the issues involved.

    This makes the environment ripe for anonymity (which is good when you are in a group with equal responsibilities, like the Internet, but bad when you're in an environment where someone authorized a money transfer to an employee's spouse's third cousin's bank account in Switzerland in an untraceable, anonymous manner).

    In the absence of traceability, public opinion will impute blame to the most visible level of responsibility. Hence the security officer will be reprimanded (but perhaps not fired) for three employees sharing a password, since firing all three would be inconvenient to the company, and politically unsound in some places as well.

  240. I do not have access to a computer... by freedom_india · · Score: 1

    I do NOT have access to a computer YOU Insensitive Clod !

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  241. Wrong by mark-t · · Score: 1

    Your station could simply be a dumb X terminal, with the actual computer in a more physically secure location. Security of the computer isn't inherently compromised just because someone has access to a mouse, keyboard, and a monitor.

  242. false security by Anonymous Coward · · Score: 0

    in general, password based identification is an obsolete form of authentication. it doesn't stand a chance, regardless of how perfectly unguessable your *JWe-SP#@)@jiJgl!)@^#..; password is. password generation algorithms are being quietly cracked. passwords are being sniffed, keylogged, obtained through numerous forms of social engineering or being forgotten. all this will change but not too soon.

    there are many ongoing approaches to avoid password usage. e.g. key-based authentication, certificate based authentication, eye (retina) or visual heat recognition, fingerprint/voice authentication, magnetic field based identification, etc.

    stay tuned.

  243. Re:If the required dongle is a note under your kb. by jabuzz · · Score: 1

    Selecting four letters from 26 where order is important is 26 permutation 4. Where a nPr is
    defined as n!/(n-r!). Clearly you skipped the probability and statistics classes in your maths lessons!

    However you are right there are lot less than this that are valid words, which weakens the method considerably further. I never suggested that an uncompromised code sheet resulted in weak passwords.

  244. PalmPilot as password vault by f_g_goss · · Score: 1

    I use my M500 with a password vault app to store my logins/passwords. I only have to remember one password to access them (and remember to have my Palm handy ;) )

  245. The WSJ knows whereof they speak... by 3l1za · · Score: 1

    After all a few years ago, the WSJ used to use crypt() with input == username || server_secret (where || means concatenation) to create a user's cookie (for access to the subscription-only portions of the site).

    And crypt() only takes 8 chars of input; so if the username was longer than 8 chars then the server_secret was not used and if two usernames were identical in the first 8 chars (not prohibited by the WSJ system), then the two would have the same hashed value.

    And the cookie consisted of: username || output_of_crypt (as above); so one could forge a cookie for any user (and thereby have access to that user's account info... and use that user's credit card info (if stored as part of the user's account)

    So the adversary only needs to know a username to log in as a user (and can discover a username by trying to register one and IF registration fails (b/c "that username is not available") -- bam! you've got access).

    Anyway, it was pretty easy to recover the server_secret because of this... which by the way was a value that could have been recovered via a dictionary attack anyway (IIRC, it was the original release date of the system).

    Want the dets? Look here (*.pdf) -- "Dos and Don'ts of Client Auth on the Web" by Fu/Sit/Smith/Feamster.
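
The cookie weakness described in this comment, as an added example that is not the WSJ's code and not part of the original post. It models the one property that matters, namely that the hash function only looks at the first 8 characters of its input (crypt(3) is DES-based and salted; SHA-256 stands in here purely to reproduce the truncation, which is an assumption of this example), and puts a keyed HMAC over the full username beside it as the fix. The server secret is a constructed demo value.

```python
import hashlib
import hmac

# Constructed demo secret; the real value is not on the page and is not needed.
SERVER_SECRET = "demo-server-secret"


def truncating_hash(data: str) -> str:
    """Stand-in for the crypt() behaviour the comment describes: only the
    first 8 characters of the input influence the output. SHA-256 is used
    here only to model that truncation (assumption, not the WSJ code)."""
    return hashlib.sha256(data[:8].encode("utf-8")).hexdigest()[:13]


def legacy_cookie(username: str) -> str:
    """cookie = username || hash(username || server_secret), as described."""
    return username + "|" + truncating_hash(username + SERVER_SECRET)


def cookie_without_secret(username: str) -> str:
    """What someone who knows only the username can compute. For any
    username of 8 or more characters the secret never reaches the hash,
    so this is identical to legacy_cookie() despite not knowing the secret."""
    return username + "|" + truncating_hash(username)


def hardened_cookie(username: str, secret: str = SERVER_SECRET) -> str:
    """Keyed MAC over the whole username: the secret affects every output
    and no prefix truncation takes place."""
    tag = hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                   hashlib.sha256).hexdigest()
    return username + "|" + tag


def hardened_cookie_valid(cookie: str, secret: str = SERVER_SECRET) -> bool:
    """Server-side check; compare_digest avoids a timing side channel."""
    username, _, tag = cookie.partition("|")
    expected = hardened_cookie(username, secret).partition("|")[2]
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    for user in ("bob", "johnsmith", "johnsmith2"):
        print(f"{user:11s} secret matters in legacy cookie: "
              f"{legacy_cookie(user) != cookie_without_secret(user)}")
    # "johnsmith" and "johnsmith2" share their first 8 characters, so their
    # legacy hashes collide; the HMAC versions do not.
    print(legacy_cookie("johnsmith").split("|")[1]
          == legacy_cookie("johnsmith2").split("|")[1])
```

The only usernames the legacy scheme protects at all are those shorter than 8 characters, because only then do any secret characters survive the truncation; with HMAC the length of the username is irrelevant.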

  246. Rhythmic Passwords by SlickMcSly · · Score: 1

    A great way to build a strong password is by using a numerical password on your numpad and memorizing the rhythm of your hand movements. Although the password will only be comprised of numbers, you can make them MUCH longer than 8 chars and you can type them in plain sight with ppl watching and they won't catch on even after several times.

    With an 8 char password using 1-10, a-z, and A-Z, you get approx. 48 bit encryption for an 8-12 stroke password that takes approx. 1-2 sec to type across a wide field ppl can easily see.

    With a rhythmic password using only the numpad you need about 14 chars for the same, but with the mnemonic of how 3 fingers (i use my thumb, index, and middle fingers) tap around a 3x3+1 box, you can type it in just as quickly. Also, with your hand and fingers obscuring the pad, shoulder surfing is much harder.

    The real advantage to rhythmic numpad passwords is that the mnemonic is much more reliable across longer passwords. After some practice, I memorized two 15 char passwords and combined them into one 30 char password. I type one 15 char string, pause, then type the other in 5 sec total. That's approx 100 bit random encryption by hand.

    btw:
    Regarding approx. bit protection:
    2^(log((# possibilities per char)^(password length))/log(2)) = (# possibilities per char)^(password length)
    log((# possibilities per char)^(password length))/log(2) = equivalent bit protection
    It seems pretty clear cut, but I'd appreciate any input into why I should change my root password.

  247. hallelujia!! Re:I only have 2 passwords by swschrad · · Score: 1

    finally, a sensible comment on passwords.

    ONE good password that I can use across all the platforms, change-controlled when I want to, and no silly C3 limit of 11 months before your old passwords drop off the list, and I don't need two sheets of cribs.

    besides, I've already used up all the good Cu55w0rd$...

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  248. Readable version by Anonymous Coward · · Score: 0
  249. Re:If the required dongle is a note under your kb. by Aewyn · · Score: 1

    First of all, nPr = n!/(n-r)!, but I guess that was just a typo, since you got the result right.

    Second, you are using the wrong formula. A letter can be used more than once in the same word. Each of the four letters then have 26 possible values, which yields 26*26*26*26 = 26^4, not 26*25*24*23 = 26P4.

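The keyspace arithmetic argued over in comments 246 and 249, as an added example that is not from any poster. It computes the comment's formula log2(n^r) = r * log2(n) for the alphabets mentioned (62 mixed-case alphanumerics, the 10 numpad digits, the 255 byte values from comment 263) and puts nPr next to n^r so the difference between "no letter reused" and "letters may repeat" is visible in numbers.

```python
import math


def keyspace_with_replacement(alphabet_size: int, length: int) -> int:
    """Passwords where any symbol may repeat: n^r (26^4 for four letters)."""
    return alphabet_size ** length


def keyspace_no_repeats(alphabet_size: int, length: int) -> int:
    """Ordered selection without repeats, nPr = n!/(n-r)!: the smaller
    count, which only applies if a symbol may not be used twice."""
    return math.perm(alphabet_size, length)


def bits(alphabet_size: int, length: int) -> float:
    """Bit strength of a uniformly random password: log2(n^r) = r*log2(n).
    Uniform randomness is the assumption; a word or pattern is far weaker."""
    return length * math.log2(alphabet_size)


def strength_table() -> dict:
    """Configurations discussed in the thread, rounded to one decimal."""
    cases = {
        "8 mixed-case alphanumerics (62 symbols)": (62, 8),
        "14 numpad digits": (10, 14),
        "30 numpad digits": (10, 30),
        "8 bytes from 255 values": (255, 8),
        "4 random letters": (26, 4),
    }
    return {name: round(bits(n, r), 1) for name, (n, r) in cases.items()}


if __name__ == "__main__":
    print("26^4 =", keyspace_with_replacement(26, 4),
          " 26P4 =", keyspace_no_repeats(26, 4))
    for name, b in strength_table().items():
        print(f"{b:6.1f} bits  {name}")
```

The table shows why comment 246's "about 14 digits" claim holds: 14 digits come to about 46.5 bits, close to the 47.6 bits of 8 alphanumerics, and 30 digits reach roughly 99.7 bits, all under the assumption that every digit is chosen uniformly at random rather than by a hand-friendly pattern.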
  250. Re:If the required dongle is a note under your kb. by jafac · · Score: 1

    This is a pretty neat idea.

    From a crypto point of view though, isn't this easily distinguishable? I mean, each pair of characters would maintain the same level of entropy as a standard 1-to-1 character map. Maybe it would require a bit more sophistication than a straight dictionary attack, but isn't this just less secure than a full-on random password?

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  251. I'm interested in using this by Polarism · · Score: 1

    I've never really done anything with Perl before though, just limited php/html, not a programming type.

    Would appreciate help/guidance.

    --
    All your base are belong to Google.
    1. Re:I'm interested in using this by Cryptnotic · · Score: 1

      1. Install Perl.
      2. Copy the perl program code into a file called whatever.pl.
      3. From a command prompt in the directory where the script file is located, execute perl whatever.pl.

      You could also probably do it in PHP if you wanted. It would be very similar, though I don't know PHP so I couldn't help you with that.

      --
      My other first post is car post.
    2. Re:I'm interested in using this by Polarism · · Score: 1

      Thanks, yeah i'm not a real big "original" person. My slant is more of the "phpBB install/modification" avenue, rather than core PHP itself..

      So I can read code just fine, i've just never cared to spare the time to actually learn it.

      --
      All your base are belong to Google.
    3. Re:I'm interested in using this by Cryptnotic · · Score: 1

      Code usually isn't hard. Most programming languages are meant to be human readable as well as machine readable. There are exceptions, of course.

      Actually, before I went to university, my main programming experience was extensive BBS hacking/rewriting.

      --
      My other first post is car post.
    4. Re:I'm interested in using this by Polarism · · Score: 1

      Yeah, i've just never been interested in writing any code whatsoever. I'm an EE guy at heart, which is already enough crap flooding my brain. ;)

      --
      All your base are belong to Google.
  252. Re:If the required dongle is a note under your kb. by markandrew · · Score: 1

    so, picture the scene... an average joe walking along the street finds a wallet with such a piece of paper in it, and thinks: "aha, this is obviously a password cipher for online passwords - sucker! now i just need to guess where his accounts are, guess his username for each one, and guess his four-letter passphrase! now all your information is belong to me! muahahaha!"

    seriously! it ain't gonna happen.

    this is just the sort of obtuse thinking that mystifies me - why do you presume someone finding that paper is somehow divinely aware of it's purpose? or any of the related information needed to make use of it? realistically, someone finding that paper would either a) ignore it, and throw it away or b) look at it for 3 seconds, and throw it away.

    it's security through misdirection - theoretically it might not be perfect, but in practice it works very well. in fact, just having a paper with a list of 20 passwords on them, and nothing else, would work far better than you might think - as long as it wasn't titled 'my passwords, by bill freeman' and was cross referenced by a list of username and account details. of course, keeping that piece of paper next to a computer would make it more obvious, but then that's hardly what he suggested, is it?

  253. Reusing passwords by lamber45 · · Score: 1
    Reusing passwords is a reasonable way to save frustration and memory-capacity from time to time; you just have to be smart about it. Of course I wouldn't use the same password for my primary e-mail account as for some random resume-listing service I had never heard of before, but (just as an example - I don't actually use Hotmail) I might use the same password for hotmail.com and AOL, with different user IDs.

    When I'm adding a test account to a network server for short-term use, I might only use a four- or five-character password, since I'll disable the account soon anyway. My own passwords are longer, and several of them were generated by rolling dice. I hope I never work at a place with mandatory monthly password-changes, because those dice get lost all the time...

  254. Re:If the required dongle is a note under your kb. by surprise_audit · · Score: 1

    Where I work, old desktops are being upgraded to laptops, which we're expected to take home. So, if I were to leave a note of my password under my keyboard at work, the system won't be there for anyone to try it on... I can keep an encrypted file on the laptop with all my other passwords.

  255. in the DoD too! by Horkdoom · · Score: 1

    The DoD is just as bad. Their password policy just to get onto AKO (Army Knowledge Online; has almost nil personal info) is to require a password no longer than 12 and must include 2 caps, 2 lowercase, 2 special symbols (but many are not allowed) and 2 numbers. Also the username is often not in the same syntax for each person, at least 5 different syntaxes that I know of, even more for names like Smith. I never had any problems remembering my password before and it was easy enough for me to remember a relatively complex password (that is no longer allowed due to above restrictions). I changed it and immediately forgot it, despite it being as similar to my last password as I would make it.

  256. Re:If the required dongle is a note under your kb. by elemental23 · · Score: 1


    hello world

    --
    I like my women like my coffee... pale and bitter.
  257. Password selection by bgspence · · Score: 1

    All the password selection schemes described by the power users here are simply variations on security by obscurity. These same power users would never accept a security system based on security by obscurity. So, why suggest that passwords be chosen that way?

    A good password is a long string of random letters and numbers. People are not very good at picking random sequences. And, random sequences are hard to remember.

    Passwords should be changed periodically. This makes remembering them even harder.

    The only realistic password scheme is one based on an automatic password generator for the password and some form of 'keychain' to hold these passwords which can be secured by a simpler combination of user selected pin/password. Higher levels of security can be achieved by making the 'keychain' physically external to the computer.

    Security 'experts' need to get their own act together if they want to deliver secure systems. It is their responsibility to make sure that they do not allow their users to become their the weakest link. It is a question of design, not one of education. Or, if it is a question of education, it is the security 'experts' who need educating.

  258. Drop Password from the dictionary now! by 8026mn · · Score: 1

    Passphrases make a lot of sense; every new piece of software should substitute "password" for "passphrase". Even if users only use 4-5 characters, the fact that the word is different perhaps may get them to think of a longer word or set of words to authenticate with, which couldn't hurt, could it?

  259. Here's what I'd like to try by Anonymous Coward · · Score: 0

    Set up a popular web site, requesting users to register with an email address and a password of their own choosing.

    Have 100 000 users or so sign up, and then try to log into all yahoo and hotmail email accounts with the exact same passwd the user submitted.

    Sell the info to spammers...

    ...profit!?!

  260. Yes, it would require some creativity. by Anonymous Coward · · Score: 0

    Hm. Judging by your language and sentence construction, I'd say you were in Marketing. Well, I'm sure you'll be out of a job before me, so, ta! Have a nice day!!

  261. Oh please by Anonymous Coward · · Score: 0

    You can always spot the Marketing people - 'This is too hard! Wah!' These are same fatuous pinheads who can't come up with clear requirements for projects because they simply have no vision or creativity. Making up a new password every 60 days takes me all of 1 minute. Of course that's one minute that a suit-wearing, frustrated pretty-boy quarterback wannabe could be looking at ESPN or porn. THE HUMANITY!!!!!!! KILL THE IT GEEKS!!!!

    Grow up. Use your shriveled little brains for something other than cooking up schemes to screw your coworkers.

    You l-users sicken me when you come crawling for help after your pathetic passwords get cracked and you've exposed the company's valuable data.

    You're idiots and should simply be 'negatively employed', to use one of -your- phrases.

    Don't blame IT because YOU can't think in sentences longer than three words.

  262. Is it time.... HELL YES by Anonymous Coward · · Score: 0

    "Or is it that the entire business culture needs to change from within to take digital security seriously?"

    Yes, corporations need to stop promoting/hiring people because of how pretty they are or who they're related to.

    Daily I meet people who obviously lied on their resumes. Questions in an angry tone like 'What's a URL??' are the first clue.

    You're instantly obvious and you're not fooling anyone. You don't like technology? RESIGN. NOW.

  263. Use non-printable characters ... by Bazouel · · Score: 1

    When possible, I use non printable characters such as #1-27, #255, etc.

    I have yet to see a brute force program which takes those into account. 255^8 is quite a number. I say 255 because #0 isn't possible usually.

    That way, you can have stupid passwords which are still a beast to get.

    --
    Intelligence shared is intelligence squared.
  264. Wow by Anonymous Coward · · Score: 0

    OK, we got a bunch of people here pretty upset that stupid people can't remember their passwords. This is really ridiculous. I can remember my passwords if I choose them. No problem. But do I wanna remember 2 jingillion passwords? Simple answer, no?

    Oh the stupid should use their brains to remember the passwords. Well why don't some of the "non-stupid" people use _their_ brains to come up with better security schemes. Plus not everything needs a password.

    Changing password every so often on something where system administration is out of your control is a good thing. But if it's a system admin that requires password changes simply because that's what they read in the latest Dr. Dobb's then that system admin should be taken out back behind the building and given a good lecture with a baseball bat. Once every six months is fine. If a user is stupid and shares a password, requiring them to change it every 45 days is not going to help you. It's only going to make sure that they bug you with lost password complaints. At the end of the day, they won't get in trouble for not remembering it but you might for not helping if you're the sysadmin/tech support.

    At corporate level where we have a dedicated sys admin or a team of them, I expect them to tighten the system instead of blaming the user for petty things. Dude, if they could keep it secure, you wouldn't be there.

    Just my $0.02. And I'm a developer not the marketing type. In other words, this is from a geek point of view. You have to fix the user-error. The user won't.

  265. Pick a theme by foniksonik · · Score: 1

    I like to pick a theme every three months, flowers, mythical creatures, LOTR characters, Comic books, States, etc.

    Then I use a consistent character replacement system.

    No I won't tell you what it is.. but it makes for a reasonably good method both for remembering them and for security.

    I do record the theme on a paper calendar at home, I don't change every password I've ever created so I need a clue to jog my memory. It's just vague enough to be both confusing for someone not familiar with the method and precise enough to help me guestimate what I'd used within two tries. Imagine finding a Picasso Calendar with the word 'flowers' written on the second tuesday, the word 'Comicx' written on the first thursday, etc, etc. - it would take some Watson like insight to put the clues together.. and you're only halfway there.

    Other ideas were song lyrics and book meta data... ie: book: page, paragraph, word... ala 4665Brightblade, where of course i would underline the word.. this way I could keep the books around for reference if needed, maybe with a bookmark at the right page.

    Anyways, there are lots of good and practical methodologies for picking secure passwords... just be creative.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  266. Best password? BIOMETRICS by Cervantes · · Score: 1

    Biometrics, my friends, it's the way to go.

    Not for research labs. Not for government agencies. Not for nuclear wessels or the CIA.

    No, it's for the other 80% of the users. Bob in Accounting, Sally in Finance, Anne, who currently is working hard under Bobs desk. These are the raving morons who write down their passwords, who pick really dumb easy ones, who cause grief.

    It's the dumb salespeople and the drooling managers who cost us the most money and the most time. THESE are the accounts that biometrics are best for. My pref is for fingerprint pads, because (a) they're unobtrusive (b) they're easy to use and (c) they have a 'cool' factor.

    These are the accounts that have a low tech factor, but can hose us if someone gets access.

    Yes, yes, someone can hack a fingerprint with some candy and a little time... but this is no different than anything else. Social engineering got me more passwords than hacking ever did. And, really, if Bobs password is his fingerprint, he's not likely to get hacked from outside. If his password is "annesass", someone will get that.

    At our org, most of our passwords are still "321" from when we changed domains and reset all user accounts. It hurts me, it does, to see such idiocy. Knowing that a little stupid pad and a secure server would be 8x more secure than our existing (nonexistent) policy toasts my grits. It's about "bang for the buck", and how likely said account is to be nailed... and biometrics is easy to use, relatively more secure than text passwords, and can't be written down, or told to someone on the phone. It's almost impervious to general, not-on-site social engineering.

    I had an (ex) manager who I once convinced of the wonders of heavy passwords. 12 chars, changed 6x annually, nonalphanumeric requirements, dictionary challenged... he wanted security, I gave him what I could at the time. Everyone obeyed policy, didn't write it down, worked hard to remember it. Said manager got a call one day... "Hi, this is Dave with Telus, I'm just running some maintenance on our DSL accounts. Could you please tell me your username/password?"

    Said company was underbid on every contract for the next 6 mos, and folded.

    That's my rant. Users are dumb. They will take the easiest route to get to something, no matter what the possible consequences are, and they will claim innocence and ignorance when they fsck everything up. We must get around the users brain... fingerprints are the best way to do this.

    And cattleprods. Used as anal probes. After hi-octane enemas. I like this plan...

    Damn users.

    --
    If I knew the wedgies I gave you back in 6th grade would have resulted in this . . . I might have taken a moments pause.
  267. Real men... by feargal · · Score: 1

    Real men don't remember passwords - they upload them via ftp and let the world remember...

    --
    "A goldfish was his muse, eternally amused"
  268. Re:Suggestion... by symbolic · · Score: 1

    Why don't you just switch back and forth between two sets of imaginative, more secure passwords each month?

  269. No surprise here. by krischik · · Score: 1

    Did not surprise me. I know lots of people who just increment the two numerics.

    It was always my belief that if you make a password scheme too strict it becomes insecure, because people cannot or don't want to remember a complicated new password every x days.

    As the old saying for screws goes: after very tight comes very loose. {For those not familiar with mechanics: if you tighten a screw too much it will break}

  270. no calls at all by krischik · · Score: 1

    Because everybody will write the password down as soon as nobody looks.

  271. I lasted 6 months by cjb110 · · Score: 1

    I started a new job in jan this year, and the main password used some of these rules, mixed case, numbers >8 chars etc

    I lasted 6 months before I went to a password that I increment each time.

    I think the problem was not that I needed to come up with a new password each time, but the fact that I had around 8 different passwords to change (with different rules as well!), making the entire process a pain in the arse.

    I want to go to work to work, not change passwords.

    --
    ----- I refuse to have an argument with an unarmed person
  272. Three month ago... by Anonymous Coward · · Score: 0

    I started to write down passwords every time I had trouble remembering one I should use. I store them in my cell phone in a dedicated area where they are "protected" by the phone pin code. (I have no idea how much protection that actually is.) I haven't written down the pin code for my credit card, the password for my netbank, the password for my government sponsored digital signature, or the phone pin code itself (doh!). But everything else I have used the last three months are there.

    Last week, we discussed passwords, and I counted how many were on my phone. There were 28 passwords. Now good passwords should be at least 7 characters long, contain numbers, letters, and special characters so they can't be cracked easily by brute force. They should all be unique, so compromising one won't compromise all. And they should never be written down, so a simple thief may get access to them.

    Now, I can remember one good password. I can even remember two good passwords, and two pin codes as I have decided to do, but there is no fucking way I'm going to remember 28 (+4) of them.

    So I hope sites like /. (yes, I have a /. login but don't want to broadcast where I'm storing my passwords to every half-witted google user out there) will start using some kind of identity server (like MS passport or whatever the Sun/Oracle alternative is called, or for national sites the government id I mentioned earlier), rather than keep inventing their own.

  273. Easy and secure passwords by dmhayden · · Score: 1

    Compuserve used to have a great password generation mechanism. They used two common words separated by a punctuation mark, like "sofa'cloud" or "mouse=light". They sent me my password, I read it once, and never forgot it.

  274. How bad can dumb password policies get? by Anonymous Coward · · Score: 0

    At my last job I had 28 passwords ranging from the Lucent Navis password that gave total control over the SE US ATM network (which was left for years as the manufacturer's default password, shared with hundreds of users - though lately changed. Anybody who felt like it could have shut down virtually the whole Southeast's data network in under a minute.) to that eldritch horror, COSMOS/FOMS which holds all the region's central office wiring records and orders. The latter constantly changed passwords with rigid policies for format. I can tell you that security through obscurity does have its points - no one ever wanted to use the damn thing, it was so picky - it only runs on Amdahl hardware that perfectly replicates its 30+ -year-old IBM environment. It can only be accessed through Wang terminal emulation programs with curious settings - the ones we used for all our other mainframe apps wouldn't have anything to do with it, and even with the right software it cared which "enter" key you pressed - had to be the one on the keypad. The system documentation was primarily oral tradition, jealously guarded for the sake of job security by the paranoid elder union gnomes.

    Anyway, there is no human way to remember 28 passwords which all change on different schedules, have different rules and cover wildly differing systems that may require logging in 25 times a day or once every 2 months. All 250+ techs recorded their passwords, most both on paper, on their local drive and on their space on the Windows network drives.

    Also, there is no way that anyone who has to do 50-100 assorted logins per day will not script their logins if there is any way they can. Virtually all our mainframe and *NIX shell access stuff was scripted, against company policy - but if management had cracked down, productivity would have dropped at least 25%.

    You cannot get better security by having more than four or five good passwords for a person in the whole of their personal and professional life at any given time, and people cannot come up with good new ones all that often. Trying to use more passwords is just counterproductive. The psychological factors overwhelm the theoretical advantages.

    The best real-world compromise I have found is the encrypted keyring, but most companies still don't make high-level encryption part of their standard desktop install. Encrypting the keys to your multibillion-dollar network in MS Word is sad, but is actually better than the average practice of no encryption at all.

  275. Re:If the required dongle is a note under your kb. by Jouster · · Score: 1

    Well, if they compromise the matrix, you're looking at two and a half bits of entropy per character, or approximately 1,000 attempts before they brute-force the password. Additionally, if someone is shoulder-surfing, they only need to pay attention to every other letter. Admittedly, choices like "u" or "e" (which utilize the same starting letter in their corresponding letter-tuple) insert a single bit of entropy, but given the choice between "team" and "tuam", I think most people wouldn't even have to brute-force it.

    If someone doesn't compromise the matrix, but is able to analyse a large number of these generated passwords, he or she can come up with the complete set of codes pretty quickly, and then you're back to the 1,000 attempts or so.

    In the final situation, however, someone with no knowledge of your scheme is confronted with one of your passwords and challenged to find another. In that circumstance, your scheme is indeed a good way to generate eight-character, random- looking passwords out of normal, four-character words.

    Jouster

  276. Why 8 passwords? by jotaeleemeese · · Score: 1

    Every time you need to change one password, change them all to the same thing....

    --
    IANAL but write like a drunk one.
  277. Er... all that is configurable. by jotaeleemeese · · Score: 1

    If the different departments in your firm don't talk to each other and there is no guiding IT central authority, well....

    --
    IANAL but write like a drunk one.
  278. Re:Why should the users be conserned about securit by Anonymous Coward · · Score: 0

    Christ man... you can plead laziness or dyslexia or whatever excuse you want, but reading your comment makes me think a retarded 3rd grader could do better. LEARN TO FUCKING SPELL. /wipes the vomit off monitor

  279. Best passwords without secureid by Anonymous Coward · · Score: 0

    Remember to not to count the numbers. like 5. In the above post.

  280. PHP Version by Hallow · · Score: 1

    I've got a PHP version, which is a bit different. Code's public domain, do with it what you will.

    Try it:
    http://webmages.com/misc/passkey.php

    Grab the source:
    http://webmages.com/misc/passkey.phps

  281. Re:Well, from the WSJ article it wasn't stupid use by MerlynEmrys67 · · Score: 1
    And this is why security never works... If it is unimplementable no one will use it.

    If you really, REALLY care about security - you make it transparent and simple... Frankly 8 distinct passwords, OUCH

    --
    I have mod points and I am not afraid to use them