Password Security Not Easy
mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.
Using SecureID or another similar solution is the "no-brainer" solution that todays users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most peoples' powers in this arena.
dmiessler.com -- grep understanding knowledge
No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.
I can't remember how may IT admins thought by requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice a 8 hour running brute force attack you really are not a good admin.
... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.
It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.
The Future of Human Evolution: Autonomy
I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than nore secure.
Passwords are always going to be flawed. Biometrics are the wave of the near future/present.
Yeah. Unlike password biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.
You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they us a copy of your prints - lifted off of a glass you used for example - mad out of Gummy Bear candies).
Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.
(As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)
SCO employee? Check out the bounty
There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.
The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.
Ill say this in capital letters so you get it this time.
CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!
And if you arsehole IT fucks cant get your brains around that, and design a system the recognises that fact then you shoudl really get a job shovelling manure or something.
If you really think that something is easy, merely because its easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.
Rather than cursing the l-users, get off your fat arse, and start doign your Job - provide them with the tools to do their jobs.
When I read this, I seriously started thinking this was great sarcasm.
Unfortunately I've since changed my mind.
There has been a lot of research in the area of password usability here is a short summary:
Fact 1: human memory is fallible
Fact 2: people cannot forget on demand
Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
Fact 4: items in human memory interfere with each other making 100% recall very hard
Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down
CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.