Slashdot Mirror


Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

4 of 674 comments

  1. If the required dongle is a note under your kb... by FreeUser · Score: 4, Insightful

    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

    --
    The Future of Human Evolution: Autonomy
  2. Re:I only have 2 passwords by ifdef · Score: 5, Insightful

    I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

  3. Re:Biometrics by Jucius+Maximus · Score: 4, Insightful
    "Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

    There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

  4. Re:I only have 2 passwords by ifoxtrot · Score: 4, Insightful
    "That is why my organisation has implemented password policies that require at least 8 characters, at least 1 uppercase letter, 1 number, and one special character, or it will not let you change it, and will lock out your account. We then run security audits to ferret out the l-users like you that make them too simple. If we find a password that is too simple, or easy to crack, we force you to change it. If you do not, then your account will be locked out."

    When I read this, I seriously started thinking this was great sarcasm.
    Unfortunately I've since changed my mind.

    There has been a lot of research in the area of password usability; here is a short summary:
    Fact 1: human memory is fallible
    Fact 2: people cannot forget on demand
    Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
    Fact 4: items in human memory interfere with each other making 100% recall very hard
    Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
    Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down

    CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPSPUB112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.
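As an added illustration of the policy quoted in this post (example code written for this mirror, not from the thread or any poster): it implements the stated composition rules alongside a hypothetical heuristic for the predictable shape such rules tend to push users towards, so an auditor can see that a minimal-effort password satisfies the policy while a long passphrase is rejected.

```python
import re
import string

# Composition policy as quoted above: at least 8 characters, at least one
# uppercase letter, one digit and one special character.
def passes_policy(pw: str) -> bool:
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )

# Hypothetical heuristic (assumption, not from the thread): the shape most
# people reach for when forced to satisfy those rules is one capitalised
# word, then a short digit run and a symbol in either order.
_TEMPLATE = re.compile(
    r"^[A-Z][a-z]+(\d{1,4}[!@#$%^&*?.]?|[!@#$%^&*?.]\d{1,4})$"
)

def looks_templated(pw: str) -> bool:
    return _TEMPLATE.fullmatch(pw) is not None

def audit(candidates):
    """Map each candidate to (passes_policy, looks_templated) for review."""
    return {pw: (passes_policy(pw), looks_templated(pw)) for pw in candidates}

if __name__ == "__main__":
    # Constructed sample: rule-compliant choices next to a passphrase and a random string.
    sample = ["Password1!", "Summer2024!", "correct horse battery staple", "x7#Qp9!z"]
    for pw, (ok, templated) in audit(sample).items():
        print(f"{pw!r:34} policy={'pass' if ok else 'fail'} predictable={templated}")
```

The policy accepts the two templated passwords and the random one, and rejects the 28-character passphrase solely because it contains no uppercase letter, digit or symbol.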