Slashdot Mirror


Password Security Not Easy

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

76 of 674 comments

  1. Integrate the pin with securid by stecoop · · Score: 4, Interesting

    required dongle is a note under your keyboard

    There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.

    A little bit better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.

    The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed pattern and the number is only good for 60 seconds. But this still has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is the best I have.

    1. Re:Integrate the pin with securid by wfberg · · Score: 5, Interesting

      The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

      The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

      My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.

      --
      SCO employee? Check out the bounty
    2. Re:Integrate the pin with securid by Longstaff · · Score: 2, Informative

      ... I only have to get your login name, securid key chain and guess what your 4 digit pin is.

      SecurIDs are not limited to a 4 digit PIN. I have to use them to log into various client machines and my PINs are always 7+ chars that are alpha/numeric. You type in the PIN - which is really a password at this point - and follow it with the 6 digit number on the SecurID.

    3. Re:Integrate the pin with securid by Z00L00K · · Score: 2, Informative
      I have also been working some with different security systems, and I have found a device that is fairly nice to have and fits onto your keyring. It is the Aladdin eToken. The only disadvantage I have found this far is that Windows XP doesn't support it with device drivers automatically. You need to install from a CD. It's somewhat annoying for something that is supposed to be a key to the system.

      This token allows you to use a full password, not only a PIN code as most smartcards do, and you can install your own certificates on it.

      For the security paranoid, the maximum key size is only 1024 bits, which may be considered a little low in some applications.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:Integrate the pin with securid by gioan · · Score: 3, Informative

      Your example has to be the worst use of SecurID (if you're referring to the RSA product) imaginable. Whoever paid for that equipment and implemented it so poorly should be fired for spending money and achieving no benefit.

      The whole point to SecurIDs is that they provide you with easily manageable two-factor security, including for legacy applications without needing a hardware re-outfit of biometrics, smart cards, redesigning custom prompts, readers, etc. They have agents for most popular things you'll integrate to it if Radius or native SecurID isn't compatible. They have a stable, documented API.

      You do however need to use your brain while deploying it. Specifically, you must inform the user they should pick a unique pin/password (which the admin has no access to by the way) to use with the code on the card that changes every 60 seconds. This ensures anyone logging in has either PIN+card code, or Pin + live video feed to fob, (insert other unrealistic scenarios here). The fact the PIN doesn't require frequent/regular changes allows the user to actually use something complex that they end up remembering.

      For what it's worth, the system is based on public/private key encryption and timesyncs between the servers and fobs. No, you can't hack it, not unless you have access to the SecurID server and then your actions are likely to be more obvious. There is no realistic server-side known exploit for it that doesn't involve somehow stealing the fob keys from the server, then guessing the user's pin in order to make a similar one-way hash and response to the challenge from the system requesting login validation. Finding a card/fob gives you access to nothing. Keylogging the pin is useless without stealing the card. It's secure. It's easy to use. It does require work on the admin's side to integrate various authentication systems to the SecurID architecture, but then that's a lot more fun than complaining about users, right? There is a reason it's been used in the banking industry for a long time.

      Of course, if the admin does the right thing, it also assumes the user isn't stupid enough to put their username, login URL (or relevant), and Pin on a Postit note on the back of the SecurID fob. But then, that's what HR departments and involuntary separations are for.

      And no, I (no longer) sell the stuff. Simply a knowledgeable user.
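The PIN-plus-rotating-code login that this subthread describes (a code that changes every 60 seconds, typed after a PIN the server never stores in the clear, with a lockout after 3 wrong tries), as an added example that is not from any commenter and not RSA's algorithm: it uses an HMAC-based time-synced code (RFC 6238 style) and a constructed seed and PIN.

```python
import hmac
import hashlib
import struct

STEP = 60  # the displayed code changes every 60 seconds, as in the thread


def token_code(seed: bytes, t: int, step: int = STEP, digits: int = 6) -> str:
    """Code the fob would show at unix time t: HMAC of the time counter, truncated."""
    counter = t // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{val % 10 ** digits:0{digits}d}"


def pin_hash(pin: str) -> str:
    # Server keeps only a hash, so the admin cannot read the PIN.
    # A production system would use a slow, salted KDF here.
    return hashlib.sha256(pin.encode()).hexdigest()


class AuthServer:
    def __init__(self, users, max_failures: int = 3, skew: int = 1):
        # users: {username: (fob_seed, pin_hash)}; skew = accepted clock drift in steps
        self.users = users
        self.failures = {u: 0 for u in users}
        self.last_counter = {u: -1 for u in users}  # newest counter already accepted
        self.locked = set()
        self.max_failures = max_failures
        self.skew = skew

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def verify(self, user: str, passcode: str, now: int) -> bool:
        """passcode = PIN immediately followed by the 6-digit fob code."""
        if user not in self.users or user in self.locked:
            return False
        seed, stored_pin_hash = self.users[user]
        pin, code = passcode[:-6], passcode[-6:]
        ok_pin = hmac.compare_digest(pin_hash(pin), stored_pin_hash)

        # Accept codes from the current step and +/- skew steps, but never a
        # counter at or below the last accepted one: a captured code cannot be replayed.
        counter = now // STEP
        matched = None
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter[user] and hmac.compare_digest(token_code(seed, c * STEP), code):
                matched = c
                break

        if ok_pin and matched is not None:
            self.failures[user] = 0
            self.last_counter[user] = matched
            return True

        # Either factor wrong: count it, lock after max_failures (the "3 tries" of a smart card).
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return False
```

A found fob (code without PIN) or a keylogged PIN (without the live code) each fails on its own, which is the two-factor property the comments above argue for.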

  2. I only have 2 passwords by xyeeyx · · Score: 3, Interesting

    2 passwords, none of them are words, easy to remember. anyone else have a few standard passwords?

    1. Re:I only have 2 passwords by Kiryat+Malachi · · Score: 2, Insightful

      I have 5, now. Each time I rotate passwords (once per year, usually), the highest security one moves down a notch, and everything below it gets bumped down by one.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
    2. Re:I only have 2 passwords by ifdef · · Score: 5, Insightful

      I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.

    3. Re:I only have 2 passwords by maskedbishounen · · Score: 2, Interesting

      Yes. :)

      I have two different sets. One specifically for online sites like PayPal, my bank, etc. The other is for generic internet things.

      The important stuff set is then further split into one of two passwords, chosen depending upon how "important" the site is. So my Amazon account won't use the same as my bank, and such.

      The generic set is split into three, or occasionally four, also based on importance.

      The rare fourth is my root password, the third my normal login, second for general web usage, and last for throw away usage.

      I tend to use the throwaway one a lot. /., IRC, Gmail. In fact, all my friends know it, and I've yet to have them play around with my stuff. YMMV, and you should still rotate passwords every so often . . . or so I'm told.

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    4. Re:I only have 2 passwords by Profane+MuthaFucka · · Score: 2, Funny

      My luggage is 1, 2, 3, 4, 5. Probably your luggage too.

      Actually, I have my luggage combination written in sharpie on the outside, right next to the lock. It's 0-0-0-0. That's so the TSA can open it up if the numbers happen to get bumped away from 0-0-0-0.

      Online I have an easy password, which is used everywhere unimportant; a medium password, which is used on sites that I would not want to lose the account for; a hard password used on sites with sensitive and personal information; and a secure password which is used on sites with direct access into my bank account, such as bill pay sites.

      At work they require us to have those unmemorizable passwords, so I just tattooed it on my cock where it's always 'handy'. Had a bit of trouble when they increased the length from 6 to 8 letters. Those last two letters hurt quite a lot.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    5. Re:I only have 2 passwords by 99BottlesOfBeerInMyF · · Score: 3, Interesting

      anyone else have a few standard passwords?

      For low security operations, like your online accounts, using a standard password is not too unreasonable. With just a hair more effort, however, you can use a standard password scheme. For example, instead of using "8dogs8food" as your password for all of the random online accounts you have, prepend or append the first letter of the web site you are accessing. For Amazon.com you can have "a8dogs8food" and for slashdot you can have "s8dogs8food." This gives you a better idea if your password is leaked, and keeps insiders from using your userid/passwd on other consumer sites. I think that a password scheme like this strikes a good balance of security and ease of use.

    6. Re:I only have 2 passwords by Anonymous Coward · · Score: 2, Funny

      Tell me about it, just the other day I rooted some guy who used aaaaaaaa and goatse911 for everything. Poor sucker probably doesn't even realize he's been rooted yet.

    7. Re:I only have 2 passwords by prgrmr · · Score: 2, Insightful

      I've successfully fought against mandatory password changes at my company, but it rears its head again every few months, as some bright spark in management (usually in our parent company) thinks it would be a good idea.

      Of course it's a good idea. But like everything else in life, it, too, is subject to the "Too Much of a Good Thing" syndrome. The trick is to change passwords often enough to maintain security and protect against those who will, inevitably, give away their passwords in exchange for trinkets or favors, and to balance that against not making the change so often as to be more trouble than it is worth. Depending on the environment, 2-5 times a year is sufficient.

      Remember, a login/password scheme is there to ensure limited access to a limited number of systems (usually one) is granted to a known, limited number of individuals (usually just one per login). As soon as you don't have this, you don't have security. The best firewall in the world won't save you from the dumbass user who calls the vendor directly and gives their login & password to the tech support drone on the phone.

    8. Re:I only have 2 passwords by Not_Wiggins · · Score: 2, Informative

      We have a similar policy at work... and it is applied (with random expire times) on over 40 different server boxes.

      Since our dev environment is on a Windows platform, I use Password Safe and have it generate/store new passwords for me for all of the production machines.

      Sure, it is a pain because I have to fire it up and put in my one secure password to get to the other passwords. But, at least it limits my security exposure to one bastion host (the shared drive on the LAN, so my encrypted password database is backed-up).

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
    9. Re:I only have 2 passwords by Lumpy · · Score: 2, Interesting

      no kidding....

      the IT gurus that pride themselves on security at the HQ were bragging that most of our company users were using good passwords.

      I suggested they let me have a crack at it.

      I broke over 40% of the passwords by simply adding the YYMM as in last 2 digits of the year and the month as digits to the end of every password tried from the dictionary.

      they were surprised and I said, "your fault for forcing 30 day password expiration on the domain."

      this was 1 year ago.

      they still have not changed their policies, and now want everyone to have their last 4 social security number in their username..

      now i can spoof tech support easily as they ask you for validating who you are.....

      the last 4 of your Social security number.

      we have complete morons running our IT department.

      --
      Do not look at laser with remaining good eye.
    10. Re:I only have 2 passwords by baadfood · · Score: 3, Insightful
      See, it's twits like fubar1971 that demonstrate why we are in this situation.

      The problem is caused by a complete and utter lack of grip on reality. A total inability to understand human nature, and worse, expect people to bend to the system, rather than designing the system to facilitate its use by people.

      I'll say this in capital letters so you get it this time.

      CHANGING PASSWORDS EVERY 60 DAYS IS TOO HARD YOU DICKFUCK!

      And if you arsehole IT fucks can't get your brains around that, and design a system that recognises that fact, then you should really get a job shovelling manure or something.

      If you really think that something is easy, merely because it's easy to write an algorithm to solve it, you need help. People are not computers, and something as trivial as generating a password becomes an onerously difficult task when asked to perform repeatedly.

      Rather than cursing the l-users, get off your fat arse, and start doing your job - provide them with the tools to do their jobs.

    11. Re:I only have 2 passwords by ifoxtrot · · Score: 4, Insightful
      That is why my organisation has implemented password policies that require at least 8 characters, at least 1 uppercase letter, 1 number, and one special character, or it will not let you change it, and will lock out your account. We then run security audits to ferret out the l-users like you that make them too simple. If we find a password that is too simple, or easy to crack, we force you to change it. If you do not, then your account will be locked out.

      When I read this, I seriously started thinking this was great sarcasm.
      Unfortunately I've since changed my mind.

      There has been a lot of research in the area of password usability; here is a short summary:
      Fact 1: human memory is fallible
      Fact 2: people cannot forget on demand
      Fact 3: non meaningful things (i.e. random) are amongst the hardest things to remember
      Fact 4: items in human memory interfere with each other making 100% recall very hard
      Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - passfaces is an interesting technology for example)
      Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down

      CONGRATULATIONS you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document, they have updated it and it makes a LOT more sense now (check out FIPS PUB 112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.

  3. Just get rid of them... by danielrm26 · · Score: 3, Insightful

    Asking users to learn to create and manage complex passwords is not realistic; user education and/or "awareness" just isn't all that viable. The way the password problem is going to be solved is very simple - they aren't going to be used anymore.

    Using SecureID or another similar solution is the "no-brainer" solution that today's users need. This way they don't have to remember anything other than a simple pin - which, luckily, is just about the limit of most people's powers in this arena.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Just get rid of them... by Neil+Watson · · Score: 2, Insightful

      Jane: 1111
      John: 0000

      If there is a easy way they will take it.

    2. Re:Just get rid of them... by Desert+Raven · · Score: 2, Funny

      Yeah, no kidding. A junior manager in a company I worked as IT manager for got all pissed off because I required minimum 8-char passwords, so he set it to FFFFFFFF.

      Imagine his surprise when he found himself locked out of the system the next morning. Seems he didn't know I ran a password cracker against the password database every morning. 'course, he also didn't know I had caller-id. It took him until mid-afternoon to finally get hold of me, and only then because he got off his fat butt to physically track me down.

      He tried to threaten me by saying he'd report me to the company owner. Seems he also didn't know that the company web proxy kept logs of all activity. :) Funny part was, he also didn't know that the company owner had a much better catalog of porn links than he did...

      I kinda miss that job.

  4. As an admin... by 0racle · · Score: 5, Funny

    I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.

    --
    "I use a Mac because I'm just better than you are."
    1. Re:As an admin... by maskedbishounen · · Score: 2, Funny

      Pfft.

      We all know "real" men just kick down the door after they lock themselves outside.

      And real geeks lock themselves inside. ;)

      --
      "An infinite number of monkeys typing into GNU emacs would never make a good program."
    2. Re:As an admin... by Barlo_Mung_42 · · Score: 3, Funny

      I write mine on the yellow note paper taped to the pull out section above the top right drawer.
      I change it every week. This week it is 'Pencil'. Don't tell anyone though.

  5. Known for quite some time... by Omniscientist · · Score: 3, Insightful

    No matter how complex our security systems get, no matter how secure we can encrypt passwords to prevent brute force cracking of them, there will always be that human element of weakness. There will always be that one person who can be easily tricked over the phone to give out a password. There will always be that one person who will use their first name and last initial (ahem...half life 2 forum admin) as their password. So we really can't get top notch security without excellent education to these people on what to do in these situations.

    1. Re:Known for quite some time... by savagedome · · Score: 2, Funny

      There will always be that one person who will use their first name and last initial

      Yeah. Bunch of idiots. That's why I drop the last initial.

  6. Special Characters != More Secure by Anonymous Coward · · Score: 3, Insightful

    I can't remember how many IT admins thought that requiring a password with special characters and numbers would make the system more secure. Sure it will add an extra 12 hours on a brute force attack, but if you don't notice an 8-hour running brute force attack you really are not a good admin.

    1. Re:Special Characters != More Secure by jdunn14 · · Score: 2, Insightful

      Note that not all brute force attacks take place against the online system. Through a bug in some service, a poorly configured database, or a single compromised username (plus a privilege escalation) an attacker may be able to send the passwd (hopefully shadow) file to another machine where they can brute force at their leisure. Much smaller chance of detection this way.

      Also note that requiring special characters does far more than add "an extra 12 hours". In most cases the brute force attack would be many *times* longer when you increase the possible characters by 1, let alone a bunch of special characters. Of course, users tend to just append the characters, so brute forcing may take advantage of that, but at that point you're getting away from what a "brute force" attack implies.
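The two points in this reply, that a wider alphabet multiplies the search space rather than adding hours, and that an offline attack on a stolen hash file runs at a completely different rate from guesses against a live login, worked through as an added example (not from the commenter); the guess rates are constructed assumptions, not measurements.

```python
from math import log2

# Constructed guess rates for illustration only
ONLINE_RATE = 10              # guesses/s against a live login that throttles
OFFLINE_RATE = 1_000_000_000  # guesses/s against a leaked hash file on attacker hardware

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
ALNUM = LOWER + UPPER + DIGITS   # 62
FULL = ALNUM + SYMBOLS           # 94


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates when every position may be any of alphabet_size symbols."""
    return alphabet_size ** length


def appended_symbol_space(length: int, base_alphabet: int, n_symbols: int) -> int:
    """Search space when users satisfy the rule by appending one symbol to an alnum password."""
    return base_alphabet ** (length - 1) * n_symbols


def hours_to_exhaust(space: int, rate: float) -> float:
    return space / rate / 3600


def compare(length: int = 8) -> dict:
    alnum, full = keyspace(ALNUM, length), keyspace(FULL, length)
    appended = appended_symbol_space(length, ALNUM, SYMBOLS)
    return {
        "alnum_bits": log2(alnum),
        "full_bits": log2(full),
        # how many TIMES larger the space gets when symbols may appear anywhere
        "ratio_full_to_alnum": full / alnum,
        # the appended-symbol habit gives a space SMALLER than plain alnum
        "appended_smaller_than_alnum": appended < alnum,
        "alnum_hours_offline": hours_to_exhaust(alnum, OFFLINE_RATE),
        "alnum_hours_online": hours_to_exhaust(alnum, ONLINE_RATE),
    }
```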

  7. If the required dongle is a note under your kb... by FreeUser · · Score: 4, Insightful

    ... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.

    It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.

    --
    The Future of Human Evolution: Autonomy
  8. Yes. by captnitro · · Score: 2, Insightful

    Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

    Absolutely it is. This is one of those examples of culture clash: the tech-inclined, and not. Absolutely it's too much to ask, just like asking mom or dad to "just open the command line.. it's so easy!" Yeah, it is too much.

    1. Re:Yes. by Spudley · · Score: 2, Insightful

      Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask?

      Absolutely it is. Just like asking mom or dad to "just open the command line.."

      I've got to agree with you there. It is the non-techies that have the most problems with this, but how old is the internet culture among non-techies? Five years? Maybe less? The point is that until the internet made everything accessible from a single computer, you didn't need a dozen different passwords. Before that, the only people who needed to even think about the possibility of keeping multiple passwords were sys admins.

      The general public simply isn't comfortable yet either with passwords or computer security in general, and it'll probably take another ten years for it to truly get ingrained. In the meanwhile, the criminally inclined will continue to have an easy time of things.

      --
      (Spudley Strikes Again!)
  9. Change 'password'..... by Anonymous Coward · · Score: 2, Informative

    ... to 'passphrase'.

    Then tell your users to think of a phrase like 'my son's name is Jim', and get them to use it as their password.

    Putting in punctuation makes it harder to crack too. Although it still won't stop social engineering.

  10. My Password by Greenisus · · Score: 3, Funny

    My password is weu@$9JKcpw34.

    No one has ever guessed it.

    1. Re:My Password by Spudley · · Score: 4, Funny

      I use my dog's name as my password.

      My dog is called Pchg65Lb, but he changes his name every few weeks. :-D

      --
      (Spudley Strikes Again!)
    2. Re:My Password by Feynman · · Score: 2, Funny

      Hey, that's mine, too!

    3. Re:My Password by Surt · · Score: 2, Funny

      That's a fairly large Pekinese hybrid greyhound you've got there.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  11. Picking a strong password.... by which+way+is+up · · Score: 2, Informative

    Here are some good techniques for picking a strong password. It helped me out. http://www.macosxhints.com/article.php?story=20040920120520528

  12. Spaceballs Password by vivin · · Score: 3, Funny

    Best password/pin ever:

    [King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
    King Roland: One.
    Dark Helmet: One.
    Colonel Sandurz: One.
    King Roland: Two.
    Dark Helmet: Two.
    Colonel Sandurz: Two.
    King Roland: Three.
    Dark Helmet: Three.
    Colonel Sandurz: Three.
    King Roland: Four.
    Dark Helmet: Four.
    Colonel Sandurz: Four.
    King Roland: Five.
    Dark Helmet: Five.
    Colonel Sandurz: Five.
    Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

    --
    Vivin Suresh Paliath
    http://vivin.net

  13. The SlashDot Password Guessin' Game by oexeo · · Score: 2, Funny

    (Disclaimer: Please don't play this game!)

    1) Take the following five passwords:

    - password
    - slashdot
    - 123456
    - password123
    - [Username]

    2) Attempt to login to as many slashdotters accounts as possible.

    3) Post incriminating/stupid/slanderous/troll comments on behalf of users you now 0wn.

    4) While the FBI are busy smashing down your door: Take a hammer to your hard-drive's platters, and run like a screaming idiot while you think about how stupid you were to follow my instructions.

    (Disclaimer: Please don't play this game!)

    P.S. If your password was listed above: Change it!

    1. Re:The SlashDot Password Guessin' Game by mchugh · · Score: 2, Funny

      One down! :)

      (Insert incriminating/stupid/slanderous/troll comments here. Not to mention Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments.)

      - notmchugh

  14. I noticed that the article mentions... by gandell · · Score: 2, Insightful
    ...the Sarbanes-Oxley act. Many financial institutions required to follow these regulations also are liable for the FFIEC regs. I believe that the FFIEC regs. DO require alphanumeric, 8 digit passwords.

    Whether they do or not, the FDIC auditors emphasize this policy strongly. If it's not written in stone yet, it will be.

    To be honest, I approve such a measure. It disturbs me to think that our local bank's security policy might be more lax than Yahoo's.

    --
    Mercy was given to me by Christ...I must give the same to others.
  15. Password expiration by crow · · Score: 2, Interesting

    This goes along with my other pet peeve--password expiration. Here at work, the Windows passwords must be at least 8 characters, with mixed case and numerals. They expire after 90 days, but can't be changed for at least 10 days when new.

    My password is written on my whiteboard.

    For serious security, passwords shouldn't expire. They shouldn't even have to be that obscure. The security effort should go into making a brute force attempt impractical.

    And the IT department needs to recognize that once someone has physical access to the network, there's not much left to secure, anyway.

  16. My take : three zones by Ars-Fartsica · · Score: 4, Interesting
    My approach is to separate passwords into three zones: low, medium, high security. I always use an eight char passphrase with numbers and letters mixed. My zones work as follows:

    Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.

    Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.

    High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.

    1. Re:My take : three zones by ballpoint · · Score: 2, Insightful

      You can answer these questions with unrelated data, encrypted and kept elsewhere.

      Look at it as a backup password, in case the original broke into bits by some strange mishap.

      --
      Flourescent (adj): smelling like ground wheat.
    2. Re:My take : three zones by Chris+Burke · · Score: 2, Funny

      I like the sites that ask you to provide a challenge question that they will ask if you forget your password. My question is always "Go fuck yourself" and the response is whatever happens when I smack my palm on the keyboard repeatedly until the character limit is reached. I don't forget my passwords. :)

      Of course, then you call up your bank and all they want is your SSN and mailing address... Sheesh.

  17. In case you forget them.... by lukewarmfusion · · Score: 2, Funny

    ...just put them all in an Excel spreadsheet, keep a copy printed out and stored in your filing cabinet under a folder labeled "Passwords" and don't lock the cabinet.

    I gave my two weeks' notice and this was the first thing my bosses wanted me to do: write down all the passwords for them so they could keep everything on file.

    Fantastic.

  18. Easy trick... by GillBates0 · · Score: 4, Funny
    Get someone to kick you in the nuts every time you forget your password.

    You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.

    For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  19. The problem isn't so simple by Slick_Snake · · Score: 2, Insightful

    Current security models require passwords to be changed every three months or so. On top of that the password cannot be one of the last 5 or so used. On top of that it must be different than the last password by x number of characters. On top of that the user must remember x number of passwords of which he/she only uses one on a regular basis. To complicate matters the passwords must contain numbers, letters (upper and lower case), and sometimes special characters (but only certain ones). The expectations placed on the worker are unrealistic and that is what leads to poor password management. A simple password with a dongle (smart card, usb device, RFID chip, etc...) is a better solution.

  20. Even "good" passwords are bad by bitslinger_42 · · Score: 3, Interesting

    Between Moore's Law and modern cracking techniques (dictionary attacks, hybrid attacks using both dictionary and brute force, and hash precalculation), nearly any 7-8 character password that will be easy for Joe User to remember is crackable in a very short period of time. Rather than blaming the users for security failure, we should be looking to improving the overall system.

    There are a number of things that can be done. First, and most importantly, eliminate the use of protocols that pass usable credentials (password, reversible password hashes, etc.) across the network in the clear. This means no longer using telnet and FTP (except for kerberized versions), doing something with/about Microsoft's NTLM/LanMan hashes, and probably using client certificates as well as server certs for encrypted web traffic.

    Beyond that, there are proven techniques that aren't too hard for users to understand. Time sequence tokens (i.e. RSA's SecurID) have been around for a long time and have yet to be broken except for when the attacker has access to the critical seed records. There was an article a while back (sorry, can't remember where) about a bank using a short list of PINs that they mail to the customers. Each time the customer logs in, they use one and cross it off. The system keeps track of it and automatically sends a new list before the old one is exhausted.

    The point here is that unless we get rid of the users, we will never be able to educate all users all the time. The best way to get the security levels that appear to be needed is to take the human element out of the process as much as possible.

  21. Re:Biometrics by wfberg · · Score: 3, Insightful

    Passwords are always going to be flawed. Biometrics are the wave of the near future/present.

    Yeah. Unlike passwords, biometrics are resistant to, what, 10 replay attacks? Unless you're using iris-scans, then you've got 2 passwords, maximum.

    You are aware that most fingerprinting gear is resistant to the dreaded Gummy Bear attack? (That's where they use a copy of your prints - lifted off of a glass you used for example - made out of Gummy Bear candies).

    Biometrics are useless unless the biometric-taking hardware is physically secured by human guards checking to make sure you're not palming any Gummy Bears.

    (As a cost-cutting measure, notice how human guards are much better at facial recognition than computers, and just issue photo-IDs..)

    --
    SCO employee? Check out the bounty
  22. Re:Biometrics by Jucius+Maximus · · Score: 4, Insightful
    "Passwords are always going to be flawed. Biometrics are the wave of the near future/present."

    There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.

  23. Picture Passwords by spun · · Score: 4, Interesting

    One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, let's use a wavy line and start on e. Our 8 character password would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Picture Passwords by gowen · · Score: 2, Interesting
      These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
      Unfortunately, they're really easy to brute force. 40-odd starting positions, but then a maximum of only 8 directions in which to move for the next letter.

      Which means the size of the 8-character password space has been reduced by a factor of about 80,000. Yuck.
      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:Picture Passwords by greed · · Score: 2, Insightful

      Those are great for shoulder-surfing, I can spot a "picture password" from across the room. Or across the Home Depot....
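      As an added illustration of the two points above (spun's "picture passwords" and gowen's observation that each step can only move to a neighbouring key), here is a policy-side check written for this thread rather than taken from any poster or library. It models a US QWERTY layout approximately (row offsets and the 1.25-key adjacency distance are my own constructed approximation), flags passwords that are keyboard walks, and counts how many 8-key walks exist so the reduction in search space can be compared with 36^8.

```python
# Each row left to right; second value is the horizontal offset of the row's
# first key in key widths (constructed approximation of a US QWERTY board).
_ROWS = [
    ("1234567890-=", 0.0),
    ("qwertyuiop", 0.5),
    ("asdfghjkl;", 0.75),
    ("zxcvbnm,./", 1.25),
]
# Keys are adjacent when on the same or a neighbouring row and their centres
# are at most this far apart. Deliberately generous, so the diagonal y -> j
# in the thread's "e4rft6yj" still counts as a single step.
_MAX_DX = 1.25

_POS = {}
for _row, (_keys, _offset) in enumerate(_ROWS):
    for _col, _ch in enumerate(_keys):
        _POS[_ch] = (_row, _col + _offset)

# Shifted symbols map back to the physical key they share.
_SHIFTED = dict(zip("!@#$%^&*()_+", "1234567890-="))
_SHIFTED.update({":": ";", "<": ",", ">": ".", "?": "/"})


def _key(ch):
    """Normalise a typed character to the unshifted key it sits on."""
    ch = ch.lower()
    return _SHIFTED.get(ch, ch)


def adjacent(a, b):
    """True if a and b sit on adjacent keys (a repeated key also counts)."""
    pa, pb = _POS.get(_key(a)), _POS.get(_key(b))
    if pa is None or pb is None:      # character not on the modelled layout
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= _MAX_DX + 1e-9


def walk_ratio(password):
    """Fraction of consecutive character pairs that are adjacent keys."""
    if len(password) < 2:
        return 0.0
    steps = zip(password, password[1:])
    return sum(adjacent(a, b) for a, b in steps) / (len(password) - 1)


def is_keyboard_walk(password, min_ratio=1.0):
    """Policy check: reject passwords traced on the keyboard. Lowering
    min_ratio (e.g. 0.75) also catches near-walks such as '1qaz2wsx'."""
    return walk_ratio(password) >= min_ratio


def neighbours(ch):
    """Keys adjacent to ch, excluding ch itself."""
    k = _key(ch)
    return sorted(o for o in _POS if o != k and adjacent(k, o))


def walk_count(length):
    """Number of distinct pure walks of the given length over the 42 keys
    (every step moves to a neighbouring key), by dynamic programming."""
    counts = {k: 1 for k in _POS}
    for _ in range(length - 1):
        counts = {k: sum(counts[n] for n in neighbours(k)) for k in _POS}
    return sum(counts.values())


if __name__ == "__main__":
    for pw in ("e4rft6yj", "fr456yhg", "1qaz2wsx", "wkxudf1"):
        print(pw, round(walk_ratio(pw), 2), is_keyboard_walk(pw))
    print("8-key walks:", walk_count(8), "vs 36^8 =", 36 ** 8)
```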

  24. Re:Biometrics by Haydn+Fenton · · Score: 2, Insightful

    We will still need passwords even if we have biometrics.
    Fingers can be cut off (ok, new ones are supposed to detect if there's blood circulating), or you could leave your fingerprint on something, then someone comes along and takes it; it wouldn't be too hard to make fake fingertips which you could use. Your retina 'metrics' would be harder to steal, maybe contact lenses, I dunno. But whatever technology we can come up with, crackers can find a way to break or exploit it. Biometrics by themselves are probably far more dangerous than having just passwords, imo at least.
    But... a mix of things:
    something you are (biometrics),
    something you have (dongle),
    something you know (password)
    would be a much safer combination.

  25. Bookshelf Steganography by BurritoJ · · Score: 2, Interesting

    My solution to secure passwords is to look around my office, at my bookshelf, at the documents/notes/references on my desk and pick an unusual set of words, hAx0r the spelling, and mix in some special chars *$&% as appropriate and out comes a secure password, with locational mnemonics if I forget it. If someone manages to brute force 3tt3r_4Tran77 then I have got lots of other problems. Fortran77 w/ Numerical Methods by Etter if you're curious, and no... it's not actually a password in use.

  26. Re:If the required dongle is a note under your kb. by nizo · · Score: 5, Interesting
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
    a E9 b ?p c &m
    d 6K e aY f eP
    g !S h gn i D=
    j Hd k vw l Cb
    m W5 n 4$ o R3
    p x% q 7M r NF
    s +2 t s* u Ay
    v fL w zG x Zu
    y cX z Qr
    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
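    The card scheme nizo describes, reimplemented here as an added example (the poster's Perl script is not on the page; the code pool, function names and the parse/render layout are my own choices). The card printed in the post is embedded as sample input, and the inversion function makes the practitioner's caveat concrete: anyone holding the card needs only the memorised word, so the password is exactly as strong as that word.

```python
import secrets
import string

# Characters the two-character codes are drawn from (constructed choice).
POOL = string.ascii_letters + string.digits + "!$%&*+=?@^"

# The card as printed in the post above, used here as sample input.
PAGE_CARD = """a E9 b ?p c &m
d 6K e aY f eP
g !S h gn i D=
j Hd k vw l Cb
m W5 n 4$ o R3
p x% q 7M r NF
s +2 t s* u Ay
v fL w zG x Zu
y cX z Qr"""


def make_card(rng=secrets):
    """Give every lowercase letter a random two-character code."""
    return {ch: rng.choice(POOL) + rng.choice(POOL) for ch in string.ascii_lowercase}


def codes_unique(card):
    """A card whose codes collide cannot be read back unambiguously."""
    return len(set(card.values())) == len(card)


def render_card(card, per_line=3):
    """Lay the card out three letters per line, like the post's printout."""
    cells = [f"{ch} {code}" for ch, code in sorted(card.items())]
    return "\n".join(" ".join(cells[i:i + per_line])
                     for i in range(0, len(cells), per_line))


def parse_card(text):
    """Read a printed card back into a letter -> code mapping."""
    tokens = text.split()
    return {tokens[i]: tokens[i + 1] for i in range(0, len(tokens), 2)}


def derive(card, word):
    """Concatenate the codes of the memorised word's letters."""
    return "".join(card[ch] for ch in word.lower())


def recover_word(card, password):
    """Whoever holds the card turns a derived password straight back into
    the word, so the word's guessability is the whole of the security."""
    inverse = {code: ch for ch, code in card.items()}
    return "".join(inverse[password[i:i + 2]] for i in range(0, len(password), 2))


if __name__ == "__main__":
    card = parse_card(PAGE_CARD)
    print(derive(card, "bank"))              # the post's example password
    print(recover_word(card, "?pE94$vw"))    # what a found card gives away
    print(render_card(make_card()))          # a fresh random card
```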
  27. Stupid Policies, Not Stupid Users. by Hank+Reardon · · Score: 4, Informative

    What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.

    For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.

    I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.

    The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.

    What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.

    I wish we'd switch to RADIUS.

    --
    There's so little difference between politics and jihad lately...
    1. Re:Stupid Policies, Not Stupid Users. by jdreed1024 · · Score: 2, Interesting
      Amen to that. Now, admittedly, having one password for all your services is kind of bad, since it's a single point of failure. But what's worse is the obscure requirements some websites have. Here's a list of the password requirements for all sites I use on a daily basis:
      • 6-8 characters, containing at least 1 number and 1 letter, the number must not be the first or last character. No special characters. Password cannot be the old one if you change it.
      • 4 character maximum, only letters and numbers.
      • 6 characters, only capital letters and numbers, no lowercase
      • 8 characters, may not share any characters with your login id
      And that's just the ones I can think of off the top of my head. Of course, my main account that I use daily, uses Kerberos, so I can have passwords up to 255 characters, including punctuation. My bank website also has a sane system that allows me to use my usual password-derivation method (pick interesting phrase or sentence, take first letter of every word, and punctuation marks, and combine with a number).

      The thing that really got me was the 4 character password. I called them and they said it was "more secure". Alas it was only a phone droid, so there was no point arguing, but wow.

      Of course, the most insecure password for anyone in the US is probably their PIN for their ATM card. It's only 4 digits, each from the set 0-9. That's pretty trivial to brute-force. The only reason not to is because all ATMs have cameras, so the more you visit (most ATMS eat the card after 3-4 incorrect PINs), the more chance you have of being caught on camera. Why we can't move to variable length PIN numbers is beyond me.
      <troll> Probably because Diebold is too busy rigging elections to come out with better ATMs </troll>

      --
      There is no sig, there is only Zuul.
  28. re: password security by Rage+Maxis · · Score: 2, Interesting

    I gave up on password security after working for a health management company that had name/same name as login and password on the SQL servers on real IP's. "they were behind the firewall!" BUT THE FIREWALL IS FORWARDING ALL THE PACKETS TO THE SQL PORTS!

    The best part was after sending a note around on the new policy of 12 digit case sensitive alpha numeric mkpwd (or mkpasswd i forget which one is which) that were FORCED on the user. The 2nd point on the note was that "PASSWORDS ARE NOT TO BE STUCK ONTO MONITORS USING YELLOW STICKIT NOTES."

    I found 42 examples of where the note was posted on the bulletin board the password was changed back to flully or dave or whatever typical passwords they usually used, and then that was on the monitor with a message like "Darlene, look at my case files, my password is DAVE" -- even though she can look at them from her user account and thus TRACK CHANGES FOR COURT LIABILITY ... no, instead the password goes on the monitor.

    The real kicker was that they worked with a major Canadian bank and as such had a Lotus Notes over SHIVA connection into the bank core network. The bank was furious that our insecure network was allowed to connect to theirs with Shiva being run on the same Windows 98 or ME (not my idea to install that, believe me) machines that were running with no admin kits, no policies, no process watchers or anything else resembling security -- and when I arrived no updated antivirus and no patching.

    No wonder, especially since the bank used ultra-hard to remember 6 digit capital-letter + numeric passwords. Once again the 50-something women couldn't remember those so they were on the monitor too.

    When they finally did get rooted (and massively I might add, the best was the Windows NT 4.0 SP2 unpatched server which had an IP in the external range and an internal IP with routing turned on and telnet with a guest account enabled.) it was because of "evil hackers intent on disrupting legitimate commerce"

    In reality the problem is consultants who want to get things rolled out as quickly as possible. The next problem is managers who are more worried about the whining of their staff in regards to the ENSLAVEMENT of having to remember 10+ digit alpha numeric passwords (I have trained myself to do it in 8 looks.) and not be able to run their solitaire web games at lunch and things like that.

    The next problem is that even with passwords being there there are countless machines where people just go around the password mechanism using exploits.

    Personally I dictate anyone using my personal mailserver, etc. use 12-byte alpha-numeric case-sensitive passwords generated with whatever that app is mkpwd or mkpasswd, I usually have to type it twice to get the one I want. They work really well and take forever to brute force.

    I've tried playing with other mechanisms like finger print ID (at an old venture place I worked at they spent 2 years messing with this) and smart cards and the like. Nothing has really been satisfactory especially when you add any degree of road warrior (which is the place where security of IP and passwords is really important) the solutions are generally worthless as it is VERY expensive and inefficient to give authentication validation hardware to even a road warrior to carry with them.

    Also in the end many of the security validation tools work using internally a hash that is effectively a password anyways. Use the scene in Star Wars Return of the Jedi as an example when they are breaking into the power station for the shield. Enough blaster will open anything. Inside most fancy locks is an actuator which if given power will open the door. Thus a however expensive panel with fancy computer inputs and strong passwords can just be torn out and a battery with two wires used from K-mart in its place. Keep this in mind.

    Additionally, if you've ever seen the output of dsniff running on mirror channel traffic on a master switch in a large IT shop the passwords just scr

    --
    --- ask me about nihilism, I will have nothing to tell you.
  29. Does anybody crack passwords any more? by Chemisor · · Score: 2, Insightful

    Is it even possible to crack passwords any more? With shadow passwords, you simply can't get the password string to crack, and you can't just brute force at the login prompt, since it waits five seconds between tries. To get /etc/shadow you have to be root anyway, so what's the big deal with creating "non-guessable" passwords? It's not like any hacker would actually try more than a dozen at the login prompt. If he does, he'll just be locked out and reported. If you look at the descriptions of how computers are hacked these days, it's never by guessing passwords. It's usually done through a poorly written web page, where a buffer overflow can get you in (why don't they run the webserver on a chroot?).

  30. President Scroob... by blueZ3 · · Score: 2, Funny

    Is that you?

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  31. Card reader can be hostile - put PIN-pad on card by CrystalFalcon · · Score: 2, Informative

    Even better is to integrate the PIN pad onto the card itself, and use encrypted communication between the card and the authenticating server. The card reader would just see encrypted traffic.

    Also works against hostile ATMs.

    A solution like this exists, see Cypak PIN-on-Card

  32. Science Tables and Lookup Values by INetEngineer · · Score: 2, Interesting

    Perhaps integrate science table codes into your password or other known reference "codes" to known items (such as dates for historic events). What's the number for Einsteinium? Use that in your password...

    For example, the following uses the atomic weight of Einsteinium, year the Human Genome Project completed, traditional formula for Einsteinium (III) iodide, and a hint that the formula both references the III iodide and not II and is not the Hill system formula.
    "My252BrainWasMapped2003WithThe3rdColorE SI3NotHill "

    Of course, this password is incredibly long, but things like dates, chemical formulas, periodic table mappings, physics formulas, or algebraic formulas, all provide a concise means of generating short passwords that can be looked up if you ever forget them.

    Similar to encryption, you have now encoded your password with keys that are easy to remember, or look up if you can't remember (Date of Mt. Rushmore Dedication ceremony + Formula for Benzene).

    --
    --I smoked my sig.
    1. Re:Science Tables and Lookup Values by TykeClone · · Score: 2, Interesting
      This guy from Microsoft agrees with you http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx

      Pass phrases are at least easier to remember than long passwords (compare "I am the walrus, koo-koo-kachoo!" to your example) and are long enough to be more problematic for password cracking programs.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    2. Re:Science Tables and Lookup Values by Gyorg_Lavode · · Score: 2, Insightful

      Passphrases need to be random though. Lyrics, quotes, and scripts can all be loaded into a passphrase dictionary and used the same way dictionary attacks are used against passwords. If you are going to use non-random passphrases, you need to use dictionary checking to make sure someone didn't use, "I am your father luke"

      --
      I do security
  33. Re:Easy trick... The *REAL* BOFH by HighOrbit · · Score: 2, Funny

    I thought our help-desk guy might have been the original BOFH, but I was wrong. Even he wouldn't have thought of that. Man, you are harsh.

    [Suddenly the phone rings, disturbing the BOFH's game of Half-Life]

    [random_user]Hello Help Desk? I forgot my password. I have to print a powerpoint document for a briefing I am giving in 5 minutes so I need my password reset right now!

    [BOFH] Oh....let me check...we can only reset passwords once a day between 6AM & 7AM because it affects the user settings and we can do that after the server's been initialized. Otherwise the server might malfunction and several random files could be deleted from your home directory. Are you sure you can't wait until later?

    [random_user][pauses]yes, I need it NOW. I'm briefing our department VP in 5 minutes.

    [BOFH]ok... you're the boss...I'm resetting it to "12345678"...try logging on in a few minutes [while typing "del /users/random_user/*.ppt"]

  34. Stupidity finds a way by jdfox · · Score: 4, Interesting

    I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.

    We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.

    But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.

    That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
    Doooo, ya stupid idjit rabbit!

    State-of-the art tech is no match for the apparently limitless stupidity of users.

    In the end, we did the only sensible thing, and revoked offsite dial-in for that group.

  35. Anyone else use STRIP? by DerficusRex · · Score: 2, Informative

    It's a GPL utility for PalmOS that stores your pw list encrypted with 256 bit AES. It's also got a decent password generator, and can do S/Key OTPs. Here's the site.

  36. Daily password changes by snuf23 · · Score: 2, Funny

    I once worked for a company where the insane CEO (dotcom era) decided to get serious about security by requiring daily password changes.
    The cool thing was that they never implemented any restriction on what the passwords could be.
    I think the most common passwords that resulted were Monday, Tuesday, Wednesday etc.

    --
    Sometimes my arms bend back.
  37. 8?! I wish. by Derekloffin · · Score: 2, Interesting
    I had about 8 passwords when I first entered college. I'd guess I'm way over that now, never mind the obscure user names on top of these.

    I mean, let's just see:

    At Work:

    general network, 1 email, 5 account passwords.

    At Home:

    1 email, about 3 for various online games, and 2 for instant messaging programs.

    Online:

    About 4 for various online vendors, 1 for a website I commonly go to, and probably another dozen I just got along the line for sites I rarely visit.

    Out and about:

    Can't forget that pin number

    I'm not at school anymore, but when I was:

    1 network

    3 computer science account passwords

    1 library

    So, what's that, 20+? I'm not even a heavy online shopper so I could expect many other people to easily break 30+. And again, this doesn't consider that many sites demand some cryptic username too, and stupid security protocols that demand you change your password every other week.

  38. No shit! by lorcha · · Score: 2, Interesting
    I know the feeling. I just started a new job and I needed to come up with a login password. The password I wanted to choose was a pretty-much unguessable 'wkxudf1'.

    But nooooooo that was not acceptable. It needed a capital letter and a special character. By the time I was done fighting with the password change program, my password was 'Abcdef-1'. Take a wild guess what my password will be when I have to change it next month?

    Totally insecure, but at least I can fucking remember it. And if I ever forget, I can just look at my /. comment history!

    --
    "Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
  39. Or just use a Palm Pilot by Dr.+Manhattan · · Score: 3, Interesting
    There are tons of encrypting password apps for handhelds. At various times I've used:

    Lots easier to work with multiple places (home, work, web, etc.)

    --
    PHEM - party like it's 1997-2003!
  40. Re:If the required dongle is a note under your kb. by TheMadRedHatter · · Score: 4, Funny

    >a E9 b ?p c &m
    >d 6K e aY f eP
    >g !S h gn i D=
    >j Hd k vw l Cb
    >m W5 n 4$ o R3
    >p x% q 7M r NF
    >s +2 t s* u Ay
    >v fL w zG x Zu
    >y cX z Qr

    So what does the output of that Perl script look like? ;-)

    -- TheMadRedHatter

    --

    while(1)
    {

    }

    Ah, the story of life.
  41. Re:Biometrics by Roogna · · Score: 2, Insightful

    Human guards better? I wouldn't count on it.
    Not to say biometrics are great, but humans aren't actually that hot at it.

    At one company I worked we had a security guard who was notoriously bad at remembering anybody. Seriously, the entire staff would discuss this fact. He saw all of us every single day, but damned if he seemed to be able to remember that fact. He also wasn't too hot at comparing IDs and more than once people on the staff would swap IDs just to test this theory. He always let them in.

    Plus, above and beyond people who are just bad at facial recognition... you still have the problem that passwords, biometrics, or even human guards with big guns can all be gotten by if the right person is handed a $10 bill. This fact hasn't changed since ancient times and despite all the technology we throw at it, never will.

  42. My password is Pi by Archangel+Michael · · Score: 2, Interesting

    I just won't tell you the starting offset. :D

    I always imagined that Pi or one of the other irrational numbers would be a great encryption hash. Easy to generate, remember etc, but hard to hack, since we don't know the starting offset.

    It could be a nonrepeating hash or even a repeating one. All you would need to know is the starting offset, you could encrypt a very long document, with a singular and easy to remember hash point, ie Pi x 259313 r1024 would mean Pi hash starting at 259313 repeating 1024 numbers.

    I am sure that some pointy head math wizard will explain why this will not work.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  43. Re:Easy obscure passwords by acceleriter · · Score: 2, Funny

    Just stay away from Dvorak keyboards!

    --

    CEE5210S The signal SIGHUP was received.