Password Security Not Easy
mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8-character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make a well-known phrase (to them) into a perfect password acronym, or other memory-boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...
required dongle is a note under your keyboard
There are more advanced security schemas. I know some places I have worked use securids where if you get possession of the key chain and know their userid, then you can become them. This isn't any good.
A slightly better solution is having a securid login with a pin code - still not quite there as I only have to get your login name, securid key chain and guess what your 4 digit pin is.
The best password schema I have seen so far is where the securid and pin are integrated so that the seed in the random number generator for synced securids is the pin - the securids are just random numbers where the next number is based on some fixed pattern and the number is only good for 60 seconds. But still this has a few holes, I could figure out the pattern in securid and brute force the pin then re-add the pin as the seed. But for nowadays, this is the best I have.
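The scheme in this comment (a time-synced token code plus a PIN the user knows) and the hole it points out (guess the 4-digit PIN once you hold the key fob) can be made concrete with a small verifier. The code below is an added example, not the poster's code and not RSA's SecurID algorithm: it stands in an RFC 4226/6238-style HMAC-SHA1 code with a 60-second step for the vendor's generator, stores only a salted PBKDF2 hash of the PIN, rejects reuse of an already-accepted time window, and locks the account after a fixed number of failures so the PIN cannot be brute-forced online. The seed, PIN values, step, digit count and lockout threshold are all constructed or assumed for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 60          # the post's 60-second code lifetime
DIGITS = 6         # assumed code length
MAX_FAILURES = 5   # assumed lockout policy; counts bad PINs and bad codes alike
PBKDF_ROUNDS = 100_000


def token_code(seed: bytes, now: int) -> str:
    """Code the token would display at unix time `now`: HMAC-SHA1 over the
    60-second counter with dynamic truncation (the RFC 4226/6238 construction,
    assumed here in place of the vendor algorithm)."""
    counter = now // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_pin(user: str, pin: str) -> bytes:
    """The server keeps a salted PBKDF2 hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), b"pin:" + user.encode(), PBKDF_ROUNDS)


class TokenServer:
    """Checks (PIN, token code) pairs. Per user it holds the token seed, the PIN
    hash, a failure counter and the last time counter it accepted."""

    def __init__(self):
        self.users = {}
        self.audit = []   # (user, outcome) for the log; callers only get True/False

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = {"seed": seed, "pin": hash_pin(user, pin),
                            "fails": 0, "last": -1}

    def verify(self, user: str, pin: str, code: str, now: int, window: int = 1) -> bool:
        rec = self.users.get(user)
        if rec is None:
            self.audit.append((user, "unknown user"))
            return False
        if rec["fails"] >= MAX_FAILURES:
            self.audit.append((user, "locked"))
            return False

        # Evaluate both factors before deciding, so a wrong PIN and a wrong code
        # take the same path and the failure counter covers both.
        pin_ok = hmac.compare_digest(rec["pin"], hash_pin(user, pin))
        counter = now // STEP
        matched = None
        for delta in range(-window, window + 1):      # tolerate clock drift of one step
            c = counter + delta
            if c <= rec["last"]:                       # window already used: replay
                continue
            expected = token_code(rec["seed"], c * STEP).encode()
            if hmac.compare_digest(expected, code.encode()):
                matched = c
                break

        if pin_ok and matched is not None:
            rec["last"] = matched
            rec["fails"] = 0
            self.audit.append((user, "ok"))
            return True
        rec["fails"] += 1
        self.audit.append((user, "bad pin" if not pin_ok else "bad or reused code"))
        return False


if __name__ == "__main__":
    seed = b"constructed-seed-not-a-real-secret"
    srv = TokenServer()
    srv.enroll("alice", seed, "4821")
    now = 1_700_000_000
    print("fob + PIN:", srv.verify("alice", "4821", token_code(seed, now), now))
    print("fob only:", srv.verify("alice", "0000", token_code(seed, now + STEP), now + STEP))
```

Holding the fob alone yields `False` and burns one failure; after `MAX_FAILURES` attempts the account is locked even for the correct PIN, which is the mitigation for the PIN brute-force the comment worries about. The server still has to protect the seed database, since with the seed an attacker can compute codes without the fob.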
I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask?
"I use a Mac because I'm just better than you are."
... then at least a person has to gain physical access to the machine before they can compromise your account. Of course, we all know that once a person has physical access to the machine, all bets are off anyway.
It isn't as good as memorizing the password, but it's a hell of a lot better than having a weak password that is trivial to guess and compromise via the Internet.
The Future of Human Evolution: Autonomy
I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than more secure.
I use my dog's name as my password.
:-D
My dog is called Pchg65Lb, but he changes his name every few weeks.
(Spudley Strikes Again!)
Low: content sites like slashdot. I don't care if you get this passphrase, I will never change it.
Medium: logins for machine accounts, email and online shopping sites. I care somewhat if this is known, and I will change it yearly.
High: financial sites - bank and brokerage. I care deeply that this phrase is secure, and it is changed once a month no matter what.
You'll be surprised by how dramatically your capacity to remember passwords will improve once this becomes a regular feature of your workday.
For added effect, construct horribly complex and impossible to remember passwords a few times every day. Over time, basic survival instincts and the urge to avoid the inevitable kick in the balls will overcome the limitations posed by your poor memory.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
There should be some feature in slashcode to remind people who inevitably try to post this that as soon as someone can fake your fingerprint or retinal scan, you are forked for life because you can never change those things.
One method I like is to pick a simple figure: a wavy line, a j shape, a box, a star or whatever. Then pick a starting character and 'draw' the password on the keyboard. For example, let's use a wavy line and start on e. Our 8 character password would be e4rft6yj. Or a box starting on f: fr456yhg. These passwords are hard to guess, easy to remember, easy to make memorable variants of, and quick to type.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper). Luckily I type fast and get annoyed when people stand over me while I type a password.
I Am My Own Worst Enemy
What I've noticed lately is that it's stupid policies rather than stupid users that cause the problems.
For example, my current employer requires a monthly password change, minimum of 8 characters, one must be in caps, at least one number and one punctuation mark. 13 months worth of history is also kept.
I have 4 strong passwords that I use regularly (and I come up with new ones every year or so), each consisting of 16-25 random characters, numbers and punctuation (think pound the keyboard and select a bunch of characters from the result). I can't use them because they repeat too often.
The policies also prohibit using the same password for multiple services like email, NT Domain logins, *nix servers, web applications and the like. The result is that I have to generate some 20 passwords per month.
What this does is force me to use stuff like "WebApp-01!", "NTLogin-01!" just to be able to remember everything.
I wish we'd switch to RADIUS.
There's so little difference between politics and jihad lately...
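The two comments above show the same failure from opposite sides: the keyboard-figure passwords (e4rft6yj, fr456yhg) are memorable but are walks over adjacent keys, and the "WebApp-01!" style passwords satisfy every composition rule in the stated policy (8+ characters, a capital, a digit, punctuation) while being a service name plus a counter. The checker below is an added example, not code from either poster; it models a US QWERTY layout with row stagger (a constructed table, other layouts need their own rows), measures the longest run of physically adjacent keystrokes, tests the composition rules the second poster describes, and flags the word-counter-symbol shape and passwords containing a known service or company name. The threshold of four adjacent keys and the context words are assumptions for the illustration.

```python
import re

# US QWERTY, unshifted, top row first (constructed layout table)
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Horizontal offset of each row in key widths, so stagger is modelled (q sits between 1 and 2)
ROW_OFFSET = [0.0, 1.5, 2.0, 2.5]
# Shifted symbols map back to the key that produces them
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))

KEY_POS = {}
for _r, _row in enumerate(ROWS):
    for _c, _ch in enumerate(_row):
        KEY_POS[_ch] = (_r, _c + ROW_OFFSET[_r])


def _unshift(ch: str) -> str:
    ch = ch.lower()
    return SHIFTED.get(ch, ch)


def adjacent(a: str, b: str) -> bool:
    """True when two keystrokes hit neighbouring keys (same row next door,
    or the adjacent row within one key width). The same key twice is not a walk."""
    pa, pb = KEY_POS.get(_unshift(a)), KEY_POS.get(_unshift(b))
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1.0


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of consecutive adjacent keystrokes."""
    best = run = 1 if pw else 0
    for x, y in zip(pw, pw[1:]):
        run = run + 1 if adjacent(x, y) else 1
        best = max(best, run)
    return best


def meets_composition(pw: str, min_len: int = 8) -> bool:
    """The policy from the comment: 8+ chars, one capital, one digit, one punctuation mark."""
    return all([
        len(pw) >= min_len,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^\w\s]", pw) is not None,
    ])


# word, optional separator, 1-4 digit counter, optional trailing symbol: "WebApp-01!"
COUNTER_SUFFIX = re.compile(r"^[A-Za-z]{3,}[-_ ]?\d{1,4}[^\w\s]?$")


def has_counter_pattern(pw: str) -> bool:
    return COUNTER_SUFFIX.match(pw) is not None


def contains_context(pw: str, context) -> bool:
    """Does the password embed a service, host or company name the checker was told about?"""
    low = pw.lower()
    return any(w.lower() in low for w in context if len(w) >= 3)


def assess(pw: str, context=(), max_walk: int = 4) -> dict:
    findings = []
    if not meets_composition(pw):
        findings.append("fails composition policy")
    walk = longest_keyboard_walk(pw)
    if walk > max_walk:
        findings.append(f"keyboard walk of {walk} keys")
    if has_counter_pattern(pw):
        findings.append("word + counter + symbol pattern")
    if contains_context(pw, context):
        findings.append("contains service or company name")
    return {"password": pw, "longest_walk": walk, "findings": findings, "accept": not findings}


if __name__ == "__main__":
    for candidate in ("e4rft6yj", "fr456yhg", "WebApp-01!", "NTLogin-01!", "Tq7#mVr2pL!x"):
        print(assess(candidate, context=("WebApp", "NTLogin")))
```

Composition rules alone accept "WebApp-01!" and reject "e4rft6yj", which is the wrong way round from an attacker's point of view; the walk and pattern checks are what actually separate the guessable ones from "Tq7#mVr2pL!x".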
I used to be on the networks team at a very large corporation, where we implemented SecurID and PIN for offsite dial-in.
We did everything right, got the clock sync working, got all the managers to buy lots of pricey SecurID cards, found and forcibly removed insecure dial-in boxes scattered around, did all the right audit and test of firewalls, etc.
But the sales group had a bunch of pooled laptops, which sales people used to take out to customer sites. So they would store a SecurID card in the bag, along with a yellow PostIt note showing the PIN code for that SecurID.
That way, not only was the SecurID compromised, but since they were effectively using shared SecurIDs and PINs, we wouldn't even know which idjit sales droid had compromised it.
Doooo, ya stupid idjit rabbit!
State-of-the-art tech is no match for the apparently limitless stupidity of users.
In the end, we did the only sensible thing, and revoked offsite dial-in for that group.
>a E9 b ?p c &m
>d 6K e aY f eP
>g !S h gn i D=
>j Hd k vw l Cb
>m W5 n 4$ o R3
>p x% q 7M r NF
>s +2 t s* u Ay
>v fL w zG x Zu
>y cX z Qr
So what does the output of that Perl script look like? ;-)
-- TheMadRedHatter
while(1)
{
}
Ah, the story of life.
When I read this, I seriously started thinking this was great sarcasm.
Unfortunately I've since changed my mind.
There has been a lot of research in the area of password usability; here is a short summary:
Fact 1: human memory is fallible
Fact 2: people cannot forget on demand
Fact 3: non-meaningful things (i.e. random) are amongst the hardest things to remember
Fact 4: items in human memory interfere with each other making 100% recall very hard
Fact 5: unaided (no prompts) recall is much harder than providing prompts (which becomes a recognition exercise - Passfaces is an interesting technology, for example)
Fact 6: ambushing a user to change their passwords stops them from doing their work (which they get paid for) and encourages them to bypass the system as quickly as possible - i.e. write the password down
CONGRATULATIONS, you are following rules which were laid out in the original FIPS guidelines (1985) for password management... Maybe you ought to revisit their document; they have updated it and it makes a LOT more sense now (check out FIPS PUB 112)... I just wanted to let you know that pretty much everything you describe decreases the security of your organisation.