Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Security Not Easy

Posted by michael on from the duh dept.

mekkab writes "The Wall Street Journal reports (yet again) that despite knowing better, users do dumb things to compromise security. Is seven different 8 character passwords (with numbers and mixed cases) really too much to ask? Do people need training on how to make well known phrase (to them) into a perfect password acronym, or other memory boosting techniques? Or is it that the entire business culture needs to change from within to take digital security seriously?" If you require unmemorizable passwords, you've effectively changed the security requirement from "something you know" to "something you have", and if the required dongle is a note under your keyboard...

4 of 674 comments (clear)

  1. As an admin... by 0racle · · Score: 5, Funny

    I hate people that put their password under their keyboard. Like damn people, on the underside of the desk, is that so much to ask.

    --
    "I use a Mac because I'm just better than you are."
  2. Re:I only have 2 passwords by ifdef · · Score: 5, Insightful

    I have about 4, EXCEPT FOR WORK. At work, they require changing passwords every month or so. So now, having used up all my imaginative ones, I use fairly easy-to-remember (and so easy-to-guess) passwords at work. Somehow, they don't seem to realize that by forcing me into the situation where I *can't* have a password that is both obscure and easy for me to remember, they are making the system LESS secure, rather than nore secure.

  3. Re:Integrate the pin with securid by wfberg · · Score: 5, Interesting

    The best scheme is a smart device (such as a smart-card with standalone(!) cardreader), that lets you physically enter a PIN into it, which then unlocks a securid or challenge/response scheme.

    The (embedded) chip is tamper-resistant (quite possibly erases the secrets inside when opened) and only lets you try 3 pins. The challenge/response scheme can then be as convoluted as you like, perhaps based on public/private key.

    My bank uses the chip embedded on my regular ATM card, and a card reader with a keypad and integrated LCD readout. When logging on to e-banking, I enter a PIN, enter a challenge on-screen, and then enter the response from the LCD readout into my browser.

    --
    SCO employee? Check out the bounty
  4. Re:If the required dongle is a note under your kb. by nizo · · Score: 5, Interesting
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
    a E9 b ?p c &m
    d 6K e aY f eP
    g !S h gn i D=
    j Hd k vw l Cb
    m W5 n 4$ o R3
    p x% q 7M r NF
    s +2 t s* u Ay
    v fL w zG x Zu
    y cX z Qr
    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
    --
    I Am My Own Worst Enemy