Slashdot Mirror


Are Often-Changed Long Passwords Really Secure?

Zweistein_42 asks: "I work at a large, navy-coloured IT corporation. A new, more secure password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*, with standard checks for non-repetitiveness, dictionary, uniqueness, etc. Is there any research to support whether such requirements actually increase security?" "I have almost a dozen applications I use daily (e-mail, VPN, Windows login, intranet, FTP, etc.), plus 20-30 I access 'occasionally', and their passwords have to be unique - and change at different times. I usually take the trouble to memorize random alphanumeric, un-guessable combinations; but even I won't bother memorizing an average of 2 random strings a week. Eventually, won't most people use their pets' names (fuzzy1cat, fuzzy2cat, etc.) and start writing passwords on a note on their screen?

Every time I see such a policy, I strongly believe it makes *my* passwords less secure. What is the average user's reaction? What about lost & support time trying to regain forgotten passwords?"

8 of 233 comments

  1. This is the reason by popeyethesailor · · Score: 4, Interesting

    things like SecurID were invented... 2-factor authentication eliminates most of these special requirements.

    1. Re:This is the reason by Bastian · · Score: 5, Interesting

      I hacked my own together with a USB key containing an encrypted keychain and encrypted copies of my SSH key files. (Granted, I have no idea if a PC equivalent exists - my office lives in Mac-and-Unix-Land.) The keychain is backed up to another secure location every time I add or change a password, because the passwords I use look like what you get when you fall asleep on the keyboard. The USB key comes with me when I leave the computer, and the keychain gets locked automatically after 10 minutes in case I forget.

      Not perfect, but it's better than post-it notes, and it does implement its own version of the "something you have and something you know" philosophy.

    2. Re:This is the reason by Ararat · · Score: 5, Interesting

      Well, one of the reasons. Two-factor authentication was defined (as I recall, by the US Bureau of Standards in the mid-70s) as any AAA system that requires presentation of two of the three factors (something held, something known, something one is), but there was originally an additional requirement: one of those factors must be resistant to replay, dynamic.

      Sniff and replay were then, and in many places still are today, a prominent security threat -- and that threat grew exponentially with the evolution of local nets, and then exploded in scale and volume with the Internet.

      The SecurID, or any One-time Password (OTP) used to provide "strong authentication," does indeed obviate the need for all the Draconian rules now used to buttress the static reusable password or passphrase. In '87, however, as the SecurID was first brought to market, we never thought the static password would survive, no matter how complex it became, because it had none of the inherent resistance to eavesdroppers provided by a dynamic password.

      We never dreamed that -- to save, per user, the price of a keyboard -- the corporate bean counters would stay committed to static reusable passwords for another 20 years, using these increasingly painful routines to make those passwords more resistant to guessing, dictionary, and now pre-computed hash attacks. Nor did we expect that the market would consistently undervalue one of the token's core virtues: its resistance to sniff and replay.

      We thought it was obvious that a password, however strong, could never be enough.
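
Ararat's point is that a dynamic one-time password resists sniff-and-replay where a static password, however complex, cannot. The following is an added example, not code from this thread and not SecurID's proprietary algorithm: it implements the standard event-based OTP from RFC 4226 (HOTP: HMAC-SHA1 over a counter with dynamic truncation) and the server-side verifier that makes it replay-resistant by advancing its counter past every accepted code. The secret is the RFC 4226 Appendix D test-vector key; the look-ahead window size and the scenario in `sniff_and_replay_demo` are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
# A real deployment provisions a random per-token secret instead.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side of the token: remembers the next expected counter so that a
    code, once accepted, can never be accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # tolerates a few presses the server never saw (assumed size)

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # burn this code and every code it skipped over
                return True
        return False


def sniff_and_replay_demo() -> dict:
    """An eavesdropper captures a valid code. With a static password that capture
    works forever; with HOTP the second presentation is rejected."""
    server = HotpVerifier(SECRET)
    token_press = hotp(SECRET, 0)               # what the user typed at login
    first = server.verify(token_press)          # legitimate login: accepted
    replay = server.verify(token_press)         # attacker replays the sniffed code: rejected
    skipped = server.verify(hotp(SECRET, 4))    # user pressed the token a few times idly: still inside window
    stale = server.verify(hotp(SECRET, 2))      # a code the window skipped is dead as well
    return {"first": first, "replay": replay, "skipped": skipped, "stale": stale}


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SECRET, c))
    print(sniff_and_replay_demo())
```

The verifier never accepts a counter value at or below the last accepted one, which is the whole replay defence; the look-ahead window is the usual trade-off for tokens that drift ahead of the server, and it must stay small because every value inside it is a valid code until used.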

  2. Password Safe by MaccaUK · · Score: 5, Interesting
    Funnily enough, the use of a password safe - an app that keeps track of multiple passwords, similar to Apple's Keychain - is available (even encouraged) in that blue company :-)

    Of course, it's kind of a single point of failure in terms of security, if you don't take into account the need to use a boot password and Windows login. Also, if your laptop dies... and you haven't backed up the password file...

  3. Long passwords by Masa · · Score: 4, Interesting

    "A new, more secure password policy has just taken effect and will be strictly enforced: 8 characters alphanumeric, changed *every 90 days*"

    So? In the company I'm working for, we have a policy that the password has to be at least 10 characters long, alphanumeric mixed case and it will change *every 30 days*. And the new password can't be the same as 10 last ones.

    I have solved the problem of memorizing these passwords by using source code as a password. For example: "printf("Hello, World!");" should be complex enough and it is relatively easy to remember.

    To your question: No, I don't know if the longer, more complex passwords are actually more secure / cost-efficient than shorter ones, because of the side effects caused by difficult-to-remember passwords. But at least this kind of policy prevents the most trivial dictionary attacks. It's a completely different story how else the security is taken care of (i.e. educating the personnel so there will not be any post-it notes lying around, and other forms of security, because it's all about layers).
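
Masa's policy (at least 10 characters, mixed case, 30-day rotation, not equal to any of the last 10) can only be enforced if the server keeps something about the old passwords. The following is an added example, not code from this thread or from Masa's employer: it keeps the history as per-entry salted PBKDF2 hashes, so the reuse check never needs an old plaintext, and runs Masa's own `printf("Hello, World!");` through it. The exact policy predicate (upper- and lower-case letters plus at least one non-letter), the history depth of 10 and the PBKDF2 round count are assumptions for the illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 10
HISTORY_DEPTH = 10
PBKDF2_ROUNDS = 20_000   # kept low so the demo runs quickly; use far more in production


def meets_policy(password: str) -> bool:
    """Assumed reading of 'at least 10 characters, alphanumeric mixed case':
    length, both letter cases, and at least one character that is not a letter."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalpha() for c in password))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of the last HISTORY_DEPTH passwords, stored only as
    (salt, PBKDF2 hash) pairs, oldest first."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries = []   # list of (salt, digest)

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def change(self, password: str) -> str:
        if not meets_policy(password):
            return "rejected: policy"
        if self.was_used(password):
            return "rejected: matches one of the last %d passwords" % self.depth
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-self.depth]   # keep only the newest `depth` entries
        return "ok"


def cycle_demo() -> list:
    """Set Masa's password, try to reuse it, then cycle through ten others
    and show that the original is accepted again once it leaves the window."""
    hist = PasswordHistory()
    first = 'printf("Hello, World!");'
    results = [hist.change(first), hist.change(first)]
    for i in range(HISTORY_DEPTH):
        hist.change('printf("Hello, World %d!");' % i)
    results.append(hist.change(first))
    return results


if __name__ == "__main__":
    print(cycle_demo())
```

The third result shows the limit of a history rule on its own: eleven quick changes bring the old password straight back, which is why such a rule is normally paired with a minimum password age. Storing hashes rather than plaintexts also means the check can only detect an exact repeat, not a near-repeat such as fuzzy1cat / fuzzy2cat.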

  4. Security D'ohLTs by paol · · Score: 4, Interesting

    Bruce Tognazzini has covered this kind of stupidity before.

    "I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.
    (...)
    My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!"

    Read it: http://asktog.com/columns/058SecurityD'ohlts.html. Better yet, have the people who are implementing this policy read it. Point out it's by one of the leading usability experts in the world. Odds are it won't change anything, but hey at least you tried...

  5. or you comply and store all passwords encrypted... by hankwang · · Score: 4, Interesting
    I have stored all my passwords encrypted, with a script to easily access them... The essential part is:
    #!/bin/sh
    # usage: pw PATTERN   -- shows the entries whose line starts with PATTERN
    : "${pwf:?set pwf to the password file path; the encrypted copy is pwf.gpg}"
    stty -echo                 # don't echo the master passphrase while it is typed
    read -r pw
    stty echo; echo
    printf '%s\n' "$pw" |
    gpg --no-secmem-warning --batch --decrypt --passphrase-fd 0 "$pwf.gpg" |
    perl -ne "if (/^$1/)"' { s|\[([^ ]+)\]|[\033[40;30m$1\033[0m]|; print; }' |
    less -r
    # "$1" in the double-quoted part is the script argument (the search pattern);
    # the single-quoted part is plain perl. gpg 2.1+ also needs --pinentry-mode loopback.
    The passwords are enclosed in [] and the script displays the password in "black-on-black", so that you can copy-paste it without anybody looking over your shoulders seeing it, or you remembering it.

    And the master password to this file hasn't ever changed... heh

  6. Re:passwords.... by BlueTooth · · Score: 4, Interesting

    I compartmentalize my passwords. And I rotate what password fits into any given compartment.

    So the compartments, from most to least secure:
    -root on a machine (different for every account)
    -user accounts (for the Windows and *NIX machines I log onto)
    -email systems
    -financial sites
    -shopping sites (i.e. that store credit cards)
    -forums, etc... (sites for which I assume the joe schmoe admin can see my password in cleartext)

    I generally rotate in a new password every year or two. So even if you r00t me, you still can't get into my bank account...for that you need to r00t my bank ;)
