Slashdot Mirror


Password Security Panned

museumpeace writes "Considering we just discussed passwords yesterday, it is an uncanny coincidence that Technology Review runs an article today in which Michael Schrage quotes a couple of security experts as being of the opinion that passwords are useless, with many negatives [the tougher rules only make them harder for users to remember, not harder for hackers to guess]. But Schrage's suggestion that passwords are a weak bandage where system security admins and developers need to institute deeper security mechanisms such as "suspicion engines" has problems too. Any hidden filter meant to compare traffic on your account against a profile of "normal" usage strikes me as both an invasion of privacy and a sure-fire way to multiply calls to the help desks when a false alarm tosses out a legitimate user."

2 of 387 comments

  1. Re:can you elaborate? by rackhamh · Score: 5, Interesting

    In order to compare current usage against "normal" usage, the system has to record what "normal" usage is.

    So, if you habitually browse armadillo porn, the system will know about it. And if you go a day *without* browsing armadillo porn, the system will think something's up and lock you out.

    But do you really want the system to record the fact that you browse armadillo porn?

  2. Re:Surely... by tdemark · Score: 5, Interesting

    My biggest beef with passwords is the myriad of different "rules" as to what makes a valid password at different sites.

    I have a few great passwords ... no one is going to get them short of brute forcing (or, God forbid, key logging). However, every site seems to have different (read: RIDICULOUS) parameters for passwords:

    - must not start with a number
    - must have both letters and numbers (symbols don't count)
    - can only be [a-z][A-Z][0-9]

    I would love to meet the asshats that come up with these randomly applied "rules" just so I could kick them squarely in the nuts.

    I used to only need two passwords for EVERYTHING (one "weak" password for discussion sites (e.g. Slashdot) and one "strong" password for the important stuff). Alas, that was too easy. Now I have to maintain around 10 passwords that, IMNSHO, are far weaker than the ones they replaced (not by my choice).

    For example, one large credit card company recently changed its password policy. Since my old password didn't "fit" in their new policy, they simply set it to something else without telling me. Mind you, the new password I had to choose is orders of magnitude easier to crack than the old password because they removed a number of possible characters.

    Which brings up a point, what's the point in LIMITING the characters that can be used in passwords? How horrible are these designers that their apps choke on '&Dkf*l,@a', but 'b4dp4ass' is OK? What could they be doing that would disallow a number as the first character?

    In closing, if you have anything to do with the authentication process of a website, before you start throwing on random rules for passwords, do us all a favor and DON'T.

    - Tony
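The comment above claims that removing allowed characters makes a password "orders of magnitude easier to crack". The following is an added example, not code from the post or from Slashdot, that puts numbers on that claim: it counts how many passwords of a given length a policy actually permits (and therefore how many an exhaustive guesser has to try) under the three rules the poster lists. The character classes are assumed: the 52 ASCII letters, 10 digits and the 32 `string.punctuation` symbols (space excluded), so "any printable" is 94 characters here.

```python
import math
import string

# Assumed character classes (Python's string constants; space deliberately excluded).
LETTERS = set(string.ascii_letters)      # 52
DIGITS = set(string.digits)              # 10
SYMBOLS = set(string.punctuation)        # 32
PRINTABLE = LETTERS | DIGITS | SYMBOLS   # 94


def _count(first, rest, length):
    """Number of strings whose first character comes from `first`
    and whose remaining length-1 characters come from `rest`."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return len(first) * len(rest) ** (length - 1)


def count_passwords(length, charset, no_leading_digit=False,
                    require_letter_and_digit=False):
    """Count the passwords of exactly `length` characters allowed by a policy.

    Rules modelled (the three from the comment):
      - charset: which characters are accepted at all
      - no_leading_digit: first character must not be a digit
      - require_letter_and_digit: at least one letter AND at least one digit
    """
    charset = set(charset)
    first = charset - DIGITS if no_leading_digit else charset
    rest = charset
    total = _count(first, rest, length)
    if not require_letter_and_digit:
        return total
    # Inclusion-exclusion: drop strings with no letter and strings with no
    # digit, then add back the strings with neither, which were dropped twice.
    no_letter = _count(first - LETTERS, rest - LETTERS, length)
    no_digit = _count(first - DIGITS, rest - DIGITS, length)
    neither = _count(first - LETTERS - DIGITS, rest - LETTERS - DIGITS, length)
    return total - no_letter - no_digit + neither


def entropy_bits(count):
    """Bits of entropy of a uniformly chosen password from a space of `count`."""
    return math.log2(count)


def compare_policies(length):
    """Keyspace size for each policy at a fixed length, most permissive first."""
    policies = {
        "any printable, no rules": dict(charset=PRINTABLE),
        "alphanumeric only": dict(charset=LETTERS | DIGITS),
        "alphanumeric, letters+digits required": dict(
            charset=LETTERS | DIGITS, require_letter_and_digit=True),
        "alphanumeric, letters+digits, no leading digit": dict(
            charset=LETTERS | DIGITS, require_letter_and_digit=True,
            no_leading_digit=True),
    }
    return {name: count_passwords(length, **kw) for name, kw in policies.items()}


if __name__ == "__main__":
    length = 8
    sizes = compare_policies(length)
    baseline = sizes["any printable, no rules"]
    for name, n in sizes.items():
        print(f"{name:50s} {n:22d}  {entropy_bits(n):5.1f} bits"
              f"  ({baseline / n:6.1f}x smaller than baseline)")
```

Running it for eight-character passwords shows the alphanumeric-only rule alone cuts the search space by a factor of about 30 relative to full printable ASCII, and the two extra rules shave it further, which is the effect the poster describes: every rule tells an attacker which candidates not to bother with, while the legitimate user gains nothing in memorability.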