Slashdot Mirror


MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing this more often."


  1. Excellent! by PedanticSpellingTrol · · Score: 5, Funny

    Now replacing my brute force wordlists with "He's dead, Jim", "In soviet russia, passphrases validate YOU" and "passwords are for old korean people" will allow root access to 90% of the internet.

    1. Re:Excellent! by jayloden · · Score: 2, Funny

      You forgot "My voice is my passport, verify me"

      -Jay

  2. In other news Microsoft is waaayy ahead of him... by rune2 · · Score: 1, Funny

    With all of the vulnerabilities and exploits in Windows who needs a password anyways? ;-)

  3. password vs. passphrase by CoolCash · · Score: 2, Funny

    So when the user creates their password it will be: "This is my passphrase" instead of "password"

    1. Re:password vs. passphrase by Anonymous Coward · · Score: 1, Funny
      No my passphrase is this:

      Microsoft sux0rs really bad!

      Which is just slightly harder to guess than "password".

  4. Only a few thousand years behind... by physicsphairy · · Score: 4, Funny

    And I quote, "Open Sesame!"

  5. My passphrase... by Noryungi · · Score: 4, Funny
    In many companies where I worked, for some kind of reason, my passphrase always ended up as:

    • [name_of_boss]isabloodyidiot


    or

    • whatabloodyidiot[name_of_boss]is


    Make of that what you want, but:

    • it's always accepted by whatever program is in charge of checking passwords
    • it's easy to remember, yet hard to crack (unless you know me and the bloody^W... er... boss...)
    • it always made me smile as this was the first thing I had to type in the morning


    Of course, I changed the password to something more politically correct before leaving the companies....
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  6. Re:Biometrics by Qzukk · · Score: 2, Funny

    Biometrics, on the other hand, requires that you only have your body present at the time!

    Or that someone else has your body present. Or just search google for jelly fingerprint to see how to duplicate other people's prints for fun and profit.

    Biometrics is bound to stick around for a while, but the fad will hopefully fade before all my bank and credit card accounts get tied to my fingerprint and I have to have new prints carved into my fingers to replace the ones that some identity thief lifted off the scanner.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  7. No one will ever break my password! by Nova+Express · · Score: 4, Funny
    It's the inscription on the One Ring, translated into Klingon, then rendered in l337! Three levels of Ubergeek encryption ensure maximum security!

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

    1. Re:No one will ever break my password! by Tenebrious1 · · Score: 3, Funny

      Crap... now I gotta go change all my passwords.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
  8. Auto-completion by sammyo · · Score: 1, Funny

    ba ding :-)

    1. Re:Auto-completion by craXORjack · · Score: 2, Funny

      Or since it is Microsoft we are talking about:
      [] Check this box to remember password

      --
      Liberals call everyone Nazis yet they are the closest thing to it.
  9. Re:Biometrics by ScrewMaster · · Score: 3, Funny

    because if you use a salted hash (chosen by the server)

    That's true ... when I stop by our local Denny's for breakfast I let the waitress decide whether I get corned or roast beef with my eggs.

    --
    The higher the technology, the sharper that two-edged sword.
  10. Re:Biometrics by DrMrLordX · · Score: 5, Funny

    You don't need to make gloves with someone else's fingerprints. All you need are gummy bears.

    Gummy Bears! Bouncing here and there and everywhere! Foiling security beyond compare! They are the Gummy Bearrrrrrrrrrrs.

  11. Re:One Question by ftgow · · Score: 1, Funny

    I'll stick my penis in a hole at the atm to take out 60 bucks, hell I usually pay someone ELSE 'quick cash' for the privilege.

    (just kidding, I'm a sexually frustrated computer nerd like the rest of you.)

  12. question by Anonymous Coward · · Score: 1, Funny

    Suppose I make fake finger prints of "Carrot Top" or some other annoying guy and then wear gloves and rob Fort Knox. While there I leave Carrot Top's fake finger prints all over everything.

    Will Carrot Top go to jail?

    1. Re:question by Anonymous Coward · · Score: 2, Funny

      > Will Carrot Top go to jail?

      Let's hope so!

  13. This fella will probably suffer for disclosing by melted · · Score: 2, Funny

    that he's an MS employee, because what he suggested is stupid. People's vocabularies are not that extensive, so passphrases are easier to crack than they seem.

    Multifactor auth is the only cure. I wish there was something available to implement it besides smartcards. Something that doesn't require a smart card reader and works everywhere, preferably something wireless within a few feet. You could do three-factor auth, even. This "something", pin code and biometric (fingerprint). That would be pretty darn cool.

  14. Re:Biometrics by darkpixel2k · · Score: 5, Funny

    Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

    Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  15. Re:Biometrics by darkpixel2k · · Score: 4, Funny

    Besides, it IS possible even today to change the pattern of blood vessels on the retina using lasers - this is done all the time to treat diabetic retinopathy.

    Good point, but anyone who wants to go through all that trouble is welcome to my slashdot account. ;)

    --
    There's no place like ::1 (I've completed my transition to IPv6)
  16. Re:Passphrases are MUCH easier by Anonymous Coward · · Score: 2, Funny

    Dude, you pretty much figured out how to sell this, you just didn't put two and two together... you need to spread it around that PASSWORD length = PENIS length. Make sure the hot chicks in accounting are informed.

  17. Re:Biometrics by Anonymous Coward · · Score: 5, Funny

    Indeed, that's all the security I need.

    Something I have... Smith and Wesson.

    Something I know... How to freaking shoot.

    Something I am... Bad MotherFucker.

  18. *gets notepad* by PsiPsiStar · · Score: 2, Funny

    Loftcrack, you said?

    Thanks. :)

    --

    ___
    It's the end of my comment as I know it and I feel fine.
  19. Re:Passphrases are MUCH easier by rolling_or_jaded · · Score: 2, Funny

    "You mean we're going to have to add an 's' to the end of 'http', do you really expect 100 people to change their bookmarks! They've been using those bookmarks all year!" Insight from other admins very welcome.

    Ummm... an HTTP redirect to the new HTTPS URL? :)

  20. Re:Biometrics by Anonymous Coward · · Score: 1, Funny

    Biometrics sounds good. We already know that people like to hop on to the Xerox machine and photocopy their butt. This could be promising.

  21. Typical Microsoft-style innovation by Dwonis · · Score: 2, Funny
    We have created a great innovation: the abolishment of passwords. In their place, we introduce the new Windows Active DRM Passphrases.NET XP (TM) web service.

    Patents pending.

  22. Gummy bears?!? by game+kid · · Score: 2, Funny

    You mean etching the fingerprints on those poor (but yummy) souls? My WTF-0-meter explodes at the very thought...

    --
    You can hold down the "B" button for continuous firing.
  23. I totally agree with them by RealBorg · · Score: 2, Funny

    using any passwords with Microsoft products is futile. Passphrases cannot change that. Use any system designed with security in mind if you care.