Slashdot Mirror
Enforcing Crytographically Strong Passwords
Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated password for the user to choose from. Two issues pointed with this concept, were Shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated password. A full summary of this discussion is available. Any thoughts from slashdotters?"
No-one will ever guess my super-secret password: GOD
To Terminate, or not to Terminate, that's the question - SCSIROB
We faced the same problem when generating random passwords for users and decided that the best method was to generate two short (4-6 characters) english words with a number at the end. This creates passwords such as swimeasy12, turnright62, sidedoor81, etc. These proved to be very easy to rememeber and we only had one complaint: A secretary had her random password set to fatgirl13 and was really not happy, even after we expained the random process.
Input error. Replace user and press any key to continue.
I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.
Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.
Yes, I have a suggestion. Don't force people to use stronger passwords. If they choose to use a weak one then when it is cracked, that'll be their fault. In either case, how many of us actually have to worry about someone breaking our passwords?
The whole point of passwords are to deter regular joe from from gaining access. Yet anyone with enough time and commitment can and will break any password or encryption method ever created.
I always use one word, or more shorter words cat together, or a word+number, and so on, but all of them written in l33t. This, combined with an occasional small/caps letters IMO is a good way. You avoid dictionary words, but still can think out stuff you can remember easily. Then again "easily" is not the same for everyone. My ones are usually quite scrambled pieces, but I never had trouble memorizing them (around 10 different, used for dozens of places, boxes, sites, servers, etc.).
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Stop posting my password on Slashdot, Zonk!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
you are a dipshit.
And that is to hire a bunch of Goons to threaten to break the users kneecaps if they don't , short of that nothing will change the way the average user will choose passwords. .
People like the easy life , and they hate passwords they can never remember(think they can never remember).
Pass-ages would be better like for example "This is Grettas house , it has 100 cats in it. They like milk and beer and when you stroke them they go "Meow"
Easy to remember , though a tad long
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Either use single sign on or an honest assessment of whether or not every f-ing application and web site in the intranet needs it's own f-ing password. Some things are just not so important that they need a password especially if they are already relatively safe within the corporate intranet.
To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.
Waltz, nymph, for quick jigs vex Bud.
I use password safe to keep all my passwords. I used to have password overload and ended up using the same password for tons of sites. I eventually came to the decision this was a really dumb idea and shopped around for a solution. Now I just use password safe to generate proper random passwords for all my web sites and accounts. All you have to remember is one master password.
The only problem is that it is not very portable in that if I am not on my own computer I don't have access to the password data base.
The bikini - security through obscurity since 1943
Did I just stumble out of my time machine and fall into the early 1980's. This is an example of just how bad the industry is at learning from itself, and how every app, OS, or system vendor believes they can learn nothing from the rest. Ive got 3 words for you. SET PASSWORD/GENERATE The SET PASSWORD example is as follows. $ SET PASS /GENERATE
Old password: YOUR_OLD_PASSWORD (actually not visible )
infrka
hewsed
iddege
saubcp
patlzu
Choose a password from this list, or press RETURN to get a new list
New password: patlzu (actually not visible )
Verification: patlzu (actually not visible )
$
For the more important stuff (like my credit card details) I use a random generated password 10 characters long, mixing normal letters, capitals and numbers. But if I had to use several of these, I would have to start writing them down (I am in my mid twenties, recently graduated from a medical school, so I like to think my memory is quite good).
:)
Forcing an average user to use a difficult random password is like asking them to write it down on their monitor (I've seen this done more often than I can remember - and don't forget my memory is good
Wouldn't a non-random but still difficult to guess password be more secure?
Using the method mentioned in the article (e.g. t7p4i0t1 for combining a phrase a and a number) is OK until you are forced to change the password too often. Was it "pearl in the river" and my birthay or was that last time and now it is "lorem ipsum dolor" and my wife's birthday?
Seems to me that forcing too secure passwords unto yours users is bound to be insecure in the end.
If you make passwords the users can't remember they will just write them down. If they're pronounceable that helps, but only so much. Lists like this help, but ultimately you just have to tell your users to use the best passwords they can and hope that's good enough. Making them use passwords too "secure" will hurt you more.
I am trolling
I concur...
Troll, yes (an excellent troll at that), but it's quite relevant.
I thought this discussion is long over. Everybode knows that there are two possible solutions to theis problem.
A) Either use a passsentence instead of just a word, most modern systems allow for rather long passwords. Since the sentence makes sense it is easy to remember. Since the sentence has many characters, it is pretty hard to crack with current tools. Dictionary tools may change this, put place a few strange names or made-up words in the sentence and you are much saver as any 8 char password today.
B) If stuck with old systems, I usually recommend the secretaries to write their passwords down. YES! Comparing the risk that one of the ~250 daily stupid attemps to guess passwords from random idiots succeeds is MUCH larger if people are told to remember their passwords. They'll automatically choose simple ones. I guess about two or three passwords in our own system per week. If they choose a very complicated passwd and write it down, then an attacker needs to be physically in the office to steel it. If the guy is physically in the secretaries office, he has no problem getting everywehere anyway and we have much bigger problems.
Cheers
KdenLive/PIAVE - non-linear video editing
AFAIK, the current thinking among those to have to enforce strict security is to use phrases
Most modern password systems allow an almost arbitrary length password, and randomly generated passwords are not working - people simply write them down in order to remember them.
Take a phrase that is meaningful to the user, say, 'My car is a red Ford' and add some simpleobfuscation 'My c@r is a red-F0rd!', and you have a phrase that is not only easy to remember, but is going to take a lot of effort to brute-force.
wtf
People can invent stories to go with even totally random strings of uncommon words, like what you get from http://www.diceware.com.
I keep wanting to write a variant on Diceware that builds grammatical sentences by taking a valid syntax and plugging in random verbs, nouns and adjectives in the right places.
I like to pick a pattern on the keyboard, and then use that, alternating shift. If you were to ask me what my password is, I really wouldnt know unless I'm sitting at the keyboard.
:LKPOI)(*890iopkl;
Now, this is NOT my password, but it may have been at some point, but for example
As you can see, that password would be difficult to guess and crack, since it contains number, symbols, upper and lower case, 18 characters, and has no dictionary words in it.
Try and type that password and you'll see how easy it is to remember.
Don't Tread on Me
Why not use a question-reply type system. You know like in all of the old spy movies.
Spy1: Can i borrow your car?
Spy2: Only on Mondays?
Spy1: What day is today?
Spy2: Tuesday.
You get the idea? Could be a conversation from a favourite scene from a film. How many nerds can recite entire scenes from monty python or the simpsons? Although they may be too obviousto other nerds.
1. Wasn't there a thread about two factor authentication replacing passwords a short while back?
2. Microsoft Research came up with an inkblot authentication scheme which appears to have solved this problem.
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
Mag strips!
Put 32 random bytes on a magstrip and hand it to your user. Oh but Tom, what if they lose the card or it's stolen? Yeah simple plan for that.
USER: "Yeah hello sysadmin? I lost my card."
ADMIN: "Ok. Your account has been temporarily deactivated please pick up a new card."
If you're a company/group/etc that is worried about security you can afford a keyboard with a magstrip reader (they're not that expensive).
Tom
Someday, I'll have a real sig.
This subject comes up a lot. It's been on /. in various forms in the past. In fact, I think I'll just cut n paste a previous comment of mine :)
----
I'm sure I'm not the only one who occassionally uses keyboard patterns for passwords. I'm not talking qwertyuiop or asdfg (obvious, no randomization/separation of key sequences) but things like !@()ZX>? or QW./>?wq
Hell, half the time I remember friend's phone numbers by the way you punch in the numbers. Sometimes when asked what a number is I'll even do the "phantom phone dial finger wiggle" so I can recite the damned thing.
Looking at the above example it appears to be a password which follows the "strong password" methodology but have there been any studies on the effectiveness of using such a method? I know there are dictionary-based attacks which have some of the obvious patterns (qwerty, poiuy etc) but is such a method random *enough* to be feasible?
It seems to me that it would be much easier to train users to use a muscle-memory-like password than picking some word out of their ass. The human brain has one seriously developed pattern recognition/matching capability... why not use it?
Do not taunt Happy-Fun Ball
My passwords are typically 10-12 characters (a-z,A-Z,0-9) long randomly generated strings. I don't learn or remember them in the sense that I could write them on paper or spell them out. Instead, my fingers learn them. Each password has a specific feel, rhythm or a sequence of finger movements to it and as long as I can remember which sequence belonged to which account, there's no problem.
The owls are not what they seem
To paraphrase: pick a simple phrase that is silly, such as "green fruit stink" or "toadies are easy". Further "...a longer passphrase of a limited character set is stronger than a shorter passphrase of a larger character set...".
Its secure, easy to remember and robust against dictionary attacks. Just takes a little longer to type. And if you are using old LM on NT where only the first 8 letters are used and this is useless, you deserve everything you get.
The current standard is to force users to regularly change their passwords.
I understand that this might help expose a compromised account - the person wrongfully using it would not know the new password.
But assuming the account has not yet been compromised, does it help at all?
I know that the requirements of my workplace that a password never be reused has led to me (and, I suspect, many others) just incrementing a number on the end.
This procedure is particularly annoying when our PR database has no passwords at all, and our main data repositry has a single password shared amongst all users.
You, yes you IT guy/gal, why do you not start solving this first?
isn't it about time we realize that if users do things like sequencing or recycling, the password is no more secure than if users were allowed to keep using the same original "secure" password to begin with?
Because people are always willing and able to report loss/theft the instant it happens it happens.
I use APG (http://www.adel.nursat.kz/apg/) to generate passwords that are fairly strong and easy to remember. You can decide for pronouncability (weaker) or more random characters (stronger) by command line switches. I highly recommend it.
I find that test/test works fine for my root login...
So yeah, if systems are used to generate passwords using words that use commonly used words, people are bound not to change those which gives better security all around.
more and more people use txt spk and have various codes for words e.g. ROTFLMAO, so why not put some of these in passwords?
the user knows what it is yet its gibberish looking at it and if you have secret text words between friends, even better (as long as said friend is not looking to hack your account)
Are there any projects / discussions regarding password expirations linked to password complexities?
If I chose a password of "random", the computer could reject it and now allow me to use it.
If I chose a password of "r4nd0m11" it may allow me to use it for a month due to it being complex.
If a chose a password of "1tst00b4dth4t1c4ntyp3l33tsp3aks0w311", it may allow me to use it for 3 months.
All of this could be controlled by a policy created/configured by the system administrator and could include things like:
- Does the password have letters and numbers
- Does the password contain non-numerical/alpha numbers (!@#$%^& etc)
- Does the password contain more than X characters
So on and so forth. Based on that criteria, it would then set the expiration on that password to the sysadmin configured timeframe.
Just a though.
I know this can't work in the comercial / industial enviroment. But for the general home user its fine...
My friend once had a problem that he was worried about having his car stolen (who doesn't) and instead of taking the normal security mesures, he did some weird ass electronics under the hood and rewired shit. Strangely enough to start his car he now takes the front of his radio and there is a button there. The key infact does nothing but unlock the doors.
Hes had quite a few people break into the car, but never once has anyone managed to drive it away =D
If only we could place this into our pcs somehow? A card we needed to plug in, a swipe card that works by being near the pc? Both of these could be stolen though.
Why not use the same system as pin numbers, enter it wrong 3 times and the machine shuts down, until you go and find that magic cd rom which is hidden in a locked box, with a REAL lock and REAL key?
Ok its an annoyance for the adverage user, but then they only need to remmber a fairly simple password, and 99% of the time it WONT be cracked in the first 3 attempts (i hope!). As long as it obeys the normal rules.
8 letters or more, numbers, blah blah
- http://www.milkme.co.uk
And users will write them on postit which will be on a monitor anyway...
One that hath name thou can not otter
The hardest obstacle in securing your network is the human factor. This book describes methods for dealing with the problem very efficiently:
x .html
http://bofhcam.org/co-larters/lart-reference/inde
My uncle runs a small medical company. I do most of their PC and Networking. After informing my uncle that his car make wasn't a good password, I informed him of using a random passwords for his transactions and records. He agreed and I went back in to fix a problem a few months later and found that file on his desktop. NOT_MY_COMPUTER_AND_INTERNET_PASSWORDS.txt I just looked at him thinking this was a joke. He said he couldn't remember all the random words and letter so now he just opened that up and copied and pasted what he needed. I thanked god my father was adopted into this family.
What I do for passwords is to sing a song lyric, and use the first letter of each word.
For example,
"When I was younger, so much younger than today,"
"I never needed anybody's help in any way"
wiwysmytt
Innahiaw
Mix in a couple leetspeak characters or other subsitutes, and its more or less random gibberish thats easy to remember. Sing the song in your head every time you type it in, and you can associate certain songs with certain systems, and then if you have your password expire, you can do another line from the song.
Its easy to remember songs.
They combine the power of using easy-to-remember phrases with compatability with most systems.
tp!nh2r!yt0tp
"this password is not hard to remember if you think of this phrase"
Weak passwords are a reality. In my current job, I've got eleven different systems that require a password. If you think I'm going to selct and memorize a cryptograhically correct password for each and every one of them every three months when the passwords are set to expire, you're insane.
The more important and sensitive systems get strong passwords. The web-based tool I use to diagnore hardware issues in equipment that isn't even online? It gets something easy to remember.
For non-technical users, the situation is worse. If you get too psychotic in your password policies, they're just going to write them down on a post-it they stick to the underside of their mousepad if they're bing circumspect, and right to the monitor if they're not.
If you're dumb enough to run a system so braindamaged that it allows brute-force attacks and so insecure that running a decrypt on a password file gives the bad guys the keys to your palace, you need a strong password policy. You will also deserve to be mocked when a soceng hack allows someone into the building to look closely at any monitors bearing post-it notes.
Password security is the last refuge of the incompetent sysadmin or web developer. Careful separation of user roles and discouraging escalation of priveleges is more important than someone using gpe~9u?bi4 as their password for this week.
SoupIsGood Food
I seem to remember from some old hacker's manual I read when I was younger, that a goverment agency did just what was told in the article.
The problem with the pronouncable passwords was, that with the given guidelines, there were only few million (or something like that) possible passwords, and the redudancy was so great that you could zip 'em all into a one nice 4MB tarball and cracking the passwords was very easy for hackers.
So while easy-to-pronounce passwords may be a good thing, the length of the password need to be increased significantly to compensate the narrowed-down search space needed.
http://codeandlife.com
In a lot of cases, cryptographically strong passwords are not really required.
It's always amused me that online access to my credit card account requires an unmemorable 8 digit number, a username and a password. However, the *worst* thing anyone gaining access to that account could do (apart from see how I've been spending my money) is to pay my bills for me. I really don't think much protection is required to stop people doing that.
Most of the things that I might reasonably want to protect are in my house. My house does not have cryptographically-strong access protection, it has a key someone could take and copy if they wished and a lock that could be picked. Several people other than myself have keys. It is also not immune to access via brute-force algorithms - and indeed someone did once manage to split the front door in two in the course of a burglary.
In most cases what is required are "reasonable" checks to make sure that unauthorised access is not trivial, "reasonable" deniability that the user is responsible for any loss arising from unauthorised access, and "reasonable" insurance to pay for the damage. Focusing simply on the first of these may obscure the issue.
Easy-to-crack passwords are probably the cause (at least initially) of most hackings, attacks, etc. Enforcing good, strong passwords doesn't just make sense in the sense of computers; it also makes sense in the business world.
Show this to your friends and family that don't know what a real hacker is
The best way to enforce good passwords are not to have any passwords. Use certificates instead. That way you only have to remember a single password (The one for the certificate).
The posting is steganographic. Dumb message, but still clever.
I still say that using one's spouse's name as the password is best.
If you think it's a weak policy for your organization, then your employees aren't changing their spouses fast enough....
One way for computer-generated strong password to be used is to have the computer generate maybe 5 - and have the user select the one he (ok - or she) finds most appealing.
For what it's worth, after you are assigned passwords on a few systems this way, it can be almost impossible to keep them straight in your head. If you're only dealing with users with accounts on one system - this isn't too bad.
Other options include things like (radius?)server systems - where you carry a dongle around which always spits out numbers every x seconds. The system maintains a similar, running count. What makes this system work is that these numbers are pseudo-random, with a good measure of randomness. When you login, you must also supply the number. Unless the device is stolen, your login can't be used.
Another option is through the use of programs like OPIE - One Time Passwords in Everything - a one-time password list can be generated for users. One a user uses a password, it gets crossed off the list, and the user goes to the next password. Even if the user is shoulder-surfed or the connection is sniffed, it doesn't help someone else get access to the account. Of course, the downside is if the list gets lost or left behind somewhere...
When banks hand out PIN codes to credit/debit cards here, they offer a piece of paper with a coloured matrix on it, each cell containing a different number and a different colour. You can then replace your very complicated four-digit number with a combination of colour and (relative) location.
The matrix would have to be more complicated to contain a bigger character table, but as long as it fits in your pocket, right? The trick is to make your helping system appear random, i.e. not just highlight the ones that make out your password, but for instance pick the ones that share a colour, in your mind.
Take off every 'ZIG' !!
Force users to remember password that are cryptographically strong? Impossible.
Having an 8 characters long password with letters was ok in 1995 or so, when computer power was unable to decrypt password by brute force.
Today, cryptographically strong means : with lower and upper case letters, with numbers and special characters, and long enough (at least 16 characters).
How the f*** do you want someone to remember that kind of password (I do, but I don't expect Joe User to do it).
The future is not in longer passwords or passphrases, but other cryptographic means.
The guys from the article should think of something else. The future is about biometrics or 256 bits keys embedded in small cards.
The password era is almost over dudes, let's get used to it.
OTP protocol ("One Time Password") use a dictionnary (from the S/Key protocol) to convert 64bit password into 6 pronounceable words.
This dictionnary could be a way of generating 64bits random password that could be easily remembered by your users by giving them this "6 words" version.
Anyway, always remember that your password may be "cryptographically strong" enough, but will never be "chocolatelly strong" enough...
A USB thumb drive key thing that goes into USB ports, which I believe most computers pretty much have.
Additionally, start building keyboards with biometric fingerprint pads you could use.
The USB thumb drive key thing would have a list of all of one's passwords. But to unlock it, it would not only require your fingerprints (biometrics), but it would also require let's say an 8 to 16 character typed password when attempting to unlock it.
This way, it's as simple as plugging the USB thumb drive key thing into the USB port, pushing down one's finger on the keyboard, then type in an 8 to 16 character password, and there you go.
TYPE-BORDER anyone?
Prosperity is only an instrument to be used, not a deity to be worshipped. Calvin Coolidge
Just use RSA SecurID and forget about it. Only problem is changing codes every thirty seconds is just too much time. I mean I can almost get all 20 numbers in just before it changes. Thats way too convenient.
UNIX: A set of Linux-like operating systems that grew out of an original version written by some guys at a phone company
Here's a little trick I've been using recently, I don't remember a password, I remember a phrase. Such as Ten and twenty blackbirds baked in a pie, boiled down to create 10&20bbb1@p. It looks pretty random to the average person, but a lot easier to remember than pure randomness.
Perhaps instead of offering people simply randomly generated numbers and letters, or even pronounceable versions thereof, why not offer a variety of phrases along with the resulting hash after filtering it through 'leet' speek?
By the way, I did not RTFA, so I apologize if this is -1 Redundant
bend like the reed
No wonder people write down their passwords on postit notes stuck on their monitors.
Engineering is the art of compromise.
Get a palm pilot and download a copy of YAPS (Yet Another Password Safe). Create a very strong password that you don't change. Nobody can snoop or keylog your login (without installing to it), because it is happening on a palm pilot. I recommend using a random series of letters that you can recreate by dragging the pen across the keyboard. My password is over 30 characters long, and enterable in about 2 seconds.
Keep all of your passwords in YAPS. Whenever you need to login, you can look back at YAPS. This not only goes for your corporate intranet, but also for everything from your Credit Card information (like who to call when lost) to your routing / checking account number. Now your passwords are far more secure than with a plaintext doc, and the unencrypted password never appears on your potentially compromised desktop machine. And all of your necessary data is at your fingertips.
The ______ Agenda
For stupid web sites and unimportant stuff, I use a standard set of passwords that are relatively simple and easy to remember, usually throwing in a random capital letter and/or number. But for financial stuff or very personal stuff, I use a slice password - that is, a password taken from the first letter of a 7-10 word phrase (or the second letter or whatever). I can then use some l33t translation, too, and capitals, etc. This is still very easy for ME to remember, but to anyone else would look totally random.
I am a bit curious about what kind of attacks we really have to worry about. I suppose it depends on who we work for: college personnel have to worry about students hacking in and changing their marks, hi-tech personnel have to worry about trade secrets being stolen, bank personnel have to worry about money. In all three cases, the attackers could well be highly skilled and highly motivated.
What I wonder about, and why I agree with you, is how much more protection a good password gives you. I thought dictionary attacks were effectively thwarted by permitting only three tries before locking an account. Given a random set of four letters, you get a certain number of possibilities. If those four letters are arranged as words, the number of possibilities is greatly reduced but it is still a very large number. The chances of someone hacking in before being detected (by lots of irate people complaining about being locked out) would seem to be quite small. I think that if I wanted access to a system, I would try a more fruitful approach.
As an SF fan I just make up some race.
ex: Kanarian
Then add a few touches to "alien it up a bit"
ex: !K@N@rI@n!
Then when I need to change the password, I just make up a member to the race, and do the same changes to it.
ex: !B@ThooS@n!
Fairly easy to remember, and doesn't matter if the names are stupid, nobody's supposed to see them anyway.
The U.S. really needs an English to Wisdom dictionary.
Complete and utter bullocks!
And because it's already rated so low (-1) I'm not even going to justify my reply any further than to say:
Yes, IAATM (ie. I am a Theoretical Mathematician)
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
Users gets a message suggesting that they change to a new password which you supply ...
This is somewhat easier than the usual exploit because you don't have to decrypt the results of the users' keyboard entries.
Simply do a letter-count to enforce minimum length, and use regexes to check that letter, numbers and puntuation are all present.
Kinda looks like .. um, goatse
I always recommend users consider a password comprised largely of profanity. This has proven to have several benefits: 1. It's makes passwords "sticky" and easier to remember, so you can make them arbitrarily long. It's easy for your password to be 1Mg\/\/v when it stands for "lick my gibbering whale vulva." 2. Because these passwords are potentially embarassing, users are much less likely to write them down in any conspicuous place (like the sticky note on the monitor). 3. An additional benefit of the embarassment factor, users are less likely to give their password out to others, thus protecting against social engineering attacks.
This generates strong passwords, and you don't have to remember or type them even once: http://passwordsafe.sourceforge.net/
Single sign on and single login are very important if you are going to attempt to enforce strong passwords. People will simply write their multiple strong passwords down along with helpful hints on what they are for.
The corollary of this is that if you do have single sign on and/or single login then you should be enforcing strong passwords as a weak password provides access to everything.
BTW, at the moment, the closest thing to single sign on is Kerberos.
Deleted
It works like this:This has been in VMS since the mid 80-ies. The sysadmin can also mandate SET PASS/GEN and set a maximum password lifetime (after which the user has to set a new password before logging in).
This concept could be easily modernized with non-alphabetical characters and longer passwords.
)9TSS
1) Let the choose their own.
2) Have them enter it into an asterisk-only field to protect from shoulder surfing.
3) If it fails your automated security test (dictionary attack, etc..) pop up dialogue telling them that the password is not secure enough (and why) and then go back to step 1).
I don't agree with the people saying 'let the user choose an insecure password then blame them if it gets cracked'. Whilst that approach my appeal to bad-tempered, lazy sysadmins, to those of us who take pride in our work, it's obvious that such an approach is of no use when the single 'incompetant' user has significant data or access rights in their account.
You guys should be _greatful_ that most people aren't IT professionals. It's what keeps you in work. As IT professionals it's our job to make it easy for our users to use the systems we run in a secure way.
I used to work in a military environment wher people were serious about computer security. The administrators there were forbidden to enable password expiry, because it was deemed to promote unsafe practices instead of secure ones.
Oh well, in some places there's now way getting around having to manage multiple passwords. I keep a password file for my private accounts, but I keep it in a 'password safe' on my PDA. It's not completely safe, but hard enough to thwart all but the most determined hackers, and certainly better than a plaintext file on the computer or a sticky note in a desk drawer.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
I swear, there's got to be a web comic for every situation: http://www.galactanet.com/comic/284.htm
http://www.balorn.net/
?
...issues pointed with this concept, were Shoulder surfing and the...
Can people PLEASE start checking their shit for grammatical correctness? Hell, even the editors should catch that one!
Let a machine within your premisses generate and issue certificates every so much time. Stop bothering people with these tasks. When more than one person needs to work on a certain machine then issue a certificate on a chip card and have people renew them once per xxx time by having them insert that card in a special issuer machine(s).
That's such a good idea, it's already been done. One example is:
Password Helper
Use the Password Helper panel to pick a secure password.
From mac os X 10.4.
"Cryptographically strong" refers to properties of functions (usually one-way functions) and makes a statement about how difficult certain computations involving them; it has nothing to do with the quality of passwords.
You can try to force users to use "strong passwords" or "good passwords", but passwords can't be "cryptographically strong".
Okay. I'm a Security Engineer by day. I've seen a lot of ways to come up with strong passwords, but one of my favorite methods to come up with relatively strong passwords that are unlikely to be shared. Try the following algorithm...
;-)
1. Come up with a phrase that is meaningful only to you -- not a quote from a book or movie. For example, lets say that your first dog's name was Samael and that you have never told anyone that you thought Samael was a reincarnation the infamous hell-hound Kerberos. Yes, he was a bastard!
2. So a sample phrase might be:
"Samael, Vigilant Guardian of the Gates of Hell"
Take the first character of each word.
'svgotgoh'
Not a bad start. You have eight characters there.
3. Now you want to make sure that you never share this password with anyone, or if you do it should look sufficiently random that they couldn't remember it after using it once. Only you remember it because you have the generating phrase.
How do we do that? Take the previous phrase and make it obscene nonsense. That means introduce some strange and fantastically improbable obscene twist to it. Something that you would never tell your friend or cubemate. Try this on for size.
"Samael, Vigilant Guardian F***s Me Silly At The Gates of Hell!"
That gives us:
SVGFMSATGOH, an 11 character passphrase, much better.
4. Okay, so I used all caps there for a reason. Feel free to intermix capitals, that will increase entropy by selecting from a larger character set. Come up with an easy rule like capitalizing the first letter in the subject and object of the sentence. So 'S' in Samael and the the 'F' from, well, this is a family geek site
That leaves us with 'SvgFmsatgoh'. Looking pretty entropic.
5. Feel free to add entropy by including special symbols in your password. An easy way to do that is to convert the obvious characters to hacker symbols. 5's for S's. 0's for O's. etc...
5vgFmsatg0h
6. Now you have a damnned fine password of relatively high entropy. '5vgFmsatg0h'
Please, please don't use this example password on your site. Everyone who reads Slashdot may try it.
7. Do a sanity check on your password. Avoid strings of words that begin with the same character. Avoid obvious patterns like abcdefghi etc.
8. A real problem with most institutions these days is that they force you to change your password every 30 days. Good for security, but bad for passwords. Many don't allow you to recycle the last ten passwords or use a password sufficiently like the previous one (or ten).
So after designing a really nice password like this you are forced to toss it after 30 days. What's a good geek to do?
I'd come up with a high-quality password like this and only use it as a 'passphrase'. Something that protects your SSH keys or the contents of your flash drive.
9. I'm a big proponent of SSH RSA/DH login instead of anything that uses passwords anymore. Passwords suck. Use the above algorithm as a passphrase that encrypts your flash drive collection of private ssh keys. Use ssh-agent.
10. If you must use passwords, have a little proggy on your flash drive that generates relatively secure ones quickly and easily. Something like . It's not great, but then I believe I said passwords suck.
Good Luck.
This tape will self-destruct in 5 seconds.
This entire discussion is somewhat moot because it's like trying to figure out the meaning of life. Everyone has different ideas on it, and none is truly "right", but many are right for that person at that particular time.
This reminds me of an episode of Get Smart years ago. Agent 99 was locking herself into her apartment because a Kaos agent had chased her home. She locked this column of strong deadbolts running up and down the length of the door. The Kaos agent proceeded to punch through the wall next to the door and get right in.
The point is, many, if not most, of the major 'hacks' you hear about on the news are not the result of some magic password-cracking algorithim or some super-programmer's deep knowledge of low-level machine language that enabled him to get in. It's usually something simple like a disgruntled employee accepting some cash (there aren't any disgruntled, underpaid network admins out there, are there??) for his or someone else's password, or some other 'side door'.
If your data is so important that you're going to make it so diffucult for all your users to remember some ridiculous password for every task they do at work, then your data is worth some hacker finding some other, easier way in--just as the Kaos agent did. --timmy
"...use a passsentence instead of just a word..."
I propose a library which automatically selects a pass-sentence randomly from an unreferenced disk sector. The calling program presents this sentence to the user and gets him/her/it to type the first character of each word of the sentence. If he/she/it gets it right, that is their new password, and the program calls erase_sentence() to overwrite the sentence in the unreferenced disk sector with zeroes.
int find_sentence() : Read a random sentence on the unreferenced sectors and return a handle to that sentence.
char * get_sentence(int handle) : Return the null-terminated sentence from the given handle.
void erase_sentence(int handle) : Overwrite and erase the sentence on the unreferenced sector.
Once more unto the breach, dear friends, once more, Or close the wall up with our American dead!
Most people are used to remembering phone numbers.
It's ralatively to remember a name. An imaginary person with an imaginary phone number then makes for a long, easy to remember password. If a portion of the name or number is chosen in a way that relates to something memorable about the account, then it's pretty easy to remember.
For example. Say you want to remember the password for your commodities trading account. Back when you were a kid you rode a school bus. The bus driver always smelled like bacon. Her name was Shirley. She was also a somewhat superstitious fundamentalist Christian with a nice figure. Your password becomes ShirleyBus4428360666.
Easy to remember. Related to the account. Yes, it's four dictionary terms but it's still gonna take a machine a long time to guess as the machine will have no context.
uraf8b8tch
READY.
PRINT ""+-0
I can't see why cryptographers and security experts attempts, again and again, to higher the number of significant bits per character in passwords for humans, while human language naturally has a high redundancy. Why force people to remember random garbage like /56Ss4.,&XXy when they will just write it down? Why not allow humans to use human language?
/56Ss4.,&XXy.
If I remember correctly, human language has about two bits of information per character at average. So if you want a cryptographically strong 128bit password, just enforce a 64 character long human passphrase, with no limitations on used charcters or whatever. I bet people will come up with and remember such passphrases much more easily than e.g.
--The knowledge that you are an idiot, is what distinguishes you from one.
this way the password gets quite long, making it harder to bruteforce crack it without much arder to remember.
for my customers i like to add the postal code behind one or two dictionart words, often combined with a _ i.e. londonberry_14253 - it's at least more secure than the usual year (i.e. londonberry2005)
furthermore i have a 3-level passwor system:
level one - a password for forums and other unimportant sites. if i have to tell it to someone - no problem, nothing to hide there..
level two - a password for servers and other important logins but which i have to share in emergencies ("please soft reboot the server, root pw is..") - it's fairly complicated
level three - a password for banking, credit cards etc. i will never ever give away. wha is important is, that i don't protect a level two site with the level one password, compromising it..
PAT
SEO Test: TIGI und SEBASTIAN - Online Shop - V
Studies have shown that when you FORCE joe user to use a random alpha numeric with special charachters password and in some places change it every 90 days requiring that it be different by 3 charachters you get the following.
1. Stickies with passwords attached to monitors, underneath keyboards ect...
2. The SAME password used everywhere (web, work..ect..).
Passwords have finally reached the end of their life. Smart Cards, SecurID's....biometric are a MUCH better choice.
I find a usefull utility is Xyxxy http://www.haxial.com/products/xyzzy/. It produces passwords which are fairly random yet are somewhat still pronouncable, making them easier to remember. This isn't the only utility to do this (there are numerous for linux), and there has apparently been some research into using such techniques. Xyxxy is just the program I know.
maybe taken from a comedy, or a series of names of people in a certain order, or perhaps a quotation from a movie.
.2 eurocents
of course this won't have to be repeated every few minutes, but could work as a "master password" to unlock all the other password a user need.
in cases where only short passwords can be used, let the computer chose one, and save it into the password keyring.
just my
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
Passwords are still useful. What is absolutely required though, is to detect and block brute force attempts.
/etc/passwd (or equivalent) file, but its been that way for a long long time.
Yes, computers are fast enough to geuss 10 million combinations within minutes and break into your system. Thats why you cannot let somebody make more than a few geusses without locking them out. Don't let somebody keep hammering away with geusses.
You're screwed if they get your
This is dumb. You submitted a story of a mailing list thread started by a cocky newb with an attitude who knows nothing about security or system administration, and who has suggested a scheme to secure a system? And that suggestion has fundamental flaws? And the editors actually accepted it?
I have a list of 500 adjectives & another list of 500 nouns. I randomly grab an adjective and a noun and slap a 2-digit number in between them. The result looks like this: "blue48fish".
Assuming that somebody knew a valid username AND that they knew all of the adjectives/nouns in my lists, they would still have 25 million combinations to wade through. Using a 3-4 digit number would provide increased complexity.
The end result is a fairly memorable (and sometimes quite comical) password (for instance "hot69pants" was one of my faviorites!).
If you have a process that locks an account when it is not logged into sucessfully more than n times.
...) We are not supposed to use words in the dictionary, because even if we put @ for a - leet dictionaries have this combination. Insert numbers. No use two words combined with a number. No use the first letter from each word in a pass phrase...
The arguement for having strong passwords almost always goes: "There are 200,000 words in the english language. A computer can test all of those words within seconds: Therefore it is necessary to have strong passwords."
Then we get recommendations on how to make a password secure (and yet, it's not to use a secure ID token with it). To avoid a brute force attack make the minimum size of passwords over 7. (No, wait, computers are now faster - make that over 8, 9, 10,
I'll Pass. My users get locked out for 15 minutes if they do not log in correctly three times within a few minutes. Now instead of being able to check all the words in the english language in minutes, it takes only. ((200,000 / 3) * 15 minutes * 1/60* 1/24 ~= 694 days. Have fun;)
Disclaimer: This is not true for the Admin account, which cannot be locked out.
I work for a large ISP, and if I log into one of our authentication servers and run something like this:
...to get our top 100 passwords, you tend to find that the most popular password (letmein) is used by about 5% of the users.
SELECT COUNT(*) AS numof, password FROM users GROUP BY password ORDER BY numof DESC LIMIT 100
The rest of the top 100 are mostly kids or pets names or soccer teams. The most prominent are ones like 'harry', 'katie', 'arsenal', 'david' or, one of the all-time l8m3r passwords like 'computer' or 'internet'.
Like tinyurl, but one letter less! http://qurl.co.uk/
If people could use sentences instead of words, dictionary attacks would become obsolete.
Like with PGP.
Just require a minimum number of blanks and a minimum number of characters to assure that a sentence-like construction is being used.
Put a whatever password in the usual /etc/shadow. Usually a weak but easy to remember one.
When this password is accepted, put the user to a strong quarantine jail with a sh environment that can only be used to enter a second layer passphrase or any other custom authentication method.
The second layer authentication can be a long but easy to remember phrase, enforced using a simple custom shell script. I myself am using interactive methods which is even stronger: even if my ssh line is cracked, the password is not leaked.
Until this article got posted on ./, that is.
Ladies and gentlemen, buckle your seatbelts. The signal to noice ratio will be soon be approaching zero.
What about using RSA Securid?
http://www.rsasecurity.com/node.asp?id=1157
Then the first half of your password can be whatever, but the second half always changes. Plus I think I even saw tokens that were also calculators. They also have USB Authenticators as well. Granted, this would not work for some companies, but for many it would be fine.It could even work if you have to have a vendor go into your system to look at something. You could keept that signon's fob and when they need access you call and have them log in while your on the phone.
Password security is never easy to enforce. It's even worse in some industries. The VENDORS IDIOTIC programmers make thier programs have a default password or thier stuff does not work! In some places of business, the IT department does not have the choice in the system that is purchased. We may have a hand in it, but if the majority of the comittee is not IT and they all like it, your stuck.
Gorkman
"Rather than insisting on a long password from the user, programs that ask for passwords should increase the amount of work the computer has to do to check whether a password is correct."
Beginner's Guide to Computer Security
http://www.millstream.com/secure.html
Just add more rounds to the password file encryption algorithm until it takes the required amount of time to test a password.
Level 1 is a short, meaningless, alphanumeric, never changed, applied to 100's of internet sites (e.g. (but not) sivckhd3e)
Level 2 is a mneumonic, changed about once a year, based on a phrase from a book I've read recently, applied to around 5 accounts, including work (e.g. (but not) sygigh1 - "screw you guys, I'm going home")
Level 3 is a mneumonic based on a really long phrase that contains meaningful dates etc. Applied to no more than 2 accounts. (e.g. (but not) asistht8pmtwbjf "and so I said to her, Thursday? 8pm? That would be just fine")
Difficult to dictionary attack. Managable.There's been a PAM module around for ages that generates a set of random passwords to pick from, each containing pronounceable components. The idea being it's still pretty random, but easier to remember.
:)
sorta like OwaTagooSiam02
but that would not be a good choice
As other posters say, I think that security books for years have said password rotation just forces users to pick insecure passwords.
Better would be to have one really good one and don't rotate it much/ever.
I've been involved in hundreds of password management system
..."
t ml
deployments, so perhaps I can make some helpful observations:
* Users who are required to comply with a strong password
policy, and must change their password often, will sometimes
be unable to think of a new, compliant password, and will
appreciate the random passwords offered.
* Randomly-generated passwords should be pronounceable, to help
users remember them. Otherwise, you're just asking for sticky notes.
* There are good random number generators in all modern OSes.
These take entropy inputs from the network, keyboard, etc. and
are basically impossible to defeat. "Randomness" is not a
realistic problem.
* If users will have to choose strong passwords, and to change their
passwords often (all good things), then the requirements should
be clearly communicated, both ahead of time and when the user
must choose a password. Don't tell the user "pick a hard to guess
password" -- tell him "pick a password with minimum N chars,
including letters, digits and punctuation marks, mixed case, that
is not derived from a dictionary word or an old password,
* Do require periodic password changes -- this is your only defence
against compromised passwords and weak password stores.
* You can see some of these features here (Flash demo):
http://psynch.com/overview/presentation-demo/04.h
Cheers,
-- Idan
I've been very busy recently installing smart card based single sign on at various companies. You have to remember one password, to open your smartcard. This can be combined with a biometric if you like. The smart card stores and manages all the rest of your passwords, which can be randomized if you like. So users don't even know their passwords, and the passwords are truely random gibberish. Storing the passwords on the smart card gives extra security.
Lasers Controlled Games!
I create all my passwords by hashing a master password with the name of the site I log into. The hash is something that I can count on my fingers, and I have a few variations so that I can produce a password with or without numbers, special characters, and case. This way I can remember any password, yet they are all different, and they are all mostly random.
Example: Select a master password of "foobar" then log in to Slashdot. Maybe you would take foobar, interleave the letters of Slashdot, then add the number of vowels to get: fSoloabsahrdot2.
If it is something I log onto often, I memorize it. If it is something rare, then I may have to sit there for a moment and figure it out.
Actually, YAATMWOASH :))
(You Are A Theoretical Mathematician Without a Sense Of Humour
This is a great way to make the users write down their passwords in plain text.
Realistically, one can expect users to have more than one password that they need to remember these days, and they're either going to want to passwords that are easy to remember, or even use the same password for each one.
In short; this idea won't work. I much rather prefer the idea of using very long passwords that make out phrases or sentences, such as: "This is my super-secret passphrase for logging on to Slashdot".
My former boss had a neat password system he had developed himself...
:)
The login app displays a screenful of 2-digit numbers, organized in a kind of table. The table changes each time in a random fashion. Your password consists of 6 numbers, not quite arbitrary. You find column containing to the first two, row containing the second two, then the number at cross-section of the row and column, modulo-add the third number and some kind of digest of current date, then enter the result.
2-digit password isn't really strong when it comes to brute-forcing, but with basic blocking mechanism (i.e. 15 minutes after 3 failures) it still would take days to crack. And of course implementation that would be much harder to crack, based on similar idea is possible. Shoulder-looking is useless, because the number you enter is different each time. It would be awfully hard to recover the "source digit" given a number of screens and associated keystrokes - if you would be able to remember the screens in the first place...
The idea isn't all that novel - target system sends a random crypto challenge to the source system, the source system decrypts it and sends the decrypted result back. Intercepting the communication is pretty much worthless. The novel part is that the decrypting system is our own brain
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
That they will get hacked and their lives will be ruined unless they choose good passwords. And, if they choose a bad one, break it, fakely ruin their life so they understand the seriousness of it. Done. It won't ever happen again.
The Cryptography Forum is new and needs help
That goes without saying, right?
Let's face it, 99% of the time when one requires a strong password, the device used to access is a near-constant. I never access my corporate network except from my laptop - period. I never access resources on that network that require a password without already having logged in off said laptop.
So, just authenticate the HARDWARE and the USER once, then ping the hardware for its continued presence. After all, your laptop is a pretty damn big token to misplace - and you are going to be beating on your IT department the nanosecond it's stolen anyway.
I generally advise people to use mnemonic passwords, mixing numbers for letters and never consisting of a complete word within the password. Additionally, setup a theme for the mnemonics used based on the category of server. Of course you can't 'publish' what that theme would be either.
Example
Theme is Led Zeppelin song lyrics for a tier of servers
There's a lady who's sure all that glitters is gold
becomes +4lw5a+gig
All the user has to do is come up with their own system of transposing characters for letters and maybe mixing case as well, say, all vowels are capitalized.
For instance, I'd remember the word alphanumerics as a password, but use a password like @lph@num3r!cs. This is not uncrackable, but dictionary style pw searching is not going to find it.
There are alternative solutions to the unauthorized user problem, starting with turnkey systems which embed cryptographically impeccable digital keys in cd's, dongles and flash memory. Sheesh! How long does it take before the glaze over normal users' eyes causes someone to notice there's a different way to fry this popsicle stick??!
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
if you were a fish, the hook would be through your nose by now.
..is that it's a terrible model to support when it comes to randomly-challenged humans. The move needs to be away from passwords (especially randomly-generated) and towards passphrases -- still randomly generated, but using pronouncable/easily remembered combinations of words in the user's native language. (Diceware has some good background on the why passphrases are more secure than passwords.)
Before spouting off why you think (erroneously) that "easily-remembered" passphrases can't possibly be more secure than randomly-generated passwords, please read the FAQs at the Diceware site first.
Password management is like the spam problem: it's too complicated to come up with a solution that works because there are, unfortunately, humans involved.
The only "policy" I know of that stands any chance of working in the long term is NOT TO HAVE PASSWORDS.
Far too many systems demand passwords when they don't need them. All applications should be written that assume authentication is managed elsewhere - and only fall back to "local" authentication if the environment they're in doesn't have such a system.
OK maybe this is just summed up by "single sign on" but it's a bit more than that - a shift in attitude perhaps.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Here's a Python script for generating passwords from pseudo-words that sound like real words plus random digits.
Fairly easy to remember and not vulnerable to dictionary cracks.
I find completely random passwords easier to remember than those based on something. If there is nothing in my brain associated with 56vam%20#@Ee aside from it being my password, it is much easier to remember than if my password were "Scruffy"
That's just me, though
They can be written down.
The same password can be used on a secure system, and some trojan web site.
They can be collected with keyloggers.
They can be told to other people.
They are less memorable, which means more password resets. Password resets will always be a weak point in the system.
For high security AND a large number of users, you HAVE to have two factor authentication.
I heard many people complaining about password being stupid but the stupid here is the system that lets somebody try to enter the password more than 5 times.
How about debit card PINs? They are only 4 digits... They seem to be adequately secure.
NO SYSTEM SHOULD ALLOW ANYONE TO TRY TO ENTER A PASSWORD MORE THAN 5 TIMES.
Problem solved!
"It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
At work I have, literally, dozens of passwords, all required to be unique. This one has to be six characters. This one has to be eight. This one has to be greater than eight. A random mash of letters I can remember, invulnerable to any meaningful attack? NOPE, sorry, we need a number and a symbol. Within the first four characters. This is stupid, stupid, shit. I remember some, and others need to be reset constantly. Others? Well, they remember what they can and write down the rest. It's really, really, dumb. Asinine password schemes anger me to no end. If all my passwords were randomly generated, I would simply have a big list of all my passwords. Make the consequences for doing that dire enough, and I would simply never remember a password past a couple of days. Such stupid shit.
Never, repeat NEVER post your password on
:-)
a sticky note next to your monitor !!!!!
Put it under the keyboard where it belongs
Two years ago I coadministered the Linux boxes in our faculty. :-)
Once my boss changed root passwords to a sequence he remembered from a Windows serial code he used often.
I and the webmaster (who mantained Apache and MySQL by himself) cursed him badly those days
Got Pike?
Strong passwords will be a necessary evil for the forseeable future. How many phones, public/coffee terminals, and home computers have biometric authentication gadgets? How many of these gimicks work together? My users need the ability to access nearly everything on our systems, from anywhere. This includes our WAP portal, email from their phone, our various web-apps, SSH/terminal servers, and their IMAP/SMTP email clients. How many of these systems could even possibly function with anything but passwords. Take the IMAP/SMTP system for example, how would you tie biometic authentication into standard SMTP AUTH? How about a web app - how is a fingerprint entered there? Or consider our WAP gateway, how are users going to enter a fingerprint on their phones?
We cant just mandate users access our systems from "approved" sources - that flys in the face of what management is asking for: A system accessible anywhere, with reasonable security percautions in effect.
Though centralized authentiation schemes like LDAP are working well for us, "legacy systems" (ie: accounting, payroll, and factory/inventory management) dont integrate with central authentication systems. Meaning that's yet another password to remember...
With users accessing our systems from so many sources, strong and frequently changed (90-180 days) passwords are a necessity. Though they need the ability to save them:
1) How important is the data in your wallet/purse. Why not just write the passwords down, store them in your wallet/purse, and then manage that. After-all, if your wallet/purse has been stolen or rumaged through, there's a good chance you'll know.
2) Consider this two-factor authentication system:
Something you have: cell phone
Something you know: password to program
How many folks now have MIDP/Java enabled phones. Why not provide them with an app to securely save their passwords on their phone? With a tool like FreeSafe They could not only store all their passwords on their cell phone, they can generate both random new passwords, and One Time Password hashes.
Now if FreeSafe could only store notes, and have some sort of backup capability (which the developer says he's working on)...
that I saw the best combination of user utility and strength:
Have a short physical list of pw-useable characters in your wallet, and letters of the alphabet as a xref.
So when you log onto your work computer you can use "workcomp" as your password, but xref'd it comes out as $1efG3h4.
And if someone finds your list, it doesn't get them anywhere unless they know what systems you're on and then guess the pw's anyway.
-Styopa
I can memorize a 20 digit hex password in three minutes. I have a ph.. pho.. phot.. dang. some kind of memory.
Note: I'm the project's admin on SourceForge.
Ubi dubium ibi libertas: Where there is doubt, there is freedom.
One thing that I've started doing is using having users figure out a real world hash for what they would normally write. That way, they can just use something they -will- remember, and then mentally encrypt it with a methodology they can also remember. So for example, take the password you would type on a qwerty keyboard, and instead, type it as you would in Dvorak. I think I stole this idea from Blake Ross' crypto research, though. If the biggest problem is network hackers, shouldn't it be possible to have computers develop their own hashing methodologies so that users don't have to rack their brains trying to think of something convoluted? Second method: Wasn't there a slashdot story a while ago on using phrases rather than single words? Password: "Let me in, you idiot!"
G4fhub1 <-- My acronym password taken from a famous sci-fi horror movie starring Sigourney Weaver.
Or how about this Charlemagne?
Lm4b7r47747bf75
Now that I think about it... isn't the real reason for poor passwords, the poor imagination of the users?
Any thoughts from slashdotters?
Sorry, no.Here is a description of how to guess pronouncable passwords. http://www.cs.stevens.edu/~mdemare/docs/passwdV2.p df
-Mike
If you want to generate cryptographically strong passwords, see http://www.diceware.com/,
How would/could I use two-way security for a web-based application?
The only thing I can think of is to do something fancy and painful with javascript... any ideas?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Use a mnemonic phrase--it will be as strong as a random password and a lot more memorable. See
The problem isn't any 1 single password, it is the dozens and dozens people have to remember. I alone have about 7 at work alone, and god knows how many online ones. You try to keep these secure, but when there are that many it's almost inevidable that you'll resort to something to simplify matters.
Do not use the name of a friend or relative as your password, unless their name contains non-alphanumeric characters.
English is easier said than done.
I think this was something Mitnik suggested not sure. I've used it and it seems pretty good.
Just randomly pick alternating consanants and vowels. You end up with passwords like "kebilo" or "modawil". Wile this seems stupid and no one likes a random password, it also produces a pronouncable "word", which is much easier to remember than random garbage.
What bothers me these days is that people do not realize that passphrases are indeed simply easier to memorize and more secure. Why is everyone using a mnemonic sentence to remember some cryptic string of characters? This is not more secure than the mnemonic itself! And don't go arguing that you could easily make a dictionary program to try and crack it either. There are easily more than 500,000 words in the English dictionary. This makes any particular word more time consuming to guess than any of the 100 some characters you can choose from on a keyboard. Unless your system has a relatively short password length, and I know for some of you it does, there is no reason to be doing it the other way.
s es+password+%2Bsecure&btnG=Search
obligatory google link: http://www.google.com/search?hl=en&lr=&q=passphra
Non sequitur: Your facts are uncoordinated.
After 20 years of working around this problem, and we still have not figured it out yet.
Any cryptosystem that depends on the human ability to remember multiple passwords consisting of more than 8 random characters is broken. It's about time we realized this and moved on to thinking about alternatives.
I teach this method to students, and then I run john the ripper on the results. I found one of two results -- either they completely ignored my teachings and came up with passswords like '123456', or I didn't guess their passwords in days of running ripper.
I think that forcing 'safe' passwords on people is a bad idea.. this problem was addressed on slashdot a couple of years ago, and what they found was that 'random' passwords usually resulted in people writing down their passwords and keeping them in places like their wallets or taped to their keyboard (!).
Far better is to periodically run a password checker on people's accounts.. If you find a password, change their password, and/or send them an email telling them that their password has been guessed, and they need to come up with something secure (and somp pointers to ideas on how to create a 'good' password).
Sooner or later, they'll come up with a password that at least you can't guess, which is as good a heuristic I can come up with.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Personally, I think they should make their password more difficult depending on their location. If they are at work, using a work computer with a lot of data stored, they are probably going to want a password of random numbers and letters all mixed into each other. But the fact of the matter is that a lot of people actually do this... but either A) Forget the password or B) Leave the password on a Post It note somewhere near by so that they can physically access it (when not all hackers have to remotely access the computer). The reason for this is that it is much more of a threat if they lose their files and they would be more of a target. But for home users, they shouldn't really have to worry as much, unless they carry a mass amount of important data on their computers (such as a programmer and his shell scripts and source codes). They are much less of a target, especially if no one knows them. This is not to say that they should make an easy one word password, because they shouldn't, but they should not need a encrypted password... some type of alphanumeric password would suffice.
"Instant gratification takes too long." - Carrie Fisher
Instead of randomly producing strings of "245o2nroh4ijio2s" for users to remember as passwords (which all they'll do is write on the bottom of their keyboard, or on a post-it note stuck to the side of their monitor, or tattooed on their butt), why not produce passphrases that are complete sentences, produced by random, but nonetheless complete, that make some amount of sense. For example, a passphrase might be something like, "Joe's girlfriend screwed Joe's friend Bob." Now who in the "F" word is going to guess a password like that? It contains only letters, true, but it is long enough that it will take approximately n! computations to figure it out. If you'd like, you can make a passphrase like, "fuc|{ thoze damm y4nk33z, muthufucku!!!1111" or "Thoze RAIDERS r tha suxx0rzzzzzz!!!!!11111" That wouldn't be too difficult to remember, and if would survive any dictionary attack.
I'm not sure how well this would work out in practice, but, if the ToS stipulate that you waive any right to a lawsuit if you don't choose a proper password would probably get the attention of those who refuse to memorize a good one real quick.
We need someone like M$ to build a hook into the OS to allow the use of tokens like RSA's, but made by any vendor so that anyone can sell them. That's the only way I see tokens being added to wallets and keychains of everyone. And I don't want more than one token either. Carrying one token for my smith barney account, another for my ebay stuff, and a third for my regular checking account does not appeal to me on any level.
I haven't read through all the comments, so this may have already been posted, but what about using the first letter of each word in a phrase / song lyrics / poem? So, say for example, if I love Gangsta Rap, I could quote a line from Snoop Dogg's 'Gin and Juice'. My password would be:
kcuwfaslesd
which would stand for the line in the song 'Keep Comin' Up With Funky As* Sh*t Like Every Single Day'. This accomplishes two things - somewhat cryptographically strong and easy to remember passwords. Your comments?
I bought some d30 alphabet dice from these folks
Along with some d10's, you can generate some pretty random passwords.
Chip H.
For the curious, a d30 has A..Z, plus 2 "wild" and 2 "vowel" sides. When I get one of those, I'll usually just re-roll that die.
Can't believe it, this u/p is so weak at easynews.com
Take two words you can easily remember and concatenate them (that squares the size of the dictionary to exhaust).
Substitute a digit for a letter, i.e. 1 for l. (that increases the work factor by a few multiples depending upon the digit-letter combos and it guarantees neither word occurs in any dictionary.)
Intentionally mispell one of the words. I wonder how many times some geek type has used the password "sourceror"?
This is a very strong password because no dictionary attack (except a dictionary of every phrase in the language) will ever guess it, yet it is easy to remember because it is actually a phrase.
Hint: do not use "Ilhfs2m" as your password now.
(That shows up as "*****" for you, right?)
"It's All Over But The Crying." [29 characters, title of a song by the band Garbage]
No password generator is going to guess that.
This reminds me, what is the point of password engines denying special characters? I can understand certain limitations. I have seen numerous engines that disallow spaces, *'s, @'s, etc. Why? That simply makes passwords easier to guess.
YHBT YHL HAND. By the way, this is a hilarious troll. It's so stupid that only a complete dipshit would fall for it.
Do it like this, If it's a gamer, the user to say; get something pretty easy.. and mix it with known-gamer-lamer shit. for example; moron password > m00rn p4zzwwurd
;)
:P
It should work, better then something like "password" for say
Atleast what i think
In the Soviet Union, signatures writes you!
And what do you propose to use for the 10 different login systems I have to work with? And some of them need passwords >= 6 chars length and others = 8. Some need to change after 6 weeks and others not. Also I we have to use 2 different RSA code keys (for different systems). One with pin and one without. Would you blame me for writing down my passwords?
Just asking, after all my karma went positive and I have to do something about it.
I use the Model designations for Military hardware as passwords and keep photos of those I'm currently using on the wall near my monitor. Someone would have to recognise the equipment AND know the correct designation and even then they would have no way to link a picture to a site or file. There are hundreds of them *already loaded* so why not get some use from that, and some of the British Mark designations use special characters in addition to being seriously weird.
Thelma, I'm not making ANY deals.
Don't use passwords. Use physical keys (USB Stick, Keycard) and biometrics instead.
Just say no to passwords.
http://pixelcort.com/
Let the user create their own password, but make sure it passes a software test first. Firefox has something like that when you create a password manager-password. It gives you a rating of how strong it thinks your password is. Just create something like this, and require users' passwords to be at a certain minimum strength level.
Anyone should first understand why we need passwords. Enforced passwords are used as a means to deliver an environment in which: - it should be reasonably ensured that any service is used by only the correct person - and any person should be reasonably ensured that what its owns in this infrastructure is only validly used by him (and/or others if expressly arranged for) Passwords get useless if they are easily guessed (by programs or by looking over the shoulder). But passwords are also useless if people are 'enforced' to write them down in order to remember. The IT Security dept. should thus set rules for the password engine which the user enforces to create SAFE passwords. But leave it to the user! Here my educational guesses for a secure password environment: - a dictionary check should be or might be part of the password engine - any user-created password should be at least 12 characters - any user-created password should contain at least one digit - any user-created password should contain at least one non-alphabetic character And if the engine allows for it: - any user-created password should contain at least one space, allowing for passphrases But anyway, the user should still be able to create its own passwords. And of course, anyone should have preferably only one password for its complete corporate envronment (single sign-on).
This method is pretty good - it's not one I use, but it's one I've heard other people mention elsewhere.
Say you like pizza and Pepsi. Take those two words and interleave them to get "pPiezpzsai". Adjust for something easy for you to remember (perhaps your dog's name and your car model, or whatever).
Using this method, you get cryptographically fairly strong passwords that are pretty easy to remember as long as you can remember the component parts. Of course, you can do the usual replacing letters with numbers ("S" becomes "5" and so on) and alter the method a bit to make it even stronger, but on the basic level this method still makes pretty strong passwords.
I guess you can't force users to use it (although checking password strength should enforce something) but you can suggest it to them as a good method of coming up with a strong password that is easier to remember than a totally random password - it's a nice tradeoff.
Just my 2p...
Organic free-range music... yum!
i used to use 6uldvnce as a password and nick in some chat rooms. You wouldn't belive how many poeple din't get it. Imagination Is at a loss.
http://shit.slashdot.org/article.pl?sid=05/04/24/0 338228
TFA gave a Dept. Defence example of password security, showing how to make a 7-odd character alpha-numeric password but mentioning that it would take 60 days or so to crack, so change it that often.
The question is, if my password is something like "Peter P!per p!cked a packet of green frankfurts - p!ckled peppers were out of stock" how long between password changes?
Well, I always use patterns on the keyboard. They are very easy to remember. For instance I can easily remember every password I have used for the last 5 years. By pattern I mean something like this: xdrfvgy, or cfvghnjm, or azsdcfgbhjmkl anyway, this seems to work well because when our sysads run their password cracking stuff to check that people are using good passwords mine is always the last one to get cracked, sometimes by up to 40 hours.
Just place your finger on the scanner and you're in. Unless they cut off your finger, there's no way they can hack your password... Hmmmm, wait a sec, I suppose that could be considered a disadvantage. ;-)
Seriously though, you can get a fingerprint reader for less than $50 and no more memorizingf passwords is needed.
Years ago I heard about a concept called "Single Sign-on" (by Novell) and I suppose other technologies have something similar.
I didn't however see anyone bring this up as a possible solution for the end-users. (Admin gods and godesses still have all those servers to deal with).
The idea was that the end-user signed on with one secure password, which authentics them to all their applications for that session. No more passwords to remember for the various apps, just one main password, that can be strong.
Seems like a reasonable idea - one strong password to rule them all, one strong password to bind them.
The user then has to deal with only one password, and if and when they leave employment access to ALL applications the user formerly had access to are deactivated from that one strong password.
I would be interested in what any thinks about this idea? Is it even possible on non-Novell or mixed networks?
*click**beep**beep* Scotty, One to Mod up!
This perl-module is a random word Generator for pronounceable passwords -
Crypt::RandPasswd
Very usefull for me. Because I wanted to use this algo where perl is not suitable, I ported it to java and from there to C# RandPassword
Verizon won't let me use SPA to login and get my mail having a secure account for the internet is moot. I have now had 4 broadband providers and none of them would allow Secure Password Authentication. What's the point of trying to come up with good passwords when your ISP forces you to sent them in plaintext.
"Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
I find that forgetting passwords is not a problem if you never logout. :)
"i used to use 6uldvnce as a password and nick in some chat rooms. You wouldn't belive how many poeple din't get it. Imagination Is at a loss."
You mean like your imaginative captalization?
Also, I don't get your password, either, and I'm very imaginative. Does it mean "six old vance"? "bull dunce"? "bald ones"? "six underlined five NCE"? "culled events"? "gull dance"? I'm like a felled tree ("stumped").
Remember .Net Passport (there getting rid of it). The idea was good, shame M$ fucked it up
Maybe because you aren't familiar with sex that much. here it is spelled out. sexual deviance.
I bet you still don't get it so i will place the pronaouncments close for you. 6ul = sexual (6=sex ul=ual) dvnce = deviance (dv =dev nce =iance) . Now like saying a cheer, let put it all to gether "sexual deviance".