Enforcing Cryptographically Strong Passwords

Saqib Ali writes "The WebAppSec mailing list at SecurityFocus is currently having an interesting discussion on how to force users to use cryptographically strong passwords. The original poster suggested displaying a list of randomly generated passwords for the user to choose from. Two issues pointed out with this concept were shoulder surfing and the fact that a bunch of randomly generated passwords are hard to remember. A counter proposal was to use pronounceable but randomly generated passwords. A full summary of this discussion is available. Any thoughts from slashdotters?"

24 of 429 comments

  1. GOD by scsirob · Score: 4, Funny

    No-one will ever guess my super-secret password: GOD

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:GOD by 0x461FAB0BD7D2 · Score: 4, Funny
      What was that? I only see asterisks.

      No-one will ever guess my super-secret password: ***

      Do I need a password to view your super-secret password? Or do I run your comment by LC5?
    2. Re:GOD by FidelCatsro · Score: 4, Funny

      if you want to make it cryptographically strong you could change it to j3H0vA

      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    3. Re:GOD by Jack+Taylor · Score: 5, Funny

      Here's the original. It's a classic :D. Check out the top 100 too, if you haven't already.

      --
      One good turn - gets all the covers.
    4. Re:GOD by Anonymous Coward · Score: 5, Funny

      Terrific password. The atheist believes your password does not exist and would not waste time looking for it. And religious extremists will fight wars over the strength of your password.

    5. Re:GOD by Anonymous Coward · Score: 4, Funny

      Maybe, maybe not.

  2. Easier to remember random passwords by markh1967 · Score: 5, Funny

    We faced the same problem when generating random passwords for users and decided that the best method was to generate two short (4-6 characters) English words with a number at the end. This creates passwords such as swimeasy12, turnright62, sidedoor81, etc. These proved to be very easy to remember and we only had one complaint: A secretary had her random password set to fatgirl13 and was really not happy, even after we explained the random process.

    --
    Input error. Replace user and press any key to continue.
    1. Re:Easier to remember random passwords by Anonymous Coward · Score: 5, Funny

      but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...

      Perhaps, but if he gets you to spell the words for him, the dictionary attack won't work.
    2. Re:Easier to remember random passwords by 1u3hr · Score: 4, Insightful

      but brute forcing all combinations of 2 4-6 letter English words plus 2 digits is ridiculously easy...

      Easy, but still much better than the usual girl's name/birthday style. Consider there are at least 10,000 words in the average person's vocabulary. So two words gives you 100 million possible passwords, add two digits and you have 10 billion. Actually, this is the system I personally use, I feel comfortable with it. It's not invulnerable but safer than most.
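The arithmetic in this reply (10,000 words squared, times 100 for the two digits) extends to every scheme proposed in the thread, and the same count decides how a two-word password compares with the 10-character mixed password and the pass-sentence suggested in later comments. The Python below is an added example, not code from the thread or from any poster: it computes keyspace and entropy for the word-plus-digits scheme, for uniformly random strings, and for a multi-word pass-sentence, and generates a two-word password with the `secrets` module. The word list is a constructed stand-in for a dictionary file, the vocabulary size of 10,000 is the comment's own assumption, and the guess rate passed to `time_to_exhaust` is an assumed, caller-supplied figure.

```python
import math
import re
import secrets

# Constructed stand-in for a dictionary file; a real generator would load
# the ~10,000-word vocabulary the comment assumes.
SAMPLE_WORDS = [
    "swim", "easy", "turn", "right", "side", "door", "lamp", "river",
    "pearl", "stone", "cloud", "brick", "grass", "paper", "wheel", "chair",
]


def keyspace_bits(choices, positions):
    """Entropy in bits of `positions` independent uniform draws from `choices` options."""
    return positions * math.log2(choices)


def word_scheme_keyspace(vocab_size=10_000, words=2, digits=2):
    """Number of distinct passwords in the 'N words + D digits' scheme."""
    return vocab_size ** words * 10 ** digits


def word_scheme_bits(vocab_size=10_000, words=2, digits=2):
    """Same scheme expressed as entropy (assumes words and digits are chosen uniformly)."""
    return keyspace_bits(vocab_size, words) + keyspace_bits(10, digits)


def random_string_bits(alphabet_size, length):
    """Entropy of a uniformly random string, e.g. 62 alphanumerics x 10 characters."""
    return keyspace_bits(alphabet_size, length)


def compare_schemes():
    """Entropy of the schemes discussed in the thread, under uniform-choice assumptions."""
    return {
        "two words + two digits (10k vocab)": word_scheme_bits(),
        "8 random alphanumerics": random_string_bits(62, 8),
        "10 random letters/capitals/digits": random_string_bits(62, 10),
        "5-word pass-sentence (10k vocab, words drawn at random)": keyspace_bits(10_000, 5),
    }


def time_to_exhaust(keyspace, guesses_per_second):
    """Seconds needed to try every candidate at a constant guess rate.

    The rate is the caller's assumption: an online login with lockout allows
    a handful per minute, an offline attack on a leaked hash file far more."""
    return keyspace / guesses_per_second


def generate_word_password(word_list=SAMPLE_WORDS, words=2, digits=2):
    """Draw words and digits from the CSPRNG-backed `secrets` module, never `random`."""
    chosen = "".join(secrets.choice(word_list) for _ in range(words))
    suffix = "".join(str(secrets.randbelow(10)) for _ in range(digits))
    return chosen + suffix


def matches_word_scheme(password, digits=2):
    """Shape check for generator output: lowercase letters followed by exactly `digits` digits."""
    return re.fullmatch(rf"[a-z]+\d{{{digits}}}", password) is not None


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits")
    # Assumed rate, purely illustrative: one million guesses per second offline.
    print("seconds to exhaust two-word scheme at 1e6 guesses/s:",
          time_to_exhaust(word_scheme_keyspace(), 1e6))
    print("sample:", generate_word_password())
```

The comparison treats every word as equally likely to be picked; a sentence a person composes is far from uniform, which is exactly the dictionary-attack weakness the pass-sentence comment warns about, so the 5-word figure is an upper bound, not a measurement. The shape check only confirms the generator produced the intended format; it says nothing about strength.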

  3. "Force"? by chrysrobyn · Score: 5, Interesting

    I'm just a *nix and Windows luser. After struggling with tens of passwords for years, keeping them (relatively) secure, difficult to guess, etc., my employer is starting to press hard on even more regulations and ended up changing my password cycles. I can't keep up any more. I've had to get passwords reset monthly for about 6 months so far because I get locked out due to bad password entries. I just had to ask for advice on keeping them straight.

    Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

    1. Re:"Force"? by sfcat · Score: 4, Insightful
      Per advice, I have begun to keep a plaintext file on my desktop computer with all my passwords in it and when they expire. My corporate IT guidelines are too secure for me, a legit user. So, I'll have to compromise security in order to comply with guidelines.

      First mistake, having an IT policy that forces users to remember dozens of passwords. Second mistake, telling a user to put their passwords in a plaintext file on the desktop. Third mistake, posting that fact on /. without posting as AC.

      I'm not making fun of you, but I feel for those admins b/c nobody would make such a policy unless forced by the higher ups.

      Security is based upon three types of authorization: 1) something you know (password) 2) something you are (biometrics) 3) something you have, e.g. a key of some type. Assuming that security is this important to your org, maybe you should get some type of thumb drive with a security credential and then you could use weak passwords safely. Or biometric fingerprint ids (now available from IBM) plus weak passwords. But the policy your network has in place is probably weaker (b/c I'll bet many people have these plaintext files) than a much slower password cycle.

      --
      "Those that start by burning books, will end by burning men."
  4. Don't by kristopher · Score: 4, Insightful

    Yes, I have a suggestion. Don't force people to use stronger passwords. If they choose to use a weak one then when it is cracked, that'll be their fault. In either case, how many of us actually have to worry about someone breaking our passwords?

    The whole point of passwords is to deter regular joe from gaining access. Yet anyone with enough time and commitment can and will break any password or encryption method ever created.

  5. password by DarkHelmet · Score: 4, Funny
    from the nd3knsdkh238979103dsw dept

    Stop posting my password on Slashdot, Zonk!

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  6. Single Sign On by SnapShot · Score: 4, Interesting

    Either use single sign on or an honest assessment of whether or not every f-ing application and web site in the intranet needs its own f-ing password. Some things are just not so important that they need a password, especially if they are already relatively safe within the corporate intranet.

    To use the example above, I'd be more than willing to think up and use a long, randomized password if it was the only one I had to remember to do my job and I only had to change it once every 90 days or so.

    --
    Waltz, nymph, for quick jigs vex Bud.
  7. random passwords by janek78 · Score: 4, Insightful

    For the more important stuff (like my credit card details) I use a random generated password 10 characters long, mixing normal letters, capitals and numbers. But if I had to use several of these, I would have to start writing them down (I am in my mid twenties, recently graduated from a medical school, so I like to think my memory is quite good).

    Forcing an average user to use a difficult random password is like asking them to write it down on their monitor (I've seen this done more often than I can remember - and don't forget my memory is good :)

    Wouldn't a non-random but still difficult to guess password be more secure?

    Using the method mentioned in the article (e.g. t7p4i0t1 for combining a phrase and a number) is OK until you are forced to change the password too often. Was it "pearl in the river" and my birthday or was that last time and now it is "lorem ipsum dolor" and my wife's birthday?

    Seems to me that forcing too secure passwords onto your users is bound to be insecure in the end.

  8. choose long pass-sentence or write down by SilverSun · Score: 4, Insightful

    I thought this discussion was long over. Everybody knows that there are two possible solutions to this problem.

    A) Either use a pass-sentence instead of just a word; most modern systems allow for rather long passwords. Since the sentence makes sense it is easy to remember. Since the sentence has many characters, it is pretty hard to crack with current tools. Dictionary tools may change this, but place a few strange names or made-up words in the sentence and you are much safer than with any 8 char password today.

    B) If stuck with old systems, I usually recommend the secretaries to write their passwords down. YES! Comparing the risk that one of the ~250 daily stupid attempts to guess passwords from random idiots succeeds is MUCH larger if people are told to remember their passwords. They'll automatically choose simple ones. I guess about two or three passwords in our own system per week. If they choose a very complicated passwd and write it down, then an attacker needs to be physically in the office to steal it. If the guy is physically in the secretaries' office, he has no problem getting everywhere anyway and we have much bigger problems.

    Cheers

    --
    KdenLive/PIAVE - non-linear video editing

  9. My technique. by Heem · Score: 4, Interesting

    I like to pick a pattern on the keyboard, and then use that, alternating shift. If you were to ask me what my password is, I really wouldn't know unless I'm sitting at the keyboard.

    Now, this is NOT my password, but it may have been at some point, but for example :LKPOI)(*890iopkl;

    As you can see, that password would be difficult to guess and crack, since it contains numbers, symbols, upper and lower case, 18 characters, and has no dictionary words in it.

    Try and type that password and you'll see how easy it is to remember.

    --
    Don't Tread on Me
  10. Forget passwords. by ezzzD55J · Score: 4, Informative

    Ask Bruce Schneier. From his latest Crypto-Gram:

      Passwords just don't work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there's an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can't be guessed. For anything that requires reasonable security, the era of passwords is over.
  11. Password Overload by SoupIsGood+Food · Score: 4, Insightful

    Weak passwords are a reality. In my current job, I've got eleven different systems that require a password. If you think I'm going to select and memorize a cryptographically correct password for each and every one of them every three months when the passwords are set to expire, you're insane.

    The more important and sensitive systems get strong passwords. The web-based tool I use to diagnose hardware issues in equipment that isn't even online? It gets something easy to remember.

    For non-technical users, the situation is worse. If you get too psychotic in your password policies, they're just going to write them down on a post-it they stick to the underside of their mousepad if they're being circumspect, and right to the monitor if they're not.

    If you're dumb enough to run a system so braindamaged that it allows brute-force attacks and so insecure that running a decrypt on a password file gives the bad guys the keys to your palace, you need a strong password policy. You will also deserve to be mocked when a soceng hack allows someone into the building to look closely at any monitors bearing post-it notes.

    Password security is the last refuge of the incompetent sysadmin or web developer. Careful separation of user roles and discouraging escalation of privileges is more important than someone using gpe~9u?bi4 as their password for this week.

    SoupIsGood Food

  12. Spouse's name by mmThe1 · Score: 4, Funny

    I still say that using one's spouse's name as the password is best.

    If you think it's a weak policy for your organization, then your employees aren't changing their spouses fast enough....

  13. nqq_39tyyza7 remember that! by EmbeddedJanitor · Score: 4, Insightful

    No wonder people write down their passwords on postit notes stuck on their monitors.

    --
    Engineering is the art of compromise.
  14. Profanity! by word_virus · Score: 4, Interesting

    I always recommend users consider a password comprised largely of profanity. This has proven to have several benefits: 1. It makes passwords "sticky" and easier to remember, so you can make them arbitrarily long. It's easy for your password to be 1Mg\/\/v when it stands for "lick my gibbering whale vulva." 2. Because these passwords are potentially embarrassing, users are much less likely to write them down in any conspicuous place (like the sticky note on the monitor). 3. An additional benefit of the embarrassment factor: users are less likely to give their password out to others, thus protecting against social engineering attacks.

  15. In the forests of the night by grahamlee · Score: 4, Insightful

    That's such a good idea, it's already been done. One example is:

    Password Helper
    Use the Password Helper panel to pick a secure password.

    From mac os X 10.4.

  16. Re:Passphrases by Glonoinha · Score: 4, Funny

    that builds grammatical sentences by taking a valid syntax and plugging in random verbs, nouns and adjectives in the right places.

    Or I could just send you the documentation we got back with the last project we outsourced to India.

    --
    Glonoinha the MebiByte Slayer