Slashdot Mirror


Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

516 comments

  1. I know how it feels... by XXIstCenturyBoy · · Score: 5, Funny

    I have a very very clever comment to add to that thread, but I forgot my password :(

    1. Re:I know how it feels... by AKAImBatman · · Score: 3, Insightful

      No kidding. Someone should invent a special "web token" of sorts that would keep you logged in. You know, it would be transmitted every time you access the site. It wouldn't have to be very big, maybe a maximum of 4KB.

      You know, I better go patent this idea before someone else thinks of it! :-P

    2. Re:I know how it feels... by Fulcrum+of+Evil · · Score: 5, Insightful

      Someone should invent a special "web token" of sorts that would keep you logged in.

      Tried that. Turns out, nobody wants all their online identities to merge together.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    3. Re:I know how it feels... by 19thNervousBreakdown · · Score: 2, Funny

      He's talking about cookies, dumbasses.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    4. Re:I know how it feels... by JoeBar · · Score: 5, Funny

      Fabulous idea. I propose we call it a "cracker"!!

    5. Re:I know how it feels... by Anonymous Coward · · Score: 0

      >He's talking about cookies, dumbasses.

      Wow, how smart are you! People would have been taking the piss for hours if you hadn't told us.

    6. Re:I know how it feels... by Anonymous Coward · · Score: 0

      Biometrics is the way to go. But since there are no standards, no one is willing to invest in this. But I worry what will happen if someone "steals" your biometric identity. Better laws and methods need to be created for this. Also no one should put all of their data at one spot so it can be stolen.

    7. Re:I know how it feels... by BRUTICUS · · Score: 1

      There's one called ROBOFORM. I'm quite sure it has its own self-serving implementations in the software. I installed it and it annoyed me to no end until I uninstalled it.

      www.roboform.com

      but yeah, a free one, that only manages passwords would be quite useful.

    8. Re:I know how it feels... by edalytical · · Score: 0, Offtopic

      Ha! My implementation will call it a "biscuit."

      --
      Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
    9. Re:I know how it feels... by eneville · · Score: 1

      Isn't that the idea behind MSN passport?

      I resist things like this. I really don't want someone gathering more information about me.

    10. Re:I know how it feels... by Tony+Hoyle · · Score: 2, Interesting

      There's always PwdHash.. unfortunately:

      - It only works on certain sites - javascript confuses it completely
      - They keep changing the f***ing algorithm, so next time you install it none of your passwords work!
      - If you're working on another machine you can't log in anywhere.

      I gave up on it.. something like that shipped with the browser would probably work though.

    11. Re:I know how it feels... by Moofie · · Score: 1

      That's my cat's name, you pervert.

      --
      Why yes, I AM a rocket scientist!
    12. Re:I know how it feels... by Metostopholes · · Score: 1

      But... Crackers are neither delicious nor delicacies. :(

      --
      "With rare exceptions people cannot use that picture to masturbate, therefore it is not the internet."
    13. Re:I know how it feels... by E8086 · · Score: 1

      a cookie is just a cookie, but a Newton is fruit and cake

      --
      F7 doesn't work, ignore spelling and grammar
    14. Re:I know how it feels... by Mechcozmo · · Score: 1

      OS X's Keychain seems to have attracted a fair number of users... I don't know what most of my passwords are-- my Mac does however. AES-128 encrypted and backed up whenever I want to another Mac. :-)

    15. Re:I know how it feels... by askegg · · Score: 2, Insightful

      There are standards to achieve this - SAML, Liberty, Passport, Oasis, etc. The problem is the great unwashed masses are not ready for it yet - they do not see the value.

      Microsoft's solution (Passport) requires the user to submit all their information and trust M$ to do the right thing. Surprisingly, many people don't like this idea.

      Another way is to federate your identity between systems, so no single system knows all your details but they know enough to identify you. You get to specify the information that is shared between any two systems. There is a chicken and egg problem here - most companies have yet to roll out such solutions as customers don't seem to want it (or don't know it exists) and customers won't start using it until most of the sites they visit support it.

      None of these solutions address the issue of graded authentication in a satisfactory manner. Right now it is easier to either remember/record a few usernames and passwords, or use the one set across all systems. Neither is good from an identity or security point of view.

      --
      I don't make predictions, and I never will.
    16. Re:I know how it feels... by Martin+Blank · · Score: 2, Interesting

      Imagine if Google implemented GooglePass, though. Everyone would jump on it as the best thing ever!

      Of course, it would probably also be done a lot better, but it would still have the issues of a hidden method of implementation and central storage of credentials. The latter part of that sentence would be ignored by a lot of people, though.

      --
      You can never go home again... but I guess you can shop there.
    17. Re:I know how it feels... by theotherlight · · Score: 1

      I tried Roboform as well. And, of course, was annoyed to it as well.

      Since then I've written my own program to store and encrypt my passwords. I can't be bothered to write it as an IE/Firefox/[browser here] plugin, but it works perfectly fine for me. Also, since it's not just a browser plugin, I store my POP3 info, FTP info, etc. in it.

      --
      The cat's in the bag and the bag's in the river.
    18. Re:I know how it feels... by andreyw · · Score: 1

      Time for a very-carefully planted plug: on linux, you don't need a password to login and can use any USB mass-storage as an auth token, provided you're willing to brave alpha-quality software ;-).

      http://sourceforge.net/projects/pampka

    19. Re:I know how it feels... by Lesrahpem · · Score: 1

      I think it's just because nobody takes computer security seriously. People can remember phone numbers, addresses, their SSN, and all sorts of other information they take seriously, but not passwords?

    20. Re:I know how it feels... by jd0g85 · · Score: 1

      " I have a very very clever comment to add to that thread, but I forgot my password :(" - by XXIstCenturyBoy (617054)

      You did? Gee Whiz. You seem logged in to me!

      --
      There is no belief, however foolish, that will not gather its faithful adherents who will defend it to the death.-Asimov
    21. Re:I know how it feels... by Sevidrac · · Score: 1

      My SSN has never changed. I have had the same phone number for several years as do most people I call on a frequent basis, otherwise I look up their number in the cell phone's directory. My 7 passwords I remember for my company change at different times. The NT/Email main password changes every 60 days. Another password for the Time and Attendance system never seems to expire. Another password for logging into the Support system changes every 90 days. Yet another password expires after 120 days.

      So, I cannot just have one password and increment (i.e. Football1, Football2, etc), because then I run into the problem of remembering which iteration is where. X number of failed logins result in the account being shutdown for 2 hours at first, then eventually requires a call to IT Support to unlock your account.

      --
      What luck for rulers, that men do not think. - Adolph Hitler
    22. Re:I know how it feels... by Jafar00 · · Score: 1

      Someone should invent a special "web token" of sorts

      What about using ssh certificates?

      --
      RebateFX.com - Spread rebates for Forex traders
    23. Re:I know how it feels... by ultranova · · Score: 1

      There are standards to achieve this - SAML, Liberty, Passport, Oasis, etc. The problem is the great unwashed masses are not ready for it yet - they do not see the value.

      Unwashed masses are correct in their belief, for once. There is no value for me in using a single user profile for all the sites I frequent - and therefore letting all those sites know everything I do on the Internet. And if I just don't care, I can just use a single login/password for all those sites. The only ones who stand to benefit anything from this kind of scheme are advertisers and intelligence agencies, neither of whom I'd want watching my every step.

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    24. Re:I know how it feels... by Anonymous Coward · · Score: 0

      Who you callin' a cracker?!

    25. Re:I know how it feels... by Anonymous Coward · · Score: 0

      I've said it before, and I'll say it again:

      Google = 1984

  2. Can't remember already... by richdun · · Score: 2, Interesting

    Nothing for you to see here. Please move along.

    Crap, what was the password to view /. stories?

  3. Better than post-it notes by nizo · · Score: 5, Interesting

    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

    a-E9 b-?p c-&m
    d-6K e-aY f-eP
    g-!S h-gn i-D=
    j-Hd k-vw l-Cb
    m-W5 n-4$ o-R3
    p-x% q-7M r-NF
    s-+2 t-s* u-Ay
    v-fL w-zG x-Zu
    y-cX z-Qr

    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than to get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
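
    The card scheme above, as an added Python example (nizo's perl script is not on the page, so this is not his code): the printed card is transcribed as a dict, a fresh card is generated with distinct pairs so that it stays reversible, and a composition check shows which card-generated passwords would fail a typical "upper, lower, digit, symbol" rule. The pool of characters used for new cards is an assumption taken from the symbols visible on the printed card.

```python
import random
import string

# The card printed in the post above, transcribed as letter -> two-character pair.
NIZO_CARD = {
    "a": "E9", "b": "?p", "c": "&m",
    "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=",
    "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3",
    "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay",
    "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Assumed pool for freshly generated pairs: the post does not say which symbols
# its script used, so these are the ones visible on the printed card.
PAIR_POOL = string.ascii_letters + string.digits + "!?&=$%*+"


def make_card(rng=None):
    """Generate a new card: each letter a-z gets a random two-character pair.

    Pairs are kept distinct; that is what makes decode() below unambiguous.
    A CSPRNG (SystemRandom) is the default; pass a seeded Random only for tests.
    """
    rng = rng or random.SystemRandom()
    card, used = {}, set()
    for letter in string.ascii_lowercase:
        while True:
            pair = rng.choice(PAIR_POOL) + rng.choice(PAIR_POOL)
            if pair not in used:
                break
        used.add(pair)
        card[letter] = pair
    return card


def format_card(card, per_row=3):
    """Render the card in the post's layout: 'a-E9 b-?p c-&m' per row."""
    cells = [f"{letter}-{pair}" for letter, pair in sorted(card.items())]
    rows = [" ".join(cells[i:i + per_row]) for i in range(0, len(cells), per_row)]
    return "\n".join(rows)


def encode(card, keyword):
    """Map each letter of the remembered word to its pair and concatenate."""
    return "".join(card[ch] for ch in keyword.lower())


def decode(card, password):
    """Inverse lookup: recover the keyword from a card-generated password.

    Works only because the pairs are distinct; an unknown pair raises KeyError.
    """
    if len(password) % 2:
        raise ValueError("card passwords are always an even number of characters")
    inverse = {pair: letter for letter, pair in card.items()}
    return "".join(inverse[password[i:i + 2]] for i in range(0, len(password), 2))


def missing_requirements(password, min_len=8):
    """Return which parts of a typical composition policy the password lacks.

    An empty list means compliant. A card password does not automatically
    contain every character class; it depends on which letters the keyword has.
    """
    missing = []
    if len(password) < min_len:
        missing.append(f"length>={min_len}")
    if not any(c.isupper() for c in password):
        missing.append("upper")
    if not any(c.islower() for c in password):
        missing.append("lower")
    if not any(c.isdigit() for c in password):
        missing.append("digit")
    if not any(c in string.punctuation for c in password):
        missing.append("symbol")
    return missing


if __name__ == "__main__":
    print(format_card(NIZO_CARD))
    for word in ("bank", "wxke"):
        pw = encode(NIZO_CARD, word)
        print(word, "->", pw, "missing:", missing_requirements(pw) or "none")
    print(format_card(make_card()))
```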

    1. Re:Better than post-it notes by richdun · · Score: 4, Funny

      (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

      So could you please elaborate on this and also tell us how you remember other pieces of information, say, like, I don't know, just for example, your PIN, account number, and which bank you use? Just curious...

    2. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      I'd be interested to see how you get that password from that matrix for the word bank...

      seems like an interesting system.

    3. Re:Better than post-it notes by cavemanf16 · · Score: 2, Insightful

      Damn, that's way too much work! (And what about me and my 30-40 passwords... that's a BIG piece of paper!) Just GPG one file full of passwords, and remember your GPG key.

    4. Re:Better than post-it notes by Anonymous Coward · · Score: 5, Funny

      To steal an old post to an old comment -- that's a very interesting perl program...could you post the output instead of the well-written perl code, though?

    5. Re:Better than post-it notes by AKAImBatman · · Score: 3, Informative

      It took me a moment, but I figured out the system. The letters before the dash are the key, the letters to the right are the parts that are used in the password. So for "bank" you have:

      b-?p
      a-E9
      n-4$
      k-vw

      He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:
      a-E9 b-?p c-&m
      d-6K e-aY f-eP
      g-!S h-gn i-D=
      j-Hd k-vw l-Cb
      m-W5 n-4$ o-R3
      p-x% q-7M r-NF
      s-+2 t-s* u-Ay
      v-fL w-zG x-Zu
      y-cX z-Qr
    6. Re:Better than post-it notes by tajmorton · · Score: 1

      Look at the first line:
      a-E9 b-?p c-&m

      That tells you substitute b with ?p, a with E9, etc etc.

      So, b (?p) a (E9) n (4$) k (vw) equals a password of ?pE94$vw. Make sense?

      Taj

      --
      Tell the truth and you won't have so much to remember.
    7. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      > I then print this, laminate it, and put it in my wallet

      With all my passwords, that would hurt my butt.

    8. Re:Better than post-it notes by RDFozz · · Score: 1

      On those occasions where I had to write down a password, I would use a trivial ciphering mechanism: for example, move the first character to the end of the password (obviously, this works far better with random passwords than human-readable ones).

      --
      R David Francis
    9. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      From the matrix...
      b=?p
      a=E9
      n=4$
      k=vw
      so bank = ?pE94$vw
      It is simple substitution, 2 chars for every letter of the alphabet

    10. Re:Better than post-it notes by Anonymous Coward · · Score: 0, Flamebait

      ePAy&mvw cXR3Ay

    11. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      There's 26 groupings - one for each letter of the alphabet. The first letter group (for "a") is "E9". "b" = "?p", "c" = "&m", and so on. His keyword is "bank". So simply take the character pair for b, a, n, and k and concatenate them.

    12. Re:Better than post-it notes by AKAImBatman · · Score: 4, Informative

      Just GPG one file full of passwords, and remember your GPG key.

      That's more or less what he did. Look again. The table isn't a list of passwords, rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversible as well, so you can retrieve the keyword from the password.

      Here's an article on substitution ciphers.

    13. Re:Better than post-it notes by Canadian_Daemon · · Score: 1

      You really don't understand how his system works, it isn't that each password is 'coded' onto the paper, but each letter gets replaced by a value. So all the paper has to have is 26 fields with 26 values.

      --
      This sig is definitive. Reality is frequently inaccurate.
    14. Re:Better than post-it notes by interiot · · Score: 1

      So what do you do for all the stupid places that:

      a) require you to use numbers only for your ATM PIN

      b) require you to use no special symbols (I wince in pain every time I see this one)

      c) REQUIRE you to have at least one number, or one upper + one lower case, or one symbol (not every string in the table above has a number, or a symbol, etc)

      I have four basic passwords, but then I have multiple variants of them for various password requirements that various entities force upon me.

    15. Re:Better than post-it notes by Urban+Garlic · · Score: 4, Insightful

      This can fail to comply with password rules -- the password for, e.g.,
      your web-request-line account for WXKE radio, zGZuvwaY, doesn't have any
      numeric or punctuation characters.

      I think a lot of people fail to distinguish between cases where strong
      passwords are needed, and where they aren't. For Amazon.com, with its
      stored credit-card data, and PayPal, and my bank, and my user account
      at work, obviously strong passwords are a good idea. But for slashdot,
      nytimes.com, and other sites that just require them for your user-state
      info, crappy passwords that never change are just fine, and putting those
      on post-it notes on the monitor is also fine.

      --
      2*3*3*3*3*11*251
    16. Re:Better than post-it notes by shis-ka-bob · · Score: 5, Interesting

      The whole point is that you can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a separate cheat card for each month and then keep the same mnemonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that it is bad form to use a single password more than once.

      One thing that I did find to be a significant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember word will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

      --
      Think global, act loco
    17. Re:Better than post-it notes by SatanicPuppy · · Score: 1

      I tend to use some kind of hash on a phrase...For example, the previous sentence would leave me with: It2usko#oap, and then just use a word or two from the phrase as a mnemonic.

      Leaves room for long passwords, and keeps them from making you insane.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    18. Re:Better than post-it notes by vondo · · Score: 1

      Interesting, but not useful for me, in my experience. Various e-commerce sites have various restrictions. Some you can only use letters and numbers, others force you to use symbols in the password. Some ban only certain symbols. You can't come up with a scheme to deal with every case. It's all very annoying.

      Me, I keep a wallet of passwords on firefox and my PDA, both of which are encrypted. Fortunately, I only have one password that "times out."

    19. Re:Better than post-it notes by Ed+Avis · · Score: 5, Insightful

      Or better, just use your GPG keypair to identify yourself to start with. For example, when you register on a website you could paste in your GPG public key. Then to authenticate, the website encrypts a word with that key and shows it on a page; you decrypt it and enter the original word. So - no need to remember a password for this website, and if the website is cracked or just plain evil, they still can't do anything to access other sites since all they have is your public key.

      The browser could automate this pretty easily, of course

      --
      -- Ed Avis ed@membled.com
    20. Re:Better than post-it notes by shis-ka-bob · · Score: 1

      You don't seem to get it. You have to remember a simple password. You then use the card to map each letter of your simple password into two characters of Jibberish.

      --
      Think global, act loco
    21. Re:Better than post-it notes by nizo · · Score: 4, Insightful

      Or what I often do is have some short random string (for example "C@5") which I could prepend before all passwords. The upside is even if someone gets the card, and by some miracle they figure out what it is, they still don't have my passwords. Unless they can read my mind, in which case they will also realize I have a negative bank balance and will go find someone else to steal money from.

    22. Re:Better than post-it notes by misterpies · · Score: 2, Insightful
      Your method would be great except that it relies on you carrying around and frequently consulting a piece of paper in your wallet. As such it's only marginally less secure than just carrying around a note of your passwords in the first place.

      How long would it take someone observing you to figure out what you were doing and swipe your wallet? (In an office it would probably be easy for a thief to xerox your codesheet). Then they just need a few guesses for your trivial "unencrypted" password and they're in.

      Not my idea of great security.

      --
      The author of this post asserts his moral rights.
    23. Re:Better than post-it notes by cavemanf16 · · Score: 1

      Oh, but I do get it, and I'm far lazier than that. You see, if he has say... 5 different passwords... fine, that works great. But if he has... say 40 ... like I do, then there comes a time where you can't even remember the password to that one system that you hardly ever use, but still need to update the password periodically due to system admin's annoying tendency for "security." ;)

      So it's not just about generating random passwords for systems. It's about remembering which passwords go to which systems, and what the passwords are. (And when you're not allowed to use any of the last 12 passwords, and you are forced to update your passwords on that system every month, trying to remember the right one becomes quite the task. That's why I resorted to using an encrypted spreadsheet to store all that info.)

    24. Re:Better than post-it notes by AKAImBatman · · Score: 1

      Certainly not insurmountable problems:

      a) require you to use numbers only for your ATM PIN

      Have a "numbers only" card.

      b) require you to use no special symbols (I wince in pain every time I see this one)

      Have a "letters and numbers only" card.

      c) REQUIRE you to have at least one number, or one upper + one lower case, or one symbol (not every string in the table above has a number, or a symbol, etc)

      Pick a good keyword. :-) Actually, this is a minor problem since he seems to have a good distribution of letters, numbers, and special characters. It would be hard to pick a password that wouldn't meet even the most stringent requirements.

    25. Re:Better than post-it notes by shis-ka-bob · · Score: 1

      There are solutions to your issues. In the perl/python script, map each vowel to an uppercase letter and a funny character. Map each vowel to a lowercase letter and a digit. Restrict your passwords to words with vowels and consonants. You can even have a 'static' card and a 'monthly' card. Then you can use the monthly card to change your cheat sheet and you can keep the same mnemonic.

      --
      Think global, act loco
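
    The card shape shis-ka-bob sketches in posts 16 and 25 (vowel and consonant slots drawing from different character classes, a monthly card with the same mnemonic), as an added Python example rather than his perl/python script: it generates such a card, checks that any keyword with both a vowel and a consonant meets a four-class policy, and counts how many pair choices each letter loses compared with an unconstrained card. The symbol pool is an assumption; the posts do not fix one.

```python
import random
import string

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)
# Assumed "funny character" pool; the posts do not name one.
SYMBOLS = "!?&=$%*+"


def make_policy_card(rng=None):
    """Card shaped so every mixed keyword satisfies a four-class policy:
    vowel -> lowercase letter + symbol, consonant -> uppercase letter + digit.
    Pairs stay distinct so the card remains reversible."""
    rng = rng or random.SystemRandom()
    card, used = {}, set()
    for letter in string.ascii_lowercase:
        while True:
            if letter in VOWELS:
                pair = rng.choice(string.ascii_lowercase) + rng.choice(SYMBOLS)
            else:
                pair = rng.choice(string.ascii_uppercase) + rng.choice(string.digits)
            if pair not in used:
                break
        used.add(pair)
        card[letter] = pair
    return card


def encode(card, keyword):
    """Concatenate the pair for each letter of the remembered word."""
    return "".join(card[ch] for ch in keyword.lower())


def keyword_is_usable(keyword):
    """With this card shape, a keyword yields upper, lower, digit and symbol
    exactly when it contains at least one vowel and one consonant."""
    k = keyword.lower()
    return any(c in VOWELS for c in k) and any(c in CONSONANTS for c in k)


def has_all_classes(password):
    """True when the password contains lower, upper, digit and symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def pair_choices():
    """Distinct pairs one letter can draw from: an unconstrained card (any two
    characters from letters+digits+SYMBOLS) versus a vowel slot and a consonant
    slot on this card. This quantifies the 'reduces the number of potential
    passwords' cost the post mentions."""
    plain = (len(string.ascii_letters) + len(string.digits) + len(SYMBOLS)) ** 2
    vowel = len(string.ascii_lowercase) * len(SYMBOLS)
    consonant = len(string.ascii_uppercase) * len(string.digits)
    return plain, vowel, consonant


def rotate(keyword, old_card, new_card):
    """Monthly changeover as described: same mnemonic, new card, new password.
    Both values are returned so the old card can be kept until every account
    has been updated."""
    return encode(old_card, keyword), encode(new_card, keyword)


if __name__ == "__main__":
    this_month, next_month = make_policy_card(), make_policy_card()
    for word in ("bank", "rhythm"):
        if keyword_is_usable(word):
            print(word, "->", rotate(word, this_month, next_month))
        else:
            print(word, "has no vowel or no consonant; pick another keyword")
    print("pair choices (plain, vowel, consonant):", pair_choices())
```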
    26. Re:Better than post-it notes by Anonymous Coward · · Score: 1, Funny

      that's a very interesting perl program...could you post the output instead of the well-written perl code, though?

      Damn, that's the funniest thing I've seen on Slashdot in quite some time.

      (and I would be posting this under my own account if I could remember the password....)

    27. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      > I then print this, laminate it, and put it in my wallet
      With all my passwords, that would hurt my butt.

      It only requires one sheet of paper no matter how many passwords you have, and you don't have to put the paper up your butt.

    28. Re:Better than post-it notes by stinkbomb · · Score: 1

      Part of the point is the fact that the code is derived from a keyword. Without that keyword, the code-sheet is useless.

    29. Re:Better than post-it notes by Anonymous Coward · · Score: 1, Informative

      Security through obfuscation is not security.

    30. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Hey! thats my password!
      Oops

    31. Re:Better than post-it notes by TheRaven64 · · Score: 3, Interesting

      Rather than a PGP key, why not a personal SSL client certificate? Support is already integrated into most browsers, and organisations such as CACert issue them for free.

      --
      I am TheRaven on Soylent News
    32. Re:Better than post-it notes by Kent+Recal · · Score: 1

      Great ideas, both of you.
      Now, who is gonna back it up with a Firefox plugin?

      I think this would catch on pretty damn quickly...

    33. Re:Better than post-it notes by Doctor+Memory · · Score: 2, Insightful

      I hate strong-but-lame passwords. One site I have to use requires a password at least eight characters long, and you must have at least one digit and one uppercase character, but you can't use any non-alphanumeric characters. Why would anyone restrict the search space like that? Unless they're validating using javascript and can't be arsed to come up with a sufficiently capable RE.

      If it were up to me, a password field would accept everything except enter and escape. Enter would process the password, and escape would reset the field. Anything else is fair game. Control characters, characters with accents/umlauts/cedilles, go for it. It would also be cool to have the ability to C&P images into the field, but I doubt that's of widespread usefulness. Still, how many people are going to have that picture of your dog handy to use to access your account?

      --
      Just junk food for thought...
    34. Re:Better than post-it notes by 99BottlesOfBeerInMyF · · Score: 1

      That is a pretty good idea for strong, hard to guess passwords, but most people only have a few of those, while they have many passwords where only a trivial attempt at security is needed. Using a single generic password for many purposes is one way to go, but is a little too insecure for my comfort. I usually choose a happy medium of convenience and security with the following scheme:

      Make up a fairly strong password that should work in any environment (numbers, letters, special characters, no spaces, about six characters long). Use this password for all logins, but append or prepend a standard feature from the website or system in question. For example, use the password "W3%wr!" as your base password. When you login to Slashdot prepend "Sl" to have the password "SlW3%wr!" while for gmail your password is GmW3%wr!" and for the New York Times your password is "NyW3%wr!"

      In this way, automated scripts run on compromised account data and then applied to popular sites will fail, but you still only need to remember one password. Sure if someone were to acquire information from several compromised accounts they could figure out the scheme and get into yet more accounts, but with all the low-hanging fruit out there that is pretty unlikely. This is not as secure as your system, but also does not require me to carry a reference card everywhere.

    35. Re:Better than post-it notes by soft_guy · · Score: 2, Informative

      I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much easier to remember than gibberish.

      --
      Avoid Missing Ball for High Score
    36. Re:Better than post-it notes by shis-ka-bob · · Score: 2, Interesting

      It is certainly true that the vulnerability of this is that somebody that has your cheat sheet only has to guess 'dictionary' words (and start with common 3-5 letter ones first). The drawback of yours is that a 'bad guy' that convinces you to set up a password on his site will be able to look at your password and he might figure out what your rule is. ( e.g., if one were to use C@5tits on a porn site, a shady porn site operator could simply read the password and guess the rule.) He can then do the dictionary attack against anyone else that you have an account with.

      --
      Think global, act loco
    37. Re:Better than post-it notes by Anonymous Coward · · Score: 3, Interesting

      Evil sites *could* still cause harm. Think about a man in the middle attack:

      1. you go to evilsite.com, and enter your public key
      2. evilsite.com automatically connects to bank.com, and enters your public key
      3. bank.com encrypts some string, and sends it to evilsite.com
      4. evilsite.com sends the encrypted password to you
      5. you decrypt the data, and enter that info to evilsite.com
      6. evilsite.com forwards the data to bank.com

      Now, while you play on evilsite.com, evilsite.com empties your bank account. Not likely? What if you went to evilsite.com by following a link in an email that looks like it came from bank.com, and where you have a bank account? And don't think like someone who knows better. Think like your grandmother.

    38. Re:Better than post-it notes by gbjbaanb · · Score: 1

      There is something similar..ish - Keepass from sourceforge. It's a secure repository for your passwords, and will happily encrypt them as you create new ones.

      Use it to store passwords and urls, (and usernames), and with a little cut and paste you don't have any more problems with remembering those little used passwords.

    39. Re:Better than post-it notes by sploxx · · Score: 1

      Yes, that would be nice... but thanks to competition in software standards there are probably at least a hundred systems like your GPG form. And they all work as well. But because they are different, you still need many different passwords.

    40. Re:Better than post-it notes by nizo · · Score: 1

      ..you don't have to put the paper up your butt.

      That would probably keep anyone from stealing the paper however. Plus reaching down your pants to get the paper would be a great way to get people to avert their gaze while you type in your password.

    41. Re:Better than post-it notes by pcraven · · Score: 3, Interesting

      Too slow.

      Use a phrase, like: SlashDot Keeps Posting The Same Thing Over And Over
      Use the first letters: sdkptstoao
      Modify it a bit: SDkptst0a0

      You just remember the phrase and you are good to go!

    42. Re:Better than post-it notes by Yaztromo · · Score: 1

      Thanks for that nizo. Using this information, I should have your /. login cracked within the next half hour :).

      The big problem I see with this is that technically you're actually making the cracking easier by halving the actual number of possible keys that will fit into a given password size. If you're on a system with an enforced 8-character password, we now know what your password is in fact four pairs selected from 26 possible pairs. If my combinatorics are correct, for a fixed 8 character password system, your password is now only one possibility out of 14950 character pairs. If anyone gets hold of your matrix, you're dead -- a computer can run through those possibilities exceedingly quickly, and won't even have to go through all of them if you use a dictionary attack against the unencoded password (in your example, "bank").

      Even deconstructing your matrix from a few known passwords wouldn't be all that hard, as presumably the words you're selecting don't use an even distribution of the letters. How many of them use Q, X, or Z, compared to, say, A, E and T?

      And we now also know that all of your passwords (in encoded form) are an even number of characters in length -- which in and of itself is enough to halve the search space.

      Admittedly, your system is better than that of many people I know. It's protected from basic dictionary attacks (or just simple guessing) -- but all in all, it's not really that secure.

      Yaz.

    43. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Then why isn't your /. password +2CbE9+2gn6KR3s* you tard?

    44. Re:Better than post-it notes by gfody · · Score: 1

      What about when you need to login at a public terminal or from a friend's house? You need to have your private key memorized or on a usb keychain?

      --

      bite my glorious golden ass.
    45. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      So your slashdot password is +2CbE9+26KR3s* ?

    46. Re:Better than post-it notes by tuggy · · Score: 1

      if you are tired of remembering passwords.. maybe you should forget them!!
      try this: http://www.givemethekey.com

    47. Re:Better than post-it notes by krazykit · · Score: 0

      You want to post the perl script?

    48. Re:Better than post-it notes by InvalidError · · Score: 1

      I would personally prefer applying arbitrary arithmetic to a string pair. This would produce a stream of garbage that could later be encoded in base-10/16/26/36/52/62/etc. With this, the first string could be stored as plain-text in publicly accessible user profiles. Until someone figures out both the arbitrary function and the secret string, the passwords will remain reasonably safe.

    49. Re:Better than post-it notes by zaphod_es · · Score: 1

      This is an actual case which was explained to me in some detail by someone who was quite convinced he had beaten the system.

      > a) require you to use numbers only for your ATM PIN
      > Have a "numbers only" card.

      1234

      > b) require you to use no special symbols (I wince in pain every time I see this one)
      > Have a "letters and numbers only" card.

      Password1

      > c) REQUIRE you to have at least one number, or one upper + one lower case, or one symbol (not every string in the table above has a number, or a symbol, etc)

      Password1

      > Pick a good keyword. :-)

      Password1

      And where a cunning designer insists on a special character he uses Password1+

      He continued to explain how his bank insists on a monthly change of password and that they store the last three to make sure that you do not just rotate them. At the end of the month he changes it to Password2, then Password3 then Password4 and back to Password1

      There is no security system that I have seen that cannot be broken by stupidity.

    50. Re:Better than post-it notes by ajs · · Score: 1

      That's not a bad system, but suffers from the problem that the passwords are all written down. In some environments this is fine, in some it's tragic. Granted, your scheme still has a secondary key, but given your primary key only (the cheat card), writing code to search every simple word as transformed by the matrix would be easy. Again, your system is better than most.

      The real pain comes in when you need to generate passwords for people in advance and, for whatever reason, the "change it the first time you use it" suggestion isn't enforceable (e.g. they're using a system that can do so, but don't use that feature or the system is incapable of that feature).

      When this happens, I use http://www.ajs.com/~ajs/mkpasswd. I also use it to generate my own passwords. You can use it to generate passwords that are impossible to crack other than by brute force (mkpasswd -r --strict, which is a random sequence, but filtered for dictionary words); a password that is a simple dictionary word (mkpasswd -p 'W8-12') and just about any level security/memorability trade-off in between. By default (mkpasswd -r -5 --max 12 --non-word) a set of pre-defined password patterns are consulted. After permutation of various parameters, there are about 270 patterns to choose from, each producing a fairly reasonable number of possible passwords, though some patterns are better than others. This is not the strength of the program, however.

      The strength of the program lies in the fact that it is capable of parsing a pattern provided by the user which defines their desired password in whatever way they like. One such description might be "x3-5n2WJ4n1" which translates as: "a 3-5 letter pseudo-word (pronounceable random letters), a 2-digit number, a 4 character "join word" (two dictionary words that overlap, forming a 4 character result) and a single digit". If I were to hand out passwords to all of my users of this form, it would be a tragically weak scheme (the search space is very small), but if one of my users chooses this as the scheme for their current password, the result would be quite reasonable.

      The program has some experimental features too, like the "--easy" flag which tells the program to find a password that alternates sides of the keyboard for each keystroke (QWERTY only). This currently only works for most of the pattern types, but as an example, it does a great job on mkpasswd -5 -p 'xT9-12' --easy

    51. Re:Better than post-it notes by TheRaven64 · · Score: 2, Interesting

      I think you are missing the point. This doesn't need a Firefox plugin. It is already present in IE, Firefox and Safari (maybe Opera - I've not checked). All you need to do is add a client certificate. Then, the first time you establish an SSL connection to a server which requests it, they will get a copy of the signed data, which they can log. Any further attempt to use that site can do the same authentication, completely transparently.

      --
      I am TheRaven on Soylent News
    52. Re:Better than post-it notes by slashnik · · Score: 1

      "Without that keyword, the code-sheet is useless."

      But having the code-sheet would make it trivial to brute force the passwords.

    53. Re:Better than post-it notes by Hrodvitnir · · Score: 1
      > How long would it take someone observing you to figure out what you were doing and swipe your wallet?

      Considering he said he has a perl script to generate the card randomly, I'm guessing he replaces it and changes his password, considerably increasing the security.

      > Not my idea of great security.

      It would be more helpful if you offered your idea of great security rather than just bashing someone else's.
      --
      "There are more important things than stopping terrorism. Upholding the Constitution is one of them." - Ars Forumer.
    54. Re:Better than post-it notes by jonadab · · Score: 2, Insightful

      > To authenticate, the website encrypts a word with [your public] key and shows it
      > on a page; you decrypt it and enter the original word.

      Right, so every computer you ever need to use to access a website (the one at home, the one at work, the one at the library, the one at your brother's place, ...) needs the cryptography software (yeah, just *try* talking the IT department into *that* one) and *potentially* might obtain a copy of your private key.

      This *might* work for people who carry around a PDA, because they could do the encryption/decryption on the PDA. Then as long as you don't lose the PDA, your private key can remain secure.

      I think the real problem is the burning need people feel to protect *everything* with the same level of security. I mean, really, does your account with every web forum or online retailer you ever visit *really* need a unique, secure password? Couldn't 99% of them use the same password? Seriously, save your memory for *important* stuff, like your bank password, your ssh account on the server at work, and so forth.

      Granted, some of us have jobs that by their nature mean a larger number of secure passwords needed, but that's mostly IT professionals -- system administrators and the like. Ordinary end users don't need so many. Ask yourself, "What are the consequences if a criminal gets this password?" If the answer is something like, "I might have to create a new neopets account, if I still want to play these cheesy games", then by all means, use the same lame password you use for everything else that doesn't matter. If the answer is more like, "I could lose thousands of dollars", then spend the time you need to generate and memorize a unique secure password.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    55. Re:Better than post-it notes by Toadius · · Score: 1

      What a great idea!

      Just write your passwords on the other side of the card and you've got a complete solution you can use anywhere.

      [C'mon, you *know* that your mom or dad would do just that....]

    56. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      what?!

      how does that apply here?

      "security through obfuscation is not security" seems like a nice phrase you are bandying about beyond its intended usage.

      what is encryption, after all, if not obfuscation?

      p.s. I think the phrase you are looking for is security through obscurity. Also, as noted in the link, obscurity + security is better than just security.

    57. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      That's all well and good....but I want to know what happened to the biometrics that were supposed to be everywhere by 2005. I would love to use my fingerprint as a master password for everything!

    58. Re:Better than post-it notes by autophile · · Score: 1
      > The scheme is reversible as well, so you can retrieve the keyword from the password.

      For those pesky times when he doesn't know what site he's on, but the password is right there, in plain sight!

      --Rob

      --
      Towards the Singularity.
    59. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      ePAy&mvm cXR3Ay!!!

      (just couldn't resist...)

    60. Re:Better than post-it notes by Asgard · · Score: 1

      Keepass can also auto-type the username and password for you, so copy / paste isn't even necessary.

    61. Re:Better than post-it notes by milimetric · · Score: 1

      lol, not only does slashdot have dupe stories but now people are dupe posting too!!

      I saw this the first time you said it, and I'll dupe my answer as well:

      you don't need to get that complicated. Just come up with a gibberish word like shuntalize and pick a symbol like $ and then all your passwords can be like:

      shuntalize$ebay
      shutanlize$email
      shuntalize$visa5578

      it's simple to remember, hard to crack. Contrary to what the parent is, that scheme seems to me really easy to crack. Maybe that's just me though.

    62. Re:Better than post-it notes by lcde · · Score: 1

      I wrote one too. (probably from your suggestion :) ) But I added a seeding process in so i can regenerate the hash table 'just in case'.
      Pros: Can regenerate.
      Cons: There is a password for my password table :)

      In Python:
      import binascii
      import random

      # Answering "none" (in any of the spellings the original accepted) leaves the generator
      # seeded from system entropy; any other answer becomes a reproducible seed for the table.
      choose2 = input("Enter specific seed or None: ")
      if choose2 == 'none' or choose2 == 'NONE' or choose2 == 'None':
          random.seed()   # the original wrote random.seed without (), which never reseeded
      else:
          seedkey = binascii.b2a_hex(choose2.encode())
          random.seed(seedkey)

      --
      :%s/teh/the/g
    63. Re:Better than post-it notes by syncomm · · Score: 1, Informative

      Oddly enough, I have been doing something very similar. This should generate a key for you:

      perl -e 'foreach $x(A..Z) { print "$x: ".chr(int(rand 94)+33).chr(int(rand 94)+33)."\n"}'

    64. Re:Better than post-it notes by robertjw · · Score: 1

      I think a lot of people fail to distinguish between cases where strong passwords are needed, and where they aren't.

      That is my biggest complaint. For things that are critical I have a (relatively) strong password scheme, for non-critical things I have one or two passwords I use. What irritates me is when a website I would consider low risk has a bunch of password rules (numbers, non-alphanumeric characters, a length requirement longer than 6 characters). The funniest to me are companies like the electricity or trash pickup. Why do I care if someone breaks into these? What are they going to do, pay my bill? Most sites that are any either don't keep payment info, or won't display it, so where's the risk?

    65. Re:Better than post-it notes by penguinoid · · Score: 1

      > Security through obfuscation is not security.

      Really? Care to give me your password?

      PS: damn anonymous cowards.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    66. Re:Better than post-it notes by Malyven · · Score: 1

      I have wanted something like this since I first heard about it. The pocket vault http://www.chameleonnetwork.com/index.html is a brilliant idea for a biometric portable storage unit (don't I sound intelligent), Wish they would finally release it so I could check it out.

    67. Re:Better than post-it notes by Noah773 · · Score: 1
      Another method I have used is to have a password template that I then change based on the website's URL. For example:

      If my template is my birthday month: "january" Then I will make the last letter of the password the same as the last letter of the domain name at the site. "january" at SlashDot becomes "januart"

      If I need a unique character I will designate a letter to be exchanged with a number. Let's say the "n" always becomes a "4". The result is "ja4uart"

      If Amazon needed a unique character and a capital letter "january" would become: "ja4Uarn"

      I recommend using multiple numbers and changing multiple characters based on the URL to make your template unrecognizable.

      Nothing to remember. Just follow the formula.

      Of course if evilsite.com figures out your template and your method you have a problem. But in any security situation if someone is trying to screw you they can always find a way. This just provides a simple way to create a complex password.

      Noah

    68. Re:Better than post-it notes by JasonTik · · Score: 1

      The site should make you GPG sign your session id and the date/time.

    69. Re:Better than post-it notes by Jesus+2.0 · · Score: 1

      > Just come up with a gibberish word like shuntalize and pick a symbol like $ and then all your passwords can be like:
      >
      > shuntalize$ebay


      That's only trivially better than making all of your passwords "shuntalize".

      Let's say someone cracks your ebay account, and sees that its password is "shuntalize$ebay".

      Exactly how long do you think it's going to take him to figure out that your Citibank account's password is "shuntalize$citibank"?

    70. Re:Better than post-it notes by Ed+Avis · · Score: 1

      You are quite right. The random word generated by a site would need to be salted with the site's name. So evilsite.com would be allowed to generate 'evilsite123' or 'evilsite456', encrypt that string with your public key and send it to you. The bank site would use 'bank1234' etc. On decrypting you'd check that the site name matches before sending the plaintext back.

      Could you trust grandma with this? No. If the bank always used a random string of the form 'bankXXX', you'd hope that the user would notice when pasting this text into evilsite.com - hmm, why does it say 'bank'? - but it would be unwise to rely on user intelligence. I suggest this manual system of GPG encrypting and decrypting more as a thought experiment. Obviously for widespread use you'd want the web browser to take care of the details. So the browser would check the salt on the plaintext string.

      --
      -- Ed Avis ed@membled.com
    71. Re:Better than post-it notes by thetaco82 · · Score: 1

      Sure, using a painfully obvious word to generate a strong password sounds great, but then you still have to protect the card like you would any other written record of your passwords. Assume somebody steals your wallet and gains access to your laminated card. Now it's easy for them to either guess your passwords, or even write a program to brute force using the rules on your card...

      My solution is a little more secure. I just remember my passwords, which is a skill that just takes a little bit of practice. I generate a 10-12 character password such as U8#.eb_2vcEm and after only typing it four or five times, I am able to recall it quickly using my muscle memory. I can't recite a single one of my passwords verbally, but my fingers will type all of them perfectly every time.

      It's not like I'm some kind of password-savant; it's just conditioning. I'm one of the people that actually practices good password security instead of crying about it. Because of this, my personal security policy is stronger than the company that I work for, and I have to simplify my passwords for work. (What kind of tech company limits you to ten characters??)

    72. Re:Better than post-it notes by TCM · · Score: 1

      I do it in a similar way, just non-reversible. For each site/service/forum/etc I make up a user name and a domain name. In the normal case, the user name actually is the login and the domain is the site where to enter it.

      Now I have one password that's both strong, easy to remember and not stored anywhere except my head. (For the curious: http://world.std.com/~reinhold/diceware.html)

      I enter this master password on a non-connected machine and a little script basically hashes the string "${USER}:${DOMAIN}:${ITERATION}:${MASTERPASS}" into a binary hash. This binary hash gets run through a base64 encode, all non-alphanumeric characters are stripped (this is the lowest common denominator since some sites only allow letters and numbers), and the first 16 characters from the left are output as the resulting password. $ITERATION normally is 1. If I want to change a single password I don't have to change the master password, just increase the iteration.

      In case I forget _where_ I actually signed up, all user names, domains and iterations are stored in a text file. This actually happens with dozens of forums, vendor sites that require logins for support files, etc. etc.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
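      The derivation TCM describes, written out as an added example (not his script): the hash he leaves unnamed is assumed to be SHA-256, and the user/domain/iteration entries below are constructed. Because one leaked derived password gives an attacker something to test master-password guesses against offline, the master has to be as strong as the Diceware passphrase he links.

```python
import base64
import hashlib
import re

# Added illustration of TCM's scheme. The hash function is an assumption
# (the post only says "a binary hash"); SHA-256 is used here.
def derive_password(user: str, domain: str, master: str, iteration: int = 1) -> str:
    """Derive a 16-character alphanumeric site password from the master password."""
    material = f"{user}:{domain}:{iteration}:{master}".encode("utf-8")
    digest = hashlib.sha256(material).digest()        # the "binary hash"
    b64 = base64.b64encode(digest).decode("ascii")     # base64 encode it ...
    alnum = re.sub(r"[^A-Za-z0-9]", "", b64)           # ... and strip '+', '/' and '='
    # 44 base64 characters with only '+', '/' and '=' removed always leave at least
    # 16 alphanumerics for a 32-byte digest, so the slice below is never short.
    return alnum[:16]                                  # first 16 characters from the left

# Constructed sample entries, standing in for the text file of user names,
# domains and iterations TCM keeps so he knows where he signed up.
SITES = [
    ("alice", "slashdot.org", 1),
    ("alice", "example-forum.net", 1),
    ("alice", "example-forum.net", 2),   # iteration bumped after a forced password change
]

def derive_all(master: str) -> dict:
    """Derive the password for every entry in SITES; the master never leaves memory."""
    return {(u, d, i): derive_password(u, d, master, i) for (u, d, i) in SITES}

if __name__ == "__main__":
    for key, pw in derive_all("correct horse battery staple").items():
        print(key, pw)
```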
    73. Re:Better than post-it notes by Ed+Avis · · Score: 1

      Good point - what if you don't trust the local machine running your web browser? At least with the current multi-password setup you can log into Slashdot on a public terminal without also giving that machine access to the key for your bank account. I don't know if this circle can be squared: if you as the user want to provide enough information to the PC to let it access Slashdot but not the bank then the secret information for Slashdot and for the bank must be different - in other words separate passwords, which is what we were trying to avoid.

      Similar to other applications of public/private keypairs, you could tell a website to accept other public keys. I am thinking here of what you do with ssh, when you can add as many keys as you like to your ~/.ssh/authorized_keys file. You could generate a 'low-security' keypair to carry on your USB storage device, and upload its public key to Slashdot and other unimportant websites but not to Paypal.

      --
      -- Ed Avis ed@membled.com
    74. Re:Better than post-it notes by MsGeek · · Score: 1

      A PDA is as mortal as any electronic device. PDA breaks...you are screwed.

      --
      Knowledge is power. Knowledge shared is power multiplied.
    75. Re:Better than post-it notes by Canadian_Daemon · · Score: 1

      If you do have to use 40 passwords, then yes, an encrypted file would be best. (USB thumb drive perhaps?)

      --
      This sig is definitive. Reality is frequently inaccurate.
    76. Re:Better than post-it notes by uberdave · · Score: 1

      > c) REQUIRE you to have at least one number, or one upper + one lower case, or one symbol (not every string in the table above has a number, or a symbol, etc)

      That's fairly easy. Have each of the consonants have an uppercase and a number, and every vowel a lowercase and a symbol. Then every keyword will generate a password consisting of upper and lower case letters, plus numbers and symbols.

    77. Re:Better than post-it notes by Ryan+Amos · · Score: 1

      You mean like SSL?

    78. Re:Better than post-it notes by 00110011 · · Score: 1

      What if you remember only part of the phrase when it comes time to type out the password or if a synonym of a word you used pops up when you think of the phrase? "Hmm. Did I use 'SlashDot Keeps Posting The Same Thing Over And Over' (sdkptstoao) or '/. Keeps RePosting The Same Thing Over And Over' (/.krptstoao) or 'SlashDot Keeps Duping Articles Over And Over'(sdkdaoao)"?

    79. Re:Better than post-it notes by girish · · Score: 1

      I don't remember who the original poster is, but the credit should go to that person. I just have the pl file with me without a credit.
      Here is the code from the original post:

      #!/usr/bin/perl
      use strict;
      use warnings;

      # Characters a code-sheet entry may contain: letters, digits and a few symbols.
      my @chars = qw( a b c d e f g h i j k l m n o p q r s t u v w x y z
                      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
                      0 1 2 3 4 5 6 7 8 9 ! @ # $ % ^ & * );
      my @keys = ('a' .. 'z');
      my $cnt = 0;

      # Print each letter followed by a random two-character code, three entries per line.
      foreach my $x (@keys) {
          print "$x ";
          # rand(@chars) covers 0 .. $#chars; the original's rand($#chars) could never pick '*'
          print $chars[rand @chars];
          print $chars[rand @chars];
          $cnt++;
          if ($cnt == 3) {
              print "\n";
              $cnt = 0;
          }
          else {
              print " ";
          }
      }
      # Finish the last, partial row with a newline.
      print "\n" if $cnt != 0;

    80. Re:Better than post-it notes by killa62 · · Score: 1

      This method of making passwords was mentioned on the Security Now podcast by Steve Gibson, (grc.com)

      Here's the link
      http://www.grc.com/securitynow.htm

    81. Re:Better than post-it notes by gcauthon · · Score: 1

      Where would you store the certificates? What would keep malware from stealing your client certificates and impersonating you? You can't restrict to IP because a lot of people use DHCP. To me, it seems like a client certificate with no pass-phrase is like a plain-text file containing your passwords. If you think password files should be encrypted then why would you like client certificates? And if you require a pass-phrase on your client certificates then we're back where we started. How do you remember those passwords?

    82. Re:Better than post-it notes by baadger · · Score: 1

      Do you think we will see a time when there are so many restrictions on passwords that the actual dictionary size on a dictionary attack can be reduced and not enlarged? It's very easy for a restrictive system to become counter productive.

      Dictionary attacks should be made moot on any important system by limiting the number of login attempts with time. What is the point?

      What authentication needs is to lay off the password restrictions (except for MAYBE a minimum length, because somebody typing 'a' is extremely easy to spot even from metres away), persistently remind users not to use their date of birth or nick name and for implementations to take more responsibility in keeping crackers out.

    83. Re:Better than post-it notes by naChoZ · · Score: 1

      I use vim with a combination of the Viki plugin and GPG. Not too tough. Just make sure you've got the modeline set in your encrypted file: # vim: nobackup nowritebackup noswapfile bufhidden=wipe

      Then a few auto commands in your .vimrc and you're good to go. I just press enter on my password file.gpg link and hit enter, vim takes care of allowing gpg to prompt for my passphrase and everything.

      --
      "I can be self-referential if I want to," said Tom, swiftly.
    84. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Last time I checked in my dictionary obfuscation was "confusion resulting from failure to understand". If you are obfuscating something and then relying on just that to protect your information then you are a fool. It is just a matter of time until someone figures out your "secret algorithm" and follows the same procedure to get the same results.

      Modern encryption is not about obfuscating things, it's about precise mathematical formulas and prime factorization among other things. The difficulty lies not in knowing the algorithm used to transform the data set (algorithms are actually usually widely published) but in being able to break the algorithm when you do know it. This is most *definitely* not the case with obfuscation. So please before you speak next time, do know what you are talking about.

    85. Re:Better than post-it notes by sik0fewl · · Score: 3, Funny

      I do something similar, but I use a simpler matrix:

      a - a b - b c - c
      d - d e - e f - f
      g - g h - h i - i
      j - j k - k l - l
      m - m n - n o - o
      p - p q - q r - r
      s - s t - t u - u
      v - v w - w x - x
      y - y z - z

      So my bank password would map to "bank" and my slashdot password would map to "slashdot".

      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
    86. Re:Better than post-it notes by Anonymous Coward · · Score: 0
      > What about when you need to login at a public terminal or from a friend's house?
      Don't. You have to assume that whoever's computer that is, they've told it to record everything you do, copy all inserted media, etc. It amuses me when someone ssh's into their account from my machine to check their mail and then get all secretive as they type their password. How do you know my ssh client isn't logging your keystrokes? (My computer isn't doing that, but why take my word for that?)

      What it really comes down to, is that you can't ever use someone else's computer when working with your secrets. You have to bring your own.

    87. Re:Better than post-it notes by saskboy · · Score: 1

      I don't use my "secure" passwords on certain systems. Any bulletin board for example is not a secure use, so it gets a basic password, and if I don't trust the site admin I make up a completely new password for it only so if he tries to log in other places with my info, it won't work.

      My more secure passwords are reserved for things like financially linked sites.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    88. Re:Better than post-it notes by gfody · · Score: 1

      what if your private key is stored in a little bluetooth keychain that never actually emits the raw key but instead answers requests to decrypt strings. then the only thing a public computer could capture is the decrypted string, but that should only be good for as long as the session.. or, since it's happening behind the scenes anyways maybe it actually hits your bluetooth decrypter every few seconds with a new string so it knows when to end the session.

      --

      bite my glorious golden ass.
    89. Re:Better than post-it notes by d34thm0nk3y · · Score: 1

      No form of password protection will defend against this though.

    90. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Where is the source code?

    91. Re:Better than post-it notes by John+Straffin · · Score: 1
      Here's what I sent to Steve regarding his info. He replied:
      Unfortunately we have pretty much beaten the topic to death now, or I would *definitely* mention your thoughts. Every point you make is very good and very "real world" as you say.
      What do you think?
      In response to your last two episodes on passwords, I feel strongly that you need to be a little more realistic. I support PCs at a major university where just about every PC is an Internet-facing PC (no hardware firewalls). Here's what I tell my users:

      - Longer is better = using 14 lowercase letters, it will take a brute force attack of one million attempts per second over two million years to go through all possible combinations. Start your password with a late-in-the-alphabet letter to put it at the end of those attempts.
      - Dictionary words are fine, as long as you use more than one or two = a dictionary attack of one million attempts per second using a 350,000 word dictionary would take almost 1,360 years to go through all possible combinations of a three word phrase. Put in a single number, symbol, or intentional misspelling and you increase the difficulty of cracking your password immeasurably.
      - In the real world, it's not about *you*. Almost no hacker is looking for what's on Joe User's PC. They're looking for what's *not* on the PC: the unused space on the hard drive (for warez storage) and the unused CPU cycles (for zombie attacks). The vast majority of password attacks on a single PC are going to be brief automated attacks using a dictionary of 100 or so of the most likely passwords, then moving on to the next target.
      - Regarding web site passwords, I agree that you should have a "throw-away" password for sites like nytimes.com and separate passwords for truly secured sites, but even those don't have to be as hard as you made them last week. Nobody is going to sit there trying to brute force or dictionary attack a web site that allows (at most due to the unavoidable lag of http communications) *one* attempt per second. They're going to either (a) attack the web site in ways that are out of your control and get your info without your password, or (b) try a few basic passwords, hoping that you're dumb enough to use something like "password" or "topsecret".

      So, even though something like "mystr0ngpasswerd" (or even "mystrongpassword") doesn't look very strong to our human eyes, it's actually very strong to a computer and stronger than something like "x2&e1B9$o" simply due to its length. It's also fairly easy to remember, which the other is certainly not.

      A University Security Officer I know said this about it:
      "Regarding password strength, the method of comparing differing authentication methods that I am trying to promote is the concept of bits of entropy. This has a very firm foundation in information theory and can yield some very interesting results. For your specific comparison ("mystrongpassword" vs "x2&e1B9$o"), I believe that given a 100k dictionary (sorry, don't believe that most ppl's vocabulary is larger than this) that "mystrongpassword" contains about 50 bits of entropy (2^50 possible randomly distributed combinations). "x2&e1B9$o" which is 9 characters drawn randomly from a set of ~90 characters has 58 bits of entropy and so is somewhat larger. So both of these compare roughly to the government's deprecated 56 bit encryption mechanism: DES.

      That said, for anything above ~30 bits of entropy, the difference is mostly academic. Password guessing attempts aren't going to try more than a few thousand combinations."
      --
      My contempt for the behavior and beliefs of the two major political parties cannot be adequately expressed in 120 chara
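      The brute-force times in Straffin's list and the bits-of-entropy comparison in the security officer's reply, carried through as an added worked example (not from the post): every password is modelled as symbols drawn uniformly from an alphabet or dictionary of the stated size, which is the assumption behind both sets of figures and is why a 350,000-word dictionary and a 100k one give different answers for the same phrase.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` picks drawn uniformly from `choices_per_symbol`
    options. A "symbol" is a character (alphabet size) or a whole word (dictionary size),
    which is how the security officer's 100k-dictionary estimate is built."""
    return symbols * math.log2(choices_per_symbol)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every one of the 2**bits possibilities at the given rate;
    an attacker expects to succeed in about half that time."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def compare(candidates, guesses_per_second: float = 1e6) -> dict:
    """Map each (label, choices, symbols) model to (bits, years to exhaust)."""
    out = {}
    for label, choices, symbols in candidates:
        bits = entropy_bits(choices, symbols)
        out[label] = (bits, years_to_exhaust(bits, guesses_per_second))
    return out

# The page's own cases: 14 random lowercase letters and a three-word phrase from a
# 350,000-word dictionary (Straffin, at one million guesses per second), then
# "mystrongpassword" as three words from a 100k dictionary and "x2&e1B9$o" as
# 9 characters from a ~90-character set (the security officer).
MODELS = [
    ("14 lowercase letters", 26, 14),
    ("3 words, 350k dictionary", 350_000, 3),
    ("mystrongpassword (3 words, 100k dictionary)", 100_000, 3),
    ("x2&e1B9$o (9 chars, ~90 symbols)", 90, 9),
]

if __name__ == "__main__":
    for label, (bits, years) in compare(MODELS).items():
        print(f"{label:45s} {bits:5.1f} bits  {years:,.0f} years at 1e6 guesses/s")
```

      The uniform-choice model is an upper bound: a phrase a person actually picks is drawn from a much smaller, skewed set than the full dictionary, so real entropy is lower than these figures.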
    92. Re:Better than post-it notes by MacGod · · Score: 1

      Personally, I think the best method is to make sentences. For example, you could use the fairly indecipherable password 1Cps2PtS3?4P! which looks like nothing but gibberish

      However, it is in reality, an acronym for the classic Slashdot joke:
      1) Create password scheme
      2) Post to Slashdot
      3) ?
      4) Profit!

      The result is a mixed-case, alphanumeric password that's nigh-impossible to guess randomly, but is easy enough to remember and I don't need to carry around a card for it. Even simple sentences ("My birthday is July 26") can become decent passwords ("MbdiJ26")

      --
      "Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
    93. Re:Better than post-it notes by Lord+Ender · · Score: 1

      Is what you posted the matrix or the perl source code?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    94. Re:Better than post-it notes by Ernesto+Alvarez · · Score: 1

      You're right, Mr AC.

      If you don't trust your terminal you should always assume the worst. You can apply some measures to minimize the exposure, though.

      In my case I've set up my server to require SSH public keys for external logins and OPIE for root access everywhere except in the console. In the unfortunate event that the terminal I'm using is compromised, at most the intruders will get to the non-root account (if they manage to copy my private key and passphrase, nothing if they don't). They won't get root because a one-time password can't be reused (and it is calculated on my PDA). That is, of course, unless the terminal hijacks my session, so the best defense is not to use an unknown terminal if possible.

      That means that I need an SSH key available at the terminal and my PDA on me whenever I need access. Then again, if those conditions are not met, it's usually because I shouldn't be logging in from there.

      Yes, I'm pretty paranoid. I carry enough crypto in my PDA for World War III (Hey, crypto is a munition, go ask the USA).

    95. Re:Better than post-it notes by vox_gabrieli · · Score: 1

      Even if different sites require different CAs, you don't need multiple private keys. You don't need to protect your multiple public certificates, so it's not an issue.

    96. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Yes, I'm an anonymous coward. I think you would agree that this should NOT be associated w/ any slashdot login.

      I will in fact reuse my passwords on many many systems. One-way encryption is your friend.

      Oh, and yes I did have a password in use for a dozen systems compromised once. It worked out well enough because the attacker couldn't figure out *which* other systems had the same password (I don't use the same password on every system).

    97. Re:Better than post-it notes by Heian-794 · · Score: 1

      If you speak any foreign languages, make use of all of them. Then, only people who know all the languages you know will be able to crack your password.

      Here in Japan everyone knows Japanese characters plus the Roman alphabet, so you need to be creative. Right now I've got a post-it note on my desk containing very sloppily-written Cyrillic for the letters and Arabic and Gujarati for the numbers. When the time comes to change the password again, I'll use Tibetan for the letters and then the surnames of various baseball players for the numbers (just remember what position they play).

      Just make sure to write messily enough so that people can't identify what language it is unless they can actually read it. And if some of these foreign alphabet characters look like different characters (for example, Latin "R" looks like a P in Russian), you can lead hackers on the wrong trail. All respect to the OP, but with this system, even if someone steals your card with this stuff written on it, they'll never figure it out.

    98. Re:Better than post-it notes by arminw · · Score: 1

      ....figure out what you were doing and swipe your wallet....

      If someone swipes my wallet I'd have bigger problems than a few compromised passwords. A number of credit cards and the driver's license loss for starters.

      One thing my bank does is to prominently display on the screen when my account was last logged into. If that showed a date and time when I knew I did NOT log in, I'd know someone has my password. This should be part of every login procedure. The Mac OSX keychain is a rather easy way to deal with passwords, since the user only has to remember the one login password. This of course is not too helpful for someone who must log in from various public computers. Any of those could have a key logger installed.

      --
      All theory is gray
    99. Re:Better than post-it notes by SoloFlyer2 · · Score: 1

      We need to set up a simple open client-server protocol where, given username@authserver.com, you punch in a password, the site you are accessing hashes the password using a challenge packet given by the authserver, and sends it to the authserver for verification.

      The auth server can be set up so that, depending on the site requesting, the passwords can be different.

      I.e. password 9 if request comes from site Y, password 3 if request comes from site Z

      When you visit a website for the first time you have a button that says register; the server then sends a registration packet to your auth server. You then connect to your authserver and punch in the password and, hey presto, quick and easy registration with a centralized database for your passwords. You update your passwords on the server and can delete accounts when they are no longer needed. You can even keep track of attempts to log in using your accounts by other people...

      If you forget a password you can easily change it so long as you remember the master password...

      For the paranoid among us (This is Slashdot after all) we can run our own auth server rather than relying on other service providers

      I'm sure that this could be done without writing any new protocols or by simply tweaking existing ones.

      Once the protocol is set out the interfaces can be heavily modified and still retain compatibility... Even a possible Firefox plugin :)

      Eagerly awaiting holes to be poked in my idea :)

      --
      "I reject your reality, and substitute my own" - Adam Savage
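
The exchange described in the comment above, simulated as an added example that is not part of the thread: the authserver issues a single-use challenge, the site being accessed hashes the typed password with it and forwards the result, and the authserver verifies against the per-site password it holds and logs the attempt. The hostname, site names, passwords and class names are constructed for this example; HMAC-SHA256 is the hash chosen here.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """The user's own authserver: holds a different password per registered site."""

    def __init__(self):
        self._site_passwords = {}   # (username, site) -> password
        self._challenges = {}       # outstanding challenge -> (username, site); single use
        self.audit_log = []         # every attempt, so the user can watch for strangers

    def register(self, username, site, password):
        self._site_passwords[(username, site)] = password

    def issue_challenge(self, username, site):
        challenge = secrets.token_hex(16)   # fresh random challenge per login attempt
        self._challenges[challenge] = (username, site)
        return challenge

    def verify(self, username, site, challenge, response):
        # The challenge must be outstanding for exactly this user and site, and is consumed
        # on first use, so a captured response cannot be replayed.
        if self._challenges.pop(challenge, None) != (username, site):
            self.audit_log.append((username, site, "stale or unknown challenge"))
            return False
        password = self._site_passwords.get((username, site))
        if password is None:
            self.audit_log.append((username, site, "unregistered site"))
            return False
        expected = hmac.new(password.encode(), challenge.encode(), hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, response)
        self.audit_log.append((username, site, "ok" if ok else "bad password"))
        return ok


class RelyingSite:
    """The site being accessed: hashes the typed password with the challenge and forwards it."""

    def __init__(self, name, directory):
        self.name = name
        self.directory = directory   # hostname -> AuthServer; a constructed stand-in for lookup

    def login(self, identity, typed_password):
        username, host = identity.split("@", 1)
        authserver = self.directory[host]
        challenge = authserver.issue_challenge(username, self.name)
        # As described in the comment, the site sees the cleartext password before hashing it.
        response = hmac.new(typed_password.encode(), challenge.encode(), hashlib.sha256).hexdigest()
        return authserver.verify(username, self.name, challenge, response)


def demo():
    """Run the comment's scenario: password 9 for site Y, password 3 for site Z."""
    auth = AuthServer()
    auth.register("alice", "siteY", "password9")
    auth.register("alice", "siteZ", "password3")
    directory = {"authserver.example": auth}   # constructed hostname
    site_y = RelyingSite("siteY", directory)
    site_z = RelyingSite("siteZ", directory)
    results = {
        "y_correct": site_y.login("alice@authserver.example", "password9"),
        "z_correct": site_z.login("alice@authserver.example", "password3"),
        "y_with_z_password": site_y.login("alice@authserver.example", "password3"),
    }
    # A replayed response is rejected because the challenge was consumed.
    challenge = auth.issue_challenge("alice", "siteY")
    response = hmac.new(b"password9", challenge.encode(), hashlib.sha256).hexdigest()
    first = auth.verify("alice", "siteY", challenge, response)
    second = auth.verify("alice", "siteY", challenge, response)
    results["replay_rejected"] = first and not second
    return results, auth


if __name__ == "__main__":
    outcome, server = demo()
    print(outcome)
    for entry in server.audit_log:
        print(entry)
```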
    100. Re:Better than post-it notes by iivel · · Score: 1

      Code again from my implementation. I don't remember where I picked up the original as it wasn't commented, but credit should go to whomever wrote it in the first place. We use numeric versions of this for some digital cipher locks.

      <?php
      // $chars and $keys are whatever you want to use in them; sample values here.
      $chars = str_split('abcdefghijklmnopqrstuvwxyz0123456789');
      $keys  = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZ');
      $cnt = 0;
      foreach ($keys as $x)
      {
              // print the key character, then two random characters from $chars
              // (the HTML tags around each cell were eaten by the lameness filter)
              print $x . ' ';
              $rand_keys = array_rand($chars, 2);
              print $chars[$rand_keys[0]] . $chars[$rand_keys[1]] . "  ";
              if ($cnt % 2) {
                      print "\n";   // two key/value pairs per line
              }

              $cnt++;
      }
      print "\n";
      ?>
      Chars and keys are of course whatever you want to use in them. I know my server is going to burn for giving a link on /. , but here it goes:
      The output is here http://www.levii.com/cipher.php

    101. Re:Better than post-it notes by dcam · · Score: 1

      Having just broken my PDA, there are solutions.

      I use keyring. There is also a tool to read the passwords on windows (See the links in the site). As I understand it, this is integrated into KPilot.

      --
      meh
    102. Re:Better than post-it notes by coralsaw · · Score: 1

      Just GPG one file full of passwords, and remember your GPG key. I use one .gpg file per password (ascii armored), its filename being descriptive to the password eg: amazon-login.gpg. Even if the plaintext file gets forgotten behind or gets intercepted, you only lose one password. All files are encrypted to 2 gpg keys, the backup one being printed and stored permanently in a safe place in case I forget my primary one. Neither gpg key is kept online ever. Secure enough for the collective value of my secrets. /coralsaw

      --
      <before>now</before>
    103. Re:Better than post-it notes by Shano · · Score: 1

      Making the function a random permutation of the ASCII code gives more (theoretical) security than a simple password - there are 72! permutations of just alphanumeric characters. The disadvantage is that if you have some passwords you may be able to reconstruct enough of the function to crack others.

      Some sort of hash function would help here. Obviously, hash -> permute doesn't help much, as it's vulnerable to the same attack. But would permute -> hash -> permute work? The first "permutation" can be any function (256^256 to choose from), and the second is a mapping to the target character set (say, 72^256).

      In this case, the two permutations become the key, and passwords can be generated from any old rubbish - such as a website name, maybe with a couple of salt characters (indeed, that would increase security against just hash -> permute). I don't know enough about hash functions to say whether there are trivial attacks against it, though.

      As for my passwords, I just generate them randomly and have them encrypted on a PDA. I remember 5 or 6 that I use regularly, and look up the rest.

    104. Re:Better than post-it notes by Shano · · Score: 1

      Except that the table is secret. At least, I'm assuming he didn't post the real thing.

      If you have a large enough sample of passwords generated using the table, then there's a threat. Otherwise, it isn't significantly worse than any other method.

      Having the table stolen is certainly a risk (and having it "borrowed" and copied without your knowledge even more so), but if it's treated as part of the secret key, and kept in a wallet, then it's considerably better than post-it notes.

    105. Re:Better than post-it notes by Shano · · Score: 1

      Security through obfuscation of algorithms is not security. Obfuscation of keys is security. The whole point of a key is that it's obfuscated (hidden, kept secret).

      A good security system has an algorithm, and a key. It should be possible to reveal the algorithm in detail, without compromising security. If the key is revealed, then obviously you're screwed.

      The table is part of the key. The table he posted is an example, not the real thing (I hope). There are risks associated with this method, but it isn't particularly bad unless you have some sample passwords and know the words that they encode.

    106. Re:Better than post-it notes by Pieroxy · · Score: 1

      While this is good in theory, this is utterly useless for anything else as virtually no website uses this.

      That would be the way of course.

      One problem, though is how can you keep track of key revocations through this system?

    107. Re:Better than post-it notes by corneliusagain · · Score: 1
      I do something similar - having my passwords formed by a set of rules that I've developed over the years, and noting down in my palm a word which leads me to the password.

      It actually takes a while to come up with new passwords to add to the repertoire, because they have to fit the system, but I have over a dozen, I guess, with some of the older ones reused and the newer ones used where I need more security.

    108. Re:Better than post-it notes by Onewheel · · Score: 0

      I don't see where the security is. Especially after telling your method (now everybody knows what this piece of paper is).

      With your piece of paper, I just have to guess a 4-letter password with no funny characters. A lot easier than the 8-letter one. Thanks!

    109. Re:Better than post-it notes by Ed+Avis · · Score: 1

      Perhaps you could use existing GPG key revocation mechanisms, though I'm not much clued up about what those are.

      --
      -- Ed Avis ed@membled.com
    110. Re:Better than post-it notes by Pieroxy · · Score: 1

      The GP was assuming that his method would be universal and as such would grant you the right of authenticating with the same key on every website. I, for one, don't use the same uid/pw on my bank account and on random websites I need to register to.

    111. Re:Better than post-it notes by milimetric · · Score: 1

      dude, that's the whole point. They can't crack that password, it's complex and it has non dictionary words and symbols. In practice, I actually use different symbols for different things. Like I might use & for banks instead of $. In any case, that little card that the parent showed, if someone cracks one thing it'd be SUPER easy with a dictionary attack to crack literally everything he has.

    112. Re:Better than post-it notes by InvalidError · · Score: 1

      I did say any arithmetic function... well-known hashes are only one well-documented class of arbitrary arithmetic functions.

      What I had in mind was to hash the secret, specific phrases and the two combined then do arbitrary arithmetic with those five components to produce arbitrary length passwords. The secret phrase protects against algorithm exposure and the hashes protect against all but the most awful scrambler algorithms: those that tend to undo themselves. Basically, the secret phrase is the password, the public site-specific text (to which some undocumented rules may need to be applied first) is the salt and the result is the site-specific password.

      BTW, A-Za-z0-9 = 62 alphanumeric characters... add the other standard English keyboard characters (punctuation, brackets, etc.) and you get at least 94.
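
The site-specific password derivation sketched by Shano (comment 103: permute -> hash -> permute keyed by the permutations) and by InvalidError (comment 112: hashes of the secret phrase, the site text and both combined, mixed into a site-specific password), as one added example that is not code from either poster. The secret-keyed HMAC plays the part of the first, secret "permutation", and the unbiased mapping onto the target character set plays the second; the character set, function name and sample inputs are constructed for this example.

```python
import hashlib
import hmac

# Target character set for the final mapping: the 62 alphanumerics plus a few symbols (constructed).
TARGET_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!$%&*+-=?@_"


def derive_site_password(secret_phrase: str, site: str, salt: str = "",
                         length: int = 16, charset: str = TARGET_CHARSET) -> str:
    """Derive a site-specific password from a secret phrase and public site text.

    1. hash(secret), hash(site+salt) and hash(secret+site+salt) are the components;
    2. the secret-derived material keys an HMAC over the site-derived material, so the
       public text is "permuted" by a function an attacker cannot reconstruct from outputs;
    3. the digest stream is mapped onto `charset` without modulo bias.
    Everything derived this way falls with the secret phrase, so it must stay secret.
    """
    h_secret = hashlib.sha256(secret_phrase.encode()).digest()
    h_site = hashlib.sha256((site + salt).encode()).digest()
    h_both = hashlib.sha256((secret_phrase + site + salt).encode()).digest()
    key = h_secret + h_both                      # secret-dependent components become the key

    # Rejection sampling: only bytes below `limit` are used, so every charset symbol
    # is equally likely (256 is not a multiple of len(charset)).
    limit = 256 - (256 % len(charset))
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, h_site + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for b in block:
            if b < limit:
                out.append(charset[b % len(charset)])
                if len(out) == length:
                    break
        counter += 1                             # more output needed: next counter block
    return "".join(out)


if __name__ == "__main__":
    # Sample inputs, constructed for the demonstration.
    print(derive_site_password("correct horse", "bank.example"))
    print(derive_site_password("correct horse", "shop.example"))
    print(derive_site_password("correct horse", "bank.example", salt="v2"))
```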

    113. Re:Better than post-it notes by lliinnuuxxlover · · Score: 1

      Unless you have a three digit UID. That is more precious than any bank password.
      (sadly I am not one)

      --
      This Post was entirely made up of recycled electrons making up recycled signals to generate recycles ASCII to generate t
    114. Re:Better than post-it notes by Retric · · Score: 1

      You would need to recall your public key (which is long and random so it's going to be hard for most people) and a single key logger would compromise all your passwords. So it's not really much better than having software keep a listing of all your passwords. At which point it's going to work on all sites, not just ones that implement your system.

    115. Re:Better than post-it notes by Anonymous Coward · · Score: 0

      Hey nizo,

      I thought I remembered someone else using this same system, but it turns out it was just you back in June making the same comment.

      Funny story, eh?

    116. Re:Better than post-it notes by Syberghost · · Score: 2, Informative

      I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much more easy to remember than gibberish.

      No offense, but get better sources. Checking for two dictionary words with a number or special character between them is standard, and in fact limiting it to 8 possibilities instead of 10 makes it less secure, albeit imperceptibly so.

    117. Re:Better than post-it notes by jouva · · Score: 2

      Actually I find yours to be more obfuscated. But that's my opinion.

    118. Re:Better than post-it notes by nine-times · · Score: 1

      Was some of the code lost on this post?

    119. Re:Better than post-it notes by iivel · · Score: 1

      Yeah ... I can't seem to get around the lameness filter.

    120. Re:Better than post-it notes by iivel · · Score: 1

      I put the code at http://levii.com/cipher.php

    121. Re:Better than post-it notes by nine-times · · Score: 1

      gee, thanks. I might actually use this.

    122. Re:Better than post-it notes by rew · · Score: 1

      In cryptography (and that's what you're doing) you should assume that the adversary knows the "algorithms" involved; just the "key" is the thing he doesn't know.

      In this case, there are two keys: In your example: "bank" (too easy to guess) and the laminated card. The laminated card is easy to get hold of "offline".

  4. Frustration by mysqlrocks · · Score: 2, Insightful

    This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.

    Any good sysadmin knows that if you make the password policy too strict you could actually be worsening your security situation. People will start sticking their passwords under their keyboards or on their monitors.

    1. Re:Frustration by L0C0loco · · Score: 1

      Ooh! under the keyboard - cool, I'll have to try that. Really, I gave up long ago with trying to keep track of my passwords at work since they change every 90 days. Now I just keep a file named PassWords.txt on my computer virtual desktop and remember my login password. Of course that is just for work. At home I get to manage my own password policies and do not have this problem.

      --
      -- Instant Karma's gonna get you! [320848 = 2*2*2*2*11*1823]
    2. Re:Frustration by porkThreeWays · · Score: 1

      This is going to happen regardless...

      Another admin and I were trying to figure out good passwords for 4 users for sensitive data. We spent a good 20 minutes figuring out memorable passwords that were secure and had meaning. They were very easy to remember because they all had meaning to that individual person.
      Well... a few weeks later I'm in that dept. helping pull cable. Sure enough on a monitor is a yellow post-it with site address, username, and password. Right there on the monitor. We could have just as well made it gobbly-goo because they are gonna stick it on the monitor regardless.

      --
      If an officer ever threatens to taze you, say you have a pacemaker.
    3. Re:Frustration by lucabrasi999 · · Score: 1
      People will start sticking their passwords under their keyboards or on their monitors.

      And we know where that leads:

      Joshua: Shall we play a game?
      David Lightman: Oh!
      Jennifer: I think it missed him.
      David Lightman: Yeah. Weird isn't it? Love to. How about Global Thermonuclear War.
      Joshua: Wouldn't you prefer a nice game of chess?
      David Lightman: Later. Right now let's play Global Thermonuclear War.
      Joshua: Fine.
  5. as usual, blame the users for trying by yagu · · Score: 5, Insightful

    (BTW, this is basically a dupe from about four or five years ago...)

    From the article (and the post):

    The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

    First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know who you are", as if these people are doing something wrong. Their jobs of dealing with the consumer public are hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to serve the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

    As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

    In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

    I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

    1. Re:as usual, blame the users for trying by thc69 · · Score: 2, Insightful

      Heheh..."too many" passwords. I've found that the username/password pair concept is so alien and nonunderstandable by so many users that it's entirely pointless. My more savvy clients understand how it works, but use a single insecure password (including one who uses "password") everywhere.

      I hate to say it, because the whole concept is so incredibly simple to me, but it's just not going to happen with users.

      Further, they want to be _told_ that they're secure, they want to make somebody else suffer when their security is breached, but they do NOT want to work in any way to remain secure, even the ones who understand the concept.

      --
      Procrastination -- because good things come to those who wait.
    2. Re:as usual, blame the users for trying by WindBourne · · Score: 1

      Funny thing about this, is that a bad password is one of the top problems in *nix world. In the MS world, it is very low on the totem pole. Much more could be accomplished by updating Windows and all its anti-viral software on an everyday basis or by simply upgrading to a superior OS.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:as usual, blame the users for trying by Otter · · Score: 1
      (BTW, this is basically a dupe from about four or five years ago...)

      Huh? The study came out today! Poor Zonk catches enough flak already, without hassling him over this.

      Unless you're saying that we've heard this before, which is certainly true (we get a story like this every week or two), but until the lesson starts to sink in to admins' heads, I say keep 'em coming!

    4. Re:as usual, blame the users for trying by Beryllium+Sphere(tm) · · Score: 1

      >I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building

      Except for auditability. Individual passwords help you answer questions like "who looked up Bill Gates's credit report?" or "who deleted the database?".

    5. Re:as usual, blame the users for trying by soft_guy · · Score: 1

      until the lesson starts to sink in to admins' heads, I say keep 'em coming!

      OK. But what exactly is the lesson? You're damned if you do and damned if you don't?

      --
      Avoid Missing Ball for High Score
    6. Re:as usual, blame the users for trying by ant_slayer · · Score: 1

      I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building.

      That's a cool idea except that you are only considering the impact to day-to-day operation. I worked in incident response and computer forensics for a fortune 500 for a few years, and I can provide for you the part you're missing. The vast majority of cases where we got involved were internal folks abusing the system.

      If everyone was as honorable as you and I are, then there would be no problems. Heck, then we wouldn't need security on the perimeter. But an alarmingly high number of security compromises happen after someone who works there gets ticked or interested or greedy, etc. I'm not even talking about "espionage" where someone hires on with your company to get at the gooey chocolate center.

      You can only let go of access controls on the inside when you can trust everyone on the inside. You may feel offended that you, as an employee, should not be trusted, but alas -- history, case law, and the whole industry of internal investigations indicates that employees cannot be trusted outside of reasonable bounds. A cool enough lawsuit can take a company down.

      Most people think that password security is to keep some "criminal" from getting into the company's secrets. Unfortunately, most of the time the "criminal" doesn't come from outside.

      -Ant Slayer-
    7. Re:as usual, blame the users for trying by jschottm · · Score: 1

      I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building.

      Beyond the excellent point that a very large part of computer attacks (including people prying into information they aren't supposed to have) are inside jobs, what you're proposing means that once a trojan/virus penetrated a user's computer, the inside of the network would be ripe for the taking. Just like when Blaster got in behind the firewalls via laptops and hit the unprotected systems.

      Not to mention the fact that it's relatively easy to socially engineer yourself past the front door.

      The world could function more efficiently in theory if no doors had locks and cars started by pressing a button, in practice it would be a really bad idea.

  6. kwallet by DarkProphet · · Score: 4, Interesting

    I find that kwallet works well for this in KDE, but it's a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

    I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...

    --
    What could possibly hurt the security of the American people more than giving our own government the ability to hide its
    1. Re:kwallet by tktk · · Score: 1

      What about logins? Don't you ever encounter sites where the login you want has already been taken? Then you have to get the right combination of login and passwords.

    2. Re: kwallet by Abelard+Lindsay · · Score: 1

      Password safe - http://passwordsafe.sourceforge.net/ for those stuck on Windows boxen

    3. Re:kwallet by TheViffer · · Score: 1

      AnyPassword - http://www.romanlab.com/apw/ is just another Windows Program. Pretty nice. Load it up on a thumb drive and away you go.

      --
      -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
    4. Re:kwallet by Anonymous Coward · · Score: 0

      I more often run into the case where they insist on giving you one login, or use your email as a login (which email did I give these idiots this time?). I usually end up going through the "forgot your password" routine to find out that my login was my hotmail address.

    5. Re:kwallet by Jugalator · · Score: 1

      but its a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

      Bah, all those uninformed KDE users!

      This is what Windows XP users do to identify themselves automatically via a global password!
      It's easy as pie, and when done and Microsoft have your information, just login to any supporting application with your server-stored identity.

      Wohoo! Thank YOU, Microsoft! :-D

      [/ignorance]

      --
      Beware: In C++, your friends can see your privates!
    6. Re:kwallet by pyrrhonist · · Score: 1
      Since everyone else is doing it, I'll list a Windows password manager too.

      Try http://keepass.sourceforge.net/.

      KeePass can:

      • Automatically enter a username, password, and <enter> for you.
      • Use a key disk, a master password, or both.
      • Be run from a USB drive (leaves no traces on the machine you run it on).
      • Use non-standard input/display fields, so password grabbing software can't swipe your password.
      • Generate passwords based on your specifications.
      • Store notes and other data in its password database.
      • Run in the systray for easy access, and load when you log in.
      • Use AES or Twofish.

      ...and it's open source!

      --
      Show me on the doll where his noodly appendage touched you.
    7. Re:kwallet by Hellasboy · · Score: 1

      You've had plenty of good responses but I can't help it to notice that all the solutions were limited to windows boxes. What if I need to recall a password on OSX, or some flavor of Linux?

      Are there any Java password managers that can run off a jump drive and leave no trace on the host machine?

      Albeit, now we're limited to machines that have Java installed... but this solution seems to make it a better cross-platform solution.

      --
      "Tread softly because you tread on my dreams"
    8. Re:kwallet by Johnny+Mnemonic · · Score: 1

      What if I need to recall a password on OSX

      Then you'd be using the Keychain, which comes with the OS. You can set it to unlock by default once you login; lock after a certain period; or have a different password than the login pass, requiring a manual unlock.

      Are there any Java password managers that can run off a jump drive and leave no trace on the host machine?

      There've been hints for how to put your Keychain on a Jump drive for your Mac--basically a symlink.

      --
      $tar -xvf .sig.tar
    9. Re:kwallet by TClevenger · · Score: 1

      Does anybody know of a program that has OS X, Linux and Windows/DOS versions? I'd love to have a single encrypted database with Windows, Linux and OS X programs that can open it, so I can store it on a keychain and access it from any of my home computers.

    10. Re:kwallet by HorsePunchKid · · Score: 1

      Yet another Windows recommendation: Password Agent. Does everything I need it to do, as far as I can tell.

      --
      Steven N. Severinghaus
    11. Re:kwallet by HorsePunchKid · · Score: 1

      Though having looked at KeePass, I can't really recommend Password Agent. It looks like KeePass does essentially everything that PA does, only it's free.

      --
      Steven N. Severinghaus
    12. Re:kwallet by sdpinpdx · · Score: 1
      There've been hints for how to put your Keychain on a Jump drive for your Mac--basically a symlink.

      Not even that. Just open the keychain access app, and tell it where you want your default keychain.
    13. Re:kwallet by Durinthal · · Score: 1

      Don't you ever encounter sites where the login you want has already been taken?

      Actually.. no. I never have. That's one of the benefits of having a unique moniker.. That's also the downside though; anyone can track where you've been online fairly easily.

    14. Re:kwallet by Habahaba · · Score: 1

      I once got a small exe from somewhere (maybe Google finds it)... it is called pspv.exe - it opens up the Windows password safe in an instant. So, it's not that safe at all. BTW, Google notifier stores the passwd in that same IE password safe (!=safe). But sometimes it's good if you can retrieve the passwds... I have no idea of my ./ passwd, but Opera keeps it - it just does not ever tell me anymore what it was.

  7. Just use your Social Security number. by team99parody · · Score: 0, Flamebait
    It's a number that's supposed to be kept secret with whomever you share it with (because society would collapse if they didn't) --- and it's a number that just about every organization seems to want anyway (so you don't have to fear revealing it to them since they have it anyway)

    Good idea?

    1. Re:Just use your Social Security number. by AutopsyReport · · Score: 1

      And if the encryption scheme being used was later broken, not only would someone have all the passwords, but all the corresponding social security numbers as well. I'd say that's not too good :)

      --
      For he today that sheds his blood with me shall be my brother.

    2. Re:Just use your Social Security number. by AutopsyReport · · Score: 1

      Wow... Hook, line and sinker. What a bitch!

      --
      For he today that sheds his blood with me shall be my brother.

    3. Re:Just use your Social Security number. by Anonymous Coward · · Score: 0
      I'm pretty sure the parent was shooting for "funny"....

      But interestingly enough, the analogy seems sound because so many stupid companies (banks, brokerages) will happily reset your password if you give them your SS# and mother's maiden name (which is a common "i forgot my password" code).

      Somehow we trust them with the Social Security numbers; but get all paranoid about sharing the much less valuable "password". This makes no sense. Rather than worrying about encrypting passwords; we should be worrying about encrypting the SS#s when we submit them to companies.

    4. Re:Just use your Social Security number. by AnonymousJackass · · Score: 1

      Good idea?

No!! That would give your boss and your Significant Other (assuming you give your S.O. such privileges) access to your email/bank/whatever accounts! They're the last people you want accessing them!

    5. Re:Just use your Social Security number. by everphilski · · Score: 1

      No letters. Won't pass on some password systems.

      -everphilski-

    6. Re:Just use your Social Security number. by merreborn · · Score: 2, Informative

      Just use your Social Security number... Good idea?

      No.

      That's about as secure as your mother's maiden name, or your dog's name.

      Which is to say, it's the worst password imaginable.

      Do you want your father/mother to have access to all your accounts?

      Hell, for wellsfargo.com, your SSN is your username!

      Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!

    7. Re:Just use your Social Security number. by team99parody · · Score: 1
      encrypting the SS#s when we submit them to companies.

Hmm.... For all these guys worrying about using a different password for each website - would it be legal to "make up" fake SS#s when dealing with stupid organizations who shouldn't really have access to it anyway? Personally, I think I'd feel quite a bit safer if my school (where I know the guys running IT) didn't have access to the same SS# for me as etrade.

      And for that matter, I'd feel even safer if flakey companies like Visa who use even flakier companies like ChoicePoint didn't have access to the same social security number that ETrade has.

      Seems the real answer to me is what the parent poster suggested --- Visa should only have an encrypted version of my SS#, and ETrade should only have a version encrypted by a different key.

    8. Re:Just use your Social Security number. by elocutio · · Score: 1

      Just use your Social Security number. Good idea?

      Well, considering that it's a NUMBER, and there are obvious and public rules that determine its composition, this is a very trivial brute-force crack waiting to happen.

      The key reason why alphanumeric passwords are conventional (often a network password policy requires a certain combination of numbers and letters), aside from over-the-shoulder obfuscation, is that they are harder to crack with a dictionary or brute-force approach.

      Most private investigators could tell you a person's social security number for a fee; in fact, many internet sites offer this same service.

      In general, pairing obvious personal information with your identity/alias/etc is a bad, bad, bad idea. I remember from my technical support years, seeing passwords that were obviously bank card pin numbers, or SSN serials, or daughter's name. If your password stores more information than a keyed access to your private/proprietary systems, it's a bad password.

    9. Re:Just use your Social Security number. by Cro+Magnon · · Score: 1

      You especially don't want your SO to have access to your bank accounts after she's discovered that love letter to Susan in your email!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    10. Re:Just use your Social Security number. by Anonymous Coward · · Score: 1, Informative

The first 3 digits aren't related to where you were born. They're related to where you were living when you received your SSN. I didn't get a SSN until the 5th city I lived in; it has nothing to do with where I was born, and everything to do with where I was living when I was registered.

Sometimes I wish my parents would have just not gotten me an SSN, not like I get much use out of it.

    11. Re:Just use your Social Security number. by Fulcrum+of+Evil · · Score: 1

      would it be legal to "make up" fake SS#s when dealing with stupid organizations who shouldn't really have access to it anyway.

      I dunno, probably wouldn't be illegal, unless you picked one that someone else already had. just to be safe, try using xxx-00-xxxx. None of those are valid. You can also ferret out the 'sample' ssn that's likewise invalid.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    12. Re:Just use your Social Security number. by SatanicPuppy · · Score: 2, Insightful

      Don't even need to break the scheme really. Ever notice that some sites, when you forget your password, will email it to you? Email you YOUR password, plain text, through email. Which means they're storing it in a format that is readable to them, AND they think email is an acceptable medium for transporting passwords. Oy vey.

      That kind of stuff makes me crazy. Any system I design has completely obfuscated passwords, the sort that can't be retrieved but have to be reset. To authenticate I mangle the password that they submit, and see if it matches the mangled one on file. Sure it's possible to de-mangle them, but it's a hell of a lot harder than cracking a piece of 2-way encryption, and you don't have to worry about people who are merely curious or unskilled.

      I can't think of a situation where I would want someone to be able to find out my password. I don't want them to be able to email it to me. If I forget, just reset it and send me a temporary password. Anything else is begging to be broken.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    13. Re:Just use your Social Security number. by merreborn · · Score: 1

"the first 3 digits aren't related to where you were born. they're related to where you were living when received your SSN" Interesting. As far as I know, most Americans born natively in the last decade or so get SSNs at birth.

    14. Re:Just use your Social Security number. by sploxx · · Score: 1

      You're just trying to obfuscate the fact that 880782 is your general password!

  8. My Voice.. by Blade80 · · Score: 1, Funny

    My voice is my passport.

  9. SSH keys by Anonymous Coward · · Score: 0

    SSH keys are all you need, entering passwords is so 20th century.

  10. One Solution by Anonymous Coward · · Score: 0

    SplashID or similar products give you a strongly encrypted database that you can sync with portable devices; in my case, a Palm OS based phone. I've been keeping my passwords and other sensitive information in there for years now. Works great.

    You want to make the password protecting that database a good one, though...

  11. Don't forget by GWBasic · · Score: 5, Interesting

Don't forget to add that programs use inconsistent rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special characters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

    1. Re:Don't forget by Anonymous Coward · · Score: 0

      should I ask about your take on ATM machines?

    2. Re:Don't forget by midnightblaze · · Score: 1

This irritates me to no end. Here is my password management strategy: I keep two passwords, one for secure things that would bug me if they got broken into, and another for things I don't care about. They're both strong, but unfortunately have to be only a mix of letters and numbers. Lowest common denominator, my experience has shown. When work forces me to change my password, I generate a new one, discard the old one I used for non-secure things, and my old one for secure things becomes the new one for the non-secure things. Because these password systems aren't standard at all, like the parent mentioned, I'm forced to use that lowest common denominator. And yes, I memorize two rotating passwords for everything. Having a separate password for everything (yes, I tried that) got old real fast. So let's standardize on a password system!

    3. Re:Don't forget by GWBasic · · Score: 1

      I can live with that, but when they add full QWERTY keyboards, then I'll expect true passwords.

    4. Re:Don't forget by shadow_slicer · · Score: 1

It's even worse when the password systems aren't self-consistent.
At a company I used to work for I had a certain password: "!sw33th0m3Alabama~". Since I was a low-ranked engineer at the time, my office was provided an old Windows 98 system. My login and password worked perfectly there. Then one day I needed to login to one of the NT 4.0 machines in the lab. The NT machine wouldn't let me log on... After dealing with IT for an hour I told them to just reset my password. I ended up changing it to "Pa55word". After that it worked....

  12. I won't answer that! by game+kid · · Score: 2, Funny
    Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

    I'd answer, but then it'll give insight into my password preferences, and then I'll get c00tz0rs from t3h l33t h4x0r2!!1!eleventyone etc.

    --
    You can hold down the "B" button for continuous firing.
  13. My password by anonicon · · Score: 1

    Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

    I just use the rotating password of IAmGodsGiftToWomen01, 02, 03... No geek will ever come up with that one!

    1. Re:My password by game+kid · · Score: 1

      Somehow I feel that post just invalidated those passwords. ;)

      --
      You can hold down the "B" button for continuous firing.
    2. Re:My password by RDFozz · · Score: 1

      Unfortunately, this is a common way to generate "unique" but memorable passwords, when passwords change frequently (say once a month).

      --
      R David Francis
    3. Re:My password by Jeff+Hornby · · Score: 1

      A lot of geeks would come up with that password.

      Of course most women would disagree.

      --
      Why doesn't Slashdot ever get slashdotted?
    4. Re:My password by JamesTRexx · · Score: 1

      The idea of a geek and godsgifttowomen invalidates my dinner.

      --
      home
  14. IT requiring password changes by ChrisF79 · · Score: 5, Interesting

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

    --
    Finance tutorials and more! Understandfinance
    1. Re:IT requiring password changes by Ziviyr · · Score: 1

      I suppose they locked out incremental passwords too?

      --

      Someone set us up the bomb, so shine we are!
    2. Re:IT requiring password changes by alan_dershowitz · · Score: 2, Interesting

      Where I work (which shall remain nameless) people get around this password restriction by making their password "SOME STRING"1, then when they have to change it in a few weeks, "SOME STRING"2, and so on. I can't believe this is any sort of superior "security", badgering people into choosing terribly predictable passwords.

    3. Re:IT requiring password changes by ChrisF79 · · Score: 1

      That's pretty funny. I've never tried it here so I can't speculate. But in a little less than 8 weeks I can let you know!

      --
      Finance tutorials and more! Understandfinance
    4. Re:IT requiring password changes by Harry+Coin · · Score: 1

At my previous employer, they required an 8+ character password with a numeral, a special character, an uppercase letter, a lowercase letter, and each password had to be >30% different from any of the passwords you'd used in the previous year. That last requirement made sequencing impossible and just making a new password pretty damn hard.

      --
      That's pre 7-11 thinking....
    5. Re:IT requiring password changes by Anonymous Coward · · Score: 0
      My IT department makes me change password every three months. The new password must have at least one letter, one number, and one punctuation character. My username has letters (my real name) and punctuation (to replace spaces); as I can't reuse passwords, and after password 12 I ran out of ideas, I've just used username for my password. So, the first time I did this, my password was username1, then username2, etc.

      Security gains? Probably a security loss, as I've gone from a fairly complex, long, obscure password, to something that should be automatically added to any dictionary search on my username.

      Anonymous for the obvious reason.

    6. Re:IT requiring password changes by Dadoo · · Score: 1

      At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months.

      Okay, I have to ask: does anyone really still think changing your password regularly is useful? These days, when someone hacks into your system, the first thing they usually do is set up a back door, so if you change it, they can still get in. IMO, requiring frequent password changes actually hurts security, because users are more likely to write them down and keep them where other people can find them.

      Think of a good password, remember it, and don't change it, unless there's a good reason.

      --
      Sit, Ubuntu, sit. Good dog.
    7. Re:IT requiring password changes by TClevenger · · Score: 1

      I think that that's one of the biggest problems in corporate password policies. When multiple systems have different password change intervals, and don't synchronize passwords between them, you end up with a much bigger mess. The solution I recommend for users (since changing the Corporate is impossible) is to change their password when prompted by any system, and then go change all their other passwords to match immediately afterwards. It takes a bit more work, but at least you don't have different passwords because one system prompts every 8 weeks, and the other prompts every 45 days.

    8. Re:IT requiring password changes by shiftless · · Score: 1

      Yeah, I'm in the Air Guard, and we have the same crap. For a while, every time I would come to drill I'd have to get my password reset because how the hell can you remember a password when you have to change it all the time? So when I have to change the password I just change a digit and a capital letter. Terribly insecure.

    9. Re:IT requiring password changes by asbjxrn · · Score: 1

It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up.

      And they give you a new password over the phone with a reminder to change it once you log in, right? Locking of accounts is the best way of training the admins to respond to social engineering in my opinion.

      And two passwords? You're lucky. I've got about 10 passwords where I work. And that is without counting the machines I'm hired to administer... (Even the phone voicemail has a 6 digit pin that needs to be changed every 3 months!)

    10. Re:IT requiring password changes by Lifthrasir · · Score: 1
      sequencing/picking a password made easy:
      • 1!Aaaaaa
      • 2@Bbbbbb
      • 3#Cccccc
      --
      No beer, no TV make Lifthrasir something something
    11. Re:IT requiring password changes by Sunthalazar · · Score: 1

Actually, my biggest concern about the "your password has to be X% different from your other passwords/you can't reuse an old password" is that it means somewhere they are saving all of the passwords that you've ever used. If they are just doing a "you can't re-use a password" they could save a hash, but if they are doing "it must be significantly different from", then they have to save the whole password.

      Which would make that just an absolutely delicious place for someone who was trying to break into other people's stuff. Not only do you get their current password, but you get all of their old passwords, which are very likely to have been used before for other things.
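Both the "mangle and compare" login described a few posts up and the hash-only history check discussed here can be shown in one small sketch. This is an added example, not code from any poster: passwords are stored only as salted PBKDF2 hashes, an exact reuse is refused by re-hashing the candidate against the retained history, a "must differ from the old one" rule can only be applied at change time to the old password the user has just typed (never to stored hashes), and "forgot my password" issues a short-lived reset token instead of mailing the secret. Names, the work factor and the history length are assumptions.

```python
# Added example (not from the thread). Illustrates hash-only password storage,
# verification by re-hashing, a reuse check that needs no plaintext, and a
# reset-token flow in place of e-mailing passwords.
import hashlib
import hmac
import secrets
import time
from typing import Optional

ITERATIONS = 210_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)
HISTORY_LEN = 12       # how many previous hashes are kept for reuse checks (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iters$salt_hex$dk_hex'; a fresh salt unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def too_similar(old: str, new: str) -> bool:
    """Crude 'X% different' rule: refuse if the new password is the old one with
    a short prefix/suffix change (the SOMESTRING1 -> SOMESTRING2 pattern).
    Only possible here, where the user has just supplied the old plaintext."""
    common = min(len(old), len(new))
    same_prefix = sum(1 for a, b in zip(old, new) if a == b)
    return common > 0 and same_prefix / common > 0.7


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.current = hash_password(password)
        self.history: list[str] = []       # older hashes only, newest first
        self.reset_token_hash: Optional[str] = None
        self.reset_expires = 0.0

    def login(self, password: str) -> bool:
        return verify_password(password, self.current)

    def _retire_current(self) -> None:
        self.history = ([self.current] + self.history)[:HISTORY_LEN]

    def change_password(self, old: str, new: str) -> bool:
        """Requires the old password; refuses exact reuse (checked against hashes)
        and near-duplicates of the old one (checked against the typed plaintext)."""
        if not self.login(old):
            return False
        if any(verify_password(new, h) for h in [self.current] + self.history):
            return False
        if too_similar(old, new):
            return False
        self._retire_current()
        self.current = hash_password(new)
        return True

    def issue_reset_token(self, ttl_seconds: int = 900) -> str:
        """Return a one-time token for the user; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_expires = time.time() + ttl_seconds
        return token

    def reset_password(self, token: str, new: str) -> bool:
        """Consume the token (single use, time-limited) and set a new password."""
        if self.reset_token_hash is None or time.time() > self.reset_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, self.reset_token_hash):
            return False
        self.reset_token_hash = None
        self._retire_current()
        self.current = hash_password(new)
        return True
```

Nothing in `Account` can hand back a password: the only recovery path is a reset, which is exactly the behaviour SatanicPuppy asks for.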

  15. Unite the password... by PHanT0 · · Score: 1

    All it takes is a fingerprint scanner, USB ID Key, good NIS setup, or my personal favorite - tiny RFID tags under the skin... ohh nelly... now I've got to cut off a chunk of johnny's hip to commit identity theft!

    1. Re:Unite the password... by Skadet · · Score: 1

      tiny RFID tags under the skin

      THE MARK OF THE BEAST!! AHHHHH!!!!! *points and jumps up and down*

    2. Re:Unite the password... by Amouth · · Score: 1

*raises hand*
and your point.. how much different than someone using a not yet invented real time DNA scanner..

when you look at it with that view

we all have the "Mark of the Beast"
*sits back down*

personally i like the RFID tag idea.. but i am going to shield mine if i ever get it.. don't want to be seen from space

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  16. Given up by mikejz84 · · Score: 1

    I have given up with passwords and just switched to 'asdfasdf1234' never cracked yet.

  17. Clever storage is the secret by NotFamous · · Score: 1

    45Ty34#

    I store mine on Slashdot!

    --
    Some settling may occur during posting.
  18. Too many systems by airjrdn · · Score: 1

    Companies want products "now". That means using a new product written specifically for a given task, often times a purchased product. That in turn means no connectivity with existing systems, which leads to yet more logins & passwords. Keeping them in sync can be a nightmare. Even knowing this is the cycle, many companies will continue with their historical way of doing things, yet wonder why their staff need to remember 20 different login/password combinations.

  19. Information Security by Divide+By+Zero · · Score: 3, Informative

    Something you have (physical key)
    Something you know (password)
    Something you are (biometrics)

    One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

    You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

    --
    Dare to Hope. Prepare to be Disappointed.
    1. Re:Information Security by John+Harrison · · Score: 1
There are products out there from companies such as ActivCard and Protocomm that will securely store your passwords and also enter them via a script. Generally the user has to remember one password (called a PIN) to open up their smart card and then they don't need to remember anything else. Having a token and a single complex password (and/or a biometric) is generally more secure than trying to juggle dozens of individual passwords.

      Disclaimer: I install such systems for a living, so I might be a bit biased.

    2. Re:Information Security by Anonymous Coward · · Score: 1, Funny
      Something you have

      Are there any systems out there that let me login using my herpes?

    3. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 5, Insightful

      Something you have (physical key)

      Something you know (password)

      Something you are (biometrics)

I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometric identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis. For the most part biometrics are something you have that you keep with you all the time and cannot easily remove or change. This is good in that it makes them harder to steal and less likely to be lost. This is bad because you cannot put them away somewhere safe and are constantly exposing them to the possibility of being copied. It is also bad because unlike other things you might have and use to authenticate, biometrics are almost impossible to change, so once compromised are a nearly permanent vulnerability. Finally, biometrics are bad because they can lead to the escalation of a crime in that their theft can be physically damaging. Take note of the man who was first kidnapped, then had his thumb cut off when car-jackers wanted to be able to start his fancy thumbprint lock car. Criminals don't need to be given extra motivation to commit mutilations.

      Biometrics proliferate these days largely on their "cool" factor. The more blinking lights and high-tech gadgets the more secure it must be, right? Sadly they are being used to replace either the something you know or something you have in traditional biometric schemes, with the end result being less overall security. Biometrics have their place, and that is in a tightly controlled environment, supplemented by human observers to prevent copies from being easily used, and as an additional security measure on top of "something you know" and "something you have" that can't be copied from your beer glass at the bar. They do not belong in an authentication scheme in place of either a traditional "something you know" or "something you have" unless your goal is to have very, very convenient placebo security that is trivially bypassed by design.

    4. Re:Information Security by darrylo · · Score: 4, Interesting
      You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger

    5. Re:Information Security by ebuck · · Score: 1

      Yes, but security assumes a managed environment, and in a managed environment you can disable things if they pose a risk.

      I can disable something an attacker knows (change the password).
      I can disable something an attacker has (invalidate the particular security card, etc.)
      I cannot disable something a person is.

If an attacker obtains a fingerprint (via a fingerprinting kit and coffee mug) I can't disable the item without locking out authorized personnel. Advances in technology will not be sufficient to deter an attacker, as every system will eventually be fooled by a copy of high enough fidelity.

Biometrics is an interesting field, but it is not useful for security, as identity theft (finger prints, retina photographs, etc.) prevents the differentiation between an attacker and authorized personnel.

    6. Re:Information Security by P3NIS_CLEAVER · · Score: 0

      guess you shouldn't have 'logged' into the barho system.

      --
      Please sign petition to restore sanity to our banking system!!!

      http://financialpetition.org/
    7. Re:Information Security by MenTaLguY · · Score: 1

      You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      Indeed. It's also significantly harder to change or replace.

      --

      DNA just wants to be free...
    8. Re:Information Security by Bush+Pig · · Score: 1

      > You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      Oh, I don't know - I'd be a bit nervous that my finger would be forcibly removed to access my bank account. All they'd need is a meat cleaver.

      --
      What a long, strange trip it's been.
    9. Re:Information Security by soft_guy · · Score: 1

      I think biometrics is bad because once it is breached, you can't change it. It is still subject to many kinds of attacks (replay attack for example.)

      At least with passwords, I can change the password to something new.

      --
      Avoid Missing Ball for High Score
    10. Re:Information Security by shis-ka-bob · · Score: 1

I agree with your general assessments, but don't think that severing thumbs is a likely outcome. A brief kidnapping seems like it could be more of an issue. The other fundamental issue is that the biometric output needs to be compared with data that is 'on file'. All you have to do to defeat the system is to be able to mess with the file. Besides, once somebody steals the file, you are really SOL. If somebody steals a file with your credit card number, you can have a new card with a new number issued. Anybody want to get a new thumb each time some idiot at VISA decides to make his next house payment by selling credit card numbers?

      --
      Think global, act loco
    11. Re:Information Security by maxume · · Score: 1
      You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      The corollary is, of course, that it is also *much* more difficult to get a new finger.

      --
      Nerd rage is the funniest rage.
    12. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      ...but don't think that severing thumbs is a likely outcome.

      The example I gave was not theoretical, it has already happened. Given how rare thumbprint locks are, I'd say that it is potentially worrying as a new, common crime. I'd not care to hazard a guess either way at this point.

The other fundamental issue is that the biometric output needs to be compared with data that is 'on file'.

This is, of course, the most likely avenue of attack. It is somewhat mitigated in that a database can just store a one way hash of your fingerprint, but all it takes is one broken hash, one company that does not correctly implement the hash or does not implement a hash at all, or one man in the middle attack either over a network or using a fake reader (like the ones used to steal ATM card signatures now) and you're screwed. I'm sure you can get your bank to disallow your account to be accessed using thumbprints, but it will be a huge pain for everyone involved, and more of a pain as biometrics become more and more common. I would not worry so much about Visa, as they will probably implement a good hash, I'd worry about every single retailer you ever use.

      "Something you have" that is unchangeable makes for a pretty poor authentication scheme and I'm glad at least some people can see that.

    13. Re:Information Security by John+Harrison · · Score: 1

You might have missed it, but IBM announced cancellable biometrics a few weeks ago. I'm sure that you could google it, I'm too lazy/busy.

    14. Re:Information Security by Anonymous Coward · · Score: 0

      REDUNDANT
      why did you reply without reading what you were replying to?
      fuck you.
      I hate you!

    15. Re:Information Security by darrylo · · Score: 1

      No offense, but I think a lot of people here on /. use PDAs for this. It's just a matter of using decent (secure) software. I've got hundreds of passwords, login names, dates, notes, and other info stored in encrypted form on my palmpilot.

      (I've also got incremental palmpilot backups being done to an SD card every night. I periodically manually backup the SD card to my PC and CDroms, and so my PDA could get lost/stolen without much harm, except to my pocketbook. ;-)

    16. Re:Information Security by starfishsystems · · Score: 1
      I strongly object to this bastardization of traditional authentication scheme theory.

      Your argument begins by objecting to a widely accepted partitioning of the authentication space, but the reasoning you present seems only to support the partitioning as given.

      As you point out, biometrics is not just something you have, but something you are, since they are based on nonsubstitutable parts of your person. This condition leads to a particular set of authentication characteristics which, as you point out, must be considered on their particular merits.

      By contrast, something you have, such as a cryptographic token, is an artifact. Being an artifact carries quite a different set of characteristics than being a person, and requires a different analysis.

      In other words, you make an effective case that it's completely appropriate to partition the authentication space as given. Your objection seems not to be with the theory, as you claim, but with some fairly narrow applications of the practice.

      --
      Parity: What to do when the weekend comes.
    17. Re:Information Security by geekoid · · Score: 1

A smart password works just as well.

And for enough monetary gain, people will take a finger.
Also, your fingers become useless for this if the place that information is stored becomes compromised.

      I can brute force all three of those methods.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    18. Re:Information Security by bigpat · · Score: 1

      RSA SecurID

      And I usually keep mine right next to the computer or in the drawer hidden under some papers. Sure it is credit card sized, but it is calculator thick and isn't something I'm going to carry around with me. The key chain like one they have on the web site might be more likely to remain with me, but still it seems that it is more likely to end up sitting next to your point of access anyway. Still, it does add some security since it is something in addition to a password, but I don't think it adds as much security as some physical object that is actually small enough to make it practical and comfortable to carry with you all the time. Really, any token that is not easy to carry is as good as the physical security of wherever it is located.

      You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      yes, but I would much rather lose a token or forget a password.

    19. Re:Information Security by thermal_noise · · Score: 1

      Something you would've been (famous)
      Something you could've been (a contender)
      Something you should've been (born into a wealthier family)

    20. Re:Information Security by jschottm · · Score: 1

      This is bad because you ... are constantly exposing them to the possibility of being copied ... once compromised are a nearly permanent vulnerability

Good biometric identification properly implemented (not necessarily easy to do, mind you) shouldn't be copyable or stealable. A poorly designed fingerprint scanner is bad because a mold can fake them. A poorly implemented fingerprint scanner is bad because the finger can be chopped off. But a good fingerprint scanner properly implemented (say, with a security goon sitting there making sure the user puts their finger on the scanner, not someone else's) is more secure than relying on just "something you have" - a security goon watching people swipe cards can't easily tell if it's me swiping my Sonitrol or someone that mugged me scanning my Sonitrol.

      Fingerprints also make a fairly poor biometric measurement. I'm not saying that there are good ones yet, but there is potential in the future.

    21. Re:Information Security by John+Harrison · · Score: 1

      No offense taken. Your solution works for you and provides a level of security and that is great. For a large organization though buying a password management system can make a lot of sense and it can enable things you might not have thought of. For instance, you can have password randomization such that users don't (and can't) even know their own passwords. You can generate cryptographic keys on the card for signing and have keys for encryption and authentication. So the solutions I mention can do things that the PDA can't.

    22. Re:Information Security by fuyu-no-neko · · Score: 1

      "Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger"

      Brings a whole new meaning to the idea of hackers stealing your password.

      --
      Don't take the above poster too seriously. He doesn't.
    23. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      Your argument begins by objecting to a widely accepted partitioning of the authentication space, but the reasoning you present seems only to support the partitioning as given.

      Not so. Biometrics are something you have. A fingerprint, a keycard, and a brick wall with a barcode on it are all fundamentally, "something you have." Biometrics are a subset of "something you have" that has a particular set of criteria, just like keys. The only reason why some people try to classify them as something new, even though they meet every criterion for "something you have" is because in many cases they are a very poor "something you have" and when properly evaluated that is easy to see. For example, they are very commonly used to replace passwords resulting in replacing a "something you know" scheme with a very weak "something you have" scheme. Considered in that light, it is very hard to make any sales, so vendors try to avoid evaluation of biometrics based upon traditional, well proven, criteria and try to bill it as something new.

      biometrics is not just something you have, but something you are, since they are based on nonsubstitutable parts of your person.

      Biometrics are something you have. They can be copied or taken from you. They are just something that is difficult to change or replace. They function (within authentication theory) exactly like any other "something you have" by being presented to a person or device.

      By contrast, something you have, such as a cryptographic token, is an artifact. Being an artifact carries quite a different set of characteristics than being a person, and requires a different analysis.

      Now you're confusing nomenclature. A token is generally something you know stored on something you have. A physical device with a key on it is something you have. You claim that being a person carries a different set of characteristics, but authentication schemes can't identify what is a "person" only known physical characteristics that that person carries with them as part of their body. Having your thumb or someone else's thumb is no different than having your key or someone else's key. A thumb may be more evident when it is tampered with (although not necessarily) but it also is very inconvenient to change and is constantly exposed to copying. Fundamentally, however, it is still something you have.

      Every biometric I have ever seen merely tests one or more body parts, all of which are each just "something you have" and do not differ in any fundamental way from any other "something you have." Like other poorly chosen "something you have" items though, almost all biometrics have some serious drawbacks and some advantages. What I object to is not evaluating them properly by claiming they are somehow fundamentally different. It is not so. An RFID chip embedded in your arm is not a biometric, but has almost all of the same advantages and drawbacks, as well as some additional benefits.

      I did not focus very much upon why I object to the classification of biometrics as not "something you have" because I thought it would be somewhat self explanatory. Hopefully now though you can see the danger of bypassing the traditional definitions of authentication theory in order to try to make an exception for a series of "something you have" items in order to avoid having to properly evaluate them. Whenever I see "something you are" I curse the clever marketers that are willing to promote insecure authentication schemes based upon whiz-bang marketing and blinking lights instead of a solid, reasoned evaluation of the benefits and drawbacks. For people who are not familiar with authentication theory it is as if someone started quoting the theory of gravity as "every object attracts every other object, except airplanes and the earth because of airplanes' hi-tech design" in order to sell airplanes. It is marketing bullshit, not science.

    24. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      Good biometric identification properly implemented (not necessarily easy to do, mind you) shouldn't be copyable or stealable.

      This violates fundamental authentication principles. Anything that is "something you have" can be stolen and/or copied, it is just that some items are more difficult to steal/copy than others. There is no reason why the entire human body cannot be duplicated to a level that the Heisenberg uncertainty principle makes them indistinguishable. Maybe it is unlikely, but it is a mistake to assume it cannot and never will happen.

      But a good fingerprint scanner properly implemented (say, with a security goon sitting there making sure the user puts their finger on the scanner, not someone else's) is more secure than relying on just "something you have" - a security goon watching people swipe cards can't easily tell if it's me swiping my Sonitrol or someone that mugged me scanning my Sonitrol.

      What if they use a latex copy on a real thumb? Those are pretty hard to see, but are detectable by a really well made scanner. What if a thumb is cut off and surgically grafted onto another person? That would be pretty hard to detect by any scanner. I'm not saying biometrics are useless, it is just that their usefulness is limited to specific situations as part of a larger authentication scheme involving other "something you know" and "something you have" mechanisms and under competent human observation. Implementing a poor security mechanism can lead to a false sense of security and be even worse than no formal security. Biometrics are largely misapplied and trying to make up an exception for them and tack it onto existing authentication theory is a mistake. Biometrics need to be evaluated based upon their advantages and disadvantages within the context of "something you have."

    25. Re:Information Security by theLOUDroom · · Score: 1

      You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

      Sure you can, it takes one second, hurts like hell and will make you wish you had just used a freakin password.

      The real application for biometrics is when people don't want to be identified. This is pretty much the opposite of what we're talking about here.

      Fingerprint readers for PC logons are just freakin retarded. The fingerprints are all over the place (like the screen next to the reader), they're easy to fake, and once I do get a fake, you're REALLY SCREWED because you can't change your fingerprints.
      As another poster pointed out, biometrics are really nothing more than "something you have". They are no more special than the keys on my key ring... except that I don't leave a copy of my keys on everything I touch during the course of a day.
      If you want a really secure logon use a password and a smart card.

      RFID cards needlessly expose you to more attacks. Even if your RFID gives you not just an ID number, but an actual challenge response authentication, you're still subject to other sorts of creative attacks. A big part of the problem being that it's really obvious when someone's reading your smartcard, but not when they're reading an RFID tag.

      --
      Life is too short to proofread.
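      The distinction theLOUDroom draws between a tag that only emits an ID number and one that does real challenge-response, shown as an added simulation (this is example code, not from the original thread or any vendor; the token IDs, keys and the HMAC-over-nonce protocol are all constructed here):

```python
"""Static-ID token vs. challenge-response token (added illustration).

A static tag answers every read with the same bytes, so a recorded read is
accepted again.  A challenge-response token answers only with a keyed MAC over
the reader's fresh nonce, so a recorded transcript fails next time.
Everything below (UIDs, keys, the HMAC-SHA256 scheme) is constructed for
this example and is not any real product's protocol.
"""
import hashlib
import hmac
import secrets


class StaticIdToken:
    """Constructed tag: returns a fixed identifier regardless of the challenge."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: bytes = b"") -> bytes:
        return self.uid  # the challenge is ignored; output never changes


class ChallengeResponseToken:
    """Constructed token: holds a secret key, answers with HMAC(key, nonce)."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key  # never leaves the token

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    """Verifier: knows enrolled static UIDs and per-token keys."""

    def __init__(self, static_uids=(), keys=None):
        self.static_uids = set(static_uids)
        self.keys = dict(keys or {})

    def verify_static(self, presented: bytes) -> bool:
        return presented in self.static_uids

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh 128-bit nonce per attempt

    def verify_response(self, uid: bytes, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(uid)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def replay_static(reader: Reader, token: StaticIdToken) -> tuple:
    """Genuine read, then the same recorded bytes presented again.
    Returns (genuine_accepted, replay_accepted)."""
    recorded = token.respond()  # what a passive listener captures
    genuine_ok = reader.verify_static(recorded)
    replay_ok = reader.verify_static(recorded)  # identical bytes, accepted again
    return genuine_ok, replay_ok


def replay_challenge_response(reader: Reader, token: ChallengeResponseToken) -> tuple:
    """Genuine exchange, then the recorded answer presented to a new challenge.
    Returns (genuine_accepted, replay_accepted)."""
    c1 = reader.new_challenge()
    r1 = token.respond(c1)  # transcript (c1, r1) is what a listener captures
    genuine_ok = reader.verify_response(token.uid, c1, r1)
    c2 = reader.new_challenge()  # next attempt gets a different nonce
    while c2 == c1:  # vanishingly unlikely, but keep the demonstration exact
        c2 = reader.new_challenge()
    replay_ok = reader.verify_response(token.uid, c2, r1)  # stale answer
    return genuine_ok, replay_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("static ID  (genuine, replay):", replay_static(
        Reader(static_uids=[b"UID-0001"]), StaticIdToken(b"UID-0001")))
    print("chal/resp  (genuine, replay):", replay_challenge_response(
        Reader(keys={b"T1": key}), ChallengeResponseToken(b"T1", key)))
```

      The nonce only defeats replay of a recorded transcript; it does nothing about the point made above that an RFID tag can be read without its holder noticing, which is why the post still recommends a smart card plus password.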
    26. Re:Information Security by starfishsystems · · Score: 1
      A physical device with a key on it is something you have. You claim that being a person carries a different set of characteristics, but authentication schemes can't identify what is a "person" only known physical characteristics that that person carries with them as part of their body. Having your thumb or someone else's thumb is no different than having your key or someone else's key.

      Your comments are very useful in clarifying where we differ, and why.

      On the assumption that there is no distinction between "having" and "being", your argument follows logically and is well reasoned. It only depends on there being no fundamental or nontrivial difference between "something you have" and "something you are". It might seem that authentication schemes can't distinguish between "having" and "being", but in fact they can do so at a fundamental level.

      To refer to my previous post, something you "have" is strictly an artifact. An artifact can be anything agreed between the parties, which means (a) it can be given arbitrary cryptographic properties, and (b) a different artifact can be substituted by mutual agreement from an infinite space of possibilities. A good cryptosystem takes specific advantage of these conditions, for example by allowing different signature algorithms and key lengths. In general, artifacts permit arbitrary cryptographic strength, which is clearly valuable, but not all that authentication is about.

      Something you "are," on the other hand, is by definition a natural measurement associated with your person, not an artifact. Not being an artifact, it does not have arbitrary properties, but natural ones. Being a measurement of a certain object, the space of possible substitutions is also finite. In practice, there aren't many suitable biometric properties. Some would argue that there aren't any, but that remains an open debate. In case it turns out there are, it should be clear that they require very different treatment than artifacts.

      The point is that authentication built around "something you are" has to operate within the constraints of both measurement and a finite set of properties. Authentication around "something you have" does not have such constraints. The difference is fundamental, and indeed testable.

      To return to your claim that authentication schemes can't distinguish between these two classes, of course it's possible to build a naive authentication model that ignores the distinction, but I'd argue that's simply bad engineering. Good engineering doesn't just treat these properties as a set of bits, but recognizes the difference between how these properties are derived, and treats them appropriately.

      Thanks for keeping this discussion rigorous, and interesting.

      --
      Parity: What to do when the weekend comes.
    27. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      An artifact can be anything agreed between the parties... Something you "are," on the other hand, is by definition a natural measurement associated with your person, not an artifact.

      I don't see why your thumb is not an artifact according to your definitions. It seems like you're trying to define "something you have" as any agreed upon object that is not a biometric, which seems to be a spurious addendum. You claim a biometric "does not have arbitrary properties, but natural ones" but there is no reason why an artifact cannot have natural properties. Early authentication schemes employed naturally occurring artifacts such as jaggedly broken rocks and pieces of wood whose natural grains/features could be aligned to provide a matching "key." In the case of an artificial object or a biometric you are still measuring one or more properties of a physical object. The fact that that object is a part of a person's body is a significant characteristic, but does not fundamentally alter the way the object is measured or verified. Heck, thumb print devices could easily be keyed to arbitrary thumbs taken from cadavers, which would make artifacts that are identical to biometrics, are measured in the same way by the same device. How does this change the nature of an authentication scheme?

      The point is that authentication built around "something you are" has to operate within the constraints of both measurement and a finite set of properties. Authentication around "something you have" does not have such constraints. The difference is fundamental, and indeed testable.

      You're operating under several false assumptions. First, there are any number of limitations on what artifacts can be practically used in an authentication scheme. Second, biometrically testable properties of the human body can be altered or spoofed just as any other "something you have."

      To return to your claim that authentication schemes can't distinguish between these two classes, of course it's possible to build a naive authentication model that ignores the distinction, but I'd argue that's simply bad engineering.

      I don't understand your assertion. Biometric devices have to be built to test certain properties of a human body and those properties must be measured in advance in order to be used. Other "something you have" schemes are built to test specific properties of some object which has to be set (or measured) in advance. How then does a biometric measurement and testing of something that is part of your body differ from the measurement and testing of something that is not part of your body in a way that biometrics should not be subject to all the same tests and evaluation criteria that other "something you have" artifacts are? In what way do you believe they should be treated differently and why?

    28. Re:Information Security by starfishsystems · · Score: 1
      I don't see why your thumb is not an artifact according to your definitions.

      Because you don't get to manufacture a new thumb in order to meet changing requirements. That would qualify it as an artifact, whereas a thumb, like all sources of biometric information, occurs naturally, and thus is constrained in the range of requirements it can meet.

      Early authentication schemes employed naturally occurring artifacts such as jaggedly broken rocks and pieces of wood

      Naturally occurring objects are not artifacts. An artifact is "an object produced or shaped by human craft". The word comes from the same root as "artificial." Got it?

      In the case of an artificial object or a biometric you are still measuring one or more properties of a physical object.

      Here you're treating your conclusion as a premise. No, artificial objects are artificial. They need have no reference to any physical object. For example, a digital certificate is an object created from a cryptographic, that is, mathematical, process. It has no physical properties. Conversely, biometrics are strictly derived from physical properties.

      biometrical testable properties of the human body can be altered or spoofed

      That may make them bad candidates for use in strong authentication. I made that observation already. A good biometric obviously would be one that is hard to spoof. But that is all beside the point. Clearly these are natural properties that you carry with you. You can't manufacture them to arbitrary standards in the same way as you can an artifact such as a digital signature. That constraint may make them better or worse in certain applications. The point, and you're helping to make it here, is that these two classes require fundamentally different treatment.

      Biometric devices have to be built to test certain properties of a human body and those properties must be measured in advance in order to be used. Other "something you have" schemes are built to test specific properties of some object which has to be set (or measured) in advance.

      I notice that you're again applying your conclusion as a premise. We've already established that your argument rests on making no distinction between "being" and "having." So far, you haven't produced anything in support of that premise.

      How then does a biometric measurement and testing of something that is part of your body differ from the measurement and testing of something that is not part of your body

      Because artifacts are not about measurement and testing of natural properties in the first place! That's your claim, not mine, and I don't see that it can be successfully defended.

      I think that this will be the end of my contribution, since I've presented my point of view and clarified my understanding of yours. If you want to add any final comments, please feel free.

      --
      Parity: What to do when the weekend comes.
    29. Re:Information Security by nine-times · · Score: 1
      I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometrics identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis.

      Actually, the "something you are" idea is older than biometrics. Imagine someone trying to get into an old fortress. You might protect it by requiring that someone know a password before they can enter (something you know). You might require that someone have some sort of token, such as a signet or letter (something you have). It might be that there are guards ordered to only let in people that they already know on sight (something you are).

      Arguably, you might say that all three are "things one has". A person might "have" an item, or "have" a physical characteristic, or they might "have" information or knowledge. These distinctions can be a bit fluid, too. A password is typically thought to be "something you know", but if I write it down and forget it, in a certain sense, it has become "something I have". You might have an encryption key on a disk, which is comparable to a very complex password written down, and it also becomes "something I have". I might also know something about the security (something I have or something I am) which allows me to circumvent it, thereby making it an issue of something I know.

      Anyway, the point is, security which measures an object I can carry, drop, hide, or lose has different strengths and weaknesses than security which measures a biological aspect to my person, and still different from one which measures my response to some sort of prompt/question. You seem to acknowledge this in your own post. Biometrics have different strengths and weaknesses than carrying some sort of token. It is not an essential difference, but these different strengths/weaknesses that are the justification for defining it as a different sort of security.

      I agree, however, that biometrics are often over-hyped due to the cool-factor of them. To hear some people talk, passwords are horrible and never work and a simple thumbprint scanner is foolproof. Of course that's silly. There are plenty of good reasons why passwords have been used for so long (though I won't detail them all here).

      I do also think, however, that you'll have a hard time arguing that a security system which measures "something you have" and/or "something you know" wouldn't be strengthened by also requiring some biometric check as well. The best security systems will check for a wide range of things, and take into account the routes to circumvent the system.

    30. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      Because you don't get to manufacture a new thumb in order to meet changing requirements.

      I've never seen being able to be changed or have a new one manufactured as a criterion for "something you have" in authentication science. Even if it were, for some weird reason, there is no physical reason why someone cannot grow a new thumb or build a new prosthetic thumb with a thumb print. I reject your argument that this is a valid distinction.

      Naturally occurring objects are not artifacts.

      OK, now you're arguing semantics. You're the one who started using the term, "artifact" which is not the term used in the original argument. The phrase, "something you have" was used and I don't see why that does not encompass biometrics. You have a thumb and a thumbprint and an eye and particular DNA characteristics, etc. Furthermore they are applied identically to "something you have" in authentication theory.

      The point, and you're helping to make it here, is that these two classes require fundamentally different treatment.

      I'll ask the same question I did in my last post. Since you can use the same reader to read biometric and traditional "things you have" and since both objects have to be measured or keyed to a device prior to use and since biometrics and other "something you have" items can be stolen, faked, or lost naturally, in what way do they fundamentally differ that requires they be treated differently? Obviously all keys will have different advantages and disadvantages. Thumbprints go with you everywhere and are always exposed, but very hard to lose. A regular brass key is easier to lose, but less exposed to copying. Why should biometrics be placed in a special category, where they are not directly compared and evaluated beside other "something you have" keys?

      I notice that you're again applying your conclusion as a premise. We've already established that your argument rests on making no distinction between "being" and "having." So far, you haven't produced anything in support of that premise.

      Do you have a thumb? All right then, it is "something you have." Provide a good reason why it should be treated differently and I'd be happy to listen. So far I have not heard any reasons from you. If I'm creating a security system I'll consider biometrics the same as any other "something you have" and evaluate a given biometric on its appropriateness based upon how it compares to other available "something you have" keys. In applying basic rules of authentication theory, each and every one applies just as much to biometrics as other keys. The only possible exception is that you should change biometrics on a regular basis, which I still hold is true. It may not be practical or even possible due to the limitations of most biometrics, but for a secure system they should ideally be changed regularly and certainly should be changed when they are known to be compromised. The fact that this is not usually practical speaks to their unsuitability as keys in most cases, not to something that should be changed in basic theory. Should modern medicine reach the point where it is practical to change biometrics regularly, they should certainly be changed regularly (or more likely just not used at all). I fundamentally disagree with special casing biometrics. They should be evaluated on the same criteria and treated in the same way as any other key with the same limitations (like an implanted RFID chip).

    31. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      It might be that there are guards ordered to only let in people that they already know on sight (something you are).

      You acknowledge the possibility of this later on, but let me just say, I reject this as a valid criterion. There is no way to measure something you are. You can only measure and test against known characteristics (something you have) and by asking questions (something you know). Guards might pass Bob through because they know what Bob looks like, sounds like, and because Bob has the knowledge to respond appropriately when asked about his wife. If someone else can disguise themselves to look like Bob (something he has) and sound like Bob (another physical characteristic, and something he has) and they know how to respond about his wife (something he knows) then they too can pass even though they are fundamentally not Bob. That is because "something you are" is not a testable or even definable characteristic. Trying to tack it onto a scientific theory is completely unsound.

      The reason I object to this addendum so strongly is because it leads to people trying to evaluate things like thumbprints and voice patterns under special cases, exempt from the normal tests and principles that apply to "something you have" keys. This leads to lesser security and poor selection of "something you have" keys.

      As for the rest of your post, I agree wholeheartedly. Biometrics are useful for very trivial security or as part of a layered security system, with human oversight, and additional checks. Biometrics are convenient and user friendly. I fear, however, they will be horribly misused, in places where non-scientists make decisions and where poor scientists make decisions without considering what is and is not a scientific and testable criterion. Muddying the waters with pseudo-scientific bastardizations of real, well thought out, time tested, rules and principles will only make matters worse.

    32. Re:Information Security by nine-times · · Score: 1
      I don't think we have any fundamental disagreement. However, I think that saying Bob has physical characteristics (like a certain shape to his face) is pretty comparable to saying Bob has knowledge of the password. In neither case does the word "has" mean quite the same thing as saying Bob has a key. If you really want to get down to it, we could say Bob's brain is a "physical characteristic", and therefore the password, existing somewhere in his brain, is "something he has".

      In your example of Bob, you mentioned that you would have to know how Bob would respond to a question about his wife. If you ask Bob a flat-out question, like, "where's your wife?" and check for a correct answer, then sure, that's an issue of something you know. However, if Bob has a certain speech pattern, or a personality quirk, those are also "things that he is". It's not sufficient to "know" that he has the quirks, you have to fake having them also. You have to fake being Bob. Or are you going to insist "personality" is also something you "have"?

      If we allow ourselves to say that knowledge is just a special case of "having", then why not allow that "having" a face or thumbprint is a special case of "having"? They do warrant being separated out a bit, and talked about specially, don't they? If for no other reason than to talk about the weaknesses, the fact that you're carrying them around all the time. People can see your face and touch your hands (or touch something that touched your hands). They're unprotected, constantly changing, constantly being damaged. You can't replace them or change them. They weren't designed to be machine readable, and therefore aren't as easy for a machine to read (reliably). You are agreeing, aren't you, that biometrics have some real weaknesses that aren't present in other "something you have" items?

      Muddying the waters with pseudo-scientific bastardizations of real, well thought out, time tested, rules and principles will only make matters worse.

      I don't mean to muddy the waters at all. The idea isn't new or unscientific. It isn't untested. We can disagree about whether we want to separate out the different sorts of "having" for the sake of terminology, but it doesn't change the fact that "facial recognition" and behavior measurements have been used in security for... well, forever. It just didn't used to be computers doing the facial recognition.

    33. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      You have to fake being Bob.

      I disagree with this. You only have to fake the characteristics of Bob that the guards know. You don't have to fake "being Bob" because most of what makes Bob, Bob is completely unknown to the person(s) testing Bob. In some cases this may be a lot of various information and characteristics, in others it might be basically nothing. If a random person goes up to the guard and says, "hey I'm Bob" when they are really not, and are passed through because the guard knows Bob is supposed to be coming through, but has no idea who Bob is, has the attacker faked "being Bob" or did he just fake one particular characteristic that Bob has?

      Bringing this back to modern terms, does a thumbprint scanner test to see if you are Bob or if you have the same thumbprint that it is expecting? Faking being a person is a combination of things you know and things you have, but you have to take into account the tester. Any given test for identifying a person either through something they know or something they have is subject to all sorts of deception and avoidance. Your assertion that what is being tested is who a person is, rather than a combination of "things they have" and "things they know" is mostly due to the fact that thousands of tests are being issued more or less simultaneously by the most advanced tester known to man, another human. In reality, however, most biometrics are tests from a machine and they all test very specific characteristics. Unless you can define the essence of a person and build a physical test for it, I can't agree that that is what is being tested, only individual characteristics, which make them "something you have" in my opinion.

      They do warrant being separated out a bit, and talked about specially, don't they? If for no other reason than to talk about the weaknesses, the fact that you're carrying them around all the time. People can see your face and touch your hands (or touch something that touched your hands). They're unprotected, constantly changing, constantly being damaged. You can't replace them or change them. They weren't designed to be machine readable, and therefore aren't as easy for a machine to read (reliably). You are agreeing, aren't you, that biometrics have some real weaknesses that aren't present in other "something you have" items?

      I agree that most biometrics have a whole slew of weaknesses not usually built into traditional "something you have" items, but I disagree that they need to be treated any differently than other "something you have" items. All such items need to be evaluated and handled according to their strengths and weaknesses. Security badges may be visible all the time. Implanted RFID chips may be taken with a person everywhere and read/copied without their knowledge. Analog magnetic devices and physical keys may wear and change shape, or decay over time. Not all security devices are designed to be easily machine readable, like older passports. Some identification keys may be irreplaceable and some biometrics can be changed with modern medicine. At the most basic level photo IDs may be defeated by hair dye. All of the problems and advantages of biometrics may be present in other "something you have" keys, it is just not common practice to combine all these weaknesses because it makes for what can be a very poor key, which biometrics usually are as well.

      The idea isn't new or unscientific. It isn't untested. We can disagree about whether we want to separate out the different sorts of "having" for the sake of terminology, but it doesn't change the fact that "facial recognition" and behavior measurements have been used in security for... well, forever. It just didn't used to be computers doing the facial recognition.

      You misunderstand me. I'm not suggesting biometrics are new. I'm suggesting that biometrics being a special case and not subject to the same evaluation and procedures as other "something you have" items is new and unscientific. There is no reason, scientifically, w

    34. Re:Information Security by nine-times · · Score: 1
      I disagree with this. You only have to fake the characteristics of Bob that the guards know. You don't have to fake "being bob" because most of what makes Bob, Bob is completely unknown to the person(s) testing Bob.

      I didn't say you had to *be* Bob, but just that you had to fake it. You have to alter characteristics of your being in order to mimic characteristics of Bob's being.

      Bringing this back to modern terms, does a thumbprint scanner test to see if you are Bob or if you have the same thumbprint that it is expecting?

      It's testing part of what it means to be Bob by testing for a specific physical characteristic of Bob. Is your problem here that biometrics aren't "soul" measuring devices? Yes, when you measure what a person is, you're measuring certain limited characteristics, whether they be physical, mental, or behavioral.

      Your assertion that what is being tested is who a person is, rather than a combination of "things they have" and "things they know" is mostly due to the fact that thousands of tests are being issued more or less simultaneously by the most advanced tester known to man, another human.

      No, my assertion is all security could be said to be testing for "things they have", but that "things they know" and "things they are" are special cases, worth distinguishing.

      Your objection that biometrics don't measure a person's essence, to me is like saying that asking for a password does not measure "something you know" because it only measures your ability to respond. You don't actually need to know anything to give the right response to a question about Bob's wife, you just have to be able to respond close enough to fool the guard, and it certainly doesn't measure *everything* that Bob knows. No, biometrics don't simultaneously measure *everything* that you are, but they measure some portion of your physical being. You don't have to actually be everything Bob is, so long as you can fake characteristics of Bob close enough to fool whatever is measuring it.

      Biometric devices don't test "something you are"; they test one physical characteristic of your body, which is, in principle, no different than any other physical object you might have.

      It is different, however, in that it's measuring a physical characteristic of *your body*. And this is my point: it deserves special classification as a more problematic version of "something you have" in that valid users are going to be less able or likely or willing to change their "authentication key" if it requires extensive surgery and transplants. I'm not saying it can't be faked or it warrants bypassing rigorous analysis. Biometrics have one strength over normal "something you have" items in that they're convenient-- you always have it with you, without needing to carry anything extra. Therefore, while "something you are" items aren't necessarily more problematic for "the enemy" to steal/circumvent than normal "something you have" items, they're certainly more problematic for the valid users once they are stolen.

    35. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      I didn't say you had to *be* Bob, but just that you had to fake it. You have to alter characteristics of your being in order to mimic characteristics of Bob's being.

      For any given test you have to alter a single characteristic, or in some cases have that characteristic stored elsewhere. Having a severed thumb may allow me to open a biometric lock. You don't necessarily have to alter your characteristics, just to have a characteristic that will pass inspection.

      No, my assertion is all security could be said to be testing for "things they have", but that "things they know" and "things they are" are special cases, worth distinguishing.

      Things you know are treated as a case in authentication theory because they are not physical, and are subject to a whole set of rules and procedures. Properly implemented they cannot be taken by force, nor even through most coercion. Things you have are physical objects. They can be taken, unless there is a mechanism for their destruction. A whole set of rules and theories apply to these items as well, and they are different in many cases than for "something you know" keys. A well designed, very high security authentication scheme might, for example, provide multiple passwords, including one that will allow access to a honeypot system and provide false information and possibly one that will disable all that user's passwords and provide confirmation of that to the user. In this way a well trained person can either direct a torturer to a pre-prepared fake store of knowledge or disable access and make sure the torturer knows that has happened (thus removing motivation for further torture). The point is, these are two, well defined aspects of authentication theory and while a given implementor of an authentication system may not fully understand why they are obeying a particular rule of that theory, it can still protect their system.

      "Something you are" is not measurable by itself. You can't measure that someone is that person. You can measure that they know things (something they know) or that they have a particular, pre-measured characteristic. In authentication theory this is exactly the same as any other "something you have" key. I do not know of any feature of a biometric that makes it distinct in practice or application from any other "something you have" key. You have not provided any example of a way a biometric can be measured that makes it distinct in use.

      It is different, however, in that it's measuring a physical characteristic of *your body*.

      I deny this is a valid difference. If I graft a key onto my body, how does that make it different in use from a biometric? I'll address each of your points below.

      valid users are going to be less able or likely or willing to change their "authentication key" if it requires extensive surgery and transplants.

      Hair color is a biometric. It is easily dyed a different color. An implanted RFID is not a biometric. It requires surgery to change. I see no fundamental difference.

      Biometrics have one strength over normal "something you have" items in that they're convenient-- you always have it with you, without needing to carry anything extra.

      See the implanted RFID example above. It is always with you, but not a biometric. Also, a biometric can be lost to an accident or attack. This is not a fundamental difference either.

      ...they're certainly more problematic for the valid users once they are stolen.

      Depending upon the situation a valid user may be killed for losing a normal "something you have" key. Depending upon the biometric, a user may not care if a sample of his hair or DNA is taken. Again I see no fundamental difference.

      I don't see any aspect of a biometric or its use that cannot be true of a normal "something you have" key. They behave exactly like any other "something you have" and do not require a special case for their handling. Creating a special case is unnecessary and more
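      As an added illustration (not code from this thread) of the honeypot and kill-password scheme described above: one password check that yields a normal login, a honeypot login, or a one-shot disabling of every credential on the account. The PBKDF2 hashing, the Outcome names and the sample passwords are assumptions.

```python
"""Added example: a three-outcome password check. A user enrolls a normal
password, a honeypot password and a kill password; the kill password disables
the account and the caller can confirm that to the user. All names, work
factors and sample data are constructed for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

ITERATIONS = 100_000  # PBKDF2 work factor (assumption, tune for your hardware)


class Outcome(Enum):
    DENIED = "denied"
    NORMAL = "normal access"
    HONEYPOT = "honeypot access, false data served"
    DISABLED = "all credentials for this account disabled"


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a captured database cannot be searched cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    salt: bytes
    hashes: dict          # Outcome -> stored PBKDF2 hash
    disabled: bool = False


def enroll(normal: str, honeypot: str, kill: str) -> Account:
    """Store three distinct passwords for one account under a single salt."""
    if len({normal, honeypot, kill}) != 3:
        raise ValueError("the three passwords must differ")
    salt = os.urandom(16)
    return Account(salt, {
        Outcome.NORMAL: _derive(normal, salt),
        Outcome.HONEYPOT: _derive(honeypot, salt),
        Outcome.DISABLED: _derive(kill, salt),
    })


def authenticate(acct: Account, password: str) -> Outcome:
    """Return which outcome the supplied password selects.

    Every stored hash is compared, and with a constant-time comparison, so
    neither timing nor an early return reveals which role a password has."""
    if acct.disabled:
        return Outcome.DENIED
    candidate = _derive(password, acct.salt)
    result = Outcome.DENIED
    for outcome, stored in acct.hashes.items():
        if hmac.compare_digest(candidate, stored):
            result = outcome
    if result is Outcome.DISABLED:
        acct.disabled = True  # the kill password works once and burns the account
    return result


if __name__ == "__main__":
    acct = enroll("correct horse", "battery staple", "burn it all")
    for attempt in ("wrong", "correct horse", "battery staple", "burn it all", "correct horse"):
        print(f"{attempt!r:18} -> {authenticate(acct, attempt).value}")
```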

    36. Re:Information Security by nine-times · · Score: 1
      I deny this is a valid difference. If I graft a key onto my body, how does that make it different in use from a biometric? I'll address each of your points below.

      Depends... can the key be removed or changed without causing permanent and irreversible damage to the carrier? If so, then the difference might be slight. However, it might still be a detectable alteration to the person's biological being. Let me put it this way: if authentication is based on voiceprint, thumbprint, and a scan of the vein patterns in my arm, no one can detect that ahead of time. They must be familiar with my security system and anticipate that those qualities will be looked for. If an object can be found in some kind of a search, that object tells the searcher that I use that means of authentication somewhere.

      Hair color is a biometric. It is easily dyed a different color.

      I don't remember suggesting that we use hair color alone as a means of authentication... That people have physical characteristics that are easy to change/fake is pretty irrelevant to whether "having" physical characteristics yourself brings up different security concerns than "having" an object with certain physical characteristics.

      Depending upon the biometric, a user may not care if a sample of his hair or DNA is taken. Again I see no fundamental difference.

      You will see a difference when you ask the user to change his DNA for future authentication.

      You have failed to convince me and unless you come up with a real, fundamental difference (in terms of their characteristics or the way biometrics are applied) I don't think I will ever agree with you.

      Eek. I guess I'm in trouble now. Wait.... I have a real good rebuttal: You have failed to convince me, and I don't think I'll agree with you!

    37. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      Let me put it this way: if authentication is based on voiceprint, thumbprint, and a scan of the vein patterns in my arm, no one can detect that ahead of time. They must be familiar with my security system and anticipate that those qualities will be looked for. If an object can be found in some kind of a search, that object tells the searcher that I use that means of authentication somewhere.

      You're asserting that all physical keys are detectable and that biometrics are not detectable as such. First, you're making the assumption that an entire person cannot be duplicated in their physical form which, while true given our current technology, is not a truism. It is just the current situation as far as we know and thus cannot be a scientific fact. Second, you are asserting that non-biometric "something you have" items are detectable, which is not necessarily the case in any given situation. Normal keys can be mixed with dummy keys, making the "real" key indistinguishable, and obfuscated keys can be disguised as normal materials people carry with them every day. If a key for a given individual is a particular brand and shade of lipstick in its original container, how can the attacker differentiate this from all the other objects a person carries daily? Finally, if a given set of biometrics is used, it is subject to a corrupted authentication attack by randomly attacking valid users, removing biometrics and seeing if they are able to gain access. It need not even be detectable in that an agent could obfuscate a fingerprint, or covertly administer a drug to change a voice pattern. None of the characteristics you mention are unique to biometrics, aside from being a part of the body, which is what defines a biometric and is, hence, a logical definition flaw.

      I don't remember suggesting that we use hair color alone as a means of authentication... That people have physical characteristics that are easy to change/fake is pretty irrelevant to whether "having" physical characteristics yourself brings up different security concerns than "having" an object with certain physical characteristics.

      I asked for a fundamental difference between biometrics and other "something you have" objects. Your reply was that biometrics are not easily changed. In response I gave an example of a biometric that is easy to change and a non-biometric that is not easy to change. How then can you claim that this is a fundamental difference that warrants biometrics being classified differently?

      You will see a difference when you ask the user to change his DNA for future authentication.

      This is completely irrelevant to your point. You claimed a fundamental difference was that a legitimate user cares if they have a biometric taken from them. I provided an example case where a user would care a great deal about a regular "something you have" and another where a user would not care at all if a biometric "something you have" is taken. Your response that a different property (and one I already have shown to be false) is the fundamental difference just shows how indefensible your assertion is.

      You have still not shown any difference of biometrics in general that makes them different and need to be treated differently than other "something you have" keys. You've mentioned plenty of examples of how a particular biometric differs from a particular "something you have" but no trait that is unique to biometrics. Why should I treat biometrics differently than any arbitrary "something you have" key?

      I'm afraid you are just trying to invent some difference and/or sidestep any argument to avoid admitting that you were mistaken. You still have not provided a single fundamental difference.

    38. Re:Information Security by nine-times · · Score: 1
      You claimed a fundamental difference was that a legitimate user cares if they have a biometric taken from them.

      No, I claimed that they'd care if you asked them to change their authentication. My assertion from the beginning was, while lifting my fingerprints might be easy, it's hard for me to change my fingerprints. Getting DNA, taking a picture, scanning my retinas might be within our technology, but ask me to change my DNA, have enormous amounts of plastic surgery to change my face, get hand/eye transplants, and you're going to run into trouble. Passwords can be changed. I can be issued a new keycard. You want to issue me new hands and a new face, that's a problem.

      I'm afraid you are just trying to invent some difference and/or sidestep any argument to avoid admitting that you were mistaken. You still have not provided a single fundamental difference.

      And I'm afraid you're just stonewalling and there's no point in continuing this. If you want further clarification, go back and read my prior posts, as I don't intend to respond further.

    39. Re:Information Security by 99BottlesOfBeerInMyF · · Score: 1

      I claimed that they'd care if you asked them to change their authentication.

      Will a user care if you ask them to undergo surgery to have the RFID chip (not biometric) implanted at the base of their skull removed? Yes they will. Will a user care if you ask them to get plastic surgery on their face (biometric)? Some will, some won't. Will a user care if you ask them to shave their mustache or dye their hair (biometric)? Most probably won't. Will they care if you ask them to take pills that will alter a portion of their body chemistry (biometric) that will have no detectable effect except for being readable by a scanner? Unlikely.

      There are numerous non-biometric "something you have" keys that users will care about getting changed and even some examples of biometric keys users most likely will not care about having changed. Sorry, this property also fails the test.

      If you want further clarification, go back and read my prior posts, as I don't intend to respond further.

      I've read your prior posts. The number of fundamental differences you listed is zero. I've given examples to disprove every one you've come up with and you've failed to refute any of my examples. Everything you have presented is a way some biometrics differ from some non-biometric "something you have" keys. I don't expect you to respond and that is just fine; you've been grasping at straws for quite a while. I'm sorry you can't see the danger of special casing biometrics and I'm sorry you seem intent on doing so. I hope that your promotion of this process does not lead you, or more likely someone else trying to create or follow a formal authentication policy to misuse biometrics in a dangerous way. There is already plenty of such misuse going on and I'm sorry I was unable to convince you from a purely logical standpoint that your categorization is wholly unnecessary and dangerous.

  20. Password manager by Neil+Watson · · Score: 1
    I encrypt my passwords in a text file. Many passwords I can remember but, some are used infrequently. Keeping them encrypted yet easy for me to access has made my life easier. I wrote about it Here

    For everyday users I don't think constantly rotating passwords is a good idea. It's too inconvenient for them. Once that happens they start to write them down. I think a combination of a hardware key and a passphrase offer better security. As the saying goes, something you know, something you have or something you are.

    1. Re:Password manager by JamesTRexx · · Score: 1

      Same here. Not only is the file encrypted with ccrypt, but I store it at home on one of the machines with an obscure filename. Whenever I need it at work I can ssh home and read/change it.

      --
      home
    2. Re:Password manager by Anonymous Coward · · Score: 0
      Not only is the file encrypted with ccrypt, but I store it at home on one of the machines with an obscure filename.

      You do not trust your encryption program?
    3. Re:Password manager by JamesTRexx · · Score: 1

      Any encryption can be cracked eventually, so I never trust it completely. And it's a simple extra precaution.

      --
      home
  21. And for the contrary opinion by joeflies · · Score: 2, Informative
    CNET commentator mentions that you should take the results with a grain of salt. A company that sells tokens wouldn't publish a report saying that most people are ok with passwords. And also note at the end - the actual survey data is not available to you unless you're a member of the media.

    Then there's also the fact that Lloyds performed a survey that contradicts the findings - passwords are fine as long as there's proper education.

  22. Get rid of them by Otter · · Score: 1
    At least part of the problem in my workplace is that there are dozens of different webapps (which is a problem in and of itself), each of which has a different login/pass combination. It is simply impossible to not write them down.

    A simple solution would be to just eliminate password protection on most of them. They're only available on the intranet -- is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

    1. Re:Get rid of them by Kainaw · · Score: 3, Funny

      is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?

      Funny you should ask... I found the web-based Sexual Harassment training a stupid waste of time and energy. I tried to get it stopped, but management wouldn't listen. So, I wrote a script that pulled everyone's username from LDAP and completed the training for them on the first day it was available. Everyone got a "thank you" email and nobody wasted any time (except me - but then I spend my day reading slashdot).

      --
      The previous comment is purposely vague and generalized, but all of the facts are completely true.
    2. Re:Get rid of them by TykeClone · · Score: 1
      At least part of the problem in my workplace is that there are dozens of different webapps (which is a problem in and of itself), each of which has a different login/pass combination. It is simply impossible to not write them down.

      The Federal Reserve System is finally moving from their old DOS based Fedline system to a web based one. The old system was secure - a stand alone machine on its own dial-up connection. Users required 2 passwords - 1 for the system and 1 for "host communications". They changed frequently, but didn't suck too much.

      Fedline on the web, however, takes this to another level. Each "application" that you access on the web has its own password, beyond the password you need to access the initial site. It's always fun to tell the operations people that we can now do this on the web, but here are your 8 additional passwords - I think that I'm going to have a user revolt because of it someday.

      Kind of makes one want to drop the FRB apps and use a simpler system through a correspondent bank...

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    3. Re:Get rid of them by Anonymous Coward · · Score: 0

      If there is no security, I could write a web page on the internet that when viewed by you would do anything I wanted with the application on the intranet.

      The best part is when they check the logs, they will say the request all came from your PC.

    4. Re:Get rid of them by jjoyce · · Score: 3, Funny

      But now you've got bigger problems 'cause they're all running around playing grab-ass.

    5. Re:Get rid of them by penguinoid · · Score: 1

      While I admire your going the extra mile to help your users, you are opening the possibility that you will be used as a scapegoat if there is a sexual harassment problem in your office. I don't know anything about where you work, but I think the "training" is just a way for the managers to cover their asses if there is a scandal. Now they can't cover their asses except by pointing the finger at you.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    6. Re:Get rid of them by jazman · · Score: 1

      reminds me of that Dilbert where Wally goes on SH training, then goes up to Alice and says something like "Amazing - 30 minutes training completely erased billions of years of evolution. Do something sexy and watch me ignore it!"

  23. ... MSN Passport? by everphilski · · Score: 4, Informative

    ... nobody seems to be a big fan ...

    -everphilski-

    1. Re:... MSN Passport? by vsprintf · · Score: 1

      ... nobody seems to be a big fan ...

      Yeah, and all just because Passport allowed sinister types to hijack your hotmail account and any information you had entered in Passport. One little mistake by Microsoft that was remedied within a few weeks, and the people on Slashdot can never forgive or forget or stop talking about it or bringing it up over and over again whenever Passport is mentioned. Personally, I can't think of any company I'd trust more with all my personal and financial information. (If anyone had trouble detecting the sarcasm, let me know, and I'll work on it. :)

    2. Re:... MSN Passport? by Anonymous Coward · · Score: 0

      what is sad is the number of people that actually think that way.

  24. The right tool for the job by El+Cubano · · Score: 1

    Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?

    Just use the right tool: MyPasswordSafe

    There is also a GNOME or GTK tool that is similar, but I didn't like the features nearly as well. This thing will store your passwords in an AES encrypted file protected with (I believe) an arbitrary length passphrase (mine is about 100 characters). I believe that it similar to the password safe (or something like that) that comes with Mac OS X, but it has been a long time since I even had a look at it.

    1. Re:The right tool for the job by Drubber · · Score: 1

      There is also Password Safe, from Bruce Schneier, author of the venerable Applied Cryptography tome. It's an open source project and very good, IMO.

  25. Compromise by Daveznet · · Score: 1

    It's about compromise. Having a crazy password policy implemented is going to force the end users to write down their passwords underneath their keyboards etc., and having a simplistic policy is no good for obvious reasons. What needs to be done is have a policy that is usable and secure. Not only do policies regarding password generation need to be put in place but policies about writing them down and leaving them on your desk need to be an issue as well. Computer security has to be both on the computer and the user end.

    --
    GL HF!
  26. One solution... by jd · · Score: 1
    ...would be to use one password you can remember, for everything. Almost. The key is in that "almost". You have a password calculator, on which you enter your password and the name of the facility you want to access as one long string. The calculator uses a hash function to turn that into a meaningless string. You now have one unique password per machine you want to use, but only one password to actually remember. Nothing is written down and if anyone examines the calculator, all they'll see is a device that does MD5 or SHA1 hashes - they won't be able to actually get any passwords from it.


    Furthermore, unless someone DOES obtain the calculator AND knows how you identify the machine, you can tell who you like what the password you remember is. They'd still have to guess the hash function and the salt you're using. And if the user doesn't know how the calculator works (only that it does), social engineering won't help in getting the function, even if the cracker got all the other data. A cracker would need to actually try different hashing functions to be able to crack passwords for other sites, which increases the odds of them being detected.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
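    As an added example (not jd's own calculator), the per-site derivation the post describes: one remembered master password plus the site name goes through a hash and out comes a distinct password per site. It uses PBKDF2-HMAC-SHA256 instead of a bare MD5/SHA1 hash so that a leaked per-site password cannot be cheaply brute-forced back to the master, and it adds a generation counter for sites that force rotation; the iteration count, alphabet and length are assumptions.

```python
"""Added example: a deterministic "password calculator". Nothing is stored;
the same master password, site name and generation always yield the same
site password. Parameters below are constructed for this example."""
import hashlib
import string

# 64 symbols: 256 is a multiple of 64, so byte % 64 selects symbols without bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64
ITERATIONS = 100_000  # PBKDF2 work factor (assumption)


def site_password(master: str, site: str, generation: int = 0, length: int = 16) -> str:
    """Derive the password for `site` from the master password.

    `site` is normalised so "GitHub" and "github " agree; `generation` is
    bumped when a site forces a change, giving a fresh but still
    recomputable password without the master ever changing."""
    if length < 8:
        raise ValueError("site passwords should be at least 8 characters")
    site_key = f"{site.strip().lower()}:{generation}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site_key, ITERATIONS, dklen=length)
    return "".join(ALPHABET[b % 64] for b in raw)


def differs(a: str, b: str) -> bool:
    """True when two derived passwords share no character position (sanity check)."""
    return all(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    master = "one password to rule them all"  # constructed sample value
    for site, gen in (("mail.example", 0), ("bank.example", 0), ("bank.example", 1)):
        print(f"{site:14} gen {gen}: {site_password(master, site, gen)}")
```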
    1. Re:One solution... by geekoid · · Score: 1

      or, have a long phrase that's easy to remember and personal. For example I could use the initials of the county I was born in, the sum of the zip, then the abbrev. of the state my wife was born in, the first 3 of my childhood pet, followed by the sum of my age when my children were born.
      so: cos24nevtob73
      once you start using it, it will become easy to remember, but if I should forget, I can figure it out.

      now, you would need to know a lot of personal information to find out what my password is. To be extra paranoid, I could put in information that is not documented anywhere, or not related to me.

      of course this is just one example, but you could use this everywhere and be pretty secure.
      If your ISP/work can't figure out they're being brute forced, then no amount of security will help them.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  27. Keep it simple by $RANDOMLUSER · · Score: 1

    I use MYCROFTXXX.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  28. tired of remembering all my PINs and passwords by kalla · · Score: 0

    I have to remember at least two PIN numbers for my job, then at least four safe combinations, and then countless computer passwords. It's ridiculous. This sort of thing actually encourages worse security, because there is NO way I am going to be using a different password on every account, so I use the same one on every box. Whenever I am forced to "change the password" I switch to password B. Then the next time, it's back to password "A". And don't get me started on the "must be at least ten characters, use random numbers, letters, at least one capital letter and special character" crap.

    1. Re:tired of remembering all my PINs and passwords by TheRaven64 · · Score: 1

      At a previous job, I had to take my hard drive from my machine at the end of each day and put it in a filing cabinet. This then had a combination locked bar bolted to the front (one of those right n, left m, right k... things). One day, I got in, past the security guards, with my photo-ID badge, past the keypad lock on the door, got to my desk, and realised I had forgotten the combination to get out my hard disk and start working. Ten minutes later, I had discovered that those locks are actually really easy to crack...

      --
      I am TheRaven on Soylent News
  29. I use Password Safe by alan_dershowitz · · Score: 4, Informative

    I use Password Safe on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine, which works fine. For my OS X machine, I use pwsafe, a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other unix password safe compatible workalikes to be extremely poor.

    This solution works well for me. Just make sure you back up your pen drive.

    1. Re:I use Password Safe by hey · · Score: 1

      Me too, it's good.
      I especially like the LACK of bells and whistles.

    2. Re:I use Password Safe by sploxx · · Score: 1

      I use Password Safe on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application.

      You use the USB pen drive because you want to have your passwords portable? Do you use it only on computers installed by yourself?

      What if the PC on which you use your decryption app has a password logger installed?

      I think that a cheap pocket database/organizer would be a better way to store passwords. Attaching a cable to get a dump of the database's flash memory is still a bit harder than using a hw/sw key logger. If the organizer encrypts everything with your master password, the situation is even better.

    3. Re:I use Password Safe by alan_dershowitz · · Score: 1

      With the exception of my machine at work, I do not use it on any machine I did not configure myself. All the machines however, are used exclusively by me.

      As for keyloggers, the apps both dump the password into the clipboard, bypassing the keyboard. The master password I actually made a string with letters, numbers, capital and lowercase, that happens to be a common string typed on any particular machine I use. It's not a perfect solution, but I'm willing to take acceptable risks to get around the fact that I need over 40 passwords for my job/personal life.

      The most unobvious but important risk mitigation suggestion I can recommend is keep your work password database separate from your personal password database. There's no good reason to keep them together, and very good reasons to keep them separate.

    4. Re:I use Password Safe by Anonymous Coward · · Score: 0

      check out wikid: https://sourceforge.net/projects/wikid-twofactor/

      open source, two-factor authentication

    5. Re:I use Password Safe by NivenHuH · · Score: 1

      FYI, the Keychain Access utility in Mac OS X will do this for you as well.

      --
      Just when you make it idiotproof, some idiot builds a better idiot.
    6. Re:I use Password Safe by Anonymous Coward · · Score: 0

      Password Safe is a great little app. I've been using it for about a year now. I expected to find this discussion full of its praises. We need more Slashdotters to get on board and see how great it is.

    7. Re:I use Password Safe by darrylo · · Score: 1
      I think that a cheap pocket database/organizer would be a better way to store password. Attaching a cable to get a dump of the database's flash memory is still a bit harder than using a hw/sw key logger. If the organizer encrypts everything with your master password, the situation is even better.

      Yes, a PDA is the way to go (cheap or otherwise ;-). It's much more portable than a desktop or laptop (which you need with a USB drive), and you have a much lower chance of encountering keyloggers and the like. USB drives can also get infected with viruses, etc.

      Of course, storing the data in encrypted form on the PDA is an absolute must. Anyone who doesn't, gets what they deserve. ;-)

    8. Re:I use Password Safe by sploxx · · Score: 1

      It's not a perfect solution, but I'm willing to take acceptable risks to get around the fact that I need over 40 passwords for my job/personal life.
      Well, for some passwords I even have a text file, especially for the 100+ web accounts that are not really important but still somehow necessary. Of course, one needs to be realistic here :)

    9. Re:I use Password Safe by Anonymous Coward · · Score: 1, Informative
      I like PassSafe too, but I carry it on my USB pen (with my PortableFirefox and my PortableThunderbird) all encrypted with truecrypt that gives one level more of security (in windows, that extra level is very good ;)

      Sorry 4 my bad English, cheers..

    10. Re:I use Password Safe by loyukfai · · Score: 2, Informative

      FYI, there is a similar project called KeePass.

      http://keepass.sourceforge.net/

    11. Re:I use Password Safe by Huh? · · Score: 1

      Here is a "Password Safe" compatible program that runs natively in linux. Nice if you don't want to use WINE, and want to share a Password Safe database with Windows machines.

  30. Simple Method by abscondment · · Score: 1

    I never seem to run into this problem. I have one password, with roughly four levels of complexity. Each version has the same meaning, and as such they're all easy to remember. Which one I use depends on the criticality of the resource it protects, but no matter which one it is, I'm never more than 3 tries away.

    Now, when there are policies in effect that enforce password changing and prohibit reuse of old passwords, this presents a problem: it's hard to continue generating new obfuscations of the same phrase.

  31. What about passphrases? by jotok · · Score: 1

    It's a lot easier for me to remember "It was the best of times, it was the worst of times" or "Iwtbot,iwtwot" than some "strong" password (say, 10 characters, case-sensitive, with special characters and numbers thrown in).

    Although we'd still have to deal with most of my co-workers using "Git r dun!" as a passphrase...le sigh.

  32. Password Database, Encrypted by Atlantic+Wall · · Score: 0

    The best password database storage app I have used is Password Manager by Cp-Lab. It encrypts your passwords with 8 diff types of encryption in a small db. Well developed, cheap, allows for custom printing and custom fields. For IT admins this is a must. NOT A SLASHVERTISEMENT http://www.cp-lab.com/

    --
    To Hell with the Queen of England!
  33. I work in web hosting... by Skadet · · Score: 2, Interesting

    In the (California-based!) tech support center. You might be shocked at the number of people who have no idea how security works.

    Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"

    I am not joking. People call in all the time wanting their login information without being able to verify a thing. By the way, when this happens, there are two options - the "forgot password" form which mails the info to the admin address on record, or providing the billing CC# (you pay the bill, you get the key)

    But I digress. Ultimately, the general public couldn't care less about passwords because they don't truly understand their function other than "it gets me where I need to be"

  34. Microsoft Passport by Evil+Butters · · Score: 1

    What? You mean you all don't just use Microsoft Passport?

    HA! HA!

    --
    Homer no function beer well without.
    1. Re:Microsoft Passport by Skadet · · Score: 1

      I was completely expecting the HA! HA! guy from fark. /don't mod if you don't know what I'm talking about //where'd the ha ha guy go?

  35. johnny mnemonics by Uzik2 · · Score: 1

    Mnemonics make it simpler. Think of a phrase that's important to you personally, such as "now is the time for all good men to come to the aid of their country". For site #1 use the first letter of each word as your password: "nittfagmtcttaotc". For site #2 use the second letter, etc. If the word is short substitute the site number. It can be easily remembered without any paper to prompt you and generates long passwords not findable by dictionary attacks.

    I hope they didn't waste taxpayer money on that study.

    --
    -- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
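    Added example (not code from the post above or from anyone in this thread): a Python implementation of the letter-position rule exactly as the poster states it, first letter of every word for site #1, second letter for site #2, and the site number substituted for any word too short for that position. The phrase is the one the poster uses; the site numbers and the coverage check are assumptions made here to show what the rule produces as the position moves along.

```python
"""Letter-position mnemonic passwords, as described in the post above.

Added example, not code from the original thread. It implements the stated
rule only; the coverage check is an addition for illustration.
"""
from typing import Dict, Iterable, List

# The poster's own phrase (sixteen words, longest word seven letters).
PHRASE = "now is the time for all good men to come to the aid of their country"


def mnemonic_password(phrase: str, site_number: int) -> str:
    """Password for site `site_number` (1-based): letter at that position of
    every word, or the site number itself where the word is too short."""
    if site_number < 1:
        raise ValueError("site numbers start at 1")
    index = site_number - 1
    chars: List[str] = []
    for word in phrase.split():
        if index < len(word):
            chars.append(word[index])
        else:
            # Word too short for this position: substitute the site number.
            chars.append(str(site_number))
    return "".join(chars)


def position_coverage(phrase: str, site_number: int) -> float:
    """Fraction of words that still contribute a real letter at this position.
    Anything below 1.0 means part of the password is just the site number."""
    words = phrase.split()
    usable = sum(1 for w in words if len(w) >= site_number)
    return usable / len(words)


def derive_all(phrase: str, site_numbers: Iterable[int]) -> Dict[int, str]:
    """Every site password that follows from one phrase and the rule; this is
    exactly what an attacker who learns the phrase can also compute."""
    return {n: mnemonic_password(phrase, n) for n in site_numbers}


if __name__ == "__main__":
    for n, pw in derive_all(PHRASE, range(1, 9)).items():
        print(f"site #{n}: {pw}  coverage={position_coverage(PHRASE, n):.0%}")
```

    Running it on the sample phrase, site #1 gives the poster's "nittfagmtcttaotc" with every word contributing, but only two of the sixteen words are five letters or longer, so site #5 comes out as fourteen copies of the digit 5 followed by "rt", and from site #8 onward every password is sixteen copies of the site number. The coverage number is the check worth running before trusting a site number under this scheme, and derive_all shows that the phrase is the single secret behind all of them.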
  36. It's easy by carlosnotjackal · · Score: 1

    http://keepass.sourceforge.net/ Just a master password needed.

    --
    quis custodiet ipsos custodes?
  37. I'm surprised that nobody has mentioned..... by 8127972 · · Score: 2, Interesting

    ..... Single Sign-On Manager by RSA. The IT manager then has the choice of using an RSA SecurID Authenticator, RSA Smart Card, RSA USB Authenticator, a biometric or (god forbid) a password.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:I'm surprised that nobody has mentioned..... by thermal_noise · · Score: 1

      > ... choice of using an RSA SecurID Authenticator,
      > RSA Smart Card, RSA USB Authenticator ...

      So I got all that vendor independence going for me.

      Which is good.

    2. Re:I'm surprised that nobody has mentioned..... by fugspit · · Score: 1

      That's simply amazing! A survey commissioned by RSA Securities highlights a problem that can be solved by products from ... RSA Securities.

      Whatever next?
      A survey conducted by Starbucks reveals that "Coffee is good for you"
      A study by Anheuser Busch uncovers the fact that alcohol is good for the heart
      An independent think tank funded by Microsoft issues a report proving that Windows is faster/securer/cheaper/sexier than Linux

  38. Security by Widowwolf · · Score: 4, Informative

    This is why I use a free program called Password Safe (http://www.schneier.com/passsafe.html). You remember 1 password to login to your safe and then you can see all your entries from there..and as far as I know there is no limit on #1 the entries in each list, #2 the amount of lists you can have..you just have to remember that one password..a definitely good utility for Windows..all you Apple and Linux heads..don't know if it will work for you. It only takes a second to login and you are ready to go.. and the file that stores them auto-encrypts your data..as far as I know no one has broken it..From their front page

    With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.

    --
    ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
    1. Re:Security by nsayer · · Score: 1

      I use a free program to do this called Keychain Access. Not only is it free, but it came with my computer. No download required.

    2. Re:Security by Widowwolf · · Score: 1

      whered you get your prebuilt from?Laptop or desktop?

      --
      ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
    3. Re:Security by Ernesto+Alvarez · · Score: 1

        This is why I use a free program called Password Safe


      I do exactly the same as you do, except I run a similar program on my PDA. Pretty good idea, and the most often used passwords usually end up memorized, minimizing the need to unlock the database. You should probably try random passwords also.

      Regarding Password Safe, it's encrypted with blowfish. Unless the author (Schneier) made a design mistake your passwords should be safe. Tried to get it used at work, without success, though.

      Another thing I also use is Mozilla's password manager (in FIPS mode). Easy to use, too.

      I also complement things with OPIE (also known as S/KEY) for my root account, which I don't use unless necessary, and with SSH public keys and GPG (but that's another story).
    4. Re:Security by nsayer · · Score: 1

      From Apple. It's a PowerBook. My reply was designed to be slightly humorous. Keychain is a facility built into the OS to allow any application to store sensitive information in a secure password-protected store. The user has control over when and/or how often he is prompted for his keychain password. Since the prompts come from the system they are resilient against spoofing (at least so long as you don't ignore the warning signs of a spoofed window). Additionally, Keychain Access allows you to store things like secure notes, so you can safely store things like safe combinations or non-computer passwords or website passwords that don't allow saving. It's also the certificate and CA manager.

  39. Text file with automatic encryption/decryption by Gzip+Christ · · Score: 1
    Here's my solution... I have emacs set up to automatically encrypt and decrypt files that end in .gpg when I open/save them. It's very handy for safely keeping all my passwords. I use crypt++ and this snippet for my .emacs file:
    ;; make sure the gpg binary can be found (adjust to wherever gpg lives)
    (setq exec-path
          (nconc exec-path '("/usr/local/bin")))
    ;; crypt++ relies on mailcrypt for its gpg support
    (load-library "mailcrypt")
    ;; use gpg as the encryption backend for .gpg files
    (setq crypt-encryption-type 'gpg)
    (require 'crypt++)
    1. Re:Text file with automatic encryption/decryption by Neil+Watson · · Score: 1

      If the unencrypted working file is stored on your hard drive it can be retrieved by others via undelete programs. Be sure to store it in RAM only.

  40. There's some decent password managers by Nik13 · · Score: 4, Informative

    Too many passwords? Definitely, especially if you work in IT, I have dozens of them to remember... Even for home stuff I got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to use a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there's lots of others - including some F/OSS ones like KeePass or Oubliette, you can even find a bunch on sourceforge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays), the DPAPI could be useful too.

    Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only work in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.

    Not sure what's out there for linux though...

    --
    ///<sig />
    1. Re:There's some decent password managers by dbug78 · · Score: 1

      IMO, the missing piece for all these password managers is the ability to be transparent. My users already authenticate when they sign on in the morning. There's no reason they should have to further authenticate to get into our processing software or QuickBooks or anything else. These password managers should be able to create special Windows shortcuts that will launch the application and automatically type the name and password for you. It has all the info it needs... name, password, path to executable. When you create a "special" shortcut, it's actually running the password manager's executable with an identifier for the app. The PM launches the app you want and, after a configurable delay, automatically completes the login process for you.

  41. App on my Palm Pilot by f_g_goss · · Score: 2, Interesting

    I have two apps on my Palm: one generates passwords, another stores them in a "vault" with a master password. Works well especially the password generator. I just select upper/lower/mixed case, alpha characters and how long to make the password string. Copy-paste into the password vault. Done.

  42. I tried reasoning with the IT people by TomorrowPlusX · · Score: 2, Interesting

    I made the argument, some time ago, that instead of forcing us to make new passwords every 45 days ( which is basically a solid way to guarantee weak, easily dictionary-attacked passwords stuck on the monitor ) they should allow us to keep our passwords longer the more complicated they are.

    Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.

    Seems to me that's a reasonable approach: reward people for better passwords.

    Suffice to say, I was told: "No way, we like it as it is"

    --

    lorem ipsum, dolor sit amet
    1. Re:I tried reasoning with the IT people by omgwtfroflbbqwasd · · Score: 1
      There are a few main attack vectors with regards to simple (one-factor) passwords:
      • Brute Force (vs live system or cracking encrypted pw)
      • Interception (trojan, sniffer)
      • Intentional sharing/distribution
      Complex passwords really only protect against brute force attacks - be it against a live system or against a password database (shadow, SAM, etc.) One factor authentication can only defeat intentional sharing if you are using biometrics - tokens or passwords by themselves can be shared. Thus, the main weakness to your approach (short of two-factor auth) lies in the likelihood of the password being intercepted. If said password traverses the network unencrypted, then that probability is high and voids your argument, but that all depends on the network applications which the password is used for.
  43. Biometrics not the solution by millermj · · Score: 4, Interesting

    There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.

    --
    Did anyone bother to ask the customers what they want?
    1. Re:Biometrics not the solution by Nik13 · · Score: 1

      That's one thing that kinda worries me. One could make a simple USB device pretending to be a fingerprint reader using a microcontroller, using the same Device_ID/Product_ID as a real USB fingerprint reader (preferably a common one that's widely supported), that would send pre-recorded biometric data from a flash ram. It sounds pretty simple to do. I don't know in what format that data is stored (similar to some image file or very long hash I imagine), and once someone has a copy of it (if it's like an image file then it would be possible to fabricate one from fingerprints you leave everywhere), then they'd basically have a copy of what's meant to be proof of your identity... It sounds quite simple to intercept or copy the biometric data (stored inside some DB - risk of SQL injection and other threats). It doesn't sound exactly secure to me.

      --
      ///<sig />
    2. Re:Biometrics not the solution by SydShamino · · Score: 2, Interesting

      Yes, fake fingerprints or retina are a problem for biometrics.

      But, a bigger problem (for now) is someone cracking your database of biometric data, and being able to retrieve the information you store to identify people. This is why there is research into Replaceable Biometrics.

      If the stored database cannot be related to the person, then again a criminal is forced to go directly to the source (you) to copy or steal the finger or retina. Ideally, they would then be stopped by not knowing your password, or not having your key. If a criminal has all three, such as by kidnapping your children and forcing you to retrieve the data yourself, then there is still a fourth identification option:

      * Something you do (i.e. something out of the ordinary that draws attention to yourself)

      If you walk in and say "Hello Bob" to the security guard every day, and today you say "Hello Jim", maybe he will know something is up and alert the police. Or, maybe the security guard simply notices that you are sweating or looking very nervous, and investigates without you intentionally alerting him at all.

      --
      It doesn't hurt to be nice.
    3. Re:Biometrics not the solution by tooth · · Score: 1

      I've heard that some retina scanning systems can be setup like that: Right eye == all okay, let me in. Left eye == let me in, but trigger silent alarm.

    4. Re:Biometrics not the solution by Anonymous Coward · · Score: 0

      Of course there's a way to exploit just about anything. But it's an arms race. When that type of lock gets compromised, you can either shrug and run with the odds or upgrade to the next technique.

      Padlocks and regular door locks were first compromised when? And people still use them.

      The ideas is just to make things more difficult for your criminal than the next target.

      If you think you have the "perfect" method that can't be compromised (which by your own admission you don't), good luck... it isn't.

      One good way to reduce password complexity BTW is to... ah... don't keep so many accounts.

    5. Re:Biometrics not the solution by Tired_Blood · · Score: 1

      I'd like to see you try changing your fingerprints.
      Reminds me of this guy, though it was poorly executed. Unfortunately for him, even if it was done well any future robbery investigations would be simpler given that very few people have blank fingerprints.

      Back on topic, the real problem with biometric security measures is that it's easier to remove body parts than it is to fake them. If given the option of being forced to provide a means of authentication, I'd prefer losing control of a passphrase over losing an eye if only because it's far easier for me to eventually regenerate a new passphrase.

      --
      This is not my sig.
    6. Re:Biometrics not the solution by permaculture · · Score: 1

      Back in the 80s I stayed a while with a British Army base in Germany. At the time they were on 24 hour alert; i.e. if the Russians invaded they'd be ready to move out to the combat theatre in 24 hours.

      One of the tasks I accompanied them on was guarding a series of ammo bunkers. During the briefing I was permitted to listen in to the initial instructions, but I was sent out of the room when they gave out the "silent alarm" code. This is the code you use when you're under duress, i.e. if your wife is held hostage or someone is holding a gun on you.

      In one episode of Dr Who, the Brigadier managed to give a silent alarm to the Doctor, even without having made a previous arrangement. He was phoning the Doctor with a gun at his head, and he said "Everything is perfectly fine. And Doctor, you can tell that to the Grenadier Guards." This was sufficient to alert the Doctor to the situation.

      --
      Environmentalism is the new Victorianism. Everyone ties on a green corset and pretends we're virtuous.
  44. Its easy.. by slashmojo · · Score: 2, Informative
    There's loads of handy password management apps around for all platforms such as..

    Revelation for linux/gnome.

    Lots more you can find on http://tucows.com/ or your favourite software download site..

    I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your pc dies.. ;)

  45. Password Management Software by binaryspiral · · Score: 1

    FlexWallet or eWallet.

    I prefer FlexWallet for all of my passwords. I use more than 30 passwords just for systems I am responsible for accessing. It has a desktop app and a pocketpc version that syncs when docked.

    Triple encrypted goodness on the database it uses. Now I just have to remember the password for that.

  46. My System for Passwords by under_score · · Score: 2, Interesting

    I have three "good" passwords upon which I create variants. The three basic passwords all have a pseudo random combination of caps, lowercase, numbers, and punctuation. Then, when I have to change a password due to corporate policy, I simply change a single character so that my password gradually evolves... and stays very memorable. Admittedly, remembering the base passwords in the first place was a bit painful. But so far that I know of in over ten years of use, I have never had a password compromised, including passwords on servers that are publicly accessible. In my own experience, most tech users who are not technically inclined do indeed have very poor passwords: sometimes just their names even. I try to educate people on it but it is hard going. Most people just don't feel that it is worth the bother... and probably from their own perspective, a risk analysis would show they are correct.

  47. My girlfriend does this by AutopsyReport · · Score: 1

    If my girlfriend needs a new password, she doesn't think of something personal to turn into a password, but instead finds objects around the computer (that will usually never stray from it) and uses that as her password. So for example, a Dell Trinitron monitor, her password becomes trinitron. She picks up brand names from things associated with her work area or things around the house, and uses it once. At least the password isn't carried over to different accounts she has, and the password is easy to remember when it's right in front of you. Eventually she memorizes it by constantly having to look for it. Though I wouldn't recommend this technique for the Slashdot crowd -- Playboy is such an obvious password.

    --

    For he today that sheds his blood with me shall be my brother.

    1. Re:My girlfriend does this by soft_guy · · Score: 1

      This technique is still vulnerable to a dictionary attack.

      --
      Avoid Missing Ball for High Score
    2. Re:My girlfriend does this by sploxx · · Score: 1

      So for example, a Dell Trinitron monitor, her password becomes trinitron. She picks up brand names from things associated with her work area or things around the house, and uses it once.
      Ok, you have a very valid reason for not making your girlfriend's name public. And is not because you don't really have one :-)

    3. Re:My girlfriend does this by AutopsyReport · · Score: 1

      Definitely. But so is pretty much every other common password. It is an alternative, however, to trying to conjure up meaningless passwords that you have to write down to remember.

      --

      For he today that sheds his blood with me shall be my brother.

    4. Re:My girlfriend does this by soft_guy · · Score: 1

      The book "Authentication" recommends a scheme whereby you create a password consisting of 2 short unrelated words with a number or punctuation character in between. They say this is a good compromise between ease of remembering and security from dictionary attacks.

      Examples:

      duck3quit
      item(mind

      These are easier to remember (you may not have to write them down) than something like "j4*v@m4o-", but just as secure.

      --
      Avoid Missing Ball for High Score
  48. Didn't there used to be a keychain fob for this? by mckwant · · Score: 1

    I seem to recall something on thinkgeek or something that had five buttons, and required 5+ keystrokes to validate that you could get into the password file. Then, on the attached LCD display, you'd see your passwords.

    Seems like exactly the sort of thing that would be useful in this sort of situation. Anybody else had experience with this gadget, or similar?

    --
    ceci n'est pas un sig.
  49. What's news? by Tony · · Score: 1

    Every few months somebody makes the "discovery" that users can't remember all their various passwords, and that help-desks are swamped changing passwords, usually for the same dozen users that can't remember how to do their own job on the computer, and are always asking for help with some program called "Microsoft," as in, "Oh, I'm using Microsoft, and I need to know how to find out how many departments have gone over budget."

    This is the same damned thing that's been going on for almost twenty years. And yes, corporate password policies add to the problem, rather than fixing it. As a superuser, I've been using "God as their password" as my password for years, since I heard that most 1337 h4ck3r6 use "God as their password." I've never been hacked. Or cracked. Or sniffed. Or snuffed. Go figure.

    So, this is exactly the same thing they'll find out next year, too.

    --
    Microsoft is to software what Budweiser is to beer.
  50. Can we say "duh"? by phlegmofdiscontent · · Score: 1

    Seriously, I've got maybe 9 email addresses, 3 or 4 different logins at work and dozens of websites with passwords. With the websites, I can have the password manager do its trick, but I'm screwed if I use someone else's PC or if someone uses mine, for that matter. So, I've had to resort to using the same couple passwords for the majority of things and I have to write down my work passwords. Who the hell can remember all of those passwords, especially if they rotate on a monthly (or whatever) basis and have to conform to rigorous password requirements?

  51. I write my passwords down. by LionKimbro · · Score: 3, Interesting
    I write my passwords down in a special location in a special book.

    • You can't look at my password over the Internet.
    • You can't (for at least 30 years) make a robot that will find my passwords.
    • If a server that stores my password is compromised, then it is only that password that is compromised.


    I have offloaded Internet security into Material security.

    I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.

    It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.

    But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.

    I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.

    If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.
    1. Re:I write my passwords down. by soft_guy · · Score: 1

      This sounds like a really good technique because in real life people are unlikely to know which book you have these written in and steal it from you, unless you are constantly using the book in front of people. If I were using this technique I would not tell my coworkers that I was doing so and I would try to avoid using the book in front of them.

      One nice feature is that if the book is stolen, or you suspect it has been stolen, you can change the passwords - provided you can change them without knowing them. The weak point is that if you lose the book, you might have problems remembering the passwords. But perhaps you are like me and don't lose things that you use frequently.

      --
      Avoid Missing Ball for High Score
    2. Re:I write my passwords down. by Catamaran · · Score: 2, Informative
      --
      Test 1 2 3 4
    3. Re:I write my passwords down. by LionKimbro · · Score: 1

      If I worked in a big company, where physical security was a real issue, I'd probably encrypt my passwords as I wrote them down, and decrypt them as I read them out. The aim isn't to be foolproof; the aim is to thwart casual curiosity snooping.

      If I didn't take my company password book with me home, I'd keep it in a locker at work.

    4. Re:I write my passwords down. by Anonymous Coward · · Score: 0

      I do the same thing. The only person that knows where I store my passwords is my wife, and I trust her. My desk is such a mess it would take forever to find where I wrote the passwords down (and I usually don't go parading around telling people I write them down)--see? security through obscurity does work. :)

      If someone did break into my house there's about 1000 other things that are way more valuable to steal than a freaking password book that you can use to login to amazon, newegg, and pay my gas bill. And I'd bet most computer criminals aren't willing to up the stakes from hacking someone's computer to breaking and entering.

      -- gid

  52. Simple, elegant solution by pubjames · · Score: 2, Interesting

    I saw on a web site somewhere (sorry can't remember where) a simple, elegant solution to this problem, at least when it concerns logging on to web sites.

    You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.

    I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.

    1. Re:Simple, elegant solution by Anonymous Coward · · Score: 0

      www.GiveMeTheKey.com ?
      by your description it looks like this is the one..

    2. Re:Simple, elegant solution by IceFoot · · Score: 1

      Hmmm. If someone finds out your ONE password, can't they use the same MD5 hash you use, and access ALL your web sites? No security there!

    3. Re:Simple, elegant solution by Kjella · · Score: 1

      For every problem, there's a solution that is simple, elegant and wrong. If you are using a weak password, I can locally try to calculate md5(weakpassword + mydomain) until I find a hash matching the one you sent me. I can even build a database of them, to use as a lookup table. Granted, it only takes one strong password but if you are using this for every puny site, chances are most will use a short password. If you have been relying on that "security" to keep passwords apart, I suddenly have your password for every site, since I too can now calculate md5(weakpassword + otherdomain). Unless you want to have a cryptographic salt, in which case you're back to the problem of moving it from machine to machine.

      Kjella

      --
      Live today, because you never know what tomorrow brings
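    Added example for the two posts above (pubjames's single-master scheme and Kjella's reply), not code from the thread: the per-site derivation with one master password hashed together with the domain, and the offline lookup-table attack against it. The concatenation order, the hex output, the constructed wordlist, the sample domains and the salted variant are assumptions made here for illustration; MD5 is used because that is the function the post names, not because it is a recommendation.

```python
"""Derived per-site passwords and the offline attack on them.

Added example, not code from the original thread. Assumptions: the site
password is md5(master || domain) in hex; the wordlist and domains are
constructed for the demonstration.
"""
import hashlib
from typing import Dict, Iterable, Optional


def site_password(master: str, domain: str) -> str:
    """pubjames's scheme as stated: one master, hashed with the domain."""
    return hashlib.md5((master + domain).encode("utf-8")).hexdigest()


# Constructed stand-in for an attacker's dictionary of weak master passwords.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon", "sunshine", "trustno1"]


def build_lookup_table(domain: str, wordlist: Iterable[str]) -> Dict[str, str]:
    """Kjella's precomputed table: hash -> candidate master, for one domain.
    The domain is public, so nothing here is secret except the master."""
    return {site_password(w, domain): w for w in wordlist}


def recover_master(leaked: str, domain: str, wordlist: Iterable[str]) -> Optional[str]:
    """The site operator (or anyone holding one leaked site password)
    looks the received value up in the table for their own domain."""
    return build_lookup_table(domain, wordlist).get(leaked)


def pivot(master: str, other_domains: Iterable[str]) -> Dict[str, str]:
    """Once the master is known, every other site's password follows."""
    return {d: site_password(master, d) for d in other_domains}


def site_password_salted(master: str, domain: str, salt: bytes) -> str:
    """Kjella's alternative: a secret salt that defeats the precomputed table
    but then has to travel with the user to every machine.  Still MD5 here
    on purpose, to isolate the effect of the salt alone."""
    return hashlib.md5(salt + (master + domain).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # The user picked "monkey" as the one master; forum.example sees the derived value.
    leaked = site_password("monkey", "forum.example")
    found = recover_master(leaked, "forum.example", WORDLIST)
    print("recovered master:", found)
    print("pivoted logins:", pivot(found, ["bank.example", "mail.example"]))
    salted = site_password_salted("monkey", "forum.example", b"per-user secret")
    print("salted lookup:", recover_master(salted, "forum.example", WORDLIST))
```

    The attacker in this run is the operator of forum.example, who receives the derived password at login and knows their own domain, so the only unknown is the master. A master that appears in the wordlist falls out of a single dictionary lookup, and pivot() then yields a valid login for every other site the same master was used on, which is the failure Kjella describes. The salted call at the end comes back with no match, showing the trade Kjella points at: the salt defeats the table, but it is a second secret the user now has to carry from machine to machine.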
  53. I hate passwords by null+etc. · · Score: 0
    Passwords are too complicated to remember. So are username, account details, etc. That's why I just hack into other people's accounts. Their passwords are much easier.

    It was a joke, people.

  54. Some of my pswds (old ones..really) by mayhemt · · Score: 0

    Gx2700 - impossible to guess (the model number of the Dell machine I log on to..)
    7940 - impossible to guess again..well it's the PIN for our corporate VoIP number...7940 happens to be my Cisco phone model number too..
    Fedoracore4 - impossible to guess again..(That I'm not telling what it is for...)

  55. Kerberos by PureCreditor · · Score: 1

    why can't all companies simplify and streamline their system access by using single sign-on systems like Kerberos?

    Then they can enforce frequent password change policies (45/90 days) without requiring the user to keep track of a dozen system accesses.

    I used to work in a bank that has 2 passwords for the intranet, one for Novell/Windows, 1 for Oracle, 1 for DB2, and about 4 separate Unix servers. gaaaaaaaaaaaaaaaaaaa

  56. Use tokens, and let users pick their passwords by m50d · · Score: 2, Interesting

    If you try and force users to use stronger passwords than they can remember or change them too frequently you'll just get post-its and helpdesk. If their passwords aren't secure enough, get them to use etokens or something similar.

    --
    I am trolling
  57. solution by tuggy · · Score: 1

    http://www.GiveMeTheKey.com

  58. Password Maker by yulek · · Score: 1

    I just started using PasswordMaker a few days ago and it's very cool. The only thing I don't like about this kind of solution is that if you somehow compromise your master password you've got to go and change ALL of your passwords.

    The Firefox extension for PM is very nice.

    --
    in this age of communication i'm just not getting through
  59. I changed my password this morning by RingDev · · Score: 3, Interesting

    And I had some app running in the background (something FF related?) that kept trying to auto-apply my original password (yes, I cleared the password from inside FF). After the 6th lockout of the day, I got my network techs to let me reset my password.

    Total cost of the password change? Maybe a man-hour's worth of time (between myself and waiting on the techs, and the techs stopping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  60. Great idea, until... by jxyama · · Score: 4, Insightful
    You encounter very common "change your password every N months and it cannot be the same as the last X passwords."

    I wonder how long before we figure out that this very requirement frequently leads to sequencing of the password, which completely defeats the purpose of changing it every so often.

    I do like your idea, though, for places where I don't have to change the password every so often.

    1. Re:Great idea, until... by Bush+Pig · · Score: 1

      I've worked in a lot of places that enforce this asinine rule. I've finally caved, and my password is now $name_of_favourite_child01, $name_of_favourite_child02, ... - fortunately the password-checker isn't smart enough to spot this.

      I figure if this causes any security problems, it's totally the fault of the accountants who think they know more about system security than an IT professional. If a secure system was actually really important to them, they'd just let me invent a good password and only change it when I thought it was necessary.

      --
      What a long, strange trip it's been.
    2. Re:Great idea, until... by bdcrazy · · Score: 2, Insightful

      From what I can ponder, the point of consistently changing passwords is to limit the time in which someone who has your password has access. Though just having the password once is enough to cause problems usually. Though if someone got your password and then changed it you will notice the next time you try and log on. Anybody have any ideas on any other reason you'd want changing passwords? That policy doesn't quite make sense to me, unless you didn't have other controls on where they could connect from, how much they had access to, etc.

      --
      Tonights forecast: Dark. Continued dark throughout most of the evening, with some widely-scattered light towards morning
    3. Re:Great idea, until... by tehshen · · Score: 1

      You encounter very common "change your password every N months and it cannot be the same as the last X passwords."

      I am more worried about someone gaining access to the system, and being able to see a list of all our common passwords. Which makes me use even more complex passwords, which makes it even harder...

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    4. Re:Great idea, until... by 6Yankee · · Score: 1

      Yup. In my last place they had this ridiculous rule. I went through the phonetic alphabet three times.

    5. Re:Great idea, until... by Tim+C · · Score: 1

      I worked on a system used predominantly by legal people - lawyers, their secretaries and assistants, etc. This system enforced a password policy that mandated changing passwords every 30 or so days, and prevented the reuse of the previous 5 passwords.

      *Every* single user I came in contact with used passwords of the form $password1, $password2, $password3, $password4, $password5, then back to $password1...

    6. Re:Great idea, until... by Bronster · · Score: 1

      D00d, you're so cool you obviously know what you're doing.

      I guess you're such a seasoned professional that you know all about exposure windows and you're so sure of the security of every piece of software on your network that there's no way that anyone could lift /etc/shadow or its moral equivalent from any of the machines, so you may as well just have your password sitting around being the same everywhere for years.

      Go you.

      I just wish more things would allow you to authenticate with an SSH key, then I could run ssh-agent locally, authenticate with my computer once per (login || screensaver_lock) and have it accepted by most services I have to deal with.

      Assuming no crack against dsa-1024, I'd be responsible for the security of my own "token" without the inherent problem that the amount of "randomness" a person can remember is now less than the amount that can be brute forced with a bot farm - which is the underlying cause for the need to change passwords frequently as well as have them more secure than your oh-so-clever little personal rebellion against all that's stale and st00pid about your life.

    7. Re:Great idea, until... by surprise_audit · · Score: 1

      Changing the password often takes care of the case where an attacker gets your password and accesses the system in a way that isn't easily visible. For example, if you're an accountant you might have access to company financial records, and it could be useful for a competitor to be able to view them occasionally. If your password is forcibly changed every month, the attacker has to get it all over again, and may leave a trail in the logs.

    8. Re:Great idea, until... by surprise_audit · · Score: 1

      I'm guessing it'll store the one-way encrypted passwords. If you try to reuse a password, it'll encrypt it via the usual method and find it matches. OK, so there may be extreme cases where several words hash to the same value, but they don't care...

    9. Re:Great idea, until... by surprise_audit · · Score: 1
      I just wish more things would allow you to authenticate with an SSH key, then I could run ssh-agent locally, authenticate with my computer once per (login || screensaver_lock) and have it accepted by most services I have to deal with.

      That would be nice, but I suspect that wouldn't work so well for me. I have to use ssh to get to a bunch of systems and when my login password expires I *still* have to update it. Never mind that I have authorized_keys, ssh-agent or anything else... Some of them have both ssh *and* telnet, and when the password expires ssh simply won't let you in. You have to telnet in and get the "password expired" prompt, change it, then go back to ssh. And don't even get me started on the SeOS "secured" systems...

    10. Re:Great idea, until... by Bush+Pig · · Score: 1

      You really are a fool, and my life is neither stale nor stupid. When the system is sitting behind a bunch of firewalls, proxies, VPNs, etc, etc, that I'm comfortable in assuming are being managed by people who know what they're doing, I see _absolutely_ _no_ _fucking_ _point_ in changing my password every 6 weeks (or whatever) just because some dopey auditor read in a Gartner "paper" that proper security requires frequent password changing.

      You wouldn't happen to be one of those people, would you? I thought so.

      --
      What a long, strange trip it's been.
    11. Re:Great idea, until... by Ed_Pinkley · · Score: 1

      my password is now $name_of_favourite_child01

      Don't let your $less_than_favourite_child find out about this or s/he might feel bad.

      --
      "Long time listener, first time caller."
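    The history check the thread above argues about, as an added example that is not part of any post in this thread. A server that keeps only salted hashes of old passwords can reject exact reuse, but it cannot see that "Rover01" became "Rover02". One way to catch that sequencing, shown here as an assumption of this example and not something any poster proposed, is to also store a hash of the password's "stem" (lowercased, trailing digits and punctuation stripped) under the same salt. The sample passwords and history depth are constructed; the KDF iteration count is kept low for speed.

```python
"""Password-history check with a stem hash to catch sequenced passwords.

Added example, not from the thread.  History depth, passwords and the
iteration count are constructed for illustration.
"""
import hashlib
import os
import string

ITERATIONS = 50_000  # deliberately low for the example; use more in production


def kdf(value: str, salt: bytes) -> bytes:
    """Salted, slow one-way derivation used for both the password and its stem."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, ITERATIONS)


def stem(password: str) -> str:
    """The part of the password people keep while bumping a trailing counter:
    'Rover01' -> 'rover', 'correct-horse-battery-2' -> 'correct-horse-battery'."""
    return password.lower().rstrip(string.digits + string.punctuation)


class PasswordHistory:
    """Keeps the last `depth` entries, each (salt, hash(password), hash(stem))."""

    def __init__(self, depth: int = 5):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes, bytes]] = []

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, kdf(password, salt), kdf(stem(password), salt)))
        self.entries = self.entries[-self.depth:]

    def check(self, candidate: str) -> str:
        """Returns 'reused', 'sequenced' or 'ok' for a proposed new password."""
        cand_stem = stem(candidate)
        for salt, pw_hash, stem_hash in self.entries:
            # Each entry has its own salt, so the candidate is re-derived per entry.
            if kdf(candidate, salt) == pw_hash:
                return "reused"
            if kdf(cand_stem, salt) == stem_hash:
                return "sequenced"
        return "ok"


def demo() -> list[str]:
    """Constructed history: the user's last two passwords, then five proposals."""
    history = PasswordHistory(depth=5)
    history.add("Rover01")
    history.add("correct-horse-battery")
    proposals = ["Rover01", "Rover02", "rover7", "correct-horse-battery-2", "bright-kettle-42"]
    return [history.check(p) for p in proposals]
    # -> ['reused', 'sequenced', 'sequenced', 'sequenced', 'ok']


if __name__ == "__main__":
    print(demo())
```

    The trade-off a practitioner should weigh: the stem hash is a hash of a lower-entropy value, so if the credential store leaks it gives an attacker a cheaper target than the full password hash. Whether that is acceptable depends on whether the threat you care about is the database leaking or users defeating the rotation policy.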
  61. Sneakers reference by CoolBru · · Score: 2, Funny

    No-one seemed to have mentioned that the pass-phrase to decrypt everything in the world in the movie "Sneakers" was "Too Many Secrets". I guess it could have been too obvious.

    1. Re:Sneakers reference by Sponge+Bath · · Score: 1
      ...pass-phrase to decrypt everything in the world in the movie "Sneakers"

      I thought it was "cooty's rat semen".

  62. Keep it SIMPLE - Try this instead algorithm by spineboy · · Score: 2, Insightful

    I just use an algorithm based on the web site, plus an additional few letters. For example if the site is Slashdot your password could be slashDOG8cAt, on Google it could be googDOG8cAt, etc. You can get a little more creative when financial or other stuff is valuable, e.g. a different user name and password algorithm for banks/credit card sites, etc. One important note - treat every computer not in your home as being infected with a virus/key logger - DON'T use public computers for your financial stuff.

    Obviously - for many websites, security really doesn't matter, and so the same password can be used for most of them - just don't use the same one for the important stuff.

    --
    ..........FULL STOP.
  63. Maiden name back doors by j-cloth · · Score: 1

    Mom's maiden name is one of my biggest annoyances.
    My bank just implemented a mandatory Mom's maiden name password retrieval system. So now I have my super-secure-password-that-nobody-will-ever-guess-or-hack with a wide open back door.
    pisses me off.

    1. Re:Maiden name back doors by pete6677 · · Score: 1

      You don't have to use your mom's REAL maiden name. The bank won't actually verify it. Just make sure to remember which name you gave them and don't make it too obvious for someone to guess.

  64. Opposite problem at my work by fak3r · · Score: 2, Interesting

    This is a problem, however at my work (and a few other gigs) I've seen password deficiency in the workplace. Too many projects headed up by non-technical people that don't understand the importance of passwords. Obviously a unified solution (NFS or the like) would help tremendously, but for things like servers, getting to a root account wouldn't be a good use, so I think it'd need to be a biometrics (fingerprints) solution, with a "sudo like" functionality on the server. i.e. the user with this fingerprint can do these things, etc.

  65. The password for the passwords by xiando · · Score: 2, Interesting

    I use Another Password Generator for all my passwords. http://www.adel.nursat.kz/apg/

    As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text file with all my passwords which is stored on my bestcrypt http://www.jetico.com/ partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...

    So I think that a "a master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use.

  66. All you need is... by scdeimos · · Score: 1
  67. People are stupid by Anonymous Coward · · Score: 0

    self included.

  68. My bank used biometrics by Anonymous Coward · · Score: 2, Funny

    But I kept getting access to John Holmes' account. And they say those e-mail enlargement ads never work! Ha!

    (hopefully moderated for humor)

  69. Can you say... by vrta · · Score: 2, Funny

    ...OneBigTextFile?

    --
    Why don't sheep shrink when it rains?
  70. Cross platform solutions? by Anonymous Coward · · Score: 0

    I found that keepass works really well. But I've switched to a mac and the OSX keychain doesn't have as many features.

    I wish there were a cross platform solution, so I could store the database on a flash drive and access it at work (on a windows pc) and at home (with an OSX solution).

  71. Shibboleth by Anonymous Coward · · Score: 0

    It does not solve all the problems, but shibboleth may solve some of them at least.

  72. Password expiring by BrookHarty · · Score: 2, Interesting

    I started using robotron, way too many passwords to type in daily. I have password safe with over 300 passwords, from sites, servers or applications. Crazy.

    Then IT thinks it's good to change passwords every 30 days on some sites; password management alone takes 1-2 hours a week, not counting the times I have to change passwords for other people.

    If anyone knows an open-source robotron replacement that works in both IE and Firefox, reply. As for password safe, been trying a new open-source one called Keepass that looks pretty nice, and ported to multiple platforms.

  73. Mods have no sense of humor today? by Anonymous Coward · · Score: 0

    Flamebait? Surely that mod didn't think the OP was serious?

  74. This is my JOB right now by aflat362 · · Score: 1
    I just finished converting one of our web applications from having a log on screen to be LDAP integrated AND single sign on.

    It was not a simple task - it's a shame - it shouldn't be complicated.

    Anyway. The solution to too many passwords is implementing server side apps that use some sort of single sign on.

    Also - personally I have hundreds of passwords for work ( I admin lots of stuff and work on lots of different servers )

    And hundreds of passwords for my personal use. I manage them all with PasswordSafe - available on Source Forge.

    --

    Conserve Oil, Recycle, Boycott Walmart

  75. SETEC Astronomy by tfriedlich · · Score: 1

    The reason we have too many passwords is obviously because we have too many secrets!

  76. use smart cards by tolonuga · · Score: 1

    old problem. I started four years ago with the goal to get rid of
    all those passwords, and instead use a nice usb crypto token for
    authentication.

    my suggested token is a axalto/schlumberger cryptoflex 32k with
    egate token adapter (so you don't need a smart card reader,
    only a usb port). I don't work for them, I don't get any benefit
    from this suggestion. but they are cheap, fast, latest technology
    (important if you consider timing attacks, power analysis attacks
    and all that stuff), and most important: well documented, well
    supported, and easy to buy (www.scmegastore.com). most other
    companies hide their details (even the user manual requires
    an NDA), and buying is sometimes difficult (because they want
    to sell software and services, not only the plain token).

    openct: smart card reader
    opensc: smart card library plus pkcs#11 module
    openssh: recompile --with-opensc
    mozilla: simply load the pkcs#11 module.
    libp11: easier to use than the standard pkcs#11 interface.
    engine_pkcs11: engine so you can use openssl with your smart card.
    windows: "smart card bundle" our binary installer bundle with
    openssl, opensc, putty, libp11 and engine_pkcs11.
    pam_p11: login with your smart card (simple, local module).
    pam_pkcs11: login with your smart card (full features, signature checks,
    ca chain checks, crl checks, ldap, kerberos, etc.)

    all of that: www.opensc.org

    disclaimer: this is shameless advertising for my open source projects.

  77. How many passwords do you have? by skoda · · Score: 1

    I'm a typical engineer at an aerospace company and I have 15 passwords, 9 usernames and a voicemail PIN for my accounts. There are about 5 different sets of password requirements, depending on the system. Some require symbols, uppercase, or numbers and some don't. They have different refresh cycles, most on out-of-phase 90-day cycles. Some secondary systems have to be updated manually to be matched to primary passwords.

    I can't remember them all, so I use a password minder program on my PDA to reference. This stores all my passwords - except for the three passwords and two usernames which are verboten outside of their area -- and I refer to it every few weeks when I blank on an infrequently used password.

    Is this typical? How many do you have?

  78. Just use passports! by Jugalator · · Score: 1

    Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

    Doh, I can't believe this, this is why the Microsoft Passport Network exists!

    What do you mean "potential problems" by the way??

    Just submit a minor resumé of yourself and a valid mail address to Microsoft and you're in!

    --
    Beware: In C++, your friends can see your privates!
  79. I like SplashID by Just+Some+Guy · · Score: 1

    SplashID is my Palm password vault of choice. Windows and Mac users can also sync it with the associated desktop program. If only it would sync with KDE Wallet, it could be my most favoritist Palm application ever.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:I like SplashID by Milican · · Score: 1

      I have been using SplashID for years. Since my Visor Edge days. I have never had a crash of any kind or a problem migrating the database from Palm to Palm. I love it!

      JOhn

  80. Pin Number by hackwrench · · Score: 1

    I use digits selected from pi

    1. Re:Pin Number by poopdeville · · Score: 2, Funny

      I hope you don't start with 31415926...

      --
      After all, I am strangely colored.
    2. Re:Pin Number by Cro+Magnon · · Score: 2, Funny

      Augh! You bastard!

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    3. Re:Pin Number by arminw · · Score: 2, Funny

      .....I hope you don't start with 31415926......

      No, he starts at the other end of PI.

      --
      All theory is gray
  81. My favorite for web sites by Beryllium+Sphere(tm) · · Score: 1
    The Mozilla extension pwdhash generates a strong site-specific password by hashing the URL with your master password. I wish they salted it but that raises some usability issues (what if the salt gets deleted? Where do you put it?).

    I reviewed it at my security newsletter for nontechnical people

  82. this one works... by toocoolforschool · · Score: 1

    I use passwords that, even if they were broken, no one would dare type: CmdrTacoIsSoSexyAndHot!Droolz!11!

  83. What I'd like... by Kjella · · Score: 1
    ...is a small device with fingerprint reader and PIN. Then I could set the security to be any combination of the above. For many things, for example slashdot I'd like to have it simply identify me without either. For smaller things (say, equal to cash in wallet) I'd say fingerprint is good, click to confirm. Token + PIN for bigger things (this is like a VISA card). And finally all of the above for when you want maximum security.

    What are the advantages?
    • One device to fit many levels of security.
    • The fingerprint is used on your trusted token, so is your PIN. No one will be able to place a fake front on it, nor does it ever leave your token.
    • Supports many identities. My "slashdot" identity would be separate from my "bus passenger" identity and my "VISA card" identity and my "real" = SSN-style identity.

    Cons:
    • Requires massive cooperation
    • Fairly expensive
    • Requires me to carry a device at all times


    I already carry a cell phone and a stack of cards everywhere. It's not expensive to me. But it'd take an insane amount of cooperation to get a standard going and the device popular.

    Kjella
    --
    Live today, because you never know what tomorrow brings
  84. Frequent user of the Password Forgotten? links by forged · · Score: 1
    Some passwords (mostly web accounts & stuff) I don't even bother to recall. And I don't want to set my accounts' password to some common default and take the risk that an attacker will break in one then try using the same password with other online accounts, which would work because that is something I'm ashamed to admit I'm guilty of doing.

    So I just use the "Forgot Your Password?" links which are now everywhere, fortunately, to email me a new, randomly generated password to my email address. Within minutes I'm able to logon where I need to. Whenever possible I set the cookie to "Remember Me" so I don't have to do that little trick all too often.

    When's the last time you logged on to Slashdot ? You can set the login cookie to expire every year... Good enough for me and perfect illustration of the point.

  85. Why must we reinvent the wheel? by grasshoppa · · Score: 1

    Why do we insist on believing that everything having to do with computers is new? We have a mechanism in place for just this kind of security. It's called the lock and key.

    So, everyone has a usb pen drive. We'll call this a keyring. The keys are encrypted certs stored on this keyring. Think pgp.

    Now, each system you want to access, you simply plug in your key ring and let the system do the rest.

    Now, I hear some of you saying: What happens if I lose my keyring? Same thing that happens if you lose your regular keyring, you change the keys. And being encrypted bits of data, you can make backups in the comfort of your own home.

    I imagine a system where you are never actually prompted for a password, although websites and the like may ask for your credentials. This would all be stored in either your keyring or the underlying OS itself, supplied as requested.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Why must we reinvent the wheel? by dmitriy · · Score: 1
    2. Re:Why must we reinvent the wheel? by soft_guy · · Score: 1

      There are a lot of systems that work like what you are describing. For example the Keychain feature of MacOS.

      It is not without its flaws. And neither are physical keys. There are all sorts of problems with real locks. If I get a hold of your keys for just a second, I can make a clay imprint of your key and duplicate it. People know how to pick locks, etc.

      --
      Avoid Missing Ball for High Score
  86. Similar by marcus · · Score: 2

    I use a mnemonic , usually a shape. As in, my yahoo mail password is shaped like a "Y", Amazon is an "A", etc. That is usually enough to trigger the rest from memory. Work is a "W". Since they do have a password expiration policy, I just walk the "W" around the keyboard since there are dozens of variations possible.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
    1. Re:Similar by Bingo+Foo · · Score: 1

      And your slashdot password is "ewqasdcxz"

      Thanks!

      --
      taken! (by Davidleeroth) Thanks Bingo Foo!
    2. Re:Similar by Anonymous Coward · · Score: 1

      Actually, I think it'd be eszc

    3. Re:Similar by ryanov · · Score: 1

      I do this too, and recommend it to people at my helpdesk. I can always draw a shape on the keyboard starting from a particular location and it works, whereas sometimes even the most random things fail a dictionary search (our strong password module is a bit overzealous).
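    The replies above guess the "W" and "Y" shaped passwords from the keyboard layout, and ryanov notes that a dictionary-based checker does not catch them. The following is an added example, not code from any poster or from the strong-password module mentioned: a check that measures how much of a password is a walk between physically adjacent keys on a US QWERTY layout. The layout table, the adjacency rule (a key counts as adjacent to its eight neighbours and to itself, shifted characters are lowercased) and the threshold are assumptions of this example; the sample passwords, including the two guesses in the replies, are constructed.

```python
"""Keyboard-walk detector for password checkers.

Added example, not from the thread.  US QWERTY rows only; the threshold
and the sample passwords are constructed for illustration.
"""

# Physical rows of a US QWERTY keyboard, unshifted.  Column index approximates
# horizontal position; the half-key stagger between rows is ignored.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]


def _positions() -> dict:
    pos = {}
    for r, row in enumerate(ROWS):
        for c, ch in enumerate(row):
            pos[ch] = (r, c)
    return pos


POS = _positions()


def adjacent(a: str, b: str) -> bool:
    """True when b is the same key as a or one of its eight neighbours."""
    if a not in POS or b not in POS:
        return False
    (r1, c1), (r2, c2) = POS[a], POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def walk_fraction(password: str) -> float:
    """Fraction of consecutive character pairs that are adjacent keys."""
    p = password.lower()
    if len(p) < 2:
        return 0.0
    steps = sum(adjacent(p[i], p[i + 1]) for i in range(len(p) - 1))
    return steps / (len(p) - 1)


def is_keyboard_walk(password: str, threshold: float = 0.6, min_len: int = 4) -> bool:
    """Flag passwords that are mostly a path across the keyboard.

    The threshold is a tunable assumption: 'password' scores 4/7 and passes,
    the shapes drawn in the thread score higher and are rejected."""
    return len(password) >= min_len and walk_fraction(password) >= threshold


if __name__ == "__main__":
    for pw in ("ewqasdcxz", "eszc", "1qaz2wsx", "password", "bright-kettle-42"):
        print(f"{pw:18} walk={walk_fraction(pw):.2f} flagged={is_keyboard_walk(pw)}")
```

    The useful property for a helpdesk is that this complements, rather than replaces, a dictionary check: "ewqasdcxz" is not in any wordlist, but every one of its eight transitions is a neighbouring key, so it scores 1.0. Real crackers ship keyboard-walk wordlists and rules, so a password that survives a dictionary check only because it is a shape is not much safer than a dictionary word.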

  87. speaking as a helpdesk employee by DohnJoe · · Score: 1

    I can tell you that even one password is too much for most people to remember. And I'm talking about university staff and students; you'd think they are smart enough to remember...

    Anyway, the main reason is our Windows policy that forces you to change your password every 3 months. People tend to be annoyed by this and just quickly think of something which they then easily forget. So I think this policy actually is doing more harm than good.

    -DJ

  88. Your mother by Anonymous Coward · · Score: 0


    testing 1 2 3

  89. Password Policies by kckman · · Score: 1

    I am responsible for assisting in account management and security maintenance for my organization. People have the capacity to remember multiple passwords. When they complain about the complexity of the rules we have or the number of different passwords for the many systems we have, I remind them that they probably have remembered hundreds of telephone numbers and know many recipes without fail. This puts it all in perspective for most of them, but all the same I always check under their keyboards for evidence.. hehe

  90. People are Lazy by Cunjo · · Score: 1

    Unavoidable obstruction to high security on the end user level. If they're too lazy to write down or memorize their passwords, too cheap for higher-technology solutions (biometrics, etc..), and not employed by a company that offers neat little LED gizmos to feed them a new password every minute, how can they expect their data to remain secure from everyone else? I personally very much like this site's services... people don't often guess 20-character randomly-generated passwords.

    --
    "Those who think they know everything are of great annoyance to those of us who do." - Isaac Asimov
  91. passwords suck - we need something better by MikeFM · · Score: 1

    Passwords for individual websites is a bad idea. Better would be to modify software to generate custom key pairs on a per website basis based from a combined salt string generated from a digital signature for both the user and website. The browser could prompt, on first demand, for a username and password that would be hashed to create a unique sig for the user and that'd be hashed with the website's digital sig to create a unique id sig and that would then be transmitted to the website to prove the user's identity.

    I'd use the site's domain name as part of its sig so that it couldn't be spoofed easily. Have the browser check that the sig is coming from the site it claims it is coming from.

    I'm sure this idea needs polish but it's really the sort of system we need. Something that doesn't require the user remember more than one username/password combo and doesn't require any computer to remember the user's password data for them (bad for security and troublesome if the user roams). If the user decided to change their password they could use current methods of going to the site and submitting their email address, which gets sent a link that will allow the user to associate their new password with the old identity.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
  92. Novell ? by IgorMrBean · · Score: 1

    Novell has a product called DirXML (Nsure Identity Manager) which can synchronise passwords from and to almost any database. They provide connectors for ADS, Oracle, PeopleSoft, SAP, etc. And you can write your own... With NSure SecureLogin which can safely store passwords for you, I've set up some truly single sign-on solutions. Connect a biometric or a token card reader, and you're all set up!

    --


    Mess with the best, die like the rest
  93. Public Key Authentication by bobbuck · · Score: 1

    The networks should standardize on a public key authentication system so that only ONE password and ONE I.D. is needed. Then the various networks, servers, and companies just add the authorized user to their authorized user list while a public key server maintains the users and keys. The client machine generates a login request with the private key, and the server authenticates the login request against the public key server.

  94. passwords... by yeruki · · Score: 1

    If you have a post-it up on your monitor, then wouldn't someone figure out your password much easier? I never put numbers in my password, but I use caps and things that people wouldn't expect. It's crazy how people try so hard to hide their password and make it so complex that they forget it. That's happened to me on more than one occasion, and I had to ask the tech support to change it. From another post, I do believe everyone should have their own form of coding...like some secret spy network...

  95. no shit!? by John+Nowak · · Score: 1

    The reason he didn't explain it was because it was bleedingly obvious and he assumed you'd know what he was showing. I've never seen such a prattish post in my life. Ecode.. whatever.

  96. Why not use SSL and certificates? by Coder7 · · Score: 1

    One password to protect your certificate. The certificate can be used to provide access to as many sites or services as you need. Certificate revocations are relatively easy to implement, and in most cases yearly certificates would be sufficient to keep things secure. This concept is being implemented by the organization I support, and so far we haven't noticed any problems.

    1. Re:Why not use SSL and certificates? by pclminion · · Score: 1
      Certificate revocations are relatively easy to implement

      Easy to implement, but there's a million ways to do it. It's far harder to get any significantly large group to agree on which method of revocation to implement. Your scheme is feasible in a controlled environment, such as a single corporation with a suite of internal services all using the same scheme. But it would be impossible on the wild Internet.

    2. Re:Why not use SSL and certificates? by Coder7 · · Score: 1

      Impossible... nothing is impossible

  97. No kidding! by kiddailey · · Score: 1


    Seriously. It's annoying. I've tried it all: post-its, using the same password, using a "root" password with a number added to the end. Unique passwords for each site using the domain and a number, storing passwords in handheld devices and looking them up manually and various password managers.

    I finally ended up with my preferred solution, which gives me a seemingly random string of characters for every site that I visit. These strings are a hash value generated by combining the domain name of the site, another private salt value and a master password as the final salt value. With this method, I only have to remember one complex password.

    This doesn't work for sites that require you to change your password often (since the domain stays the same). But given that I only need a couple of those, another alternative works fine.

    The major downside (one could argue, flaw) in this is that if someone were to have your master password, they'd potentially (assuming they knew the logic and hidden salt values behind the hash) have the ability to access ALL of your accounts you had used the system for.

    Obviously, for this reason you must be careful in selecting a long, complex and unique password while avoiding the temptation to write it down on a post-it note :D

  98. How important is the protection? by fishbowl · · Score: 1

    If your password is compromised, will someone be able to do stock trades and make it look like you did it? Would they be able to expose your company trade secrets and make it look like you did it? Would they be able to access classified material of a military nature (even mundane stuff?)

    Stuff that could put you in a Federal Supermax or Gitmo deserves good security hygiene on YOUR part.

    Can you pass this responsibility to your employees? Certainly! Make it a serious matter to forget a password. No help desk call needed. The post-it note? A firing offense! It's that simple.

    Can you pass the responsibility on to your customers? NO! And here's where you are forced to compromise. All you can do here is a best-effort at security. That has different parameters for a bank, than for a mundane blog.

    --
    -fb Everything not expressly forbidden is now mandatory.
  99. Too many passwords.... by NerveGas · · Score: 1


        For most people, *one* password is too many to remember.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  100. Idea from Security Now podcast - Use a hash by RandoFernando · · Score: 1

    One of the Security Now podcasts had a good suggestion to have a unique password algorithm (IMO a good suggestion). The algorithm is the same for each website, but the password itself is different for each website. For example, the inputs for the algorithm would be: the name of the website, and, some kind of hash unique to you. You insert the hash somewhere into the name of the website. Suchlike:

    website: slashdot
    hash: #somekindofnumericalsequence#

    Then
    password: slash#somekindofnumericalsequence#dot

    or

    website: hotmail
    hash: #somekindofnumericalsequence#

    Then
    password: hot#somekindofnumericalsequence#mail

    The point is, it's easy to remember a password formula/algorithm that applies to many, many places rather than trying to remember many, many passwords. You don't even have to write them down.

  101. Different password requirements hurt the most by Balthisar · · Score: 1

    I'm forced to change my NT password every 60 days at work. So I do something I know is "the wrong thing" -- I use the same password on every work system. My password is secure, and I'm not worried about it, so I just don't worry about it. What sucks, though, is that many of our systems have different password requirements. Some require a mixture of upper and lower case. Some don't allow a password to begin with digits and some do. Some require at least 8 characters and others have an 8 character limit. When my 60 days get close, it usually takes me three or four attempts to get the same password on every system until I work out the kinks in all of their different password demands. And God forbid I forget one of the systems; I'll never get access to it again with the passwords I choose.

    Oh, thanks to someone here many, many moons ago, I don't try to think up hard-to-guess passwords any more, or make up mnemonics I'll forget, or any of that nonsense. Patterns in the keyboard are super easy to remember and impossible to just guess without having my accounts reset.

    --
    --Jim (me)
  102. Argghhh, fer crisakes by Usquebaugh · · Score: 2, Interesting

    Identity 2.0 it's nearly been blogged to death.

    Take a look at this really cool presentation, even if you find the subject matter boring the presentation is sharp, http://www.identity20.com/media/OSCON2005/ /. news for the lazy and ignorant

    1. Re:Argghhh, fer crisakes by AKAImBatman · · Score: 1

      OR, you could just use a cookie. (Reread the grandparent, and understand.)

    2. Re:Argghhh, fer crisakes by Usquebaugh · · Score: 1

      You can use a cookie or you can have security, which do you want?

    3. Re:Argghhh, fer crisakes by AKAImBatman · · Score: 1

      Actually, I was looking for an amused chuckle. (Seeing as Slashdot uses cookies.) Then again, humor must be an outmoded concept.

    4. Re:Argghhh, fer crisakes by michrech · · Score: 1

      No, it's just been negatively moderated.

      Mike

      --
      bork bork bork!
  103. Biometrics work great by Anonymous Coward · · Score: 0

    I've been using IBM Security Chip with biometrics for 2 or 3 years now and have had great luck. I just got the new T43p with built in biometrics and have it control everything from internet passwords to power on and hard drive passwords. The best part is everything is encrypted with a key stored in hardware which makes it pretty darn secure and really easy to use. It's a pain if the chip goes bad, so archives still have to be kept of the key on physical media, but in a corporate environment this could be done pretty securely for an entire organization from a centralized system.

    1. Re:Biometrics work great by Zey · · Score: 1
      Biometrics is a false dawn. The best cautionary tale is The Mickelberg Stitch in 1982. The principal evidence (aside from false confessions) used to convict them were fingerprints found on cheques. Cut and dried, you might say... except that one of the brothers worked with latex. The police had used latex cast-offs to acquire his biometric identity and used it.

      That was 1982 and I doubt criminal elements would need latex cast-offs to defeat biometrics. If they're decent folk, they'd be able to use image capture from something you've touched and lathe the prints into latex. If they're not, they just chop off some fingers and/or gouge out one of your eyes.

  104. My solution by TimTheFoolMan · · Score: 1

    My solution is not nearly so geeky as some of the others, and is relatively low-tech.

    There is one password that I use for all accounts that don't require frequent changing. It's a nickname that only one person in my life ever called me by, and it can easily be combined with a number for numeric/alpha requirements. The name is 8 characters long, which is sufficient again for many uses.

    For accounts that require regular change (most of my work accounts), I tend to use one password, and change them all at the same time. This password is typically in the form of:

    XXYYYYYYYY

    Where XX is a two or four digit year, and YYYYYYYY is the name of a person or thing. The person or thing is associated with the year in some way (birth, death, marriage, etc), and the name may be a nickname or uncommon reference. I'm currently on my 12th or 13th version of this, and may or may not ever recycle them. (Some secure systems don't allow this, or prohibit it for an extended period.)

    Some of the more cryptic things I have used were:

    - Date of our church's original establishment, along with a portion of the church name
    - Date of my first pet's birth, and that pet's name (don't use current pets)
    - Date of first GF breakup, and GF's name (possibly not an option for some slashdotters)
    - Model year of first car, and car model (72PINTO)

    Current things in my life are generally off-limits. If I use a name of a friend, the date is then more cryptic, such as the year I met them, or the year of a significant event in their life.

    I suppose this is a fairly hackable scheme. If so, feel free to suggest improvements.

    Tim

  105. Password manager by vanyel · · Score: 1

    I use SplashID on my Treo, combined with using one password for each of several classes of applications to cut down on the number of them. FWIW, I saw this weekend that Microsoft has a $50 fingerprint reader at Fry's, but with a big warning "Not to be used for financial or sensitive data". At least they're letting people know you can't trust it...

  106. ye olde garden shears by Medievalist · · Score: 1
    You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.
    And, the friendly staff at Abu Ghraib can cut your finger off easier than they can torture a password out of you, so it might just save time for everyone!
  107. Another Problem: Timing a Password Change by Prototerm · · Score: 1

    One of the biggest problems I have is when I cannot change my password on *my* schedule. I like to change my password on the first of every month, and sometimes the administrator has assigned an arbitrary number of days, such as 30 (31 would be better). A very few won't let you change your password earlier than 2 or 3 weeks, so it becomes difficult to catch up if you have to use a "temporary" password to satisfy the 30-day system.

    I've found that, rather than use a grid or somesuch as others have suggested, what works for me is to make up a multipart password consisting of two unusual words plus a series of letters, numbers, and symbols referencing the current month and year (all in some consistent order). On the first of each month, you need only change the date part. The result appears random, is easy to remember in the long run, and requires nothing be written down. If you're *really* paranoid, you can select two different words translated into two different foreign languages.

    As has been pointed out before, the administrators who enforce the toughest rules aren't improving security. The only thing they're improving is the sales of Post-It Notes.

    --
    "My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
  108. Just use one long password by computergeek1200 · · Score: 0

    I think that it is better to remember one long string of characters instead of remembering a bunch of passwords.
    My old password was:
    erihjt9hjnvsiudb9i0943ujgsdojnoa

  109. the key problem by timmarhy · · Score: 2, Insightful

    the key problem here, is that people are lazy and stupid.
    the best way to secure something without taxing the average person's feeble brain is to use a password and an ssh key on a swipe card or a usb drive.
    that way even if someone gets one they are very very unlikely to get the other. it also means you can change the ssh key on them without them having to remember anything. hell in a system i'm implementing everyone gets a new key when they swipe in for the day and it expires after 24 hours.

    --
    If you mod me down, I will become more powerful than you can imagine....
  110. You only ever need 5 words maximum. by chris_sawtell · · Score: 1
    I only have to remember 5 passwords:-
    1. My own login on my machine.
    2. The root login on my machine.
    3. The root login on my IPCop firewall.
    4. The banking website.
    5. The dozens of spurious web sites all get the word common to them all. Basically none of them actually _need_ a password at all, because there are no money or privacy issues, so a common word is a satisfactory solution.
    Also they all have very effective mnemonics, so I won't forget them. Nowadays KDE's Kwallet system is a very effective solution to the dozens of web site passwords stupidity.
  111. SHA1 and a piece of paper by The+Chaotician · · Score: 2, Interesting

    Here's my solution: I keep one good password in my head. On a piece of paper (or two - no need to keep it private, you can write it in the sky if you want), I write a "hint" for each password I need to remember. For instance, my yahoo hint is "yahoo". My ebay hint is "ebay".

    The actual password for each site is the first 8 chars of the SHA1 hash of my memorized password concatenated with the hint (sha1(passwordyahoo), sha1(passwordebay) etc).

    I keep a gdesklet applet open on my desktop to generate passwords when needed. The SHA1 algorithm is freely available and already implemented as libraries in many languages, so moving to a new computer or rebuilding the password generator is simple.

  112. secure master scheme details by Anonymous Coward · · Score: 0

    use a system as follows - append a symbol such as $ and then a rotating number with a fixed codeword: - the rotating number changes when password changes are required.
    codeword for private financial systems - finance, banking, etc. - example - costly$10rover
    codeword for personal systems - email, etc. - example - mymail$10rover
    codeword for games, etc. example - gamer$10rover
    codeword for hardware around the house - firewalls, etc. example - keepout$10rover

  113. Synchronization is not that hard... by Anonymous Coward · · Score: 0

    Come on guys, there are reasonable products out there to synchronize passwords between systems. Surely one strong, remembered, frequently-changed password is more secure than a dozen passwords on a post-it note, less costly than a smart card or hardware token, and not as vulnerable to gummy bears as a consumer-grade fingerprint scanner!

    One such product is here: http://psynch.com/

    I'm sure others work too.

  114. Password Technique by Dugsmyname · · Score: 1

    A technique I have been using for almost 2 years is to write a few sentences on a sticky note close to my workstation. Each sentence describes a time in my life, i.e. "I used to ride my bike after elementary school", "I watched Star Trek after I returned from Classes at College", etc. Maybe I'm just weird, but I remember the street numbers of all the places I've lived, so I use those numbers to form my password. If this seems too cryptic here is an example.

    Rode bike around block after elementary school = 1234 Adam St.
    Watched Star Trek after College = 493 Jones Ave.
    Let son mow yard for the first time = 3009 George Lane

    My password for this postit note would be: "12344933009"

    I am able to remember a 19 digit numeric password very easily by using this method (even without the postit hint)

  115. The best security is.... by Cheeze · · Score: 1

    cat /proc/sys/kernel/random/uuid | cut -c -16

    --
    Why read the article when I can just make up a snap judgement?
  116. simple python script by shis-ka-bob · · Score: 1

    import random

    uc = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    lc = uc.lower()
    vowels = "aeiou"  # missing from the posted script; needed by the test below
    digits = "0123456789"
    funny = "!@#$%^&*-_"
    # Print a substitution table, one line per lower-case letter:
    # vowels map to an upper-case letter plus a symbol,
    # consonants map to a lower-case letter plus a digit.
    for letter in lc:
        if letter in vowels:
            print(letter + " - " + random.choice(uc) + random.choice(funny))
        else:
            print(letter + " - " + random.choice(lc) + random.choice(digits))
    # there are lots of elaborations (three characters per line, randomly swapping the order, etc.)

    --
    Think global, act loco
    1. Re:simple python script by jaseuk · · Score: 2, Informative

      Take a look at apg.. Find it on freshmeat/google..

      apg -m 12 -x 14 -t
      IgcusbavZeb7 (Ig-cus-bav-Zeb-SEVEN)
      koatDokwepht (koat-Dok-wepht)
      AwUkTeduldAc (Aw-Uk-Ted-uld-Ac)
      gizJogcypnot} (giz-Jog-cyp-not-RIGHT_BRACE)
      NodwacIbVawl (Nod-wac-Ib-Vawl)
      vekOypevpast5 (vek-Oyp-ev-past-FIVE)

      It produces nicely random passwords that can be pronounced so that you can remember them.
      Pronunciation is in brackets.

      Jason

    2. Re:simple python script by LordFnord · · Score: 3, Funny

      > koat-Dok-wepht
      Sorry, I don't recognise that spell.
      What next?

      > Aw-Uk-Ted-uld-Ac
      Sorry, I don't recognise that spell.
      What next?

      > Nod-wac-Ib-Vawl
      You summon a grue.
      The grue eats you.
      Your score was 0.
      You cast 1 spell.

      Play again?

    3. Re:simple python script by Vic+Metcalfe · · Score: 1

      jason, I'm sorry mod points I have not for you.

      Powerful is the Post-it notes plus apg force.

  117. Firefox Master Password by planckscale · · Score: 1
    I love Firefox's Master Password. Although I use very secure pw's for my banking, forums, and pretty much anything else, I dislike having to type them in over and over as I go through my bookmarks. I set my gmail notifier to run logged in when I start my browser, so whenever I open my browser, I am asked for my master password which is very high on the password-meter scale. Now I can surf the web logged into all of my sites. If there was a biometric system like a finger print reader that could be associated with the Firefox master password, it would be a benefit, but I'm pretty happy with its current configuration.

    --
    Namaste
  118. My password IS 'password' by ecumenical_40oz · · Score: 1

    Isn't that the cleverest thing ever! Nobody could possibly guess that, not in 1000 years. Who would possibly think to look for such an obvious word? And when that doesn't work, I make my password my login name. It hurts being this smart.

  119. The Laws of Identity by krunk4ever · · Score: 1

    i thought this article written by Kim Cameron addresses some of the issues mentioned here:
    http://www.identityblog.com/stories/2004/12/09/thelaws.html

  120. I honestly just... by zetes · · Score: 1

    ... remember all my passwords. I am only talking on the order of 20-30, but I remember them all. It is not that hard, but then again flying isn't that hard for superman. ;-)

    Z

    --
    2+2=5 for extremely large values of 2
  121. Maybe it's just me... by switcha · · Score: 1

    but I have 9 other chances to switch that one up once "guessed." ;)

    --
    You know what? ... A little club soda *did* get that out!
  122. manage my passwords with PINs by goodminton · · Score: 1

    I installed PINs, http://www.mirekw.com/winfreeware/pins.html, on a USB key over a year ago and haven't had a problem remembering passwords since. It's hard to beat a free solution that offers 448-bit Blowfish encryption and helpful features like password aging and password generation.

  123. only 8? by phsdv · · Score: 1

    that is only 8 passwords, you are lucky!

    I have to deal with: 1 Novell passwd (for 4 different systems), pincode + logname + passwd for internet, 1 passwd for LDAP (deals with about 6 different systems, however passwd length is limited between 6 and 8 characters!!!). 1 pin code + passwd for separate VLAN, 1 password for special large emails system (handles files > 2G!), 1 passwd for the 2 linux servers, login name + passwd for documentation system, 1 passwd for normal (outlook) email system, 1 for lotus notes email (yes, I have to use 3 different email systems). 2 logname + passwd for special database apps, And some of these are requiring you to change your passwd every 6 weeks or so.

    So I have to remember about 4 different login names, 2 pincodes and more than 10 different passwords. At least some systems use LDAP otherwise it would have been 16 different passwords.

    My best friend is a post-it! Of course, if you do not know the master passwd, the codes on this paper are useless.

  124. RSA SecurID by Anonymous Coward · · Score: 0

    this thing is great, because the big threat is not the shmuck looking at your physical machine or sitting at the desk next door but the guy sniffing packets, hacking your machine over a network or running a trojan on your machine. Also even if they get the tag you still should have a strong password to go with it and once it goes missing you call up the admins and they deactivate the token before he has a chance of getting into your system....That is until someone breaks RSA's number generation algorithm, about which little is known.

  125. Looking for Palm OS X Keychain sync by adturner · · Score: 1

    Based on the topic, this is probably as good as any to ask:

    Does anyone know of a conduit and Palm app which will sync the OS X keychain to the Palm and allow me to view/edit/create keychain entries on my Palm?

    Since Tiger supports syncing of the keychain over iSync to your .Mac account, the syncing is obviously possible... just not sure how open the Keychain database is.

    And yes, I know about all the OS X/Palm apps which allow you to store passwords and view/edit them on the Mac/Palm, but I don't want TWO password databases. OS X Keychain already does everything I need and it's well supported in many OS X applications. No need to reinvent the wheel.

    -Aaron

  126. Password safes considered unsafe by hacksoncode · · Score: 2, Interesting
    The notion of having some master password that unlocks a "password safe" that stores all of your crazy passwords for different sites is a powerful one, but it has one huge hole that has bitten me more than once.

    Windows (as would be any OS that attained broad use) and/or disk hardware are sufficiently unstable that I occasionally have to scrap my existing data and start over from scratch. Additionally, I use many different computers on different networks to access the same websites, etc. Backups are a pathetic workaround for this, and are themselves a vulnerability.

    In fact, any scheme that relies on a password safe resident on one machine will always be susceptible to catastrophic lossage, and is a pain to use on other machines. And any scheme that relies on 3rd party storage of the passwords is vulnerable to attacks on that storage and is inherently harder to maintain.

    Personally, I think the only thing that will eventually solve this problem is a single password plus a smartcard-like system (with automated backup to some other local storage). We're not going to get there easily, though. And it's not a panacea either, because smart cards can be lost, stolen or fried just as easily.

    Ironically, this problem is essentially another variant of the fundamental issue surrounding identity theft: in an information society, it's absolutely crucial that we be able to reliably uniquely identify every person, but anything we use to do that will end up being abused just like SSNs.

  127. biometrics by Anonymous Coward · · Score: 0

    Biometrics are starting to mature. We should be looking at "secure" biometric devices in the next five years or so, which could take a load off of both over-passworded employees and their helpdesk staff. In the meantime, current biometrics work well for getting rid of passwords, but are not very secure in and of themselves.

    For now, we can only memorize or use password generators (like the perl script given above). Or forget and create a new account... if we can.

  128. My password is... easy and always unique by porneL · · Score: 1

    md5(master_password + website_domain);

    1. Re:My password is... easy and always unique by aXis100 · · Score: 1

      Great idea really. The only issue is password policies that require upper/lower case, special characters and regular changes.

  129. Just put it in your wallet. by Anonymous Coward · · Score: 0

    Pick a totally random password, and put it in your wallet. If anyone can get access to your wallet, they can get access to you. If the bad men in the dark glasses want your password, they'll drag you off, and torture it out of you. But short of brute force, if you take care of your wallet, your password is safe.

    If someone can read your password note as you type in your password, they've already got past the physical security in your building. Any decent spy who can get into your building can probably install a keylogger or just videotape (or even memorize!) your keystrokes if given the opportunity to watch you. If you're relying on a password to protect you against that kind of attack, you've already lost.

    Fortunately, for most of us, that level of security isn't required. We just want to keep some semblance of an audit trail, so that it's fairly clear who did what. For that level of security, as long as someone isn't staring at the paper as you type in your password, you're probably quite secure. You've got total randomness against a non-local attacker (so those threelite internet haxors can't crack your password), and a local attacker has to physically compromise either *you* or your entire workplace security!

    In short, don't put your password on a post-it, because yes, janitors can read those, and not all of them are computer illiterate. But don't use a weakened password just so you can remember it, or someone on the internet will crack it, and then you'll have *real* trouble.

  130. Too bad there isn't an RFC... by Anonymous Coward · · Score: 0

    This is where a decently supported standard would really help. Something that's easy to use and implement in 3rd party applications (i.e. from PHP, ASP, ASP.NET, etc etc etc).

    Isn't this where LDAP was supposed to help? Does anyone have any real world experience writing 3rd party software that will do single sign on with MS's ActiveDirectory, Novell, Sun, Netscape, etc etc? All from the same code base and _simple_ to configure?

  131. effective strategy by Anonymous Coward · · Score: 1, Interesting

    I have a strategy that has worked out very well for me. Well worth implementing, if I do say so myself!

    (1) For any site or "thing" that makes you set up a password, first consider whether or not it needs to be secure in your own judgment. For example, I don't give a rat's ass if somebody figures out my NY Times login or my TitanTV login, but I'd rather they don't get my bank login!

    (2) For "unimportant" logins, choose an UNUSUAL login name (so that you don't find that it's already been claimed on more popular web sites), and a password of 6-8 characters, that you use for ALL of them.

    (3) For "important" logins, have one part that is a "master" password, maybe 5 characters. Then, for each site, choose a few additional characters that you tack on to the beginning or the end of it, which remind you (in some obscure way) of the service it's a password for. Personally, I have adopted a simple cipher. So, if the password is for Bob's Skate Shop, I might choose bss. Supposing my cipher is "1 letter later in the alphabet", that becomes ctt.

    In my opinion, this creates an ideal balance between usability and security. If somebody finds out my password to Bob's Skate Shop, they would still need to know my cipher, and figure out which part of the password is "standard", before they could log into my credit card account.

  132. steel door on a house of straw. by twitter · · Score: 2, Insightful
    One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.

    Hook up your windoze computer to a network and have it owned in 12 minutes anyway. All good practices, when applied to insecure software, are just an inconvenience to the user. What good are passwords, expensive biometric scanners and all that when your users have Outlook, IE and your "server" runs junk that gets owned all the time? That's just good money after bad.

    --

    Friends don't help friends install M$ junk.

    1. Re:steel door on a house of straw. by Anonymous Coward · · Score: 0
      Moderators: Please note that "twitter" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

      I'm posting this so that you (the moderator) have some context to consider twitter and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

      If you're a /. subscriber, I invite you to look through some of his posting history. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

      To get an idea of what I'm talking about, check this post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".

      Here's another. In this post twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

      Here's that drive-by advocacy and FUD in motion: twitter goes on about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.

      More? Just read though this post and the subsequent replies. I guess this stands on its own. Or these two. Or this one. Or this one.

      Still not convinced? This is what twitter considers "humour" while going about his daily "M$" routine.

      M

  133. That's exactly how LID works by Anonymous Coward · · Score: 0

    Except that it masks PGP keys etc. behind a very simple user interface.
    Several open source implementations are available already.
    http://lid.netmesh.org/

  134. The password pyramid by TheLittleJetson · · Score: 2, Insightful

    At the top, are your ultra secure passwords that you only use for your bank / brokerage / etc. At the next level down, is your password that you use on all your personal computers, encrypted volumes, shell account, etc. Below that, is your password that you use for stuff you login to over the internet and don't want other people logging into (e-commerce, etc). Below that, is the one you use for crap you couldn't care less if people use (nytimes.com, etc.).

    If you follow that system, you'll end up with only half a dozen passwords or so, and you'll still be pretty secure, as the important passwords aren't used as often as the less important ones.

    1. Re:The password pyramid by Zepalesque · · Score: 1

      Recap:
      - ultra-secure password
      - PC password
      - internet password
      - crap password

      I don't think pyramid means what you think it means.

    2. Re:The password pyramid by TheLittleJetson · · Score: 1

      I don't think pyramid means what you think it means.

      Pyramid like the old pyramid, or a pyramid scheme... The lower down the rank you go, the more places you use that password. I guess it's more of a triangle, if you wanna be a dick about it.

  135. hashvalue=master password +domain name by Anonymous Coward · · Score: 0

    Great utility that generates a password for each site by hashing
    the value of a master password plus the domain name of the site.
    E.g.
            my_master_password+cnn.com=unique hash
            my_master_password+slashdot.com=unique hash
    The unique hashes are used as passwords and you only have to
    remember the master password, which remains the same.
    See a video tutorial: http://weblog.infoworld.com/udell/gems/singleSignOn.html
    Or the original site of the utility: http://angel.net/~nic/passwd.html
    Plus a blogger's explanation:
            http://weblog.infoworld.com/udell/2005/05/03.html

  136. What about usernames? by slashbob22 · · Score: 1

    I realize that they aren't generally designed to be hidden, but I often get more frustrated with the number of user names which I have to remember. Sure I would like to maintain a consistent account name across all services but there is always some 'jerk' who parks on my preferred username. Some sites are beginning to wise up to the situation and including a "mail me my username" option. Writing all my usernames on paper is unrealistic and a single sign-on system, internet wide, is infeasible. Logon overload is certainly a realistic problem as registration becomes required on more and more services. Hopefully logons will not become so prolific that I will need a username to Google search. Am I the only one who is finding this?

    --
    Proof by very large bribes. QED.
  137. easy password by Ranger · · Score: 3, Funny

    I have a password that will be easy for everyone to remember, foo.bar. Change it to that and everyone send me your id's and I'll make sure it's secure. That way everyone only ever has to have one password.

    I worked for a company that had the most retarded rules for passwords. It had to have a number and a capital letter in it. The number had to between the first and last letters. We had multiple logins for various systems. We had a separate login for our computer, then a login to access our application suite, then a password for each application. And we had 7 or 8 of them. Needless to say, I kept the same password for as many of them as I could. My password was ih8Sprint. And then they made us change them every 60 days, so it became Ih8sprint, then iH8sprint, then Ih85print. You'd never guess who I worked for.

    --
    "You'll get nothing, and you'll like it!"
    1. Re:easy password by debiansid · · Score: 1

      Sprint...

      MUAHAHAHAHA...

  138. Mobile phones? by Trejkaz · · Score: 2, Interesting

    I don't work for sun, but I think that the mobile phone makes a pretty good store for passwords encrypted by a master password.

    The PC is obviously out of the question if you use different operating systems... for instance, my home PC is primarily a KDE desktop, so its wallet app is used for storing all passwords. But I have no simple way to access that wallet from the Winblows machine I have to use at work.

    Phones, however, usually have this "code memo" feature these days, which lets you wrap any information you want in crypto, and seems to be quite useful for password storage.

    Of course, the same master password problems apply... if you lose that one password, you lose them all. And if someone steals that one password (and the phone) they steal all your passwords. But it's better than a simple text file on disk somewhere, and much better than the post-it notes.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  139. Security versus the ability to work by gdav · · Score: 4, Interesting

    Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.

    Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).

    The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.

    1. Re:Security versus the ability to work by Ernesto+Alvarez · · Score: 1

      The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.


      And that's not counting the way users were subverting the password scheme in order to be tolerable (yes, they were subverting it, with rules like that it always ends like that). You are probably safer right now.

      What most people fail to realize is that password security cannot be too relaxed or too strict. Erring on the relaxed side you get stupid passwords, while on the opposite you get stupid passwords translated to 1337.

      Personally, six-month periods and random passwords are good enough. The root passwords are all random and changed periodically. So are the important passwords (like VPN access; we (the admins) choose them). As for other passwords, it's better not to try to force things. Just make sure that nobody does stupid things (post-it on monitor, etc.) and an occasional John the Ripper run is usually enough.
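
The "stupid passwords translated to 1337" problem, and the ih8Sprint / Ih8sprint / Ih85print rotation a few posts up, both fall to a wordlist-with-rules run. The following is an added illustration written for this thread, not John the Ripper's code: it applies the mangling people actually use to satisfy complexity rules (capitalisation, a single case toggle, leet substitution, a trailing digit or year) to a short wordlist and checks the results against a set of hashes. The hash format (unsalted hex SHA-256), the suffix list, the wordlist and the sample accounts are all constructed for the demonstration.

```python
"""Wordlist-plus-rules audit of stored password hashes (added example,
not John the Ripper's code; hashes, wordlist and suffixes are constructed)."""
import hashlib
import itertools

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = ["", "1", "2", "!", "123", "2005", "2006"]  # assumption: typical tails


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """Plain, Capitalised, UPPER, and every single-letter case toggle
    (the "ih8Sprint" -> "iH8sprint" style of rotation)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for i, ch in enumerate(word):
        if ch.isalpha():
            yield word[:i] + ch.swapcase() + word[i + 1:]


def leet_variants(word: str):
    """Every subset of the substitutable letters replaced, so 'password'
    yields 'passw0rd', 'p455w0rd', 'pa55word', ... as well as itself."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for n in range(len(positions) + 1):
        for subset in itertools.combinations(positions, n):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[chars[i].lower()]
            yield "".join(chars)


def mangle(word: str):
    """All candidates derived from one base word, without duplicates."""
    seen = set()
    for cased in case_variants(word):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                candidate = leeted + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def audit(hashes: dict, wordlist) -> dict:
    """Return {account: recovered_password} for every hash that a mangled
    wordlist entry reproduces.  Because the hashes are unsalted, one hash
    computation per candidate is checked against every account at once."""
    by_hash = {h: account for account, h in hashes.items()}
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            account = by_hash.get(sha256_hex(candidate))
            if account is not None and account not in cracked:
                cracked[account] = candidate
    return cracked


# Constructed sample: three "policy-compliant" passwords and one random one.
SAMPLE_HASHES = {
    "alice": sha256_hex("Passw0rd"),
    "bob": sha256_hex("5print1"),
    "carol": sha256_hex("Summer2006"),
    "dave": sha256_hex("Xr7o_:AW#OKjh"),
}
WORDLIST = ["password", "sprint", "summer", "welcome"]

if __name__ == "__main__":
    found = audit(SAMPLE_HASHES, WORDLIST)
    for account in SAMPLE_HASHES:
        print(account, found.get(account, "<survived>"))
```

Four base words expand to a few thousand candidates and recover three of the four accounts in well under a second; only the genuinely random one survives. Real hash stores should be salted and use a slow hash, which forces the attacker to redo this work per account and per candidate, but it does nothing about the fact that "Passw0rd" is still one of the first few hundred guesses.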
  140. But how serious is the problem? by LK3 · · Score: 2, Insightful

    What I'm wondering, in connection with the requirement by many companies that passwords be changed regularly, is this: is there any empirical evidence as to how much password hacking actually occurs, and whether this policy has any real effect? By "password hacking" I mean anything other than theft of the actual password files housed by the authenticating system.

    Because unless someone has stolen your password from another source (like the authenticating system itself, in which case changing the password regularly has no effect), changing passwords just provides another opportunity for your password to be written down and then lost/stolen. The fact that most people write the password down somewhere in the vicinity of their computer makes this even worse.

    And changing passwords can't prevent brute force attacks, which rely on running through multiple combinations automatically.

    (By the way, anyone want to guess how unlikely it is that bad guys will try to figure out your password by determining your dog's name and your birthday, or whatever silly mnemonic device you've converted into a password? Bruce Schneier calls some bad terrorism response plans "movie plot" scenarios because they are responding to things that only occur in movies, not real life. Although the movie scene with someone breaking into someone's computer by reasoning out what the person would use as a password is ubiquitous, does this really happen?)

    Finally, the other justification for this policy of having ever-changing passwords is that if someone does get access to your password, it will either be outdated already or will become outdated. But how many situations does this really cover -- and how much of a help is it if you are not scheduled to change your password until 2 months later (now, a password that changed every day or every minute would be a different story -- oh, wait, isn't that encryption?)? And even if it helps somewhat, does that outweigh the risk of having employees post their passwords next to their computer?

    Know what these policies may really represent, at least in some instances? Businesses trying to make it appear that they are putting security into place, when it's really just a fig leaf.

    1. Re:But how serious is the problem? by Anonymous Coward · · Score: 0

      FADE IN:

      Large red numbers on the computer screen in front of our hero are COUNTING DOWN from 100. Our hero's brow is furrowed in thought and consternation.

      HERO: I've tried everything. His wife's name. His mother's name. Even his mistress' name. I've used his birthday, his wedding day...

      SIDEKICK: How about his dead cat's name?

      HERO: Tried it. Nothing.

      The countdown clock is down to 20. 19. 18. 17...

      SIDEKICK: Maybe we're going at this the wrong way.

      HERO: That's it! He's a very, very clever man. What if his password is one of those we've already tried ... except backwards!!

  141. Re:Security for Apple Heads by PhunkySchtuff · · Score: 2, Insightful

    Us Apple Heads, as you put it, don't need Password Safe (as good a product as it is) as we have, built right into the OS, the Keychain - an AES128 encrypted file containing
    • Web Passwords
    • Application Passwords
    • Security Certificates
    • Public/Private keypairs
    • Secure Notes
    It integrates with most apps on the system so, for instance, if I go to a passworded site in Safari (the Web browser), Safari can get the username and password from the keychain (by asking me for my keychain password) and then I can optionally allow Safari to always access this item without asking me first. You can have multiple keychains, have some unlocked automatically and have more secure ones that you have to unlock each time, or even go into the Keychain Access application and manually unlock...
  142. Re:Security for Apple Heads by Widowwolf · · Score: 0, Offtopic

    very nice..i would switch to apple but #1 is price, #2 is too much software i run that is not compatible...

    --
    ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
  143. Too many passwords, single authentication source by GC · · Score: 1

    I've worked in companies which require you to have to remember passwords for lots of different systems.

    In my most recent company I've worked to ensure that Windows, UNIX, Remote Access passwords are all sync'd.

    When we ask someone to log in to a system, we ask them to use their 'office' password: not their network password, not their windows password, not their unix password, their office password.

    Single logon, can be done - should be used.

  144. Distributed by Rytsarsky · · Score: 1

    How is it that no one has mentioned distributed identity protocols, such as Open ID? That would solve the problem for the web, at least.

    --
    God became man to enable men to become sons of God. -C.S. Lewis
  145. dedicated PDA by Maljin+Jolt · · Score: 2, Informative

    One USB stick is not enough for your passwords.

    I picked one of my PDAs fully dedicated for only password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no usb plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept backup flashcard at any moment, usually used for playing with NetBSD.

    Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!

    --
    There you are, staring at me again.
  146. www.muyseguro.com by jlromero · · Score: 2, Funny

    I've written an online service called www.muyseguro.com (which stands for "very safe" in Spanish). Currently it is in Spanish only. It is an online digital vault for storing passwords, credit card info, and any other sensitive information that you may need to keep safe and ubiquitous. The info you store there is encrypted with powerful algorithms (128-bit encryption), so it can be kept safe. Please review it and let me know your thoughts about it.

  147. Phone passwords by Anonymous Coward · · Score: 0

    I have 3, count them 3 different passwords for my phone alone at work. God save me from the passwords! Biometrics never looked so good....

  148. Too many passwords by c0d3h4x0r · · Score: 1

    Too many passwords
    are being lost in the dark
    Too many passwords
    are stained up or marked
    with the brown of coffee that must get spilled
    so that we can stay up without caffeine pills

    Too many passwords
    are being posted on Fark
    Too many passwords
    are lost on a lark

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  149. My Method by Lord+Kano · · Score: 1

    I have a few words, all of which are non-English that I combine with certain numbers. In all there are about 5 words and 5 numbers that I combine to make up the vast majority of my passwords.

    Sometimes I split the word and insert a number, other times I add a leading or trailing number and other times I do a combination. So sometimes I forget a password, but I can give a few guesses and get my stuff.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  150. Everyone stand back... by Yomer333 · · Score: 1

    I work for the network engineering department at my college, and a quick tally puts me at:
    • 3 switch passwords
    • 4 passwords for different types of wireless APs, etc.
    • 4 passwords for utilities to manage said hardware
    • 3 passwords for various scripts written by people around the cubicle farm
    • 2 passwords for programs we use to log the location, serial number, etc. of all of our switches
    • 1 home login
    • 2 passwords for email addresses (school and gmail)
    • 1 universal password I use for stuff that doesn't need to be particularly secure
    The only passwords that are static are the home login, gmail account, and universal password. The work passwords are changed every 45 days, the school password has to be changed at least every 120 days. Because of my affinity for losing wallets, I can't really keep a list or anything. I don't use any cheating methods like prefixing all the passwords with the same string. This is partly because I don't choose any of the work passwords, and partly because that's lame. The idea is if you're not a moron, you should be able to keep track of a couple of passwords if you're going to be using them reasonably frequently.

    "Even a monkey can remember 10 digits. Are you dumber than a monkey?"

  151. Use phrases by happymark · · Score: 0

    E.g.: IWillBeBackBaby, ILovePizzaHut, LifeIsWonderful, etc. I think passphrases are much simpler and easier to remember.

  152. There's never an excuse for password juggling by Julian+Morrison · · Score: 1

    Changing passwords and entropy-enforcing rules seem to me like putting your cash on the table-top, then building a barb-wire fence around the table. Putting cash on the table is something you do when threats are small. If threats become larger, you put the cash in a safe, not try to secure the table.

    An IT department that's worried enough it wants to juggle passwords, should instead hire a security expert. Then they can look at ideas such as requiring logins to be from a physically secured console, biometrics, challenge-response tokens, etc.

  153. My solution by schnitzi · · Score: 1

    My solution -- I changed all my passwords to "passw0rd". Notice that the "oh" is actually a "zero". No one will ever guess that!

    --
    I object to that article, and to the next reply.
  154. What's the point of password changes? by sasdrtx · · Score: 1

    What the hell *is* the purpose of forcing password changes? If my account is compromised, is it not so bad if the bad people only have access to it for ~60 days or less?

    And if the account hasn't been compromised (say 99.99999% of the time), what good is a new password?

    Seems useless to me.

    --
    Most people don't even think inside the box.
  155. Algorithm ? Shmalgorithm! by wetdirtmud · · Score: 1

    Everyone here using innovative formulas to encrypt and remember a password? I just make the letters rhyme, and then make a song out of it, depending on which website I use!
    Slashdot, Slashdot where are you? HxcB4MU!

  156. WOMP by Anonymous Coward · · Score: 0

    Waste of Mod Point

  157. Hold that flame! by TheLittleJetson · · Score: 1

    Pyramid like the old pyramid should be the old FOOD pyramid.

  158. DNA by Anonymous Coward · · Score: 0

    Use DNA.

  159. There are alternatives... by grikdog · · Score: 1

    Including turnkey or "cookie" systems, such as the one GWB carries to identify himself to Launch Control. A simple flash memory card plugged into a USB port, etc. All it takes is the will to develop systems that DON'T use passwords. The minor stuff on the Internet is already managed by KeyChain on Mac OS X, and presumably similar stuff elsewhere. Passwords are sooooo passe, and dongle security is soooooo scalable, you have to assume passwords are still around because NSA wants you to use them.

    --
    ``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
    1. Re:There are alternatives... by grikdog · · Score: 1

      Hmmmm... Judging by some of the other posts here, that's probably incomprehensible. What do you put IN the dongle? Three or four megabytes of RANDOM data (as in Yarrow random, or even if you've got it TREWLY RANDUMB). Then the system works by generating a (*ahem*) password a la carte in several steps: Get the date, seed Mersenne Twister, read pseudorandom bytes from the dongle, reseed the much larger internal table of Mersenne Twister (you can use another instance, of course), store the date in your FS with the (encrypted) data blocks. The date is of course, just a salt -- but with that, AND THE DONGLE, you can access your own computer, the encryption scheme constantly changes with each passing second, the data is actually encoded using AES and your token 256-bit password. This has a fancy name, I don't remember it, though.

      --
      ``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
  160. Macintosh has had a password manager since 1995 by iliketrash · · Score: 1

    Macintosh has had a password manager, Keychain, since 1995. It uses a single master password and integrates with applications. For example, if you access a web site with a Keychain-savvy browser such as Safari, Omniweb, or Camino, the site's password and username fields are automagically filled in. Other applications are supported. See the other poster on this subject whose post was buried.

    1995, Dude.

  161. I really like that wallet approach. by inspector_grim · · Score: 1

    I would like to second the recommendation for Oubliette, I particularly like these features:
    • Inbuilt randomizer that is quite flexible to constrain as needed.
    • Nice and easy drag and drop between Oubliette app and target app... This means no keys actually being typed.
    • Not entirely certain but I *think* the cut and paste is secured somehow.
    Anyways it works and has solved my password problem. The problem in a corporate environment is that this kind of approach is not deemed "seamless" enough. In my opinion the whole directory based SSO approach is overkill in the majority of cases. But if that floats your boat check out:
    • Protocom Secure Login (now owned by ActivCard)
    • Passlogix
    • many others but market is consolidating
    There seems to be a move towards store and replay of these types of passwords on a smart card in the medium term.
  162. Long passwords by n54 · · Score: 1

    Are anyone else finding that it is actually easier to remember longer passwords?

    I recently started using passwords of about 30 characters and they are much much easier to remember than small ones (and I actually have short-term amnesia! Or maybe that's the explanation?). Actually I'm even thinking about trying out 60 characters the next time I need a serious password (I'm not talking about stuff like logging into Slashdot which I simply don't bother remembering).

    With the long passwords I have the flexibility to use a few standard words combined with pseudo-random keyboard patterns as well as meta-information (information I immediately associate with the password itself).

    A generic example could be:
    word word, several pseudo-random pattern strings, meta-information

    The words act as a sort of list lookup or trigger effect for the rest of the password. So the first "word" I remember if I think for example "black morning" is the rest of the password, it becomes kind of a synonym in my own private dictionary.

    A specific example could be (created for this occasion of course):
    Black mOrNing Xr7o_:AW#OKjh FFF:D 1c#(

    That's 37 characters and filled with patterns of various kinds (most importantly the pattern established in my brain after typing it regularly). The seemingly gibberish patterns all have a distinct meaning to me, lots of personal human stuff that would not only require an AI or two to figure out (probably even if I told them) but those AIs would have to be very similar to myself (fat chance!) :)

    Also I throw in at least 1 "rule-breaker" into the password (usually the most difficult thing to remember in the start).

    Btw for using about 60 characters I'm considering iterating the process one step based on an initial 30ish password.

    And as to speed I would guess I use something akin to 10 seconds typing in the about 30 character passwords, perhaps 15, anyway it is fast and becomes automatic after a while.

    --
    this comment is provided "as is" and without any express or implied legibility or congruity [...]
  163. Mod Parent Up! by n54 · · Score: 1

    Damned this was funny lol

    So please moderators mod this gem up.

    Thank you LordFnord you made my day! (and it's still morning over here) :)

    --
    this comment is provided "as is" and without any express or implied legibility or congruity [...]
  164. KeePass with optional key file by Raithmir · · Score: 1

    KeePass has to be the best password manager around IMO. Free, Open Source, AES encryption, and in addition to a master password for your password database you can also specify a key file needed to open the database that you can carry around on a separate USB key or whatever. http://keepass.sourceforge.net/
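
What the key file buys you is that the database key depends on two things of different kinds: something you know and something you carry. Below is an added illustration of that idea for this thread. It is not KeePass's own key-derivation code or file format; how the two parts are combined, the PBKDF2 settings and the key-file normalisation rules are this example's assumptions, and the sample password, key file and salt are constructed.

```python
"""Master password AND key file -> one database key (added example; not
KeePass's derivation or format; combination step and parameters assumed)."""
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000   # assumption: stretch the password against offline guessing


def new_keyfile() -> bytes:
    """32 random bytes, meant to live on a separate USB key."""
    return secrets.token_bytes(32)


def keyfile_secret(data: bytes) -> bytes:
    """Normalise key-file content to 32 bytes.  Assumed rules: exactly 32
    raw bytes are used as-is, 64 hex characters are decoded, and anything
    else (a photo, a text file) is hashed."""
    if len(data) == 32:
        return data
    text = data.strip()
    if len(text) == 64:
        try:
            return bytes.fromhex(text.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass
    return hashlib.sha256(data).digest()


def composite_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the password, then bind the key-file secret to it.

    `salt` is a random per-database value stored in the clear in the
    database header.  Without the key file the result is a different,
    unrelated key, so a keylogged password alone opens nothing."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, ITERATIONS)
    material = stretched + (keyfile_secret(keyfile) if keyfile is not None else b"")
    # Keyed hash as the extraction step; the 32-byte output is the key that
    # would encrypt the database body.
    return hmac.new(salt, material, hashlib.sha256).digest()


if __name__ == "__main__":
    salt = secrets.token_bytes(16)    # constructed per-database salt
    keyfile = new_keyfile()
    print("password + file :", composite_key("hunter2", keyfile, salt).hex())
    print("password only   :", composite_key("hunter2", None, salt).hex())
    print("password + other:", composite_key("hunter2", new_keyfile(), salt).hex())
```

The obvious operational caveat, which the post's "or whatever" glosses over: the key file is now as critical as the master password. Lose the stick without a backup of the file and the database is gone for good, so the file needs the same backup discipline as the database itself, kept somewhere other than next to it.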

  165. Simple workable solution by tod_miller · · Score: 1

    One way password generation based on a simple recognition factor.

    For instance, I take the url of a site and place a process on it (in this case I look at first letters of syllables) and then add the number of letters in the main url; if there is a hyphen I add each section as separate numbers of letters. I then add a reversal of my dob (adds some security for brute forcers - which might as well take an eternity) then my initials reversed in alternate caps, then tag the dns tld onto the end.

    So my password for slashdot can be easily deduced if you know I was born on July 9th 1973. I am hoping it is still hard enough that even knowing my middle name is Paul you still cannot work it out.

    I suggest everyone does this, you soon find it easy to manage site passwords in your head, and then every year you can change your algorithm.

    I am starting to think I should change my algorithm, erm! :-) Please don't hack.

    please type the word in this image: eternity
    random letters - if you are visually impaired, please email us at pater@slashdot.org

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
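
Posts #135 (hash of master password plus domain) and #165 (a mental algorithm run over the URL) are the same idea; the difference is what goes into the function. The following is an added example for both, not the angel.net utility, Jon Udell's code or the poster's own rule: the choice of PBKDF2-HMAC-SHA256, the iteration count, the output alphabet, the URL normalisation and the per-site rotation counter are this example's assumptions, and the master password in the demo is constructed. Compared with #165 it puts nothing guessable (birthday, initials) into the recipe, and it lets one site's password be changed after a breach at that site without touching the master or any other site.

```python
"""One master password, a distinct password per site (added example;
parameters, alphabet and URL normalisation are assumptions)."""
import hashlib
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols
ITERATIONS = 100_000   # assumption: makes a leaked site password a slow offline target


def site_key(url: str) -> str:
    """Normalise a URL or bare host so http://www.cnn.com/a and cnn.com
    derive the same password: lower-case host, no scheme, port, path or
    leading 'www.'.  Deliberately simple; it does not know about
    multi-label suffixes such as co.uk."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def _bytes_to_password(raw: bytes, length: int):
    """Map bytes onto ALPHABET with rejection sampling so every symbol is
    equally likely; return None if the bytes ran out."""
    n = len(ALPHABET)
    limit = n * (256 // n)          # 210: bytes at or above this are discarded
    chars = [ALPHABET[b % n] for b in raw if b < limit]
    return "".join(chars[:length]) if len(chars) >= length else None


def _meets_policy(pw: str) -> bool:
    """Most sites want upper, lower, digit and symbol; guarantee all four."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in "!@#$%^&*" for c in pw))


def derive_password(master: str, url: str, length: int = 16, counter: int = 0) -> str:
    """Deterministic per-site password.  The salt is the normalised site plus
    a rotation counter: bump the counter after a breach at that site and an
    unrelated password comes out while the master stays the same."""
    site = site_key(url)
    tweak = 0
    while True:
        salt = f"{site}\x00{counter}\x00{tweak}".encode("utf-8")
        raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                  ITERATIONS, dklen=length * 4)
        pw = _bytes_to_password(raw, length)
        if pw is not None and _meets_policy(pw):
            return pw
        tweak += 1   # deterministic retry until the policy is satisfied


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed for the demo
    for site in ("https://www.cnn.com/", "cnn.com", "slashdot.org"):
        print(f"{site:22} {derive_password(master, site)}")
    print("cnn.com, counter=1     ", derive_password(master, "cnn.com", counter=1))
```

Two caveats a practitioner would add. First, every derived password is an offline target against the master: a site that stores passwords badly hands the attacker a hash of a function of your master, which is why the derivation is deliberately slow. Second, the scheme assumes one policy fits all sites; a site with a 12-character maximum or a banned symbol needs its own length and alphabet, and you have to remember that exception (or store it), which is exactly the bookkeeping a password manager does for you.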
  166. Biometrics is _not_ the way to go by tcpip80 · · Score: 1

    I have 1... 2... 3... 8 computers just in the room I'm sitting in. I have three computers in the living room; two are in the kitchen. I use about 4-5 computers daily at work. Soo... shell out at least $50 for a biometric device for each one, rather than remember a password? How would biometrics work for a remote console session, which is an indispensable part of my job?

    Biometrics are like the Dvorak keyboard layout - a fantastic idea for a small part of the populace. Unfortunately, unless a computer idea is a great idea for computer professionals, it won't fly.

  167. When Strong Passwords are Needed by ricksmith · · Score: 1

    1. No password should be based on personal information, unless it lives inside a protected perimeter (your house) and the password can't be used remotely to access the system. But if that's the case, then maybe you don't need a password at all!

    2. Passwords for high-end web sites should be hard to guess (1 chance in a thousand), if you are confident that the web site will detect attempts at trial-and-error attacks against your account. Unfortunately, it's hard to tell what sites do when they get bad password attempts.

    3. If you're using Microsoft domain authentication, or a web site that's not going to detect trial-and-error attacks, you're screwed. You have to pick a really nasty, impossible to remember password. This is because it's possible to do on-line trial and error guessing through things like the SMB protocol. I use two longish words with a comma in between - that defeats on-line and off-line attacks.

    4. If you are really protecting important information, then spend a hundred or two dollars per computer and put in something serious, like smart card authentication based on a public/private key pair.
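
Points 2 and 3 come down to one question: how many wrong guesses can an attacker make against one account per day? The following is an added, from-scratch illustration for this thread, not any product's lockout code. The free-attempt count, the doubling delay and its cap are assumptions, the attacker's 10 guesses per second is a constructed figure, and time is passed in as a number so the simulation runs instantly instead of sleeping.

```python
"""Online trial-and-error guessing under a per-account throttle (added
example; policy parameters and attacker speed are assumptions)."""
import itertools
import math


class LoginThrottle:
    """After `free_attempts` consecutive failures an account must wait
    base_delay, then 2x, 4x, ... up to max_delay before the next try."""

    def __init__(self, free_attempts=5, base_delay=30.0, max_delay=3600.0):
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._failures = {}        # account -> consecutive failures
        self._blocked_until = {}   # account -> timestamp

    def blocked_until(self, account) -> float:
        return self._blocked_until.get(account, 0.0)

    def is_allowed(self, account, now: float) -> bool:
        return now >= self.blocked_until(account)

    def record_failure(self, account, now: float) -> float:
        """Return the delay imposed (0 while still within the free attempts)."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n <= self.free_attempts:
            return 0.0
        delay = min(self.base_delay * 2 ** (n - self.free_attempts - 1), self.max_delay)
        self._blocked_until[account] = now + delay
        return delay

    def record_success(self, account):
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)


def attempt_times(throttle, account, attacker_rate=10.0):
    """Timestamps of successive wrong guesses by an attacker who retries
    the moment the account is unblocked (infinite generator)."""
    now = 0.0
    while True:
        now = max(now, throttle.blocked_until(account))
        yield now
        throttle.record_failure(account, now)
        now += 1.0 / attacker_rate


def attempts_within(throttle, account, window_seconds, attacker_rate=10.0) -> int:
    """Wrong guesses possible against one account inside the window."""
    times = attempt_times(throttle, account, attacker_rate)
    return sum(1 for _ in itertools.takewhile(lambda t: t < window_seconds, times))


def seconds_for_attempts(throttle, account, n, attacker_rate=10.0) -> float:
    """Time at which the n-th wrong guess can be made."""
    return next(itertools.islice(attempt_times(throttle, account, attacker_rate), n - 1, None))


def expected_days_to_guess(throttle, password_space, attacker_rate=10.0) -> float:
    """Expected time to hit one of `password_space` equally likely
    passwords: the time needed to make half the guesses."""
    half = math.ceil(password_space / 2)
    return seconds_for_attempts(throttle, "victim", half, attacker_rate) / 86400


if __name__ == "__main__":
    unthrottled = LoginThrottle(free_attempts=10**9)
    print("guesses/day, throttled  :", attempts_within(LoginThrottle(), "victim", 86400))
    print("guesses/day, unthrottled:", attempts_within(unthrottled, "victim", 86400))
    print("days to find a 1-in-1000 password, throttled  : %.1f"
          % expected_days_to_guess(LoginThrottle(), 1000))
    print("days to find a 1-in-1000 password, unthrottled: %.4f"
          % expected_days_to_guess(LoginThrottle(free_attempts=10**9), 1000))
```

With these parameters the throttle allows about 35 guesses per account per day, so a password with a 1-in-1000 guessing chance takes roughly three weeks of continuous hammering on average; with no throttle the same password falls in under a minute, which is the situation point 3 describes for protocols where you do not control the server's behaviour. Two caveats: a per-account lockout lets an attacker deliberately lock the real user out, so most deployments pair it with per-source limits and a ceiling rather than an indefinite block, and it does nothing against an attacker who tries one common password across thousands of accounts, which needs rate limiting by source and by password as well.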

  168. Shameless Plug: My company has a solution by scorp1us · · Score: 1

    I just started at a company (Secured Services), we make a SSO (single sign-on) product (Identiprise) that is Solaris/Linux/Win32 compatible. Not only that but we can require Certs or RSA tokens (the key fob things with the changing random numbers). Once authenticated we can protect all corporate assets. (We can even secure command line FTP traffic)

    Our system also has user self-service, so your helpdesk doesn't have to field password change requests.

    Once you're signed on to windows, the Proxy add-on system can automatically log you into any website, It will learn and maintain your passwords. Most of our customers use it to secure their web apps which are given out to subscribers, but it can work the other way: secure access to the services your organization subscribes to.

    It's a really cool system.

    If you have a large organization, I'd love to hear from you. (Note that this is my first ever hawking of a product for whom I work on in all my years on /.)
    jhihn@secured-services.NOSPAM.com (Remove the 'NOSPAM.')

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  169. Forgot the '-' in the domain link by scorp1us · · Score: 1

    I really should preview!!!
    That is Secured - Services.com.

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  170. How many times... by red990033 · · Score: 1

    How many times are we going to see an article about this kind of stuff?? I don't check /. on a daily, or even sometimes weekly basis, but I've seen at least 3 articles on this same issue within the last month!

    Seems to me, if we were in D.C., /. would be lobbying for the Department of Homeland Security.

    --
    Do what I say, cuz I said it.
    -Meatwad
  171. AI Roboform anyone? by Longshottek · · Score: 1

    uh, has no one here ever used Roboform? yeah, they don't have a linux version (yet) - but I gotta admit I'm happy with my password organization.

    at least it keeps everything local, works in IE & Mozilla.... and they even have a USB key and PALM sync'er
    (roboform.com, duh)

  172. Insecure if I want to be...!!! by methodadmin · · Score: 1

    You know I have long been saying that this complex password thing is a crock of bull!!! A web site I log into for my student loans requires me to have a password at least 6 characters long with one upper, one lower, and one numeric...

    Now everyone out there shouldn't we have the right to keep our personal information insecure if we want to... I could live with 1 or 2 popups saying "Are you sure?" but let me make a simple password if I want to it's my info not yours... Am I wrong??

    I guess for companies' internal networks that's another thing but these websites are all crazy... Maybe I don't care if someone can login to my bank account and steal the $3 I have...

    Just my thoughts...

  173. Most IT attacks... by jotaeleemeese · · Score: 1

    .... are internal jobs.

    Path of least resistance (an internal attacker does not have to go through as many hoops as an external cracker. There are fraudsters whose step #1 is to get a job in the company to be attacked).

    Stringent rules are completely justified.

    --
    IANAL but write like a drunk one.
  174. Ah the passwords. by Anonymous Coward · · Score: 0

    I wish with all my heart that the incompetent security administrators of $BIG_BANK where I work read this.

    One of our password systems (because we have about 4 different ones!) makes us type a password, completely unrelated to the one we need to access our application, when we need to request a reset.

    We are emailed half password, then we read the other half on screen (which we can access with the initial password), in order to check the progress of our request.

    Once it is approved, we get another half password that can be used to claim the real password we are after.

    Every single time I have to go through this procedure, the password has been houston1 (name of town changed to protect the innocent).

    How idiotic is that?