Slashdot Mirror


Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

13 of 516 comments

  1. Better than post-it notes by nizo · · Score: 5, Interesting

    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

    a-E9 b-?p c-&m
    d-6K e-aY f-eP
    g-!S h-gn i-D=
    j-Hd k-vw l-Cb
    m-W5 n-4$ o-R3
    p-x% q-7M r-NF
    s-+2 t-s* u-Ay
    v-fL w-zG x-Zu
    y-cX z-Qr

    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
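
    The card scheme above, as an added worked example (this is not nizo's Perl program, which is not shown in the thread): each lowercase letter maps to a short random chunk, a memorable word is converted by concatenating the chunks, and the card is printed in the same "a-E9 b-?p c-&m" layout. The symbol pool the chunks are drawn from is an assumption, since the post does not state it. The card from the post is transcribed inline so the "bank" derivation can be checked, and a helper reports which of the four character classes (upper, lower, digit, symbol) a derived password happens to contain, since a derived password can miss one.

```python
import secrets
import string
from typing import Mapping

# Added example for this thread; not nizo's script. Reproduces the idea of the
# printed card: letter -> random chunk, memorable word -> concatenated chunks.

LETTERS = string.ascii_lowercase
# Pool the random chunks are drawn from (an assumption: the posted card mixes
# letters, digits and symbols, but its exact symbol set is not stated).
# "-" is excluded because the printed card uses it as the letter/chunk separator.
CHUNK_POOL = string.ascii_letters + string.digits + "!?$%&*+="


def generate_card(chunk_len: int = 2, rng=secrets) -> dict:
    """Return {letter: chunk} for a-z, using a CSPRNG by default.

    `rng` only needs a .choice() method, so any object with that interface
    (e.g. a seeded random.Random) can be passed to get a reproducible card."""
    return {c: "".join(rng.choice(CHUNK_POOL) for _ in range(chunk_len))
            for c in LETTERS}


def render_card(card: Mapping[str, str], per_row: int = 3) -> str:
    """Format the card the way the post prints it: three 'x-YZ' cells per row."""
    cells = [f"{c}-{card[c]}" for c in LETTERS]
    rows = [" ".join(cells[i:i + per_row]) for i in range(0, len(cells), per_row)]
    return "\n".join(rows)


def parse_card(text: str) -> dict:
    """Inverse of render_card: read a printed card back into a dict.
    partition() splits on the first '-' only, so chunks may contain any symbol."""
    card = {}
    for token in text.split():
        letter, _, chunk = token.partition("-")
        card[letter] = chunk
    return card


def derive_password(card: Mapping[str, str], word: str) -> str:
    """Look up each letter of the memorable word; characters not on the card are skipped."""
    return "".join(card[c] for c in word.lower() if c in card)


def character_classes(password: str) -> dict:
    """Report which of the four classes commonly demanded by password policies
    are present. A derived password can miss one, so this is worth checking
    before adopting a word for a site with such a rule."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


# The card printed in the post, transcribed here so the derivation can be checked.
POSTED_CARD = parse_card("""
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
""")

if __name__ == "__main__":
    print(render_card(POSTED_CARD))
    print("bank ->", derive_password(POSTED_CARD, "bank"))  # ?pE94$vw, as in the post
    fresh = generate_card()
    print()
    print(render_card(fresh))
    pw = derive_password(fresh, "bank")
    print("bank ->", pw, character_classes(pw))
```

    Running it prints the posted card, derives "?pE94$vw" from "bank" exactly as in the post, then generates and prints a fresh card with its own derivation. A word containing repeated letters yields repeated chunks, and a longer word simply gives a longer password.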

    1. Re:Better than post-it notes by shis-ka-bob · · Score: 5, Interesting
      The whole point is that you can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a separate cheat card for each month and then keep the same mnemonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that it is bad form to use a single password more than once.

      One thing that I did find to be a significant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember word will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

      --
      Think global, act loco
    2. Re:Better than post-it notes by TheRaven64 · · Score: 3, Interesting

      Rather than a PGP key, why not a personal SSL client certificate? Support is already integrated into most browsers, and organisations such as CACert issue them for free.

      --
      I am TheRaven on Soylent News
    3. Re:Better than post-it notes by Anonymous Coward · · Score: 3, Interesting

      Evil sites *could* still cause harm. Think about a man in the middle attack:

      1. you go to evilsite.com, and enter your public key
      2. evilsite.com automatically connects to bank.com, and enters your public key
      3. bank.com encrypts some string, and sends it to evilsite.com
      4. evilsite.com sends the encrypted password to you
      5. you decrypt the data, and enter that info to evilsite.com
      6. evilsite.com forwards the data to bank.com

      Now, while you play on evilsite.com, evilsite.com empties your bank account. Not likely? What if you went to evilsite.com by following a link in an email that looks like it came from bank.com, and where you have a bank account? And don't think like someone who knows better. Think like your grandmother.

    4. Re:Better than post-it notes by pcraven · · Score: 3, Interesting

      Too slow.

      Use a phrase, like: SlashDot Keeps Posting The Same Thing Over And Over
      Use the first letters: sdkptstoao
      Modify it a bit: SDkptst0a0

      You just remember the phrase and you are good to go!

  2. kwallet by DarkProphet · · Score: 4, Interesting

    I find that kwallet works well for this in KDE, but it's a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

    I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...

    --
    What could possibly hurt the security of the American people more than giving our own government the ability to hide its
  3. Don't forget by GWBasic · · Score: 5, Interesting

    Don't forget to add that programs use inconsistent rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special characters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

  4. IT requiring password changes by ChrisF79 · · Score: 5, Interesting

    I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

    --
    Finance tutorials and more! Understandfinance
  5. Biometrics not the solution by millermj · · Score: 4, Interesting

    There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.

    --
    Did anyone bother to ask the customers what they want?
  6. I write my passwords down. by LionKimbro · · Score: 3, Interesting
    I write my passwords down in a special location in a special book.

    • You can't look at my password over the Internet.
    • You can't (for at least 30 years) make a robot that will find my passwords.
    • If a server that stores my password is compromised, then it is only that password that is compromised.
    I have offloaded Internet security into Material security.

    I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.

    It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.

    But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.

    I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.

    If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; rather, tell me what you really do.
  7. I changed my password this morning by RingDev · · Score: 3, Interesting

    And I had some app running in the background (something FF related?) that kept trying to auto apply my original password (yes I cleared password from inside FF). After the 6th lock out of the day, I got my network techs to let me reset my password.

    Total cost of the password change? Maybe a man-hour's worth of time (between myself and waiting on the techs, and the techs stopping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  8. Re:Information Security by darrylo · · Score: 4, Interesting
    You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

    Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger

  9. Security versus the ability to work by gdav · · Score: 4, Interesting

    Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.

    Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).

    The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.