Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

Better than post-it notes

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Re:Better than post-it notes

[shis-ka-bob]

The whole point is that you can can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a seperate cheat card for each month and then keep the same mnomonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that is it bad form to use a single password more than once.

One thing that I did find to be a signficant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember work will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

kwallet

[DarkProphet]

I find that kwallet works well for this in KDE, but its a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)

I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...

Don't forget

[GWBasic]

Don't forget to add that programs use inconsistant rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special charaters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

IT requiring password changes

[ChrisF79]

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attemps at getting in the financial software, you're locked out. You have to call a completely different person that the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

Biometrics not the solution

[millermj]

There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.

Re:Information Security

[darrylo]

You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.

Biometrics is a bad idea, if for no other reason than thieves will chop off body parts: Malaysia car thieves steal finger

Security versus the ability to work

[gdav]

Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.

Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).

The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.