Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

I know how it feels...

[XXIstCenturyBoy]

I have a very very clever comment to add to that thread, but I forgot my password :(

Re:I know how it feels...

[Fulcrum+of+Evil]

Someone should invent a special "web token" of sorts that would keep you logged in.

Tried that. Turns out, nobody wants all their online identities to merge together.

Re:I know how it feels...

[JoeBar]

Fabulous idea. I propose we call it a "cracker"!!

Better than post-it notes

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Re:Better than post-it notes

To steal an old post to an old comment -- that's a very interesting perl program...could you post the output instead of the well-written perl code, though?

Re:Better than post-it notes

[shis-ka-bob]

The whole point is that you can can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a seperate cheat card for each month and then keep the same mnomonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that is it bad form to use a single password more than once.

One thing that I did find to be a signficant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember work will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

Re:Better than post-it notes

[Ed+Avis]

Or better, just use your GPG keypair to identify yourself to start with. For example, when you register on a website you could paste in your GPG public key. Then to authenticate, the website encrypts a word with that key and shows it on a page; you decrypt it and enter the original word. So - no need to remember a password for this website, and if the website is cracked or just plain evil, they still can't do anything to access other sites since all they have is your public key.

The browser could automate this pretty easily, of course

as usual, blame the users for trying

[yagu]

(BTW, this is basically a dupe from about four or five years ago...)

From the article (and the post):

The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are)...

First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know how you are", as if these people are doing some wrong. Their jobs of dealing with the consumer public is hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to server the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.

As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.

In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.

I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.

Don't forget

[GWBasic]

Don't forget to add that programs use inconsistant rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special charaters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

IT requiring password changes

[ChrisF79]

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attemps at getting in the financial software, you're locked out. You have to call a completely different person that the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.

Re:Information Security

[99BottlesOfBeerInMyF]

Something you have (physical key)

Something you know (password)

Something you are (biometrics)

I strongly object to this bastardization of traditional authentication scheme theory. "Something you are" is a load of crap. It is an attempt to graft biometrics onto existing theory without evaluating how they really work. Biometrics identifiers are just something you have and need to be evaluated on their strengths and weaknesses on that basis. For the most part biometrics are something you have that you keep with you all the time and cannot easily remove or change. This is good in that it makes them harder to steal and less likely to be lost. This is bad because you cannot put them away somewhere safe and are constantly exposing them to the possibility of being copied. It is also bad because unlike other things you might have and use to authenticate, biometrics are almost impossible to change, so once compromised are a nearly permanent vulnerability. Finally, biometrics are bad because they can lead to the escalation of a crime in that their theft can be physically damaging. Take note of the man who was first kidnapped, then had his thumb cut off when car-jackers wanted to be able to start his fancy thumbprint lock car. Criminals don't need to be given extra motivation to commit mutilations.

Biometrics proliferate these days largely on their "cool" factor. The more blinking lights and high-tech gadgets the more secure it must be, right? Sadly they are being used to replace either the something you know or something you have in traditional biometric schemes, with the end result being less overall security. Biometrics have their place, and that is in a tightly controlled environment, supplemented by human observers to prevent copies from being easily used, and as an additional security measure on top of "something you know" and "something you have" that can't be copied from your beer glass at the bar. They do not belong in an authentication scheme in place of either a traditional "something you know" or "something you have" unless your goal is to have very, very convenient placebo security that is trivially bypassed by design.