Slashdot Mirror


Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

216 comments

  1. Simpleton passwords are my friends at work by 9mm+Censor · · Score: 2, Insightful

    I work at a call center. The password I was given was "apple123". After 6 months I was prompted to change it. So now my password is "apple456". If I were to work here for another 6 months, I would change it back to "apple123" but I quit because I value my sanity.

    1. Re:Simpleton passwords are my friends at work by Anonymous Coward · · Score: 0

      > I work at a call center. The password I was given was "apple123". After 6 months I was prompted to change it. So now my password is "apple456". If I were to work here for another 6 months, I would change it back to "apple123" but I quit because I value my sanity.

      I use the password "rudibakhtiar" She's welcome to root my box anytime!

    2. Re:Simpleton passwords are my friends at work by Penguin+Programmer · · Score: 1

      At my previous job, there were two of us with sudo access on the new fileserver I set up: myself, and the previous admin (who wasn't really a computer guy, just the guy who ended up doing their computer stuff before I was there).

      His password was qwer.

      Needless to say, I restricted SSH access (which was the only remote access to the fileserver) to my user and my user alone.

    3. Re:Simpleton passwords are my friends at work by rabiddeity · · Score: 2, Funny

      You didn't happen to work for a company called "UNATCO", did you? I know a lot of their passwords were like that.

    4. Re:Simpleton passwords are my friends at work by 9mm+Censor · · Score: 1

      Seeing as my password is "apple123" I think that is a bit of a hint ;) Hint #2: Jobs gives me a job. Hint #3: White computers! Hint #4: Stupid users. Hint #5: WTF are you doing on /. if you don't know that I am working for Apple (via a contractor) yet.

    5. Re:Simpleton passwords are my friends at work by rabiddeity · · Score: 1

      Think Deus Ex, if you've ever played it? Nevermind, I guess it's a bad joke if I have to explain it.

    6. Re:Simpleton passwords are my friends at work by nelsonal · · Score: 1

      I couldn't remember where I'd heard UNATCO before. I think by the end of that game I could reliably guess the passwords for most terminals. Really fun game though, especially once you get the dragon's tooth sword. Was playing in the dark when I ran into that Croc in HK, nearly jumped out of the chair on that one.

      --
      Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
  2. Skroob. by Tackhead · · Score: 3, Funny
    > We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters.

    "0123456789aBcDeF"

    That's amazing. I've got the same password on my 6-piece luggage set!

    1. Re:Skroob. by Anonymous Coward · · Score: 0

      Look4ABetterJob!

    2. Re:Skroob. by Captain+Splendid · · Score: 4, Funny
      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:Skroob. by LurkingStranger · · Score: 1

      I work as an automation consultant. And at present, work at 5 sites. And have control and LAN and WAN accounts at all sites. And my office account and the VPN for the office. And home and the Mac at home and the Linux box at home. Some are PINed secure digital tokens. Some are numbers and letters, some are numbers and upper and lowercase number. Most have to be 6 chars. It is a bit insane. And at the rolling 6 weeks expiration, I lose about 4 hours changing and synching it all. The more conservative clients are starting to use smart cards...anyone else seeing that?

  3. That's not too strange by Anonymous Coward · · Score: 4, Insightful

    Those requirements don't sound too tough, though 16 characters is a little long.

    As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

    Example:
    Slashdot is full of bad grammer,misspellings and inaccuracy

    =

    s1F0bgMaI

    The phrase is easy to remember; the number and uppercase substitutions come with repetition.

    1. Re:That's not too strange by pete6677 · · Score: 2, Insightful

      Yes, but try getting an administrative assistant to do this. They won't; you can guarantee they will just do the easy thing and write it down. This is not always a bad thing, though, provided they don't stick it on their monitor or something.

    2. Re:That's not too strange by renelicious · · Score: 4, Interesting

      Actually I think the "first letter of the phrase" idea is too complex, why not just use a phrase. Most sane passwords allow up to 128 characters. You can easily type a whole sentence, which is much easier to remember. Use something like:

      Jane's birthday is on October 12th. (with punctuation)

      or

      Do or do not, there is no try.

      --
      "Luke, I am your node.parent();"
    3. Re:That's not too strange by alfs+boner · · Score: 3, Funny
      Also:

      Slashdot users are uneducated unemployed and overweight

      =

      SurU2a0

      Slashdot users frequently complain about things, despite being overlooked and ignored because of their ignorance.

      =

      sUfcaTdb0a1b0t1

      =

      Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

      =

      ga5e2pcntd31g1719905

      Diabetes is god's way of telling you to lose weight, and that you look disgusting.

      =

      d1gW0tyT1w47yLd

      --
      Listen p*ssy. I'm sure your the same homo that posted earlier about alf's boner and you just want to remain anonymous fo
    4. Re:That's not too strange by no_pets · · Score: 1

      Very true. I've noticed as well by the afternoon I'm not really thinking about typing it - my fingers have learned the new password.

      But, I will add, my rules are to change passwords in the morning (if possible) and never change a password on a Friday (unless you absolutely have to) because it's easier to forget by Monday.

      --
      "A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
    5. Re:That's not too strange by BobPaul · · Score: 1

      I like those passwords, but I would just type them in full. All of our passwords are phrases that are over 30 characters long including punctuation. This excludes those that need to be entered frequently and repeatedly, like that for managing printers, which is short and not very secure but doesn't really matter because that password can really only stop and restart printers. I used to abbreviate like you did, but I've found I can often type the whole phrase faster since I don't have to think of the word, then determine the first letter of that word and remember if it's capitalized or not. Now I just think of the word and type it.

    6. Re:That's not too strange by charlesnw · · Score: 1

      I just added that password to my cracking dictionary. I will post a message to /. every time my cracker gets in using that PW :)

      --
      Charles Wyble System Engineer
    7. Re:That's not too strange by spaceyhackerlady · · Score: 1
      > As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

      This is one of my faves.

      It's immune to a dictionary attack, and any good password will be. It's also largely immune to social engineering, i.e. somebody looking over your shoulder as you type. You think "Now I'm possessive it isn't nice. You've heard me say that smoking is my only vice...", and they see NIpiinYhmstsimov, random garbage with no pattern. Much harder to remember.

      Just don't hum the tune while you type. :-)

      ...laura, probably showing her age again

    8. Re:That's not too strange by bigmouth_strikes · · Score: 3, Funny

      > Goatees are stupid, especially on effeminate, pudgy computer nerds; they didn't even look good in the 1990s.

      Hey, I resemble that remark!

      --
      Oh, I can't help quoting you because everything that you said rings true
    9. Re:That's not too strange by Anonymous Coward · · Score: 0

      Wow... that's a really good method.

      I have a question for you (and anyone else out there), though.

      I have a large number of online accounts, and I learned the hard way (blech) that it's REALLY BAD to use the same password for all of them. So: what's a recommended way of managing large numbers of passwords for different online accounts?


      My current method is this:

      * use the same random 6-character root, consisting of upper/lower/digits
      * for each account, append a 2 character abbreviation relevant to the site the account is on

      That way, I only effectively have to remember one password. For example: if my "root" password is "Sukk3R", then my password on hotmail would be "Sukk3Rhm", my password on SlashDot would be "Sukk3Rsd", my password on flickr would be "Sukk3Rfr", my password on LiveJournal would be "Sukk3Rlj", and so on.

      That way, it's very easy to remember, but I'm not using the exact same password on multiple accounts.

    10. Re:That's not too strange by martinultima · · Score: 1

      I refuse to consider any password secure unless it's at least 16 random alpha-numerical characters, uppercase and lowercase, generated via a random password script. My own password on all my machines was generated with this random password generator I wrote in Python, and I've been using it well over a year on every single one of my machines without a single problem. My root password, of course, is 32 characters long, and entirely different altogether.

      If it helps, I did write the one password down for the first few months, and after that I managed to memorize it and just threw the paper away altogether. Both the passwords were, of course, saved in a hidden file in my home directory, readable only by me, and protected by at least one of the passwords with the end result that no one would get in without my permission. And eventually, I memorized the root password as well. Took a while, but I did!

      --
      Creative misinterpretation is your friend.
    11. Re:That's not too strange by elvum · · Score: 1

      To make it even easier to remember, why not make the phrase an acronym for some well-known English word?

    12. Re:That's not too strange by Anonymous Coward · · Score: 0

      There are many phrase dictionaries out there just for attacking this system. Try again.

  4. So what's to keep you... by Flimzy · · Score: 4, Insightful
    ...from simply rotating the password?

    Jan: 0123456789abcDE_
    Feb: 123456789abcDE_0
    Mar: 23456789abcDE_01

    You get the idea

    No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.

    1. Re:So what's to keep you... by Anonymous Coward · · Score: 0

      Better solution: set your password. Use it for one day. Come in next morning: call support: lost password. Get new password. Use it for one day. Come in next morning: call support: lost password. Get new password. Use it for one day... If they complain, tell them you cannot remember such a long password, and you don't want to write it down because it'll make it less secure.

      On a more serious note, unless you work at a nuclear launch site, the password requirements are flat out ridiculous. Get your IT department fired.

      And for reference, my company's password requirements: 8 characters, mixed case including one non-alphabetic class (digit, punctuation, symbol, etc), cannot repeat any of previous 24 passwords, expires every 3 months. The 3 month lifetime is somewhat annoying, but other than that it works well enough.

    2. Re:So what's to keep you... by Anonymous Coward · · Score: 0

      Some idiot is going to use these passwords, mark my words.

    3. Re:So what's to keep you... by Achromatic1978 · · Score: 1

      Maybe it's a form of non-directed social engineering! ;)

    4. Re:So what's to keep you... by Kadin2048 · · Score: 3, Interesting

      I know people who do something similar to this, by typing geometric patterns on the keyboard. (They weren't using it actually to control access to anything, just as passwords to test accounts and the like.)

      You start off with "1qaz2wsx3edc" and then when it expires, you change it to "qaz2wsx3edc4", etc. Depending on how intelligent the password system is -- in this particular case, not very -- you could get away with it. I think more secure systems probably pick up on the lack of difference between the two and would prohibit it.

      It's easy to create very complex, seemingly-random passwords that include numerics and punctuation this way, but it's very prone to shoulder-surfing. If anyone sees you enter it even once, they'll know what you're doing.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
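      The rotation trick in the parent post, the shared-root-plus-suffix scheme from the "Sukk3R" post further up, and the keyboard patterns described just above all pass a history check that only compares character positions. The following is an added example, not code from any poster, of how a stricter system (the kind Kadin2048 expects "probably pick up on the lack of difference") would reject them: it implements the weak per-position rule from the question beside a rule that catches exact reuse, cyclic rotations, and near-duplicates, plus a QWERTY adjacency check for keyboard walks. The history entries are the constructed monthly passwords from the parent post; the 0.6 similarity threshold and 0.7 adjacency fraction are assumed tuning values, not from the thread.

```python
"""Password-history checks from a defender's side.

position_rule() is the weak rule from the question (no character may match
the same position in a recent password); strong_rule() adds what a stricter
system applies: exact reuse, cyclic rotation, and near-duplicates such as a
shared root with a per-site suffix. keyboard_walk() flags passwords typed as
geometric patterns on a US QWERTY keyboard."""
from difflib import SequenceMatcher

# Constructed sample history: the rotating scheme from the parent post.
HISTORY = [
    "0123456789abcDE_",  # Jan
    "123456789abcDE_0",  # Feb
    "23456789abcDE_01",  # Mar
]


def position_rule(candidate, history):
    """Weak rule: reject only if some position equals the same position in
    a previous password. A rotation of a previous password passes."""
    return not any(a == b for old in history for a, b in zip(candidate, old))


def is_rotation(candidate, old):
    """True if candidate is a cyclic shift of old: same length, and found
    inside old concatenated with itself."""
    return len(candidate) == len(old) and candidate in old + old


def similarity(a, b):
    """0.0 (nothing in common) .. 1.0 (identical), via difflib's ratio."""
    return SequenceMatcher(None, a, b).ratio()


def strong_rule(candidate, history, max_similarity=0.6):
    """Stronger rule: reject exact reuse, rotations, and near-duplicates.
    max_similarity is an assumed threshold, not a value from the thread."""
    for old in history:
        if candidate == old or is_rotation(candidate, old):
            return False
        if similarity(candidate, old) >= max_similarity:
            return False
    return True


# US QWERTY layout, unshifted; shifted symbols map back to their key.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = dict(zip("~!@#$%^&*()_+{}|:\"<>?", "`1234567890-=[]\\;',./"))
_POS = {}
for _r, _row in enumerate(_ROWS):
    for _c, _ch in enumerate(_row):
        _POS[_ch] = (_r, _c)


def _key(ch):
    """(row, column) of the physical key for ch, or None if not on the map."""
    ch = ch.lower()
    return _POS.get(_SHIFTED.get(ch, ch))


def keyboard_walk(password, min_fraction=0.7):
    """True if most consecutive characters sit on adjacent keys (neighbouring
    row and/or column, diagonals included), e.g. '1qaz2wsx3edc'.
    min_fraction is an assumed threshold."""
    if len(password) < 2:
        return False
    adjacent = 0
    for a, b in zip(password, password[1:]):
        ka, kb = _key(a), _key(b)
        if (ka and kb and ka != kb
                and abs(ka[0] - kb[0]) <= 1 and abs(ka[1] - kb[1]) <= 1):
            adjacent += 1
    return adjacent / (len(password) - 1) >= min_fraction


if __name__ == "__main__":
    april = "3456789abcDE_012"          # next rotation in the scheme
    print("position rule accepts April:", position_rule(april, HISTORY))
    print("strong rule accepts April:  ", strong_rule(april, HISTORY))
    print("root+suffix near-duplicate: ", strong_rule("Sukk3Rsd", ["Sukk3Rhm"]))
    print("1qaz2wsx3edc is a walk:     ", keyboard_walk("1qaz2wsx3edc"))
```

The per-position rule is satisfied by every rotation because the original password has sixteen distinct characters, so shifting it by one guarantees every column changes; the rotation test (`candidate in old + old`) and the similarity ratio close that hole, and the same ratio catches the "Sukk3Rhm"/"Sukk3Rsd" pair, which share six of eight characters in order.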
    5. Re:So what's to keep you... by mengel · · Score: 1

      And then you get the Dvorak keyboard, and Ouch! you can't remember your password anymore :-)

      --
      - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
    6. Re:So what's to keep you... by yuri+benjamin · · Score: 1

      When I worked in a call centre with monthly forced password changes, I did the geometric keyboard pattern thing. It's faster to type, easy to remember and I didn't give a schit about security anyway - it wasn't my network.

      --
      You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
  5. Suggested to me: by wild_berry · · Score: 4, Interesting

    One of the best I'd seen was to take first letters (or last, or second, etc.) from words in a song whose lyrics you know well. They have a decent amount of randomness and each album you buy will supply a couple of years' worth of passwords.

    Writing them down in a safe location is a helpful aide-mémoire. You could just have a lyrics file saved to a thumb drive or scrawled in a diary.

    1. Re:Suggested to me: by SomeGuyFromCA · · Score: 1

      The problem there is forgetting which song and which phrase in which song.

      "... okay, now for the root password, did i use the chorus from broken, the bridge from coin-operated boy, or the intro from engel?"

      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    2. Re:Suggested to me: by Gaewyn+L+Knight · · Score: 1

      1wtfyl@@... 1wtfyf71... mW31f... ybmc7g.

      hehehe... even with the song good luck figuring those out... and anyone else seeing them will think they are line noise

      --
      Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
    3. Re:Suggested to me: by Anonymous Coward · · Score: 0

      I'm going to rip all such combinations from azlyrics.com and put it in my dictionary file.

    4. Re:Suggested to me: by barzok · · Score: 1

      NiN, "Closer"

      Only took about 15 seconds to work out.

    5. Re:Suggested to me: by Gaewyn+L+Knight · · Score: 1

      Bwahaha...
      Awesome job!

      Ok... so evidently I need to choose some of the old Celtic tunes instead :P

      1dmp,1d7r... @@7w1bmb... Umpswmd.

      --
      Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
    6. Re:Suggested to me: by kafka47 · · Score: 1
      That's pretty good, even if you write it down, as someone finding them is likely not going to assume song lyrics are a password. Contrast this to "zex242ab" which does indeed appear like a password.

      Another suggestion I've heard is to use a combination of visual patterns on a keyboard, i.e. "pl,12#edc" is a good password that you can follow visually without having to necessarily remember it exactly.

      ...and hope you didn't eat something messy for lunch that'd leave a trail behind as you type. ;-)

      /K

    7. Re:Suggested to me: by the+phantom · · Score: 2, Funny

      That can't be Celtic -- too many vowels.

    8. Re:Suggested to me: by thogard · · Score: 1

      How many memorable lines are there out of top 40 songs over the last 40 years? I'll give you a hint, it's much smaller than you think. If there was one memorable line out of every top 40 song and the list was completely replaced every week, it would be about 4 times bigger than the number of words in a grade school student dictionary. Of course some songs have maybe a dozen lines that their fans will remember but some songs have been in the top 40 for a very long time and a busy month may have nearly a 1/4 of the list replaced.

    9. Re:Suggested to me: by wild_berry · · Score: 1

      I was suggesting that people learn the lyrics to a song by any artist they like, so increasing the available options. I wouldn't advise it to anyone who wasn't into music that much, and I'd definitely recommend avoiding high-rotation chart tracks.

    10. Re:Suggested to me: by thogard · · Score: 1

      Find someone who has a few CDs from one of the artists that you have the same albums. Have each of you write down three lines out from each song on each album and then compare lists. The statistics of this end up being very much like the birthday paradox in that as you add more people to the pool, the collision domain shrinks to nothing very quickly.

      The scary thing about "password best practice" is that it's all based on something that sounded like a good idea at the time (and might have been). I have friends who happen to like obscure songs written a thousand years ago in Latin but if they did the experiment above, they will come up with about the same results. Add in a random group of musicians in the SCA and the chance of an obscure song goes to zero.

    11. Re:Suggested to me: by wild_berry · · Score: 1

      I was expecting that people would pick rare or unspecial lines of songs that people underrate. That's a wiser move than just taking the few lines that stick out (and padding words you don't remember with 'b' from 'blah'). Part of the security schema will involve not disclosing what source the passwords come from or what form a password takes -- a no-brainer.

    12. Re:Suggested to me: by thogard · · Score: 1

      You're getting into complexities that I believe won't help. Go to your CD collection and get the most obscure thing you have where you have at least 3 CDs and do the experiment. Then google for the lines you used. Your mind will be slightly tainted towards the most obscure lines you can think of because of this discussion but I expect you'll be surprised with the results.

      The not disclosing the song is a given but it's irrelevant since external hackers just use dictionaries anyway. I've seen dictionaries with song lyrics and Shakespeare over a decade ago.

  6. On the Enterprise? by mph · · Score: 4, Funny

    I know a few...

    "Theta alpha two seven three seven blue"

    "One one A"
    "One one A two B"
    "One B two B 3"
    "Zero zero zero destruct zero"

    But usually, voice identification is enough.

    1. Re:On the Enterprise? by Anonymous Coward · · Score: 0

      My favorites for voice identification would have to be

      "Soylent Green is people"

      or

      "Main screen turn on!"

    2. Re:On the Enterprise? by poena.dare · · Score: 4, Funny

      Yeah, I used to go for super duper password complexity on the Enterprise, but Data kept mimicking my voice, so what's the point? You can't win.

    3. Re:On the Enterprise? by Municipa · · Score: 1

      I always wondered why they didn't just make the password, "Please blow up the ship now, thank you. Please."

      And if I were anywhere near the captain when he/she said the password I would just record it with my tricorder.

    4. Re:On the Enterprise? by Beryllium+Sphere(tm) · · Score: 1

      I tried that last set but I never did get access. There was a pause for about half a minute and it dropped the connection.

    5. Re:On the Enterprise? by zolaar · · Score: 1

      forgot the big mother:
      [inhales...]

      "one seven three four six seven three two one four
      seven six Charlie three two seven eight nine seven
      seven seven six four three Tango seven three two
      Victor seven three one one seven eight eight eight
      seven three two four seven six seven eight nine
      seven six four three seven six
      Lock."

      --
      One man's constant is another man's variable.
    6. Re:On the Enterprise? by Anonymous Coward · · Score: 0

      And lest we forget...

      Picard Four Seven Alpha Tango
      Crusher Two Two Beta Charlie

    7. Re:On the Enterprise? by serutan · · Score: 1

      Queen to queen's level three.

  7. Well, this is a classic dilemma by biglig2 · · Score: 4, Interesting

    Make the passwords too hard to remember and people write them down because they have to.

    Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

    Myself, I use muscle memory to store mine. I make up an entirely random password and spend 20 minutes typing it over and over again until my hands remember how to make that sequence of twitches. Works great; and no risk of me accidentally telling someone my password because I don't know what it is.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
    1. Re:Well, this is a classic dilemma by tomhudson · · Score: 3, Funny

      Of course writing your password down and keeping it in your wallet or purse is better ... follow the MONEY!

      Just use the serial number off a piece of currency, and a few letters, and you're gold. Just don't spend your password.

    2. Re:Well, this is a classic dilemma by bluelip · · Score: 1

      I know some people will call BS, but there is some truth to your evidence. There's been more than one time when someone asked a person in my unit for a password and we couldn't rattle it off from the top of our head. Sit down at a keyboard, and it basically falls out of our fingers.

      Weird? Yes.
      Logical? Not at all.
      Probably some tricks our mind is playing? Yep.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
    3. Re:Well, this is a classic dilemma by Beryllium+Sphere(tm) · · Score: 1

      > Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.

      Not only that, it has a quantifiable value, allows you to choose an arbitrarily complex password, and protects against the self-administered DoS of a forgotten password: http://www.berylliumsphere.com/security_mentor/2004/03/heresy-write-down-your-password-what.html

      Having the password "written" down in an encrypted file should satisfy anybody sane, and if your company is insane, hey, they can't prove there's a password inside the file! Bruce Schneier's Password Safe has been holding up pretty well in the real world and in the crucible of people looking to get famous by finding a flaw in Schneier's work.

    4. Re:Well, this is a classic dilemma by DaSenator · · Score: 0

      Isn't that what most people do for personal passwords anyways?

      I mean, I don't know many people who do the steps that you did (and that's a really good idea to practice what you did, as I'm implementing it for my monthly password change for next month), but for people who type their personal passwords on their personal computers and don't tell anyone the password or write it down, isn't the concept at least the same?

      I'm probably wrong here, but I still gotta say, your idea is pretty darn smart, especially with a longer (16+ characters) password.

      At least that's just my opinion.

      --
      Entia non sunt multiplicanda praeter necessitatem.
    5. Re:Well, this is a classic dilemma by Anonymous Coward · · Score: 0

      Yeah, I do something like this too. And I type Dvorak, so I have to "learn" it twice.

    6. Re:Well, this is a classic dilemma by Shadarr · · Score: 1

      Password Safe is indeed a tremendous tool. Not so much for the logon password (which I would need to have remembered before being able to launch Password Safe anyway) as for the obscure passwords that expire every 90 days and get used once or twice in that time. Where I work we have all sorts of passwords, way too many to remember without writing them down. Password Safe effectively lets me just remember one.

    7. Re:Well, this is a classic dilemma by JaredOfEuropa · · Score: 3, Insightful
      > Some advice Bruce Schneier once gave: there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet. Your wallet is a security mechanism that you already use, and you are very practiced at keeping it secure.
      Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. That's why people tend to keep such bits of paper in their desk drawer rather than their wallet. Or (especially if they have to remember multiple passwords) in a Word document protected by a silly password. Of course, passwords for "functional" accounts that are shared between users are recorded in a different favorite place: the office whiteboard.

      To improve security and make the users happy at the same time, this is what we are currently doing:

      1) Enforce "good" passwords but do not let them expire (do lock it out upon 3 incorrect passwords). Instead, notify the user of his last login time and last workstation used.

      2) Look for Single Sign-on solutions. Some applications can leave user authentication up to the OS: being logged in to Windows NT (for instance) is good enough for the application to trust that you are you. If you are writing an application that requires controlled access, consider implementing SSO.

      3) If you cannot get around the fact that users will have to deal with multiple passwords, consider a Password Vaulting solution. Basically this is nothing more than a bit of client-side code that remembers passwords as they are entered once, and then enters them automatically the next time you come across the same login window. Sounds crummy, but there are a few secure enterprise-level password vault applications that store passwords centrally and encrypted.

      4) Use sudo or kerberos or similar for functional accounts.
      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
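      Point 1 of the list above (lock the account after three incorrect passwords instead of expiring it, and show the user the last login time and workstation) is small enough to show end to end. The following is an added example, not JaredOfEuropa's code or any product's: a login gate that keeps a consecutive-failure counter, locks at the third wrong password, resets the counter on success, and returns the previous successful login so the user can spot a login that was not theirs. PBKDF2 stands in for whatever hash the real directory uses; the lockout logic does not depend on it. Account data and workstation names are constructed.

```python
"""Login gate implementing two policy points: lock an account after three
consecutive wrong passwords, and report the previous successful login
(time and workstation) so the user can notice misuse themselves."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple
import hashlib
import hmac
import os

MAX_FAILURES = 3  # "lock it out upon 3 incorrect passwords"


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0                                  # consecutive wrong passwords
    locked: bool = False
    last_login: Optional[Tuple[datetime, str]] = None  # (time, workstation)


def _hash(password: str, salt: bytes) -> bytes:
    # Stand-in password hash; any slow salted hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt))


def login(acct: Account, password: str, workstation: str, now: datetime):
    """Returns (ok, message). On success the message carries the previous
    login so the caller can display it; on failure it says why."""
    if acct.locked:
        return False, "account locked; contact the helpdesk"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return False, "account locked after %d failed attempts" % MAX_FAILURES
        return False, "wrong password (%d of %d)" % (acct.failures, MAX_FAILURES)
    # Correct password: clear the counter and rotate the last-login record.
    acct.failures = 0
    previous = acct.last_login
    acct.last_login = (now, workstation)
    if previous is None:
        return True, "first login"
    return True, "last login %s from %s" % (previous[0].isoformat(), previous[1])


if __name__ == "__main__":
    # Constructed walk-through: two good logins, then a lockout.
    acct = create_account("correct horse battery")
    print(login(acct, "correct horse battery", "ws-01", datetime(2024, 1, 1, 9, 0)))
    print(login(acct, "correct horse battery", "ws-02", datetime(2024, 1, 2, 9, 0)))
    for _ in range(3):
        print(login(acct, "wrong", "ws-03", datetime(2024, 1, 3, 9, 0)))
    print(login(acct, "correct horse battery", "ws-02", datetime(2024, 1, 3, 9, 5)))
```

Showing "last login from ws-01" to someone who has never used ws-01 turns every user into a detector for their own account, which is the trade the post proposes in place of forced expiry.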
    8. Re:Well, this is a classic dilemma by Monster_Juice · · Score: 2, Insightful

      > there is nothing so terribly wrong with writing your password down on a piece of paper and putting it into your wallet.

      This would probably work well for me even though I have about 20 passwords. My wife on the other hand has 1 password and 20 purses. I can see her going to work and claiming she has to go home and change purses.

      --
      Slashdot +1 funny -4 Insightful +1 informative -2 Redundant
      Karma: Somewhere between SCO and Microsoft
    9. Re:Well, this is a classic dilemma by WuphonsReach · · Score: 3, Interesting

      I divide my passwords up by classification:

      1) The ones I deal with on a daily basis. These number in the range of about 1 dozen, but are still easily rememberable. Length varies from 12-30 characters, includes digits, mixed-case and is comprised of multiple words. Memorable, typeable, and fairly secure. Some of the longer ones are 40-80 characters in length, but they are ones that I only use when booting up the laptop every few weeks. I use them all frequently enough that they're memorable (although I still back them up in a GPG-protected file).

      2) The ones that I let the web browser remember. Such as forum passwords. Since I use a laptop that I keep secure, I'm not terribly worried about letting the web browser remember these. Those passwords are generated by a random algorithm and are usually 20-40 characters in length with random caps and symbols inserted into the middle / ends / beginning. I keep track of these by placing them in a text file prior to encrypting the contents of the text file with my GPG key. If I ever need to look them up, I open the text file, copy the contents to the clipboard and decrypt it.

      3) Other seldom used passwords. These are almost all randomly generated (30+ characters with random symbols, digits and caps). Again, I simply store them in plain text files where the contents of the file is a GPG encryption block. To get at the password, I copy the contents into the clipboard, decrypt and there I have it.

      The plain text file with GPG encrypted contents works well for many reasons. It's backup-friendly (I could even put the contents into source code control), I can e-mail the blocks to myself on other machines without worries or I can make backups of all of my passwords by mailing them to a webmail account. I can set up the contents of the file to be readable by my co-workers for cases where multiple of us need access to the password.

      --
      Wolde you bothe eate your cake, and have your cake?
    10. Re:Well, this is a classic dilemma by tyldis · · Score: 1

      > Myself, I use muscle memory to store mine. I make up an entirely random password
      > and spend 20 minutes typing it over and over again until my hands remember how to
      > make that sequence of twitches. Works great; and no risk of me accidentally telling
      > someone my password because I don't know what it is.

      I do the same. My password is about 20 random characters.
      The best part is that when you are drunk your hands refuse to type it correctly, and you can't type it slowly since that breaks the rhythm.

      I believe that has saved myself and my employer tons of work.

    11. Re:Well, this is a classic dilemma by biglig2 · · Score: 1

      Sorry, I was using purse in the UK English sense, not the US English sense. We say handbag where you say purse, and we say purse where you say... I don't know actually what you say.
      In UK English, a purse is literally "a bag for holding coins"; more practically these days a woman's purse is a large wallet that has a coin holding compartment. Wallet is optimised for people with trouser pockets; purse is optimised for people with bags.

      Anyhow, what I mean is, keep the password in the same place as your credit cards, ID card, paper money.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    12. Re:Well, this is a classic dilemma by biglig2 · · Score: 1

      I guess it's all in the choice of paper. Or you could invest in a credit-card sized laminator, they're fun.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    13. Re:Well, this is a classic dilemma by biglig2 · · Score: 1

      The muscle memory one is not so good if you have lots of passwords, of course; in that case.

      I have three, and manage without a card - my password, my root password, and an insecure password I use on web sites etc. where I won't lose any critical data (and where obviously I don't want the web site to have my real password). Oh, and a variant on my insecure password for sites that have more complex password rules than my insecure password meets.

      Of course, this means that CmdrTaco could hijack my Flickr account, but I'm prepared to live with that risk.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    14. Re:Well, this is a classic dilemma by Alioth · · Score: 1

      Muscle memory is great until you go on a trip to France, and at the internet cafe are greeted by an AZERTY keyboard!

    15. Re:Well, this is a classic dilemma by ntshma · · Score: 0

      "Paper left in a wallet tends to become crumbly and perhaps ultimately unreadable. " !? What the hell do you do with your wallet??

    16. Re:Well, this is a classic dilemma by takshaka · · Score: 1

      A bag for holding coins is a change purse. If the change purse is of sufficient size or is used to carry standard female paraphernalia, then the change is dropped.

      We use purse, handbag, and pocketbook pretty much interchangeably to mean "that thing in which women keep their lipstick." By we, of course, I mean men. Women have all sorts of words for handbag, like Eskimos for snow. We don't understand these words.

      The thing a man carries in his back pocket may be called a wallet, billfold, or pocketbook.

    17. Re:Well, this is a classic dilemma by biglig2 · · Score: 1

      Ah, I am responsible for IT systems in a large number of countries, so all my passwords are chosen to only include characters that are in the same position on every language of keyboard.

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    18. Re:Well, this is a classic dilemma by raju1kabir · · Score: 1
      Sorry, I was using purse in the UK English sense, not the US English sense. We say handbag where you say purse, and we say purse where you say... I don't know actually what you say. In UK English, a purse is literally "a bag for holding coins"; more practically these days a woman's purse is a large wallet that has a coin holding compartment. Wallet is optimised for people with trouser pockets; purse is optimised for people with bags.

      In the US they say "purse" when they mean "vagina", so be careful with that one. The Yank word for a small coin bag is "bum". The thing that men carry their money inside, which you call a "wallet", in the US is called a "pants fanny". Hope that's helpful.

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  8. Never assume your company won't be targeted. by Subacultcha · · Score: 2, Insightful

    Every company has some information that needs to be secure. With a network, you're only as secure as the weakest link--one machine is all it takes for someone to infiltrate it.

    While your company's password policy is much more stringent than my company's, it doesn't sound too paranoid at all. As far as remembering the password, you should write it down and carry it with you if you're having trouble remembering it. It should only take a couple days of logging in before you have it down, so then make sure you destroy the paper it's written on.

    The thing is, you really need to worry about someone hacking your password remotely and a simple password of only lower-case letters and maybe some digits is a heck of a lot quicker to hack than mixed upper/lowercase, digits, and symbols. If someone got the piece of paper in your wallet, they probably would also get your keycard into your office, too. Once they had physical entry into your office, the password wouldn't be that big a deal. They could just steal your data drive and take all the time in the world to hack into it.

    1. Re:Never assume your company won't be targeted. by vldragon · · Score: 3, Insightful

      In all reality the long password idea is great. However once you have a 16 digit password it no longer really matters if you mix it with numbers and special characters. This is from an article on password myths: "Now consider this password: SeandialVickyandhorusbloomkendallWyoming. It is not complex by any measure. It contains only two character types and all of the components are words. They are, in fact, words picked from the Microsoft password strength checker's dictionary, which includes 2,254 words. There are 40 characters in this password. The character set those characters are chosen from consist of uppercase and lowercase English characters, or 52 characters in total. That means there are a total of 4.45×10^68 1 to 40-character passwords possible from that character set. If you use a brute force attack and you can guess 600 passwords per second, it will take you 1.63×10^58 years to guess this password. But you may have captured a connection to a server and have the challenge-response sequence to crack it. In this case it will take you only 1.30×10^54 years, assuming you are a nation-state and have access to nearly unlimited computing power." Also having to change the password every month is a terrible idea as others have described and is completely unneeded. With proper audit tools administrators should be able to tell if a user is logging in at odd times or in odd ways. If this is seen then someone most likely has this person's account information; however if this is not the case then making this person change their password every month only makes him change a secure password.

      --
      Eating the brains of your enemies does not make you smarter. But it's still fun.
    2. Re:Never assume your company won't be targeted. by Todd+Knarr · · Score: 1

      I'd argue that. Nowadays it's pretty hard to crack the corporate firewall to be able to attack the machines you could try a password attack on, and moderately risky to get physical access to the building and the network wiring. It's dead easy, though, to e-mail a trojan or other malware masquerading as some suitably-attractive bait (new screensaver, porn, etc.) and count on at least a few people in the company getting bit by it. Note that that malware doesn't need to crack your password, it's already logged in and running as you and Windows will happily present your credentials whenever "you" try to access a machine.

      IMHO passwords are far from the weakest link anymore. You want some rules to prevent the obviously-stupid passwords but basic complexity rules (eg. at least 6 characters, at least two of upper-case, lower-case and numbers, no dictionary words, can't repeat the last 2 passwords) along with a 4- to 6-month change interval should keep password cracking from being a serious problem. Aside from some special cases (eg. Windows LANMAN hashes, offline cracking of Unix passwd files), the days of password cracking are over.

    3. Re:Never assume your company won't be targeted. by Lemmeoutada+Collecti · · Score: 2, Insightful

      Every time I see someone go over rules like your suggestion, I wonder why everyone suggests to limit the keyspace and provide a clear logic for attack? Correct me if I'm wrong, but it seems that those rules (easily learned through minimal social engineering) would make it easier to crack, despite the length minimums. For example:

      Given a 6 character password from that scheme, I know the following always holds true:
      Minimum of 1/3 of the password is uppercase, dictionary attacks are weak, limiting to non dictionary words means that users will most likely not use a symbol.

      So I have a good chance using a list of names, months, and years against them and finding at least one match. More than likely several users are using the initial capital form of a family member's name and a month or year from a birthday as a password.

      The thing I have a hard time grasping with all of this is why? No matter what the complexity rules, no matter how often the changes, it still relies on a single point of failure. And then there are all the shortsighted corporate rules, like not allowing connections to the company data source without a user password, which means someone somewhere has saved that password in a Microsoft Access or Excel file.

      And the most fun thought is that no matter how secure your system is, no matter how well you lock everything from the wireless to the terminals down, some person is going to e-mail confidential data outside the company, and blow the whole door wide open. Even the military cannot 100% prevent that, and they are about as paranoid as possible about leaks.

      --

      You can have it fast, accurate, or pretty. Pick any 2.
    4. Re:Never assume your company won't be targeted. by Todd+Knarr · · Score: 1

      I think you misunderstood the character-class rules. They're speaking about how many classes of characters have to appear in the password, not how many characters of each class. Essentially a password has to be either mixed-case or mixed letters and numbers, but it does not have to have any particular number of upper-case, lower-case or digits. It can also be based on a dictionary word, it just can't be only a dictionary word (ie. "dictionary" is illegal but "dict10nary" or "dict1ionary" are acceptable). That limits the search space in some sense, but it does so by forcing the password into a much larger search space (the set of dictionary words with 1 or more digits inserted at one or more points in the word is orders of magnitude larger than the set of plain dictionary words). This takes advantage of the fact that not all search spaces are equal, some are much harder to search than others.

      And as I said, most attacks won't be on passwords. The idea here isn't to make passwords highly secure, since attackers probably aren't going to bother cracking them. The idea is just to keep them from being trivial to crack, so the casual kiddie trying the obvious things won't get in, while letting them be easy enough to remember that people won't have too many problems with the change interval or with remembering passwords for multiple systems. This frees admin and user attention for more probable vulnerabilities, eg. "You know that e-mail that promises you Jada Pinkett-Smith and Lucy Liu porn if you just open that executable? Well, they're lying. ".

  9. Picture, picture on the wall. by Anonymous Coward · · Score: 2, Interesting
  10. unlikely by hrbrmstr · · Score: 2, Insightful

    "16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string"

    this is an exaggeration. I can believe 8-character password every 45 days that cannot be the same as any of the previous 6, but there's no way that the stated requirements are correct. every user would have sticky notes on the bottom of their keyboard or phone or on their laptops in order to remember their password.

    no real enterprise security shop would condone such a moronic password policy.

    if a company were that paranoid, they'd have invested in PKI or use SecurID.

    tell us what the real requirements are and maybe we can offer some concrete suggestions.

    --
    Mind the gap...
    1. Re:unlikely by 19thNervousBreakdown · · Score: 4, Interesting

      In my job, I talk to network administrators very frequently while supporting our software. Generally the problem is, our product's default password doesn't meet their complexity requirements. The solution is simple, I ask them what their requirements are and make one up that meets them.

      Those requirements are absolutely not unlikely. I run into requirements at least as idiotic about once a month. Some of the stuff I've heard, I didn't even think it was possible to create a password that met them, and they had to be changed once a month. I've also run into stuff that probably reduces the keyspace (requiring 2 numbers, 2 special characters, 2 upper, 2 lower tells you a lot about every password when minimum length is 8). That one also had to be changed monthly.

      These requirements are for ... well, I'm not going to even say what type of company that last particular one was in order to protect my job, but trust me, you'd be very surprised, and probably upset. The fact is, the type of critical thinker that can actually come up with a good password policy is somehow a rare person, even in IT. Since the people doing the hiring generally have no idea how to interview, you'll find that person with almost perfect random distribution at small and large companies, government offices, schools, banks, consultants, mom-n-pop stores, you name it. It's a sad, sad situation.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    2. Re:unlikely by sconeu · · Score: 1

      no real enterprise security shop would condone such a moronic password policy.

      Never underestimate the power of human stupidity. Or corporate stupidity, for that matter.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:unlikely by BlueWomble · · Score: 1

      That would require 192 unique characters to be used in continuous rotation.

      Sounds more than just unlikely.

    4. Re:unlikely by Anonymous Coward · · Score: 0
      It could be that you can't repeat characters in the same position... so something like this would meet the rules:
      AB!DEfgh.jk12345
      B!DEfgh.jk12345A
      !DEfgh.jk12345AB
      DEfgh.jk12345AB!
      Efgh.jk12345AB!D
      ...
    5. Re:unlikely by hrbrmstr · · Score: 1

      this is one of the few times i wish posters could mod, cuz that succinct analysis should be bumped way up.

      --
      Mind the gap...
    6. Re:unlikely by Anonymous Coward · · Score: 0

      no real enterprise security shop would condone such a moronic password policy.

      Must be nice to have no corporate work experience. You made me laugh out loud.

    7. Re:unlikely by knisa · · Score: 1

      My company is close, and it wouldn't surprise me if they decided to ramp up the requirements...

      Classes:
      lower case letters
      upper case letters
      numbers
      symbols

      The password has to have eight characters, three of the above four classes, can't contain your name, username, or any part thereof.

      You should hear our users whine, even though they could have pretty easy passwords if they stopped to think...

      Password1
      Pass1234
      password!
      Ilikecheese!

      I have a few base passwords, and most systems use a variant of them. Over time, my most secure password rotates to my second most secure password, and so on down the line.

      --
      This space for rent.
    8. Re:unlikely by hrbrmstr · · Score: 1

      ours is the same and i think it might be the whining of our users that you hear *:^)

      we have been looking @ PKI-based login (via USB tokens) for quite some time, but they whine about those things as well.

      our users would probably prefer some type of biometric solution, but the only one i'd let them use would be one where they have to give a tissue sample each time they need to authenticate. after enough logins, no more users... problem. solved.

      --
      Mind the gap...
  11. Depending upon the system, that's sufficient. by khasim · · Score: 5, Informative

    The key is not how complex you can make a password.

    The key is how will an attacker defeat it.

    So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

    Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

    As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

    And WordNumberWord is not that difficult to remember.

    Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.

    1. Re:Depending upon the system, that's sufficient. by jafac · · Score: 1

      That's only a real problem if your lockout has an auto-reset.

      If you're configured to lock an account after 3 bad attempts (like most systems I've ever been on), with the only account reset possible being a manual reset with administrator intervention, how can someone guess 3 billion (or whatever) times?

      Well, anyway, in Windows, the SID-500 account (built in Administrator) can't be locked out. So I suppose someone could sit and hack away at that password all day long. Which is probably why it's a good idea to set that password to some impossibly long super-complex string, lock that password away somewhere, and have your admins use non-builtin admin accounts. Or even disable the SID-500 account - (not sure if that's possible either).

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    2. Re:Depending upon the system, that's sufficient. by Joe5678 · · Score: 1
      Well, anyway, in Windows, the SID-500 account (built in Administrator) can't be locked out.

      Not totally true. It can't be locked out for use on a domain controller locally, but for remote access, or access across a network, the lockout policies apply just like any other account. So really it's only a concern if the "bad guys" are sitting down at your domain controller.
    3. Re:Depending upon the system, that's sufficient. by ebh · · Score: 1
      WordNumberWord is not that difficult to remember.

      There are zillions of ways to create passwords that are hard to crack and easy to remember. That's not the problem.

      The problem is when you have to remember lots of them. I have over 300, for the various accounts on the machines I administer, as well as for web sites, ATM PINs, etc. They're on facilities with differing requirements and aging schedules. Lessee, is this the one that requires or forbids special characters? The one that has to be more than eight characters or at most eight? The one I have to change, or the one I'm not permitted to change yet? The one that requires upper and lower case letters or is case-insensitive? Or was it all numeric?

      There's simply no one-size-fits-all way to generate and remember passwords.

      "Your retina scan has expired -- choose a new one"

    4. Re:Depending upon the system, that's sufficient. by Thundersnatch · · Score: 1

      Most challenge-response schemes can be cracked off-line as well, if the initial authentication (including nonce) is intercepted. Microsoft NTLM, Kerberos, HTTP Digest, LDAP, RADIUS, and NIS all share this same vulnerability if the password complexity is low.

      Performing your authentication inside a TLS/SSL session prevents this type of attack, but TLS use is rare for anything other than HTTP and SMTP even though most recent versions of popular authentication systems support it or IPsec in some fashion.

      Of course dictionary attacks are the best initial off-line attack approach after you capture the network packets of an authentication session. But even a completely random 6-character password, for example, would require only about 300 million hash/encrypt operations to crack off-line. This is trivial on modern hardware... perhaps hours of CPU time. A 12-character random password, on the other hand, would require about 2^78 operations, which would take thousands of CPU-years.

      So basically, passwords suck, even with "good" authentication protocols. They're only any good inside encrypted channels, and truly strong passwords are too hard to remember.

    5. Re:Depending upon the system, that's sufficient. by Anonymous Coward · · Score: 0

      Another option of password cracking is to run a few passwords against a number of accounts on the network.
      If the account is locked after 5 incorrect passwords, 4 passwords can be run against the account and if not successful, move to the next account and try the same passwords again...
      This way, an entire organisation's user base can be checked without creating any security alerts...

      An attacker can then come back the next day and start again until they find a password match.

    6. Re:Depending upon the system, that's sufficient. by CastrTroy · · Score: 1

      Here's the answer. If you don't already have a palm pilot, get a cheap one (like the Zire) and download the Palm Keyring. That way you can keep all your passwords in your palm pilot, encrypted, and accessible with one password. It can also generate passwords from 6? to 20 characters in length, and with various symbols and other criteria to meet your needs.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    7. Re:Depending upon the system, that's sufficient. by ebh · · Score: 1

      I use a much lower-tech solution. I have a credit-card sized address book that I keep in my wallet, in which I describe my logins and passwords in ways only I understand. No actual passwords are written down, so this book would be useless to a thief.

    8. Re:Depending upon the system, that's sufficient. by poizenisXkandee · · Score: 1

      oh i definitely agree. I don't have all that many important accounts but some things that require the credit card number, SSN, etc, are pretty important. And a few of my passwords differ and I understand that other people go through the same thing. Looking at it from a sixteen year old n00b POV, I never realized how important internet security is. A password needs to be something that the user can remember, fits the criteria of whatever place they're making an account for, and something that would be difficult to hack into. Another question is what kind of things are people so desperate to hack into? Major bank accounts sure, but the uberobsessiveness of NeoPets in protecting their users...that is just depressing. They have so much security for it. All over fake points and stuff and pets. Yeah, I love it and use it, but still. Ah, but I digress. There really are only so many ways to make a password. It's just hackers that annoy me.

    9. Re:Depending upon the system, that's sufficient. by Anonymous Coward · · Score: 0

      The three (or whatever) month requirement in companies isn't to prevent it from being brute forced (I hope), its real advantage comes from keeping others from sharing passwords. If you make it inconvenient enough to prevent password sharing by issuing accounts with proper privileges to the proper people, then they won't share passwords. Otherwise they just send out email to their group saying "the password for system foo is now bar".
      It's effectively reverse social engineering.

  12. Easy Solution by Greyfox · · Score: 1
    Request password reset daily. I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems. I have a co-worker who has to request a password reset every time he logs into his bank system. Back when I was working at EDS so many people were requesting a password reset that they started making each department pay for them (Apparently it was billed out at around $30.) Or yeah, you could just write your passwords down on a post-it note stuck under your keyboard...

    A lot of co-workers just rotate through all 8 or 12 iterations of passwords and then restore their original password, as well. Fucktarded password policies decrease security, but you'll never convince management of that fact.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Easy Solution by fish+waffle · · Score: 2, Insightful
      I have 4 or 5 user IDs across a multitude of systems in my company and can never remember the ones I use about once a month or so. Typically I end up having to request a password reset for those systems.

      At my former employment i had at least as many, with the same problem, and much the same solution. Several of my coworkers kept the usual piece of paper in their desk with passwords, and many just kept text files on the system they used most often.

      I complained at one point and was told i should just use the same password everywhere. Sadly, every system had different password requirements, expired at different times, and several had different allowable characters (one was case-insensitive, others had different non-alphanumeric symbols missing or required)---just keeping track of all the systems required a list. I used to get password expiration notices from systems i'd never even logged into.

      A lot of co-workers just rotate through all 8 or 12 iterations of passwords and then restore their original password.

      That was also a solution i used a few times out of frustration. Problem was that around iteration 7 or so i'd lose track and forget some subtle detail of iteration 6, and end up locked out of the system, requiring a reset anyway.

      The end result was:
      • I had a paper list of several old, some current passwords in my desk drawer
      • I gave up on choosing good passwords; abcdef01, increment number as required worked for many, some required rotating the abcdef through a few systematic, obvious and easy-to-guess variations (month names, colours, slightly mangled worked well)
      • Most passwords would eventually require a reset, resulting in a new password to be sent to my manager, then to me, all in clear text through email

      What they were protecting so obsessively through password schemes i'll never know. Guess it worked though, i often couldn't get into the system i needed to get work done.
  13. I could never remember all those passwords.... by Anonymous Coward · · Score: 0
    so I emailed them to my hotmail account (ooh, hope we don't compete with whatever company owns that site); and can access them from my cell phone every time I need to log in at work.
    I would have just written them on a piece of paper on my desk, but their policy is not to -- and nothing in their policy seems to say I can't email them --- after all, they emailed some of them to me.


  14. Passwords Are Not The Problem by nbannerman · · Score: 1

    Password security actually doesn't bother me that much.

    Physical access to systems is a much more pressing concern. I work in a college, and there is no way I'd be able to enforce a strict password scheme in such an environment. Students can't remember a simple password, let alone something designed to beat a determined attacker.

    So, rooms are locked, laptops are secured, and accounts are locked down so that any attacker hacking an account is left with nowhere to go.

    Obviously, I enforce strict password schemes for myself and the rest of the ICT Support team. But for the entire user-base? Sadly, I don't have the time.

  15. My method by Rysc · · Score: 2, Insightful

    I use two complementary password generation schemes:
    (1) I pick a word or pair of words and convert them to 31337. Example: supersecure->sp3rs3cur3. This is 10 chars long, which is Good Enough for a commonly rotated password, easy to remember but hard to guess.
    (2) I choose a phrase, such as a quote I like, and use the whole thing, For a while my root password was: myvoiceismypasswordverifyme. Now, technically that's not very secure because it's all lower case letters. But due to the length the amount of time it would take to crack is quite high. Again, good for a commonly rotated password.

    For added security I use method 2 with method 1. Here's a secure password I no longer use: Iseemt0behavingtremend0usdifficultywithmylifestyle ! (Uppercase I intentional; exclamation point included.)

    You get the idea.

    --
    I want my Cowboyneal
    1. Re:My method by Anonymous Coward · · Score: 0

      Your method is good, but if I don't **force** users to use good passwords, then they never will. I'd be full of '1234abcd' passwords. Here are the rules (enforced):
        - no password can be used within 13 months.
        - must be at least 8 characters long
        - password **must** contain number, letters and mixed case.
        - no more than 3 of the above can occur in a row.
        - no sequence of any 3 is allowed.
        - All requested passwords are checked against telecom, English, Spanish, German, Chinese, and Indian dictionaries.

      'Cba.432#' will work, but 'abC.234#', 'bgT.2006#', and 'mlp8thn!' all fail.
      SecurID works, but tokens only last 3 years. I'd prefer a competing product that lasts 10 years and is **completely** interchangeable with RSA's answer, but haven't been able to convince the rest of the company they really are the same.
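A checker for the rule set in the post above, added here as an example (it is not the poster's code). The post leaves two rules open to interpretation, so the code assumes "in a row" means consecutive characters of one class (letter / digit / symbol) and "sequence of any 3" means three consecutive characters stepping up by one (abc, 234), compared case-insensitively; the language dictionaries are replaced by a small constructed word list and the 13-month history by a constructed (password, months_since_set) list.

```python
"""Password-rule checker reproducing the accept/reject examples given in the post.

Assumptions (not stated in the post): runs are counted per class letter/digit/symbol;
sequences are ascending only, so 'Cba' and '432' pass while 'abC' and '234' fail;
the dictionary check is a constructed substring match against a tiny word list.
"""

CONSTRUCTED_DICTIONARY = frozenset({"password", "telecom", "secret", "apple"})


def _char_class(c: str) -> str:
    if c.isdigit():
        return "digit"
    if c.isalpha():
        return "letter"
    return "symbol"


def longest_class_run(pw: str) -> int:
    """Length of the longest run of consecutive same-class characters."""
    longest = run = 0
    prev = None
    for c in pw:
        cls = _char_class(c)
        run = run + 1 if cls == prev else 1
        prev = cls
        longest = max(longest, run)
    return longest


def has_ascending_sequence(pw: str, length: int = 3) -> bool:
    """True if `length` consecutive characters each step up by one code point
    (abc, 234), checked on the lower-cased password."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        if all(window[j + 1] - window[j] == 1 for j in range(length - 1)):
            return True
    return False


def check_password(pw: str, history=(), dictionary=CONSTRUCTED_DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password is accepted.

    `history` is an iterable of (old_password, months_since_set) pairs (constructed format).
    """
    problems = []
    for old, months in history:
        if old == pw and months < 13:
            problems.append("reused within 13 months")
            break
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if longest_class_run(pw) > 3:
        problems.append("more than 3 characters of one class in a row")
    if has_ascending_sequence(pw):
        problems.append("contains an ascending sequence of 3")
    lowered = pw.lower()
    for word in dictionary:
        # Assumed rule: any dictionary word of 4+ letters appearing inside the password fails it.
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
            break
    return problems


if __name__ == "__main__":
    # The four examples from the post: the first should pass, the rest should fail.
    for candidate in ("Cba.432#", "abC.234#", "bgT.2006#", "mlp8thn!"):
        verdict = check_password(candidate)
        print(candidate, "OK" if not verdict else "; ".join(verdict))
```

Under these assumptions each of the three rejected examples fails a different rule (an ascending 234, four digits in a row, and no uppercase letter), which is what makes the rule set so hard for users to satisfy by feel.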

    2. Re:My method by uniqueUser · · Score: 1

      I have an O'Reilly Java book that has an excellent glossary. Every 30 days or so, I pick a new phrase from the glossary. Since the password changes so often, I have to cheat for the first few days after the change. I write the page number, column number, and word number on my whiteboard as a hint. My last password was '~Applet.destroy()123'

      --
      GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation. Social exper
    3. Re:My method by dkleinsc · · Score: 1

      Iseemt0behavingtremend0usdifficultywithmylifestyle !
      Don't you know how much damage that can cause? Talk like that can ensure that alien species destroy each other, send fleets to the Earth, and get themselves devoured by a small dog!

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:My method by Anonymous Coward · · Score: 0

      "myvoiceismypasswordverifyme..... But due to the length the amount of time it would take to crack is quite high."

      It's a lot easier to read though. If someone watches you while you enter your password, they could miss a lot of the characters but still figure it out. Just like playing wheel of fortune. mvimpvm is just as secure from a search perspective (now that I know your scheme, I would search only valid sentences to get your current password) and is more secure from a visibility perspective, as it doesn't have nearly as much redundant information.

      Translating to 1337 is just stupid. That was a bad idea ten years ago, before 1337 was popular. Now you'd probably be better off leaving it untranslated.

    5. Re:My method by Anonymous Coward · · Score: 0

      Well, if you actually used "myvoiceismypasswordverifyme", that's probably in a cracker dictionary somewhere just because it's from a techie movie. 1337-ified dictionary words are also a target, because it's still faster than trying *every* valid character combination.

      Of course, most people wouldn't go through the trouble of cracking it in any case.

    6. Re:My method by famebait · · Score: 1

      Your method is good, but if I don't **force** users to use good passwords, then they never will.

      How is forcing them to write them on post-its any better?

      --
      sudo ergo sum
  16. What I like by Reality+Master+101 · · Score: 2, Interesting

    Unless there's some flaw that I don't know about, I've always liked the password method where it's two random English words (DoorAsphalt or MessHeave). It's easy to remember, and assuming, say, a 40,000 word dictionary, that gives 1.6 billion combinations.

    --
    Sometimes it's best to just let stupid people be stupid.
    1. Re:What I like by stonecypher · · Score: 1

      That's statistically as secure as a four and one half letter password, assuming 96 usable characters. Does that qualify for a flaw you don't know about?

      --
      StoneCypher is Full of BS
    2. Re:What I like by Reality+Master+101 · · Score: 1

      That's statistically as secure as a four and one half letter password, assuming 96 usable characters. Does that qualify for a flaw you don't know about?

      Yes, that's true. But what is the goal of a password? If it can be that easily defeated with brute-force methods, I suggest that password complexity is just a red herring for bigger flaws in the security system. It should not be possible to feed 1.6 billion combinations of something into a security system without someone noticing.

      If we're talking about, say, an encryption key, then that's a different kettle o' fish. But I suggest that for system-access passwords, this method is fine.

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:What I like by a9db0 · · Score: 1

      I use a similar method on some systems, though I inject a random number in the sequence. Like Door19Asphalt or Mess27Heave. Just avoid using the current month or year, and of course 42.

      And no, none of those work on my slashdot ID.

      --
      -- "Never underestimate the power of human stupidity." - R.A.H.
    4. Re:What I like by localman · · Score: 0, Redundant

      Not quite... the format itself is something you need to know. I don't know how that affects the outcome, but if the cracker doesn't know whether they're using just letters, two English words, capitalizing any letters in the words, adding a symbol between the words... overall I think it's a decent password scheme if the words are chosen randomly (not hand picked) and if you vary them just a little with capitalization, 1337 speak, or a concatenation symbol. Oh, and my dictionary has over 200K words in it too.

      Cheers.

    5. Re:What I like by stonecypher · · Score: 1
      Not quite... the format itself is something you need to know.

      No, it isn't. This is highschool algebra. It doesn't matter what the meanings of those characters are; it's a discrete enumerated set, and that means all you need to know to find the combination list is how many there are.

      For a radix ninety-six password character set, a four-character password has exactly 84,934,656 possible combinations. For five characters, there are instead 8,153,726,976 combinations. The method he uses is equivalent to a two character password with radix forty thousand, which has a possible range of 1,600,000,000, which is in between 96^4 and 96^5. To be specific, his two-word 40k dict scheme is equivalent to a 96 radix password of length 4.6432.

      To be clear, increasing the size of the dictionary doesn't help. Two words in your dictionary have 40,000,000,000 possible results, which is equivalent to a radix 96 password of 5.3484 characters. Still unacceptably weak.

      "But how could that be? 40 billion is a huge number!" No, it isn't. In context the required passwords in the story are 16 characters, and most OSes actually have radix-128 passwords, not 96. Yours is 40 billion space. That scheme is 5.192*10^33-space.

      • 40000000000
      • 5192296858534827628530496329220100


      Pretty big difference in strength, when you get down to it. In order to match, you need seven words (hell, you even need 6 words with the full OED,) and that's assuming that people use words from all over the dictionary - words people don't know and can't spell. Please remember that the average adult only knows 25-30K words; you're not going to see a lot of people's passwords saying "acerose rhabdomancer zythyr coreaur philoblapterer quirit egg." If you're willing to have a password that's seven words, why don't you just use the first three to fill out your 16-letter requirement, then use one letter further on in the sentence each month? I got my 16 off of the first two.

      And then, what about those of us who want actual strong passwords, and are willing to use internal schemes to come up with things like F6hY_n'@1:t-+3bR ? (For reference, I just use a salted MD5 hash run through uuencode against my unchanging password and the first second of the appropriate week as a unix timestamp; I get an unassailable irreversible new password every week, I have the thing running on an old Sega VMU, so it's effectively a one-time pad, and it's easily changed en masse with another tool I wrote.)

      By the way, here's a web version for you (I can't get the uuencode stuff past the character filter, so you get hexadecimal) :

      <?php

          // One week in seconds; the derived password rotates on week boundaries.
          $oneweek = 60 * 60 * 24 * 7;

          // Requested output length in hex characters, defaulting to 16.
          $len = isset($_GET['length']) ? (int) $_GET['length'] : 16;
          if ($len < 1) { die("Requested length must be positive."); }

          // The unchanging secret the user remembers; required.
          if (!isset($_GET['pass'])) { die("Missing 'pass' parameter."); }

          // First second of the current week, counted from the Unix epoch.
          $now = time();
          $firstSecond = $now - ($now % $oneweek);

          // Hash the week timestamp concatenated with the secret.
          $hash = md5($firstSecond . $_GET['pass']);

          // MD5 in hex is 32 characters, so anything longer cannot be served.
          if ($len > strlen($hash)) { die("Requested hash too long for MD5."); } else { echo substr($hash, 0, $len); }

      ?>


      Dictionary keys are a neat idea, but they don't work in practice. People won't use the whole dictionary; if you're lucky they'll use 1/4 of it. 50,000 * 50,000 = not strong enough.
      --
      StoneCypher is Full of BS
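The radix arithmetic in the comment above (two words from a 40,000-word dictionary being equivalent to a 4.6432-character radix-96 password, 200,000 words to 5.3484, and 128^16 being about 5.19*10^33) can be reproduced with a few lines of Python. This is an added worked example, not code from the thread; the one-billion-guesses-per-second rate used for the time-to-exhaust column is a constructed figure for an offline attack on a fast unsalted hash, not a measurement, and the "two words plus a two-digit number" row is the a9db0 variant (Door19Asphalt) added for comparison.

```python
import math

RADIX_PRINTABLE = 96   # printable ASCII, the radix used in the comment above
RADIX_OS = 128         # the "most OSes" figure the comment cites


def search_space(radix, length):
    """Number of candidate strings of `length` symbols drawn from `radix` symbols."""
    return radix ** length


def equivalent_length(space, radix=RADIX_PRINTABLE):
    """Length of a uniformly random password over `radix` symbols with the same space."""
    return math.log(space) / math.log(radix)


def entropy_bits(space):
    """Search space expressed in bits."""
    return math.log2(space)


def exhaust_seconds(space, guesses_per_second):
    """Worst-case seconds to try every candidate at a given guessing rate."""
    return space / guesses_per_second


def compare_schemes(guesses_per_second=1e9):
    """Tabulate the schemes argued over above. The guessing rate is a constructed
    figure for an offline attack on a fast unsalted hash, not a measurement."""
    schemes = {
        "two words, 40k dictionary": 40_000 ** 2,
        "two words + 2-digit number, 40k dictionary": 40_000 ** 2 * 100,
        "two words, 200k dictionary": 200_000 ** 2,
        "16 random chars, radix 96": search_space(RADIX_PRINTABLE, 16),
        "16 random chars, radix 128": search_space(RADIX_OS, 16),
    }
    return {name: {"space": space,
                   "bits": round(entropy_bits(space), 1),
                   "equiv_radix96_length": round(equivalent_length(space), 4),
                   "exhaust_seconds": exhaust_seconds(space, guesses_per_second)}
            for name, space in schemes.items()}


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:44s} {row['bits']:6.1f} bits"
              f"  ~{row['equiv_radix96_length']:.2f} radix-96 chars"
              f"  {row['exhaust_seconds']:.3g} s to exhaust")
```

The point the table makes is the one localman raises further down: the same 40-billion space that falls in seconds offline is perfectly adequate behind an online lockout that only permits a handful of guesses, so the number only means something together with where the guessing happens.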
    6. Re:What I like by localman · · Score: 0, Redundant

      Wait, if it is just a string of characters, a discrete enumerated set, as you say, then why is my password not considered 10 letters strong if it's two concatenated five letter words? To make that leap you're using information that the cracker won't have, namely that I use two English words. Of course, if I advertise that fact you'd be right, but I would never tell anyone ;)

      I understand where you're coming from, from a cryptographic standpoint. But in practice you simply can't enforce passwords to be that good. No really, I've tried. Virtually nobody uses the full 96 character set for their passwords and they're certainly not randomly chosen. So if I use two randomly chosen words from even a simplified dictionary, I think it's better in practice (though not in theory) than what you're saying.

      Furthermore, I'd say that, depending on the application, 40 billion can be far more than enough. In fact, 10,000 is enough for high security in certain applications. Don't believe me? Check out your ATM PIN number. The important bit is that it has a physical key that you lose after three tries.

      Any login system should be set to lock out after a small number of failed attempts, such that the 40 billion possibilities are suitably secure. For things that can be cracked offline you can't rely on such things, so for sure, encryption keys need to be much much larger.

      Cheers.

    7. Re:What I like by stonecypher · · Score: 1

      Wait, if it is just a string of characters, a discrete enumerated set, as you say, then why is my password not considered 10 letters strong if it's two concatenated five letter words? To make that leap you're using information that the cracker won't have, namely that I use two English words.

      In context, the scheme requires all people to use two-word passwords. Therefore it is the size of the dictionary, not what's contained inside, which matters. And, of course, dictionary crackers already do try concatenation attacks, so even if they didn't know it wouldn't help you.

      I understand where you're coming from, from a cryptographic standpoint.

      I really don't think that you do.

      But in practice you simply can't enforce passwords to be that good. No really, I've tried.

      That's funny. I tried and it worked. So did the company which sparked this discussion in the first place. In fact, BSD has this kind of requirement turned on by default, as do applications like Plesk and cpanel.

      In fact, it's quite easy to enforce good passwords. If you'd bothered to read what I said, you'd know how I did it.

      Virtually nobody uses the full 96 character set for their passwords and they're certainly not randomly chosen.

      Yeah, hi. Did you notice the code I pasted? Not only does it use the full radix as demanded, but MD5's particular reason to exist is to create as even as possible a distribution among a bit series.

      So if I use two randomly chosen words from even a simplified dictionary, I think it's better in practice (though not in theory) than what you're saying.

      Yeah, and this is why I think you don't know where I'm coming from. Dictionary crackers have been attacking and breaking your scheme since 1970.

      Furthermore, I'd say that, depending on the application, 40 billion can be far more than enough.

      Yeah, well, a 386 can break a 40-billion-space hash in under five minutes, so it's pretty clear it isn't.

      In fact, 10,000 is enough for high security in certain applications. Don't believe me? Check out your ATM PIN number.

      Yeah, well I'll tell you what. As soon as you have a video camera hovering over your sign-in forms, and are a purely physical object which consumes the ATM card after three faulty tries, I'll start taking you seriously again. The two situations aren't even remotely similar.

      Of course, *my* PIN is actually sixteen digits. Amusingly, your bank will let you use a more secure password if you want to.

      The important bit is that it has a physical key that you lose after three tries.

      Oh, you know about that? Then explain to me how this is parallel to your dictionary scheme. Do you take away the attacker's computer? Or are you still fooling yourself into believing in network identity control?

      Any login system should be set to lock out after a small number of failed attempts, such that the 40 billion possibilities are suitably secure.

      Yeah. How? IP addresses are easily faked, as are MAC addresses. Unless you want to lock out the entire internet every time you're attacked, this is preposterously unrealistic. Try thinking the whole scheme through, before saying "this is what you should do."

      By the same token, you might as well say that down elevators are silly, and we should all just hang-glide back to the street because it's faster and more fun. Once you bother to actually consider the ramifications of what you're saying, you'll find that the plan falls way, way short of realism.

      I am so glad that the security industry has credentials, to keep people like you out. It amazes me how unwilling some people are to admit to themselves their own naïveté.

      --
      StoneCypher is Full of BS
    8. Re:What I like by localman · · Score: 1

      Ah well, good luck then. Most of the things you are railing against here are acceptable standards to the credit card industry for tier1 vendors. But what do they know? I know that my company passes these guidelines. We do use SecurID where needed, but for many things it's not.

      I'm skeptical that the password scheme you're talking about actually works because, you know, people write down difficult passwords. Sure, you can issue everyone a 128 bit hex key and they'll just save it on a sticky or something, and depending on how they handle said sticky you may have trouble. I feel you're confusing the cryptographic and the human side. And you can most certainly lock attacked accounts by IP. Heck, you can lock the account entirely -- we're talking about a single user here. That's a valid response and adequately mimics the behavior (from the crackers' perspective) of revoking the plastic card. Once you know you're under attack (and how) you can come up with a defense that addresses it. I'm sure you'll pick this all apart, but keep in mind we may be talking about different cases. Each case has its own requirements. This scheme works for what I'm doing. Maybe it won't work for what you're doing. I respect that your system's needs may be different.

      It doesn't seem you respect my thoughts on this, which is fine, but I'm not talking out of complete ignorance here. It's part of what I do for a living. I'm not going to bother with any further line-by-line response because most of your replies are based on a reductionist view without taking my whole argument into account. I think that mentality is insecure. Security is not about key size or password strength or any other one thing. It's about coming up with a combined human/machine infrastructure that works to minimize risk. It's exceptionally hard, if not impossible, to do 100% "right", as Bruce S has pointed out.

      Cheers.

  17. My policy by RemovableBait · · Score: 3, Interesting

    I've always found it a total pain to remember passwords for different resources, so I came up (probably stole the idea from someone, too long ago) with a method of using the keyboard as a sort of encoder/decoder. What I do is I have a memorable word or phrase, but I always type in the letters above or below the actual characters. This means I can turn a memorable phrase, say, "slashdot.org", into gibberish, like "woqwye95l94t". (No, that isn't my Slashdot login, so don't even think about it :).)

    I've found that, while you need to think about it at the start, it doesn't take too long before you're used to using it. Of course you can (as I have) obfuscate it even more. For example, you could change the case (upper/lower) on alternate letters, type your memorable word/phrase in backwards, alternate above and below keys, etc.

    Just an idea, real good for the corporate logins... you can easily remember a word or name, and quickly turn it into something the IT Dept. would approve of.

    1. Re:My policy by WuphonsReach · · Score: 1

      Look into using a password safe or keeping seldom-used password / account information in GPG-encrypted text files. That way you only have to remember a core password / passphrase to get at seldom-used secrets.

      For the GPG method, create a new text file for each resource. Open it up in notepad, type in the access information. Then copy the contents to the clipboard and encrypt it before pasting it back into the text file. Now you have a secure secret that you can put anywhere (shared folder, mailed to your home or webmail account, or printed out and left on a desk). Plus it's easy to backup.

      If / when you need access to that secret again, open up the text file and decrypt the contents.

      --
      Wolde you bothe eate your cake, and have your cake?
    2. Re:My policy by Twisted64 · · Score: 1

      An easy idea - install the Dvorak keyboard layout, and a shortcut to change layouts. Whenever you type a password, change to Dvorak. Now you have no idea what your password is, but you can get it back by switching to Dvorak and typing in something simple. Of course, you probably couldn't do this on just any old computer...

      Perhaps this is a bad idea. I wanted to check out Dvorak, and my shortcut is left ctrl + left shift. Now if I tab around, I ogee.bnf .be gl yfcbi a ,drn. nry ru jpalv

      --
      Consciousness is a myth. Trust me.
    3. Re:My policy by Kadin2048 · · Score: 1

      This is a fairly good idea -- assuming you use a good password for the GPG encryption. Because unlike system-access passwords where (assuming it's intelligently built) the attacker would be locked out after a few bad attempts, if they get your encrypted file, they can hammer away at it until the end of time in order to get at what's inside. So that password has to be much more secure than anything inside it.

      Also, if you're going to go the stored-and-encrypted route, there are a number of small shareware type products that do the same thing but store them in a database so they're easier to search through once you accrue a large number of them. Whether or not you'd want to trust a product like that if it wasn't open source is a good question, though. Maybe there is an open-source password database around somewhere.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  18. Re:Character Reuse? by 19thNervousBreakdown · · Score: 1

    Columns.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  19. Easy Solution-Fingers by Anonymous Coward · · Score: 0
  20. The Enterprise by Anonymous Coward · · Score: 0

    I think the password complexity on the Enterprise was very weak. Recall the episode where Data finds the individuals from the 20th century? They started causing havoc because the Enterprise relied more on trust than password protection. One idiot even walked onto the bridge.

  21. Crackability is poorly understood by the clueless. by Anonymous Coward · · Score: 1, Insightful

    I think that people who work with this should work with a password cracker at least once. They generally work by taking in a wordlist (which may contain many things not quite like "words", such as keyboard runs-12345, !@#$%, asdf, etc.) and applying many rules to them (e.g. take two short words and add a number to the end). They also have "brute force" rules that can, say, try every password containing only lowercase letters & numbers. The brute force of lowercase letters + numbers took, for the DES passwords I cracked on an old Pentium 166 MHz (not even a Pentium Pro), about a few days, IIRC.

    So you can see why they want you to have long passwords with a balanced diet from the "four food groups" for passwords (lowercase, UPPERCASE, 1234567890, and #$@$@%). They make you change them because your lazy ass is very likely to reuse the same passwords elsewhere (and yes, the shady porn site operator you registered with might very well have added your username & password for the site to their "word list" as per the above). And they don't let you reuse it because if they discovered it once and added it to their wordlist (this happens by default with crackers like JTR), their rules will certainly find a trivially modified one.

    Of course, that still doesn't fix user-education problems like the lusers who write the password down under the keyboard/monitor/chair/tower/desk or in their desk drawer, etc. Nor the lusers who use unencrypted services and have it sniffed off the wire (or via the spyware they have installed).

    And, naturally, they generally only get to brute force it to begin with if they steal the password's hash somehow. If they're storing unhashed passwords (they'd damn well better not be), the crackability of your password won't matter, save that it shouldn't be guessable.

    So what I'm trying to say here is that, if you want to make your admin happier, generate a long, random phrase, condense it into 12 chars or so with a healthy mix from those food groups, and write it on a card in your wallet (the phrase, not the password). Most people take care of their wallets and the cash inside pretty well. You should do the same with your password instead of complaining.
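The policy rules listed near the top of this page (no sequence of any three characters, every request checked against dictionaries) and the cracker behaviour described in the comment above (word lists plus mangling rules, two-word concatenations, trivially modified reuse) are two sides of the same check. Below is an added example, not code from the thread or from any product mentioned in it, of a policy checker that rejects what a rule-based cracker would find first. The word list is a constructed stand-in, the `UNLEET` table and the keyboard-row runs are my assumptions about what rules a cracker applies, and "sequence" is assumed to mean an ascending run only, because the author says 'Cba.432#' passes their policy.

```python
import string

# Constructed stand-in for the multi-language word lists the policy checks
# against; a deployment would load a real list.
DICTIONARY = {"apple", "door", "asphalt", "mess", "heave", "password",
              "slashdot", "window", "shelf", "drive"}

# Substitutions a rule-based cracker applies to word lists, inverted so the
# checker can undo them ("fr4nk3n" -> "franken"). Assumed table.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})

# Orderings in which three consecutive characters count as a "sequence":
# the alphabet, the digits and the main keyboard rows.
RUNS = (string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm")

SEQUENCE = "ascending sequence of 3"
DICT = "dictionary word(s)"
REUSE = "reused prior password"
SHORT = "shorter than 8"


def has_sequence(pw, n=3):
    """True if any n consecutive characters form an ascending run, case-insensitively.
    Assumption: ascending only, since 'Cba.432#' passes the policy quoted above."""
    low = pw.lower()
    return any(low[i:i + n] in run
               for run in RUNS for i in range(len(low) - n + 1))


def letters_only(s):
    """Lowercase letters of s with everything else dropped."""
    return "".join(c for c in s.lower() if c.isalpha())


def cores(pw):
    """Letter-only forms a cracker would test: as typed and with leet undone."""
    return {letters_only(pw), letters_only(pw.translate(UNLEET))} - {""}


def is_dictionary_based(pw):
    """Matches a single word or a two-word concatenation, with or without leet."""
    for core in cores(pw):
        if core in DICTIONARY:
            return True
        if any(core[:i] in DICTIONARY and core[i:] in DICTIONARY
               for i in range(1, len(core))):
            return True
    return False


def missing_classes(pw):
    """The 'four food groups': lowercase, uppercase, digit, symbol."""
    classes = {"lowercase": str.islower, "uppercase": str.isupper,
               "digit": str.isdigit, "symbol": lambda c: not c.isalnum()}
    return ["missing " + name for name, test in classes.items()
            if not any(test(c) for c in pw)]


def check_password(pw, prior=()):
    """Return the list of policy violations; an empty list means the password passes.
    `prior` holds earlier plaintext candidates for the reuse check."""
    reasons = []
    if len(pw) < 8:
        reasons.append(SHORT)
    reasons.extend(missing_classes(pw))
    if has_sequence(pw):
        reasons.append(SEQUENCE)
    if is_dictionary_based(pw):
        reasons.append(DICT)
    if any(cores(pw) & cores(old) for old in prior):
        reasons.append(REUSE)
    return reasons


if __name__ == "__main__":
    for candidate in ("Cba.432#", "abC.234#", "D00rAsph4lt!", "Apple456"):
        print(candidate, "->", check_password(candidate, prior=["Apple123"]) or "ok")
```

The reuse check compares letter cores rather than the raw strings, which is exactly why "apple123" rotated to "apple456" is rejected: the mangling rules that would recover it from the first password are the same ones this checker applies.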

  22. complex password algorithm by mugnyte · · Score: 1


    Take a simple phrase or word, and apply your own standard cipher.

    I take input (like "frankenfurter") and apply:
        - reverse letters "retrufneknarf"
        - substitute numbers for vowels "r1tr2fn3kn4rf" or "r4tr3fn2kn1rf"

    I can write this original word right on my monitor, or in my wallet, and it still doesn't give my folks enough to hack in quickly. Each time I need a new password, I pick a new input word, but keep the cipher the same.

    Pick your own cipher, but there are lots of standard morphs for words.

  23. Pray tell, how? by stonecypher · · Score: 1

    or -- God forbid -- have a security system that makes sense?

    The first person to suggest a system that both makes sense and is actually secure will be rich overnight. Don't ask for something if you don't know anyone who can provide it, and can't say how yourself. It's like whining that GM hasn't made a car that gets a bujillion miles per gallon and has pretzels for exhaust.

    --
    StoneCypher is Full of BS
    1. Re:Pray tell, how? by Procyon101 · · Score: 1
    2. Re:Pray tell, how? by Dunbal · · Score: 1

      Don't ask for something if you don't know anyone who can provide it, and can't say how yourself.

      That won't get us very far. It's actually need that drives invention, not the other way around. So ask all you want, and maybe one day someone will be clever enough to supply the solution to your problem.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Pray tell, how? by stonecypher · · Score: 1

      Er.

      1) I was telling someone else to not whine that they needed something if they didn't know how. "That won't get us very far." What won't? I didn't propose a plan of action; I was simply pointing out to the parent that they didn't have one. What is your specific criticism?

      2) "It's actually need that drives invention" Nonsense. There are tons of things that drive invention - personal interest gave us the lightbulb before the development of electrification; there was not a need, as homes were successfully gaslit. There's no need for almost any of the bulk of luxury technologies out there; things like massage chairs aren't needed, they just satisfy creature comforts. Dumb luck and bad office cleaning gave us modern antibiotics. Radio was developed to win a bitter argument between Marconi and Jagdish Bose. Video games were developed independently half a dozen times as a hobby on oscilloscopes, mainframes, EDSAC, televisions, and even blinkenlights. Quite a bit of development is purely for profit.

      Need in fact drives relatively little invention. Yes, there are a few dramatic examples, especially during wartime, but the great bulk of human invention does not come from a presupposed desperation. To reduce people's ambitions to the results of happenstance is ridiculously reductionist.

      So ask all you want

      Yeah, I was telling the parent not to ask for things. I haven't actually asked for anything. Did you even read the very short thing I said?

      and maybe one day someone will be clever enough to supply the solution to your problem.

      Actually, I don't see a problem. My employees use mnemonics, and we've all got nice strong passwords. I run an automated password cracker on my own server 24/7, and I put a polaroid of anyone caught with a weak password up in the kitchen.

      Nobody's ever been up there twice.

      --
      StoneCypher is Full of BS
  24. Much more secure than the alternative by stinerman · · Score: 1

    Anyway ... you know what this makes me do? Write it down somewhere. How secure is that?

    If you have an easy to guess password, anyone with an Internet connection is a threat. If you have a hard one (not guessed in one month) and have to write it down, the only people who could log in as you are people with physical access to your piece of paper.

    Yes, you do have a right to complain as that system seems to be a bit overkill, but writing down a hard password is infinitely better than having to use an easy one so you can remember.

  25. My solution by Deagol · · Score: 1

    After getting fed up with trying to think up clever, secure, mnemonic passwords every time an online service forced a change on me, I decided that all new passwords for every account everywhere would be a unique one: "ps waux | md5" ("ps -ef | md5sum" for you linux folk), truncated via cut(1) to whatever maximum password length.

    Next, I create a pgp-encrypted (symmetric -- with a good password) text file with the account info for all my accounts. I email that to my gmail account for online backup and to have it accessible.

    So, for hitting slashdot, I "gpg -d /path/passwords.txt.asc", punch in my password, and cut-n-paste. Not only is this easier than I expected it to be, it's far more secure, as I now have *really* safe passwords for all of the many sites I visit.

    (WTF is up with the first paragraph tag of my posts being eaten?)

    1. Re:My solution by Anonymous Coward · · Score: 0

      Uh...so how do you remember your gpg password?

    2. Re:My solution by Deagol · · Score: 1

      The point is that it's easier to remember 1 good password (on *your* system) than the inane policy set by your employer or 20 different passwords for various web sites.

    3. Re:My solution by Abcd1234 · · Score: 1

      I used to do something very similar until I got my Palm. Now I just use GNU Keyring to store all my passwords, locked up behind a single strong password.

    4. Re:My solution by WuphonsReach · · Score: 1

      I use GPG as well, but I keep each password in a separate text file. That way, even if someone shoulder-surfs me, they can only see a single password.

      Most passwords that I use are randomly generated using a custom script that I wrote (a dictionary of 300k words combined with numbers, caps and symbols).

      --
      Wolde you bothe eate your cake, and have your cake?
    5. Re:My solution by Degrees · · Score: 1

      I really like that program. I also like that I can use Java Keyring to open the file on Windows, and confirm that I'm making a good backup of the database.

      In my ideal world, there would be a port of it to the BlackBerry, as I carry that more than my Palm Pilot nowadays.

      --
      "The most sensible request of government we make is not, "Do something!" But "Quit it!"
  26. Write it down by Wanker · · Score: 3, Insightful

    Write it down somewhere. How secure is that?

    This is surprisingly secure, as long as you write it somewhere safe. Security pioneer Dorothy Denning does this, as do a number of other "security professionals". There are simply too many places a password is needed now to follow good security rules for all of them. The human-factor limitations lead to the obvious conclusions that people must either:
    • write down a password
    • store the password online
    • use the same password lots of different places
    • choose a really simple password

    Writing down a password is safe if nobody can get hold of what it's written on. Storing it online is pretty much just like writing it down, except there are opportunities to make it safer. There's really no safe way to use the same password lots of different places or a really simple password.

    Use a password generator to create some truly horrific 20-character monster and write it down. Keep that paper safe!
  27. how we do it by mnemonic_ · · Score: 1

    At our company, we have a password bank containing 1000 or so english words, like "drive," "window," or "shelf." Users are tasked with choosing one word from the password database to use, then recording it in a text file on their computers. This has been highly effective, especially considering our military contracts which often require security clearances. I suggest this method as an efficient new paradigm of corporate password management. It's a proactive move towards the future of secure computing.

    1. Re:how we do it by Chapter80 · · Score: 1

      Is this just a poor attempt at a joke? Or am I not understanding?

      Your users have a choice of (only) 1000 words to use as a password, and must store it in a text file?

  28. So lets ask a simple question... by spagetti_code · · Score: 2, Insightful

    How many times have banks/people lost money due to weak passwords?
    vs
    How many times have banks/people lost money due to social engineering?

    Forcing people to have crazy passwords may reduce the number of
    times that password is cracked (from near zero to nearer zero).
    But stopping social engineering will have a *far* greater impact -
    because it's actually pretty common for people to hand over their
    passwords and account details to Nigerians or email from PayPal.

    So it's not about the size of your password. For example: PIN codes
    are pretty secure, but they are only 4 digits. The reason: You need the card
    and you get 3 tries before the card is swallowed. 16 digit pins with
    alphanumerics would *reduce* the security because many people will write
    their pin on their card or keep it with their card.

    For a bank - any simple 8 letter word will do for a password. A bank just needs
    to be sure you can't have more than 3 tries before your account is locked
    out.

    And that holds true for any authentication system.
    Lock your users out (so they have to come to you) after 3 tries.

    1. Re:So lets ask a simple question... by Incongruity · · Score: 1

      And that holds true for any authentication system. Lock your users out (so they have to come to you) after 3 tries.

      Yes, but this then EASILY enables a denial of service attack. If I don't want you to be able to log in, all I need to do is fail to enter your password 3 times. That's why the temporary lock-out and active monitoring is a good thing (tm). -inco

    2. Re:So lets ask a simple question... by David_W · · Score: 1

      Lock your users out (so they have to come to you) after 3 tries.

      I agree with this general principle, but you have to be careful: This can easily turn into a Denial of Service situation. Anyone who'd like to lock out your account just has to fake three logins and you're stuck until you get an admin to unlock you. (This can get rather bad if the admins are swamped, or not available at the time you try to access the system.) I tend to prefer time-limited lockouts, or possibly a system where once you are locked out, you have to go elsewhere and enter a really long passphrase to unlock it (and then still enter your normal password to get in).

    3. Re:So lets ask a simple question... by spagetti_code · · Score: 1

      You have a good point - A timed lockout is required to stop
      brute force, but won't hinder a user (who needs to wait 60 seconds after
      every 3 tries).

      However that won't stop a DoS on an account. If DoS is the goal,
      the hacker has a process that keeps entering your ID with a bad
      password. Probably a better solution there is after 10 bad tries -
      lock that IP out for an hour.

      Anyone dealing with this? How are you doing it?
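The lockout design argued through in this sub-thread (a short per-account pause after three failures so brute force is throttled but a spoofed failure can only cost a legitimate user a minute, plus a longer per-IP block after ten failures so a process hammering one account gets cut off) can be written down as a small state machine. This is an added example to answer the "how are you doing it?" question, not code from the thread or from any product; the limits are the numbers the thread proposes, the sliding window and the injectable clock are my design choices, and the IP addresses in the simulations are constructed documentation addresses.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Per-account temporary pause plus per-IP block, with failure counts kept
    in a sliding window so old failures age out instead of accumulating forever."""

    def __init__(self, clock, account_limit=3, account_pause=60,
                 ip_limit=10, ip_block=3600, window=3600):
        self.clock = clock            # callable returning seconds; injected for testing
        self.window = window          # seconds a failure stays on the books
        self.rules = {"account": (account_limit, account_pause),
                      "ip": (ip_limit, ip_block)}
        self.failures = {"account": defaultdict(deque), "ip": defaultdict(deque)}
        self.blocked_until = {"account": {}, "ip": {}}

    def _is_blocked(self, kind, key, now):
        return self.blocked_until[kind].get(key, 0) > now

    def _record_failure(self, kind, key, now):
        limit, duration = self.rules[kind]
        dq = self.failures[kind][key]
        dq.append(now)
        while dq and now - dq[0] > self.window:   # age out old failures
            dq.popleft()
        if len(dq) >= limit:
            self.blocked_until[kind][key] = now + duration
            dq.clear()

    def attempt(self, account, ip, password_ok):
        """Outcome of one login attempt: 'success', 'failed', 'account_paused'
        or 'ip_blocked'. Attempts against a paused account are not evaluated,
        but they still count against the source IP, which is what eventually
        stops a DoS process that keeps feeding one account bad passwords."""
        now = self.clock()
        if self._is_blocked("ip", ip, now):
            return "ip_blocked"
        if self._is_blocked("account", account, now):
            self._record_failure("ip", ip, now)
            return "account_paused"
        if password_ok:
            self.failures["account"][account].clear()
            return "success"
        self._record_failure("account", account, now)
        self._record_failure("ip", ip, now)
        return "failed"


def simulate_brute_force(attempts=12):
    """One IP sends a wrong password for one account once per second (constructed)."""
    t = [0]
    guard = LoginGuard(clock=lambda: t[0])
    results = []
    for _ in range(attempts):
        results.append(guard.attempt("alice", "203.0.113.9", False))
        t[0] += 1
    return results


def simulate_dos_against_user():
    """An attacker spends three failures on alice's account; the real user then
    tries with the right password during the pause and again after it (constructed)."""
    t = [0]
    guard = LoginGuard(clock=lambda: t[0])
    attacker, user = "203.0.113.9", "198.51.100.7"
    for _ in range(3):
        guard.attempt("alice", attacker, False)
        t[0] += 1
    t[0] = 10
    during_pause = guard.attempt("alice", user, True)
    t[0] = 70
    after_pause = guard.attempt("alice", user, True)
    return during_pause, after_pause


if __name__ == "__main__":
    print(simulate_brute_force())
    print(simulate_dos_against_user())
```

The trade-off the thread identifies is visible in the two simulations: the brute-force process gets three real guesses, then seven rejected ones, then loses its IP for an hour; the legitimate user pays for the attacker's three failures with one failed login at second 10 and is back in at second 70, without an admin having to unlock anything.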

    4. Re:So lets ask a simple question... by dknj · · Score: 1

      For example: PIN codes
      are pretty secure, but they are only 4 digits.


      Incorrect. Go and call your bank

    5. Re:So lets ask a simple question... by Achromatic1978 · · Score: 1

      Incorrect, yes, but for all intents and purposes, correct.

      If you want to be able to use an ATM anywhere in the world, you'd better have 6, or even better, 4 digits in your PIN.

      I travelled to France, intending to just withdraw cash, rather than deal with exchange houses, etc... machine would not accept my PIN because it had 7 digits, and their machines could only handle 6.

      An inconvenience in my situation, but had potential to be a serious problem.

    6. Re:So lets ask a simple question... by m-wielgo · · Score: 2, Interesting

      Most ATM machines I've used actually take your card (for shredding) if you have 5 invalid attempts. I had it happen to me when I typed in the wrong PIN (confused with another card) and the machine didn't give it back to me..

  29. At one company we used passwords you dare not say by Alpha27 · · Score: 1

    One time our CEO was in a meeting with clients, and she had to tell them the password so they could access a page on our website. She told me she was embarrassed having to tell them the password was "nachomama".

    She was lucky she didn't use the other password "sofakingwetodddid".

    That's how you ensure your passwords don't get around.

  30. I hear this ALL the time... by The+Last+Gunslinger · · Score: 1

    From my customers, and it's a very valid complaint.

    My big blue employer sells a nifty little piece of client software that not only creates and stores these random-assed passwords for you, it also plugs them in with your username when apps/sites prompt you for them. It's a clever little product, but my only complaint with it is that it's for Windoze only, and I've been running a Linux desktop for quite some time now.

  31. Stop using static passwords by Morty · · Score: 1

    Two-factor authentication has been recommended over passwords for quite some time. And with good reason: passwords are static. Draconian password policies are intended to prevent password guessing, but when a password can somehow be intercepted without guessing, the password can be trivially replayed. Passwords often can be intercepted in other ways; anyone who has ever had a trojan or virus on a PC could potentially have lost every password accessed from the PC. Viruses and trojans can install a keystroke logger, so even a randomly-generated 500-character password can be intercepted. Similarly, if you use the same password on more than one system, and one system is compromised, the compromise can be leveraged to attack other systems. In the real world, passwords are bad. Policies like the one described above are somewhat inane attempts to work around the problem with password guessability, but they cannot solve the other inherent problems of passwords.

    Then combine this with the fact that humans themselves are a weak point in any password scheme. If you require letters and numbers, people will try to use words and numbers that are meaningful to them -- names and birthdays, for example -- even if the policies forbid them. Or they will write passwords down and tape them to their monitors, or under their keyboards, or inside a desk drawer. Or they will give away their passwords for chocolate (http://news.bbc.co.uk/1/hi/technology/3639679.stm).

    Two-factor systems work around the "replay" problem. They are not perfect because they are still subject to session hijacking. And they cost more money to implement -- you need to buy extra hardware. But they beat passwords any day.

    One-time passwords are another solution to some of the problems, but IME, are harder for users to deal with.

  32. what threat? by pobudz · · Score: 1

    Since when are passwords an issue? Who needs a password when the idiot leaves his computer unlocked? I work in a call center environment and it's standard practice (and openly accepted and promoted by supervisors) to create chaos for those who leave their computers unlocked. I'm talking adjusting regional settings, reversing mouse buttons, lowering mouse sensitivity to the lowest possible value, customizing appearance so EVERYTHING is the same color... a good 30 minutes to fix... less if you can navigate Windows blindfolded. With the number of people relying on IE/FF to save passwords and forms... leave that terminal open and I can pretty much view and navigate to what I want by opening IE/FF and browsing through the history.

  33. hidden vulnerabilities by J.J. · · Score: 3, Informative
    1. Are you in a Windows domain?
      • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash set to 1?
      • if no, then your password is:
        • converted to uppercase,
        • truncated to 14 characters
        • stored in two seven-character halves that may be bruted independently -- a single 2GHz system can brute the entire keyspace in about 90 days.

      • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash. resources to crack in a reasonable timeframe are significant.
      • either way, the complexity of your hash is actually irrelevant:
        • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy to authenticate with the hash, vice the password. w00t.
        • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump, given administrator credentials
        • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.


    2. not in a windows domain? I'm not qualified to answer.


    so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin gets kudos. because of course, if user convenience decreased, security obviously increased. yay.

    what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.

  34. dollar password by illuminatedwax · · Score: 1

    You should keep a dollar folded up in a safe place in your wallet, and just use the serial number on it as your password.

    --
    Did you ever notice that *nix doesn't even cover Linux?
    1. Re:dollar password by Anonymous Coward · · Score: 0

      You should keep a dollar folded up in a safe place in your wallet, and just use the serial number on it as your password.

      I tried that, but was socially engineered into giving it up for a plate of nachos and a beer.

    2. Re:dollar password by illuminatedwax · · Score: 1

      Shit, where can I get a beer and nachos for a dollar???

      --
      Did you ever notice that *nix doesn't even cover Linux?
  35. Alternative password expiry schemes by Neoncow · · Score: 1

    Most people have responded with their experiences in keeping track of their passwords, but I was wondering if it would be possible to implement a system where the password expiry would be based on the complexity of your password. So when you enter your password, the system could analyse the length, number of repeated characters, digits, and symbols. Then with the complexity, it could calculate the expiry time. So people who have passwords of length 8-12 would have to change their passwords every month, those who have 20+ length passwords could keep theirs for 6 months (depending on how you calculate the complexity). This way people could 'buy' a longer expiry time by adding symbols or length.

    My personal favorite way of generating secure passwords is to use a Passphrase. You can use Diceware to generate some passphrases for you http://world.std.com/~reinhold/diceware.html and it also has instructions for adding symbols/numbers to the passphrase.

    Other slashdotters have mentioned Password Safe by Bruce Schneier. I strongly recommend this as well. I keep a copy of these at home encrypted using my master passphrase just in case I forget them.

    1. Re:Alternative password expiry schemes by Chapter80 · · Score: 1
      Interesting thought. But the idea of password expiry is not just to reduce the available time to crack. It's to limit the damage if the password has been compromised. If we change passwords every 90 days then a bad guy only has 90 days to do some damage.

      A talented bad guy would install a back door within that time window, though.

    2. Re:Alternative password expiry schemes by WuphonsReach · · Score: 1

      Most people have responded with their experiences in keeping track of their passwords, but I was wondering if it would be possible to implement a system where the password expiry would be based on the complexity of your password.

      And as an attacker, if I could find out this information (knowing which accounts expire frequently), that would tell me which accounts to attack (due to having less complex passwords). Not outside the realm of possibility, however unlikely, and it provides information on the password.

      (A similar concept is the old Lotus Notes login screen. Instead of displaying a single '*' for each character typed, it would display a random number of '*'s. That made it more difficult for a shoulder surfer to see how many characters were in the passphrase at a glance. Note: It was still possible to listen to the keyboard or, worse, watch the operator's hands or shoulder movements.)

      --
      Wolde you bothe eate your cake, and have your cake?
    3. Re:Alternative password expiry schemes by lucaq99 · · Score: 1

      Old Lotus Notes?! It is still like this, I use Notes at work and that is one of the first things that I noticed, was the random number of hashes it placed on the screen as I was entering my password.

  36. Where it started... by Anonymous Coward · · Score: 0

    Yeah, we have similar requirements in the place I work. How it began is a tale similar to how the pile of sh*t became a growth promoting product that has a pleasant smell.

    Passwords can be easily guessable. In many cases you can brute-force accounts if given enough time and access. This works more often than you'd think because many accounts are not attempt limited and people tend to use simple passwords.

    Simple passwords? By this I mean common words, spouses names, team names. In places that force periodic changes of the password, use the month followed by a number, etc.. But if you lock the account after three failures then that helps to limit that threat. But what people hear is that common words are guessable so these are disallowed.

    But then, someone could get their hands on the password file (i.e., /etc/shadow or /etc/passwd or some other hash database). Many of these are still crypt'ed, which is pretty trivial to break. That's the reality. But what people hear is that crypt is just a certain bit length and that's trivial to break. So maybe they specify that passwords need to be longer. This doesn't change the bit length of the hash, nor does it really help security, but people think it does. Why? Well, when you hash a 5 letter password or a 10 letter password it will still generate an x-bit length hash. The misconception is based on the assumption that a password cracker will first try "aaaaa", then "aaaab" then "aaaac" or some variation of a rote search. A shorter password will then be found sooner than a longer one. In reality what happens is that all possible passwords are pre-hashed in a dictionary. So say someone gets a hold of the password hash file. It doesn't contain the password per se, but you can use the dictionary and lookup the hash and with a second or two find a password that generates the appropriate hash (i.e., you don't need the actual password, just a password that hashes to the same value). Solution - don't let the hash table out.

    Then there's this requirement for non-alphabetic characters in the password. When password strengths are calculated (i.e., the number of possible hashes for a given hash length), the first thing that people take into account is the bit-size of the hash. This is often immense. However, most people use a small fraction of the available input variation. I.e., they tend to use all lowercase, no spaces, no punctuation, rarely numbers. And the letter-only passwords tend to follow English letter distributions to a tee (i.e., e used most often, then t, etc.) This makes it super easy to construct a dictionary. Or so you'd think. The truth is that machines are so fast today that the difference in time for coding to use the frequent letters first, versus the infrequent is not worth the time so everything is pre-hashed. But this is somehow lost and we end up enforcing stupid symbol and capitalization requirements. Solution - don't let the hashes out so that people can compare the known hash against the dictionary.

    Then there's a requirement that the new password be significantly different from the old. This came about because people were using buffy01, then buffy02, then buffy03, etc.. People do this because thinking of interesting passwords every month is a nuisance so they developed a system to make it easier. Horrors! It doesn't matter that the buffy01 and buffy02 hashes would look completely different and do not appear in sequence in the hash dictionary. In other words, changing a single character will generate a completely different hash.

    There are tons of other issues, but the point is that enforcing a few select rules is as good as forcing twenty complex ones.
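The precomputed-table attack the post above describes, as an added example (not the poster's code): one table of hashed wordlist entries answers every stolen unsalted hash with a lookup, while a per-user salt stored beside the hash, which crypt(3) does apply and which the post leaves out of its argument, forces a fresh pass over the wordlist for each user. The wordlist, the user table and the fixed salts are constructed for the demo; the counter only makes the cost difference measurable.

```python
import hashlib

# Counter so the two attacks can be compared by hash computations performed.
HASH_CALLS = {"n": 0}


def h(data: bytes) -> str:
    HASH_CALLS["n"] += 1
    return hashlib.sha256(data).hexdigest()


# Constructed for the demo: a tiny wordlist and a stolen password database.
WORDLIST = ["password", "buffy01", "buffy02", "apple123", "nachomama", "letmein", "qwerty"]
USERS = {"alice": "buffy02", "bob": "apple123", "carol": "nachomama", "dave": "letmein"}


def stolen_unsalted():
    """What leaks from a database that stores bare hashes."""
    return {user: h(pw.encode()) for user, pw in USERS.items()}


def stolen_salted():
    """Same passwords, each hashed with its own salt stored beside the hash.
    Salts are fixed per user here for determinism; use os.urandom in practice."""
    out = {}
    for i, (user, pw) in enumerate(USERS.items()):
        salt = bytes([0x10 + i]) * 8
        out[user] = (salt, h(salt + pw.encode()))
    return out


def crack_unsalted(stolen):
    """Hash the wordlist once; every stolen hash is then a dictionary lookup,
    and the table is reusable against the next leak too."""
    table = {h(w.encode()): w for w in WORDLIST}
    return {user: table.get(hv) for user, hv in stolen.items()}


def crack_salted(stolen):
    """The table cannot be reused: each user's salt means re-hashing the
    wordlist from scratch for that user."""
    found = {}
    for user, (salt, hv) in stolen.items():
        for w in WORDLIST:
            if h(salt + w.encode()) == hv:
                found[user] = w
                break
    return found


def compare_work():
    """Return (unsalted hits, hashes spent, salted hits, hashes spent)."""
    u, s = stolen_unsalted(), stolen_salted()
    HASH_CALLS["n"] = 0
    found_u = crack_unsalted(u)
    cost_u = HASH_CALLS["n"]
    HASH_CALLS["n"] = 0
    found_s = crack_salted(s)
    cost_s = HASH_CALLS["n"]
    return found_u, cost_u, found_s, cost_s


if __name__ == "__main__":
    fu, cu, fs, cs = compare_work()
    print(f"unsalted: {len(fu)} recovered with {cu} hash computations")
    print(f"salted:   {len(fs)} recovered with {cs} hash computations")
```

Every weak password is still recovered in both cases; what the salt buys is that the attacker's precomputation stops being amortisable across users and across leaks, which is the same reason "don't let the hashes out" remains the first control and a slow, salted hash the second.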

  37. Long Passwords are Easy by KermodeBear · · Score: 1

    "Long Passwords Are Easy as 1, 2, 3!" There's a good example of an easy to remember 'password'. It's not a word really, it's a phrase, but it is what I use all the time. They're easy to remember ("I HATE THIS STUPID JOB!!11!1"), fairly secure, and pretty buff against brute force attacks. What about something like "This is my Password for 6/1/2006"? I understand where you are coming from, being forced to use a 16 character password is a bit unwieldy, but it's not as bad as you are making it out to be.

    --
    Love sees no species.
  38. Enterprise by LordoftheLemmings · · Score: 1

    Am I the only person who saw the subject and immediately thought Star Trek?

    1. Re:Enterprise by TheNumberless · · Score: 1

      That was a good one. The password turns out to be 11001001. Though one byte is about as non-complex as a password can get.

  39. Securid by cortana · · Score: 1

    Get a bloody SecurID token (or similar) already.

    1. Re:Securid by lucaq99 · · Score: 1

      and how do you propose that I sync this token with Yahoo.com or my company's internal servers if it is not a product that they support?! Yeah, they are nice, but they don't work stand-alone...

      Especially if you are just a lowly worker-bee and you don't make any IT security decisions, and are not in a position to make suggestions, this might not even be an option for you.

      Get a bloody brain already...

  40. The key is lockout. by SatanicPuppy · · Score: 1

    We allow pretty insecure passwords, all things considered. "password,1" would be valid, for instance, because it's longer than 8 characters and has punctuation and a number.

    At the same time, we lock out after three unsuccessful attempts, and we don't allow password reuse for more than 2 years. So while the passwords tend to be on the simple side for the average user, the danger for brute forcing is nonexistent because of the low lockout.

    I myself believe in obscene passwords. "Strong" password validators light up when I'm half done typing it in. But since I can fit the obscene things into my head, that's my privilege.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:The key is lockout. by flooey · · Score: 1

      So while the passwords tend to be on the simple side for the average user, the danger for brute forcing is nonexistent because of the low lockout.

      Assuming, of course, that you've analyzed all of the methods that the password could be used to make sure that they're not vulnerable to offline cracking attempts. Most things (like passwords sent over an SSL connection) are such that offline cracking attempts turn into offline cracking attempts on the underlying encryption, but some things (like WPA passphrases or HTTP digest authentication) are such that the password can be brute forced offline just fine.
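The offline case in the reply above, as an added example (not flooey's code): HTTP Digest authentication per RFC 2617 without qop, where the response is MD5(HA1:nonce:HA2) and everything except the password travels in clear, so one captured exchange lets an attacker test guesses at their own pace regardless of any server lockout. The challenge, the Authorization header and the wordlist are constructed for the demo, not captured traffic; the user and password names are assumptions.

```python
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1:nonce:HA2), where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Minimal parser for `Digest k="v", k2="v2"` (values here contain no commas)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    fields = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip().strip('"')
    return fields


def crack_digest(header: str, method: str, wordlist):
    """Recompute the client's response with each candidate password; no
    further contact with the server is needed, so lockouts never trigger."""
    f = parse_authorization(header)
    for guess in wordlist:
        if digest_response(f["username"], f["realm"], guess, method, f["uri"], f["nonce"]) == f["response"]:
            return guess
    return None


# Constructed sample exchange (not captured traffic): a server nonce and the
# client header for user "mallory", whose password is the weak "apple123".
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI = "/payroll/index.cgi"
_resp = digest_response("mallory", "intranet", "apple123", "GET", URI, NONCE)
CAPTURED_HEADER = (
    f'Digest username="mallory", realm="intranet", nonce="{NONCE}", '
    f'uri="{URI}", response="{_resp}"'
)
WORDLIST = ["password", "letmein", "buffy01", "apple123", "nachomama"]


if __name__ == "__main__":
    print(CAPTURED_HEADER)
    print("recovered:", crack_digest(CAPTURED_HEADER, "GET", WORDLIST))
```

The method is bound into HA2, so the guess must be checked against the request it was captured with; the same capture is useless against a different verb, but the attacker knows the verb from the same packet. The audit point is the one the reply makes: enumerate every place a password is accepted, and for each decide whether a passive observer can turn it into an offline oracle.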

  41. I can one-up you by MightyYar · · Score: 1
    At my company, they have almost the same policy as yours - though not quite as restrictive. Strike one. Once, they had to migrate us all from one email server to another or change some startup script or something, so they called us all up and asked us what our passwords were. Strike two. About a week later, I found an Excel spreadsheet with every user's login name and password on the common "public" fileshare. Strike three...

    Though probably unethical, it was very interesting to see what everyone used as passwords - very reflective of their personalities. Many were things like their children's names followed by "123". In one case, it was a pilot who used names of aircraft like "Cessna" - but most people seemed to take the 123 route in order to satisfy the password filter's insistence on numbers.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  42. What's the deal by Anonymous Coward · · Score: 0

    > What's the deal with passwords in a corporate environment these days?

    There's a good chance it's because of Sarbanes-Oxley (SOX). There were rules about financial fraud that others (seems to be mostly consultants) have used to push for more restrictive password policies.

    An interesting article I found:
    http://blog.seattlepi.nwsource.com/buzz/archives/003950.html

  43. Hashapass! by the_mice · · Score: 2, Interesting

    I've started using what I think is a great way to create what appear to be rather secure passwords that are easy to remember and recoverable (that's a highly qualified statement as I am in no way a security expert). Go to:

    http://www.hashapass.com/

    and enter your "parameter" (e.g. "march2006") and "master password" (e.g. "mysecretpassword") and you get a password (e.g. "K0u4CUXG") generated from the two. Of course you still have to remember the password, but at least if you forget it you can recover it from wherever you are, without having to write it down. It's all local JavaScript on the browser, so there's no network exposure...

    t.

  44. Passwords ... ugh. by Onuma · · Score: 1

    It's much easier to remember your thumb or forefinger than it is to remember a 16+ character alphanumeric/special character password. The military makes us have that type of password also; it can't relate to anything in your name, profile, history, or anywhere else easily accessible.
    Just get a simple fingerprint scanner, and have a primary and a backup print...just in case someone severs or severely damages a finger beyond the point of recognition. They're not overly expensive and they're much more difficult to get around without lopping off the user's finger.
    They make USB, PCI, and other variants that are easy to come by and relatively cheap. Isn't this really the way to go, until retinal scanners become equally inexpensive?

    --
    What else can happen when an unstoppable force collides with an immovable object?
    1. Re:Passwords ... ugh. by Zadaz · · Score: 1

      Please, no, not fingerprints. Sure, you can't lose them, but you can't change them. How is that secure? Just because it's hard to break it today doesn't mean it won't be trivial tomorrow. (See Bic pen vs Kryptonite locks.) Since we're dealing with physical access, it's impossible to determine when that day will come. (Unlike passwords where you can use pretty basic math to figure out how long it will take to brute force it.)

      If someone manages to steal or forge my finger prints, my life is over. I can't ever have access to anything secure again. (If everything was secured with my fingerprint that is.)

      On my systems we have three strikes and out. You get three chances to enter the correct password. After that it locks you out. Either you know the password or you need to go through the recovery process (which involves a timed lockout and a captcha). We don't put too many restrictions on the content of the passwords, and we have very few recoveries. And so far, no unauthorized access. That we know of.

      "Security" is a feeling, not a state.

    2. Re:Passwords ... ugh. by Anonymous Coward · · Score: 0

      How do you prevent replay attacks, either physical or electronic?

  45. I use my Tecra's thumbscanner by mnmn · · Score: 1

    Once you sign up your thumb, you just swipe your thumb and you're logged in. With further swipes, you can make it remember passwords to various websites and the likes.

    So get a complex password, and put it in a piece of paper in your wallet. Then use the thumb device to 'remember' it and just use your thumb. It's faster than typing the password, and breaking it is currently hard (not enough hacker culture knowledge out there to break it quickly).

    My friend spent a little while yesterday trying to break it and failed. I don't know why he even tried.

    IBM has standard PC keyboards with the scanner built in. I'm getting one of those for my desktop, it's addictive!

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:I use my Tecra's thumbscanner by Kadin2048 · · Score: 1

      This has been discussed over and over. Using fingerprints for access may well be an absolutely horrible idea. All somebody has to do is get your fingerprint, and you're hosed. It's all the worst parts of passwords, combined with a biometric that you can't change.

      If you only ever use *your* password scanner, and you know that the thumbprint never goes further than your computer (actually, an intelligent device would hash the thumbprint in hardware before transmitting it over the USB bus), then you might be a little better off, but it's still a huge risk. You only have ten fingerprints: if those were to get compromised, you're SOL.

      That's why I never want to see them in public places like ATMs and whatnot. It would be too easy for an attacker to just put down their own thumbprint scanner next to it, or tap into the data line between the scanner and the machine's CPU and grab everyone's prints. Identity theft made easy.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  46. Forget passwords, use passphrases by patio11 · · Score: 3, Informative

    They're easy to remember and extremely difficult to brute force. Just tell your users "Write a snippet of something which is meaningful to you". We can all type at 30+ words a minute so entering a 30 character password in natural English (perhaps without spaces) goes surprisingly fast. For example, supposing I liked classical literature, I could use socaesarmaythenlesthemayprevent (this is part of Brutus' soliloquy in Act 2 Scene 1 of Julius Caesar, which I had to memorize way back in high school). If you want to be reaaaaally anal you can obfuscate it a bit (l33tify, what have you). There is no convenient dictionary of "meaningful phrases in English" out there, although I suppose it would be somewhat less than secure if someone were able to find out you were, e.g., a Star Trek fan. And they're guaranteed to be easy to remember -- humans are a lot better at remembering natural language they have an emotional connection to than remembering arbitrary alphanumeric strings. In fairness, I stole this tip from a Slashdot discussion about a year back sparked by advice from Microsoft, and have been using ridiculously long passphrases since for all my "if that breaks, I'm "#$"#"#$%ed" logins (I still go with crazy insecure for trivial things like my slashdot login). I've got about 12 of them at the moment and have no problems with remembering them and changing with the security policy, whereas beforehand I had a discreet post-it.

    1. Re:Forget passwords, use passphrases by Anonymous Coward · · Score: 0

      You never make typos?

    2. Re:Forget passwords, use passphrases by djmurdoch · · Score: 1

      That might be a good idea, but there are still various password systems out there that restrict passwords to 8 characters. I found this using ODBC to connect to MySQL, for example.

    3. Re:Forget passwords, use passphrases by Anonymous Coward · · Score: 0

      So google only found about a half million hits of that line.
      There are dictionaries of phrases. They tend to be full of the crud that school kids had to remember.

  47. Overkill by dtfinch · · Score: 1

    People won't brute force your 96 bit passwords, but that doesn't make you secure. I'm betting you have plenty of bigger security problems that have been ignored/overlooked.

  48. Passwords suck by RzUpAnmsCwrds · · Score: 2, Insightful

    Passwords suck. They always have, and they always will. Unlike smartcards, they don't protect against man-in-the-middle attacks. They are easy to forget, easy to guess (in many cases), and, with a bit of social engineering, easy to steal. Many sites (Slashdot included) don't even bother to use SSL for logins. That's just sloppy.

    1. Re:Passwords suck by SplasPood · · Score: 1

      If someone wants my karma, they can have it. :P

  49. Never assume your employees won't be targeted. by Anonymous Coward · · Score: 0

    "Every company has some information that needs to be secure."

    Like the fact that Subacultcha wears a dress.

  50. Make them come to you. by Associate · · Score: 1

    Which is real practical in a 24 hour operation where you work bankers' hours and take a long lunch. And no one on the night shift speaks Hindi.

    --
    Someone hates these cans.
  51. use alternate keyboard layout by okmnji · · Score: 1

    I have a few different password systems, but one I started using more recently involves just using an alternate keyboard layout. That way, I can have a nice, easy password like, say, "MyComputer'sAwesomePassword". Then I type it as if the keyboard was a DVORAK layout. Or, if it's a DVORAK keyboard, type as if it were QWERTY. Throw in a few numbers for good measure, and you got a decent password.

  52. and squirrel noises... by Sarkoon · · Score: 1

    Whenever this topic comes up, I always refer people to this classic Dilbert strip:
      http://pag.csail.mit.edu/~adonovan/dilbert/show.php?day=10&month=09&year=2005/

    -Sarkoon

  53. And if you need symbols... by LoonyMike · · Score: 0
    ... just toss a Shift at some of the digits:

    s1F0bgMaI becomes s!F0bgMaI

  54. It's easier than you think to brute force by Wee · · Score: 1
    It should not be possible to feed 1.6 billion combinations of something into a security system without someone noticing.

    I worked at a place a couple years back that had a dodgy .php script on a web server. And wouldn't you know it, there was a ginormous .htpasswd file sitting in the docroot. And, as luck would have it, some of those passwords were also system passwords (yes, this was against policy, but the terminally obstinate could and would get around the rule).

    Since I don't have access to his hardware, I can't say how easy it was for the cracker to push a few billion letter combinations at that file. But after looking into writing some automated security checking stuff, I can tell you that john the ripper makes quick work of passwords like MessHeave, so I'm not sure he had to examine the entire space. All the "hard to guess" passwords were safe. The two-word combos, words with numbers after them, and some of the 133t-ish ones were pretty much all broken.

    It probably shouldn't be possible to brute force a password attack, but in some cases that can happen. So why trust umpteen other mechanisms to prop up an inherently weak password scheme? There are more points of failure that way for sure.

    It's good to assume every other part of the system is secure, but I think that is (at best) shirking responsibility. Reminds me of that Russian proverb: Trust in God, but keep rowing to shore. It's better to use good passwords to begin with, I think.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

    1. Re:It's easier than you think to brute force by Reality+Master+101 · · Score: 1

      So why trust umpteen other mechansisms to prop up an inherently weak password scheme? There are more points of failure that way for sure.

      Because, as we know, the biggest security flaws are humans themselves. The best passwords are ones that don't have to be written down, and the "better" the password, the more likely it can't be remembered. It seems to me that it's better to not depend on long passwords to hide flaws in your security system, which just creates more flaws in the humans.

      --
      Sometimes it's best to just let stupid people be stupid.
    2. Re:It's easier than you think to brute force by stonecypher · · Score: 1

      Yeah, or you can use simple mnemonics. Believe it or not, people aren't dumb, they're just lazy; if you give them an easy way to be safe, they'll do it. The reason you keep hearing people saying to use the initial letters of a passphrase is that that works very well.

      IatVMoaMMgIIAVaM - Seventeen characters and easily remembered by any theater major (I am the Very Model of a Modern Major General; I've Information Animal, Vegetable and Mineral.) If you're feeling particularly paranoid, enleet every other letter when warranted. I4tVM0aMMgI1AVaM is quite strong.

      And frankly, if you can't remember even one phrase, you're a slouch and there's no saving you.

      --
      StoneCypher is Full of BS
    3. Re:It's easier than you think to brute force by Alan+Shutko · · Score: 1

      Great. You now have ONE PASSWORD you have to use everywhere. It's strong, but since you're using it everywhere, it is now vulnerable.

      Any set of guidelines that only looks at one password is flawed. I have probably 20-30 different passwords for work alone. I have vastly more than that if you count all the accounts I have at different places. Yes, I can remember ONE PHRASE. I can probably even remember 20 phrases. I certainly can't remember 100 phrases and the mapping of which phrase maps to which account. It gets even worse when you add punctuation... do I happen to remember which pauses had commas?

    4. Re:It's easier than you think to brute force by stonecypher · · Score: 1

      Great. You now have ONE PASSWORD you have to use everywhere. It's strong, but since you're using it everywhere, it is now vulnerable.

      Huhu. Maybe nobody let you in on this amusing little fact: there are more than one memorable phrase in the English language. Other candidates include "so long and thanks for all the fish," "we hold these truths to be self evident, that all men are created equal," "the use of words in meaning something other than their literal intention," "neither rain nor snow nor the dark of night shall keep us from our appointed rounds," "four score and seven years ago our forefathers brought forth on this new continent," "oh baby that's too big i have no idea what we're going to do," "dude there's a satellite dish sticking out of your ass," "i'm sorry mario but our princess is in another castle," or "great, now you have one password you have to use everywhere."

      I'm sure with one of those wacky new-fangled security devices - what are they called, library cards? - you'll be able to find others.

      Any set of guidelines that only looks at one password is flawed.

      Luckily, I never said anything about looking at exactly one password. Do not pretend people said things they didn't in order to invent criticisms.

      I certainly can't remember 100 phrases and the mapping of which phrase maps to which account.

      Wow. Who would have ever thought of a mnemonic ... for a mnemonic? Perhaps, for example, you could choose phrases appropriate to the account you're generating passwords for. The mario quote for your video game account, so long and thanks for all the fish on the work machine named zaphod, your email account would be the postal quote, and the one about wang for your gay porn collection, for example.

      It gets even worse when you add punctuation... do I happen to remember which pauses had commas?

      Yeah, so don't add punctuation. Take a look at the example I gave. (That said, if you can't remember the punctuation, your grammar isn't all that great.)

      --
      StoneCypher is Full of BS
  55. No, really. by Anonymous Coward · · Score: 0

    My company has a similar password policy (except for the "cannot compare in any digits" part). It used to be marginally saner but they've recently made it much more anal.

    The funny part is, it's a newspaper. ANYTHING on ANY of the operations computers is either useless or published nationally within 24 hours (except the very rare embargoed material, which has a shelf life of a week or less).

    But that's just to log on to the network. However, you can access our publishing system over the internet, without connecting to the corporate network. On our old publishing package one password was good forever, but I'm not sure about the new (web-accessible) one - it's still quite recent so all you need to log in is a user name (which is invariably the same as the username portion of our e-mail addresses).

  56. I just went through this by Chirs · · Score: 1

    Having just gone through this, I can commiserate. We have to change passwords every 6 months. Here are the criteria:

    at least 8 characters
    both upper and lower case letters
    at least one number or symbol
    can't contain a dictionary word of 4 characters or longer
    none of your last 6 passwords
    not any account name
    no date or year
    no sequentially repeating characters
    no space, editing, field-separator or quote marks
    no letters in forward/reverse alphabetic sequence
    no letters in forward/reverse keyboard pattern
    no dictionary words with "1337" substitutions
    no only numbers or only punctuation

    Try coming up with one of those that's *also* easy to remember and fast to type. It's a pain.
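As an added illustration (not code from the post or any real policy engine), here is a small Python checker that encodes the thirteen rules above. The word list, the forbidden-character set and the 1337 substitution map are constructed assumptions; a real deployment would load a full dictionary. It also shows what a later reply in this thread observes: a predictable password built from a name can still pass every rule.

```python
import re

# Constructed tiny word list; a real deployment would load a full dictionary file.
WORDS = {"password", "apple", "secret", "welcome", "summer", "fits", "here"}
# Crude 1337 -> letter map (assumption): 0->o 1->l 3->e 4->a 5->s 7->t @->a $->s !->i
LEET = str.maketrans("013457@$!", "oleastasi")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
ALPHABET = ("abcdefghijklmnopqrstuvwxyz",)
# "space, editing, field-separator or quote marks" (assumed set)
FORBIDDEN = set(" \t\n\r\"',:;|")

def has_run(s, rows, n=3):
    """True if any n consecutive chars of s lie in one row, forwards or backwards."""
    s = s.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if any(chunk in row or chunk[::-1] in row for row in rows):
            return True
    return False

def contains_word(s, min_len=4):
    low = s.lower()
    return any(len(w) >= min_len and w in low for w in WORDS)

def check_policy(pw, account_names=(), history=()):
    """Return the list of rule violations; an empty list means the password passes."""
    v = []
    if len(pw) < 8: v.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)): v.append("needs upper and lower case")
    if not re.search(r"[^A-Za-z]", pw): v.append("needs a number or symbol")
    if contains_word(pw): v.append("contains a dictionary word")
    if pw in history: v.append("one of the last 6 passwords")
    if any(a and a.lower() in pw.lower() for a in account_names): v.append("contains an account name")
    if re.search(r"(19|20)\d\d|\d{1,2}[/-]\d{1,2}", pw): v.append("contains a date or year")
    if re.search(r"(.)\1", pw): v.append("sequentially repeating characters")
    if FORBIDDEN & set(pw): v.append("forbidden character")
    if has_run(pw, ALPHABET): v.append("alphabetic sequence")
    if has_run(pw, KEYBOARD_ROWS): v.append("keyboard pattern")
    leet = pw.translate(LEET)
    if leet.lower() != pw.lower() and contains_word(leet): v.append("dictionary word with 1337 substitutions")
    if pw.isdigit() or all(not c.isalnum() for c in pw): v.append("only numbers or only punctuation")
    return v
```

`check_policy("P455w0rd!x")` is rejected for the 1337 word and the repeated "55", while `check_policy("FredJonesFredJones123!")` returns no violations unless "fredjones" is passed in `account_names`.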

    1. Re:I just went through this by CortoMaltese · · Score: 1
      Lucky you. At least you know what the criteria are. It is not unusual that there is no documented policy, or if there is one, that it doesn't match the configured policy. Better yet, you might have several accounts with conflicting password policies (e.g. one has min n characters, another max n-1 characters.)

      My idea of a convenient and secure solution is a smart card based USB token with a PIN code. Unfortunately, from the management point of view, forcing employees to memorize 16 character passwords each month appears cheaper than the USB tokens. And of course, the tokens only work for applications and systems that support it somehow.

    2. Re:I just went through this by Anonymous Coward · · Score: 0

      Not a problem. My current system password matches that exactly, and I change that every 3 months by changing the embedded numbers to the next in a non-obvious sequence.

    3. Re:I just went through this by gregmac · · Score: 1

      Well, effectively that reduces the keyspace to brute force. Since it's so complex, probably all passwords are just the minimum 8 characters. Computationally, it's probably not any simpler, since something still has to check each password guess for those requirements, but at least that can be done offline. In fact, with a small amount of coding and a bit of time, I could come up with a list of valid passwords.

      Of course, if you have a lockout policy (After x tries, lock account for y time) then it can slow down brute force attempts, and if you have someone monitoring those logs, then you can even figure out that someone is trying to get in. Ironically, with a lockout policy, it doesn't really matter how complex the password is, since the chances of guessing even a simple password in say, 3 tries, is pretty small.

      --
      Speak before you think
  57. If you want security... by Khyber · · Score: 1

    I'm hoping you're not using Windows. I happened upon a nice little tool that allows me to blank all Windows passwords under 2K/XP (Must be using the NTFS file system, however,) if you give me physical access to the computer.

    Gain access to PC
    Blank all passwords
    Tell someone
    ???
    Profit!

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:If you want security... by smellystudent · · Score: 1

      For the local PC, sure. What a surprise. This gets you access to network resources how?

      --
      Predictive text is shiv!
    2. Re:If you want security... by Khyber · · Score: 1

      How does it get me network resources? I blank admin account password - admin account has admin access most likely across the entire system. Once I gain access to that account - what's the next logical step, eh?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  58. Re:Hmm. John Luke's account... by rudolfel · · Score: 0

    you forgot to tell us your ip address

    --
    -- Segmentation fault. Core dumped
  59. Remembering a password is easy by Cro+Magnon · · Score: 1

    Even remembering a password that changes every month isn't too bad. But remembering 50 passwords that have different rules, and have to be changed at different intervals is almost impossible.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  60. Over the Edge by infosec_spaz · · Score: 0

    Yes, that is a bit over the edge...sounds like you got one of those Politically correct consulting firms who talked your company into some kinda shit that is archaic, and silly. If that high of a security level is needed, they should switch to using either your employee badge system to do the login via a card reader attached to your PC, or biometrics, or both. Simply swipe your badge, and scan your finger/thumb, and you don't have anything to write down, or forget...unless you are one of us who forgets his/her badge on occasion :o)

    --
    ----- I have bad karma for a reason! -----
  61. What's so hard about it? by Proteus+Child · · Score: 1
    A password with the requirements you've outlined is pretty easy to generate and remember: myPASSWORD33fitsHERE999

    American English words, a couple of digits, mixed capitalization without looking too much like l33tspeak and it doesn't look like line noise. Someone running a password cracker would have to try every combination of words in their dictionary file with multiple attempts for capitalization and numeric sequences mixed in, a data set that contains too many permutations to feasibly try.

    Just don't write it down anywhere. It would be easier to steal the little sticky-note under the keyboard than it would to brute-force it.

    --

    Proteus' Child

    Doko ni datte; hito wa, tsunagette iru.

  62. Password complexity depends on the system by m-wielgo · · Score: 1

    I work for a defense contractor (aerospace) and password complexity depends on the system it's applied to. Some systems, like older mainframes, need a security exception because they were not designed to meet complexity requirements. Others however, like simple workstations, need only be a minimum of 8 alphanumeric characters and changed every 90 days. Some IDs, like service and generic utility IDs, need to be 16 characters (alphanumeric, mixed case and special characters) and changed every 120 days. Again, it all depends on the system the ID/password is for. Obviously a workstation that accesses TS/SCI material will require stricter password complexity requirements than a workstation that creates company wide information...

    In your situation though, your security admin is crazy.

  63. Remember the Morris Worm! by mengel · · Score: 1
    The Morris Worm (the first internet Worm to infect a large portion of the Internet, back in '88) included a very short list (~500) of passwords to try to get root with. It also tried people's first names, last names, etc. (read all about it in spaf's analysis).

    Obvious current candidates for obvious-password-cracking are things like MS-SQL, which allows you to send a whole request with a single UDP packet (as demonstrated by the old SQL-Slammer worm in 2003...)

    So yes, cracking poor password choices has led to significant break-ins and security woes through the years.

    On the other hand, rules like "Include mixed case and special symbols" don't particularly solve the problem. Toggling the case of letters and appending digits on obvious words has been a feature of programs like "crack" for decades, and that's what those rules promote. When user Fred Jones makes his password "FredJonesFredJones123!" to pass the rules check, it still isn't a terribly secure password. Or the user just writes down their password and Post-it Notes it to the screen...

    A much better approach would be one like one posted here to Slashdot a while back, Inkblot Passwords, where you show a user a series of randomly generated images which are associated with their account, and they enter a two-word phrase associated with each inkblot.

    --
    - "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
  64. Passwords are not security by sysadmintech · · Score: 1

    Passwords should not be considered security, but as authentication to resources. Network security should be applied by the admin through rights.
    If you are concerned with the security of your passwords, admin should use a password management system and encrypt. Two part authentication can be considered security and USB flash drives are cheap. You then could use something you know and something you have.
    I have used the same 6 letter admin password for about 20 years. It was stolen once by a student looking over my shoulder. I caught him within a half hour of trying to use it and had the logs to prove it and everything (nothing, looked around) which he had done. I had him pulled out of class by security. I have set up passwords by department (in specific situations) where whole departments used the same passwords, but employees only used "their" PCs and accessed the same accounting information. Using static IPs and logs you can tell what each user is doing.

  65. use honey token passwords by Anonymous Coward · · Score: 0

    In my previous job as a network security guy, I used to write down fake passwords on post-it notes and leave them in places like on the bottom of my keyboard, CRT etc. I even had a fake combination written on the back of the lock guarding my document safe so that anyone that found it would think me an idiot and waste time trying to figure if it was right or left on the first of the more than three numbers.

    My PHB came by to warn me about the need for security, so I grabbed a passing by clueful intern and asked him what the post-it note on the back of the lock was.

    Without missing a beat, he turned to my boss and told him it was a decoy.

    The PHB was unamused.

    Occasionally I would have workstation accounts set up that would make use of these fake passwords that would email my blackberry if used, and then shut down the machine. It never happened, but it was fun setting it up.
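The alerting half of that setup, as an added example that is not part of the post: a detector that scans auth log lines for any attempt, successful or not, against decoy accounts. The decoy account names and the sshd-style log lines are constructed for this example; the response mapping (notify on any touch, isolate the host on a successful login) follows what the post describes and is an assumption about how one would wire it up.

```python
import re
from collections import namedtuple

# Decoy ("honey token") account names whose credentials live only on the post-it notes.
# Constructed for this example.
DECOY_ACCOUNTS = {"svc_backup", "printadmin"}

# Constructed sshd-style auth log lines; not from any real system.
SAMPLE_LOG = """\
Mar  3 09:12:01 ws17 sshd[4021]: Accepted password for alice from 10.1.1.20 port 51112 ssh2
Mar  3 09:15:44 ws17 sshd[4030]: Failed password for svc_backup from 10.1.1.99 port 40101 ssh2
Mar  3 09:15:49 ws17 sshd[4031]: Accepted password for svc_backup from 10.1.1.99 port 40102 ssh2
Mar  3 09:20:02 ws17 sshd[4044]: Failed password for invalid user root from 10.1.1.20 port 40200 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

Alert = namedtuple("Alert", "ts host user src result")

def decoy_alerts(log_text, decoys=DECOY_ACCOUNTS):
    """Return one Alert per auth attempt against a decoy account.

    A failed attempt is as interesting as a success: nothing legitimate should ever
    present a decoy credential, so any use means the note was read.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in decoys:
            alerts.append(Alert(m["ts"], m["host"], m["user"], m["src"], m["result"]))
    return alerts

def response_for(alert):
    """Escalation (assumed): every touch pages someone; a successful login also
    isolates the workstation, the equivalent of the post's 'shut down the machine'."""
    return ("notify", "isolate_host") if alert.result == "Accepted" else ("notify",)
```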

  66. pass phrases are a beautiful thing by Wolfger · · Score: 1

    Current corp policy here is minimum 8 characters, characters are classified as "upper case", "lower case", "numbers", and "special characters", and we must use at least 3 different classes of character in the password. Password changes every month, and we cannot repeat any of the previous 10 passwords....
    Simple solution is to use a pass phrase that's easy to remember, and add numbers to the end of it. Like:
    "I hate our dumbass security policy01"
    "I hate our dumbass security policy02"
    "I hate our dumbass security policy03"
    "I hate our dumbass security policy04"
    "I hate our dumbass security policy05"
    "I hate our dumbass security policy06"
    "I hate our dumbass security policy07"
    "I hate our dumbass security policy08"
    "I hate our dumbass security policy09"
    "I hate our dumbass security policy10"
    "I hate our dumbass security policy11"
    at this point I can either start the sequence over again, or keep counting upwards.... how many months has it been since this dumbass security policy took effect? :-)

  67. Physical Security by Anonymous Coward · · Score: 0

    I simply store the passwords that I have trouble remembering on my camera's compact flash card: Added with steganography (http://en.wikipedia.org/wiki/Steganography) to some pictures. They're also backed up on a photo sharing site online, though I have it set so no one can view them but me.

  68. SSO by Anonymous Coward · · Score: 0

    Go for a Single Sign On system. Synchronize all your systems to have a single password (and a single username if your systems are relatively full and flexible) and then make the password as hard as you can. PS: If you go for a corporate closed source solution, just make sure it's not Computer Associates' eTrust SSO. Novell is the best.

  69. They have to know your account. by Grendel+Drago · · Score: 1

    Also consider that this attack will only work if the attacker knows your account number. If they're both secret--the ATM card example--it's a nonissue.

    --
    Laws do not persuade just because they threaten. --Seneca
  70. Passwords do not prevent theft by Anonymous Coward · · Score: 0

    Passwords are almost irrelevant these days. In order to comply with U.S. export laws, businesses usually use crap encryption so that they are not required to collect+submit names & addresses of each end user outside U.S. and Canada to the government. Examples of companies unwilling to sacrifice your security just so they can sell to more countries are rare. I only know of one, Innersafe Corporation, and that is because I know someone there. I think they're going live this month. Any bets on how long it'll take for them to be pressured by the govt. into weakening their products?

    Just remember, even if your password is 100 characters long, a keylogger can still grab it.

  71. Wrong end of stick. by wild_berry · · Score: 1

    I suspect you've misunderstood what I'd heard recommended: picking the 'n'th letter from each word in line of a song. It may be pride-before-a-fall but a near-random string of letters strikes me as immune to dictionary attacks. This fails google: stuff with this kind of lettering doesn't score well on page rank.

    1. Re:Wrong end of stick. by thogard · · Score: 1

      Most people can't cope with the n'th letter at all. If they can cope with it, then their password entry will be so slow that shoulder surfing will be more than enough. There are a few very well documented psychological reasons why this is true. Try typical social engineering techniques before you recommend them. A small amount of experimentation goes a very long way.