Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
How did you know my password?
If your computer is hacked then you're boned.
Seems to me that the solution is to have a strong password and keep your computer free of malware.
Is that really so hard?
It breaks my pluginses, my precious!
Yes! Now i can change my password back to password!
surely we should all be changing our passwords back to "Joshua"?
I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
I advise people to use unusual sentences as passwords.
For example, look at the previous sentence.
It contains uppercase letters, lowercase letters, spaces and punctuation.
It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.
And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.
and he autographed my copy of Applied Crypto for me, and he copied a little puzzle inside the front cover. It was a 3x3 matrix of numbers. I could never make heads nor tail of it. Has anyone else seen this and solved it? I'm at work so I do not have my copy of applied crypto with me, or I'd attempt to post the puzzle.
Biometric authentication.
No problems there!
Finally had enough. Come see us over at https://soylentnews.org/
So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.
If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.
I love the need to link to bruce but his contribution to this piece is "Strong Web Passwords Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun."
Really? Did we need to cite his commentary on this one?
You thought you could trick me into admitting my password was trustno1? Well, it didn't work.
...but are useless against phishing and keyloggers....
No kidding. Here's another news flash for you, computers do not run on magic crystals.
Proverbs 21:19
But maybe it's just the summary? I'll go RTFA right after this, or at least skim it. But since phishing and keyloggers are only two threats, and people can still guess passwords (or brute-force them) I think I'll keep using randomly generated passwords.
"Wrote a piece" apparently means "wrote a sentence" because all Bruce said about the paper is that it was "Interesting", then he C&P'd the abstract. Why not link directly?
Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place. However, this ignores the type of attack where a remote hole allows retrieval of a file, and that hole is used to retrieve the password list. There are also other attacks which would allow one to get ahold of your encrypted password, not least by sniffing, which can then be brute-forced without having to worry about three-strikes policies.
In other words, keep your complicated passwords, they are still necessary to defeat dictionary attacks. Security is not something you can buy in the store, it is a mindset that you must adopt. The more factors of security, the better. If you can't memorize a complex password after using it twenty or thirty times, you should start playing memory games or something. Even I can do that and my memory is poor enough to be a liability (and always has been since childhood.) We're all different and excel in different ways, but you owe it to yourself to sharpen certain skills.
I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes (or eat it, or whatever) when you no longer need it. It shouldn't be that difficult for a modern human who can understand how to operate a computer.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Bullet proof windows not as safe as previously thought. Under certain conditions, such as a door being unlocked and/or open, a bullet proof window may not keep you safe from robbery at gunpoint.
1 - 2 - 3 - 4 - 5
Nobody knows it.
Give me an Ubuntu CD and I'll show you just how useless any password is without encryption...
In particular many *NIX environments still don't natively allow spaces in passwords, so that approach would fail there.
At least read the summary, if to TFA! How will that help against phishing and keyloggers?
Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.
I sometimes set my password to ******** It sounds stupid but it has two advantages:
1. I know that I've typed in a * because I can see it
and, most importantly
2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing
Summation 2
The summary is missing an important point. The article suggests that weak passwords can be made secure by limiting the number of guesses allowed using a three strikes rule.
However, this solution has some problems. If any old password is allowed, there are 10-20 passwords which are most commonly chosen by all users. These are still likely to be guessed by an automated guessing system.
Also, the three strikes rule can be circumvented by using a botnet based attack. A botnet of 50,000 nodes would be allowed 150,000 guesses.
One other benefit to requiring strong passwords is that it may keep users from reusing the password from their Yahoo account, fantasy football account, etc.
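The botnet objection above (and the paper's 20-bit figure mentioned earlier in the thread) can be checked in a small simulation. This is an added example, not code from the thread or the paper: a lockout counter keyed per source address lets a distributed guesser multiply its budget by the number of nodes, while a counter keyed per account holds it at the configured limit. All accounts, passwords and addresses are constructed.

```python
from collections import defaultdict

MAX_STRIKES = 3  # the "three strikes" rule discussed in the thread


class LoginGuard:
    """Password check with a lockout counter keyed either per account or per source IP."""

    def __init__(self, users, key_by="account"):
        if key_by not in ("account", "source"):
            raise ValueError("key_by must be 'account' or 'source'")
        self._users = users          # constructed {username: password} table
        self._key_by = key_by
        self._strikes = defaultdict(int)
        self.locked = set()

    def attempt(self, username, password, source_ip):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        key = username if self._key_by == "account" else source_ip
        if key in self.locked:
            return "locked"
        if self._users.get(username) == password:
            self._strikes.pop(key, None)   # a good login clears the counter
            return "ok"
        self._strikes[key] += 1
        if self._strikes[key] >= MAX_STRIKES:
            self.locked.add(key)
        return "denied"


def run_distributed_guesser(guard, username, candidates, n_nodes):
    """Spread a candidate list over n_nodes source addresses, MAX_STRIKES guesses each.

    Returns (number of guesses the server actually evaluated, whether any succeeded).
    """
    pending = iter(candidates)
    evaluated = 0
    for node in range(n_nodes):
        # constructed source address for this node
        ip = "10.%d.%d.%d" % ((node >> 16) & 255, (node >> 8) & 255, node & 255)
        for _ in range(MAX_STRIKES):
            guess = next(pending, None)
            if guess is None:
                return evaluated, False
            result = guard.attempt(username, guess, ip)
            if result == "locked":
                break                      # this node gets nothing; try the next one
            evaluated += 1
            if result == "ok":
                return evaluated, True
    return evaluated, False


def guess_success_probability(entropy_bits, guesses):
    """Chance that `guesses` distinct tries hit a uniformly chosen password of `entropy_bits` bits."""
    return min(1.0, guesses / 2 ** entropy_bits)


def demo():
    users = {"alice": "correct-horse"}                 # constructed account
    candidates = ["guess%03d" % i for i in range(200)]  # constructed wrong guesses only

    per_source = LoginGuard(users, key_by="source")
    per_account = LoginGuard(users, key_by="account")
    n_nodes = 50
    src_eval, _ = run_distributed_guesser(per_source, "alice", candidates, n_nodes)
    acc_eval, _ = run_distributed_guesser(per_account, "alice", candidates, n_nodes)
    return {
        "per_source_guesses": src_eval,    # 3 * 50 = 150: the budget scales with the botnet
        "per_account_guesses": acc_eval,   # 3: the account locks after the first node
        "p_20bit_3_guesses": guess_success_probability(20, 3),
        "p_20bit_150k_guesses": guess_success_probability(20, 150_000),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The per-account counter closes the botnet loophole but hands an attacker a cheap way to lock legitimate users out, which is why real systems usually combine both counters with a timed reset rather than a permanent lock.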
I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.
It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."
[/rant]
So, uh... passphrases?
Like the paper says userids aren't secrets but non-secret userids make spam easier. Many companies use initial + last name as the user id: eg jsmith. If they also added a random 4 digit number: eg jsmith1234. It would make guessing userids harder for spam. And make unauthorized login attempts harder.
Tell that to application developers at banks, utilities, and other important accounts that only allow alpha-numeric characters in the password. Who still limits passwords to max 10 characters? Aren't we all salting and hashing anyway?
How can we put pressure on the application developers to allow us stronger passwords? I can't necessarily change banks or utility providers easily.
They'd also have to be a pretty good typist, since they can't see what they've typed. Plus, the password box doesn't visibly change to reflect the extra keystrokes after it's full, so you can't tell if you hit an extra letter. If you only get 3 tries before your account locks out, this might not be a very good idea.
Then of course most passwords can't be longer than a certain length, which the other reply already mentioned.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
When a company makes the requirements so difficult. For example: Symbol, plus one caps, plus one lowercase, plus one number, and at least 8 characters, changed every month and never being able to repeat. Then this policy is applied to every system, which if they are not all AD (active directory) controlled means someone has to remember multiple passwords each month.
What happens? People WILL use post-it-notes with their passwords. Security can bitch and moan all they want about this but the alternative is people calling helpdesk 5 times a day saying "reset my password".
There needs to be a balance when using passwords...too easy and you have little/no security, too difficult and you force people to find routes to remember their passwords (e.g. post-it notes) killing any security. You would be better off to have too easy of passwords.
If a company is that paranoid about password security then install fingerprint/eye-scanners. They are very inexpensive (sub $100 retail) and you will save users and help desk a world of hurt.
I do not support "The Man". I also do not support your irrational stupidity
Is it time to explore other methods as well? Require fingerprint reader, retinal scanner, a few security questions about your mother's maiden name and your favorite childhood pet, a couple complex math problems, and then insert your driver's license as well as your tongue into a USB device (patent pending)...let's really make sure it's you.
Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.
This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place.
Really, your password has to be two things: unguessable and unique. Unguessable in that no one can read a quick bio of you and start hammering out children's names or birthplaces and unique in that you're not sharing the same password across multiple hosts. That being said, I use the PC Tools Password tool to generate my passwords. However, this introduces a whole new problem as I now have to maintain and secure a file containing all of these impossible-to-remember passwords that represents the keys to my kingdom.
I swear to God...I swear to God! That is NOT how you treat your human!
Until I decided to post this my slashdot password WAS trustno1.
All of the 'strong' password crap also makes crackers ignore easy passwords. Every rule you add for making a 'secure password' limits the combinations available. Every time you make a restriction you are in fact making it easier to brute the password.
Trustno1 has been a great password for years. I've had a honeypot setup for at least 8 years using that password for root and administrator and never has it been tried to authenticate with it, even with the hundreds of thousands of attempts that have been made.
Even the bad guys have been socially engineered into making some very well known passwords great for securing important things, such as slashdot, which used trustno1 for my account until about 30 seconds ago.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I agree, except to improve upon this, you can just use the first few letters of each word, or even just the first letter.
this keeps the passwords reasonably short which is good both for typing quickly (and from just finger muscle memory) as well as being better in cases where passwords are truncated by the system in use.
moreover, beyond the first few letters the entropy added by the remaining letters is dropping swiftly so they add less protection if someone knows you are using whole words.
Additionally if you write the sentence on the wall, but are using only the first few letters of each word, it adds enough obfuscation that someone present at your desk and seeing the sentence probably won't have time to work out your cleverness.
Some drink at the fountain of knowledge. Others just gargle.
According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "
-Choose strong passwords
-Change their passwords frequently
-Never write their passwords down
I would suggest that this is a case for the popular quip: "Pick two".
I am not a crackpot.
They make things hard on users, but are useless against phishing and keyloggers.
O RLY?
Unlike, for example, the keys to my home. If I give those to complete strangers they are still quite useful. For picking my nose.
Well, if I'm signing up for a forum or some free email account somewhere, I don't need industrial-grade uncrackable password. Actually, if my password gets cracked, big deal. It's just come crappy account somewhere. I just love signing up for something because I want to ask a question, and the system refuses my password because it doesn't have two symbols, a mix of uppercase and lowercase, and two different numbers. Oh, Jip*4&nv4X isn't a good password, nix on that! And by the way, here's a brand-new illegible CAPTCHA for you for every new password try, only barely readable by native speakers of English. Anyone else from any other culture who doesn't use the 52 Roman letters, you're out of luck.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
A strong password is a good thing to protect your front door. Of course it is useless if you tell it to everybody (phishing) or if you install password logging tools to tell the password to a special group of people. But that has nothing to do with the password, it has to do with human behavior. A strong password is good, but it is useless without other security measures. This is no surprise. I hear the loud noise of a rice sack falling over. If I am not mistaken, it comes from China.
1) The application can only handle X amount of characters where X is less than the sentence
2) You need to have symbols in there (e.g. '*')
3) You need to change this once per month
4) You have multiple systems which require passwords
5) Passwords may not be repeated
All of this = reasons why your password method may not be the best.
There is a reason why ma-bell made phone numbers seven digits long and it's not because ma-bell anticipated the need to use every 10 million number combinations...it's because 7 digits is what the human brain can easily remember. Easily being "you remember this once" not "you need to remember a new number every month, including different character sizing, symbols, etc"
should only expire when you suspect they have been compromised.
If you're changing your password every 30 days, the value you get from cracking it is heavily reduced and so it isn't WORTH cracking.
When people say they can't remember their passwords I tell them to write half of it down on one piece of paper and half down on another. Keep the papers in different places, maybe half in your purse or wallet and half in your desk.
I tell them very bluntly that "this is only temporary until you memorize it. After A FEW DAYS shred the papers."
Yes, this creates a security risk, but it's contained and is an acceptable risk in our environment.
Oh, we have quarterly password changes and no-last-N-password and must-be-hard-password requirements on our systems.
The one thing I don't do is go back a week later and ask if they've memorized their password yet. That's outside my political authority.
Obviously anonymous for this.
This summary is terrible, even for /.. It makes it sound like strong passwords are ineffective, when in fact TFA claims that they are overkill for some situations.
I do agree though that passwords that expire are a bag of chach.
call me FOSS im the boss with the sauce and the source
Maybe you could just sum up? ;)
This makes me want to install keyloggers on all of the computers in my office.
-Chris (aka Lenwood)
My password ends in:
3...
4 PROFIT!.
It's a reward for whoever cracks it - they'll probably profit.
Yes. Especially if you have an ironic/sarcastic/sardonic mind. Something relatable and recallable : /.? YouInsensitiveClod
Banking? AllMyEggsInOne
Facebook? PeopleCareAboutThisCrap
Digg? AMillionMonkeys
L33T as desired for added security. Though with phrases you really take note of sites that have an arbitrary length limit. "Between 6 to 8 characters? Really?"
I've been using some form of a keycard to get into my building/office/server room for how long now?
Could a little USB reader integrated with the OS really be all the expensive.
Getting this integrated with the browser world might take some time...but I could see a good password saver attaching your keycard to your ID and encrypting it up. Something that keyloggers couldn't get to. Malware might be a harder problem, but if the program is smart enough to detect access to the metabase of password it might actually become a malware detector.
At the very least logging into Active directory at work would be swiping my card, encrypting the number, having Active directory have the number in my card, and having the kernel active. If someone steals my keycard they can access my machine, but then there is some physical trail. Maybe have me put in small password after my keycard swipe to get in if you're really worried about that.
Then put a web cam on my desktop and have it record when the keycard is swiped...okay maybe that's a bit ridiculous. In all honesty making my user have a 12 digit password is as well....at the end of the day no one wants to hack the normal office worker's user id and password because it doesn't have meaningful data. The IT worker and the HR person maybe...
Is this the whole "piece" he wrote?
TIA
Nobody brute forces anymore. Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies only on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed. If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether.
Take, just for example, various game account or freemail system that let you retry infinitely, because their support would be flooded if they locked you out after 3 tries. Yes, you could keep guessing. And probably it is done. So a "strong" password means more security. Usually, no. Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game.
You can, essentially, really go back to "12345" style passwords. There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout. And without lockouts, the average "guess-hacker" won't go for your password. They go for the other venues that are usually far easier to break.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Back in the day there was some issue with Zmodem (or was it kermit... it was a while ago) that downloading a text file with +++ATZ^MATH1 would cause you to disconnect. Ironically I used that for years as a password. The funny thing was when people would try and download a password.txt file for bruteforce they always got disconnected. Now I tend to use passwords that you can't even type the characters normally â-'â-'â-"707âoeâ"â© was a good one to use. Go ahead and keylog that, damn bot would likely think the password is 176177178707189190201 discarding the alt code
-=[ Who Is John Galt? ]=-
Where strong passwords help is in case a vulnerability is discovered in the restricted password guesses or if someone finds a way to get your password hashes(corp network) and they take them home to try and brute force them. Defense in depth. Not any one solutions solves all problems. You need multiple protections in place. Each one itself is just as important as the others.
Strong passwords are meant to foil would-be "guessers" and encryption crackers. Phishing schemes and Keyloggers require some sort of duping of the user as well as unknowingly willful compromising of the user's system to gain access.
A strong password scheme is quite effective at keeping a password cracker busy for an inordinate amount of time and a randomly generated password will keep the likes of Snidely Whiplash from acquiring access to the system by correctly guessing "Passw0rd" as the password. Both methods would require enough time to crack the password that it would be hopeful that your security systems would be able to pick up the unwanted behavior, stop it and notify the proper people that an attempt to compromise the system was logged.
That is of course, if you are not using an OS "secure" enough to use hash tables to store "encrypted" keys and the passwords those keys encrypt. I mean, we don't know of any OS that would do that, do we? (I'm rolling my eyes right now, just so you know).
Strong passwords are useless and only cause users problems? That is absolutely stupid. First off, strong passwords have nothing to do with phishing schemes, they are about brute force / guessing passwords. Just like a seat belt (a safety device) on a car isn't meant to protect you against car fires. Protecting you from car fires is done in a completely different way.
Strong passwords have a purpose and that purpose hasn't changed and is extremely valuable in protecting your accounts.
Phishing != brute force attack. Stop scare mongering.
Well, yes, if your system is easily compromised by key-loggers then it is irrelevant how strong your password is.
I like to use systems where this is not the case.
I also use passwords generated by random generators with a length of at least 12 characters.
Still, the best choice is to isolate sensitive stuff to other user accounts so your compromised ones only do limited damage.
If someone gets root privileges on your box, then you are SOL anyway, so rounding up this with IDS systems to ensure system integrity and maybe put most of it on read only partitions improves the situation.
Not even I'm that paranoid though. User level security on a Linux box is enough to make me sleep good at night.
...and to remember. At least for those amongst us who don't think orthography is peeking at birds.
Another hurdle to usability is when you have multiple systems at work place that require a rotating complex password where you can't remember what password belongs to what system. Where I used to work we would have a password for the NT/domain PC login, and a password for the UNIX terminal thing everyone had to log into do anything. And within the software on the UNIX terminal they used, for certain subsystems there was "shared" passwords that never changed, while remembered, they were still semi-complex, e.g. real word that substitutes a couple numbers for letters. I counted once, I had to know 25 different passwords, two personal, and two "shared" to do my job, and I wasn't even working in an IT or IT-like position.
I use a Whitespace program as my password. Beat that!
There's a bigger problem that I've yet to see written about and that's the shared username/password issue. I have at least 2 dozen different accounts, if you include Amazon, EBay, credit cards, bank account, youtube, blog/forums, etc. There's no way that I'm going to use different user names for each of them.
And of course, I'm going to use the same passwords for the accounts as well. While I'm not too worried about using the same username + password for both Amazon and Ebay, what if I have the same password for MyFavoriteBlog.com. A single nefarious employee at a large blogging/forum site has access to many username/password combinations. What's to stop that user from trying those username/password combinations through eBay, every major bank, every major credit card, etc?
In truth, I use different user names for more "secure" sites like Amazon and banks than I do for ones that I don't trust, but I'll bet that most people don't bother.
Forcing users to change passwords does nothing against keyloggers either. But it definitely makes it easier to tell when a user has changed their password.
They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the same cryptic garbage.
But the worst possible password constraint I can think of is limiting the maximum number of allowed characters. I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system possess this restriction.
Question everything
As all things in security, it's not black and white.
What exactly does "strong" mean? That's the important password.
In most circumstances, your threat model why you need a "strong" password is password guessing. It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).
If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password. That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.
And that's all there is to it, really. All the bullshit about using numbers, special characters, etc. is just that - bullshit. It's defense against a threat that's not important anymore.
IANAL, but I am a security professional. Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning. But I can type all my passwords in about a second on a standard keyboard. That makes shoulder-surfing a lot more difficult. In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room. And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.
So it all depends on your threat model, as always. Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.
Assorted stuff I do sometimes: Lemuria.org
Seriously. It's free and cross platform. Or else get a full-on corporate password manager/vault. In this day and age it drives me fucking insane that everyone acts like this is still an issue and post-its are the only viable solution. FFS.
I install and show people how to use Keypass and allow them to use it for any passwords/info they want and people realize it is handy as hell and adopt it with little issue. I've also set up larger corporate systems with SSL based access and everyone uses it, and especially data centers and banks find it invaluable. TANS are also another great computer-based solution. ...or, if even those are impossible use a simple word or the first letter of each word in a sentence and then tack on the number of the month. Every month use the same thing but with the next month's number. Easy because the first part becomes ingrained in the memory from constant use and you only have to know what month it is for the number part. Much better than simple words and it is at least almost strong without all the complexity to the user.
http://teasphere.wordpress.com - A little spot of tea
I have even heard it recommended to do the same thing with a certain key in place of the space bar.
"Iradviserpeoplertoruserunusualrsentencesrasrpasswords."
The space bar makes a distinct sound. A careful listener could hear the typing with the spacebar sound indicating spaces and how many letters in each word and how many words were being used. This is a nice first step in guessing the passphrase.
Using a letter as the space makes "overhearing" the passphrase a hair more difficult. Of course, if I was really this paranoid, I wouldn't use a wireless keyboard.
Can I get an "Amen" here?
Why, without your clothes, you're naked, Miss Dudley!
Conventional "strong" passwords protect against someone trying to guess or brute-force the password. They're really good at this.
The problem is, few attackers try to guess or brute-force passwords anymore. It's too time-consuming and too readily detected. Most of them will try to get you to tell them the password by one means or another. Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is. And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle". To guard against those attacks you need to strengthen things other than the password itself. And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.
... AI roboform.
http://www.roboform.com/
Strong passwords may not save you from keylogging, but that doesn't make them altogether useless. Rainbow tables, for example, will expose weak passwords but not strong ones on Windows machines. If you're using a boot disk to get into a computer that might store one of my strong passwords, well you can wipe it out or change stuff but at least my password is no less secure than before.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
I've taken to drawing on my keyboard, seeing as I am a touch typist geometric shapes work really well, also the ASCII output from XINE turns my movie collection into wonderful passwords in ASCII and great seeds for keys.
"the Spanish Inquisition"
One-Time-Passwords and Strong Authentication are the way to go.
This needs to become about Strong Authentication, not strong passwords. Changing a password often just frustrates users and doesn't help against base level attacks like keylogging. And if your password only changes every month or two then it's still valid for quite a while if it is discovered. We should instead be using multiple password factors for all secure scenarios. Something you know AND something you have (some sort of One Time Password, certificate, or biometric factor). This is less frustrating for the user than having to change their password all the time, and it defeats keyloggers, phishing, etc. Soon the web will have to wake up to this. If some of the big players would start to play ball, and say, support the yubikey token at least, then we might start to get the ball rolling. At least since the identity field is consolidating a bit with infocard and openid, we'll be in a position where all you need is an identity provider that can support multi factor auth.
Pasting tab characters into text entries is a pain.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
1. "But the worst possible password constraint I can think of is limiting the maximum number of allowed characters." There is a maximum because some backend systems can't handle a password longer than that.
2. Always set the maximum number of attempts allowed: 3 or 5, depending on how smart/dumb your user base is.
3. Use Self Service Tools. Have a user answer security questions (At least 3 different ones). So when they forget their password, they can log into a system themselves to change their password (Using a secure kiosk or guest account, with access only to the self service tool).
4. Leverage single sign on technologies. Having 10 different applications with potentially 10 different passwords causes people to write the password down on sticky notes (or on an Excel spreadsheet). Using SSO mitigates that.
5. Force password changes frequently. Every 3 months, I would suggest.
6. Don't allow users to use their previous 6 passwords at least, and make sure that at least 2 characters are different between passwords, so they can't just go from Password1 to Password2.
It's not a foolproof solution, but that combination of rules I have seen work the best at corporations.
I usually design web password thingies like that with minimal requirements: password must be at least four characters, cannot be all lower-case letters (but all caps or all numbers is fine), cannot be all the same character repeated and cannot be entirely sequential like "12345" or "ABCDE" (but these are valid substrings as long as there's something else too). Oh, and I hadn't realized I'd done this, but apparently the character set is limited to \x20 to \x7e; no control characters, upper ASCII, or Unicode. I'm not sure why I put that restriction in, but it shouldn't be an issue for most English-speaking people.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Something like those SecurID tokens or the Paypal security device. Standardize a protocol for them so we can use the same damn one everywhere. Biometrics are crap, for any affordable devices. But a reasonably secure password/passphrase with a token or smartcard would be very secure with little effort from the users. The problem is that everyone is trying to create their own little systems that can't inter-operate. Even if the stupid Paypal token isn't the best security out there, combined with a decent password it would be very hard to crack. It's also easy to use, keeping acceptance and compliance high. They are also reasonably cheap. Now you need my username, password, and the token. Significantly harder to crack while being rather easy for the user to deal with.
FYI, Prince changed his name to that silly symbol because his record company claimed rights to the name "Prince". BTW Prince isn't some made-up stage name, his mother named him that at birth.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.
My bank password? Yes, that should be strong. The forum where I go for auto repair advice? No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.
And then you come back 2 months later, guess your password or they send you an email (which is of course unencrypted, but then so was the login prompt) and force you to change it to something else that you won't remember.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Except that they're two sides of the same coin. Strong passwords are worthless without good filtering, common sense, and vigilance, and all of that is for naught if your password is "12345". A more appropriate observation would be, "Using a hard to guess password is worthless if you tell everyone what it is."
https://www.eff.org/https-everywhere
Well unless they have a sticky note next to that sticky note that says "The unusual sentence on the note next to this is actually the password and not just a random, unusual sentence."
While a lot of people have said "don't worry about strong passwords because systems lock you out after 3 tries" or something like that, there is an exception. Back in high school, a friend and I took all the local LM hashes off the school machines (we all had our own network logins) and then cracked them offsite. The actual network authentication would lock you out if you tried too many times, but our cracking rig would allow you to try an infinite number of times. In general, we'd stay away from the passwords that took too long to compute since there were so many weak passwords that we got nearly instantly.
So, I guess the moral of the story is that while any good system includes lockouts, if the password hashes are ever obtained, the strong passwords do come in handy.
and a fun fact: 90% of girls' passwords in my school were the names of boys.
Another trick is to take a sentence or song lyric and use only the first character from each word, but then tack on some numbers and special characters. For instance using the sentence above, generate a password that looks like this:
Iaptuusap&+0
If you chose a sentence or lyric that has meaning for you, you probably don't need to write it down at all, but if you absolutely had to write something down you could write:
"I advise people to use unusual sentences as passwords and add nothing"
You won't forget it, but it's not obvious that it's your password cheat.
Alternatively, choose something that you already have on your wall, like that Dilbert cartoon and use the text from one of the panels...
The solution is to put a chip in our heads that generates very long elliptically secure keys that can be used to authenticate with any service. When someone walks up to an ATM machine or uses a website they just need to start saying, 10010010101010001010100101.... you get the idea.
TFA repeatedly misuses apostrophes to form plurals ("userID's").
But, I wanted socialized health insurance!
This why a browser which can remember passwords is nice.
Now the theoretical keyspace from allowing all of these characters is 66^6 or approximately 10^10.9
26+26+10=62. Where did you get the 66?
...the second story in as many minutes stating the fucking obvious.
Did we just change management or something?
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I note many laptops now come with fingerprint scanners. That's a little bit harder to fake. But it should be coupled with a password. That way you have dual layers of security. But with a Windows box you just boot it up in Knoppix or something similar and it exposes the whole NTFS filesystem.
If that forum is one that has some sort of authentication procedure for creating new accounts (image recognition, response e-mail, etc.), they may be more worried about comment spam than they are about your account in particular being hacked. I've seen a few forums where the majority of the posts are Viagra spam.
Laws are horrible moral guides, moral guides make even worse laws.
I use complex but easy to remember, something like: Five%of60isTHREE Easy to remember, but not easily guessed.
I'm not not licking toads.
Why don't we use keys for securing access our computers? I've never understood this.
They're good enough for our cars and houses. Let's find a way to lock the computer and the network with real, physical keys.
Ok..now..what did you say your user name was again?
I have always believed the weakest point of passwords is keylogging and phishing; all these stupid sites that make you type one uppercase, one number and so on, I have always believed, are wasting our time and making things harder for us to remember.
So, I concur. Long complex passwords are a waste of time.
Managing multiple identities, that's a whole different story.
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
Everyone can change their password back to 'trustno1' now
I juz like changed my MySpace passwurd like you said, what do I do now? Luuulz! O.o
Another trick is to punch the password-rule-setting administrator in the mouth, and use however you'd write down his yelp of pain (eg, "Yeearrgh"), appended with the number of his teeth you dislodged. The sheer satisfaction guarantees you'll never forget that password.
Several years ago I read (and wish I remembered where) a technique that I thought was quite interesting. It was a rule based authentication scheme. Each account on a system would have its own set of rules that only the user would know. For example:
login: myid
What is 2+4?:cat
Here I might have set up the rule to say whenever there is a mathematical equation with an even result and it's in the morning, enter "cat"; if it's in the afternoon, enter "river"; if the result is odd and it's Monday, then enter "blue"; Tuesday, enter ... you get the idea.
The response has nothing to do mathematically with the question, but relies on the fact that I know what the proper response should be. And even if someone was watching my response, each time I log in a different rule would be used (maybe the next question would be "what color are roses?").
Three strikes is usually enough to stop a brute force attack. That and a list of super-common passwords that you can't use: "qwerty", "password", "trustno1", etc. And if something does get through, they could just disable the account.
The problem isn't one password. It's 82 freaking passwords because every web service in the world, and several different departments at work all want a password, have different rules, and require change every so often. There's no effin' way I can remember all that.
The problem is compounded by pompous admins who think they understand security and don't. Result? Bizarre systems that accomplish nothing or less. See the previous comment about how complex password rules actually decrease the search space for a password guessing malbot, for example.
Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses.
You forgot Tengwar.
Let's do the maths:
A 5 character case insensitive password has 11,881,376 possible permutations.
A 6 character case insensitive password has 308,915,776 possible permutations.
Let's make two assumptions. The first assumption is that an attacker attempting to break into your system only needs to guess one password in order to sufficiently escalate his privileges enough to become a serious security threat. Let's also assume that if allowed to, one of your users would pick the password 'god' or 'abc123.'
By requiring our users to set a password longer than 6 characters, we've made our password 25 times more secure.
   308,915,776  (total permutations)
-   11,881,376  (the number of permutations our attacker no longer needs to guess)
/   11,881,376  (how many times stronger is this result)
--------------
            25
When we add the requirement of case and numerics, the numbers are even more staggering:
   56,800,235,584  (6 character, case required, alphanumeric permutations)
-     308,915,776  (case insensitive permutations)
/     308,915,776
-----------------
Almost 192 times more permutations.
Obviously, password strength requirements alone do not make a security plan, but they do play an important part. I remember one situation where 6 people in a row were able to guess a co-worker's password based on knowledge of her character and religious beliefs.
Years ago one of my co-workers was asked by management to do a global password change on the systems (s)he supported. It was to be done late Friday afternoon for the "usual" reasons. The systems were such that you couldn't just expire them so they were individually reset to new ones. (S)He did this and then put post-its on everyone's monitor to let them know what their new password was when they came in on Monday. Shortly thereafter there was a new global password change.
My post was in regard to saying that strong passwords were difficult to remember. Sentences are easy to remember. I'd argue that they're easier to remember than an eight-digit string of numbers and letters.
As for phishing or keyloggers, the quality of a password is irrelevant if you have that problem, isn't it?
A password could be a very long and completely random string of characters and symbols but if someone else knows it then it offers no security.
The best solution I can think of to prevent phishing and keyloggers is to teach users to identify phishing and to make keylogger installation difficult.
Implying that the additional security from strong passwords isn't worth the associated problems because guessing isn't the easiest way to compromise someone's account is like saying that it's okay to leave all of your home's windows unlocked and open as long as your front door's locked.
One way to make easy-to-remember very strong passwords is to scramble an address, viz. Ukiah2035Elm.
If you must use a public computer, you can protect yourself from keyloggers by jumping from box to box: type part of your userid in one box, click elsewhere and type other stuff, click the password box and type part, back to the userid to finish, back to the password, etc.
There are so many naive users that even very simple precautions make you an unattractive target.
Christ, I could have detonated a nuclear weapon thinking that it was my luggage.
What the hell kind of employee are you that you can't manage a simple task three times a year?
"Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun."
That's not "a piece".
Obviously, the only way to really and truly secure your company's computers is to have the security office collect all of the power cords in the office. That will guarantee that no unauthorized users can access them!
I hear ya, I was going to write something quippy myself only to find I'd forgotten which random password I use for this forum.
I think that I must be the only person who actually read the paper. The point of the author is not that we don't need good passwords, but rather that we would gain much more security out of making the user ids strong. The individual talked about all of the ways that accounts can be broken into and talked heavily about the method of bulk guessing accounts. If the site's user ids are very dense (meaning that the unused input space is little), then the chances of a break in are much more likely (like in the case of site generated user ids that are sequential). This is because the input space for passwords is only so large, and it is very likely that 1 in 1,000,000 users will have a random password. The research talked about how in order for this to be true, the site has to have a large amount of users (like a national bank chain). The author even mentions that it doesn't matter if the user writes his/her strong user id down, as it is only a portion of the credentials and is intended to prevent the bulk guessing of accounts. This used with stronger passwords (I should note that the author even talks about not really needing strong passwords if strong user ids are used) seems to be a good defense. It is a very interesting read, and the author brings thoughts to the table that have not really been discussed (as far as I have read). Before anyone attacks this simple synopsis of the paper, please read it to fully understand lol.
Everyone can change their password back to 'trustno1' now.
You mean everyone can change their password back to 'password'.
Let's face it, it's 2009: 1980's coolness is out, 1990's awesomeness is in...
Well it serves me right for trying to get all fancy. Don't you hate it when you remember which password you used, but forget how you spelled it? I got locked out of my bank account for that one time. Originally I was going to advocate going the l33t method and swapping out numbers for letters but I seem to have outsmarted myself there.
You may not care but as an admin of such a site, I do care. Botnets want on those sites to spam senselessly. If you have a 'throwaway' password
Error: The password you have chosen is too short.
I actually used that password 13 years ago, although not recently.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
You should set your password to,
I am a pedophile and this encrypted partition contains my child pornography.
That way, if a court orders you to reveal your password, you can plead the 5th Amendment.
-- 77IM
PS. I am not a pedophile, and my encrypted partition contains no child pornography, just pirated movies and TV shows.
Student: Is it true that the foundation of the universe is paradox?
Master: Well, yes and no.
My 23 character strong password was invalidated by my bank's eBanking system's idea that it was too long...
Furthermore many modern sites really wouldn't be affected as they would have a cookie letting them
Meant to say that would be a user with the cookies allowing later login without presenting credentials.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
And by that logic, you shouldn't get vaccinated, because vaccines are ineffective against stabbings, shootings, heart disease, or drug overdoses.
Still, many strong passwords for different things, changed regularly plus many Linux Live CDs to stop weird software, plus hardware checks, plus fingerprint readers will prevent it all from being doooooomed!
I work for a gigantic, universally hated TLA. Our formal password requirements are addressed in two places in the regulations that govern our work. Those regulations are translated into a document that must be signed by every user every time they gain access to or alter their access to a protected system. In one of the formal requirements documents, writing down passwords is discouraged but not forbidden. In the other, as well as the doc that users sign, passwords are required to be kept secure and confidential but writing them down, per se, is not addressed.
Here's how I approach my users when they complain about passwords. First, I make sure they know I feel their pain. No matter how many passwords they have, I have more. Over 60, as a matter of fact.
Second, I tell them it's OK to write down their passwords. I pull out my wallet, slip out a credit card, and point to the account number. I tell them "See that? That number is, in effect, a password to my credit line. I don't mind that it's written down, embossed on a piece of plastic. Why? Because I'm not going to lose it! It's OK if you write down your passwords; just don't lose the thing you wrote them on." As a result, I'd guess that half our users have a slip of paper in their ID badge holder on which they've written down all their passwords. That's fine with us. Even if the badge were lost, every employee has a non-obvious user ID (that nobody writes down because it's the same for every system) that must be paired with every password to gain access to systems, so a baddie with one of those slips of paper is still highly unlikely to be able to gain any meaningful access.
So, why do you indicate that writing down passwords would take you out of the ranks of the good guys? Seems reasonable to me.
I don't know which area you live in, but stabbings, shootings and drug overdoses are not in my daily repertoire ...
Maybe you should think of moving instead of getting your vaccinations done, less lethal!
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Research shows that houses aren't as good as we think. We should go back to caves now.
Great advice: there are some weak segments in your chain of defense, so just forget about it altogether and open the door wide.
Phishing is entirely avoidable and key loggers are something you can at least try to avoid by keeping your system updated and not downloading that funny flash video that your aunt thinks you just have to watch. So what's left? Brute force and DNS insertion. The latter you can't really do anything about (i.e. with reasonable amount of effort for the average user), but a strong password is hardly the "struggle" it's portrayed to be, isn't it?
I'm surprised nobody's mentioned the stupidly simple and cheap two-factor authentication methods available. Example: World of Warcraft. People are constantly getting "hacked" or keylogged or whatever for that game's credentials, yet I have not heard of a single person with the keyfob they sell for $6.50US ever being hacked or keylogged. I mean, c'mon. It's less than $7US for permanent security.
The only downside is that there is no standard for this in terms of which keyfob works with your particular system, meaning your company or message board or whatever would have to figure that part out. Still, if it's a company, why not use that remote-access (VPN) keyfob for normal logins that require passwords as well.
I know Shell Oil does this with password + smart card, so having one doesn't matter as you need both, plus physical access to the correct server/LAN environment.
I'm surprised this is so constantly debated as a topic of security instead of a topic of onerous usability requirements imposed by draconian IT departments. Seriously. Remember a simple, permanent password + keyfob combination, or remember stupidly complex random gibberish that's required to change every 45 days. Seems easy to me.
Okay, the smart move for all of these websites.
Store your credentials in a plain text file (one per site), with the contents encrypted as a PGP/GPG ASCII block. Easy to backup, you could even just print out the contents of the text file, or mail it to some other location.
The trade-off is that you have to keep your PGP/GPG key secure.
Personally, for the less sensitive sites, I give them a random 18-32 character password and let the browser simply store it. Although I still store the credentials in GPG encrypted text files.
Wolde you bothe eate your cake, and have your cake?
Jeez people, read the article. It's talking about WEB passwords, you know, the kind which are impractical to crack by brute force, because a typical web server will lock you out after three failed attempts. For web passwords, the biggest threats are keyloggers and phishing attacks, not brute-force cracks. A simple 6-digit numerical PIN can't be brute-force cracked in less than 1000 years if the server locks you out for 24 hours after three failed attempts.
Of course, there are lots of fascistic sysadmins who demand impossible-to-remember passwords, but that's really not the topic at hand.
Alejo
---------
Writing advice: Proofread carefully to make sure you don't any words out.
I've found this is a nice way to create complicated passwords that are immune to dictionary attacks. Choose a pattern of shift on/off and draw a nice little picture. It's fun and easy. And you could probably write down what the picture is without arousing suspicion, if necessary.
Long live the BSD license
Okay, I have to change my password every 10 days. But wait, I only have 2 eyes. Retinal scans are out. Hmm, 10 fingers. That works for now until some other security know-it-all comes along and says it needs to be 20. Ok, now I have to take my shoes off to meet the requirement. Please. And I can't remember, was it the left foot or right foot and third toe? At some point, this is all unmanageable. It already is. Let's please stop it now. I have NEVER in 20 years had any of my passwords hacked. Why? I am likely too under the radar for most hackers and maybe that's what security experts need to teach. Until then, just turn off the password checking.
I know this isn't really on topic, but it may interest some of you that I was told by a security consultant that in 2002 British Telecom (BT) had a call centre of 200 (two hundred) people doing one thing and one thing only: re-setting forgotten passwords for BT employees worldwide. This call centre had grown from 4 people in 1996. In the end, it was the accountants that persuaded the IT department to do something about it. Part of the solution was to install something called an "LDAP server" on the network which in effect meant that various applications could use a centralised authentication system. That managed to keep the call centre rising above the 500 people in 2007 that had been projected by 2002 trends. It now stands at about 350 operators, 24 hours a day, 365 days a week. A cost that BT has to accept as "reasonable."
"And the meaning of words; when they cease to function; when will it start worrying you?"
WTF is this? $25 House locks?
No no no, you see it's more like having a car...
Nope, wrong. We shouldn't use biometrics at all, since they're a) easy to foil and b) immutable. It is as if you're constantly carrying your password on your person, because that's all biomets are, fancy passwords, and you're stuck with these because you can't change them. So you want to add a password in the mix? Well, instead of asking for one password you're asking for two, one of them problematic - you might as well ask for a longer password and save yourself the headache. Smartcards on the other hand are a good idea, as long as their range is short enough. I've worked with systems that we were able to overhear. While we liked that because otherwise we would have had to take a detour through the neighbouring wing to get to the cappuccino machine instead of swipe, walk through straight corridor, swipe, I think that if you would want to come up with a good security policy you might want to avoid that.
Consecutive characters my ass! No matter what I type my passwords are always *******, or *** or ****** etc. So far nobody has ever guessed!
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
English has remarkably little entropy. A letter in a sentence like this one has an average of 1.3 bits of entropy. To improve the secrecy and randomness of passwords, I recommend substitutions. Take, for example, 'A bird in the hand is worth two in the bush.' This can be mixed into, '@B1rdInTh3H4nd1$W0rth2InDaBush!'. Perhaps not as easy to remember, but after you've made a few passwords like this, it becomes second nature. In my experience, it also becomes easier to mentally 'chunk' passwords, so something like 'B3hold0bli1v1on1$@Hand' is fairly simple to recall.
Of course, this brings us to a rather interesting junction. The second sentence has more entropy, making it more resistant to cryptographic analysis. The first sentence has more letters, making it harder to brute force. (Though it has no numbers or symbols, but let's set that aside.) Which is better? Depends on your purpose, I think.
That's impractical if you need to change passwords often, the admin only has so many teeth.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
I found this system to work well. For any non-critical passwords (mainly websites/forums), I have a specific string I base my passes on (let's say it's "passwordssuck"), and each site has a slightly different permutation on this. If I'm making a password for 'website.com', it might be passwssuck or, if caps/nums/symbols are needed, something like p4ssW$suck... I would try to make any required permutations apply first to the website-specific additions, then to the leftmost possible other characters (no number equivalent for W or P so use the A). To make it less obvious to an unscrupulous forum/site operator that you are using such a system, it can be better to use something that doesn't look like words, such as the first letters of words in a memorable passphrase (e.g., "strong passwords protect your account from being compromised" = sppyafbc = (in the website.com example) 5ppyaW$fbc .... Looks completely random but it's memorable if you use this same system everywhere, and there aren't many things to try if you forget the exact symbol substitution etc. for a given site.
So slashdot pass could become 5ppya$Dfbc, midgetpron.com you use $ppy4Mpfbc, and so on - so long as you follow the same ruleset each time you'll never forget them.
I haven't seen any forum sites that enforce password expiry, obviously that'd screw you over.
I'll post again about those changing passes, but need to post this now before my flaky mobile safari crashes again. :p
TFA suggests countering brute force attacks with lockout mechanisms. I'm sure the users will be happy about not being able to log in just because their password was recently brute-forced. Any lockout mechanism is vulnerable to DoS, please remember that forever. And don't argue with IP address restrictions.
+3 funny ey. "In Soviet Russia, passwords crack you!"
This stuff is kind of obvious to those who are familiar with the technology. Password strength is a good defense against certain types of attacks, such as dictionary and brute force, but has always been vulnerable to keyloggers and phishers. If you are stupid enough to download and install a keylogger or you get fooled into a phishing site, your password strength is meaningless. Passwords have always been the weakest form of security. The other two forms, smartcards (what you have) and biometrics (who you are) are more secure. Combinations of these forms are even stronger (passwords in combination with a smart-card, for example). Passwords also suffer from other drawbacks. Passwords strong enough to be decent are hard to remember, so people tend to write them down. Passwords weak enough to remember are vulnerable to dictionary and brute force attacks. Passwords are, and will likely remain, the weakest form of security for those reasons. Yet they will also likely remain the most common form of security. Companies simply don't want to take the expense of building computers that require smart card or biometric access. Even on laptops this type of added security still remains uncommon.
Open Source: Eroding the Digital Divide
What a crap statement. That's like saying door key/lock combinations are useless because you can bring someone home with you, let them spend the night, and have them rob you before you wake up in the morning. The answer to phishing is simple - you just use some common sense. As for keylogging - keep your system physically secure by keeping it away from physical access, and logically secure by installing and maintaining good quality anti-virus/anti-malware programs. Oh, and stay away from hacking/porn sites. lol
I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it.
Even if you want to use strong passwords at all, requiring a digit is a stupid way to do it. Nowadays the most popular minimum password length is 8 characters. Assuming your available character set is 7-bit ASCII minus the control characters (making 95 available characters), the knowledge that the password contains at least one digit eliminates over 41% of the search space for 8-character passwords.
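The keyspace arithmetic that several comments in this thread argue over (26^5 vs 26^6 and 62^6, the "a required digit eliminates over 41% of the 8-character search space" claim, and the 6-digit PIN behind a 3-try, 24-hour lockout) can be checked with a short script. This is an added example, not code posted by any commenter; it assumes the 95-character printable ASCII set (\x20 to \x7e) split into 26 lower, 26 upper, 10 digits and 33 symbols, and it generalizes the single-digit rule to any set of "at least one from each class" requirements via inclusion-exclusion.

```python
"""Password search-space arithmetic for the figures quoted in this thread.

Added example, not a commenter's code. Assumed character classes: printable
7-bit ASCII (95 characters) = 26 lower + 26 upper + 10 digits + 33 symbols.
"""
from itertools import combinations
from math import log10

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 95 - LOWER - UPPER - DIGITS          # 33 printable non-alphanumerics
PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS   # 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def times_stronger(bigger: int, smaller: int) -> float:
    """The thread's '(bigger - smaller) / smaller' measure of added strength."""
    return (bigger - smaller) / smaller


def required_class_space(alphabet_size: int, required_sizes, length: int) -> int:
    """Count strings of `length` characters over an alphabet of `alphabet_size`
    that contain at least one character from EACH disjoint class whose size is
    listed in `required_sizes`.  Inclusion-exclusion over the classes that are
    missing: sum over subsets S of (-1)^|S| * (A - |chars in S|)^L."""
    n = len(required_sizes)
    total = 0
    for k in range(n + 1):
        for excluded in combinations(range(n), k):
            remaining = alphabet_size - sum(required_sizes[i] for i in excluded)
            total += (-1) ** k * remaining ** length
    return total


def fraction_eliminated(alphabet_size: int, required_sizes, length: int) -> float:
    """Share of the unconstrained keyspace a guesser can skip once the
    composition rule is public (it always is: the sign-up form states it)."""
    full = keyspace(alphabet_size, length)
    return 1 - required_class_space(alphabet_size, required_sizes, length) / full


def years_to_exhaust(space: int, attempts_per_day: float) -> float:
    """Calendar years needed to try every candidate at a rate-limited login."""
    return space / attempts_per_day / 365.25


if __name__ == "__main__":
    # Case-insensitive alphabetic passwords, 5 vs 6 characters.
    five, six = keyspace(LOWER, 5), keyspace(LOWER, 6)
    print(f"26^5 = {five:,}   26^6 = {six:,}   -> {times_stronger(six, five):.0f}x")
    # Mixed-case alphanumeric, 6 characters (62^6).
    mixed6 = keyspace(LOWER + UPPER + DIGITS, 6)
    print(f"62^6 = {mixed6:,} (10^{log10(mixed6):.2f})   -> {times_stronger(mixed6, six):.1f}x")
    # A mandatory digit in an 8-character printable-ASCII password.
    one_digit = fraction_eliminated(PRINTABLE, [DIGITS], 8)
    print(f"digit required, 8 chars: {one_digit:.1%} of the search space eliminated")
    # The common 'one of each class' rule, same length.
    all_four = fraction_eliminated(PRINTABLE, [LOWER, UPPER, DIGITS, SYMBOLS], 8)
    print(f"all four classes, 8 chars: {all_four:.1%} eliminated")
    # A 6-digit PIN with three tries, then a 24-hour lockout.
    print(f"6-digit PIN at 3 tries/day: {years_to_exhaust(keyspace(DIGITS, 6), 3):.0f} years to exhaust")
```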