Slashdot Mirror

← Back to Stories (view on slashdot.org)

Strong Passwords Not As Good As You Think

Posted by CmdrTaco on from the still-better-than-'password' dept.

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.

24 of 553 comments (clear)

  1. News at 11 by sweatyboatman · · Score: 4, Insightful

    If your computer is hacked than you're boned.

    Seems to me that the solution is to have a strong password and keep your computer free of malware.

    Is that really so hard?

    --
    It breaks my pluginses, my precious!
    1. Re:News at 11 by Tridus · · Score: 5, Insightful

      Yeah, this.

      "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

      Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:News at 11 by Allicorn · · Score: 5, Insightful

      So write it down and put it in your wallet with your credit card.

      Unless - of course - you routinely tack your credit card to your cubicle wall. No? Didn't think so.

      --
      OMG!!! Ponies!!!
    3. Re:News at 11 by quangdog · · Score: 3, Insightful

      normal users simply can't deal with them. The result is sticky noted passwords.

      This gets especially problematic when the janitorial staff comes through one night and decides all those pesky post-its (and, indeed, most every paper/seeming clutter on every desk) needs to get cleaned up and thrown out.

      Really happened where I worked, once.

      But just once.

    4. Re:News at 11 by Talennor · · Score: 4, Insightful

      Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.

      --

      //TODO: signature
    5. Re:News at 11 by tie_guy_matt · · Score: 5, Insightful

      Another problem with password rules that rotate too fast and have too many rules is that you end up with many users who are locked out of their accounts. I imagine if the helpless desk gets 100 requests a day to reset account passwords then after a while they become less careful to ensure that the person requesting a password reset is actually the person that owns the account. Personally the more stupid password rules I encounter the more likely I am to try to come up with a password that is easy to guess (since I will be the one guessing the password in a little while.)

    6. Re:News at 11 by ArhcAngel · · Score: 5, Insightful

      Agreed, but what I find even more mind numbing is the places that require you to have a password that is between 6 to 10 characters in length (6 for a "strong" password and 10 because their system can't handle passwords any bigger) and must have at least two numbers in them as well as one upper case or some such. If the person/group trying to crack your system know about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said Don't bother looking for anything that doesn't contain the following.....

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    7. Re:News at 11 by Hognoxious · · Score: 3, Insightful

      The system doesn't need to store any passwords, not even the current one. It's called a one way hash.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    8. Re:News at 11 by eyrieowl · · Score: 3, Insightful

      Strawmen. Those data points don't change every six months to something relatively arbitrary. Even the last world series question (the only one of your questions which EVER changes) has a very finite set of possible correct answers. Even more problematic, the many different systems with passwords usually have different schedules on which passwords need to be changed, and different ways of defining "strong" passwords, so you can't use the same "strong" password across multiple systems. I don't have post-its for my passwords, but the only way I've been able to escape that is by coming up with a system for my passwords which allows me to make minor, memorable variations each time I have to change one of my passwords. If it were just one password, well, okay, but voicemail and multiple system logins each with different password requirements and change-schedules? Some of which I only use intermittently? I'm sorry, but at some point these requirements become completely counterproductive.

    9. Re:News at 11 by the_one(2) · · Score: 4, Insightful

      If one assumes that the users are lazy and will only do the bare minimum that would mean (in order): 1 upper case letter, 3 lower case letters and 2 numbers. This would translate to 26 ^ 4 * 10 ^ 2 = 45697600 permutations. That wouldn't be very hard to crack. And that is without using dictionaries!

    10. Re:News at 11 by Mr.+Underbridge · · Score: 5, Insightful

      There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools. 1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc

      Spoken like an ivory-tower admin with people skills worse than an angry badger. Some problems with that attitude:

      1. While you think your system is special, it's not to us. Yours is one of many systems for which we have to remember passwords.

      2. Systems that require such moronically complex passwords also require them to be changed. They also use slightly different rules so that passwords can't be exactly re-used. End result is that I've got about 40 passwords or their variants in recent use. No way I'm remembering that, and I'm smart. You can forget about the secretary.

      3. Admins that set up such systems generally forbid the use of password keychains.

      End result? At work, I have to remember passwords for about 8-10 systems, all with different rules and password expiration schedules. Naturally, each will lock you out after 3 tries. So what I generally have to do is, each time I've gone more than a week without using a particular system, I get the IT guy to reset the password. Only because I'm one of the good guys, I don't write them down. But I've been sorely tempted.

      You can either learn to work with people, or you can keep making unusable edicts that make it impossible for people to follow them. Just know that once you cross the "sticky note" threshold - and you appear to be well over it - your system is far more easily compromised than if you had implemented a sensible security policy in the first place.

      What admins usually forget is that security is inherently practical, not theoretical. Hackers will always focus on the weakest part of any secure system, not the strongest. Making it take 100 days instead of 10 to crack a password file doesn't accomplish anything, because they'll move on to another exploit. All you'll do is piss off your users and make it a lot more likely that passwords get written down. As Mitnick showed, the weakest link is usually human, and your approach makes that link far weaker.

  2. And this is news how? by damn_registrars · · Score: 5, Insightful

    I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. Simple solution by L4t3r4lu5 · · Score: 3, Insightful

    Biometric authentication.

    No problems there!

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Simple solution by Itninja · · Score: 3, Insightful

      Biometrics are not as bullet-proof as many people think. With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint. I am more of an advocate of three factor security, instead of just trading one single-factor method for another.

      We should have biometrics, passwords, and proximity smartcards.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
  4. Throwing the baby out with the bathingwater? by Anonymous Coward · · Score: 3, Insightful

    So because something that's good against brute-force attacks, but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.

    If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters of which some are substituted with letters are very easy to remember for a user, yet very hard to bruteforce because you can make them quite long easily.

    1. Re:Throwing the baby out with the bathingwater? by Anonymous Coward · · Score: 5, Insightful

      Exactly.

      the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers.

      It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors? Doesn't make sense either.

    2. Re:Throwing the baby out with the bathingwater? by maxume · · Score: 4, Insightful

      It's more like pointing out that a $25 lock is probably sufficient for a house with 25 glass windows (as opposed to a $100 lock).

      --
      Nerd rage is the funniest rage.
    3. Re:Throwing the baby out with the bathingwater? by itsdapead · · Score: 3, Insightful

      It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors?

      More along the lines of: there ain't no sense in fitting a steel door if you live in a tent.

      The main purpose of most door locks is not to stop determined people getting in at all, but to ensure that they have to break something in order to do so and can't claim some innocent excuse.

      Its probably better to regard most user-level, non-banking passwords in much the same way, and concentrate on protecting the really sensitive stuff.

      Also, apart from the "long passwords encourage writing down" issue, long passwords + frequent forced changes = more forgotten passwords = more demands on support staff to reset passwords = less scrutiny of reset requests.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
  5. limited application by damn_registrars · · Score: 3, Insightful
    Sentences as passwords are only applicable in environments that allow such things. Sure, they are very strong for hacker-resistance but you should realize how many systems don't allow:
    • spaces
    • passwords longer than 16 characters

    In particular many *NIX environments still don't natively allow spaces in passwords, so that approach would fail there.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  6. Now if only people would take this into account... by Lendrick · · Score: 5, Insightful

    I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.

    It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, I my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."

    [/rant]

  7. Best Practices by Rob+the+Bold · · Score: 5, Insightful

    According to the article (cited by the citation):"Users are frequently reminded of the risks: the popular press often reports on the dangers of ïnancial fraud and identity theft, and most ïnancial institutions have security sections on their web-sites which oïer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "

    -Choose strong passwords

    -Change their passwords frequently

    -Never write their passwords down

    I would suggest that this is a case for the popular quip: "Pick two".

    --
    I am not a crackpot.
  8. Multiple Systems by woodchip · · Score: 3, Insightful

    An other hurdle to usability is when you have multiple systems at work place that require a rotating complex password where you can't remember what password belongs to what system. Where I use to work we would have a password for the NT/domain PC login, and a password for the UNIX terminal thing everyone had to log into do anything. And withing the software on the UNIX terminal they used, for certain subsystems there was "shared" passwords that never changed, while remembered, they was still semi-complex, e.g. real word that substitutes a couple numbers for letters. I counted once, I had to know 25 different passwords, two-personal, and two "shared" to do my job, and I wasn't even working in a IT or IT-like postion.

  9. threat model by Tom · · Score: 3, Insightful

    As all things in security, it's not black and white.

    What exactly does "strong" mean? That's the important password.

    In most circumstances, your threat model why you need a "strong" password is password guessing. It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).

    If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password. That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.

    And that's all there is to it, really. All the bullshit about using numbers, special characters, etc. is just that - bullshit. It's defense against a threat that's not important anymore.

    IANAL, but I am a security professional. Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning. But I can type all my passwords in about a second on a standard keyboard. That makes shoulder-surfing a lot more difficult. In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room. And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.

    So it all depends on your threat model, as always. Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.

    --
    Assorted stuff I do sometimes: Lemuria.org
  10. you know by nomadic · · Score: 3, Insightful

    What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.

    My bank password? Yes, that should be strong. The forum where I go for auto repair advice? No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.