Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.
There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubicle wall. Seriously, I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.
I see the glass as full with a FoS of 2.
This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.
There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.
1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.
2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.
3. Or, install a backup camera so you don't need to look around for those pedestrians.
Just my 2 cents.
----- Connection reset by beer
Oh yes, oh yes indeed.
Get yourself a little password bruteforcing app. One that does ZIP files as a starter as they are nice and easy.
Play with it. It'll brute force dictionary passwords instantly. 8 letters in a couple of hours. 6 letters in a few minutes. On a crappy HP laptop, I might add.
Add some CAPS, numbers etc. and watch the times go into weeks, months, years.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
At the places I've worked, I bet you can reduce the brute force time from years to seconds if you know the names of everybody's kids and pets...
AmberBlackCat has it right. I worked in IT where there was 1 guy who COULDN'T understand password reset procedure. Down side was that he always demanded that it be reset to his name (maybe a 123 or something added) but nothing more. Just so happens that his name was also the name of the company. Need to guess the password? I'd say you'd have a harder time NOT guessing it.
And I don't blame him sometimes. He was 60+, computers were not his forte and he had to come up with a password that:
A) Expired every 45 days
B) Could not be manually reset to a password that's been used within the last 20 passwords
C) 8+ characters long
D) Numbers
E) Capitals
Hell, I got 3-4 passwords that don't expire on the same sync so I'm slowly losing my mind trying to remember them within the 3 try lockout period. Sure, I can unlock myself but it's still crap trying to do it.
Pick one good password, don't let it get cracked, and you'll be fine, and your users/co-workers will be much happier.
That's the way we run our network at home.
Unfortunately, at work it's different. There are several authentication empires large and small, each with differing password complexity requirements and with differing policies on password expiry and minimum difference from previous several passwords. There's the Oracle empire and the Siebel empire and the Notes empire, and two mutually-hostile LDAP empires. There are also a few minor authentication empires specific to other tools. There are probably other authentication empires/ghettoes for tools I don't interact with.
The longest password validity is 90 days, for some systems it's 60 days. The shortest password acceptable to any system is 8 characters. All require upper and lower case, some require number and/or punctuation as well. Some don't count an upper case character if it's the first character in the password. Others don't count a number or punctuation if it's the last character in the password. So upper case, number, and punctuation have to be in the middle. One system requires that at least two characters in the password change type in each update (e.g. number becomes letter). Another system does not ever allow re-use of old passwords, claiming unlimited memory of previous passwords.
The result? A few of the passwords are used regularly enough that they can be remembered, even with the updates every two or three months. Those used intermittently cannot be effectively committed to memory. So passwords are recorded on sticky notes under keyboards, scrawled on margins of wall calendars, on notepads in desk drawers, etc. Some keep them in plain-text files on their laptops. Our systems at home are more secure.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
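A validator that encodes the overlapping rules the post above describes, as an added example (not code from the thread or from any of the systems it names); it assumes the "upper case not counted if first, number/punctuation not counted if last" rule, the "at least two characters change type" rule against the previous password, and an unlimited password history, and is meant to show how such policies reject passwords that look compliant:

```python
import string

UPPER, LOWER, DIGIT, PUNCT = "upper", "lower", "digit", "punct"


def char_class(c):
    """Classify one character into the four types the policies talk about."""
    if c.isupper():
        return UPPER
    if c.islower():
        return LOWER
    if c.isdigit():
        return DIGIT
    return PUNCT


def counted_classes(pw):
    """Character classes credited toward complexity. Assumed rule from the post:
    an upper-case first character and a digit/punctuation last character are
    ignored, so 'Password1' gets credit for lower case only."""
    classes = set()
    for i, c in enumerate(pw):
        cls = char_class(c)
        if i == 0 and cls == UPPER:
            continue
        if i == len(pw) - 1 and cls in (DIGIT, PUNCT):
            continue
        classes.add(cls)
    return classes


def type_changes(old, new):
    """Positions where the character class differs between old and new password
    (the 'number becomes letter' rule); extra trailing characters do not count."""
    return sum(1 for a, b in zip(old, new) if char_class(a) != char_class(b))


def check_password(new, history, min_len=8, min_type_changes=2):
    """Return the list of policy violations; an empty list means accepted.
    history is the full list of previous passwords, oldest first (unlimited)."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = counted_classes(new)
    for needed in (UPPER, LOWER, DIGIT):
        if needed not in classes:
            problems.append(f"no counted {needed} character")
    if new in history:
        problems.append("reused password (unlimited history)")
    if history and type_changes(history[-1], new) < min_type_changes:
        problems.append(f"fewer than {min_type_changes} characters changed type")
    return problems
```

Run `check_password("Password1", [])` to see why the obvious choice fails, and `check_password("paSs8word", ["paSs7word"])` to see the type-change rule reject a one-digit bump.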