Slashdot Mirror


Strong Passwords Not As Good As You Think

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.


  1. News at 11 by sweatyboatman · · Score: 4, Insightful

    If your computer is hacked then you're boned.

    Seems to me that the solution is to have a strong password and keep your computer free of malware.

    Is that really so hard?

    --
    It breaks my pluginses, my precious!
    1. Re:News at 11 by DrLang21 · · Score: 4, Interesting

      There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

      --
      I see the glass as full with a FoS of 2.
    2. Re:News at 11 by Tridus · · Score: 5, Insightful

      Yeah, this.

      "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

      Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:News at 11 by Allicorn · · Score: 5, Insightful

      So write it down and put it in your wallet with your credit card.

      Unless - of course - you routinely tack your credit card to your cubicle wall. No? Didn't think so.

      --
      OMG!!! Ponies!!!
    4. Re:News at 11 by quangdog · · Score: 3, Insightful

      normal users simply can't deal with them. The result is sticky noted passwords.

      This gets especially problematic when the janitorial staff comes through one night and decides all those pesky post-its (and, indeed, most every paper/seeming clutter on every desk) needs to get cleaned up and thrown out.

      Really happened where I worked, once.

      But just once.

    5. Re:News at 11 by Secret Agent X23 · · Score: 2, Informative

      There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

      We have this policy on our timekeeping system. I re-use the same password with a number from 1 to 6 appended to the end. When it's time to change the password, I just change the last number. After 6, go back to 1.

    6. Re:News at 11 by Talennor · · Score: 4, Insightful

      Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.

      --

      //TODO: signature
    7. Re:News at 11 by tie_guy_matt · · Score: 5, Insightful

      Another problem with password rules that rotate too fast and have too many rules is that you end up with many users who are locked out of their accounts. I imagine if the helpless desk gets 100 requests a day to reset account passwords then after a while they become less careful to ensure that the person requesting a password reset is actually the person that owns the account. Personally the more stupid password rules I encounter the more likely I am to try to come up with a password that is easy to guess (since I will be the one guessing the password in a little while.)

    8. Re:News at 11 by ArhcAngel · · Score: 5, Insightful

      Agreed, but what I find even more mind numbing is the places that require you to have a password that is between 6 to 10 characters in length (6 for a "strong" password and 10 because their system can't handle passwords any bigger) and must have at least two numbers in them as well as one upper case or some such. If the person/group trying to crack your system know about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said Don't bother looking for anything that doesn't contain the following.....

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    9. Re:News at 11 by bbernard · · Score: 4, Interesting

      This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.

      There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.

      1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.

      2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.

      3. Or, install a backup camera so you don't need to look around for those pedestrians.

      Just my 2 cents.

      --
      ----- Connection reset by beer
    10. Re:News at 11 by grumpyman · · Score: 4, Funny
      "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

      .... while sys admin uses "admin" as password on servers/switches without the need to change, ever?

    11. Re:News at 11 by Hognoxious · · Score: 3, Interesting

      I once worked at a place where you couldn't have more than 2 characters in common with any of the last N so that wouldn't work.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    12. Re:News at 11 by Hognoxious · · Score: 3, Insightful

      The system doesn't need to store any passwords, not even the current one. It's called a one way hash.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
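
Added example (the editor's, not code from any commenter in this thread): a "not one of your last N passwords" check built the way the comment above describes, keeping only salted one-way hashes of the previous passwords. It also shows the limit of that design: because the system holds plaintext only for the current password, and only at change time, a "must differ from the old one" rule (such as the 2-characters-in-common rule mentioned further up) can be checked against the current password but not against older entries. The history depth of 6, the PBKDF2 parameters, the "differ in at least 3 positions" rule and the sample passwords are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 50_000  # PBKDF2 work factor; an assumed value for this example


def _hash(password, salt):
    """Salted one-way hash; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def positions_differing(a, b):
    """Number of positions in which two strings differ (extra length counts)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


class PasswordHistory:
    """Enforces 'not one of your last N passwords' while storing only
    salted hashes. `depth` is the history length (6, as in the thread)."""

    def __init__(self, first_password, depth=6, min_change=3):
        self.entries = deque(maxlen=depth)  # (salt, digest); newest last = current
        self.min_change = min_change         # assumed 'differ in N positions' rule
        self._push(first_password)

    def _push(self, password):
        salt = os.urandom(16)                # fresh salt per entry
        self.entries.append((salt, _hash(password, salt)))

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def was_used(self, password):
        """True if the candidate equals any password still in the history."""
        return any(self._matches(password, e) for e in self.entries)

    def change(self, current, new):
        """Rotate to `new`; raises ValueError with the reason on rejection."""
        if not self._matches(current, self.entries[-1]):
            raise ValueError("current password incorrect")
        if self.was_used(new):
            raise ValueError("password is one of the last %d" % self.entries.maxlen)
        # The current password is in clear only at this moment, so a similarity
        # rule can be applied against it but not against the older hashed entries.
        if positions_differing(current, new) < self.min_change:
            raise ValueError("new password too similar to the current one")
        self._push(new)


if __name__ == "__main__":
    h = PasswordHistory("July2009")
    for reason, new in (("reuse", "July2009"), ("similar", "July2019"), ("ok", "August2009")):
        try:
            h.change("July2009", new)
            print(reason, "->", "accepted")
        except ValueError as e:
            print(reason, "->", e)
```

Rotating through depth + 1 distinct passwords makes the first one acceptable again, which is the window the appended-digit schemes in this thread exploit; the hash-only history cannot tell "password1" from "password2", only the similarity check against the current plaintext can.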
    13. Re:News at 11 by MadKeithV · · Score: 2, Informative

      Oh how I wish you were kidding, but experience confirms that you are not.

    14. Re:News at 11 by bitslinger_42 · · Score: 2, Insightful

      Do you remember your mother's birthday? Your anniversary? Who won the last 5 World Series? The name of the first girl you had a crush on? What I'd mean if I were to say "Ni!" to an old woman? While you might not know all of them (I have no clue who won the most recent World Series, nor do I care), I'm sure you know all sorts of similarly esoteric information.

      People can remember all sorts of information, if it is important enough to them. People look at passwords as inconveniences at best.

      If you can't manage to remember one new chunk of information every 6 months, seems to me you're woefully over-employed. Perhaps you'd remember better if your boss would walk around and fire everyone with passwords on sticky notes.

      Having said that, I did read the paper, and I agree with the conclusion the author makes: long, complex passwords only work to deter offline brute-force attacks and, to some extent, shoulder surfing. Both of these attacks are not likely these days. It is time for those of us in the computer security field (and yes, I am one of them) to take a hard look at our treasured "standards" and make sure that they still apply. I've already started discussions with my management with an eye towards implementing some of the recommendations. To be honest, I doubt management will agree to lower the password complexity rules since a) they haven't read the paper, and b) neither have the auditors, but I want to get the conversation started so we can do the other things (improve analysis of the log files).

    15. Re:News at 11 by Deadstick · · Score: 5, Funny
      on my cubical wall

      Most of mine are planar...

      rj

    16. Re:News at 11 by corbettw · · Score: 3, Funny

      Not yet, but that's supposed to be a feature in Windows 7.

      --
      God invented whiskey so the Irish would not rule the world.
    17. Re:News at 11 by eyrieowl · · Score: 3, Insightful

      Strawmen. Those data points don't change every six months to something relatively arbitrary. Even the last world series question (the only one of your questions which EVER changes) has a very finite set of possible correct answers. Even more problematic, the many different systems with passwords usually have different schedules on which passwords need to be changed, and different ways of defining "strong" passwords, so you can't use the same "strong" password across multiple systems. I don't have post-its for my passwords, but the only way I've been able to escape that is by coming up with a system for my passwords which allows me to make minor, memorable variations each time I have to change one of my passwords. If it were just one password, well, okay, but voicemail and multiple system logins each with different password requirements and change-schedules? Some of which I only use intermittently? I'm sorry, but at some point these requirements become completely counterproductive.

    18. Re:News at 11 by the_one(2) · · Score: 4, Insightful

      If one assumes that the users are lazy and will only do the bare minimum that would mean (in order): 1 upper case letter, 3 lower case letters and 2 numbers. This would translate to 26 ^ 4 * 10 ^ 2 = 45697600 permutations. That wouldn't be very hard to crack. And that is without using dictionaries!

    19. Re:News at 11 by geminidomino · · Score: 3, Funny

      ...using the first line of each song to generate your password... 'I see a little silhouetto of a man' becomes 15al50am

      I'm sure you mean "1ttr71tjf" yes?

    20. Re:News at 11 by Mr. DOS · · Score: 2, Insightful

      Directly related item on The Daily WTF.

      The more fine-grained the requirements you can punch into your brute forcer, the faster the hash goes down...

            --- Mr. DOS

    21. Re:News at 11 by Inda · · Score: 2, Insightful

      Same as that! Me too! OK, OK!

      This month's password is: July2009. It has numbers and capitals. Great!

      Next month's password will be: August2009. It has numbers and capitals. Great!

      Don't be scared of the rules man. They are there to help you ;p

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    22. Re:News at 11 by Inda · · Score: 4, Interesting

      Oh yes, oh yes indeed.

      Get yourself a little password bruteforcing app. One that does ZIP files as a starter as they are nice and easy.

      Play with it. It'll brute force dictionary passwords instantly. 8 letters in a couple of hours. 6 letters in a few minutes. On a crappy HP laptop, I might add.

      Add some CAPS, numbers etc and watch the times go in weeks, months, years.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    23. Re:News at 11 by bkpark · · Score: 2, Informative

      If the person/group trying to crack your system know about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said Don't bother looking for anything that doesn't contain the following.....

      Er, not really. Breaking a 10-char password takes so much longer than breaking 6-char through 9-char passwords combined, so for computing the brute force time, you might as well assume that you have 10-char passwords (a sibling post assumes that one has a 6-char password but that's just wishful thinking; I think most people have the ability to come up with at least 8-char passwords; at least people who do online banking should).

      By having at least one upper case, you essentially require potential crackers to need to look for 52 possible letters for each position (remember: the requirement isn't that you need upper case letter in the first position; it's any position, so you can't really use that to generally rule out bunch of passwords), and by requiring at least one number, you essentially require potential crackers to look for 62 possible alphanumeric choice for each letter (again, the requirement isn't that you should have numbers at the end of passwords or the beginning; even if you assume exact 2 numbers, you don't know where they are), with that, the possible combination, in the optimal case is 62^10, and if it takes 1 second to try one password (which might be true, unless the hacker has access to the password hash), it would take the cracker 27 billion years.

      Now, you complained about this specific requirement ruling out certain combinations. How many combinations do you think are ruled out? I haven't actually done the math, statistics, or Monte Carlo, but I'm willing to bet it's fewer than 50%, so the cracker will now take somewhere around 13 billion years to crack the system instead of 27 billion years.

      I think I still feel relatively safe, as long as the hash remains secret.
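
Added example (the editor's, not code from any commenter): the keyspace arithmetic from the exchange above worked out exactly rather than estimated. It covers the 6-to-10-character, two-digits-plus-one-uppercase policy ArhcAngel complains about, the_one(2)'s 26^4 * 10^2 minimum-effort count (which assumes the attacker also knows the class layout), and bkpark's 62^10-at-one-guess-per-second figure. The character-class sizes (26/26/10), the guess rates, and the absence of punctuation from the alphabet are assumptions for illustration.

```python
from math import comb

# Assumed character classes: ASCII letters and digits only, no punctuation.
UPPER, LOWER, DIGIT = 26, 26, 10
ALPHABET = UPPER + LOWER + DIGIT  # 62 symbols per position


def count_with_classes(n, min_upper=0, min_digits=0):
    """Exact number of length-n strings over [A-Za-z0-9] containing at least
    `min_upper` uppercase letters and at least `min_digits` digits, in any
    positions. Sums over every split of the n slots into u uppercase, d digit
    and (n - u - d) lowercase positions."""
    total = 0
    for u in range(min_upper, n + 1):
        for d in range(min_digits, n - u + 1):
            lower = n - u - d
            layouts = comb(n, u) * comb(n - u, d)  # which slots hold which class
            total += layouts * UPPER ** u * DIGIT ** d * LOWER ** lower
    return total


def policy_keyspace(min_len, max_len, min_upper, min_digits):
    """Passwords the policy accepts, summed over every permitted length."""
    return sum(count_with_classes(n, min_upper, min_digits)
               for n in range(min_len, max_len + 1))


def unconstrained_keyspace(min_len, max_len):
    """Every alphanumeric string in the same length range, no class rules."""
    return sum(ALPHABET ** n for n in range(min_len, max_len + 1))


def fixed_pattern_space(pattern):
    """Keyspace if the attacker assumes one fixed class layout, written as a
    string of 'U' (uppercase), 'l' (lowercase) and 'd' (digit), e.g. 'Ullldd'."""
    sizes = {"U": UPPER, "l": LOWER, "d": DIGIT}
    space = 1
    for c in pattern:
        space *= sizes[c]
    return space


def years_to_exhaust(keyspace, guesses_per_second):
    """Wall-clock years to try every candidate at the given rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    allowed = policy_keyspace(6, 10, 1, 2)      # 6-10 chars, >=1 upper, >=2 digits
    everything = unconstrained_keyspace(6, 10)
    print(f"policy keeps {allowed / everything:.1%} of all 6-10 char alphanumerics")
    print(f"fixed 'Ullldd' layout: {fixed_pattern_space('Ullldd'):,} candidates")
    print(f"62^10 at 1 guess/s (online): {years_to_exhaust(62 ** 10, 1):.2e} years")
    print(f"policy space at 1e9 hashes/s (offline, assumed): "
          f"{years_to_exhaust(allowed, 1e9):.1f} years")
```

The two rates are the point of the thread: the same policy-compliant keyspace that takes geological time at an online rate of one guess per second collapses to months once the attacker has the hashes and can guess offline.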

    24. Re:News at 11 by bitslinger_42 · · Score: 2, Interesting

      Glad to see you read the first paragraph of my post. Did you happen to see the end, where I said that I agreed with the paper, increasing password complexity doesn't solve the problems that we face today, and that I'm engaging my management with an eye towards changing our password policy?

      But, since you brought it up, sure those don't change, but we have all sorts of information that we learn every day. If you're a programmer, you might have to learn a new technique, the parameters for a new method invocation, whatever. The password itself doesn't change for six months (in the parent's example), so while the first few days or so are a pain, it is possible to learn one new eight character "word" twice a year.

      Passwords are FAR from perfect, but for most businesses, the alternatives are too costly to implement for the incremental gains. Biometrics always get mentioned, as do their inherent weaknesses (jello fingers, photocopies, etc.) PKI is perennially "next year's hot technology", but it never gets implemented because of the staggering costs and the inherent problems of determining who you really trust. One-time password tokens are a proven technology, but they're expensive to deploy, wear out after a fairly short time period, and are easily lost/stolen. All of the other technologies still have training and management issues for the users. Compared with those options, keeping passwords makes business sense.

      The problem is that the same people who won't pay for other authentication methods also read in CIO Weekly about the latest brute-force attack that cracks 14 bajillion passwords a second, and they think that longer, more complex passwords equal better security. Same goes for the external auditors. Everyone's been schooled in longer=better when it comes to password strength, so that's all they care about. This is the mindset that needs to be changed, but it won't happen over night. I'm doing what I can for my users here, but the rest of you are on your own :-)

    25. Re:News at 11 by Mr. Underbridge · · Score: 5, Insightful

      There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools. 1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc

      Spoken like an ivory-tower admin with people skills worse than an angry badger. Some problems with that attitude:

      1. While you think your system is special, it's not to us. Yours is one of many systems for which we have to remember passwords.

      2. Systems that require such moronically complex passwords also require them to be changed. They also use slightly different rules so that passwords can't be exactly re-used. End result is that I've got about 40 passwords or their variants in recent use. No way I'm remembering that, and I'm smart. You can forget about the secretary.

      3. Admins that set up such systems generally forbid the use of password keychains.

      End result? At work, I have to remember passwords for about 8-10 systems, all with different rules and password expiration schedules. Naturally, each will lock you out after 3 tries. So what I generally have to do is, each time I've gone more than a week without using a particular system, I get the IT guy to reset the password. Only because I'm one of the good guys, I don't write them down. But I've been sorely tempted.

      You can either learn to work with people, or you can keep making unusable edicts that make it impossible for people to follow them. Just know that once you cross the "sticky note" threshold - and you appear to be well over it - your system is far more easily compromised than if you had implemented a sensible security policy in the first place.

      What admins usually forget is that security is inherently practical, not theoretical. Hackers will always focus on the weakest part of any secure system, not the strongest. Making it take 100 days instead of 10 to crack a password file doesn't accomplish anything, because they'll move on to another exploit. All you'll do is piss off your users and make it a lot more likely that passwords get written down. As Mitnick showed, the weakest link is usually human, and your approach makes that link far weaker.

    26. Re:News at 11 by AmberBlackCat · · Score: 5, Interesting

      At the places I've worked, I bet you can reduce the brute force time from years to seconds if you know the names of everybody's kids and pets...

    27. Re:News at 11 by sfarmstrong · · Score: 5, Funny

      I know! And "Area51" is like the only dictionary-like password within the constraints you describe, so I can crack the system in a single guess! And I'm practically guaranteed to get classified information with that kind of password!

    28. Re:News at 11 by CapnStank · · Score: 5, Interesting

      AmberBlackCat has it right. I worked in IT where there was 1 guy who COULDN'T understand password reset procedure. Down side was that he always demanded that it be reset to his name (maybe a 123 or something added) but nothing more. Just so happens that his name was also the name of the company. Need to guess the password? I'd say you'd have a harder time NOT guessing it.

      And I don't blame him sometimes. He was 60+, computers were not his forte and he had to come up with a password that:
      A) Expired every 45 days
      B) Could not be manually reset to a password that's been used within the last 20 passwords
      C) 8+ characters long
      D) Numbers
      E) Capitals

      Hell, I got 3-4 passwords that don't expire on the same sync so I'm slowly losing my mind trying to remember them within the 3 try lockout period. Sure, I can unlock myself but it's still crap trying to do it.

    29. Re:News at 11 by AK Marc · · Score: 2, Insightful

      The password itself doesn't change for six months (in the parent's example), so while the first few days or so are a pain, it is possible to learn one new eight character "word" twice a year.

      For one, changing passwords does not improve security. At best, it limits the time when a system is compromised, but almost never improves the security (the only exception is if someone managed to get a hold of an encrypted password file and it takes 7 months to crack a 6 month rotation, but that takes an already compromised system to get that, so you've already been hacked). So, aside from the uselessness of that policy, it is a problem to learn a new word every 6 months. For one, people rarely have just one password, so it isn't just one. For another, as people age, they will have memories of passwords past. They will either do as I do, password1 followed by password2 with a post-it up with just a number on it to remind me which version I'm on, or they will end up with "blocking" happening. That's where you can't remember which password you recall when you think about your password is the current one, and which is the time before, or for that other system, or such. There is no fix to that, it's the way the brain works. When people code systems with no thought to how the users themselves work, you will end up with a crap system. And that's what you are defending, a useless policy that results in a crap system and compromised passwords.

    30. Re:News at 11 by ShieldW0lf · · Score: 2, Informative

      So, use an acronym for your password, but write down the full sentence.

      Use the password "Dftpu2jomaw!" and write yourself a note that says "Don't forget to pick up 2 jugs of milk after work!"

      --
      -1 Uncomfortable Truth
    31. Re:News at 11 by AliasMarlowe · · Score: 4, Interesting

      Pick one good password, don't let it get cracked, and you'll be fine, and your users/co-workers will be much happier

      That's the way we run our network at home.
      Unfortunately, at work it's different. There are several authentication empires large and small, each with differing password complexity requirements and with differing policies on password expiry and minimum difference from previous several passwords. There's the Oracle empire and the Siebel empire and the Notes empire, and two mutually-hostile LDAP empires. There are also a few minor authentication empires specific to other tools. There are probably other authentication empires/ghettoes for tools I don't interact with.
      The longest password validity is 90 days, for some systems it's 60 days. The shortest password acceptable to any system is 8 characters. All require upper and lower case, some require number and/or punctuation as well. Some don't count an upper case character if it's the first character in the password. Others don't count a number or punctuation if it's the last character in the password. So upper case, number, and punctuation have to be in the middle. One system requires that at least two characters in the password change type in each update (e.g. number becomes letter). Another system does not ever allow re-use of old passwords, claiming unlimited memory of previous passwords.
      The result? A few of the passwords are used regularly enough that they can be remembered, even with the updates every two or three months. Those used intermittently cannot be effectively committed to memory. So passwords are recorded on sticky notes under keyboards, scrawled on margins of wall calendars, on notepads in desk drawers, etc. Some keep them in plain-text files on their laptops. Our systems at home are more secure.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    32. Re:News at 11 by Mr. Underbridge · · Score: 2, Insightful

      The Security Analyst couldn't care less if you can remember your passwords or not. The real issue is whose fault it's going to be when the system does get compromised. I can tell you right now, it's not going to be the SA. It's all you, the end user! You can fight the good fight for admins and end users, but in the end, the SA couldn't care less if you have your password on a sticky note on your monitor. They have covered their ass, and when all your business gets owned, they are going to point their finger right at you. They will keep their job... You won't.

      That's all fun and games until the person who wrote the password on the sticky note outranks the admin. And believe me, executives are the worst about that sort of thing.

    33. Re:News at 11 by Bigjeff5 · · Score: 2, Informative

      If people at your office can be trusted, you don't really take a huge risk by having a postit with the password.

      Ahh, I see, so you hang out with the housekeeping staff and fully trust them too. You know, the ones who do the shitty job, are thoroughly underpaid but are easily smart enough to realize that somebody "out there" might find confidential information on your system very, very valuable? Same with the building owners your company leases to, right? You know, 16+ gig flash drives are very cheap and hold a lot of confidential information. Hell, if they're a little more technical than that they'll find a trojan on the internet and give themselves full access to your systems. There are plenty of IRC chat rooms with people willing to give you step by step advice to set it all up, especially if you're willing to share.

      It's also suicidal to assume you know that nobody in your office would ever use your passwords to access your system, no matter how much you trust them. There are a lot of people who aren't as nice as you think they are, and there are even more situations that would sorely tempt even decent people to do not so decent things.

      You can make systems invulnerable to brute-force attacks without making them vulnerable to social engineering. IT security demands balancing BOTH issues. As others have mentioned, 10 days to crack a password may as well be 100 years in most situations, especially when social engineering or security systems so complicated they force bad habits on the users can get you the password in minutes.

      As an example, I worked helpdesk for an Army Guard armory with very strict security - they used biometrically locked smart cards with a 6 digit pin that had to be changed if it were ever locked out. There was also a password requirement should your smart card be locked out that would allow you access to your system, but it required 12 digits, 2 upper, 2 lower, 2 numbers and 2 special characters, it had to be changed every 90 days, and you couldn't use the last 20 passwords. The result? You could walk down the hallway at any given time of day and find at least one or two offices with the smart card in the computer, a sticky note with the current pin on the monitor, and the user nowhere to be found.

      Sure, the smart card system and password were essentially unbreakable, but they didn't need to be. Smart card resets, password resets, and sticky notes with passwords and pins were so common it was easily the least secure system I've ever had the privilege of working with. It also severely hampered productivity.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    34. Re:News at 11 by mrcaseyj · · Score: 2, Insightful

      For companies that don't allow simple incrementing of the password at each change, but rather require almost every character to be changed, I would suggest using a hash function to create a seemingly random but easily regenerated password. For example on Ubuntu the following command will give an easily reproducible password:

      # printf instead of echo -n for portability; the quotes stop the shell from treating [:print:] as a glob
      printf '%s' "LongUnchangingBasePasswordSiteNameJan2009" | sha512sum | xxd -r -p | tr -cd '[:print:]'; echo

      Just changing the month will give an entirely different password. Such a password will be dictionary and brute force proof unless the hacker knows this little generator scheme. And even if the hacker knows this scheme, using an easy to remember but long enough base password will keep it dictionary and brute force proof. Even if someone knows that your little generator scheme increments the date, they still won't be able to predict next month's password by shoulder surfing this month's password. Unfortunately this may leave an unencrypted record of your password in your command or standard output log, which may also get copied to backup machines. Under Windows these command line tools may not be available, so it may be necessary to create a small JavaScript program or something with similar functionality. That might also keep this input and output out of your logs. This might also be good for creating a completely different but easily reproducible password for every web site you log into, and prevent a hacker who obtains the web site's password file from brute forcing the site's hash of your password and getting your password to use on other sites.
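
Added example (the editor's, not the commenter's scheme verbatim): the same deterministic derive-a-password-per-site-and-month idea, written so it avoids the two problems the comment itself raises. The base secret is read without echo rather than passed on a command line, so it lands in no shell history, and the derivation repeats with a counter until the output is long enough and satisfies a character-class policy, because filtering a raw digest down to printable bytes gives a variable-length result that can miss a class. Using HMAC-SHA512 keyed with the base secret instead of hashing the concatenation, the 16-character length, the output alphabet and the class policy are all choices made for this example.

```python
import hashlib
import hmac
import string
from getpass import getpass

# Assumed output alphabet: printable ASCII without the space character.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _has_classes(pw):
    """Assumed target policy: one lowercase, one uppercase, one digit, one symbol."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def derive_password(base_secret, site, period, length=16):
    """Deterministic per-site, per-period password from an unchanging base secret.

    The base secret is the HMAC key, so someone who shoulder-surfs the output
    learns nothing about the string that was hashed. A counter is mixed into
    the message and the derivation is repeated until the printable filter
    yields `length` characters that satisfy the policy."""
    for counter in range(256):
        msg = f"{site}|{period}|{counter}".encode()
        digest = hmac.new(base_secret.encode(), msg, hashlib.sha512).digest()
        # Keep only bytes that fall inside the alphabet (like `tr -cd '[:print:]'`).
        candidate = "".join(chr(b) for b in digest if chr(b) in ALPHABET)[:length]
        if len(candidate) == length and _has_classes(candidate):
            return candidate
    raise RuntimeError("no acceptable output after 256 attempts")


def main():
    # getpass reads without echo and leaves nothing in shell history,
    # unlike a secret passed as an argument to echo or printf.
    base = getpass("base secret: ")
    site = input("site name: ")
    period = input("period (e.g. Jan2009): ")
    print(derive_password(base, site, period))


if __name__ == "__main__":
    main()
```

Changing only `period` or only `site` produces an unrelated password, and regenerating with the same three inputs always gives the same one, so nothing needs to be written down beyond the site name and month.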

  2. Woo hoo! by BobSixtyFour · · Score: 2, Funny

    Yes! Now i can change my password back to password!

    1. Re:Woo hoo! by ae1294 · · Score: 2, Funny

      At least those of us who speak French have much better passwords. Mine is 10 characters long, that's 2 characters better than yours!

      O yeah! Well my passwords go to 11.. yeah that's right... exactly 1 higher than yours frenchy...

    2. Re:Woo hoo! by SlashBugs · · Score: 4, Funny

      "lepassword"?

  3. c'mon by greebowarrior · · Score: 4, Funny

    surely we should all be changing our passwords back to "Joshua"?

    1. Re:c'mon by maxume · · Score: 2, Funny

      At least it is a reasonable name. If he named his kid Swordfish...

      --
      Nerd rage is the funniest rage.
  4. And this is news how? by damn_registrars · · Score: 5, Insightful

    I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  5. I'll repeat what I've said before: Use sentences. by kinabrew · · Score: 3, Informative

    I advise people to use unusual sentences as passwords.

    For example, look at the previous sentence.

    I advise people to use unusual sentences as passwords.

    It contains uppercase letters, lowercase letters, spaces and punctuation.

    It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.

    And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.

  6. Simple solution by L4t3r4lu5 · · Score: 3, Insightful

    Biometric authentication.

    No problems there!

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:Simple solution by Itninja · · Score: 3, Insightful

      Biometrics are not as bullet-proof as many people think. With many fingerprint scanners, for example, one can fool them with little more than a xerox copy of the needed fingerprint. I am more of an advocate of three factor security, instead of just trading one single-factor method for another.

      We should have biometrics, passwords, and proximity smartcards.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Simple solution by caseih · · Score: 2, Informative

      In a word, no. Biometrics is only a part of identifying someone and controlling access. In essence, classic security thought says that there are three things to authorizing and authenticating a principal:
      1. Something you are
      2. Something you have
      3. Something you know

      So if biometrics provided #1, a smart card could be #2, and a password could be #3.

      I've known of several high-security installations that required all three things. A thumb print, the smart card, and a passphrase (or passcode) to go through a door. Whether or not this really granted real security I don't know.

      Certainly it's clear that biometrics cannot replace passwords as biometrics are not secret really (you leave your fingerprints everywhere). And as Mythbusters showed, you can fool even the most sophisticated fingerprint scanners quite easily. But they are still an important part of positively authorizing someone.

  7. Throwing the baby out with the bathingwater? by Anonymous Coward · · Score: 3, Insightful

    So because something that's good against brute-force attacks but isn't against phishing and keyloggers, we should stop doing that? Phishing and keylogging are a result of strong passwords. So you need to implement adequate measures against those instead of saying strong passwords are useless.

    If users have a hard time remembering their passwords, train them in it. Using phrases from which you take letters, some of which are substituted with letters, is very easy to remember for a user, yet very hard to brute-force because you can make them quite long easily.

    1. Re:Throwing the baby out with the bathingwater? by Anonymous Coward · · Score: 5, Insightful

      Exactly.

      the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers.

      It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors? Doesn't make sense either.

    2. Re:Throwing the baby out with the bathingwater? by maxume · · Score: 4, Insightful

      It's more like pointing out that a $25 lock is probably sufficient for a house with 25 glass windows (as opposed to a $100 lock).

      --
      Nerd rage is the funniest rage.
    3. Re:Throwing the baby out with the bathingwater? by ArsenneLupin · · Score: 2, Funny

      Yeah, Windows weaken the security of every house...

    4. Re:Throwing the baby out with the bathingwater? by itsdapead · · Score: 3, Insightful

      It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors?

      More along the lines of: there ain't no sense in fitting a steel door if you live in a tent.

      The main purpose of most door locks is not to stop determined people getting in at all, but to ensure that they have to break something in order to do so and can't claim some innocent excuse.

      It's probably better to regard most user-level, non-banking passwords in much the same way, and concentrate on protecting the really sensitive stuff.

      Also, apart from the "long passwords encourage writing down" issue, long passwords + frequent forced changes = more forgotten passwords = more demands on support staff to reset passwords = less scrutiny of reset requests.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    5. Re:Throwing the baby out with the bathingwater? by tehdaemon · · Score: 2, Insightful

      If you have to break your own windows to get in about once a month - because your ridiculously complicated lock keeps locking you out - and it takes a week to replace those windows - then you probably need a simpler/less 'secure' lock. You might even be better off without a lock....

      T

      --
      Laws are horrible moral guides, moral guides make even worse laws.
  8. Sounds dumb to me by drinkypoo · · Score: 2, Insightful

    But maybe it's just the summary? I'll go RTFA right after this, or at least skim it. But since phishing and keyloggers are only two threats, and people can still guess passwords (or brute-force them) I think I'll keep using randomly generated passwords.

    "Wrote a piece" apparently means "wrote a sentence" because all Bruce said about the paper is that it was "Interesting", then he C&P'd the abstract. Why not link directly?

    Okay, I read the first page of the paper and they say you only need about 20 bits of password so long as there is a three strikes policy in place. However, this ignores the type of attack where a remote hole allows retrieval of a file, and that hole is used to retrieve the password list. There are also other attacks which would allow one to get ahold of your encrypted password, not least by sniffing, which can then be brute-forced without having to worry about three-strikes policies.

    In other words, keep your complicated passwords, they are still necessary to defeat dictionary attacks. Security is not something you can buy in the store, it is a mindset that you must adopt. The more factors of security, the better. If you can't memorize a complex password after using it twenty or thirty times, you should start playing memory games or something. Even I can do that and my memory is poor enough to be a liability (and always has been since childhood.) We're all different and excel in different ways, but you owe it to yourself to sharpen certain skills.

    I guess the bottom line is that I'd be concerned about employing someone who can't remember a password. You write it down until you memorize it, you treat that piece of paper as precious and secret, you burn it and scatter the ashes (or eat it, or whatever) when you no longer need it. It shouldn't be that difficult for a modern human who can understand how to operate a computer.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. limited application by damn_registrars · · Score: 3, Insightful
    Sentences as passwords are only applicable in environments that allow such things. Sure, they are very strong for hacker-resistance but you should realize how many systems don't allow:
    • spaces
    • passwords longer than 16 characters

    In particular many *NIX environments still don't natively allow spaces in passwords, so that approach would fail there.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:limited application by MrMr · · Score: 3, Informative

      In particular many *NIX environments
      I have used passwords with spaces since the 1990's on AIX, IRIX, HPUX, Solaris and Linux and have only seen that happen in poorly written SQL code (deliberately put there by some ignorant web-developer).
      Which environment would that be?

    2. Re:limited application by Rob+Riggs · · Score: 2, Informative
      The biggest problem of all is that there is no standard to what should be allowed in a password. I have had banks tell me that punctuation is not allowed in passwords.

      Some require uppercase, lowercase and numbers.
      Some require specific complexity; most do not
      Some require a symbol.
      Some don't allow a symbol.
      Some require at least 8 characters.
      Some allow at most 8 characters.

      Really, it's just stupid. Until some standards body issues requirements in internet password practices that financial institutions are required to implement, it is just a lost cause.

      --
      the growth in cynicism and rebellion has not been without cause
    3. Re:limited application by Opportunist · · Score: 4, Funny

      It's a sticky note with gibberish on the monitor. What could it be.

      A friend of mine had a genuinely clever idea for a password: The serial key on the back of the monitor of the guy sitting opposite of him. He has it right in front of him, it's completely impossible to guess, no sticky note giving it away and yet it's written down and won't go away or get lost.

      He only has to call IT every other year when they upgrade monitors.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:I'll repeat what I've said before: Use sentence by Nerdfest · · Score: 4, Funny

    Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.

  11. My password by Rik+Sweeney · · Score: 4, Funny

    I sometimes set my password to ******** It sounds stupid but it has two advantages:

    1. I know that I've typed in a * because I can see it

    and, most importantly

    2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing

    1. Re:My password by ptbarnett · · Score: 2, Funny

      I sometimes set my password to ********

      Your password is hunter2?

  12. Now if only people would take this into account... by Lendrick · · Score: 5, Insightful

    I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.

    It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."

    [/rant]

  13. Defense-in-depth by Rennt · · Score: 2, Interesting
    From the article:

    Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place.

    This may be statistically true, but isn't it missing the point of defense-in-depth? Why rely on three-strikes to catch brute force attempts, when you can also have a password that resists brute force in the first place.
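    The two attack paths argued over in this thread (the paper's "three strikes" online guessing, and drinkypoo's point above that a leaked password file or sniffed hash is cracked offline where no lockout applies) can be shown side by side. The Python below is an added example, not code from the paper or from any commenter; the account class, the 3-letter lowercase keyspace (about 14 bits, deliberately under the paper's 20) and the PBKDF2 iteration count are assumptions chosen so the demo runs in seconds.

```python
import hashlib
import hmac
import itertools
import math
import os
import string
import time

LOCKOUT_THRESHOLD = 3              # the "three strikes" rule discussed in the paper
ALPHABET = string.ascii_lowercase  # tiny keyspace so the offline demo finishes quickly


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: 26^3 is about 14.1 bits."""
    return length * math.log2(alphabet_size)


class Account:
    """One user record the way a server stores it: salt + hash + strike counter.
    A bare salted SHA-256 is used on purpose as the 'weak storage' case."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.locked = False

    def _hash(self, pw: str) -> bytes:
        return hashlib.sha256(self.salt + pw.encode()).digest()

    def login(self, guess: str) -> bool:
        """Online check: constant-time compare, lock after LOCKOUT_THRESHOLD failures."""
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(guess), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


def all_candidates(length: int):
    """Every lowercase string of the given length, in dictionary order."""
    for chars in itertools.product(ALPHABET, repeat=length):
        yield "".join(chars)


def online_guess(account: Account, length: int):
    """Attacker who only has the login form. Returns (password or None, attempts)."""
    attempts = 0
    for cand in all_candidates(length):
        if account.locked:
            break
        attempts += 1
        if account.login(cand):
            return cand, attempts
    return None, attempts


def offline_crack(salt: bytes, digest: bytes, length: int):
    """Attacker who holds the password file: no login form, so no lockout."""
    attempts = 0
    for cand in all_candidates(length):
        attempts += 1
        if hashlib.sha256(salt + cand.encode()).digest() == digest:
            return cand, attempts
    return None, attempts


def seconds_per_guess(iterations: int = 600_000) -> float:
    """Cost of one offline guess if the server had used PBKDF2-HMAC-SHA256 instead."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"0123456789abcdef", iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    acct = Account("qzx")  # assumed demo password, ~14 bits
    print("bits        :", round(keyspace_bits(26, 3), 1))
    print("online guess:", online_guess(acct, 3))                     # locked after 3
    print("offline     :", offline_crack(acct.salt, acct.digest, 3))  # found, no lockout
    per_guess = seconds_per_guess()
    print(f"with PBKDF2, 26^8 offline guesses would take ~{26**8 * per_guess / 3600:.0f} h")
```

    The lockout stops the online attacker at three tries whatever the password is, which is the paper's point; the offline attacker walks the whole keyspace against the stolen hash, which is why the password's own strength and a slow KDF still matter once the hash leaves the server.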

  14. Best Practices by Rob+the+Bold · · Score: 5, Insightful

    According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "

    -Choose strong passwords

    -Change their passwords frequently

    -Never write their passwords down

    I would suggest that this is a case for the popular quip: "Pick two".

    --
    I am not a crackpot.
  15. Re:HEY! by Mattcelt · · Score: 3, Funny

    Ha! Dumbass. You need a better password now, like the one I have on my luggage: 1-2-3-4-5

  16. Re:HEY! by Yvan256 · · Score: 4, Funny

    1-2-3-4-5? That's amazing. I've got the same combination on my planetary air shield!

  17. Re:I'll repeat what I've said before: Use sentence by MadKeithV · · Score: 3, Funny

    My password ends in:
    3...
    4 PROFIT!.
    It's a reward for whoever cracks it - they'll probably profit.

  18. Re:News for who? by Anonymous Coward · · Score: 2, Funny

    Here's another news flash for you, computers do not run on magic crystals.

    Duh! Everyone already know they run on smoke...

  19. Re:HEY! by sopssa · · Score: 2, Informative

    Thankfully I use KeePass myself, so I have a *different* ~20-char totally random password everywhere. If you also use a keyfile to protect the container, a trojan getting your master password doesn't matter. Some of them might also be stupid enough not to monitor the clipboard when you're pasting the password. And even if they do, you won't give out passwords to a bunch of websites, services, email, servers etc. at once, and you're protected against malicious admins or people hacking servers to get passwords because you have a different password everywhere.

    I don't see why more people don't use KeePass or some other such software, it makes your passwords and accounts a lot more secure. And yes, strong passwords are better than short and easily guessed ones, especially in this case.
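    The "master password plus keyfile" property sopssa relies on is that the vault key is derived from both sources, so a keylogger that captures only the typed password cannot reproduce it. The Python below is an added illustration of that composite-key idea, not KeePass's actual file format or code: hashing each source separately, fixing their order, and stretching the concatenation with PBKDF2 is an assumed construction, and the HMAC "verifier" stands in for decrypting a real database.

```python
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 200_000  # assumed work factor for this example


def composite_key(master_password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Hash each key source on its own, then stretch the concatenation.
    Dropping the keyfile changes the input, so the derived key changes too."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        material += hashlib.sha256(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=32)


class Vault:
    """Stores only a salt and a keyed verifier; never the password or keyfile."""

    def __init__(self, master_password: str, keyfile: Optional[bytes]) -> None:
        self.salt = os.urandom(16)
        key = composite_key(master_password, keyfile, self.salt)
        self.verifier = hmac.new(key, b"vault-unlock-check", "sha256").digest()

    def unlock(self, master_password: str, keyfile: Optional[bytes] = None) -> bool:
        """True only if the same password AND the same keyfile bytes are supplied."""
        key = composite_key(master_password, keyfile, self.salt)
        tag = hmac.new(key, b"vault-unlock-check", "sha256").digest()
        return hmac.compare_digest(tag, self.verifier)


def make_keyfile(nbytes: int = 64) -> bytes:
    """Random keyfile contents, as a password manager would generate them."""
    return os.urandom(nbytes)


if __name__ == "__main__":
    kf = make_keyfile()
    vault = Vault("correct horse battery", kf)   # assumed demo master password
    print("password + keyfile :", vault.unlock("correct horse battery", kf))   # True
    print("password only      :", vault.unlock("correct horse battery"))       # False
    print("password + wrong kf:", vault.unlock("correct horse battery", b"x" * 64))  # False
```

    The keylogger case is the second line: the typed password alone derives a different key and the verifier check fails. If the attacker also copies the keyfile from disk, the protection is gone, which is the limit poetmatt raises further down the thread.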

  20. Dict' attack is sooooo 2000 by Opportunist · · Score: 3, Interesting

    Nobody brute forces anymore. Nobody. Any sensible password challenge/response system (I doubt there is such a thing if it relies only on that, but I ramble...) will lock you out and disable the account after so many tries, and usually the amount of tries is far lower than the threshold where guessing yields a meaningful chance to succeed. If it doesn't, steer clear of such a system altogether, if it doesn't come up with one of the simplest security "features", it probably is hellish insecure altogether.

    Take, just for example, various game account or freemail systems that let you retry infinitely, because their support would be flooded if they locked you out after 3 tries. Yes, you could keep guessing. And probably it is done. So a "strong" password means more security. Usually, no. Because they invariably also feature some braindead password recovery feature (ya know, the supersecret questions like "what was the name of your pet dog", again with infinite tries) that is usually even easier to defeat than the password guessing game.

    You can, essentially, really go back to "12345" style passwords. There are way more than three possible easy to remember passwords, from birthdays to loved ones' names to even your CC pin number, and three being the usual number of retries before lockout. And without lockouts, the average "guess-hacker" won't go for your password. They go for the other venues that are usually far easier to break.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Dict' attack is sooooo 2000 by complete+loony · · Score: 2, Insightful

      But then if you allow trivially simple passwords, but have thousands of login names in your system, then you pick a single common password and try it with a dictionary attack against every user instead...

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  21. Multiple Systems by woodchip · · Score: 3, Insightful

    Another hurdle to usability is when you have multiple systems at the workplace that require a rotating complex password where you can't remember what password belongs to what system. Where I used to work we would have a password for the NT/domain PC login, and a password for the UNIX terminal thing everyone had to log into to do anything. And within the software on the UNIX terminal they used, for certain subsystems there were "shared" passwords that never changed; while remembered, they were still semi-complex, e.g. a real word that substitutes a couple of numbers for letters. I counted once, I had to know 25 different passwords, two personal, and two "shared", to do my job, and I wasn't even working in an IT or IT-like position.

  22. Anonymous Coward by Anonymous Coward · · Score: 2, Insightful

    There's a bigger problem that I've yet to see written about and that's the shared username/password issue. I have at least 2 dozen different accounts, if you include Amazon, EBay, credit cards, bank account, youtube, blog/forums, etc. There's no way that I'm going to use different user names for each of them.

    And of course, I'm going to use the same passwords for the accounts as well. While I'm not too worried about using the same username + password for both Amazon and Ebay, what if I have the same password for MyFavoriteBlog.com. A single nefarious employee at a large blogging/forum site has access to many username/password combinations. What's to stop that user from trying those username/password combinations through eBay, every major bank, every major credit card, etc?

    In truth, I use different user names for more "secure" sites like Amazon and banks than I do for ones that I don't trust, but I'll bet that most people don't bother.
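    complete+loony's "one common password against every user" attack and the credential replay the Anonymous Coward describes above look the same from the defending server: one source touching many accounts with one or two tries each, which a per-account three-strikes rule never sees. The Python below is an added example, not anyone's posted code; the log line format, the sample lines and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict

# Assumed log format; real systems will differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOCKOUT_THRESHOLD = 3   # a three-strikes rule counts failures per account only
SPRAY_MIN_USERS = 5     # one source touching this many accounts is not a typo

# Constructed sample log, not from any real system.
SAMPLE_LOG = """\
2009-07-14T10:00:01 login result=FAIL user=alice src=198.51.100.7
2009-07-14T10:00:09 login result=OK user=alice src=198.51.100.7
2009-07-14T10:02:00 login result=FAIL user=mallory src=192.0.2.9
2009-07-14T10:02:03 login result=FAIL user=mallory src=192.0.2.9
2009-07-14T10:02:06 login result=FAIL user=mallory src=192.0.2.9
2009-07-14T10:05:00 login result=FAIL user=alice src=203.0.113.5
2009-07-14T10:05:01 login result=FAIL user=bob src=203.0.113.5
2009-07-14T10:05:02 login result=FAIL user=carol src=203.0.113.5
2009-07-14T10:05:03 login result=OK user=dave src=203.0.113.5
2009-07-14T10:05:04 login result=FAIL user=erin src=203.0.113.5
2009-07-14T10:05:05 login result=FAIL user=frank src=203.0.113.5
"""


def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def lockout_candidates(lines):
    """Accounts a per-account three-strikes rule would catch."""
    fails = defaultdict(int)
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            fails[ev["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)


def detect_spray(lines):
    """Flag sources that spread guesses across many accounts while
    staying under the lockout threshold on each one."""
    per_src = defaultdict(lambda: {"users": set(), "fails": defaultdict(int), "ok": set()})
    for ev in parse(lines):
        s = per_src[ev["src"]]
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"][ev["user"]] += 1
        else:
            s["ok"].add(ev["user"])

    alerts = {}
    for src, s in per_src.items():
        distinct = len(s["users"])
        worst = max(s["fails"].values(), default=0)
        if distinct >= SPRAY_MIN_USERS and worst < LOCKOUT_THRESHOLD:
            alerts[src] = {
                "accounts_tried": distinct,
                "max_failures_per_account": worst,
                "compromised": sorted(s["ok"]),  # accounts where the reused guess worked
            }
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lockout would catch:", lockout_candidates(lines))   # ['mallory']
    print("spray alerts       :", detect_spray(lines))         # only 203.0.113.5
```

    The per-account rule catches mallory hammering one login and nothing else; the per-source view is what surfaces 203.0.113.5, including the account (dave) where the reused password actually worked.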

  23. yup by Thaelon · · Score: 2, Interesting

    They make things hard on users, but are useless against phishing and keyloggers.

    Forcing users to change passwords does nothing against keyloggers either. But it definitely makes it easier to tell when a user has changed their password.

    They'll type the current known password, then tab or click, then type some new cryptic garbage, then tab or click, then the same cryptic garbage.

    But the worst possible password constraint I can think of is limiting the maximum number of allowed characters. I can think of absolutely no good reason for this restriction, yet large companies, such as Cedar Point's online reservation system, possess this restriction.

    --

    Question everything

  24. threat model by Tom · · Score: 3, Insightful

    As all things in security, it's not black and white.

    What exactly does "strong" mean? That's the important password.

    In most circumstances, your threat model why you need a "strong" password is password guessing. It is rarely an actual brute-force attack, because most systems these days prevent a brute-force attack (e.g. they lock you out or reset your password to a random one that they send you per mail if you try it more than X times).

    If your threat model does not include brute-force attacks, what you need is a "difficult to guess" password. That means you don't use "password" or "secret" and you don't use your own name, the name of your significant other or dog, your birthday and so on.

    And that's all there is to it, really. All the bullshit about using numbers, special characters, etc. is just that - bullshit. It's defense against a threat that's not important anymore.

    IANAL, but I am a security professional. Most of my passwords contain no numbers, and where the systems enforce them, there's usually a single number at the end or beginning. But I can type all my passwords in about a second on a standard keyboard. That makes shoulder-surfing a lot more difficult. In fact, I can make fairly good guesses at most "hunt and peck" people's passwords when I watch them type it in from across a small room. And the more difficult it is, the longer it takes them to type it in, and the easier it is for me to spot it.

    So it all depends on your threat model, as always. Know what you need to defend against, and you'll have a pretty good idea of how you need to defend.

    --
    Assorted stuff I do sometimes: Lemuria.org
  25. It's what the password's strong against by Todd+Knarr · · Score: 3, Interesting

    Conventional "strong" passwords protect against someone trying to guess or brute-force the password. They're really good at this.

    The problem is, few attackers try to guess or brute-force passwords anymore. It's too time-consuming and too readily detected. Most of them will try to get you to tell them the password by one means or another. Phishing e-mails, keyloggers, traffic sniffing, man-in-the-middle attacks, the whole point of all of them's to get your password directly without having to figure out what it is. And against that sort of attack, "secret" is precisely, exactly as secure as "wkL3jfo*Zle". To guard against those attacks you need to strengthen things other than the password itself. And part of what you have to harden against attack is the user themselves, which makes it unlikely you'll succeed.

  26. Re:HEY! by poetmatt · · Score: 2, Insightful

    Keepass only works so well if you have a keylogger AND configure it properly. If you have a trojan + keylogger where they can log the entry and download the file, the whole concept is moot.

    figure out your password + copy your credential + copy your keepass file? It's not like keepass originated yesterday.

    There is no perfect solution. There are "best practices" and that's about the best an average person can hope for.

  27. Re:HEY! by tnk1 · · Score: 3, Funny

    1-2-3-4-5?

    Newbs. The highly secure password on US Nuclear weapons used to be:

    00000000

    http://en.wikipedia.org/wiki/Permissive_Action_Link

    On the other hand, at least the US weapons actually have locks. Other countries' nukes don't.

  28. you know by nomadic · · Score: 3, Insightful

    What annoys me is when the security people demand passwords that are, in terms of strength, way out of proportion to the data they protect.

    My bank password? Yes, that should be strong. The forum where I go for auto repair advice? No, I shouldn't have to memorize an 8 character password with at least one upper case, one number, and one symbol character.

  29. Re:Now if only people would take this into account by tehdaemon · · Score: 2, Insightful
    You may not care if your account is compromised, but the forum may not want the flood of spam/crap that could result. I can't say for sure - but I wouldn't be surprised if this was the logic behind it.

    T

    --
    Laws are horrible moral guides, moral guides make even worse laws.
  30. Even Better by Zygamorph · · Score: 3, Funny

    Years ago one of my co-workers was asked by management to do a global password change on the systems (s)he supported. It was to be done late Friday afternoon for the "usual" reasons. The systems were such that you couldn't just expire them so they were individually reset to new ones. (S)He did this and then put post-its on everyone's monitor to let them know what their new password was when they came in on Monday. Shortly thereafter there was a new global password change.

  31. Re:I'll repeat what I've said before: Use sentence by S77IM · · Score: 2, Informative

    You should set your password to,

    I am a pedophile and this encrypted partition contains my child pornography.

    That way, if a court orders you to reveal your password, you can plead the 5th Amendment.

      -- 77IM

    PS. I am not a pedophile, and my encrypted partition contains no child pornography, just pirated movies and TV shows.

    --
    Student: Is it true that the foundation of the universe is paradox?
    Master: Well, yes and no.
  32. Re:HEY! by JWSmythe · · Score: 2, Insightful

    Keepass will work fine and dandy until enough people are using it where it's worth exploiting. The targets of most of this stuff aren't individual users. They're the broad audience, of which a percentage will do a compromising activity.

    I'll admit, I once worked for a company who sent spam. This was before the days of its evilness, and laws, and ... well, what it's become.

    The general thought at the time was, for every 100 emails sent out, there would be approximately 3 paying customers. Those were targeted towards previous account holders, which still is in the gray areas of legal. Even though the customer base continued to grow through this method, but more of affiliate marketing, the returns on sending the notices dwindled as spam became a bigger problem. 3% became 1%. We never sent any more mailings after the conversion rate dropped to something like 0.02%. I spoke with someone later (probably about 7 years ago) who was still in that business. He said no matter what the product was, the conversion rate was down to 0.0003%. That business folded from ISP pressures, and they went into the business of handling mailing list transfers. They acted as the neutral intermediary, to ensure both parties would be satisfied with the transaction. That dried up as the conversion rates dropped down below 0.0001%. Who wants to send 1 million emails, to make a single $29.95 sale? Well, they still try, or our spam boxes would be empty.

    The same will happen with this market. As users become smarter or have better technology protecting them, the market will dry up. But in our current state, key loggers grabbing passwords, bank info, etc, is a lucrative business. I am very happy to say that I have never, nor ever will, be involved in that line of work. It's one thing to market and sell something. It's another to blatantly steal from an oblivious user.

    How will this market dry up? It won't be better antivirus/antispyware applications. Those are just chasing the problem. How was a big dent put into the spam industry? Innovation and education. You can ask even the barely computer literate "Should you buy something from an email that someone you don't know sent you?". The majority of answers will be "No".

    Such malware isn't quite as in your face, and masquerades itself quite gracefully. If it's a well written piece, you'd never know it was there. Fortunately, most of them aren't as well written as they should be.

    --
    Serious? Seriousness is well above my pay grade.