Slashdot Mirror


Strong Passwords Not As Good As You Think

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.

28 of 553 comments

  1. News at 11 by sweatyboatman · · Score: 4, Insightful

    If your computer is hacked then you're boned.

    Seems to me that the solution is to have a strong password and keep your computer free of malware.

    Is that really so hard?

    --
    It breaks my pluginses, my precious!
    1. Re:News at 11 by DrLang21 · · Score: 4, Interesting

      There's another problem at the work place. I have to change my password every 4 months to a moderately strong password. It cannot be a password I have used in the last 6 months or any of my last 6 passwords. The result? My password is prominently tacked up on my cubical wall. Seriously I can only remember so many passwords before I just can't do it anymore. If I enter the wrong password 3 times, my account locks up.

      --
      I see the glass as full with a FoS of 2.
    2. Re:News at 11 by Tridus · · Score: 5, Insightful

      Yeah, this.

      "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

      Users have to be able to remember their passwords in order for this security to be of any use. Push them beyond that ability, and you're actively making the situation worse.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:News at 11 by Allicorn · · Score: 5, Insightful

      So write it down and put it in your wallet with your credit card.

      Unless - of course - you routinely tack your credit card to your cubicle wall. No? Didn't think so.

      --
      OMG!!! Ponies!!!
    4. Re:News at 11 by Talennor · · Score: 4, Insightful

      Do you have to enter your credit card number every time you want to access your computer? No? Well that's why it's in your wallet and not more easily accessible.

      --

      //TODO: signature
    5. Re:News at 11 by tie_guy_matt · · Score: 5, Insightful

      Another problem with password rules that rotate too fast and have too many rules is that you end up with many users who are locked out of their accounts. I imagine if the helpless desk gets 100 requests a day to reset account passwords then after a while they become less careful to ensure that the person requesting a password reset is actually the person that owns the account. Personally the more stupid password rules I encounter the more likely I am to try to come up with a password that is easy to guess (since I will be the one guessing the password in a little while.)

    6. Re:News at 11 by ArhcAngel · · Score: 5, Insightful

      Agreed, but what I find even more mind numbing is the places that require you to have a password that is between 6 to 10 characters in length (6 for a "strong" password and 10 because their system can't handle passwords any bigger) and must have at least two numbers in them as well as one upper case or some such. If the person/group trying to crack your system knows about these requirements (which isn't hard to find out if you plaster it on the logon screen) it greatly reduces the number of permutations they even have to try. You have basically handed them a filter and said "Don't bother looking for anything that doesn't contain the following....."

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    7. Re:News at 11 by bbernard · · Score: 4, Interesting

      This kind of thinking is, well, disappointing. Yes, it would be "easier" for you the user to not need such a strong password. That would be one way of looking at it. I think it would be easier, too, if I didn't need to look both ways for pedestrians while backing out of my driveway every day. What are the chances that I'm going to hit a pedestrian? Pretty small, but I need to look for them anyway.

      There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools.

      1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc.

      2. Teach yourself an easy way to create complex passwords. Use the first letter of each word in a silly phrase like "Snoopy Prefers @nchovies 0n his 8rick Oven pizza." (SP@0h8Op) Or pick some other way of remembering these things.

      3. Or, install a backup camera so you don't need to look around for those pedestrians.

      Just my 2 cents.

      --
      ----- Connection reset by beer
    8. Re:News at 11 by grumpyman · · Score: 4, Funny
      "Security" people who don't know anything about non-IT users like to make password rules that are so obtuse that normal users simply can't deal with them. The result is sticky noted passwords.

      .... while sys admin uses "admin" as password on servers/switches without the need to change, ever?

    9. Re:News at 11 by Deadstick · · Score: 5, Funny
      on my cubical wall

      Most of mine are planar...

      rj

    10. Re:News at 11 by the_one(2) · · Score: 4, Insightful

      If one assumes that the users are lazy and will only do the bare minimum that would mean (in order): 1 upper case letter, 3 lower case letters and 2 numbers. This would translate to 26 ^ 4 * 10 ^ 2 = 45697600 permutations. That wouldn't be very hard to crack. And that is without using dictionaries!
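
Comment 10's 26^4 * 10^2 figure counts one fixed layout of the bare-minimum characters; comment 6 makes the related point that advertising the rules shrinks the space an attacker has to cover. As an added example (not from the thread), the Python below computes that quoted figure, the same count over every ordering of positions, and the full set of policy-compliant strings via inclusion-exclusion, so a policy's actual keyspace can be compared against, say, a plain 8-letter lowercase password. Class sizes (26/26/10) and all function names are this example's own assumptions.

```python
from itertools import combinations
from math import comb

# Assumed character classes: upper/lower case ASCII letters and decimal digits.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10}


def lazy_minimum_keyspace(counts):
    """Passwords built from exactly the minimum required characters per class in
    one fixed layout, e.g. {"upper": 1, "lower": 3, "digit": 2} -> 26^4 * 10^2.
    This is the figure quoted in the comment."""
    total = 1
    for cls, n in counts.items():
        total *= CLASS_SIZES[cls] ** n
    return total


def lazy_minimum_keyspace_with_positions(counts):
    """Same bare-minimum choice, but counting every arrangement of the class
    slots over the positions (multinomial coefficient times per-class choices)."""
    remaining = sum(counts.values())
    arrangements = 1
    for n in counts.values():
        arrangements *= comb(remaining, n)
        remaining -= n
    return arrangements * lazy_minimum_keyspace(counts)


def compliant_keyspace(length, required):
    """Number of strings of `length` over the union of `required` classes that
    contain at least one character from each class (inclusion-exclusion over the
    classes that are left out)."""
    sizes = [CLASS_SIZES[c] for c in required]
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(excluded)) ** length
    return total


if __name__ == "__main__":
    lazy = {"upper": 1, "lower": 3, "digit": 2}
    print("bare minimum, fixed layout:  ", lazy_minimum_keyspace(lazy))
    print("bare minimum, any ordering:  ", lazy_minimum_keyspace_with_positions(lazy))
    print("all 6-char compliant strings:", compliant_keyspace(6, ["upper", "lower", "digit"]))
    print("8 lowercase letters, no rules:", compliant_keyspace(8, ["lower"]))
```

The last two lines of output make the policy trade-off concrete: every compliant 6-character string is still far fewer possibilities than an unconstrained 8-letter lowercase password, and the bare-minimum choice users gravitate to is smaller still.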

    11. Re:News at 11 by Inda · · Score: 4, Interesting

      Oh yes, oh yes indeed.

      Get yourself a little password bruteforcing app. One that does ZIP files as a starter as they are nice and easy.

      Play with it. It'll brute force dictionary passwords instantly. 8 letters in a couple of hours. 6 letters in a few minutes. On a crappy HP laptop, I might add.

      Add some CAPS, numbers etc and watch the times go in weeks, months, years.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    12. Re:News at 11 by Mr. Underbridge · · Score: 5, Insightful

      There are just some things that we all have to do, even if they are "hard." So may I suggest that instead of complaining that passwords are too hard to remember, perhaps you could try using a couple of tools. 1. Use something like password safe for all those "useless" passwords. You know, the ones for Yahoo, Google, Slashdot, etc

      Spoken like an ivory-tower admin with people skills worse than an angry badger. Some problems with that attitude:

      1. While you think your system is special, it's not to us. Yours is one of many systems for which we have to remember passwords.

      2. Systems that require such moronically complex passwords also require them to be changed. They also use slightly different rules so that passwords can't be exactly re-used. End result is that I've got about 40 passwords or their variants in recent use. No way I'm remembering that, and I'm smart. You can forget about the secretary.

      3. Admins that set up such systems generally forbid the use of password keychains.

      End result? At work, I have to remember passwords for about 8-10 systems, all with different rules and password expiration schedules. Naturally, each will lock you out after 3 tries. So what I generally have to do is, each time I've gone more than a week without using a particular system, I get the IT guy to reset the password. Only because I'm one of the good guys, I don't write them down. But I've been sorely tempted.

      You can either learn to work with people, or you can keep making unusable edicts that make it impossible for people to follow them. Just know that once you cross the "sticky note" threshold - and you appear to be well over it - your system is far more easily compromised than if you had implemented a sensible security policy in the first place.

      What admins usually forget is that security is inherently practical, not theoretical. Hackers will always focus on the weakest part of any secure system, not the strongest. Making it take 100 days instead of 10 to crack a password file doesn't accomplish anything, because they'll move on to another exploit. All you'll do is piss off your users and make it a lot more likely that passwords get written down. As Mitnick showed, the weakest link is usually human, and your approach makes that link far weaker.

    13. Re:News at 11 by AmberBlackCat · · Score: 5, Interesting

      At the places I've worked, I bet you can reduce the brute force time from years to seconds if you know the names of everybody's kids and pets...

    14. Re:News at 11 by sfarmstrong · · Score: 5, Funny

      I know! And "Area51" is like the only dictionary-like password within the constraints you describe, so I can crack the system in a single guess! And I'm practically guaranteed to get classified information with that kind of password!

    15. Re:News at 11 by CapnStank · · Score: 5, Interesting

      AmberBlackCat has it right. I worked in IT where there was 1 guy who COULDN'T understand the password reset procedure. Downside was that he always demanded that it be reset to his name (maybe a 123 or something added) but nothing more. Just so happens that his name was also the name of the company. Need to guess the password? I'd say you'd have a harder time NOT guessing it.

      And I don't blame him sometimes. He was 60+, computers were not his forte and he had to come up with a password that:
      A) Expired every 45 days
      B) Could not be manually reset to a password that's been used within the last 20 passwords
      C) 8+ characters long
      D) Numbers
      E) Capitals

      Hell, I've got 3-4 passwords that don't expire on the same sync so I'm slowly losing my mind trying to remember them within the 3 try lockout period. Sure, I can unlock myself but it's still crap trying to do it.

    16. Re:News at 11 by AliasMarlowe · · Score: 4, Interesting

      Pick one good password, don't let it get cracked, and you'll be fine, and your users/co-workers will be much happier

      That's the way we run our network at home.
      Unfortunately, at work it's different. There are several authentication empires large and small, each with differing password complexity requirements and with differing policies on password expiry and minimum difference from previous several passwords. There's the Oracle empire and the Siebel empire and the Notes empire, and two mutually-hostile LDAP empires. There are also a few minor authentication empires specific to other tools. There are probably other authentication empires/ghettoes for tools I don't interact with.
      The longest password validity is 90 days, for some systems it's 60 days. The shortest password acceptable to any system is 8 characters. All require upper and lower case, some require number and/or punctuation as well. Some don't count an upper case character if it's the first character in the password. Others don't count a number or punctuation if it's the last character in the password. So upper case, number, and punctuation have to be in the middle. One system requires that at least two characters in the password change type in each update (e.g. number becomes letter). Another system does not ever allow re-use of old passwords, claiming unlimited memory of previous passwords.
      The result? A few of the passwords are used regularly enough that they can be remembered, even with the updates every two or three months. Those used intermittently cannot be effectively committed to memory. So passwords are recorded on sticky notes under keyboards, scrawled on margins of wall calendars, on notepads in desk drawers, etc. Some keep them in plain-text files on their laptops. Our systems at home are more secure.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  2. c'mon by greebowarrior · · Score: 4, Funny

    surely we should all be changing our passwords back to "Joshua"?

  3. And this is news how? by damn_registrars · · Score: 5, Insightful

    I wouldn't expect that anyone smart enough to come up with a strong password would be dense enough to somehow expect it to be immune to keylogging. However with the number of brute force methods out there for cracking weak passwords, I don't see how this in any way reduces the value of strong passwords on systems where passwords are critical.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. Re:Throwing the baby out with the bathingwater? by Anonymous Coward · · Score: 5, Insightful

    Exactly.

    the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers.

    It's like saying that the locks on our doors aren't good enough anymore because people are breaking into our windows -- so we should stop locking our doors? Doesn't make sense either.

  5. Re:I'll repeat what I've said before: Use sentence by Nerdfest · · Score: 4, Funny

    Slashdot is an excellent source of many of these sentences, as with spelling mistakes they're even harder to brute-force.

  6. My password by Rik Sweeney · · Score: 4, Funny

    I sometimes set my password to ******** It sounds stupid but it has two advantages:

    1. I know that I've typed in a * because I can see it

    and, most importantly

    2. When I have to repeat my password to confirm it, I can just copy and paste the previous field, saving me literally seconds of typing

  7. Now if only people would take this into account... by Lendrick · · Score: 5, Insightful

    I signed up for a forum a couple of weeks ago. I used the same generic password that I use for every other throw-away site out there, so it's easy to remember the damn thing. When I clicked submit, I got an error message telling me that my password needs a number in it. So I append a '1' on the end to satisfy the filter, and click submit again. I get *another* error message telling me that it needs to be mixed case, so I capitalized the first letter. Now I'll forget the password and never be able to guess the damn thing again, so the next time I want to log in to whatever forum this was, I'll need it to send me an email with a reminder.

    It would be really nice if they'd just turn those damn filters off. This forum site isn't a bank. I couldn't give two shits if someone hacks my account there, not that my regular password is particularly guessable anyway. Seriously, my password to your dipshit forum shouldn't have to contain mixed case, three numbers, nine punctuation marks, Egyptian fucking hieroglyphs, and that goddamn symbol the artist formerly known as Prince uses. Failing that, it would be nice if they at least provided some instructions with the password box that say something to the point of "Capitalize the first letter of your generic password and append a 1."

    [/rant]

  8. Re:Throwing the baby out with the bathingwater? by maxume · · Score: 4, Insightful

    It's more like pointing out that a $25 lock is probably sufficient for a house with 25 glass windows (as opposed to a $100 lock).

    --
    Nerd rage is the funniest rage.
  9. Best Practices by Rob the Bold · · Score: 5, Insightful

    According to the article (cited by the citation): "Users are frequently reminded of the risks: the popular press often reports on the dangers of financial fraud and identity theft, and most financial institutions have security sections on their web-sites which offer advice on detecting fraud and good password practices. As to password practices traditionally users have been advised to . . . "

    -Choose strong passwords

    -Change their passwords frequently

    -Never write their passwords down

    I would suggest that this is a case for the popular quip: "Pick two".

    --
    I am not a crackpot.
  10. Re:HEY! by Yvan256 · · Score: 4, Funny

    1-2-3-4-5? That's amazing. I've got the same combination on my planetary air shield!

  11. Re:limited application by Opportunist · · Score: 4, Funny

    It's a sticky note with gibberish on the monitor. What could it be.

    A friend of mine had a genuinely clever idea for a password: The serial key on the back of the monitor of the guy sitting opposite of him. He has it right in front of him, it's completely impossible to guess, no sticky note giving it away and yet it's written down and won't go away or get lost.

    He only has to call IT every other year when they upgrade monitors.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Re:Woo hoo! by SlashBugs · · Score: 4, Funny

    "lepassword"?