Slashdot Mirror


Poor Passwords A Worse Problem Than Poor Antivirus

dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."


  1. Sunflowers aren't so bad by plover · · Score: 4, Insightful

    In TFA the author complains about "sunflowers", people who have passwords on post-its stuck around their monitor frame. The thing about post-its is that 89% of last year's credit-card breaches originated from sources outside the companies. And there is no malware possible that can read what's written on a post-it note.

    --
    John
    1. Re:Sunflowers aren't so bad by Shikaku · · Score: 4, Interesting

      And there is no malware possible that can read what's written on a post-it note.

      Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

      Or just walk in and look yourself.

    2. Re:Sunflowers aren't so bad by KeithIrwin · · Score: 5, Insightful

      I agree completely. I generally tell people that it's far, far, far better to have a strong password which you write down than a weak one which you can remember. Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

      It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea. As far as I can see, all they do is make it tougher for users to use strong passwords (due to being unable to memorize them), thus leading to weaker passwords and less security. An uncompromised password is an uncompromised password. They don't go stale.

      Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

      So the trade-off being made is that the system is now more likely to be compromised due to weaker passwords but in return, there's small chance that an attack will be stopped after the system has been compromised due to the password changing. That doesn't seem like a good trade-off to me. My best guess is that this advice is left over from a time when some systems had shared passwords. The regular password change was so that people who had been given the password to a system to do one thing wouldn't have access forever. Some places even used daily passwords so that they could give someone access for one day, but have their access reset the next day. But that advice has been carried over to individual user passwords in systems which use better access control technologies to manage access.

      These sorts of reports don't stop and analyze what constitutes good password management. They just say "Passwords should be changed regularly. It must be true because everyone is saying it. This company doesn't change their passwords regularly, so they have poor password management." As such, they aren't really a good assessment of the problem.

    3. Re:Sunflowers aren't so bad by grumbel · · Score: 5, Insightful

      Simply moving the post-its from the monitor to a locked desk drawer would do a lot to decrease the security risk of writing them down.

      Or better yet, store it in your wallet. A place that is safe enough for your money, credit cards and car keys should be safe enough for a bunch of passwords. One could of course go one step further and get rid of passwords altogether and use a secure authentication device instead; with USB being commonplace everywhere, it shouldn't be too hard to just use a USB device that does the authentication and encryption in a secure and easy to use manner.

      The core problem isn't that users choose insecure passwords, that's just human nature; the core problem is simply that hardware and software developers haven't built systems that work well enough with this "flaw" of human nature.

    4. Re:Sunflowers aren't so bad by exley · · Score: 4, Interesting

      OK so I went and searched for "office security cameras" and that pretty much just turned up companies selling cameras. I then tried "office security cameras HOT XXX ACTION" and that DID yield me some results... But no passwords on sticky notes :( Rule 34 should kick in eventually, though, right?

      Seriously though, I'm guessing most office security cameras are too low-res and they give a wide-area view so as to make it pretty damn difficult to be able to get someone's PW that way.

    5. Re:Sunflowers aren't so bad by MadnessASAP · · Score: 3, Informative

      Try searching for "axis-cgi", you may be surprised what you can find.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    6. Re:Sunflowers aren't so bad by techno-vampire · · Score: 2, Interesting
      It's also not even vaguely clear to me why people feel that regular password changes are helpful or a good idea.

      I spent time doing tech support for an ISP. As part of my job, I needed to log into a web page. The server was inside the office firewall, and nobody outside it could log in. Not only were we required to use ten-character passwords (Upper, lower, numeric and punctuation all required.) they expired every sixty days. There was no possible way for an outside attacker to reach that web server, no way that constantly changing our passwords made anything more secure, but we had to do it, probably because somebody in IT realized that they could set it up that way and decided that if they could force passwords to expire, they should, whether it helped or not. What made it worse was, all the Certificates expired and nobody ever bothered to update them. This wouldn't have been so bad (You tell your browser to accept it, and the problem goes away.) but our boxes were locked down so badly that telling the browser that the cert's OK didn't survive a reboot, meaning you had to go through the same song-and-dance several times a day.

      --
      Good, inexpensive web hosting
    7. Re:Sunflowers aren't so bad by brentonboy · · Score: 3, Insightful

      And there is no malware possible that can read what's written on a post-it note.

      Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.

      Or just walk in and look yourself.

      Seriously? No security camera will have a resolution high enough to actually read what's written on a post-it note, assuming it's even in focus. It's not like on TV where you can just "zoom in, and enhance." Probably the best you could get would be to see a vaguely "sunflower" shaped monitor, as described.

    8. Re:Sunflowers aren't so bad by ScrewMaster · · Score: 3, Insightful

      Or better yet, store it in your wallet. A place that is safe enough for your money, credit cards and car keys should be safe enough for a bunch of passwords.

      Huh? That's not very good advice. If someone steals my wallet, they get access to whatever cash I have in it, and some easily-replaceable plastic. If I report the loss/theft promptly, my liability is limited.

      On the other hand, if I put passwords to my important online services there (such as my bank account, 401K, etc.) I could find those assets gone forever. If I have passwords to my company's systems there, they also could be compromised, and it would be my fault for storing those passwords in such a readily accessible place. A wallet is not secure, was not intended to be secure, and is something people carry around out of necessity, and the thought of losing it is a source of constant worry. Plus which, there are people who specialize in relieving us of the burden of carrying said items, you know ... they're called "pickpockets."

      Also, the problem with carrying around a "secure authentication device" is that very few services support them. Well, not in the U.S. anyway, and that's where I live. And even if you are able to use one, you'll probably still require a PIN of some kind. Probably not a good idea to put that in your wallet either.

      Regardless, you are absolutely correct that people not thinking things through and concerning themselves solely with convenience is human nature. Me, I use difficult passwords and I make the effort to a. memorize them and b. change them now and then. But that's me: few computer users are willing to work that hard, and I also agree with you that they really shouldn't have to. However, the core problem isn't so much hardware and software developers: the problem is that the people in charge of the financial systems in many countries just don't see the investment in secure transaction handling to be worth the money. It's cheaper to pay their insurance underwriters and just charge off the fraud. Of course, the fact that some number of citizens get totally fucked over every year is just acceptable collateral damage.

      The United States' banking system is horribly insecure at pretty much every level, and I don't see that improving any time soon because it would cost a lot of money. A good first step might be getting rid of Diebold (I mean, come on, a Windows-based ATM?) but I don't see that happening soon either.

      --
      The higher the technology, the sharper that two-edged sword.
    9. Re:Sunflowers aren't so bad by mwbeatty · · Score: 2, Funny

      But they do it on TV all the time! You mean the technology on those cop shows isn't real?

    10. Re:Sunflowers aren't so bad by plover · · Score: 4, Insightful

      Regular password changes don't help decrease the likelihood of a system being compromised, they just offer some mitigation in the event that it has been compromised. However, given that an attacker probably will need only a few hours or days to slurp plenty of information or do plenty of damage, rotating passwords monthly isn't even likely to mitigate the compromise much.

      Many of the really big credit card attacks (TJX, Network Solutions) took place over several months (or years), harvesting on-line transaction data. We have no way of knowing if the passwords were rotated during the course of the attack if that would have shut down the attackers. Network Solutions was PCI DSS rated, which means they had a password rotation policy in place, and their attack continued from March through June. We can probably assume the attackers seized the first opportunity to create a back door that they could use in the event the passwords were changed, so a rotating password would have had no effect on them.

      --
      John
    11. Re:Sunflowers aren't so bad by plover · · Score: 2, Informative

      You can certainly take a little responsibility for your own security. You don't have to write down the whole password, or you can obscure it in some way that you remember. If your password is aRgLeBaRgLe123 you can just write down "aRgLeBaRgLe" and remember that you glue 123 to the end of all your passwords, or write down "arglebargle123" knowing that you always cApItAlIzE eVeRy oThEr lEtTeR. For most people, the people who have physical access to their screens are less likely to be sophisticated attackers than your average network hacker.

      Of course you still have to make sure that nobody learns any of your passwords, because they'll easily figure out your simple obscuration scheme.

      Years ago I had all my various credit card PINs written and stored in my wallet with the cards, but I knew I had an offset to add to each before using it. The offset was the PIN for my main bank card, so it was something I already remembered. (I have since divested myself of all those extra cards, so I don't have the paper any more.)

      All that said, I still don't write down or save my secure work or banking passwords. I'll write down stupid web site passwords, but not anything that puts me or the company I work for at risk.

      --
      John
    12. Re:Sunflowers aren't so bad by Tom9729 · · Score: 2, Insightful

      I don't think it's really that big of a problem. First of all if you have passwords written down in your wallet and someone steals it, they're still going to have to figure out your username (unless you wrote that) and what password is for what service, what bank you use, etc. In the meantime you could just change all of your passwords to be safe.

      Of course this wouldn't work if you didn't know your wallet was stolen (if they copied your passwords and returned it before you knew it was missing), but it seems like that would be a pretty targeted attack...

      There's nothing wrong with ATMs running Windows, OS/2 or whatever as long as it's set up right. An ATM should NEVER be hooked up directly to the outside network (no matter what OS it is running), and should always be physically secured (in a very visible location, watched by cameras 24/7, etc).

    13. Re:Sunflowers aren't so bad by Ronald+Dumsfeld · · Score: 3, Interesting

      Good password policy...

      Strong, not written down, regularly changed

      Pick Two.

      --
      Where's the Kaboom?
      There's supposed to be an Earth-shattering Kaboom.
    14. Re:Sunflowers aren't so bad by ScrewMaster · · Score: 2, Informative

      There's nothing wrong with ATMs running Windows, OS/2 or whatever as long as it's set up right.

      But they're not. Many are run through the public Internet (and there are many known instances of them having been compromised, either directly by thieves or indirectly through worm infestations) and furthermore Diebold is not a company that can be trusted to set them up correctly. That's also pretty clear, given their track record. And I disagree with you that there's nothing wrong with an ATM running Windows. In fact, I don't really know where to begin a response to that statement.

      --
      The higher the technology, the sharper that two-edged sword.
    15. Re:Sunflowers aren't so bad by flappinbooger · · Score: 4, Interesting

      As someone who does IT and computer work "in the field" for small local businesses in a small midwestern town, the "Just walk in and look" thing is more true than you might think. If you look like a clean-cut semi-geek with a laptop and an air of confidence, all you need to do is walk in.

      Go up to the bored and underpaid secretary/receptionist who doesn't really give a flock, and say you're there to fix the computer in the back, or to fix the printer, whatever. Most likely they'll say "yeah, sure, whatever" and let you go on because they don't care, don't know, and most places DID have problems with the computer/printer/whatever the day before, and she will assume the owner called you.

      Memory stick with a few choice apps, clickety click, and you can own the place whenever you want and nab whatever you want.

      Oh, and all the passwords are either on a post-it on the monitor, under the keyboard, or are some variant of Password. Or, everyone knows it because it's the dogs name and ALL the passwords are the same.

      "Oh, hey, can you give me the password real quick for this workstation right here?" (wants to be helpful and is embarrassed because they don't know jack about computers) "Sure, it's password123!"

      One time the manager of a chiropractic/PT place was giving me access to the server because she needed me to do something, and I watched her peck in the password at 1 WPM. The password was "SPRAIN". I about busted out laughing.

      Way too many places that should have security - lawyer offices, medical offices, have open APs and crap security. Actually, NO security. No backup, either. I'm turning things around as I go.

      --
      Flappinbooger isn't my real name
    16. Re:Sunflowers aren't so bad by SlashWombat · · Score: 2, Insightful

      Especially since jpeg/mpeg gets a large percentage of its compression through deleting high frequency detail during the DCT pass. So unless the note is very close to the camera, the text will disappear in the compression process!

      The thing that really is a pain is the IT admin insisting on monthly changes to the password. So you might use a strong passphrase (say 20 characters long) but in the end you use the minimum, and put it on a post-it note so you don't lock yourself out of the system. (And, since most IT admins think they're related to god, asking them for help is like grovelling in shit, something very few people enjoy!)

  2. It's all down to ridiculous password rules... by musefrog · · Score: 5, Interesting

    I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anaesthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!

    1. Re:It's all down to ridiculous password rules... by bcmm · · Score: 3, Insightful

      And Linux has had Pluggable Authentication Modules since 1996. It currently supports, among other things, smart cards, fingerprints, passwords and a bunch of different hardware crypto devices.

      --
      # cat /dev/mem | strings | grep -i llama
      Damn, my RAM is full of llamas.
    2. Re:It's all down to ridiculous password rules... by Artifakt · · Score: 2, Interesting

      The wallet idea works safer if you don't write the password, but an 'un-mutated' version of the password, and you know the rule you use to mutate all your passwords. If you can disguise what's written down so it doesn't look like a password, even better. Jot some name (Lucinda Mott), and address (1630 N. Highway 33, Mesa City) on the back of a business card, with a note like 'carries Valmont brand 3/8ths tubing - closes early Fridays - call Dodge city branch', and let anyone who steals your wallet guess which part of all that is the cue to your password. You can even use dates with this system to let you pick out the current password, just leave the old ones in your wallet too - that actually makes it harder for a pickpocket to spot.

      One way to make an actual word safer (at least from your cohorts at the office), is just to pick something you have no interest in, if you can avoid becoming interested in it just from picking it. If you are in your 20s, and learn the name of a song Frank Sinatra got a Grammy for, and the year, who's going to guess something permuted from that, by a rule such as "reverse the date and put it in the even numbered characters of the password", especially if you don't write the rule down. Yet you can remember a system like this more easily by far than a truly random password.

      I base this on having once cracked a machine on the first try, when a National Guard NCO that was former Navy dared me to - (Hint, most sailors get assigned to just one ship their whole hitch, and it's a big deal to them, as in they usually have a picture or two around standing on the dock in front of their ship, and OMFG, those ships have names painted right on their bows!). I told this person some of the above methods, and kept testing until he got something I wouldn't guess quickly (which took about three tries - Hint 2, If you talk NASCAR all the time, don't be surprised when someone else tries a few variations on your favorite driver and their car number.). I don't know what he came up with eventually, but it was evidently something actually tricky, because we had a change passwords every month rule and after the first few months, he got to where I couldn't get a one of them. (Yes, it was part of my job description to bug half a dozen people this way.)

      --
      Who is John Cabal?
  3. My password isn't guessable. by XPeter · · Score: 3, Funny

    It's password! How ingenious is that?

    Oh, wait...

    --
    "The difference between genius and stupidity is that genius has its limits" - Albert Einstein
  4. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  5. Arora by Sir_Lewk · · Score: 4, Interesting

    It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first web browser I have actually liked in several. I would definitely consider it the best OSS web browser on linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  6. Biometrics by the_macman · · Score: 2, Interesting

    What's wrong with biometrics? Maybe somebody could explain to me why more keyboards don't ship with biometrics built in? Instead of remembering 25 different passwords each with their own ridiculous rules you could just scan your finger. It could even work when you want to make a CC purchase or login to your email.

    1. Re:Biometrics by Hal+The+Computer · · Score: 4, Informative

      Okay, I'll bite. Because you're too cheap. Seriously, biometrics that actually work (are hard to fool) are going to make your keyboard several hundred to several thousand dollars more expensive.

      Those fingerprint readers that come for "free" built into laptops are snake oil.
      Some educational reading:
      http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
      http://mythbustersresults.com/episode59

      --

      int main(void){int x=01232;while(malloc(x));return x;}
    2. Re:Biometrics by KeithIrwin · · Score: 4, Insightful

      The problem with biometrics is that they aren't secrets and they aren't changeable. As such, they're fine for low-security in-person authentication. For example, I've heard of a restaurant which had their wait staff punch in by scanning their finger prints. That's fine. But if you use it to control access to the VPN, then that's problematic due to the non-changeability.

      Here's why:
      Let's assume that you are an employee who runs Windows at home. You keep up with the latest patches and don't do anything stupid. You probably even run Firefox. But still, someone manages to slip through an unpatched bug and infect your system. It can happen to just about anyone. They then install a back door and start logging what's going on in your system. They notice that you connect to a VPN so they start sniffing your USB traffic so that they can appear as you (recording either your password or your fingerprint). Now they can get into your company's VPN. It's compromised. Fortunately, your IT guy is on the ball. At 11am the next day, you get a call from your network admin asking you if you are signed into the VPN because he expects that you're in the office, but you also appear to be signed in remotely. You confirm that you are not signed in and the two of you realize that you've been hacked. He temporarily disables your access. You go home, clean up your home computer (assuming that you can) or bring it in to have them clean it up, and then it's time to give you access back.

      Now here's where things diverge. If you've used a password, you just have to change your password to a new one, and it's secure again. Your fingerprint isn't changeable. Obviously, you can switch to a different finger, but that's a limited strategy since you've only got 10 of them (well, maybe slightly more or less if you were born with extra fingers or have lost some in accidents). I suppose once you're out of fingers, you could use toes, but I doubt most users would be willing to. This becomes especially problematic if any non-hashed versions of things are stored (as often must be done for fuzzy matching) because if the database gets compromised, every single person would need to change to a new finger. You also wouldn't want to use the same finger for your work password as you use for your bank. So, a total of 10 may seem like a lot, but over the course of a lifetime, you're almost certain to run out. Other biometrics are even more problematic since people have at most two irises, only one voice, only two sets of hand geometry, etc.

      The non-secrecy can also be a pretty big issue, although that one usually only comes up with insider attacks since they generally have to know you in person. Let's say you use the fingerprints for controlling access to the company database. Now, Alice is a supervisor in payroll accounting and can change people's salaries in the database. Eve works sales and is clever and unscrupulous. Eve invites Alice over to dinner, and after she's left, lifts her fingerprints from her wine glass or the glass table top or almost any other smooth surface she's touched. Heck, she might even be able to get it from a door knob at work if she's careful. Once Eve has the fingerprint data she can then log-in over the network to the database.

      The banking situation would be even tougher because you would expose your fingerprint when you use an ATM. All an attacker would have to do is wipe the buttons and/or fingerprint scanner clean before you use it and then lift your print from the machine when you're done.

      Alice can keep her password in her head, or if it's too hard to keep in her head, she can write it down and keep it in a locked drawer in the office. This isn't absolute security, especially since keys can be duplicated from pictures of them, but would at least require that Eve physically break into the office. But still, her password at least starts out as a secret unknown to anyone else. Her fingerprints are not secrets. Using your fingerprint as your password is like writing you pas

  7. I have an idea. by neokushan · · Score: 4, Interesting

    I'd like to make a proposition to everyone on slashdot.

    For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:I have an idea. by Headrick · · Score: 3, Interesting

      Agreed, but unfortunately it's not that easy. I just started a new job and got my AMEX corporate card in the mail today. The online account had a maximum password length of 8 characters with no special characters allowed. A phrase would never work when we have companies that are still limiting their passwords to 8 characters.

    2. Re:I have an idea. by lgw · · Score: 2, Insightful

      No, no, and no.

      Stop making life hard on users for no real gain in security. Make a system that is secure with a 4-digit PIN. It's easy, and there's really no reason not to use two-factor authentication these days except (a) you don't really care about security, or (b) you actively hate your users, and a passphrase is as close as you're allowed to come to hitting them with a hammer whenever they log in.

      I realize (b) is common, but it still doesn't make for good security.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  8. Author parrots common fallacy by whoever57 · · Score: 5, Insightful

    The author parrots out the common fallacy that passwords have to be changed frequently:

    Even worse, good password management requires frequently changing passwords - every 30 to 60 days is the standard. Rotating passwords more frequently--every 15 days or so--is possible, but the panelists say it creates more of a management and user headache that leads to more sunflowers by users whose memories can't keep up with changes.

    Until people get over this misconception and communicate to their users: "give yourself a good password. I won't ask you to change it so you can pick a strong password that you will remember and that will be the end of memorising passwords" Then stress what makes a strong password.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Author parrots common fallacy by dotgain · · Score: 3, Insightful

      This.
      Password rotation is dumb dumb dumb dumb dumb. At least half of my users would have mentioned the annoyance of changing passwords, many tell me the exact process they use to circumvent it while doing so.
      But my hands are tied, because twice a year the auditors come in, and if I don't have a password rotation policy he'll tell my boss, who'll then tell me to implement it. I've tried to reason with him, but passing the audit was more important. Beancounters in charge of IT FTW.

    2. Re:Author parrots common fallacy by ScrewMaster · · Score: 4, Informative

      Just assign the damn things! When I was in college (about thirty years ago, now) the school's mainframe would assign users a strong password when you got your account. Choosing a poor one wasn't an option. The system did manage to come up with interesting and easy-to-memorize combinations, I must say. It was actually fairly impressive: I never saw anyone writing down their password because they didn't need to. However, they weren't just random combinations of characters, and they weren't subject to a dictionary attack.

      Depending upon individuals to come up with strong passwords is utterly hopeless: you tell them what their password is. However, you can't just give them something like "pz039yq53t" because they'll get frustrated and stick it on a Post-IT note. Come up with an algorithm that generates strong but easy-to-remember passwords and you'll be in good shape.

      --
      The higher the technology, the sharper that two-edged sword.
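One way to hand users an assigned but memorable password, as an added example (not the mainframe scheme ScrewMaster describes): the word list is a constructed toy of 64 words, and the entropy arithmetic shows why a real list must be far larger before a phrase resists a dictionary attack.

```python
import math
import secrets

# Constructed toy list (64 words, so 6 bits per word). A real deployment would
# use a list of several thousand common words, e.g. the 7776-word Diceware list.
WORDS = (
    "apple bread cloud dance eagle flame grape house ivory judge knife lemon "
    "maple night ocean piano queen river stone table uncle valve water xenon "
    "yacht zebra amber blaze coral drift ember frost globe honey inlet jewel "
    "karma lunar mocha north olive pearl quartz ridge scarf tiger umber vivid "
    "whale yield zonal arrow bench cedar delta elbow fable gamma haven index "
    "jolly kiosk lodge mason"
).split()
assert len(WORDS) == 64


def entropy_bits(list_size, word_count):
    """Entropy of a phrase of word_count words drawn uniformly from list_size words.

    A dictionary attack on such a phrase must try list_size ** word_count
    combinations, which is exactly 2 ** entropy_bits, so this is the number
    that matters, not the character length."""
    return word_count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def assign_passphrase(target_bits=60, words=WORDS, sep="-"):
    """Generate the phrase the user is handed instead of being asked to invent one.

    secrets.choice is a CSPRNG; random.choice would be predictable to anyone
    who can guess the seed."""
    count = words_needed(len(words), target_bits)
    return sep.join(secrets.choice(words) for _ in range(count))


def check_phrase(phrase, words=WORDS, sep="-"):
    """Return (all words come from the list, number of words) for a generated phrase."""
    parts = phrase.split(sep)
    return all(p in words for p in parts), len(parts)


if __name__ == "__main__":
    phrase = assign_passphrase(60)
    print(phrase, check_phrase(phrase), entropy_bits(len(WORDS), check_phrase(phrase)[1]))
```

With the 64-word toy list, 60 bits takes ten words; with a 7776-word list the same strength takes five and 77 bits takes six, which is why list size does most of the work.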
  9. Poor passwords in TV shows by Kligat · · Score: 2, Funny

    When the password is the name of the computer owner's son, daughter, or significant other, why is it that the main character never has to fiddle around altering names by replacing random letters with 1337 or @, $, and # signs?

    1. Re:Poor passwords in TV shows by techno-vampire · · Score: 2, Informative

      Script writers do that for a very good reason: timing considerations. A TV drama has a one-hour time slot, minus time for commercials, opening and closing; probably about 40 minutes or so for the story. Fiddling around with creative misspellings of names takes time and doesn't move the story along. It's the same reason, BTW, why when somebody on TV turns on the news, the story they're looking for is just starting.

      --
      Good, inexpensive web hosting
  10. The Article is poor.... by Manip · · Score: 4, Informative

    The article repeats the same Myths of password security that we have been repeating for the last thirty years. Let me review them for you:
      - Password Length is important
      - Password Complexity is key (e.g. A-Z with at least one special, one number)
      - Password Expiration is important

    Like all good myths these have elements of truth in them but fail to really hit the nail on what the problems actually are, or namely:
      - Strong login auditing is important (failed attempts, unusual patterns, etc)
      - Login speed should be throttled (e.g. No 60/guesses per minute)
      - Failed logins should be capped (e.g. Login wrong five times? Consult technical support)

    Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five. If you tried to spread out the attempts over several weeks (making it slower still) the audit logs should be alerting the administrator to 14/failed attempts per week from China.
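
The three controls listed in the post above (login auditing, throttling, a failed-login cap), as an added example that is not part of the thread: a small login guard in Python run over constructed attempts. The account names, source addresses, thresholds and timestamps are all made up for the demonstration; `password_ok` stands in for the real credential check.

```python
"""Added example (not from the Slashdot thread): the three controls Manip lists,
as a small login guard run over constructed events.

  - per-account failed-login cap: lock after five failures, owner included
  - per-source throttling: a source gets at most N guesses per minute
  - audit alert: a source that accumulates failures over a week is flagged

All account names, addresses, thresholds and timestamps are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_FAILURES_PER_ACCOUNT = 5        # "login wrong five times? consult support"
MAX_ATTEMPTS_PER_MINUTE = 10        # per source, well below 60 guesses a minute
AUDIT_WINDOW_SECONDS = 7 * 24 * 3600
AUDIT_FAILURE_THRESHOLD = 10        # slow-and-low: many failures spread over a week


@dataclass
class LoginGuard:
    locked: set = field(default_factory=set)
    failures_per_account: dict = field(default_factory=lambda: defaultdict(int))
    attempts_per_source: dict = field(default_factory=lambda: defaultdict(deque))
    failures_per_source: dict = field(default_factory=lambda: defaultdict(deque))
    alerts: list = field(default_factory=list)

    def attempt(self, ts: int, source: str, account: str, password_ok: bool) -> str:
        """Return 'allowed', 'locked', 'throttled' or 'denied' for one attempt."""
        if account in self.locked:
            return "locked"
        recent = self.attempts_per_source[source]
        while recent and ts - recent[0] >= 60:      # drop attempts older than a minute
            recent.popleft()
        if len(recent) >= MAX_ATTEMPTS_PER_MINUTE:
            return "throttled"                       # password is not even evaluated
        recent.append(ts)
        if password_ok:
            self.failures_per_account[account] = 0   # success resets the account counter
            return "allowed"
        self._record_failure(ts, source, account)
        return "denied"

    def _record_failure(self, ts: int, source: str, account: str) -> None:
        self.failures_per_account[account] += 1
        if self.failures_per_account[account] >= MAX_FAILURES_PER_ACCOUNT:
            self.locked.add(account)
        window = self.failures_per_source[source]
        window.append(ts)
        while window and ts - window[0] > AUDIT_WINDOW_SECONDS:
            window.popleft()
        if len(window) == AUDIT_FAILURE_THRESHOLD:   # fire once, when the threshold is hit
            self.alerts.append(f"{source}: {len(window)} failures in 7 days")


def run_demo() -> dict:
    """Three constructed scenarios; returns the guard's verdicts and alerts."""
    g = LoginGuard()
    out = {}
    # 1. five wrong guesses on one account lock it, even for the real owner afterwards
    burst = [g.attempt(t, "10.0.0.5", "alice", False) for t in range(5)]
    burst.append(g.attempt(5, "10.0.0.5", "alice", True))
    out["burst"] = burst
    # 2. one source trying many accounts inside a minute hits the throttle
    out["spray"] = [g.attempt(100 + i, "10.0.0.9", f"user{i}", False) for i in range(12)]
    # 3. one failure every 12 hours from one source never trips the throttle
    #    or a lockout, but the weekly audit window still raises an alert
    out["slow"] = [g.attempt(1000 + i * 12 * 3600, "203.0.113.7", f"acct{i}", False)
                   for i in range(10)]
    out["alerts"] = list(g.alerts)
    out["locked"] = sorted(g.locked)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The third scenario is the one the post calls out: no single minute or single account looks bad, so only the per-source window over a long period catches it, which is why the audit log matters as much as the throttle.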

    1. Re:The Article is poor.... by blincoln · · Score: 2, Informative

      Now we are talking about password security. You can also throw on a five length minimum. Now even if your password was "password" they would still find it extremely difficult to compromise the system since it would be slow and would break after the first five.

      The reason length is important is because there are ways to crack most types of password that don't involve going through the same interface that an interactive user would.

      For example, on Windows you can get ahold of the password hashes either off of a domain controller or with network sniffing software. Then you can make any number of cracking attempts offline. Or you can just use a rainbow table system like Ophcrack and do a reverse lookup in a matter of minutes on the hash of virtually any password less than 15 characters long.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    2. Re:The Article is poor.... by Coriolis · · Score: 3, Informative

      Oh, come on.

      If you're in a pure Windows 2000 or greater environment, you can turn off NTLM and LM altogether. This reduces you to sniffing Kerberos packets, which are substantially harder to crack - you're talking hours for a single weak password. And you've still got to be on the same network segment.

      As for getting the hashes off the domain controller, by what magic do you intend to obtain sufficient remote access to a properly-secured DC? That's the equivalent of saying that if you don't use shadow passwords it's really easy to crack UN*X. Well, duh.

      --
      Rgasuya aata! : I have been coding Perl and cannot tell where my fingers are now!
  11. No Surprise by virtual_mps · · Score: 2, Insightful

    This is probably because most security assessments aren't very good and don't correlate well to an organization's actual security problems. At least the assessments help people get rid of all that extra money they have.

  12. poor password policies by mayberry42 · · Score: 4, Interesting

    I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password making the whole damn thing impossible to remember. So, what did people do? They wrote them down in little sticky-notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity.

    Due to a recent identity-theft scare I had the other day, it made me realize the importance of safeguarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've never since had to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02

  13. Maybe not such a good idea... by musefrog · · Score: 3, Insightful

    I've come across one (badly coded) site where that strategy backfired on me. I typed my standard use-it-for-non-critical-sites 15 character passphrase - all seemed well and good. But then, when I tried to log in, it kept telling me I had the wrong password.

    Turns out their form only saved the first 12 or so characters - but they hadn't limited how many characters you could type into the field, so I didn't know I'd typed too many. And guess what - the login form accepted more than 12 characters! Hence my borked login.

    Fortunately I think that flaw got fixed when they upgraded their site, but I wonder how many more sites out there are broken like this...

    1. Re:Maybe not such a good idea... by KeithIrwin · · Score: 3, Insightful

      I use PasswordMaker for website passwords (as everyone should) with a 16 character password length. I've probably run into a half dozen sites which have silently removed the last 4 or 8 characters, cutting it down to 8 or 12 characters. I've also run into several which strip out "special" characters (single or double quotes, slashes, spaces, parentheses, or whatever else they feel threatened by) in an asymmetric manner. That is, they remove them from the password before they store it in the database but not when you type it in or vice versa. It's a real pain.

      I've also had other sites which simply reject my password because of excessive length or because it contains "special" characters. Any place which can't accept any password I give them is doing a terrible job of securing their users' accounts.
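
The silent-truncation bug musefrog ran into, and the asymmetric stripping KeithIrwin describes, both come from the two login paths treating the password differently. Below is an added example (not code from the thread or from any site mentioned in it) showing a buggy registration/login pair beside a fixed one in Python. The 12-character column limit, the 1024-byte hard limit, the username and the sample password are constructed; hashing uses PBKDF2 from the standard library.

```python
"""Added example (not from the thread): a site that truncates the password
only when storing it, beside a version where one normalization function is
used on both paths and overlong input is rejected instead of chopped.
COLUMN_LIMIT, MAX_PASSWORD_BYTES and the sample user/password are constructed."""
import hashlib
import hmac
import os
import unicodedata

COLUMN_LIMIT = 12          # constructed: the "first 12 or so characters" the buggy site kept
MAX_PASSWORD_BYTES = 1024  # constructed hard limit: reject beyond this, never truncate


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class BuggySite:
    """Truncation happens on registration only, so the full password never matches."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        stored = password[:COLUMN_LIMIT]            # silently chopped to fit the column
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(stored, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(password, salt), digest)  # full password here


class FixedSite:
    """Both paths call the same normalize(); length problems are an explicit error."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def normalize(password: str) -> str:
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            raise ValueError("password too long")  # tell the user, don't truncate
        # Same canonical Unicode form on both paths; no characters are stripped,
        # so quotes, slashes and spaces survive identically at register and login.
        return unicodedata.normalize("NFC", password)

    def register(self, user: str, password: str) -> None:
        pw = self.normalize(password)
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(pw, salt))

    def login(self, user: str, password: str) -> bool:
        pw = self.normalize(password)
        salt, digest = self.users[user]
        return hmac.compare_digest(_hash(pw, salt), digest)


def demo(password: str = "correct horse battery") -> dict:
    """Register the constructed user on both sites and try the full password
    and its 12-character prefix against each."""
    buggy, fixed = BuggySite(), FixedSite()
    buggy.register("musefrog", password)
    fixed.register("musefrog", password)
    return {
        "buggy_full": buggy.login("musefrog", password),                 # False: locked out
        "buggy_truncated": buggy.login("musefrog", password[:COLUMN_LIMIT]),  # True: only the prefix works
        "fixed_full": fixed.login("musefrog", password),                 # True
        "fixed_prefix": fixed.login("musefrog", password[:COLUMN_LIMIT]),  # False
    }


if __name__ == "__main__":
    print(demo())
```

One caveat worth knowing when choosing the hash: bcrypt only uses the first 72 bytes of its input, so a site that hashes with bcrypt and advertises longer passwords has a truncation of its own, which is another reason to pre-hash or to state the real limit up front rather than accept input it will not use.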

  14. Re:mod down by Nerdfest · · Score: 2, Funny

    That's ok. Compared to the typical post these days it's refreshingly informative.

  15. "Good Enough Security" by resistant · · Score: 3, Interesting

    We all know most people will never use "proper" passwords, let alone "properly", quite aside from offices in which ridiculous password management policies drive people to drink^h^h^h^h^h simply writing their passwords on Post-it notes stuck to their monitors. Why not make the best of a bad situation by only insisting on reasonable passwords changed no more than once per six months, complete with freely available "wallet-sized password booklets", but which are accompanied by other methods such as once-per-session typing pattern analysis verifications or cheap magnetic stripe cards? (The obvious security problem with a magnetic stripe card in the same wallet as a password booklet, for example, can be ameliorated by insisting that the magnetic stripe cards be kept in small employee lockers, and never allowed off-premises).

    The point is that a little imagination is all that is needed to make security reasonably good or at least acceptable, given that the weak link will always be the kind of muppets who insist on shoving bricks between doorjambs and ultra-high-security triple-locked doors if they are at all allowed. Sure, any security method can be defeated, but it's far easier to educate (okay, frighten) people into not removing stuff from company premises (the magnetic stripe cards) or to make them perform once-a-day monkey tricks (the typing pattern analysis verifications) than it is to make them stop writing stuff down in very insecure ways. Security will tend to be more even, and problem employees will be easier to spot.

    The old saying comes to mind, "The perfect is the enemy of the good."

    --
    A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
  16. "strong password policy" is NOT the solution by IGnatius+T+Foobar · · Score: 2, Insightful

    Listen up, paranoid policy people everywhere: setting up a "strong password policy" is NOT the solution. Typically this involves forcing the user to choose a password that's more than ten characters, has punctuation and numbers and mixed case in it, and forces a password change every 30 days.

    You know what that does?

    It forces people to write their passwords down. On paper.

    With the password written down, it's very easy to "crack" because it's sitting there, "in the clear" on a dead tree.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  17. Re:Fingerprints? by KeithIrwin · · Score: 2, Informative

    Biometrics work fine for in-person authentication, but they are terrible for network authentication because they are not secrets and because they cannot be changed. In person, they might be hard to fake (depending on the technology), but over the network, it's just data like any other and, as such, trivial to fake. I have a longer comment about this further down if you want more detail.

  18. Re:Fingerprints? by 6Yankee · · Score: 3, Insightful

    Fingerprints, great... Might as well get a permanent marker and scrawl my password all over my laptop!

  19. Re:The 1960's Called by Entropius · · Score: 2, Insightful

    There's a reason usernames are public.

    On a Unix machine, knowing someone else's username lets you send them mail. It lets you access (if they allow you to) their home directory. It lets you see if they're logged on (using "w"), see information about them (using finger), and even communicate with them (using write), and lots of other useful things.

  20. Re:The 1960's Called by arndawg · · Score: 2, Insightful

    What are you talking about? What good would asterisking the username do? It would result in a longer unknown string, but you should use strong passwords anyway so it shouldn't provide any extra security.

  21. RSA tokens and Etrade by zerofoo · · Score: 2, Insightful

    My Etrade accounts have a traditional password with the requirement of an RSA token. This seems to be a great solution to the password problem.

    The first part of the password is easy to remember, the second is changed every 60 seconds by the token.

    It is a bit less convenient than a standard password, but that is the price to be paid to secure a bank account.

    -ted
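
The two-part login described above (a remembered part plus a code that changes every 60 seconds), as an added example that is not from the post and is not RSA's algorithm: RSA SecurID's token code is proprietary, so this Python model uses the open TOTP scheme of RFC 6238 (HOTP from RFC 4226 over a time counter) in its place. The PIN, shared secret, username and clock values are constructed; the 60-second step follows the post rather than the RFC's 30-second default.

```python
"""Added example (not from the thread, not RSA's algorithm): PIN + time-based
one-time code, modelled with RFC 6238 TOTP. The server knows the PIN hash and
the token's shared secret, tolerates one step of clock skew, and refuses a
code that has already been used. PIN, secret and times are constructed."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post's "changed every 60 seconds" (RFC 6238 default is 30)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, now // step, digits)


class TokenServer:
    def __init__(self, pin: str, secret: bytes):
        # Illustrative only: a real deployment would store the PIN under a slow KDF.
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.secret = secret
        self.last_counter = -1          # highest counter already accepted

    def verify(self, typed: str, now: int) -> bool:
        """`typed` is PIN immediately followed by the 6-digit token code."""
        pin, code = typed[:-DIGITS], typed[-DIGITS:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        counter = now // STEP_SECONDS
        code_ok, used = False, None
        for skew in (0, -1, 1):         # accept adjacent steps for clock drift
            c = counter + skew
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                code_ok, used = True, c
                break
        if pin_ok and code_ok:
            self.last_counter = used    # the same code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC test-vector secret, used here as sample data
    srv = TokenServer("1234", secret)
    now = 120_000
    print(srv.verify("1234" + totp(secret, now), now))   # True
    print(srv.verify("1234" + totp(secret, now), now))   # False: replay
```

The point of the two factors is that the code alone is useless without the PIN and the PIN alone is useless without the token, and `last_counter` is what turns "changes every 60 seconds" into "can be used once": a code observed over the shoulder is dead as soon as its owner has used it.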

  22. 1Password by davebarnes · · Score: 2, Insightful

    Strong, weak.
    Your choice.
    Use 1Password to manage them all.

    --
    Dave Barnes 9 breweries within walking distance of my house
  23. 1-2-3-4-5.... by Anonymous Coward · · Score: 2, Funny

    that's something an idiot would have on his luggage!!!

  24. Keychain Access by trudyscousin · · Score: 2, Informative

    I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access." Keychains store private keys, certificates, and arbitrary notes securely. I use one to store my passwords to all my e-mail and web accounts. They're encrypted using Triple DES.

    Not only that, but it can generate passwords for you. Tell it how many characters you want, and whether the password should be memorable (comprised of dictionary words and a short string of numbers), letters and numbers, numbers only, something called "FIPS-181 compliant," or random. You can choose from the ones it generates from a pop-up menu, and if you don't like any of them, it can generate some more. Whatever password you choose, there's a gauge that tells you how strong it is.

    I have to use it occasionally to look up a password to an infrequently visited web page. Entering my user password (that is, the one for my account on my computer) will unlock any one that is stored on the keychain.

    Is it easy to use? Kind of, sort of; it takes a few seconds and more than a few mouse clicks to retrieve a password. Safari (perhaps Firefox as well, but I don't know) can be configured to remember your login information for a given page, and though it stores this information in the login keychain, the problem with Safari's implementation is that it works for some pages and not others, and doesn't require you to provide your user password--not exactly the most secure arrangement.

    No one's ever compromised this scheme, as far as I know. Yet. Meanwhile, it works pretty well for me.

    --
    Those who can, do. Those who can't, write technology blogs.
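
Two of the generator styles Keychain Access is described as offering above, and the assigned-but-memorable password Zarf's mainframe story earlier in the thread asks for, as one added example in Python. This is not Keychain Access's code and not an implementation of FIPS 181; it builds a "memorable" password from whole words plus a short number and a "pronounceable" one from consonant-vowel-consonant syllables, and reports the entropy each construction yields. The 32-word list is a constructed stub; the strength gauge thresholds are assumptions.

```python
"""Added example (not Keychain Access's generator, not FIPS 181): two password
styles with the entropy their construction yields, plus a simple strength gauge.
WORDS is a constructed stub; a real list of thousands of words is what makes
the word-based style strong (each word then contributes 12+ bits)."""
import math
import secrets
import string

# Constructed stub wordlist: 32 entries, so exactly 5 bits per word.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pepper", "quartz", "river", "saddle", "timber", "uncle",
         "velvet", "walnut", "xenon", "yellow", "zephyr", "button", "cactus",
         "dolphin", "engine", "feather", "glacier"]

CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters; awkward clusters left out for speakability
VOWELS = "aeiou"                    # 5


def memorable(n_words: int = 3, digits: int = 2, rng=secrets) -> str:
    """Dictionary words joined by hyphens plus a short number, e.g. 'river-candle-orbit42'."""
    words = [rng.choice(WORDS) for _ in range(n_words)]
    number = "".join(rng.choice(string.digits) for _ in range(digits))
    return "-".join(words) + number


def memorable_entropy_bits(n_words: int = 3, digits: int = 2) -> float:
    """Each word is a uniform pick from WORDS, each digit a uniform pick from 10."""
    return n_words * math.log2(len(WORDS)) + digits * math.log2(10)


def pronounceable(n_syllables: int = 4, rng=secrets) -> str:
    """Consonant-vowel-consonant syllables: speakable, hence easier to memorize."""
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)
                   for _ in range(n_syllables))


def pronounceable_entropy_bits(n_syllables: int = 4) -> float:
    """Each CVC syllable is one uniform pick from 18 * 5 * 18 = 1620 possibilities."""
    return n_syllables * math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))


def strength_label(bits: float) -> str:
    """Gauge thresholds are assumptions for illustration, not a standard."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 80:
        return "good"
    return "strong"


if __name__ == "__main__":
    m = memorable()
    p = pronounceable()
    print(m, round(memorable_entropy_bits(), 1), strength_label(memorable_entropy_bits()))
    print(p, round(pronounceable_entropy_bits(), 1), strength_label(pronounceable_entropy_bits()))
```

The entropy functions are the useful part: with the stub list, three words and two digits come to about 21.6 bits, which a gauge should call weak, and that number only becomes respectable when the wordlist is large, which is the check to make before trusting any "memorable" generator. Twelve pronounceable letters come to about 42.6 bits, well short of twelve random letters and digits, so speakability is paid for in entropy per character and must be bought back with length.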
  25. Re:Keychain Access corruption by tg123 · · Score: 2, Informative

    I'm surprised no one has mentioned this yet, but Mac OS X has an application called "Keychain Access.........

      Word of warning from experience (I used to work for Apple): make sure you have another copy of your passwords because, as you say, the keychain is encrypted, and if the keychain gets corrupted you may have to reset the keychain.

      I would get a keychain access issue about once a week, and the person on the other end of the phone used to get very upset as they were unable to do their banking.