Please Do Not Change Your Password
cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."
hunter2
We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.
Give me Classic Slashdot or give me death!
"Change your passwords and be rooted." -- JIRA attackers.
1. Apache Foundation Attacked, Passwords Stolen
2. Please Do Not Change Your Password
Slashdot is awesome today!
hi yes it is time to update your pass word. please enter below your current password and new password. then the phisy site changes it for you logs you in and has two of your passwords profit
every anarchist is a baffled dictator. Benito_Mussolini
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:
(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)
This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".
Enjoy life! This is not a dress rehearsal.
If anyone gathered metrics on such practices, I would bet that for most environments, they would find that it yields the opposite effect of what is intended.
It makes strong passwords and lots and lots of password lists under keyboards, in text files, and on post-it notes.
I gave a little talk at a Toorcon event a couple years ago where I included some pictures of password lists found in the wild.
I think everyone competent knows about these things, they just choose not to say anything about it because it is a "best practice."
If your password is 365 days old and not hacked, how is it any MORE secure if you change it and it becomes 3 days old?
The odds are the 3 day old password is a derivative (and easier to create) of your original, so hacking it will be easier too. In fact, if somehow people got your historical passwords, they could figure out what your next one was.
Where I worked last, I picked the date on the calendar and added it to the end of my regular password. Not secure, but a 30 day interval to change it was brutally annoying.
The price is always right if someone else is paying.
Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
You neglected one possibility: Your IT people are sadists who are sick of dealing with lusers ;)
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Yes, yes. This is all very fine. Until there is a massive security breach (like this recent one) and the CEO is looking for a place to drop the blame-hammer. Password aging may have had nothing to do with the breach, but who cares? The IS dept didn't have one? It's their fault then....
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Less than a month ago. http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational
Kudos to the /. editors for cutting way down on the number of dupes and summary-contradicts-article stories over the past couple of years, but they're certainly not eradicated. Maybe dupe-checking should be part of slashcode--an automatic search for links and link titles that the editor (or submitter?) has to at least scroll past to post.
The original Howling Frog is a fictional character and has no UID.
(4) Users who actually come up with relatively easy-to-remember passwords that make sense to them and are difficult to guess.
But I guess, to make a point, one has to ignore the possible good outcome ;)
In general though, I agree that your #s 1-3 are going to be a lot more prevalent.
Oh look, a pun on "aging" and "retire"! ....
Seriously, I see too many people keeping their passwords. Some of the "Smarter" people I've met keep the same base 8-10 character password, with a 2 digit month at the end of it. 2-3 week password aging cycle? That 2 digit number gets 1 added to it every change, until they hit however many the cycle has to be, and then they start over again, or change back to 1 every January.
How about NON-IT related passwords: I'm talking about bank website, or telephone banking passwords? ATM PIN on their bank / credit card?
We change website, email passwords, network passwords, you bet, but the admin / root password on the systems they monitor?
How about revisiting your accounts on whatever social networks / forums you have and changing their passwords, or better yet, checking out to see if the answer to your "Security question" is available online somewhere? How often should we run the gamut of "What websites do I have a username and password on", and how often should we change THOSE passwords?
That is a sentence fragment. Look it up.
I understand the whole point behind having a secure, random password with a limited life. At the same time, I also have a piss-poor memory for random strings of ASCII characters. I don't work for a government agency, or a company with classified or even proprietary works, yet, even my mindlessly boring personal email account requires an 8 character random string with alpha and numerical characters, no runs, no common words, and no repeats. I don't use that account for ANYTHING secure or private, and if it were to suddenly be paraded to the world for all to see I really couldn't give a damn. So why the hell can't my password be any fraking thing I want?
Why aren't we teaching people general security practices instead of forcing them to pick a password such that the first thing they are going to do is write it down on a little post-it that they store under their keyboard.
Could someone post an actual strong password you have in use?
Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
SSID?
You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...
People, in my organization at least, are forced to change after 180 days but they only change to a slight variation of the previous one. Ex: old password=Password1, New password=1Password. Sure, you can make it so no part of the previous password can be used, but they always find a way around, thereby making it quite easy to guess.
Now, the military has a completely annoying process, but I think it works pretty well. It not only makes your 10 character alpha-numeric + symbol password change every 180 days, but you have to answer 3 questions that it randomly pulls from a survey of about 30 questions you had to take before you can even log in. That, or use your CAC (common access card) along with a PIN, but that requires a smart card reader and their proprietary client.
The short: No one method will ever be secure enough; you need a combination of methods to make things as safe as possible. Even then, the most skilled hacker will get your shit and there's nothing you can do.
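The "Password1" to "1Password" and "strong-password-1" to "strong-password-2" variations described in this thread are exactly what a password-change handler can reject. The check below is an added example written for this page, not code from any poster or product; it assumes the old password is available in plaintext at change time (it is, since the user has to type it to change it) and uses a similarity threshold of 80% that is an assumption.

```python
"""Reject a new password that is a trivial variation of the old one.

Added example for the thread's 'Password1' -> '1Password' and
'strong-password-1' -> 'strong-password-2' complaints; not code from
any poster or product. Assumes both passwords are available in plaintext
at change time, which they are when the user types the old one to prove
possession before setting the new one.
"""
import re
from difflib import SequenceMatcher


def _core(pw):
    # Lower-case and strip leading/trailing digits and symbols so that
    # 'Password1', '1Password' and 'password!!' share the same core.
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _rotations(s):
    # All strings obtained by moving characters from one end to the other.
    return {s[i:] + s[:i] for i in range(len(s))}


def similarity_reason(old, new, threshold=0.8):
    """Return a human-readable reason if `new` is too close to `old`, else None.

    The threshold (assumption) is the difflib ratio above which two
    passwords are treated as the same password with a few edits.
    """
    if new == old:
        return "is identical to the old password"
    lo, ln = old.lower(), new.lower()
    if ln == lo:
        return "differs from the old password only in letter case"
    if ln == lo[::-1]:
        return "is the old password reversed"
    if ln in _rotations(lo):
        return "is the old password with characters moved from one end to the other"
    oc, nc = _core(old), _core(new)
    if oc and oc == nc:
        return "is the old password with only the leading/trailing digits or symbols changed"
    if oc and nc and (oc in ln or nc in lo):
        return "contains the old password (or is contained in it)"
    ratio = SequenceMatcher(None, lo, ln).ratio()
    if ratio >= threshold:
        return f"is {ratio:.0%} similar to the old password"
    return None


if __name__ == "__main__":
    # Constructed pairs; the first three are the thread's own examples.
    for old, new in [("Password1", "1Password"),
                     ("strong-password-1", "strong-password-2"),
                     ("FuckTheSecurityGuys14", "FuckTheSecurityGuys15"),
                     ("DepletedUranium1sH3avy", "orange-kettle-7-violin")]:
        reason = similarity_reason(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT, ' + reason if reason else 'ok'}")
```

The rotation test is what catches "Password1" to "1Password"; the stripped-core comparison catches the incremented suffix. Anything that slips past those still has to clear the difflib ratio, which is cheap enough to run on every change.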
The real problem with password expiration is that the benefit is not clearly understood.
What does it combat?
Once someone HAS the password, you are faced with closing the barn door scenario. Anything that could have been taken or accessed, likely already was. Granted you may prevent them from acquiring additional information or access, but you can't be sure that they haven't made any backdoors, even if those backdoors aren't even related to your system. With your email, I could easily construct a spear phishing attempt to gather information from people whose passwords were never compromised.
Hey Bill, I'm working with Susan on XYZ project. I know that when you had trouble with the SUBCOMPONENT you resolved that with WHATEVER. I'm running into a similar problem with our SIMILAR SUBCOMPONENT. Could you take a quick look at our approach and give us your opinion?
It works. People want to help.
The real thing that I think this does help, is reducing the risk from Password creep. Everyone knows that we end up using variations on our passwords across domains. I'm willing to bet that at least 80% of people's facebook passwords are also their email passwords. Rotating does help to keep that down, but people fight against it, and likely will change ALL of their passwords to match their newly changed one.
I doubt we will ever convince people otherwise, but it is probably a hell of a lot more cost effective to have simple password rules (Or hell, just a damned physical token with a simple PIN).
Out of modpoints but really liked a post? 1BDkF6TtmmeZ3yqXbz9yhdYVqRYnwFoXDj
Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
The problem with passwords is we all have to 'remember' so many of the darned things.
I really wish I could authenticate by being able to decrypt a secret using my private OpenPGP key. That way I would only need to remember one password, and changing that regularly would be something I could imagine. Changing the swarm of passwords I currently have to deal with is just inconceivable.
Password machine policies are only effective if they're combined with user password policies. Unfortunately none of this matters when you set users as admin accounts. Sloppy code writing and ineffectual company policies place users at risk. What has helped in my job is teaching the users effective web navigation, monitoring everything!, letting them know we monitor everything (the honor system - just make them think we see everything) and implicitly denying all incoming requests to our firewall. Unfortunately this is how we do things since our users are too lazy to remember their passwords; they write them down on paper and leave them posted to their desks.
Of all the things I've lost; I miss my mind the most. - Mark Twain
If the lusers deserve it, is it sadistic to torture them?
At the bottom of the
I've always found it curious that anti-Semites generally claim that Jews are somehow inferior or sub-human, and then assign them unparalleled power to swindle and deceive, and claim that the Jews control most/all governments or most/all money.
The two concepts are mutually exclusive. If the Jews were inferior, they would never have been able to control everyone else who is of higher intelligence and ability.
The logical conclusion is that IF you are right and the Jews control all money and all governments (and have done so throughout known history), then they are clearly far superior to the rest of humanity and whatever sufferings you may ascribe to their victims are merely the inevitable pains of one species being superseded by a further evolved descendant.
In essence, if your conspiracy theories are correct, that means that YOU are inferior to the Jew, and your skull will be examined by the Jew descendants a thousand years from now in a museum... right next to Australopithecus and Neanderthal.
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly became your weak point in the security model. For this reason your password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.
Jumpstart the tartan drive.
Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).
Now with the speed of automated hacking tools password rotation is less than useless as a defense.
I'm a little confused, "if" they deserve it???
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
I've been doing columns of keys on the keyboard. It's going to be a long time before I run out, and it meets most requirements. (Sometimes I hit caps lock for the second set.) Plus logging in takes almost no time at all.
1qaz2wsx
1qaz3edc
2wsx3edc
1qaz4rfv
2wsx4rfv
3edc4rfv
1qaz5tgb
The author makes a good point- users see the time cost of missing assignments as more damaging to their career than the benefits of following security protocol to the letter. They're probably right.
What's interesting, I believe, is that the security employee is being fairly rational by implementing every possible security mechanism, eg CYA-type behavior. Security people tend to get a lot of stick-motivation when there's a problem but very little carrot-motivation for minimizing the intrusiveness/timewasting of their protocols. If you're only ever getting feedback when something goes wrong, it's pretty rational as an individual to employ every defense mechanism possible.
It's called singular they, and its usage is debated. Shakespeare and Jane Austen can't be that wrong.
Terrorist, bomb, al Qaeda, nuclear, yellowcake, kill, assassinate. Carnivore is dead... long live Echelon.
And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important than actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to be taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S.
You are in a maze of twisty little passages, all alike.
How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?
I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.
I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.
http://img541.imageshack.us/img541/1992/2inarow.png
Oh, slashdot, how do we love thee.
I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to calm them down and tell them I'm only kidding.
"There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
I wish Microsoft would listen to its own researchers. I work there and we have to change our passwords every 90 days. They have to use characters of various types and you can't reuse a password... ever as far as I can tell. I've never really understood how this was supposed to improve security and often wondered if it made passwords more guessable since a lot of people probably use memorable patterns. I personally couldn't actually tell you what my password was without typing it since it follows a certain pattern on the keyboard.
Perhaps you should take your own advice, and find out what "subject-verb agreement" means? Neither "user" nor "they" is a verb or a subject, so I'm not sure how subject-verb agreement could be relevant here.
If you meant "pronoun agreement," you're still wrong. "They" agrees perfectly with a singular noun of indeterminate gender.
Password aging should automatically take into account the security of the password someone creates, via some algorithm that estimates 'guessability'
If it's a dictionary word and number, give it three months. If it's a dictionary word, number, and two symbols, give it six months. If it's a passphrase, all regular dictionary words but not a 'standard' phrase like 'lorem Ipsum" or "The quick brown fox' leave it alone for a couple years.
In other words - if someone is using a secure password, fuckin' reward them for it!.
Plus, if a password is being aged, and it's in its expiration period - give people the entire 14 day (or whatever) period where they can use either the old password or the new password, and every time they use the old one remind them of the new one until they start using it. Let them transition between the two.
Just a couple obvious thoughts - Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
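Pug's two suggestions above (expiry interval tied to estimated guessability, and a grace window in which either password works) can be sketched in a few dozen lines. This is an added example written for this page, not code from the thread or from any product. The word list, the "standard phrase" list, the bucket names, and the day counts for the buckets Pug did not mention ("standard-phrase" and "other") are assumptions; the 90/180/730-day values follow the post's three months, six months and a couple of years. The reminder deliberately does not echo the new password back to the user, only that the old one is about to stop working.

```python
"""Risk-based password aging plus a change-over window.

Added example for Pug's suggestions in the thread; not code from the
thread or any product. WORDS, STANDARD_PHRASES and the day counts for
'standard-phrase' and 'other' are assumptions made for this example.
"""
import hmac
import re

# Constructed mini word list and well-known phrases; a real deployment
# would load a full dictionary and a list of common passphrases.
WORDS = {"lorem", "ipsum", "the", "quick", "brown", "fox", "summer",
         "correct", "horse", "battery", "staple", "secret"}
STANDARD_PHRASES = {"lorem ipsum", "the quick brown fox"}

# Days a password in each bucket may be kept. The first three follow the
# post (3 months, 6 months, a couple of years); the last two are assumptions.
MAX_AGE_DAYS = {
    "word+number": 90,
    "word+number+symbols": 180,
    "passphrase": 730,
    "standard-phrase": 90,
    "other": 365,
}


def classify(password):
    """Bucket a password by a coarse guessability estimate."""
    lowered = password.lower()
    words = re.findall(r"[a-z]+", lowered)
    digits = re.findall(r"\d", lowered)
    symbols = re.findall(r"[^a-z0-9\s]", lowered)
    if len(words) >= 2 and all(w in WORDS for w in words):
        phrase = " ".join(words)
        if any(p in phrase for p in STANDARD_PHRASES):
            return "standard-phrase"   # 'lorem ipsum', 'the quick brown fox'
        return "passphrase"            # several dictionary words, not a stock phrase
    if len(words) == 1 and words[0] in WORDS and digits:
        return "word+number+symbols" if len(symbols) >= 2 else "word+number"
    return "other"


def max_age_days(password):
    """How long this password may be kept before the system asks for a new one."""
    return MAX_AGE_DAYS[classify(password)]


def check_login(candidate, old_pw, new_pw, days_since_change, grace_days=14):
    """Return (accepted, reminder).

    During the grace window the old password still works, but every use of
    it returns a reminder that the switch is coming. Comparisons are
    constant-time; the reminder never contains the new password.
    """
    if hmac.compare_digest(candidate.encode(), new_pw.encode()):
        return True, None
    if hmac.compare_digest(candidate.encode(), old_pw.encode()) and days_since_change <= grace_days:
        left = grace_days - days_since_change
        return True, (f"That was your previous password; it stops working in "
                      f"{left} day(s). Please use the new one.")
    return False, None


if __name__ == "__main__":
    # Constructed sample passwords, one per bucket.
    for pw in ["summer2010", "summer2010!!", "correct horse battery staple",
               "The quick brown fox", "Xq7#mP2$wL"]:
        print(f"{pw!r:32} {classify(pw):22} max age {max_age_days(pw)} days")
    print(check_login("oldpw", "oldpw", "newpw", days_since_change=3))
    print(check_login("oldpw", "oldpw", "newpw", days_since_change=20))
```

The classifier is intentionally crude; the point is that the expiry date is a function of the password's bucket rather than a single calendar setting, so a good passphrase is rewarded with a long life and a dictionary word plus a number is not.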
Password: Aaaaaayyy
Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.
Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Not so much for the Congress comments but for the recognition that "blame" is POLITICAL.
It isn't about the facts or the obvious consequences of human nature + rule X.
It's about CYA and playing political games so that other people get stuck with the blame.
Increased security always decreases usability. Though now that I think about it, I'm wondering: why aren't smart cards used more in corporations? Wouldn't it be convenient for people to log in with the same ID they use to get into their workplace building or floor?
Just a thought...
I have heard the argument for password expiration and it makes sense in a corporate setting. The theory is that the 'bad guys' manage to figure out users passwords at a given rate (likely shotgunning multiple usernames with multiple passwords until they get a match). Once a username/password combination is obtained they have access to everything that person has access to, and can access it silently and over time. By forcing password changes every so often (and ensuring that passwords aren't reused) these hacked accounts will be temporary problems rather than permanent or recurring (if passwords are reused in a cycle) problem.
For most stuff where damage would be sudden and immediate (online banking, MMO accounts, etc.) it makes very little sense.
But expiring passwords just adds one more thing for users to be bugging you about (I forgot my password after I changed it for the 3rd time this week...). Yes, you're torturing your users, but is the extra pain you have to go through as a result worth it?
Yes it won't be perfect, but that's not the question. The question is will voice recognition fail more often than people forget their passwords.
I have to check a password clue book (to figure out which of about 12 different passwords go with which application) about once a week. I bet the voice recognition will be better than that.
excitingthingstodo.blogspot.com
Herley's article lost me when I skimmed the URL recognition part and read the claim that the Bank shoulders all the cost of a phishing attack. What, so a phisher empties my bank account and there's zero cost to me? No stress, no trouble when my debit card suddenly can't purchase anything? No effort required on my part to restore my account before being evicted by my landlord? Herley goes on to calculate the cost of paying attention to URLs in terms of the current level of phishing losses -- what, like phishing wouldn't be way, way more effective if we started hiding URLs from users, if we all started blindly clicking on links in emails and entering our passwords on any page whose logos looked familiar?
TFA is garbage, trying too hard to get attention, and too little to assess situations honestly.
Is it just me, or does Microsoft seem to be full of a-holes lately? Not long ago I was watching some junk video by Kim Cameron who thought it'd be cute to use the BSD demon icon to represent black hat attackers. Is this what happens when the nerdy geek founder hands the reins to the soap salesman, drawing attention to yourself becomes more important than doing good work?
Another pet peeve: half-baked stuff like this being typeset in PDFs in an attempt to appear more legitimate and scholarly. Herley's piece is garbage and should be one big inline wordpress piece with lots of space at the bottom for the world to rip it to shreds.
Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:
(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)
Oh, I was using a script to flush the password history by randomly changing the password until my old password was good again. :)
My work requires a 12 digit alpha + number + symbol every month. If I were given time to think about it I might have a much better password. But when I am accessing, it is very time dependent. I am usually accessing it about once every two weeks or so under emergency conditions. I have to come up with a new one on the spot after I log in before I can continue (no skipable prompt to put it off until later). There is no way anyone has a good password with that criteria.
My favorite method to create passwords at home used to be using the first letter of song lyrics.
Igalboc.ttaasiar. Any takers?
Most of the time your computer at work is physically secure enough for the data that is on it.
Your work computer better not be accessible through the firewall.
Your office should ensure that viruii do not exist, this includes monitoring firewall traffic and computer activity internally.
With those precautions, aging passwords isn't going to help.
With them, aging passwords probably won't help.
The only thing they are going to help is when someone has physical access to your computer--and when that happens any /.er will tell you that all bets are off and passwords are pretty much irrelevant.
So what is the drawback? If there are any passwords I have to change regularly, I'll toggle between two.
If they don't allow toggling, I'll add the month to the end or something like that.
If that's blocked (too similar) I'll write it down and tape it to my damn monitor. Physical security is NOT my job.
The one thing a password is good for is keeping co-workers from sabotaging me via sending bad emails or putting child porn on my computer. If they force rotation and I have to tape my password to my monitor, this is the one level of security I lose (which is a pretty reasonable chance to take).
At work, I get accounts assigned to me all the time. My rule of thumb is that if I don't log onto a system inside the password expiry period, I let the account lapse. I figure it's less hassle to have the account resurrected the next time I need it than to remember another password I'm obviously not using...
c.
Log in or piss off.
Cruel dude, but, honestly, I have a Squirrel Caller noisemaker I bought at a science museum so I say BRING IT ON!
Dammit, I hate to sound like "that old guy who never got his jetpack," but weren't computers supposed to talk to us by now and figure out who we are???? I'm so tired of typing in my ever-changing password to get the bathroom door to unlock.
At my work they require the password to be no more and no less than 8 characters, cannot begin with a number, and cannot have double letters. Great idea, right? Haha.
Software setups that require password aging force me to use simpler and simpler passwords so I can remember them. At my last job my original password was "DepletedUranium1sH3avy", once they implemented password aging it became "passwordXXXX" where XXXX was the month/year. Which do you think is easier to crack?
The biggest problem with password security is user education.
USER. EDUCATION.
Forget the WHY password complexity and expiring passwords is important; end-users don't care about that.
Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.
It produces a complex, easy to remember password.
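The two mnemonic recipes that come up in this thread (initials of a memorised sentence, as in the song-lyric post, and the phrase with E replaced by 3 and vowels capitalised above) are easy to implement, and putting them next to the "exactly 8 characters, no leading digit, no double letters" rule quoted elsewhere on the page shows how a rigid policy forbids them. This is an added example written for this page, not code from any poster. Note that applying the stated rules literally also capitalises the "u" in "daughter", which the post's hand-written example left lowercase; the code follows the rules as stated.

```python
"""Two mnemonic password recipes from the thread, plus a composition check.

Added example, not code from any poster: (1) initials of a memorised
sentence and (2) the 'capitalise vowels, E -> 3' phrase transform.
The policy checker encodes the 'no more and no less than 8 characters,
cannot begin with a number, cannot have double letters' rules quoted in
the thread only to show what those rules do to the recipes' output.
"""
import re

VOWELS = "aeiou"


def initials(sentence):
    """First character of every word, keeping the original case and punctuation."""
    return "".join(w[0] for w in sentence.split())


def leet_phrase(phrase, keep_spaces=False):
    """Capitalise every vowel, then turn every E into 3 (the thread's rule order)."""
    out = []
    for ch in phrase:
        if ch == " " and not keep_spaces:
            continue
        if ch.lower() in VOWELS:
            ch = ch.upper()
        if ch == "E":
            ch = "3"
        out.append(ch)
    return "".join(out)


def eight_char_policy_violations(pw):
    """Rules from the 'no more and no less than 8' post that `pw` breaks (empty list = allowed)."""
    problems = []
    if len(pw) != 8:
        problems.append("length must be exactly 8")
    if pw[:1].isdigit():
        problems.append("cannot begin with a number")
    if re.search(r"([a-z])\1", pw.lower()):
        problems.append("cannot have double letters")
    return problems


if __name__ == "__main__":
    # Constructed inputs; the phrase is the thread's own example.
    phrase = "my daughter was born in march"
    candidates = {
        "initials": initials(phrase),
        "leet phrase": leet_phrase(phrase),
        "leet phrase (spaces kept)": leet_phrase(phrase, keep_spaces=True),
        "keyboard column": "1qaz2wsx",
    }
    for label, pw in candidates.items():
        verdict = eight_char_policy_violations(pw) or ["allowed"]
        print(f"{label:26} {pw!r:34} -> {', '.join(verdict)}")
```

Run it and the only candidate that comes close to satisfying the exactly-eight-characters rule is the keyboard-column string, which fails only on the leading digit; both mnemonic outputs are rejected for length alone. That is the thread's complaint in one table: the rule filters out the memorable-and-long passwords and leaves room for the short-and-patterned ones.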
It really irks me when I have to have ridiculous passwords on networks that are physically isolated from the outside world. They used to physically assign us passwords for two separate networks (that are not isolated from each other) that were synchronized. Then, the Windows domain got a much stronger password requirement. So, instead of just assigning us a new stronger password synchronized across the two networks, they make us pick a new, ridiculous password for the Windows domain and still assign us a password on the other one, and the Windows passwords change several times per year instead of once like the other network.
So, not only do I have to memorize a new stronger password that changes frequently, but I have to remember another less strict one too. And both on networks where the only way for someone to steal my password is to physically stand there and watch me type it anyway, which is only marginally more difficult while typing a longer password with more special characters in it.
My office does all three of those, although it's partially so coworkers can access your computer if you're sick (lack of folder sharing being a problem in and of itself). In fact, I think my immediate boss is at 'password14' right now.
Let's not forget password recovery/reset either. If you have very restrictive password requirements, but very liberal recovery requirements, you've created a false sense of security.
My bank has all sorts of requirements on passwords: mixed case, numbers, punctuation, length, had to change every ___ time, couldn't reuse your last ____ passwords, etc. The password recovery page, however, amounted to something along the lines of "What is your father's middle name?", and even let you change the password right then (instead of being emailed a random password).
I guess enough techie folks complained, since they've recently made password recovery a little harder (you need to also add an account number and part of your SSN).
A few years back on April Fools day I sent around an e-mail stating passwords would now be expiring weekly (instead of quarterly), your password had to be 24 characters long, and we'd all have to use swipe cards to open any doors in the building. I got a bunch of horrified responses, but mostly people caught on. Flash forward 2 years. We merged our Active Directory domain with our head office, and the password requirements shot up (not as much as I said in my e-mail, but more than users were used to). Also we all got ID/swipe cards, although as of yet we don't use them for anything other than looking pretty.
Where this goes wrong is when it's taken to the extreme of not being able to re-use an old password, or any one of the last bagillion passwords you've used. This is just dumb and I cannot see what measurable threat it addresses. It just sounds good on paper.
Part of my password stays the same; part changes. The part that changes, I write down on a post-it (literally). The part that stays the same is memorized.
In practice, I have a sandwich, xxxxxYYYYzzzzz, where x and z are constant and Y changes to meet the needs. This is also how I customize for different applications, e.g. my slashdot password might be xxxx/.zzzzz, my bank password xxxx$$zzzz, etc.
It works. It's pretty safe and easy compared to the alternatives.
It's actually just a cut and paste error. The PDF actually says "... users' rejection ...".
(grammar pedants not RTFAing? Shurely Shome Mishtake...)
but we just ran a cracker program on the passwd file (on Solaris at the time) and exposed about 50% of the passwords. Then we went to the affected users and said, "This is your password, right?" After the first shock passed we would say, "It's too easy. You need to change it. Next week we'll run the cracker program again." We also sent around a little tutorial on how to create good passwords by using initials of a memorized sentence (as some have suggested here). After about four runs we were down to less than 10%, and we called it good.
How about a moderation of -1 pedantic.
It's not the IT folks you have to convince, it's their auditors.
Did you replace your keys with monospace keys?
Who the hell can remember a new eight-digit string of nonsense every month?
It seems that things are going backwards faster than they are going forward. Used to be you only had to remember your SSN, spouse's bday/anniversary, and a few phone numbers.
Now we no longer need to remember phone numbers, but we have to remember passwords, which, unlike phone numbers, have to be re-memorized every month. And I've always been terrible at rote memorization.
Free Martian Whores!
TechRepublic covered this almost a month ago, though it still gets sidetracked (like the Boston article) in a way that exemplifies the bigger issue.
Particularly, the point is not about password ageing, which is merely one example of how controls are often ineffective at achieving the security objectives. The bigger problem is that the usual IT security industry mantra has total disregard for all the other IT objectives. The goal (the ultimate, parent objective) of IT is to assist the organisation in achieving its objectives. IT security is just one objective for achieving that goal, but all of them are important.
When evaluating implementing security controls do not simply consider security. You also have to consider things like productivity, expense, risk, or how it might make it harder for the company to respond to customer requirements. Failing to do this is why users’ rejection of the security advice they receive is entirely rational from an economic perspective: they are pursuing objectives and IT security appears little more than an obstacle.
They have this thing called a Rainbow Table. Not including salt, it would be a matter of a simple lookup since all the "grunt" work has been done already.
(and I think that if they can figure out what salt was used it's semi-trivial to generate a new table)
Any person using FTFY or editing my postings agrees to a US$50.00 charge
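To make the salt point concrete, here is an added example that is not from the thread: it contrasts a stolen table of unsalted digests (one precomputed lookup cracks every user at once) with per-user salted digests, where the precomputed table recovers nothing and the attacker has to redo the whole wordlist for every user. The wordlist, the user records and the function names are constructed for this demonstration; SHA-1 appears only because that is what many systems of the period stored, not as a recommendation.

```python
"""Added example (not from the thread): why a per-user salt makes a
precomputed lookup table (the simplest stand-in for a rainbow table)
worthless.

The wordlist and user records are constructed for the demonstration. SHA-1
is used only because it is what many systems of the period stored; a real
deployment should use a slow, salted password hash such as bcrypt, scrypt
or Argon2.
"""
import hashlib
import os

# Constructed attacker wordlist, hashed once and reused against every victim.
WORDLIST = ["password", "letmein", "hunter2", "Password1", "eyeLikesl@sh"]


def unsalted_hash(password):
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt):
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup(words):
    """The attacker's precomputation: digest -> plaintext, done once, ever."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stolen, table):
    """Unsalted store: one dictionary lookup per stolen digest."""
    return {user: table.get(digest) for user, digest in stolen.items()}


def precomputed_hits(stolen_salted, table):
    """How many salted digests the precomputed table recovers (expect 0)."""
    return sum(1 for _, digest in stolen_salted.values() if digest in table)


def crack_salted(stolen_salted, words):
    """Salted store: the wordlist must be re-hashed under each user's salt."""
    cracked = {}
    for user, (salt, digest) in stolen_salted.items():
        cracked[user] = next((w for w in words if salted_hash(w, salt) == digest), None)
    return cracked


def hashing_work(n_users, n_words, salted):
    """Hash computations the attacker needs for a full dictionary pass."""
    return n_users * n_words if salted else n_words


def make_db():
    """Constructed user store in both layouts; carol's password is off-list."""
    plaintext = {"alice": "hunter2", "bob": "Password1", "carol": "correct horse"}
    unsalted = {u: unsalted_hash(p) for u, p in plaintext.items()}
    salted = {}
    for u, p in plaintext.items():
        salt = os.urandom(16)               # fresh random salt per user
        salted[u] = (salt, salted_hash(p, salt))
    return unsalted, salted
```

The parenthetical above is right only for a single site-wide salt: one salt means one new table. With a random salt per user, the "new table" has to be rebuilt for every account, which is exactly the cost `hashing_work` counts, and a slow hash multiplies it further.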
http://xkcd.com/538/
Speedy thing goes in; speedy thing comes out.
The reason why you need to periodically change your password is because passwords get stored in databases, databases get hacked/stolen... if you always use the same password, on every website, chances are someone will steal it somewhere you don't care about and then use it somewhere you do care about... Just stop whining and change it, you memorize phone numbers and street addresses, celebrity names and product jingles every day - how hard is it to memorize a couple passwords for crying out loud.
There are three possible authentication factors:
Something you know (i.e. username or password)
Something you have (i.e. security token)
Something you are (i.e. fingerprint or retinal scan)
Guessing usernames is less than trivial. You get one every time you receive an email, in most cases.
Users use weak passwords because they come between them and what they want to accomplish, leaving them open to dictionary attacks. It's usually easier to get a password with social engineering anyway.
Adding a second factor significantly reduces the risks. I wish we had legislation requiring two-factor authentication for online banking, at a minimum.
Eagles may soar, but weasels don't get sucked into jet engines.
As somebody whose girlfriend recently changed her password, let me say it does have an effect.
:)
LOL
I am actually on "FuckTheSecurityGuys#67"
IT here is retarded. My passwords have to change every month, have to be like 12 long, include both numbers and letters, also must include a special character, as well as have both upper case and lowercase. Stupidest. Policy. Ever. When it first came out I told everyone involved that this is a very bad idea. No one listened to me. Bring on the sticky notes.
Anyway I am just waiting for the day I finally forget my password, or have to call IT to look it up. Should be good for a laugh. (Note mine doesn't exactly say that, and I don't swear, but it's the same idea).
The one concession they did make, was when it first came out it would do a text comparison to the previous passwords, and if any part of it repeated, it would not allow it. I assume they got too many complaints and ditched that part, but it is still ridiculous.
Made all the more so as you can walk by any desk and see a USB HD backing up the whole computer with no encryption, and no passwords at all. I also used to have multiple passwords like this for various systems, all changing, it was crazy. They have also since unified some of the authorizing structure so I can share some passwords between some systems. Anyway there is some mad IT manager at the helm (or no one perhaps) it seems... They seem to just make arbitrary decisions without looking at possible consequences. Though I am sure many corporations are like this also...
The problem with password rules, unlike rules passed by city councils or congress, is that we can use computers to completely enforce them.
That immediately points out exactly how useful real-life rulez are, too but I won't get into that except to say that civilization creates laws, laws do not create civilization. As proof, look at any political revolution.
Getting back to passwords, the rules have very little to do with desired goals--no break-ins.
Seriously, how many accounts are hacked by guessing passwords? Brute force guessing is stopped by a 3 and out system rule for bad pwds. Continued access from a compromised pwd is a serious issue but 1) the account first has to be hacked and 2) continual access from different machines can be monitored by the sys admins without user involvement.
Just a modicum of analysis shows that if you implement no reuse and a 45-day timeout, then each user has to come up with 8-10 hard-to-remember passwords each year. FOR EACH ACCOUNT.
The rule is as silly as Citibank's warning on the envelope they send me that a paper trail is an identity thief's best friend. How many of those crimes occur via paper and how many occur electronically? They just want to make their jobs easier and more cost-effective.
Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.
That is an incorrect argument made by somebody who knows nothing about statistics.
First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.
Now, suppose a cracker has a, say 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your changed password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding do not change at all by password changing.
The number of passwords that the cracker guesses per month does not change.
http://www.geoffreylandis.com
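The argument in the comment above can be checked numerically. The following is an added example, not part of the thread: it models an online guesser whose monthly batch has probability p of containing a given user's password, computes the cumulative compromise probability with and without rotation, and confirms the formula with a small Monte Carlo run. The figures (p = 1% per month, 6- and 12-month horizons, rotation every 2 months) are the comment's; the toy password space, the batch size and the function names are assumptions of this example.

```python
"""Added example (not from the thread): does rotating a password change an
online guesser's odds? Each month the attacker tries a batch of guesses that
has probability p of containing any given user's password (the comment's
model). Everything below the numbers quoted from the comment is an
assumption of this example.
"""
import random


def p_compromise(p, months, rotate_every=None, attacker_repeats=True):
    """Analytic probability the account is compromised within `months`.

    attacker_repeats=True: the attacker's monthly window is an independent
    random sample. Each month is then a Bernoulli(p) trial whatever the user
    does, and the rotation period drops out of the formula.
    attacker_repeats=False: the attacker sweeps the space without repeating a
    guess, so against a fixed password the cumulative odds grow linearly and
    rotation resets the sweep's progress.
    """
    block = rotate_every or months          # months one password stays in use
    if months % block:
        raise ValueError("rotation period must divide the horizon")
    if attacker_repeats:
        q = 1 - (1 - p) ** block            # P(hit) during one password's life
    else:
        q = min(1.0, block * p)
    return 1 - (1 - q) ** (months // block)


def simulate(space, guesses_per_month, months, rotate_every=None,
             attacker_repeats=True, trials=20000, seed=1):
    """Monte Carlo check of p_compromise over a constructed toy space.

    Passwords are the integers 0..space-1, chosen uniformly, so
    p = guesses_per_month / space. Returns the fraction of trials compromised.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pw = rng.randrange(space)
        sweep = None
        if not attacker_repeats:
            sweep = list(range(space))
            rng.shuffle(sweep)              # a non-repeating attacker's order
        for m in range(months):
            if rotate_every and m and m % rotate_every == 0:
                pw = rng.randrange(space)   # user picks a fresh password
            if attacker_repeats:
                batch = rng.sample(range(space), guesses_per_month)
            else:
                batch = sweep[m * guesses_per_month:(m + 1) * guesses_per_month]
            if pw in batch:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    p = 0.01
    print("12-month risk, never rotate:      %.4f" % p_compromise(p, 12))
    print("6-month risk, never rotate:       %.4f" % p_compromise(p, 6))
    print("6-month risk, rotate every 2:     %.4f" % p_compromise(p, 6, rotate_every=2))
    print("6-month risk, sweep, no rotation: %.4f" % p_compromise(p, 6, attacker_repeats=False))
    print("6-month risk, sweep, rotate 2:    %.4f" % p_compromise(p, 6, 2, False))
    print("simulated, rotate every 2:        %.4f" % simulate(500, 5, 6, rotate_every=2))
```

Under the memoryless model rotation changes nothing, as the comment says. The one caveat a practitioner should keep in mind is the non-repeating attacker: against a never-rotated password the six-month figure is 6p = 0.060, against rotation every two months it is 1 - (1 - 2p)^3 = 0.0588. That is the whole benefit, and it is swamped by the weaker passwords rotation provokes.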
That's where draconian corporate IT policies can dispose of the trash for you. Tell your boss to institute a new policy - if a user asks for more than X requests from the IT department within Y time frame, they are to be disciplined for "wasting valuable department time" or some such corporate-speak. Tell your boss that you need this policy in place to weed out a "small minority" of users that repeatedly "monopolize" your time. Then, once it's put into place, show your boss who's in charge by requiring them to call you X-1 times (fiddling with their patch cable, applying the "Keyboard layout defaults to Dvorak" GPO to their user account, etc.), then telling them that if they even think about changing the policy, you'll be sure they have to make that one last call.
For many of us, it isn't one new password. It's dozens of passwords! In my case somewhere between 60 and 70, on servers running various operating systems and with varying sets of password rules.
If it wasn't for KeePass, I'd be lost. And yes, my KeePass password is a fairly strong one. :-)
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Me too, but I haven't figured out how to operate human nature's repository manager. I keep telling people to "apt-get a clue", but they just stare at me funny.
I have three passwords, shared between almost everything. One is a low-security one, used for stuff like usenet lists and forums. I'm not worried about anyone knowing it, because it doesn't access anything remotely important. It's even set up as a decoy password on my discreet drive. There's a nearly blank account, using my standard username and lowest password. The .login includes the line "rm -rf /home". Never actually tested it, though.
Second is a medium-security one, covers my system logins and email. Both have more than 5 alpha chars, both cases, and at least one symbol and/or number.
The top-security one covers my most important stuff, root logins and banking. Three numbers, three symbols, fourteen alpha of varying cases. The only way I remember it is a complex mnemonic referencing Jules Verne, Douglas Adams, the qwerty keyboard layout and hexadecimal.
Never had problems with hacking. Actually, the biggest problem I had was a bank that didn't accept my maximum password. It only accepted alphanumerics, max 16 chars. Needless to say, I was not impressed.
That's exactly why our IT department implemented the password expiry policy some years back. My workplace is stuffed full of enginerds, so when they sent out the email informing us of the change, of course they got back tons of emails explaining all the reasons discussed here why it was a stupid idea. They politely dodged all questions while insisting that the policy was going through. I thought this was all kinda weird, since our sysadmins were on the whole IT ninjas and knew their stuff. Well when I talked to one in person and asked they said that yup, it was stupid, but Corporate said they had to do it for liability reasons. Password rotation was one of a number of bullet-point items that would make it appear we were trying to protect our data, which would increase our legal position in the event that it was actually stolen.
The enemies of Democracy are
You are only looking at one factor to a password policy. The effectiveness of a password policy is the correlation of all of the factors.
Password composition (min characters, character set requirements) - Helps make dictionary attacks more difficult.
Password expiration (change your password every x days) - Helps eliminate shared accounts, prevents compromised accounts from staying compromised forever.
Authentication Lockout (temporarily locking an account after x number of incorrect attempts) - protects against brute force and dictionary attacks.
Attestation (verifying account is needed and authorizations associated to it are correct every x months) - protects against abandoned accounts.
While you can argue whether some of these policies in and of themselves are effective, when combined into a single policy they are far more effective than the sum of their parts.
For example, your argument that automated hacking tools make password expiration useless is only valid if you don't also have a password lockout policy as well.
As a long time sysadmin, my experience has been, the more onerous the password aging algorithm, the more likely that passwords will be on yellow stickies under the keyboard.
For instance, if your password expires monthly and you're required to pick a password with upper case, lower case, numbers and symbols, I guarantee that the majority of your users will write it down and stick it to something easily accessible.
If you get really draconian about keeping passwords on stickies on the monitor or under the keyboard, they'll keep it in their pocketbook or stuck to the back of their cell phone, which is difficult to track and actually a worse security hole (because the building at least has physical security).
My opinion is that password aging and password complexity rules are a managerial line item, not really a security strategy. A true security strategy is a combination of good logging, regular analysis, and tools like password breakers.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
"Who the hell can remember a new eight-digit string of nonsense every month?"
You only have to remember ONE string of nonsense, and it only has to be eight characters long?
I have to use 35 different passwords for work, for different access domains. Each of them has a different required change schedule, and different rules about what characters are required. I also have a couple for home, a couple of PINs for debit cards, and a few dozen for online accounts. Even if I don't count those others, the ones just for work are completely unmanageable without writing them down.
The time spent TYPING passwords eats up 20 minutes a day... never mind the trouble of keeping track of them all.
At the community college I work at, we have a password policy with 180 day expiration, complexity, length and history, but for students, we reset their password date every few months to keep theirs from expiring because we don't have adequate tech support staffing to handle the call volume generated by students who can't figure out how to reset their password.
It seems you have forgotten the other common user behavior... sharing passwords.
One of my reporting users had direct SQL access to a replicated and sanitized (no sensitive data) copy of our Database. He is an advanced user with plenty of reporting knowledge and we required ad-hoc reporting that did not damage/slow production.
During a security audit, I was required to expire his password.
The next day we had 9 tickets from 9 different users: "My access was taken away"
Explaining that joke on /. is like explaining who Jesus was to the Pope.
You should be ashamed.
you say "it's inconvenient for the users" but all I hear is whining.
You don't have to have a 16 character random password assigned to be secure. Password aging is designed to be used in tandem with other security measures. You don't have to pick something ultra secure, but pick something that can't be guessed with 100 tries.
No one's going to guess eyeLikesl@sh. but you're probably going to remember it or a variant of it. You rely on account lockout and log auditing to keep yourself from getting hacked. Educate people how to make a decent password and why you avoid Password1. Shame on anyone saying a basic 6 character + 1 alpha is too tough to remember on a 90 day basis. That argument just shows that the users doing the whining have no concept of things that are more important than themselves.
or Vikram Pandit of Citibank or John Thain of Merrill Lynch or ...
basically anybody on Wall Street complaining about the unfair burden of complying with Sarbanes-Oxley Act or SEC oversight or other regulatory restrictions which exist specifically as an attempt to avert a "tragedy of the commons" http://en.wikipedia.org/wiki/Tragedy_of_the_commons scenario by leveraging some of the downstream costs back on to the folks who caused (or failed to prevent) them.
So no password expiration, hmm.
So, over say a year or so I: give my password to the IT guy who is fixing my mailbox problem, or I give it to my wife, or I write it down, or I use it on other resources... which of course are now vulnerable to all those folks who somehow inadvertently got the password from the user....
Yeah, never expiring a password is a great idea. Welcome to increased exposure.
There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.
Bull. A bad password can be guessed by some guy in China and used to compromise everything.
A good password on a Post-it can be found by the cleaning staff, which already has access to the building and everything in it.
Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.
Or, they merely work for these kinds of people.
The problem is that the IT people get in trouble if there is a security breach. If the IT person can point to a bunch of strict-sounding policies they've instituted then their manager points their finger at the policy violator and the IT guys are fine. If the IT guys don't have aggressive password aging turned on then consultant comes in, puts up a bunch of slides titled "Best Practices" and the boss fires the IT guys. The boss wants to know who to fire - they really don't care to get into a debate about effective security measures.
Real security improvements would require changes that hit the IT budget, and you can imagine how popular you'll be for proposing that! Instead you can have security theater, and a bunch of rules that everybody ignores. Then when something goes wrong everybody bears such a small portion of the accountability that nobody loses their job, or at least nobody the IT guy cares about.
I comply with all kinds of dumb IT policies when I deploy systems at work. Sure, I could "take on the system," or I could go ahead and deploy the system and collect a bonus for a smooth implementation. The users end up bearing pain as a result, but unless a policy is completely brain-dead it just isn't worth dying on that hill. When I see a real chance to change the system I take it, but fighting over password aging isn't going to get me anywhere, since any PHB can see how it is "more secure." The PHB doesn't pay for all the lost productivity, and they don't get in trouble when somebody writes down their password either.
Especially when the security breach is due to someone reading someone else's password taped to their monitor.
I think you know what you're asking for is impossible, John. Is that your point?
Physical penetration tests can validate the presence of password lists in wallets, in desks, and in caches on workstations. I think I can say with confidence that there are no sources of metrics for what you have specifically asked.
So where are we then? No one can prove anything and therefore we can all claim to be correct? That's awful. That's also the state of the security industry; mountaintop sages and so called best practices sold by vendors.
Your suggestion on having a little book with them is also pretty bad. It breaks the password model of being something you know to something you have.
Remember everyone, multi-factor authentication should be a combination of something you are, something you have, and/or something you know.
If everyone did as you suggest, all thieves would have to do would be to throw an admin in the back of a van. In fact, I'm surprised that we haven't been seeing more of that anyway.
Everyone I know about that chose a simple password for their MSN / WLM account got their account hacked. They also didn't want to know about using complex passwords... but the number of contacts lost and other consequences were not so good... all of them that started listening to the basic advice: - use a complex password; - different password for different services; - use an anti-malware program; - don't access your msn/wlm from any other computer other than your own; - don't install programs you aren't sure are secure. How many of them got hacked after following that advice until today? None of them. It's my experience.
In MSN/WLM losing the account can be problematic, but in an enterprise / bank can mean the company is closed and everyone is fired.
Yup. Not to mention the security theater that is air travel.
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
I just got rid of a couple IT guys who think as you do.
IT is a support function, like a mail room, motor pool or building maintenance. Your purpose is to allow the organization to function more efficiently and effectively.
IT guys who don't "get it" end up on the chopping block as far as I'm concerned.
Who can blame him? After all, it is Windows we are talking about here.
So why bother freaking out about secure passwords when we all know the average user downloads pirated movies and MP3s using Limewire, accesses porn sites regularly, syncs their infected iPods with their work desktops and engages in other similar insecure behavior.
There is no way a "secure" password is going to protect any user from their own foolishness. These people need their LOLcatz, and they're not gonna worry about whether they have working antivirus before they click OK on the pop-up banners asking them if it's alright to install yet another toolbar on their browser before granting them access.
I gave up after telling people not to use Limewire, only to have them ask me where else they could get free MP3s and movies to download.
So yeah - they should stop using secure passwords - in fact they might as well post their social security numbers and credit card information on their Facebook profile to save the ID thieves some time and effort and get it over with (I wouldn't be much surprised if this is already happening).
And no, I'm not gonna recommend a Mac or LINUX either. I gave up on trying to convince people to switch to either of those alternatives long ago. It's either too expensive or too much reading/learning. And it doesn't matter what kind of computer you use - if you're easily duped by drive-by downloads, you'll be equally easy to dupe using phishing and other social hacking techniques. It's not all viruses & spyware these days.
(goes back to his quiet, clean, & relatively safe corner of the 'net)
Quoting TFA, which is paraphrasing the source whitepaper: "Security professionals need to consider that user education costs everyone (in time), but benefits only the small percentage who are actually victimized, he wrote." Perhaps I am dense, but can anyone explain how this statement makes any sense whatsoever? User education benefits those who are actually victimized? Someone who has been victimized as a result of his own ignorance or failure to heed security advice/user education certainly has not benefited (other than to have experienced a real-life "teaching moment"), nor has the poor sot who got victimized through sheer bad luck! Full disclosure: I happen to think the source material is short-sighted and takes a very naive view of aggregate risk, some interesting points notwithstanding. But the quote above is just pure nonsense.
(3) Incremented passwords
Ha! Piece of cake. This is why I simply decrement my passwords! I started at 12345, and now I'm down to 11235. Still got eleven thousand more to go before I have to start over.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
One advantage of password expiry is that it guarantees stupid easy-to-input passwords dished out by a service desk that may remain in use for a while get wiped out every cycle, should a user not be forced to change it at the time. It does ensure, at a minimum, that Password1 isn't access all areas for your corporate LAN.
A drawback is that, after 90 days, the same user may call back the helpdesk and receive Password1 again.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Most grammarians accept that "they" has come to substitute for a gender-neutral pronoun. Sucka.
It depends on where you are and what level of security you need.
Expiring passwords make sense - IF you are in a situation where you run a regular risk of passwords being exposed.
This is reminding me of when I worked as a FSE for IBM. The admin password for the managed client systems was moderately complex and changed daily by an automated process. We had to call in each morning and request the password of the day. It was trivial for an authorized person to get the password, and even if someone at a client site shoulder surfed the password or you gave it to them it was only good until midnight -significantly limiting what harm they could do.
The main problem we run into is shoulder surfing. By changing the passwords every so often we reduce the number of instances where people are using an account with higher privileges. I actually ran into one instance where someone was giving out their account information so that a subordinate could do his work for him. If the account password had not been changed the subordinate would have had access to the account forever.
In the real world the CEO doesn't give a rats ass about these kinds of things, he just wants me to handle it.
So it makes my life easier to just expire the account password and say something went wrong.
The more times I force password changes the more times the idiot user has to tell people his password, which increases the likelihood of someone catching them and telling me.
I still only require a 90 day password change and am for passwords being changed.
The one place where this becomes apparent is after a password change, I see logs of denied access for a given account, which are much easier to track than access accepted.
Here's a bit from the Globe article that caught my attention:
It’s not that Herley believes we should give up on protecting our computers from being hijacked or corrupted simply because safety measures consume time. The problem, he said, is that users are being asked to take too many steps, and more are constantly being added as new threats emerge or evolve. Security professionals have generally assumed that users can’t have too much knowledge in the battle against cyber crime. But that fails to take into account a crucial part of the equation, according to Herley: the worth of users’ time.
“A lot of advice makes sense only if we think user time has no value,” he said.
I'm wondering if this is actually fundamental to the problem. It's notorious that many IT workers are contemptuous, often openly, of non-IT workers. Are the strict rules for secure passwords, and calls for more user education, based on a tendency for IT workers to assume that all workers should share their evaluation of priorities? It's easy to imagine a system administrator who forgets that the maintenance supervisor is more worried about getting the conveyor belt working again than choosing a secure password for his email account.
Used to piss me off, especially when I was trained to swivel around when a user was entering their password!
I remember asking people who should have known better to please stop leaning over me and watching my hands.
The young ones were the worst, I reported each incident (in writing) every time.
I killed da wabbit -Elmer Fudd
Don't be giving away my passwords (but mine is completely different, they use ROWS).
I've heard that some brute force algorithms look for QWerASdf123, WSXert, etc... and other spatial ones just because of these rotating password policies.
Course, the number of possibilities must get pretty high pretty quick.
ASDF!!!!U_MF!!!!
What? No special characters (I thought it was suppose to be "strong")?
DICKwads1234
Atlas Shrugged : Thematic Story
Mine are always days, months or something else with 1234567890! at the end!
By Lance Spitzner. Too bad most /.ers won't see this post.
http://www.honeytech.com/blog/rebuttal/
Do really dense people warp space more than others?
I do agree there is a pain changing passwords constantly, and I can't say I like it any better where am working with two separate rolling passwords every 2 months.
I did however obtain a great tip on the net previously: Find yourself an 8 letter pass-phrase but leave two spots empty: example "_phrase_", "Phra__se" or something. Memorize the phrase except for the 2 letters you left out - this gives you 3600 alternative password combinations to choose from! And you can write down these two letters. : Q!, : W*, and so on. Nobody can guess your phrase, so the password is still quite safe!
I am using one phrase for work, another for my personal stuff. Now every time I update my password I simply update these letters.
Sure, I am still at times typing the wrong password right after I have changed one, but after two tries I am sure to remember that I changed it, and what combination I changed to after last one.
Would love to see a similar cost-benefit analysis done on the 'essential' security measures we need to combat terrorism.
I use a letter arrangement which is quite similar to the one you described above, but I only change the last letter (advance it to the next letter in the alphabet, haha) every time I am obliged to (this is @ work). This is an old friend of you, Kandresen...
The very next story on Slashdot is "Apache Foundation Attacked, Passwords Stolen". I think the answer is "yes", password aging makes lots of sense.
Are you familiar with tape recorders?
In the mainframe days we put in place a delay before another attempt that exponentially grew each time the password was entered incorrectly. First fail - 2 seconds delay, Second fail - 4 seconds delay, Third fail - 8 seconds...etc
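As an added example that is not from the thread, here is that doubling delay written out, together with a small calculator for what it buys: with 2 s, 4 s, 8 s, ... delays and no cap, an online guesser gets 16 attempts per account per day; with the delay capped at an hour (so a locked-out user is not stranded for weeks) it is 34. The class, its method names, the cap and the injectable clock are assumptions of this example, not any real product's interface.

```python
"""Added example (not from the thread): an exponentially growing delay after
each failed login, as the comment above describes (2 s, 4 s, 8 s, ...), with
a cap so a single account cannot be delayed forever. The class and its API
are assumptions of this example. The clock is injectable so behaviour can be
checked without sleeping.
"""
import time


class ExponentialBackoffThrottle:
    """Per-account delay that doubles on every consecutive failure."""

    def __init__(self, base_delay=2.0, max_delay=3600.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}        # account -> (consecutive failures, not_before)

    def wait_time(self, account):
        """Seconds the caller must still wait before an attempt is accepted (0 = now)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account, success):
        """Update state after an attempt; returns the delay now imposed."""
        if success:
            self._state.pop(account, None)      # success resets the backoff
            return 0.0
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        self._state[account] = (failures, self.clock() + delay)
        return delay


def attempts_in_window(seconds, base_delay=2.0, max_delay=None):
    """Guesses an online attacker gets against one account in `seconds` when
    every attempt fails and the delays above are enforced."""
    t, n = 0.0, 0
    while t <= seconds:
        n += 1
        delay = base_delay * 2 ** (n - 1)
        if max_delay is not None:
            delay = min(max_delay, delay)
        t += delay
    return n
```

Two caveats apply. The state must live server-side and be keyed by account, not by client address, or the attacker simply changes addresses. And a per-account throttle does nothing against spraying one guess across thousands of accounts, which is why it belongs next to logging and analysis rather than in place of them.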
Sounds sensible, doesn't it?
Except for the fact that most users - and especially the less tech-savvy ones, like most CEOs - will respond to a password rotation policy by using an easily guessable (read memorizable) series of passwords. So, when the cracked password of "T3hDude01" stops working, guess which one I'm going to try next? Betcha a dollar "T3hDude02" works...
Which I assume you know is a great example of why password rotation _doesn't_ work, rather than some kind of sneaky awesome password that no one will ever guess, or else you wouldn't have posted it on slashdot. The column passwords are right up the top of many a cracker's dictionary.
I use them too, when someone hits me with ridiculous password requirements on an account I don't care about anyways.
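The "T3hDude01 to T3hDude02" and keyboard-column patterns discussed in the comments above are cheap to catch at password-change time, when the server holds both the old password (just proven) and the new one. The following is an added example, not from the thread: a similarity check that rejects a bumped counter, an advanced letter or a bolted-on symbol, plus a QWERTY walk detector for strings like QWerASdf123 and WSXert. The thresholds, the keyboard map and the sample passwords are assumptions of this example.

```python
"""Added example (not from the thread): a server-side check that rejects the
"increment the trailing number" and keyboard-walk passwords several comments
describe (T3hDude01 -> T3hDude02, QWerASdf123, WSXert). Thresholds, the
keyboard map and the example passwords are assumptions of this example.
"""
import re

# US QWERTY rows and the vertical "columns" people walk with one finger.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]
_WALKS = [s for base in _ROWS + _COLS for s in (base, base[::-1])]


def _levenshtein(a, b):
    """Classic edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize(pw):
    """Lower-case and drop the punctuation users bolt on to satisfy a rule."""
    return re.sub(r"[^a-z0-9]", "", pw.lower())


def is_trivial_derivative(old, new, max_edits=2):
    """True when `new` is the old password with a counter bumped, a letter
    advanced, or a symbol/digit tacked on or stripped."""
    if old == new or _levenshtein(old, new) <= max_edits:
        return True
    old_n, new_n = _normalize(old), _normalize(new)
    if old_n == new_n:
        return True
    old_stem = re.sub(r"\d+$", "", old_n)           # "t3hdude01" -> "t3hdude"
    new_stem = re.sub(r"\d+$", "", new_n)
    return bool(old_stem) and old_stem == new_stem


def is_keyboard_walk(pw, min_run=3):
    """True when the whole password is made of runs of >= min_run adjacent
    keys along a QWERTY row or column, in either direction."""
    s = _normalize(pw)
    if len(s) < min_run:
        return False
    i = 0
    while i < len(s):
        best = 0
        for walk in _WALKS:
            for length in range(min(len(walk), len(s) - i), min_run - 1, -1):
                if s[i:i + length] in walk:
                    best = max(best, length)
                    break
        if best == 0:
            return False                # a character outside every run
        i += best
    return True


def check_new_password(old, new):
    """Return the list of reasons to reject `new`; empty means accept."""
    reasons = []
    if is_trivial_derivative(old, new):
        reasons.append("too similar to the previous password")
    if is_keyboard_walk(new):
        reasons.append("keyboard walk")
    return reasons
```

This is the "text comparison to the previous passwords" one poster says their IT department tried and dropped. Rejecting any shared substring, as that version apparently did, blocks far too much; comparing normalized stems and a small edit distance catches the counter trick without that collateral damage.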
This study nicely shows that using a phrase to remember your password - even if you're not using the entire phrase as your password - helps make them harder to crack _and_ easier to remember (and therefore less likely to be stuck on a post-it note on the monitor.) And all it takes to implement is an email to new users giving them a bit of advice.
The study also notes that a certain percentage of users are just arseholes who will ignore any advice you give them, but hey; you can't fix everything with code...
And if it doesn't, why it doesn't (plaintext passwords?) is probably more of a potential problem.
All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch".
It produces a complex, easy to remember password.
For nerds like me and most of the people here this is trivial. But for most people it isn't. I once explained a simple password technique that used a regular password with one letter that changed based on the first letter of the website name. I was amazed at how many people (regular users of the internet) found this difficult.
I have on my desktop.
I love Jesus, except for his foreign policy.
I didn't know you could change the keys on a selectric.
Sent from my PDP-11
Seriously, Slashdot. The paper made its rounds in the security community months ago and this is no less than the third time it has hit the front page.
Because computers users in an office environment frequently tell each other passwords. The passwords have to be changed at a rate much faster than the rate of employee turnover.
It's particularly insane where I work because people log on as others (and send email from the dead) because they like the desktop icon placement on the other person's login. After about 15 years of using Win95 to XP they still don't know how to use the "start" menu so will log in as someone else with the right desktop icons instead.
The funniest password restriction I heard of was for the VAX systems at my university in 1991. "Stop using foreign words in your passwords". Pondering the reasoning behind that rule is like a zen koan. The rule was rescinded a few days later.
Password aging isn't for you, it's for the idiot that is looking for something for a work experience kid with no loyalty to the company to do and sends them around to do things for half a dozen people at the top of the company. They usually don't bother to tell IT to set up a login so the kid ends up knowing half a dozen logins, and will tell them to anyone if asked.
It's also for the rather bizarre situation where clerical staff assume that they have to log in as the person that sits at a desk instead of their own login - so they all end up knowing each other's passwords.
To sum up, password rotation has to be higher than employee turnover in those areas, and it looks like you've been lumped in with them because a global policy was easier politically than a targeted one.
Well if it's all about economics, why doesn't someone create aging rules that make it more expensive for simple passwords and cheaper for complex passwords. If it's a simple password, set the expiration to 2-4 weeks. If it's a complex password, make it like 6 months.
What's needed is a password expiry policy that only applies to weak passwords. If the system lets them use the weak password for a day and then prompts the next day they will eventually try to come up with something more secure to avoid the prompt and learn what a secure password is.
If you just tell them straight up that what they entered is wrong they will just get frustrated that they can't get into their machines and keep trying to find something easy to remember that they can't get through.
It's gotta appear like: "Well, that's insecure, but you can use it for today and I'll remind you again tomorrow." It sure as hell ain't perfect but none of the systems are.
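The strength-dependent expiry proposed in the two comments above (short expiry for simple passwords, long for complex ones, and a one-day grace for weak ones rather than an outright rejection), as an added example that is not code from the original thread. The entropy estimate, the bit thresholds, the day counts and the small list of common passwords are all assumptions chosen for illustration:

```python
import math
import string

# Constructed list of banned/common passwords (illustrative only; a real
# deployment would use a breach corpus).
COMMON_PASSWORDS = {"password", "hunter2", "123456", "qwerty", "letmein"}

# (bits below which the tier applies, expiry in days). Assumed values.
EXPIRY_TIERS = [(28.0, 1), (40.0, 14), (60.0, 28)]
MAX_DAYS = 180


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(charset size), where the charset
    is inferred from the character classes actually present. This is the usual
    crude approximation; it overrates passwords such as 'Password1'."""
    if not password:
        return 0.0
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in known for c in password):   # space, unicode, etc.
        size += 32
    return len(password) * math.log2(size)


def expiry_days(password: str) -> int:
    """Map a candidate password to how long it may be used before the
    system prompts for a new one. Common passwords get the one-day grace
    regardless of their apparent entropy."""
    if password.lower() in COMMON_PASSWORDS:
        return 1
    bits = estimate_bits(password)
    for ceiling, days in EXPIRY_TIERS:
        if bits < ceiling:
            return days
    return MAX_DAYS


def policy_message(password: str) -> str:
    """The wording the comment asks for: accept, but nag tomorrow."""
    days = expiry_days(password)
    if days == 1:
        return "That's weak, but you can use it for today; I'll remind you again tomorrow."
    return f"Accepted; this password expires in {days} days."


if __name__ == "__main__":
    for pw in ["password", "abc123", "correcthorse", "Tr0ub4dor&3"]:
        print(f"{pw:14} ~{estimate_bits(pw):5.1f} bits -> {policy_message(pw)}")
```

The grace tier is what makes the nag tolerable: the user is never locked out, but the reminder arrives daily until the estimate clears the next threshold, at which point the interval jumps to weeks or months.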
Clam them down? What kind of shell are they logging into?
Ok. It's annoying, but I have no choice and go with the expiring passwords. I just increment the trailing number.
The issue isn't a security issue. It's a user quantity issue. I don't have 1 password, or 2, or 3. I have > 200 passwords. I know, because they are all maintained in my password file. The important ones are written on paper so I can find them when the machine dies. Who could possibly remember 200 rotating passwords, let alone invent that many on a revolving basis?
I do have a really old PC at home that I can no longer log into because I forgot the password a few years ago though. Yeah. I know. There are ways. But why? Hence, my new home PCs have no friggin passwords. Don't want 'em. Don't need 'em. Don't care who might get onto them. If people are willing to store data in the cloud, why the hell should they ever care about security?
Passwords should be replaced by large blocks of random ascii characters. Simply cut and paste it into a password field, or have the login process read from a USB drive in a specific location to "unlock" the application or system.
rkK!%9C&>ibwkd3Jl/;`/bm':%^]QP]R_SNrvf$tgY6}{sCu9vo;MDkzbN}kBI&^md2Yn?bNSd3%K2k8d#,ZjPc7l1djfjY3{.$HKn_3K_:JFBFW2;WODtiq{.ebhFz5|F(r.A2R"0#Z9EEaB@R}gM6k0W:b}Ya{NUglUaxx=AwD@NPWre7cx8]?E!7Fg1$BhvXhnt=bopT0%o~v8E4Kvf>E.@qry?'r93)fA;WE_Ekux$7Qq24l(l\=,d_^
The password is then just an access key. People understand keys. They know what to do when they lose them, they know not to give them to other people, they know not to copy them and they can't read them out over the phone.
The key store should be privileged, it's like going into someone's pocket or wallet, the system should require explicit user action or confirmation before the keys can be read.
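The "password as a random key" idea from the comment above, worked through as an added example (not code from the original thread): the key is a block of random printable ASCII, the verifying side stores only a salted hash of it, and the key store on the user's side refuses to load a key file that other accounts can read. The key length, the hash parameters and the file-permission check are assumptions; the store-and-load round trip uses a temporary file so it runs offline.

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile

KEY_BYTES = 32          # 256 bits of randomness per key (assumed)
PBKDF2_ROUNDS = 100_000 # assumed work factor


def generate_key() -> str:
    """A random access key as printable ASCII (URL-safe base64 of 32 random
    bytes). It is pasted or read from a file, never typed or memorised."""
    return base64.urlsafe_b64encode(secrets.token_bytes(KEY_BYTES)).decode()


def make_verifier(key: str) -> dict:
    """What the server keeps: a random salt and a PBKDF2-SHA256 hash of the
    key. The key itself is never stored server-side."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", key.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return {"salt": salt, "hash": digest}


def verify(verifier: dict, candidate: str) -> bool:
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), verifier["salt"],
                                 PBKDF2_ROUNDS, dklen=32)
    return hmac.compare_digest(digest, verifier["hash"])


def store_key(path: str, key: str) -> None:
    """Write the key to its 'pocket' (a file, e.g. on a USB drive) created
    owner-read/write only, so no other local account can lift it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key)


def load_key(path: str) -> str:
    """The privileged read: refuse a key store that group or others can
    reach, rather than silently using a key that may already be copied."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/others (mode {oct(mode)})")
    with open(path) as f:
        return f.read().strip()


def demo_store_round_trip() -> tuple:
    """Store a key, load it back, then loosen the file mode and show the
    loader refuses it. Returns (round_trip_ok, rejected_after_chmod)."""
    key = generate_key()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.key")
        store_key(path, key)
        round_trip_ok = load_key(path) == key
        os.chmod(path, 0o644)
        try:
            load_key(path)
            rejected = False
        except PermissionError:
            rejected = True
    return round_trip_ok, rejected


if __name__ == "__main__":
    key = generate_key()
    v = make_verifier(key)
    print("key:", key)
    print("verify(correct) =", verify(v, key), " verify(wrong) =", verify(v, key[:-1] + "A"))
    print("store/load round trip, rejected after chmod 644:", demo_store_round_trip())
```

Two points the code makes concrete: the server never needs the key to be memorable because it only ever holds a salted hash, and the client-side check is on the container's permissions rather than on the key's contents, which is the "going into someone's pocket" boundary the comment describes.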
Oh yeah, this is a great idea. (tic) Let's tell the computer inept to not change their passwords. Crackers around the world rejoice.
Now, once you break into the person's PC and steal their password, you can come back in a month and access their accounts without having to crack anything. Because their passwords will be the same! Not to mention the same password for every blasted thing they use.
"I don't know why $1,000.00 is being transferred out of my account every month. I had malware removed from my PC over 2 months ago... This shouldn't keep happening because the crooks only use the password once at the time of the break in and don't wait to use it again."
Yup, a criminal will only try to take funds from a breached account once. They won't try again next month because they have better things to do.
So sentence fragments can't have errors? Or a sentence fragment that contains the error is somehow insufficient to show it? How much should I quote? Everything he ever wrote in his life, would that be enough? Which spastic started this sentence fragment meme? I hope they die soon, but slowly.
At the bottom of the
Really? It appears that "they" is the person who did the receiving. Perhaps in whatever language you speak that isn't a subject, but in English it is. Moron.
Allowing lax security is easy, but it isn't effective or efficient.
It takes a while, and a really tiny screwdriver
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)