Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that users' rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

25 of 497 comments

  1. The best password is: by Anonymous Coward · · Score: 5, Funny

    hunter2

    1. Re:The best password is: by bluefoxlucid · · Score: 4, Funny

      Yeah, when you type it you'll see 'hunter2', and when I copy/paste it you'll see 'hunter2', but all I see is *******

    2. Re:The best password is: by Anonymous Coward · · Score: 3, Funny

      Oh great. Now that you've revealed your password, anybody will be able to post as Anonymous Coward.

    3. Re:The best password is: by billcopc · · Score: 3, Funny

      For those of you who didn't know where the hunter2 joke was from, get off mah interwebs.

      --
      -Billco, Fnarg.com
    4. Re:The best password is: by dudpixel · · Score: 2, Funny

      I get tired of changing passwords because I tend to forget the new one. I'd rather just keep it. For crucial things like banking or stocks, then I'll use a separate unique PASS and then lock it in a safe for future referral.

      I know.

      --
      This seemed like a reasonable sig at the time.
  2. Totally in time. by Anonymous Coward · · Score: 4, Funny

    "Change your passwords and be rooted." -- JIRA attackers.

  3. Re:Please let me use the same password by oldspewey · · Score: 5, Funny

    What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  4. Re:Please let me use the same password by ColdWetDog · · Score: 1, Funny
    Here's a nice argument to beat the Password Police over the head with (from TFA):

    In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It's a high hurdle to clear.

    Hey, I make more than double the minimum wage! Yeah, no more passwords for me!!!!

    Oops. I'm salaried. Shit.

    --
    Faster! Faster! Faster would be better!
  5. i need an example by fattmatt · · Score: 3, Funny

    Could someone post an actual strong password you have in use?

    1. Re:i need an example by Cro+Magnon · · Score: 2, Funny

      My password is ********

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  6. Re:Please let me use the same password by Shakrai · · Score: 4, Funny

    Am I mistaken?

    Please provide me with your social security number, birthday and mailing address so that I may answer your question.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  7. Re:Post-it Note passwords by cheeks5965 · · Score: 2, Funny

    uhh... an exponential curve keeps going up. there's no maximum, no dropping down to zero. Perhaps you're thinking of a bell curve? Feel free to mod this comment down because it provides no useful content and is just kind of snarky. In fact, I should just hit the cancel button instead of the preview/submit buttons. oops...

    --
    -- Flame me and I will happily flame you back. Bring it!
  8. Re:Password aging isn't in touch with the real wor by Starteck81 · · Score: 3, Funny

    I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to calm them down and tell them I'm only kidding.

    --
    "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
  9. Username: TheFonz by poptones · · Score: 4, Funny

    Password: Aaaaaayyy

  10. Re:Password aging isn't in touch with the real wor by NeoSkandranon · · Score: 3, Funny

    Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.

    Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  11. Re:Please fix your systems! by Benzido · · Score: 5, Funny

    Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.

  12. Re:Please let me use the same password by FictionPimp · · Score: 2, Funny

    Todd Davis 457-55-5462 .....

  13. Re:Please let me use the same password by Real1tyCzech · · Score: 2, Funny

    "(dramatic voice)
    Welcome to the world of tomorrow!"

    You forgot:

    "Brought to you Today!"

  14. Re:Please let me use the same password by PPH · · Score: 4, Funny

    Or ex-wife.

    --
    Have gnu, will travel.
  15. Complex and expiring passwords are a GOOD thing by _bug_ · · Score: 5, Funny

    The biggest problem with password security is user education.

    USER. EDUCATION.

    Forget the WHY password complexity and expiring passwords is important; end-users don't care about that.

    Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.

    It produces a complex, easy to remember password.
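
The "phrase plus a fixed mangling rule" scheme in the comment above, worked through as an added example (this is editor-supplied code, not from the page or the commenter). It implements the rule as stated (drop spaces, E to 3, capitalise every vowel) plus the three optional variants the comment mentions, and then plays the attacker: someone who has been taught the same rule, or who has seen a few passwords produced by it, needs only a list of candidate phrases and the 8 rule variants to recover the password. The phrase list and the unsalted SHA-256 "leaked hash" are constructed for the example. Note that applying the rule literally also capitalises the "u" in "daughter", giving `mydAUght3rwAsbOrnInmArch`, whereas the comment's own example leaves it lowercase; that drift is itself a reminder that a mental rule is not applied as reliably as a password manager applies one.

```python
"""Phrase-plus-rule passwords: the transform, and how cheaply it is undone.

Constructed example. The security point: the rule adds a constant, shared
transformation, so the only secret is the phrase. An attacker who knows the
rule searches phrases x rule variants, which is a few bits more than a plain
phrase dictionary attack, not "complexity" in the cracking sense.
"""
import hashlib
import itertools
import math

VOWELS = "aeiou"

# Hypothetical phrase wordlist an attacker might use (constructed; real
# attacks would use millions of song lyrics, quotes and sentences).
PHRASES = [
    "my daughter was born in march",
    "my son was born in july",
    "i love my dog",
    "the cat sat on the mat",
    "password is hard to remember",
    "correct horse battery staple",
]

# The comment lists three optional tweaks: keep spaces, A->4, L->1.
# Each is on or off, so a known-rule attacker has 2**3 variants to try.
RULE_VARIANTS = 2 ** 3


def mangle(phrase, keep_spaces=False, a_to_4=False, l_to_1=False):
    """Apply the comment's rule: drop spaces, e -> 3, capitalise all vowels."""
    s = phrase.lower()
    if not keep_spaces:
        s = s.replace(" ", "")
    out = []
    for ch in s:
        if ch == "e":
            out.append("3")          # every E becomes 3
        elif ch == "a" and a_to_4:
            out.append("4")          # optional variant from the comment
        elif ch == "l" and l_to_1:
            out.append("1")          # optional variant from the comment
        elif ch in VOWELS:
            out.append(ch.upper())   # capitalise remaining vowels
        else:
            out.append(ch)
    return "".join(out)


def sha256(s):
    """Stand-in for a leaked, unsalted password hash (constructed)."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash, phrases):
    """Known-rule attack: try every phrase under every rule variant.

    Returns (phrase, (keep_spaces, a_to_4, l_to_1), attempts) or None.
    """
    attempts = 0
    for phrase in phrases:
        for flags in itertools.product((False, True), repeat=3):
            attempts += 1
            if sha256(mangle(phrase, *flags)) == target_hash:
                return phrase, flags, attempts
    return None


def max_guesses(phrases):
    """Upper bound on work for the known-rule attacker."""
    return len(phrases) * RULE_VARIANTS


def rule_entropy_bits():
    """How much the rule variants add beyond choosing the phrase: log2(8) = 3."""
    return math.log2(RULE_VARIANTS)


if __name__ == "__main__":
    print(mangle("my daughter was born in march"))
    leaked = sha256(mangle("i love my dog", keep_spaces=True, l_to_1=True))
    print(crack(leaked, PHRASES))
    print("worst case guesses:", max_guesses(PHRASES),
          "extra bits from the rule:", rule_entropy_bits())
```

Against this constructed six-phrase list the attacker needs at most 48 guesses; with a realistic phrase corpus the cost scales with the corpus, not with the apparent character complexity of the result. The rule contributes three bits once it is known, and it becomes known the moment it is taught company-wide.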

  16. Re:Password aging does *not* help by Anonymous Coward · · Score: 1, Funny

    OK, but if you wanted a really strong password you wouldn't truncate the decimals.

  17. On password aging... by know1 · · Score: 2, Funny

    As somebody whose girlfriend recently changed her password, let me say it does have an effect.

  18. Re:Post-it Note passwords by UnknowingFool · · Score: 3, Funny

    I used to work a government facility that had really steep requirements:

    "Passwords must be at least 15 characters long and be a combination of lowercase, uppercase, numerals, special characters, and at least one hieroglyph from the following languages: Aztec, Egyptian, or Mayan."

    I would have written down my passwords but I can't draw that well. "Is this a stork, Anubis, or a hippo?"

    They also had armed security guards wandering the halls. You had 3 chances to get the password right or they would send in the guards to blindfold you and take you away to be "liberated."

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  19. Hilarious by richozer · · Score: 2, Funny

    The very next story on Slashdot is "Apache Foundation Attacked, Passwords Stolen". I think the answer is "yes", password aging makes lots of sense.

  20. Re:ROFL by Anonymous Coward · · Score: 1, Funny

    Depending on who you believe (in), the Pope might need the refresher.