Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that users' rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

15 of 497 comments

  1. The best password is: by Anonymous Coward · · Score: 5, Funny

    hunter2

    1. Re:The best password is: by bluefoxlucid · · Score: 4, Funny

      Yeah, when you type it you'll see 'hunter2', and when I copy/paste it you'll see 'hunter2', but all I see is *******

    2. Re:The best password is: by Anonymous Coward · · Score: 3, Funny

      Oh great. Now that you've revealed your password, anybody will be able to post as Anonymous Coward.

    3. Re:The best password is: by billcopc · · Score: 3, Funny

      For those of you who didn't know where the hunter2 joke was from, get off mah interwebs.

      --
      -Billco, Fnarg.com
  2. Totally in time. by Anonymous Coward · · Score: 4, Funny

    "Change your passwords and be rooted." -- JIRA attackers.

  3. Re:Please let me use the same password by oldspewey · · Score: 5, Funny

    What a waste of a perfectly good pretend. No thanks, I'm going to pretend I'm on a white sand beach in Thailand, gentle waves lapping at the nearby shoreline, while I sip gin tonics and a dainty masseuse massages my pale white calves.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?
  4. i need an example by fattmatt · · Score: 3, Funny

    Could someone post an actual strong password you have in use?

  5. Re:Please let me use the same password by Shakrai · · Score: 4, Funny

    Am I mistaken?

    Please provide me with your social security number, birthday and mailing address so that I may answer your question.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. Re:Password aging isn't in touch with the real wor by Starteck81 · · Score: 3, Funny

    I often tell people at work I'll be adding a squirrel noise requirement to the password policy next month. I always expect them to laugh but they usually just have a horrified look on their face that reads something like 'you can do that?'. I then have to calm them down and tell them I'm only kidding.

    --
    "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed H
  7. Username: TheFonz by poptones · · Score: 4, Funny

    Password: Aaaaaayyy

  8. Re:Password aging isn't in touch with the real wor by NeoSkandranon · · Score: 3, Funny

    Man, I just looked down at my kb thinking you had a good idea, then was REALLY confused for a minute.

    Then I remembered I'd messed the keys around to fuck with people who looked over my shoulder.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
  9. Re:Please fix your systems! by Benzido · · Score: 5, Funny

    Better yet, change your password to "do you have a pen?" and then call your IT person to say that you've forgotten what your password is.

  10. Re:Please let me use the same password by PPH · · Score: 4, Funny

    Or ex-wife.

    --
    Have gnu, will travel.
  11. Complex and expiring passwords are a GOOD thing by _bug_ · · Score: 5, Funny

    The biggest problem with password security is user education.

    USER. EDUCATION.

    Forget the WHY password complexity and expiring passwords are important; end-users don't care about that.

    Educate end-users on how to make passwords that are complex and easy to remember. Such a thing IS possible. For example teach users to pick a phrase or sentence and type that in, replacing all the instances of the letter E with the number 3 and to capitalize all vowels. All the user needs to remember is the phrase and the rules to make it complex. And the phrase can be something VERY easy to remember like "my daughter was born in march" which turns into "mydAught3rwAsbOrnInmArch". Maybe you leave the spaces in. Maybe you change A to 4 or L to 1. Whatever the user wants.

    It produces a complex, easy to remember password.

  12. Re:Post-it Note passwords by UnknowingFool · · Score: 3, Funny

    I used to work at a government facility that had really steep requirements:

    "Passwords must be at least 15 characters long and be a combination of lowercase, uppercase, numerals, special characters, and at least one hieroglyph from the following languages: Aztec, Egyptian, or Mayan."

    I would have written down my passwords but I can't draw that well. "Is this a stork, Anubis, or a hippo?"

    They also had armed security guards wandering the halls. You had 3 chances to get the password right or they would send in the guards to blindfold you and take you away to be "liberated."

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.