Slashdot Mirror


Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

5 of 497 comments

  1. Re:The best password is: by danomac · · Score: 5, Informative

    For those that don't know where that comes from, it's a bash quote.

  2. Re:Please let me use the same password by Bearhouse · · Score: 5, Informative

    And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

    Indeed. Similar to the Enigma (http://en.wikipedia.org/wiki/Enigma_machine), where a misguided decision was taken to never let a character be encoded to itself. This actually weakened the cypher: http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma

  3. Re:Please let me use the same password by CastrTroy · · Score: 4, Informative

    Any halfway decent password system only stores a hash of the password, and therefore can't tell if you only changed 1 character on your password, because it has no idea what your previous password was, only what your previous password hashed to.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.

  4. Re:Please let me use the same password by greed · · Score: 3, Informative

    Even if it is a hash, the old UNIX crypt(3C) function only hashed the first 8 characters. So you could have what you thought was an arbitrarily-long password, but an attacker only needed to go after the first 8 characters.

    If you were using the presumed length to use an English phrase (for example), you could wind up with a very weak password. "passwordisreallylongsoimsafe" would be unlocked with "password", which is fairly early in the dictionary attacks I've seen.

    I normally think it's acceptable to trade entropy density for memorability: English is fairly low entropy, but I can remember a 12-word passphrase without too much trouble, so the total entropy is OK compared to a line-noise 8 character string. But that requires the hashing functions work with the complete input; so on systems which still use crypt(3C) or something like it, I go with the line-noise.
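    The two points made in comments 3 and 4 above (a hash-only store can catch exact reuse of an old password but cannot see that a new one differs by a single character, and a scheme that hashes only the first 8 characters accepts any password sharing that prefix) can be demonstrated with a small password store. The code below is an added illustration written for this page, not code from the thread or from any system it mentions; the class and function names are invented, PBKDF2-HMAC-SHA256 stands in for whatever real hash a system uses, and the 8-character truncation is only a model of the crypt(3) behaviour described, not the DES-based algorithm itself. It goes slightly beyond the comments by showing where a similarity check is possible at all: only at change time, while the user-supplied old plaintext is in hand.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Work factor for the illustration only; pick a real value per your platform's guidance.
ITERATIONS = 50_000


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the full password (stand-in for a real password hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def single_char_change(old: str, new: str) -> bool:
    """True when `new` is `old` with exactly one character replaced (same length)."""
    if len(old) != len(new):
        return False
    return sum(1 for a, b in zip(old, new) if a != b) == 1


class PasswordRecord:
    """Hypothetical account record: current hash plus a bounded history of old hashes.

    Each entry is (salt, digest); no plaintext is ever kept.
    """

    def __init__(self, password: str, history_size: int = 5) -> None:
        self.history_size = history_size
        self.history: List[Tuple[bytes, bytes]] = []
        self._set(password)

    def _set(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _kdf(password, salt)))
        self.history = self.history[-self.history_size:]

    def verify(self, password: str) -> bool:
        """Check a candidate against the current (most recent) hash."""
        salt, digest = self.history[-1]
        return hmac.compare_digest(_kdf(password, salt), digest)

    def seen_before(self, password: str) -> bool:
        """Exact reuse IS detectable: re-derive the candidate under every stored salt.

        A one-character variant of an old password produces an unrelated digest,
        so nothing in the stored history can flag it.
        """
        return any(hmac.compare_digest(_kdf(password, s), d) for s, d in self.history)

    def change(self, old: str, new: str, reject_near_duplicates: bool = True) -> bool:
        """Change flow. The old plaintext is available here (the user just typed it),
        which is the only point at which a similarity rule can be enforced."""
        if not self.verify(old):
            return False
        if self.seen_before(new):
            return False
        if reject_near_duplicates and single_char_change(old, new):
            return False
        self._set(new)
        return True


# --- Model of a hash that only looks at the first 8 characters --------------

def crypt_like_hash(password: str, salt: bytes) -> bytes:
    """Model of crypt(3)-style truncation: everything past character 8 is ignored."""
    return _kdf(password[:8], salt)


def truncating_verify(stored_password: str, candidate: str, salt: bytes = b"demo-salt") -> bool:
    """Compare two passwords under the truncating scheme (constructed fixed salt)."""
    return hmac.compare_digest(crypt_like_hash(stored_password, salt),
                               crypt_like_hash(candidate, salt))


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    rec = PasswordRecord("hunter2")
    print("one-char variant visible in stored hashes?", rec.seen_before("hunter3"))   # False
    print("change rejected at change time (plaintext old in hand)?",
          not rec.change("hunter2", "hunter3"))                                       # True
    print("truncating scheme accepts 8-char prefix?",
          truncating_verify("passwordisreallylongsoimsafe", "password"))             # True
```

The usage section shows the contrast the two comments draw: `seen_before` can only ever match an exact earlier password, while `change` can refuse a one-character variant because the caller hands it the old plaintext. With `reject_near_duplicates=False` the record behaves exactly as comment 3 describes. The truncating model reproduces comment 4's example: the long passphrase and the bare word "password" verify against each other, whereas the full-input `PasswordRecord` keeps them distinct.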

  5. Re:Please let me use the same password by cusco · · Score: 4, Informative

    Had an instructor once whose day job was penetration testing for financial institutions. He and his partner would show up at the site and he would start unpacking the equipment they would use to probe the external connections to the network. While he was doing this his partner would get on the phone and start calling branch offices, asking to speak to the manager claiming to be from the IT department. He said that in three years he had never finished setting up before his partner had managed to secure a login and password.

    Amusingly enough, they learned quickly not to bother with rank and file employees. Most of those folks were aware that they would be out the door if they were stupid enough to hand over a login and password to a voice on the phone, but managers always seemed to think they were too important to be fired, so too important to have to pay attention to minor issues like security policies.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin