Please Do Not Change Your Password

← Back to Stories (view on slashdot.org)

Please Do Not Change Your Password

Posted by CmdrTaco on Tuesday April 13, 2010 @05:11AM from the my-password-is-trustno1 dept.

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

34 of 497 comments (clear)

Min score:

Reason:

Sort:

Please let me use the same password by Hatta · 2010-04-13 05:13 · Score: 5, Insightful

We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

--
Give me Classic Slashdot or give me death!
1. Re:Please let me use the same password by oldspewey · 2010-04-13 05:18 · Score: 5, Insightful
  
  And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.
  
  --
  If libertarians are so opposed to effective government, why don't they all move to Somalia?
2. Re:Please let me use the same password by r_jensen11 · 2010-04-13 05:21 · Score: 4, Insightful
  
  We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.
  Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.
3. Re:Please let me use the same password by Skarecrow77 · 2010-04-13 05:22 · Score: 3, Insightful
  
  I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the the user (password on a post-it on the monitor). Am I mistaken?
4. Re:Please let me use the same password by whois · 2010-04-13 05:31 · Score: 4, Insightful
  
  There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.
  Typing a password in the wrong terminal, typing a password in the wrong web field and having it autosearch google for your password. Typing your password over a bluetooth wireless keyboard with unknown encryption. Using a telnet session, etc. Logging in using a friend or co-workers PC that may have been compromised, etc.
  Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.
  I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.
  Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)
  Unfortunately, it doesn't always work out because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but still company politics gets in the way)
5. Re:Please let me use the same password by Moryath · 2010-04-13 05:34 · Score: 4, Insightful
  
  I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.
  Single sign-on for a single company is a great idea.
  Having your work password, gmail, hotmail, bank password all be the same? BAD idea.
6. Re:Please let me use the same password by b0bby · 2010-04-13 05:34 · Score: 2, Insightful
  
  Mod this up - this is especially relevant when it's a former coworker.
7. Re:Please let me use the same password by COMON$ · 2010-04-13 05:34 · Score: 4, Insightful
  
  On our LAN I put rational policies in place. Essentially I look at the threat of an event and what it will take to mitigate it. If I am worried about a brute force attack I can solve that by password rotation or increasing complexity. I let the user choose which they are comfortable with. Some users dont want to use a passphrase so they have to change their password more often. Other people have realized that "I love my dog fluffy." is really easy to remember and since it meets my complexity and length requirements I make the password rotation much much longer.
  Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.
  I find that when you give the users a choice and work with them, security goes much smoother. users will always take the easiest way out, every time.
  
  --
  CS: It is all sink or swim...oh and did I mention there are sharks in that water?
8. Re:Please let me use the same password by DarkOx · 2010-04-13 05:41 · Score: 4, Insightful
  
  What is might do is limit exposure. Suppose someone guesses a password. They are not a hacker and even having guess a password they perhaps lack priviliges to make any systemic changes given them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
9. Re:Please let me use the same password by MobyDisk · 2010-04-13 05:48 · Score: 4, Insightful
  
  My favorite is "password may be no longer than X characters" - why arbitrarily limit the length of them? It's especially great when X is something small like 4 (pin #s) or 8.
10. Re:Please let me use the same password by John+Hasler · 2010-04-13 05:49 · Score: 2, Insightful
  
  > It goes into the password expiration paradigm as well, pointing out that if
  > someone steals your house key, they're not going to give you time to change
  > the locks; they're breaking in immediately.
  Not likely. Perhaps if they pick it out of my pocket as I am getting in the car to go to work they will walk straight up to the house and let themselves in (BTW it isn't breaking if they have a key). Far more likely, though, it will take days or weeks to figure out what the key fits, get it into the hands of someone able (and willing) to try using it, and for me to be away from the house at night so that they have a safe opportunity.
  If your password is written down in a little black book in your wallet, your wallet is stolen, and you go to IT the next day, report it, and get a new password, it is very unlikely that it will have been used in the interim. In fact, it is very unlikely that the thief will ever attempt to use it or even figure out what it is.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
11. Re:Please let me use the same password by ColdWetDog · 2010-04-13 05:58 · Score: 2, Insightful
  
  Yeah, and if they beat you over the head with a rubber hose, you will tell them what your password is anyway. The rotating character / shifted field approach may not be the best policy for nuclear weapons unlock codes but it's probably OK for 'generic' level stuff.
  
  If you're doing something very secure with passwords, you're doing it wrong anyway.
  
  --
  Faster! Faster! Faster would be better!
12. Re:Please let me use the same password by eth1 · 2010-04-13 06:47 · Score: 2, Insightful
  
  The thing that worries me most about that is that it seems to indicate that they're storing the passwords plain text rather than hashing them, so they're limited to whatever field width the DB designer pulled out of his ass that day.
13. Re:Please let me use the same password by Tomy · 2010-04-13 07:00 · Score: 4, Insightful
  
  Pretend that if an attempt to log into his account fails three times, his account is locked and requires a new password.
  Or pretend that your security system notes what IP address such failures comes from, and disables all access from that IP. Or it scores various IP connections, giving more trust to IP addresses that are successful.
  Whenever I see the onus forced on users, I see people who haven't learned the wisdom of the following quote:
  "I object to doing things that computers can do." - Olin Shivers
14. Re:Please let me use the same password by jbengt · 2010-04-13 07:02 · Score: 4, Insightful
  
  Sounds like a bad application of math to me. (I admit, though that I only skimmed through the report, so I could be wrong)
  There are two sides to a risk analysis, the probabilities and the values being risked. People will play the lottery even when they don't have a reasonable chance, because the thing being risked is not that valuable. But they are not willing to risk their life savings when the odds are slightly in their favor, because they can't repeat the bet 100 times to try and come out ahead on average.
  If I'm the owner of a business, and I'm paying my employees X time the minimum wage, and a breach costs me Y dollars, I can live with the math. But if there's even a small chance that a breach will cause the death of my business, then I'm willing to have my employees spend "more than it's worth".
15. Re:Please let me use the same password by Quirkz · 2010-04-13 07:42 · Score: 2, Insightful
  
  I was under the impression that the -vast- majority of compromised passwords were due to either social engineering (Hey, this is "Bill from IT", I need your password to fix that "performance issue" you're having) or sheer neglect on the part of the the user (password on a post-it on the monitor). Am I mistaken?
  Scenarios like stealing passwords from post-its are certainly possible, but I'd guess as a percentage of all stolen passwords it's insignificant to being at the point of near zero. Most people don't have access to the physical space of the person they're trying to hack. I'd argue most successful password stealing is done remotely, against victims the target doesn't even know.
  
  The big ones are going to be things like dictionary attacks against a login page where it can guess stupendously stupid/common passwords, or by exploiting a weakness in the system, or a virus/spyware with keylogger--all of these techniques bypassing the user entirely. If you count phishing as social engineering then that may be up there, but not the way you describe it.
  
  Now, if you have a specific account you want to break into, the things you suggest may be among your best bets to get into that one account. But if you want to steal a few million accounts, you're doing to be doing something a lot more automated. For every guy out there breaking into a co-worker's account because of a monitor stickie, there's a virus capturing thousands of usernames and passwords at once.
  
  --
  The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
16. Re:Please let me use the same password by pwnies · 2010-04-13 07:47 · Score: 3, Insightful
  
  Since we're pretending, let's pretend your imaginary computer cluster actually exists. Now let's find us the speed that said computer would have to run at to crack that password in 2 months.
  A 16 character password with symbols (12), numbers (10), lowercase letters (26) and uppercase letters (26) would have 76^16 combinations. This is approximately 1.24 * 10^30th.
  An MD5 hash takes 256 clock cycles in the best-case scenario (search for 256), assuming no overhead. That means that we have 3.17*10^32 number of clock cycles that must be ran through in order to compute/crack every possible password in that range.
  Two months is approximately (365.242199 days/year)(2/12)(24hours/day)(3600seconds/hour) = 5259488 = 5.26*10^6 seconds.
  In that time, a "computer or cluster" would have to run at (3.17*10^32 cycles)/(5.26*10^6 seconds) = 6.03 * 10^25 Hz. That's 6.03 * 10^16 GHz, or 60.3 yottahertz.
  Currently, the world's fastest supercomputer is the Cray Jaguar. It has 224256 opteron cores clocked at 3.2Ghz. That means it's total processing speed (again, assuming no overhead here) is 7.18*10^14 Hz. Your pretend "computer or cluster" is 84027852100 times as fast as the worlds fastest supercomputer. 84 billion times as fast.
  Using the same architecture as the Cray Jaguar, the world GDP couldn't afford to buy that computer. The world's power grids couldn't power it. This is /., know the math behind your arguments before you post.
17. Re:Please let me use the same password by timnbron · 2010-04-13 12:50 · Score: 2, Insightful
  
  Correct. For special effect, if someone was watching, I would type my password, randomly hit a few keys, and then thump the keyboard four times. Then press Enter, and get logged in. It usually got quite a stunned expression from anybody nearby.
  
  --
  There are some who call me ... Tim.
Password aging isn't in touch with the real world by Skyshadow · 2010-04-13 05:20 · Score: 4, Insightful

Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:
(1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
(2) A lot more easy-to-guess passwords
(3) Incremented passwords (FuckTheSecurityGuys14)
This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

--
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
Password aging does *not* help by bradley13 · 2010-04-13 05:20 · Score: 4, Insightful

Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".

--
Enjoy life! This is not a dress rehearsal.
Re:Password aging isn't in touch with the real wor by Moryath · 2010-04-13 05:28 · Score: 2, Insightful

You neglected another possibility: your security restrictions were set by some dumbass in a state legislature who read some paper or book regarding "IT Security" and passed laws and regulations for government agencies...
Re:Password aging isn't in touch with the real wor by Shotgun · 2010-04-13 05:29 · Score: 2, Insightful

Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.
The stereotype is that computer geeks can't get a date or fit into social situations. Why? Because they don't understand human nature. And who is in charge of setting the password policy? The geekiest guy in the organization. I see a major issue.

--
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Re:Password aging isn't in touch with the real wor by tsalmark · 2010-04-13 05:30 · Score: 3, Insightful

Password aging does not prevent the cracking of passwords, it prevents against leaving compromised account around forever.
Password aging made sense, once upon a time. When the biggest issue was resource theft, changing passwords every few months cleaned out the unintended access some people had, either nefariously or through chance (old unclosed account and what have you).
Now with the speed of automated hacking tools password rotation is less than useless as a defense.
Re:Password aging isn't in touch with the real wor by ConceptJunkie · 2010-04-13 05:35 · Score: 5, Insightful

And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important that actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S..

--
You are in a maze of twisty little passages, all alike.
Re:Logical Inconsistency by Shakrai · 2010-04-13 05:36 · Score: 2, Insightful

Don't feed the trolls.

--
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Re:Password aging and complexity = lists by John+Hasler · 2010-04-13 05:39 · Score: 2, Insightful

Please cite some incidents traceable to the writing down of passwords.
IMHO users should be instructed to write their passwords down in a little black book and to keep that book in their wallets with their money and credit cards. The company should issue the book and teach the employees how to record passwords in it, how to keep it secure, and what to do if it is stolen or lost.

--
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It's a design problem. by MrCrassic · 2010-04-13 05:45 · Score: 3, Insightful

Increased security always decreases usability. Though now that I think about it, I'm wondering: why aren't smart cards used more in corporations? Wouldn't it be convenient for people to log in with the same ID they use to get into their workplace building or floor?
Just a thought...
Re:Please fix your systems! by MobyDisk · 2010-04-13 05:49 · Score: 5, Insightful

Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.
Define the problem by minstrelmike · 2010-04-13 06:26 · Score: 2, Insightful

The problem with password rules, unlike rules passed by city councils or congress, is that we can use computers to completely enforce them.

That immediately points out exactly how useful real-life rulez are, too but I won't get into that except to say that civilization creates laws, laws do not create civilization. As proof, look at any political revolution.

Getting back to passwords, the rules have very little to do with desired goals--no break-ins.
Seriously, how many accounts are hacked by guessing passwords? Brute force guessing is stopped by a 3 and out system rule for bad pwds. Continued access from a compromised pwd is a serious issue but 1) the account first has to be hacked and 2) continual access from different machines can be monitored by the sys admins without user involvement.

Just a modicum of analysis shows that if you implement no reuse and a 45-day timeout, then each user has to come up with 8-10 hard-to-remember passwords each year. FOR EACH ACCOUNT.

The rule is as silly as Citibank's warning on the envelope they send me that a paper trail is an identity thief's best friend. How many of those crimes occur via paper and how many occur electronically? They just want to make their jobs easier and more cost-effective.
Bad argument by Geoffrey.landis · 2010-04-13 06:29 · Score: 4, Insightful

Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.
That is an incorrect argument made by somebody who knows nothing about statistics.
First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.
Now, suppose a cracker has a, say 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have a ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your change password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding does not change at all by password changing.
The number of passwords that the cracker guesses per month does not change.

--
http://www.geoffreylandis.com
1. Re:Bad argument by PRMan · 2010-04-13 06:46 · Score: 2, Insightful
  
  Ah, but people inevitably give their password to a co-worker who then gets fired. The 2 month rule takes care of that situation.
  
  --
  Peter predicted that you would "deliberately forget" creation 2000 years ago...
Re:This may not be the best political move by blair1q · 2010-04-13 06:32 · Score: 3, Insightful

So what you're saying is, you hamstrung 100% of employees to still leave 10% of your employees vulnerable, when no doubt it only takes one opening for anyone to get to any information that matters on your network...
ROFL by Anonymous Coward · 2010-04-13 06:50 · Score: 0, Insightful

Explaining that joke on /. is like explaining who Jesus was to the Pope.
You should be ashamed.
Re:The best password is: by commodore64_love · 2010-04-13 07:05 · Score: 2, Insightful

hunter2 is "very good" according to my password strength meter. Add a "$" and then it will be strong. (Supposedly)
I get tired of changing passwords because I tend to forget the new one. I'd rather just keep it. For crucial things like banking or stocks, then I'll use a separate unique PASS and then lock it in a safe for future referral.

--
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall