Slashdot Mirror

← Back to Stories (view on slashdot.org)

Please Do Not Change Your Password

Posted by CmdrTaco on from the my-password-is-trustno1 dept.

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

15 of 497 comments (clear)

  1. Please let me use the same password by Hatta · · Score: 5, Insightful

    We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Please let me use the same password by oldspewey · · Score: 5, Insightful

      And don't forget the arbitrary rules put in place to ensure "strong" passwords - with each ruleset being different depending on the environment or portal being secured. My personal favourite: "No repeating characters allowed." Super idea! Let's force users to weaken their passwords by eliminating the possibility of duplicate characters in strategic locations.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
    2. Re:Please let me use the same password by r_jensen11 · · Score: 4, Insightful

      We have a password expiration policy at my work. Every time I change my password I have to memorize a new one. So I pick a password that's easy to remember, as such it's also easy to guess. If I could just memorize a password once, and keep it forever I'd be using a password that's essentially random. This policy is nonsense.

      Password rotation doesn't help with hackers, but it helps when a coworker learns what your password is.

    3. Re:Please let me use the same password by whois · · Score: 4, Insightful

      There is a flip-side to this. No matter how careful you think you are, you will one day expose your password in the clear. Once that happens you have no way of knowing if anyone was watching.

      Typing a password in the wrong terminal, typing a password in the wrong web field and having it autosearch google for your password. Typing your password over a bluetooth wireless keyboard with unknown encryption. Using a telnet session, etc. Logging in using a friend or co-workers PC that may have been compromised, etc.

      Because of all this, it's still a good policy to change passwords on an annual basis, with an immediate password change if you know it's been leaked.

      I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

      Or having to change a password on a system you only login to once every 6 months, every time you login. I hate that. :)

      Unfortunately, it doesn't always work out because one centralized password means you trust one department of a company with access to everything (there are workarounds for this, but still company politics gets in the way)

    4. Re:Please let me use the same password by Moryath · · Score: 4, Insightful

      I encourage companies to move to single sign-on, since I consider having to memorize 17 passwords for one company to be more hassle than having to change a password frequently.

      Single sign-on for a single company is a great idea.

      Having your work password, gmail, hotmail, bank password all be the same? BAD idea.

    5. Re:Please let me use the same password by COMON$ · · Score: 4, Insightful
      On our LAN I put rational policies in place. Essentially I look at the threat of an event and what it will take to mitigate it. If I am worried about a brute force attack I can solve that by password rotation or increasing complexity. I let the user choose which they are comfortable with. Some users dont want to use a passphrase so they have to change their password more often. Other people have realized that "I love my dog fluffy." is really easy to remember and since it meets my complexity and length requirements I make the password rotation much much longer.

      Yes, In 2008 AD you can do granular password policies, and yes this works VERY well. Not only do I have a pile of users with 15+ characters, I have users who WANT to use these passwords.

      I find that when you give the users a choice and work with them, security goes much smoother. users will always take the easiest way out, every time.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    6. Re:Please let me use the same password by DarkOx · · Score: 4, Insightful

      What is might do is limit exposure. Suppose someone guesses a password. They are not a hacker and even having guess a password they perhaps lack priviliges to make any systemic changes given them a back door. Having a rotation policy ensures they are only reading your CEO's e-mail for 90 days rather than years undetected.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Please let me use the same password by MobyDisk · · Score: 4, Insightful

      My favorite is "password may be no longer than X characters" - why arbitrarily limit the length of them? It's especially great when X is something small like 4 (pin #s) or 8.

    8. Re:Please let me use the same password by Tomy · · Score: 4, Insightful

      Pretend that if an attempt to log into his account fails three times, his account is locked and requires a new password.

      Or pretend that your security system notes what IP address such failures comes from, and disables all access from that IP. Or it scores various IP connections, giving more trust to IP addresses that are successful.

      Whenever I see the onus forced on users, I see people who haven't learned the wisdom of the following quote:

      "I object to doing things that computers can do." - Olin Shivers

    9. Re:Please let me use the same password by jbengt · · Score: 4, Insightful

      Sounds like a bad application of math to me. (I admit, though that I only skimmed through the report, so I could be wrong)
      There are two sides to a risk analysis, the probabilities and the values being risked. People will play the lottery even when they don't have a reasonable chance, because the thing being risked is not that valuable. But they are not willing to risk their life savings when the odds are slightly in their favor, because they can't repeat the bet 100 times to try and come out ahead on average.
      If I'm the owner of a business, and I'm paying my employees X time the minimum wage, and a breach costs me Y dollars, I can live with the math. But if there's even a small chance that a breach will cause the death of my business, then I'm willing to have my employees spend "more than it's worth".

  2. Password aging isn't in touch with the real world by Skyshadow · · Score: 4, Insightful

    Password aging is one of those policies that sounds like it makes some degree of sense only if you don't have any understanding of human nature.

    Here in reality, forcing people to change their password every 30 or 60 or 90 days only has a few possible results:

    (1) A lot more people writing down passwords and sticking them to their monitors. Who the hell can remember a new eight-digit string of nonsense every month?
    (2) A lot more easy-to-guess passwords
    (3) Incremented passwords (FuckTheSecurityGuys14)

    This is why I consider password policies a great indicator of where your IT department is on the "keepin' it real" scale: No restrictions, you IT people are idiots and don't care or understand security. Reasonable restrictions (min 8 characters, letters and numbers) and you're in the sweet spot. Passwords that expire every 15 minutes, your IT people are idiots and don't care or understand security.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  3. Password aging does *not* help by bradley13 · · Score: 4, Insightful

    Password aging is not only irritating for users, it causes them to choose even worse passwords, or to write their passwords down. If you are lucky, and they do neither of these, then it is very likely that they will use "strong-password-1", "strong-password-2".

    --
    Enjoy life! This is not a dress rehearsal.
  4. Re:Password aging isn't in touch with the real wor by ConceptJunkie · · Score: 5, Insightful

    And this points to a huge problem in IT departments, companies in general and our whole society. So much effort needs to be put into CYA activities, not because you're not doing your job right, but because you are liable to be subject to the whimsical judgement of stupid or ignorant people. Appearing to do the right thing is perceived as much more important that actually doing the right thing because failures of appearance tend to have much worse consequences. Look at Congress, 90% of what they do is so they appear to taking positive action on some issue, regardless of the effects it will have. And for them, it clearly works because they keep getting re-elected despite being the most consistently incompetent group of people drawing a salary in the U.S..

    --
    You are in a maze of twisty little passages, all alike.
  5. Re:Please fix your systems! by MobyDisk · · Score: 5, Insightful

    Amen! The concept of "password" is obsolete. Just never use it. Say "passphrase" and watch the light bulb go off as people realize it is easier to remember *and* more secure.

  6. Bad argument by Geoffrey.landis · · Score: 4, Insightful

    Pretend it would take about two months of processing time for a computer or cluster of computers to crack your 16 character length password with symbols, uppercase, lowercase and numbers. Now imagine that if your password were to be changed every month that the two month duration attempt to crack the password is useless since the password has changed and another two month attempt would have to be initiated.

    That is an incorrect argument made by somebody who knows nothing about statistics.

    First, if the time taken to crack a password is two months, and you change your passwords every two months, then there's a 50% chance of cracking the password in the first attempt, and a 100% chance of cracking the password the second attempt. So your example doesn't work.

    Now, suppose a cracker has a, say 1% chance of guessing a password per month of attempts, and is attacking, say, 10,000 accounts. On the average, the cracker will have a ten hits every month, but he will only break your account, on the average, once every 8 years. Still, that's a 12 percent chance of you getting compromised in a year, and a 6 percent chance you'll get hit in six months. So, can you reduce that 6 percent chance by changing your password every 2 months? NO. The chance that your change password moves into the window of passwords that the cracker is going to try next month is exactly equal to the chance that the password change moves the password out of the window the cracker is trying. The odds of the cracking succeeding does not change at all by password changing.

    The number of passwords that the cracker guesses per month does not change.

    --
    http://www.geoffreylandis.com