Please Do Not Change Your Password

cxbrx writes "Mark Pothier's Boston Globe article, 'Please do not change your password,' covers a paper by Microsoft Researcher Cormac Herley, 'So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users,' from the 2009 New Security Paradigms Workshop. Herley argues 'that user's rejection of the security advice they receive is entirely rational from an economic perspective.' Herley discusses 'password rules,' 'teaching users to recognize phishing sites by reading URLs,' and 'certificate errors.' Users obviously choose bad passwords, but does password aging actually help? There was some discussion on TechRepublic. I'm especially interested in hearing about studies about password aging."

Ironic Juxtaposition

[Arancaytar]

1. Apache Foundation Attacked, Passwords Stolen

2. Please Do Not Change Your Password

Slashdot is awesome today!

Post-it Note passwords

[Midnight+Thunder]

There is one thing worse than a bad password, and that is one that needs to be written down on a post-it note.

I see password security as an exponential curve, on a graph, reaching a certain peak and then dropping to zero. That dropping point is where the password rules become so complicated that most people would rather write the password down than try to remember it. That piece of paper suddenly became your weak point in the security model. For this reason you password policies need to focus on something that is sufficiently secure, but not so secure that it is in effect insecure.

Please fix your systems!

[A+Friendly+Troll]

How many times have you seen "the password must be between x and y characters in length and must contain blah blah"?

I want to enter a full sentence. Like "this is my password and you won't be able to guess it, you idiot". You aren't making this possible, because you're thinking like geek programmers who use randomly-generated strings of 8-12 characters by the dozens.

I write code and do inter-office support for my apps. Do you know how many times someone told me "I forgotz my password, halp!!11" after they were instructed to use a full sentence with a minimum of twenty-five characters? Zero. Nobody ever forgot it.

password aging doesn't work

[roc97007]

As a long time sysadmin, my experience has been, the more onerous the password aging algorithm, the more likely that passwords will be on yellow stickies under the keyboard.

For instance, if your password expires monthly and you're required to pick a password with upper case, lower case, numbers and symbols, I guarantee that the majority of your users will write it down and stick it to something easily accessible.

If you get really draconian about keeping passwords on stickies on the monitor or under the keyboard, they'll keep it in their pocketbook or stuck to the back of their cell phone, which is difficult to track and actually a worse security hole (because the building at least has physical security).

My opinion is that password aging and password complexity rules are a managerial line item, not really a security strategy. A true security strategy is a combination of good logging, regular analysis, and tools like password breakers.

Re:Please let me use the same password

[UnknowingFool]

Actually the Enigma is a good example of how a system is weakened by its users. Yes the cipher had weaknesses such as never encoding a character to itself and that the rotors were in alphabetic order rather than randomized. But the main weakness was the users and the Allies exploited that.

The machine itself had a number of settings. With all these settings, the Enigma messages could have daily and message specific settings. For the Army and Luftwaffe, it was left up to the operator to set them. Unfortunately, some operators were lazy and re-used settings. Also the German military had a habit of re-sending the same messages again and again for propaganda, morale, etc.

The German Navy was much more disciplined. They issued code books that specified many of the settings per day. These settings were much more randomized. These code books were printed on specialized paper that would disintegrate in contact with water. This system was much more secure until the Allies captured some code books when they captured a German vessel. The procedure was the captain was to destroy the code books by tossing them into sea. The captain of a disabled vessel abandoned it only to return to retrieve his personal effects rather than destroy the books.